Commit eb43c081 authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) The various ip(6)table_foo incarnations are updated to expect
   that the table is passed as 'void *priv' argument that netfilter core
   passes to the hook functions. This reduces the struct net size by 2
   cachelines on x86_64. From Florian Westphal.

2) Add cgroupsv2 support for nftables.

3) Fix bridge log family merge into nf_log_syslog: Missing
   unregistration from netns exit path, from Phil Sutter.

4) Add nft_pernet() helper to access nftables pernet area.

5) Add struct nfnl_info to reduce nfnetlink callback footprint and
   to facilitate future updates. Consolidate nfnetlink callbacks.

6) Add CONFIG_NETFILTER_XTABLES_COMPAT Kconfig knob, also from Florian.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 6876a18d 47a6959f
+19 −14
@@ -7,21 +7,26 @@
#include <net/netlink.h>
#include <uapi/linux/netfilter/nfnetlink.h>

struct nfnl_info {
	struct net		*net;
	struct sock		*sk;
	const struct nlmsghdr	*nlh;
	struct netlink_ext_ack	*extack;
};

enum nfnl_callback_type {
	NFNL_CB_UNSPEC	= 0,
	NFNL_CB_MUTEX,
	NFNL_CB_RCU,
	NFNL_CB_BATCH,
};

struct nfnl_callback {
	int (*call)(struct net *net, struct sock *nl, struct sk_buff *skb,
		    const struct nlmsghdr *nlh,
		    const struct nlattr * const cda[],
		    struct netlink_ext_ack *extack);
	int (*call_rcu)(struct net *net, struct sock *nl, struct sk_buff *skb,
			const struct nlmsghdr *nlh,
			const struct nlattr * const cda[],
			struct netlink_ext_ack *extack);
	int (*call_batch)(struct net *net, struct sock *nl, struct sk_buff *skb,
			  const struct nlmsghdr *nlh,
			  const struct nlattr * const cda[],
			  struct netlink_ext_ack *extack);
	const struct nla_policy *policy;	/* netlink attribute policy */
	const u_int16_t attr_count;		/* number of nlattr's */
	int (*call)(struct sk_buff *skb, const struct nfnl_info *info,
		    const struct nlattr * const cda[]);
	const struct nla_policy	*policy;
	enum nfnl_callback_type	type;
	__u16			attr_count;
};

enum nfnl_abort_action {
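Review bot: The rewritten `struct nfnl_callback` drops the member comments the old layout carried (`/* netlink attribute policy */`, `/* number of nlattr's */`) and introduces `type` with no comment at all, so a new callback author has nothing telling them which lock context each `nfnl_callback_type` implies or how `attr_count` relates to `policy`. I would restore the two old comments and add one on `type`, e.g. `enum nfnl_callback_type type; /* NFNL_CB_MUTEX: runs under nfnl_lock(); NFNL_CB_RCU: runs under rcu_read_lock(); NFNL_CB_BATCH: part of a batch transaction */` — the actual contexts are decided by the dispatcher in nfnetlink.c, which is not visible here, so confirm the wording against it. `NFNL_CB_UNSPEC` is the zero value, so a callback table that forgets to set `type` silently gets it; the enum should state what the dispatcher does with an UNSPEC callback (presumably rejects the message). If the dispatcher uses `attr_count` as the nla_parse maxtype, as nfnetlink callbacks conventionally do, then `policy` must have `attr_count + 1` entries; a one-line comment pinning that invariant would prevent an out-of-bounds policy read in a future callback.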
+10 −6
@@ -158,7 +158,7 @@ struct xt_match {

	/* Called when entry of this type deleted. */
	void (*destroy)(const struct xt_mtdtor_param *);
#ifdef CONFIG_COMPAT
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
	/* Called when userspace align differs from kernel space one */
	void (*compat_from_user)(void *dst, const void *src);
	int (*compat_to_user)(void __user *dst, const void *src);
@@ -169,7 +169,7 @@ struct xt_match {
	const char *table;
	unsigned int matchsize;
	unsigned int usersize;
#ifdef CONFIG_COMPAT
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
	unsigned int compatsize;
#endif
	unsigned int hooks;
@@ -199,7 +199,7 @@ struct xt_target {

	/* Called when entry of this type deleted. */
	void (*destroy)(const struct xt_tgdtor_param *);
#ifdef CONFIG_COMPAT
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
	/* Called when userspace align differs from kernel space one */
	void (*compat_from_user)(void *dst, const void *src);
	int (*compat_to_user)(void __user *dst, const void *src);
@@ -210,7 +210,7 @@ struct xt_target {
	const char *table;
	unsigned int targetsize;
	unsigned int usersize;
#ifdef CONFIG_COMPAT
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
	unsigned int compatsize;
#endif
	unsigned int hooks;
@@ -229,6 +229,9 @@ struct xt_table {
	/* Man behind the curtain... */
	struct xt_table_info *private;

	/* hook ops that register the table with the netfilter core */
	struct nf_hook_ops *ops;

	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
	struct module *me;

@@ -322,6 +325,7 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision);
int xt_find_revision(u8 af, const char *name, u8 revision, int target,
		     int *err);

struct xt_table *xt_find_table(struct net *net, u8 af, const char *name);
struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
				    const char *name);
struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
@@ -448,7 +452,7 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)

struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);

#ifdef CONFIG_COMPAT
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
#include <net/compat.h>

struct compat_xt_entry_match {
@@ -529,5 +533,5 @@ int xt_compat_check_entry_offsets(const void *base, const char *elems,
				  unsigned int target_offset,
				  unsigned int next_offset);

#endif /* CONFIG_COMPAT */
#endif /* CONFIG_NETFILTER_XTABLES_COMPAT */
#endif /* _X_TABLES_H */
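Review bot: The new `xt_find_table()` declaration sits beside `xt_find_table_lock()` with nothing saying what the caller must hold or how long the returned pointer stays valid, and the unsuffixed name suggests no locking at all. I would put a comment above it along the lines of `/* Look a table up by name; unlike xt_find_table_lock() the xt mutex is not held on return, so the caller must guarantee the table cannot be unregistered while the pointer is used (netns teardown paths) */` — the locking actually done is in x_tables.c and not visible here, so word it after checking the implementation. The new `ops` member in `struct xt_table` says what it is but not who owns it; note whether it is the allocation returned by `xt_hook_ops_alloc()` (declared further down this header) and who frees it on unregister. The switch from `CONFIG_COMPAT` to `CONFIG_NETFILTER_XTABLES_COMPAT` is only safe if the new knob `depends on COMPAT` in Kconfig, since `<net/compat.h>` and the `compat_*` members presuppose a compat ABI; Kconfig is outside this page, so verify.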
+4 −4
@@ -51,15 +51,15 @@ struct arpt_error {
extern void *arpt_alloc_initial_table(const struct xt_table *);
int arpt_register_table(struct net *net, const struct xt_table *table,
			const struct arpt_replace *repl,
			const struct nf_hook_ops *ops, struct xt_table **res);
void arpt_unregister_table(struct net *net, struct xt_table *table);
void arpt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
			const struct nf_hook_ops *ops);
void arpt_unregister_table(struct net *net, const char *name);
void arpt_unregister_table_pre_exit(struct net *net, const char *name,
				    const struct nf_hook_ops *ops);
extern unsigned int arpt_do_table(struct sk_buff *skb,
				  const struct nf_hook_state *state,
				  struct xt_table *table);

#ifdef CONFIG_COMPAT
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
#include <net/compat.h>

struct compat_arpt_entry {
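Review bot: `arpt_unregister_table_pre_exit()` still takes a `const struct nf_hook_ops *ops` argument while the ip_tables and ebtables counterparts in this same commit take only the table name, even though `struct xt_table` now carries its own `ops` pointer; either the argument is redundant and can be dropped, `void arpt_unregister_table_pre_exit(struct net *net, const char *name);`, or there is a reason arptables differs that deserves a comment here. Both unregister functions now look the table up by name, so the header should say what happens when no table of that name is registered in `net` (presumably a silent no-op, so netns exit stays safe when registration failed), a case the old pointer-based API could not hit. The function bodies are in arp_tables.c and not visible here, so confirm the no-op behaviour before documenting it.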
+4 −5
@@ -100,6 +100,7 @@ struct ebt_table {
	   unsigned int valid_hooks);
	/* the data used by the kernel */
	struct ebt_table_info *private;
	struct nf_hook_ops *ops;
	struct module *me;
};

@@ -108,11 +109,9 @@ struct ebt_table {

extern int ebt_register_table(struct net *net,
			      const struct ebt_table *table,
			      const struct nf_hook_ops *ops,
			      struct ebt_table **res);
extern void ebt_unregister_table(struct net *net, struct ebt_table *table);
void ebt_unregister_table_pre_exit(struct net *net, const char *tablename,
			      const struct nf_hook_ops *ops);
extern void ebt_unregister_table(struct net *net, const char *tablename);
void ebt_unregister_table_pre_exit(struct net *net, const char *tablename);
extern unsigned int ebt_do_table(struct sk_buff *skb,
				 const struct nf_hook_state *state,
				 struct ebt_table *table);
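Review bot: The `ops` member added to `struct ebt_table` has no comment, unlike the equivalent member added to `struct xt_table` in this commit; add the same one-liner, `struct nf_hook_ops *ops; /* hook ops that register the table with the netfilter core */`, and state who owns the allocation. The `ebt_register_table()` prototype as rendered shows only the old closing line `struct ebt_table **res);` and its new closing line is not visible on this page, so the new signature could not be checked; if the `res` out-parameter was dropped, callers that relied on it must switch to the name-based helpers. `ebt_unregister_table()` and `ebt_unregister_table_pre_exit()` now take a name and carry no comment on the two-phase teardown order (pre_exit before exit) or on what happens when the name is not registered; a short note here would help since the implementation lives in ebtables.c, not this header.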
+3 −8
@@ -24,15 +24,10 @@

int ipt_register_table(struct net *net, const struct xt_table *table,
		       const struct ipt_replace *repl,
		       const struct nf_hook_ops *ops, struct xt_table **res);

void ipt_unregister_table_pre_exit(struct net *net, struct xt_table *table,
		       const struct nf_hook_ops *ops);

void ipt_unregister_table_exit(struct net *net, struct xt_table *table);

void ipt_unregister_table(struct net *net, struct xt_table *table,
			  const struct nf_hook_ops *ops);
void ipt_unregister_table_pre_exit(struct net *net, const char *name);
void ipt_unregister_table_exit(struct net *net, const char *name);

/* Standard entry. */
struct ipt_standard {
@@ -72,7 +67,7 @@ extern unsigned int ipt_do_table(struct sk_buff *skb,
				 const struct nf_hook_state *state,
				 struct xt_table *table);

#ifdef CONFIG_COMPAT
#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
#include <net/compat.h>

struct compat_ipt_entry {
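Review bot: The two remaining teardown declarations, `ipt_unregister_table_pre_exit()` and `ipt_unregister_table_exit()`, are left without a comment, so nothing in the header states that they are a pair to be called in that order from the netns `pre_exit` and `exit` callbacks, or what they do when no table named `name` exists in `net`. I would add above them: `/* Netns teardown in two phases: _pre_exit() unhooks the table named 'name' (if registered), _exit() frees it; call both from the matching pernet callbacks. */` — the behaviour on a missing name is implemented in ip_tables.c and not visible here, so confirm it is a no-op before asserting that. The new closing line of the `ipt_register_table()` prototype is not visible on this rendering (only the old `..., struct xt_table **res);` is shown), so the new signature could not be checked from this page.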