* [PATCH 00/12] Netfilter updates for net-next
@ 2019-05-05 23:32 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-05-05 23:32 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following batch contains Netfilter updates for net-next, they are:
1) Move nft_expr_clone() to nft_dynset, from Paul Gortmaker.
2) Do not include module.h from net/netfilter/nf_tables.h,
also from Paul.
3) Restrict conntrack sysctl entries to boolean, from Tonghao Zhang.
4) Several patches to add infrastructure to autoload NAT helper
modules from their respective conntrack helper, this also includes
the first client of this code in OVS, patches from Flavio Leitner.
5) Add support to match for conntrack ID, from Brett Mastbergen.
6) Spelling fix in connlabel, from Colin Ian King.
7) Use struct_size() from hashlimit, from Gustavo A. R. Silva.
8) Add optimized version of nf_inet_addr_mask(), from Li RongQing.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit 7a1d8390d015a13c42b1effa1f22fda0858fe6f9:
net: phy: micrel: make sure the factory test bit is cleared (2019-04-29 23:17:21 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to 522e4077e8dcdfc5b8e96469d3bc2324bc5d6466:
netfilter: slightly optimize nf_inet_addr_mask (2019-05-06 01:18:58 +0200)
----------------------------------------------------------------
Brett Mastbergen (1):
netfilter: nft_ct: Add ct id support
Colin Ian King (1):
netfilter: connlabels: fix spelling mistake "trackling" -> "tracking"
Flavio Leitner (4):
netfilter: use macros to create module aliases.
netfilter: add API to manage NAT helpers.
netfilter: nf_nat: register NAT helpers.
openvswitch: load and reference the NAT helper.
Gustavo A. R. Silva (1):
netfilter: xt_hashlimit: use struct_size() helper
Li RongQing (1):
netfilter: slightly optimize nf_inet_addr_mask
Paul Gortmaker (3):
netfilter: nf_tables: relocate header content to consumer
netfilter: nf_tables: fix implicit include of module.h
netfilter: nf_tables: drop include of module.h from nf_tables.h
Tonghao Zhang (1):
netfilter: conntrack: limit sysctl setting for boolean options
include/linux/netfilter.h | 9 +++
include/net/netfilter/nf_conntrack_helper.h | 24 ++++++++
include/net/netfilter/nf_tables.h | 20 +------
include/net/netns/conntrack.h | 6 +-
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/ipv4/netfilter/nf_nat_h323.c | 2 +-
net/ipv4/netfilter/nf_nat_pptp.c | 2 +-
net/netfilter/nf_conntrack_amanda.c | 8 ++-
net/netfilter/nf_conntrack_ftp.c | 18 +++---
net/netfilter/nf_conntrack_helper.c | 86 +++++++++++++++++++++++++++++
net/netfilter/nf_conntrack_irc.c | 6 +-
net/netfilter/nf_conntrack_sane.c | 12 ++--
net/netfilter/nf_conntrack_sip.c | 28 +++++-----
net/netfilter/nf_conntrack_standalone.c | 48 +++++++++++-----
net/netfilter/nf_conntrack_tftp.c | 18 +++---
net/netfilter/nf_nat_amanda.c | 9 ++-
net/netfilter/nf_nat_ftp.c | 9 ++-
net/netfilter/nf_nat_irc.c | 9 ++-
net/netfilter/nf_nat_sip.c | 9 ++-
net/netfilter/nf_nat_tftp.c | 9 ++-
net/netfilter/nf_tables_set_core.c | 1 +
net/netfilter/nft_ct.c | 8 +++
net/netfilter/nft_dynset.c | 17 ++++++
net/netfilter/xt_connlabel.c | 2 +-
net/netfilter/xt_hashlimit.c | 3 +-
net/openvswitch/conntrack.c | 26 +++++++--
26 files changed, 302 insertions(+), 89 deletions(-)
* [PATCH 01/12] netfilter: nf_tables: relocate header content to consumer
@ 2019-05-05 23:32 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-05-05 23:32 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Paul Gortmaker <paul.gortmaker@windriver.com>
The nf_tables.h header is used in a lot of files, but it turns out that there is only one actual user of nft_expr_clone(). Hence we relocate that function to be with the one consumer of it and avoid having to process it with CPP for all the other files.
This will also enable a reduction in the other headers that the nf_tables.h itself has to include just to be stand-alone, hence a pending further significant reduction in the CPP content that needs to get processed for each netfilter file.
Note that the explicit "inline" has been dropped as part of this relocation. In similar changes to this, I believe Dave has asked this be done, so we free up gcc to make the choice of whether to inline or not.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 17 -----------------
net/netfilter/nft_dynset.c | 17 +++++++++++++++++
2 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 2d5a0a1a87b8..706f744f7308 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -806,23 +806,6 @@ void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr); int nft_expr_dump(struct sk_buff *skb, unsigned int attr, const struct nft_expr *expr); -static inline int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) -{ - int err; - - if (src->ops->clone) { - dst->ops = src->ops; - err = src->ops->clone(dst, src); - if (err < 0) - return err; - } else { - memcpy(dst, src, src->ops->size); - } - - __module_get(src->ops->type->owner); - return 0; -} - /** * struct nft_rule - nf_tables rule * diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c index e461007558e8..8394560aa695 100644 --- a/net/netfilter/nft_dynset.c +++ b/net/netfilter/nft_dynset.c @@ -28,6 +28,23 @@ struct nft_dynset { struct nft_set_binding binding; }; +static int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) +{ + int err; + + if (src->ops->clone) { + dst->ops = src->ops; + err = src->ops->clone(dst, src); + if (err < 0) + return err; + } else { + memcpy(dst, src, src->ops->size); + } + + __module_get(src->ops->type->owner); + return 0; +} + static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr, struct nft_regs *regs) { -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
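Review bot: the relocated nft_expr_clone() in the nft_dynset.c hunk calls memcpy() and __module_get(), so nft_dynset.c needs <linux/string.h> and <linux/module.h> in its own include list once patch 03 of this series stops nf_tables.h from supplying module.h transitively; please confirm that rather than rely on what other headers happen to pull in. Since the function now sits next to its only consumer, a two-line comment above it stating that a reference on src->ops->type->owner is taken on both the ->clone and the memcpy path, and is balanced when the clone is destroyed, would record the ownership contract that the header location used to imply.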
* [PATCH 02/12] netfilter: nf_tables: fix implicit include of module.h 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso 2019-05-05 23:32 ` [PATCH 01/12] netfilter: nf_tables: relocate header content to consumer Pablo Neira Ayuso @ 2019-05-05 23:32 ` Pablo Neira Ayuso 2019-05-05 23:32 ` [PATCH 03/12] netfilter: nf_tables: drop include of module.h from nf_tables.h Pablo Neira Ayuso ` (10 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:32 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Paul Gortmaker <paul.gortmaker@windriver.com> This file clearly uses modular infrastructure but does not call out the inclusion of <linux/module.h> explicitly. We add that include explicitly here, so we can tidy up some header usage elsewhere w/o causing build breakage. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_tables_set_core.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nf_tables_set_core.c b/net/netfilter/nf_tables_set_core.c index 814789644bd3..a9fce8d10051 100644 --- a/net/netfilter/nf_tables_set_core.c +++ b/net/netfilter/nf_tables_set_core.c @@ -1,4 +1,5 @@ /* SPDX-License-Identifier: GPL-2.0 */ +#include <linux/module.h> #include <net/netfilter/nf_tables_core.h> static int __init nf_tables_set_module_init(void) -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
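Review bot: the new include is placed ahead of <net/netfilter/nf_tables_core.h>, which keeps the usual linux/ before net/ ordering, so nothing to change there. While touching the top of nf_tables_set_core.c, the SPDX line could move from the `/* */` form to the `//` form that the kernel's license-rules document and checkpatch expect for .c files (the block-comment form is for headers).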
* [PATCH 03/12] netfilter: nf_tables: drop include of module.h from nf_tables.h 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso 2019-05-05 23:32 ` [PATCH 01/12] netfilter: nf_tables: relocate header content to consumer Pablo Neira Ayuso 2019-05-05 23:32 ` [PATCH 02/12] netfilter: nf_tables: fix implicit include of module.h Pablo Neira Ayuso @ 2019-05-05 23:32 ` Pablo Neira Ayuso 2019-05-05 23:32 ` [PATCH 04/12] netfilter: conntrack: limit sysctl setting for boolean options Pablo Neira Ayuso ` (9 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:32 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Paul Gortmaker <paul.gortmaker@windriver.com> Ideally, header files under include/linux shouldn't be adding includes of other headers, in anticipation of their consumers, but just the headers needed for the header itself to pass parsing with CPP. The module.h is particularly bad in this sense, as it itself does include a whole bunch of other headers, due to the complexity of module support. Since nf_tables.h is not going into a module struct looking for specific fields, we can just let it know that module is a struct, just like about 60 other include/linux headers already do. Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nf_tables.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 706f744f7308..5b8624ae4a27 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -2,7 +2,6 @@ #ifndef _NET_NF_TABLES_H #define _NET_NF_TABLES_H -#include <linux/module.h> #include <linux/list.h> #include <linux/netfilter.h> #include <linux/netfilter/nfnetlink.h> 
@@ -13,6 +12,8 @@ #include <net/netfilter/nf_flow_table.h> #include <net/netlink.h> +struct module; + #define NFT_JUMP_STACK_SIZE 16 struct nft_pktinfo { -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
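Review bot: the `struct module;` forward declaration in the second hunk covers the header's own `struct module *` members, but anything in nf_tables.h that expands to MODULE_ALIAS() or THIS_MODULE still needs <linux/module.h> at the point of use, so every consumer that relied on the transitive include now has to add it itself (patch 02 in this series is one such fix-up). The commit message should say that explicitly for out-of-tree users, and an allmodconfig build with this series applied would confirm no in-tree consumer was missed.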
* [PATCH 04/12] netfilter: conntrack: limit sysctl setting for boolean options 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (2 preceding siblings ...) 2019-05-05 23:32 ` [PATCH 03/12] netfilter: nf_tables: drop include of module.h from nf_tables.h Pablo Neira Ayuso @ 2019-05-05 23:32 ` Pablo Neira Ayuso 2019-05-05 23:32 ` [PATCH 05/12] netfilter: use macros to create module aliases Pablo Neira Ayuso ` (8 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:32 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Tonghao Zhang <xiangxia.m.yue@gmail.com> We use the zero and one to limit the boolean options setting. After this patch we only set 0 or 1 to boolean options for nf conntrack sysctl. Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netns/conntrack.h | 6 ++--- net/netfilter/nf_conntrack_standalone.c | 48 ++++++++++++++++++++++----------- 2 files changed, 36 insertions(+), 18 deletions(-) diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index f19b53130bf7..806454e767bf 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h @@ -24,9 +24,9 @@ struct nf_generic_net { struct nf_tcp_net { unsigned int timeouts[TCP_CONNTRACK_TIMEOUT_MAX]; - unsigned int tcp_loose; - unsigned int tcp_be_liberal; - unsigned int tcp_max_retrans; + int tcp_loose; + int tcp_be_liberal; + int tcp_max_retrans; }; enum udp_conntrack { diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index c2ae14c720b4..e0d392cb3075 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c 
@@ -511,6 +511,8 @@ static void nf_conntrack_standalone_fini_proc(struct net *net) /* Log invalid packets of a given protocol */ static int log_invalid_proto_min __read_mostly; static int log_invalid_proto_max __read_mostly = 255; +static int zero; +static int one = 1; /* size the user *wants to set */ static unsigned int nf_conntrack_htable_size_user __read_mostly; @@ -624,9 +626,11 @@ static struct ctl_table nf_ct_sysctl_table[] = { [NF_SYSCTL_CT_CHECKSUM] = { .procname = "nf_conntrack_checksum", .data = &init_net.ct.sysctl_checksum, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, }, [NF_SYSCTL_CT_LOG_INVALID] = { .procname = "nf_conntrack_log_invalid", 
@@ -647,33 +651,41 @@ static struct ctl_table nf_ct_sysctl_table[] = { [NF_SYSCTL_CT_ACCT] = { .procname = "nf_conntrack_acct", .data = &init_net.ct.sysctl_acct, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, }, [NF_SYSCTL_CT_HELPER] = { .procname = "nf_conntrack_helper", .data = &init_net.ct.sysctl_auto_assign_helper, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, }, #ifdef CONFIG_NF_CONNTRACK_EVENTS [NF_SYSCTL_CT_EVENTS] = { .procname = "nf_conntrack_events", .data = &init_net.ct.sysctl_events, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, }, #endif #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP [NF_SYSCTL_CT_TIMESTAMP] = { .procname = "nf_conntrack_timestamp", .data = &init_net.ct.sysctl_tstamp, - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, }, #endif [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { 
@@ -744,15 +756,19 @@ static struct ctl_table nf_ct_sysctl_table[] = { }, [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { .procname = "nf_conntrack_tcp_loose", - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, }, [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { .procname = "nf_conntrack_tcp_be_liberal", - .maxlen = sizeof(unsigned int), + .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, }, [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { .procname = "nf_conntrack_tcp_max_retrans", @@ -887,7 +903,9 @@ static struct ctl_table nf_ct_sysctl_table[] = { .procname = "nf_conntrack_dccp_loose", .maxlen = sizeof(int), .mode = 0644, - .proc_handler = proc_dointvec, + .proc_handler = proc_dointvec_minmax, + .extra1 = &zero, + .extra2 = &one, }, #endif #ifdef CONFIG_NF_CT_PROTO_GRE -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
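Review bot: in the include/net/netns/conntrack.h hunk, tcp_max_retrans is retyped from unsigned int to int together with the two boolean flags, but it is a retransmission count, not a boolean, and its sysctl entry (nf_conntrack_tcp_max_retrans, visible as trailing context in the last nf_conntrack_standalone.c hunk) keeps plain proc_dointvec, so the field can now hold a negative value whose meaning at the comparison sites differs from the old unsigned wrap-around. Either leave that field unsigned, or give it proc_dointvec_minmax with .extra1 = &zero like its neighbours so the range is bounded on purpose.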
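Review bot: the nf_conntrack_standalone.c hunks change .maxlen to sizeof(int) and switch to proc_dointvec_minmax, which reads and writes the target through an int *, so each .data target (init_net.ct.sysctl_checksum, sysctl_acct, sysctl_auto_assign_helper, sysctl_events, sysctl_tstamp) should be declared int in struct netns_ct; the conntrack.h hunk only retypes the three tcp fields, so please confirm the others already match or retype them in the same patch. The `static int zero; static int one = 1;` pair duplicates what other sysctl tables define locally, which is acceptable here, but `static int zero;` deserves an explicit `= 0` for readability next to `one = 1`.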
* [PATCH 05/12] netfilter: use macros to create module aliases. 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (3 preceding siblings ...) 2019-05-05 23:32 ` [PATCH 04/12] netfilter: conntrack: limit sysctl setting for boolean options Pablo Neira Ayuso @ 2019-05-05 23:32 ` Pablo Neira Ayuso 2019-05-05 23:32 ` [PATCH 06/12] netfilter: add API to manage NAT helpers Pablo Neira Ayuso ` (7 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:32 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Flavio Leitner <fbl@redhat.com> Each NAT helper creates a module alias which follows a pattern. Use macros for consistency. Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nf_conntrack_helper.h | 4 ++++ net/ipv4/netfilter/nf_nat_h323.c | 2 +- net/ipv4/netfilter/nf_nat_pptp.c | 2 +- net/netfilter/nf_nat_amanda.c | 2 +- net/netfilter/nf_nat_ftp.c | 2 +- net/netfilter/nf_nat_irc.c | 2 +- net/netfilter/nf_nat_sip.c | 2 +- net/netfilter/nf_nat_tftp.c | 2 +- 8 files changed, 11 insertions(+), 7 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index ec52a8dc32fd..28bd4569aa64 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h @@ -15,6 +15,10 @@ #include <net/netfilter/nf_conntrack_extend.h> #include <net/netfilter/nf_conntrack_expect.h> +#define NF_NAT_HELPER_NAME(name) "ip_nat_" name +#define MODULE_ALIAS_NF_NAT_HELPER(name) \ + MODULE_ALIAS(NF_NAT_HELPER_NAME(name)) + struct module; enum nf_ct_helper_flags { diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c index 4e6b53ab6c33..7875c98072eb 100644 --- a/net/ipv4/netfilter/nf_nat_h323.c +++ b/net/ipv4/netfilter/nf_nat_h323.c 
@@ -631,4 +631,4 @@ module_exit(fini); MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>"); MODULE_DESCRIPTION("H.323 NAT helper"); MODULE_LICENSE("GPL"); -MODULE_ALIAS("ip_nat_h323"); +MODULE_ALIAS_NF_NAT_HELPER("h323"); diff --git a/net/ipv4/netfilter/nf_nat_pptp.c b/net/ipv4/netfilter/nf_nat_pptp.c index 68b4d450391b..e17b4ee7604c 100644 --- a/net/ipv4/netfilter/nf_nat_pptp.c +++ b/net/ipv4/netfilter/nf_nat_pptp.c @@ -37,7 +37,7 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); MODULE_DESCRIPTION("Netfilter NAT helper module for PPTP"); -MODULE_ALIAS("ip_nat_pptp"); +MODULE_ALIAS_NF_NAT_HELPER("pptp"); static void pptp_nat_expected(struct nf_conn *ct, struct nf_conntrack_expect *exp) diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c index e4d61a7a5258..6b729a897c5f 100644 --- a/net/netfilter/nf_nat_amanda.c +++ b/net/netfilter/nf_nat_amanda.c @@ -22,7 +22,7 @@ MODULE_AUTHOR("Brian J. Murrell <netfilter@interlinx.bc.ca>"); MODULE_DESCRIPTION("Amanda NAT helper"); MODULE_LICENSE("GPL"); -MODULE_ALIAS("ip_nat_amanda"); +MODULE_ALIAS_NF_NAT_HELPER("amanda"); static unsigned int help(struct sk_buff *skb, enum ip_conntrack_info ctinfo, diff --git a/net/netfilter/nf_nat_ftp.c b/net/netfilter/nf_nat_ftp.c index 5063cbf1689c..0e93b1f19432 100644 --- a/net/netfilter/nf_nat_ftp.c +++ b/net/netfilter/nf_nat_ftp.c @@ -24,7 +24,7 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>"); MODULE_DESCRIPTION("ftp NAT helper"); -MODULE_ALIAS("ip_nat_ftp"); +MODULE_ALIAS_NF_NAT_HELPER("ftp"); /* FIXME: Time out? --RR */ diff --git a/net/netfilter/nf_nat_irc.c b/net/netfilter/nf_nat_irc.c index 3aa35a43100d..6c06e997395f 100644 --- a/net/netfilter/nf_nat_irc.c +++ b/net/netfilter/nf_nat_irc.c 
@@ -26,7 +26,7 @@ MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); MODULE_DESCRIPTION("IRC (DCC) NAT helper"); MODULE_LICENSE("GPL"); -MODULE_ALIAS("ip_nat_irc"); +MODULE_ALIAS_NF_NAT_HELPER("irc"); static unsigned int help(struct sk_buff *skb, enum ip_conntrack_info ctinfo, diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c index aa1be643d7a0..f1f007d9484c 100644 --- a/net/netfilter/nf_nat_sip.c +++ b/net/netfilter/nf_nat_sip.c @@ -27,7 +27,7 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); MODULE_DESCRIPTION("SIP NAT helper"); -MODULE_ALIAS("ip_nat_sip"); +MODULE_ALIAS_NF_NAT_HELPER("sip"); static unsigned int mangle_packet(struct sk_buff *skb, unsigned int protoff, diff --git a/net/netfilter/nf_nat_tftp.c b/net/netfilter/nf_nat_tftp.c index 7f67e1d5310d..dd3a835c111d 100644 --- a/net/netfilter/nf_nat_tftp.c +++ b/net/netfilter/nf_nat_tftp.c @@ -16,7 +16,7 @@ MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>"); MODULE_DESCRIPTION("TFTP NAT helper"); MODULE_LICENSE("GPL"); -MODULE_ALIAS("ip_nat_tftp"); +MODULE_ALIAS_NF_NAT_HELPER("tftp"); static unsigned int help(struct sk_buff *skb, enum ip_conntrack_info ctinfo, -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
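Review bot: NF_NAT_HELPER_NAME() in the nf_conntrack_helper.h hunk relies on adjacent string-literal concatenation, so it only compiles when `name` is a literal (a `const char *` argument fails), and the usual parenthesised-argument defence cannot be applied to it; a one-line comment saying the argument must be a string literal would spare the next reader, especially as patch 06 builds further macros on top of it. The per-module hunks are mechanical and the resulting alias strings are unchanged ("ip_nat_h323", "ip_nat_pptp", and so on), so existing modprobe behaviour is preserved.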
* [PATCH 06/12] netfilter: add API to manage NAT helpers. 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (4 preceding siblings ...) 2019-05-05 23:32 ` [PATCH 05/12] netfilter: use macros to create module aliases Pablo Neira Ayuso @ 2019-05-05 23:32 ` Pablo Neira Ayuso 2019-05-05 23:33 ` [PATCH 07/12] netfilter: nf_nat: register " Pablo Neira Ayuso ` (6 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:32 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Flavio Leitner <fbl@redhat.com> The API allows a conntrack helper to indicate its corresponding NAT helper which then can be loaded and reference counted. Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nf_conntrack_helper.h | 22 +++++++- net/netfilter/nf_conntrack_amanda.c | 8 ++- net/netfilter/nf_conntrack_ftp.c | 18 +++--- net/netfilter/nf_conntrack_helper.c | 86 +++++++++++++++++++++++++++++ net/netfilter/nf_conntrack_irc.c | 6 +- net/netfilter/nf_conntrack_sane.c | 12 ++-- net/netfilter/nf_conntrack_sip.c | 28 +++++----- net/netfilter/nf_conntrack_tftp.c | 18 +++--- 8 files changed, 161 insertions(+), 37 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index 28bd4569aa64..44b5a00a9c64 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h @@ -15,7 +15,8 @@ #include <net/netfilter/nf_conntrack_extend.h> #include <net/netfilter/nf_conntrack_expect.h> -#define NF_NAT_HELPER_NAME(name) "ip_nat_" name +#define NF_NAT_HELPER_PREFIX "ip_nat_" +#define NF_NAT_HELPER_NAME(name) NF_NAT_HELPER_PREFIX name #define MODULE_ALIAS_NF_NAT_HELPER(name) \ MODULE_ALIAS(NF_NAT_HELPER_NAME(name)) 
@@ -58,6 +59,8 @@ struct nf_conntrack_helper { unsigned int queue_num; /* length of userspace private data stored in nf_conn_help->data */ u16 data_len; + /* name of NAT helper module */ + char nat_mod_name[NF_CT_HELPER_NAME_LEN]; }; /* Must be kept in sync with the classes defined by helpers */ @@ -157,4 +160,21 @@ nf_ct_helper_expectfn_find_by_symbol(const void *symbol); extern struct hlist_head *nf_ct_helper_hash; extern unsigned int nf_ct_helper_hsize; +struct nf_conntrack_nat_helper { + struct list_head list; + char mod_name[NF_CT_HELPER_NAME_LEN]; /* module name */ + struct module *module; /* pointer to self */ +}; + +#define NF_CT_NAT_HELPER_INIT(name) \ + { \ + .mod_name = NF_NAT_HELPER_NAME(name), \ + .module = THIS_MODULE \ + } + +void nf_nat_helper_register(struct nf_conntrack_nat_helper *nat); +void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat); +int nf_nat_helper_try_module_get(const char *name, u16 l3num, + u8 protonum); +void nf_nat_helper_put(struct nf_conntrack_helper *helper); #endif /*_NF_CONNTRACK_HELPER_H*/ diff --git a/net/netfilter/nf_conntrack_amanda.c b/net/netfilter/nf_conntrack_amanda.c index f2681ec5b5f6..dbec6fca0d9e 100644 --- a/net/netfilter/nf_conntrack_amanda.c +++ b/net/netfilter/nf_conntrack_amanda.c @@ -28,11 +28,13 @@ static unsigned int master_timeout __read_mostly = 300; static char *ts_algo = "kmp"; +#define HELPER_NAME "amanda" + MODULE_AUTHOR("Brian J. Murrell <netfilter@interlinx.bc.ca>"); MODULE_DESCRIPTION("Amanda connection tracking module"); MODULE_LICENSE("GPL"); MODULE_ALIAS("ip_conntrack_amanda"); -MODULE_ALIAS_NFCT_HELPER("amanda"); +MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); module_param(master_timeout, uint, 0600); MODULE_PARM_DESC(master_timeout, "timeout for the master connection"); 
@@ -179,13 +181,14 @@ static const struct nf_conntrack_expect_policy amanda_exp_policy = { static struct nf_conntrack_helper amanda_helper[2] __read_mostly = { { - .name = "amanda", + .name = HELPER_NAME, .me = THIS_MODULE, .help = amanda_help, .tuple.src.l3num = AF_INET, .tuple.src.u.udp.port = cpu_to_be16(10080), .tuple.dst.protonum = IPPROTO_UDP, .expect_policy = &amanda_exp_policy, + .nat_mod_name = NF_NAT_HELPER_NAME(HELPER_NAME), }, { .name = "amanda", @@ -195,6 +198,7 @@ static struct nf_conntrack_helper amanda_helper[2] __read_mostly = { .tuple.src.u.udp.port = cpu_to_be16(10080), .tuple.dst.protonum = IPPROTO_UDP, .expect_policy = &amanda_exp_policy, + .nat_mod_name = NF_NAT_HELPER_NAME(HELPER_NAME), }, }; diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index a11c304fb771..32aeac1c4760 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c @@ -29,11 +29,13 @@ #include <net/netfilter/nf_conntrack_helper.h> #include <linux/netfilter/nf_conntrack_ftp.h> +#define HELPER_NAME "ftp" + MODULE_LICENSE("GPL"); MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>"); MODULE_DESCRIPTION("ftp connection tracking helper"); MODULE_ALIAS("ip_conntrack_ftp"); -MODULE_ALIAS_NFCT_HELPER("ftp"); +MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); /* This is slow, but it's simple. --RR */ static char *ftp_buffer; 
@@ -588,12 +590,14 @@ static int __init nf_conntrack_ftp_init(void) /* FIXME should be configurable whether IPv4 and IPv6 FTP connections are tracked or not - YK */ for (i = 0; i < ports_c; i++) { - nf_ct_helper_init(&ftp[2 * i], AF_INET, IPPROTO_TCP, "ftp", - FTP_PORT, ports[i], ports[i], &ftp_exp_policy, - 0, help, nf_ct_ftp_from_nlattr, THIS_MODULE); - nf_ct_helper_init(&ftp[2 * i + 1], AF_INET6, IPPROTO_TCP, "ftp", - FTP_PORT, ports[i], ports[i], &ftp_exp_policy, - 0, help, nf_ct_ftp_from_nlattr, THIS_MODULE); + nf_ct_helper_init(&ftp[2 * i], AF_INET, IPPROTO_TCP, + HELPER_NAME, FTP_PORT, ports[i], ports[i], + &ftp_exp_policy, 0, help, + nf_ct_ftp_from_nlattr, THIS_MODULE); + nf_ct_helper_init(&ftp[2 * i + 1], AF_INET6, IPPROTO_TCP, + HELPER_NAME, FTP_PORT, ports[i], ports[i], + &ftp_exp_policy, 0, help, + nf_ct_ftp_from_nlattr, THIS_MODULE); } ret = nf_conntrack_helpers_register(ftp, ports_c * 2); diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 274baf1dab87..918df7f71c8f 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c @@ -42,6 +42,9 @@ module_param_named(nf_conntrack_helper, nf_ct_auto_assign_helper, bool, 0644); MODULE_PARM_DESC(nf_conntrack_helper, "Enable automatic conntrack helper assignment (default 0)"); +static DEFINE_MUTEX(nf_ct_nat_helpers_mutex); +static struct list_head nf_ct_nat_helpers __read_mostly; + /* Stupid hash, but collision free for the default registrations of the * helpers currently in the kernel. */ static unsigned int helper_hash(const struct nf_conntrack_tuple *tuple) 
@@ -130,6 +133,70 @@ void nf_conntrack_helper_put(struct nf_conntrack_helper *helper) } EXPORT_SYMBOL_GPL(nf_conntrack_helper_put); +static struct nf_conntrack_nat_helper * +nf_conntrack_nat_helper_find(const char *mod_name) +{ + struct nf_conntrack_nat_helper *cur; + bool found = false; + + list_for_each_entry_rcu(cur, &nf_ct_nat_helpers, list) { + if (!strcmp(cur->mod_name, mod_name)) { + found = true; + break; + } + } + return found ? cur : NULL; +} + +int +nf_nat_helper_try_module_get(const char *name, u16 l3num, u8 protonum) +{ + struct nf_conntrack_helper *h; + struct nf_conntrack_nat_helper *nat; + char mod_name[NF_CT_HELPER_NAME_LEN]; + int ret = 0; + + rcu_read_lock(); + h = __nf_conntrack_helper_find(name, l3num, protonum); + if (!h) { + rcu_read_unlock(); + return -ENOENT; + } + + nat = nf_conntrack_nat_helper_find(h->nat_mod_name); + if (!nat) { + snprintf(mod_name, sizeof(mod_name), "%s", h->nat_mod_name); + rcu_read_unlock(); + request_module(mod_name); + + rcu_read_lock(); + nat = nf_conntrack_nat_helper_find(mod_name); + if (!nat) { + rcu_read_unlock(); + return -ENOENT; + } + } + + if (!try_module_get(nat->module)) + ret = -ENOENT; + + rcu_read_unlock(); + return ret; +} +EXPORT_SYMBOL_GPL(nf_nat_helper_try_module_get); + +void nf_nat_helper_put(struct nf_conntrack_helper *helper) +{ + struct nf_conntrack_nat_helper *nat; + + nat = nf_conntrack_nat_helper_find(helper->nat_mod_name); + if (WARN_ON_ONCE(!nat)) + return; + + module_put(nat->module); +} +EXPORT_SYMBOL_GPL(nf_nat_helper_put); + struct nf_conn_help * nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp) { @@ -430,6 +497,8 @@ void nf_ct_helper_init(struct nf_conntrack_helper *helper, helper->help = help; helper->from_nlattr = from_nlattr; helper->me = module; + snprintf(helper->nat_mod_name, sizeof(helper->nat_mod_name), + NF_NAT_HELPER_PREFIX "%s", name); if (spec_port == default_port) snprintf(helper->name, sizeof(helper->name), "%s", name); 
@@ -466,6 +535,22 @@ void nf_conntrack_helpers_unregister(struct nf_conntrack_helper *helper, } EXPORT_SYMBOL_GPL(nf_conntrack_helpers_unregister); +void nf_nat_helper_register(struct nf_conntrack_nat_helper *nat) +{ + mutex_lock(&nf_ct_nat_helpers_mutex); + list_add_rcu(&nat->list, &nf_ct_nat_helpers); + mutex_unlock(&nf_ct_nat_helpers_mutex); +} +EXPORT_SYMBOL_GPL(nf_nat_helper_register); + +void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat) +{ + mutex_lock(&nf_ct_nat_helpers_mutex); + list_del_rcu(&nat->list); + mutex_unlock(&nf_ct_nat_helpers_mutex); +} +EXPORT_SYMBOL_GPL(nf_nat_helper_unregister); + static const struct nf_ct_ext_type helper_extend = { .len = sizeof(struct nf_conn_help), .align = __alignof__(struct nf_conn_help), @@ -493,6 +578,7 @@ int nf_conntrack_helper_init(void) goto out_extend; } + INIT_LIST_HEAD(&nf_ct_nat_helpers); return 0; out_extend: kvfree(nf_ct_helper_hash); diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index 4099f4d79bae..79e5014b3b0d 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c @@ -42,11 +42,13 @@ unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb, struct nf_conntrack_expect *exp) __read_mostly; EXPORT_SYMBOL_GPL(nf_nat_irc_hook); +#define HELPER_NAME "irc" + MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); MODULE_DESCRIPTION("IRC (DCC) connection tracking helper"); MODULE_LICENSE("GPL"); MODULE_ALIAS("ip_conntrack_irc"); -MODULE_ALIAS_NFCT_HELPER("irc"); +MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); module_param_array(ports, ushort, &ports_c, 0400); MODULE_PARM_DESC(ports, "port numbers of IRC servers"); @@ -259,7 +261,7 @@ static int __init nf_conntrack_irc_init(void) ports[ports_c++] = IRC_PORT; for (i = 0; i < ports_c; i++) { - nf_ct_helper_init(&irc[i], AF_INET, IPPROTO_TCP, "irc", + nf_ct_helper_init(&irc[i], AF_INET, IPPROTO_TCP, HELPER_NAME, IRC_PORT, ports[i], i, &irc_exp_policy, 0, help, NULL, THIS_MODULE); } 
diff --git a/net/netfilter/nf_conntrack_sane.c b/net/netfilter/nf_conntrack_sane.c index 5072ff96ab33..83306648dd0f 100644 --- a/net/netfilter/nf_conntrack_sane.c +++ b/net/netfilter/nf_conntrack_sane.c @@ -30,10 +30,12 @@ #include <net/netfilter/nf_conntrack_expect.h> #include <linux/netfilter/nf_conntrack_sane.h> +#define HELPER_NAME "sane" + MODULE_LICENSE("GPL"); MODULE_AUTHOR("Michal Schmidt <mschmidt@redhat.com>"); MODULE_DESCRIPTION("SANE connection tracking helper"); -MODULE_ALIAS_NFCT_HELPER("sane"); +MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); static char *sane_buffer; @@ -195,12 +197,12 @@ static int __init nf_conntrack_sane_init(void) /* FIXME should be configurable whether IPv4 and IPv6 connections are tracked or not - YK */ for (i = 0; i < ports_c; i++) { - nf_ct_helper_init(&sane[2 * i], AF_INET, IPPROTO_TCP, "sane", - SANE_PORT, ports[i], ports[i], + nf_ct_helper_init(&sane[2 * i], AF_INET, IPPROTO_TCP, + HELPER_NAME, SANE_PORT, ports[i], ports[i], &sane_exp_policy, 0, help, NULL, THIS_MODULE); - nf_ct_helper_init(&sane[2 * i + 1], AF_INET6, IPPROTO_TCP, "sane", - SANE_PORT, ports[i], ports[i], + nf_ct_helper_init(&sane[2 * i + 1], AF_INET6, IPPROTO_TCP, + HELPER_NAME, SANE_PORT, ports[i], ports[i], &sane_exp_policy, 0, help, NULL, THIS_MODULE); } diff --git a/net/netfilter/nf_conntrack_sip.c b/net/netfilter/nf_conntrack_sip.c index d5454d1031a3..c30c883c370b 100644 --- a/net/netfilter/nf_conntrack_sip.c +++ b/net/netfilter/nf_conntrack_sip.c @@ -30,11 +30,13 @@ #include <net/netfilter/nf_conntrack_zones.h> #include <linux/netfilter/nf_conntrack_sip.h> +#define HELPER_NAME "sip" + MODULE_LICENSE("GPL"); MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); MODULE_DESCRIPTION("SIP connection tracking helper"); MODULE_ALIAS("ip_conntrack_sip"); -MODULE_ALIAS_NFCT_HELPER("sip"); +MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); #define MAX_PORTS 8 static unsigned short ports[MAX_PORTS]; 
@@ -1669,21 +1671,21 @@ static int __init nf_conntrack_sip_init(void) ports[ports_c++] = SIP_PORT; for (i = 0; i < ports_c; i++) { - nf_ct_helper_init(&sip[4 * i], AF_INET, IPPROTO_UDP, "sip", - SIP_PORT, ports[i], i, sip_exp_policy, - SIP_EXPECT_MAX, sip_help_udp, + nf_ct_helper_init(&sip[4 * i], AF_INET, IPPROTO_UDP, + HELPER_NAME, SIP_PORT, ports[i], i, + sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp, NULL, THIS_MODULE); - nf_ct_helper_init(&sip[4 * i + 1], AF_INET, IPPROTO_TCP, "sip", - SIP_PORT, ports[i], i, sip_exp_policy, - SIP_EXPECT_MAX, sip_help_tcp, + nf_ct_helper_init(&sip[4 * i + 1], AF_INET, IPPROTO_TCP, + HELPER_NAME, SIP_PORT, ports[i], i, + sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp, NULL, THIS_MODULE); - nf_ct_helper_init(&sip[4 * i + 2], AF_INET6, IPPROTO_UDP, "sip", - SIP_PORT, ports[i], i, sip_exp_policy, - SIP_EXPECT_MAX, sip_help_udp, + nf_ct_helper_init(&sip[4 * i + 2], AF_INET6, IPPROTO_UDP, + HELPER_NAME, SIP_PORT, ports[i], i, + sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp, NULL, THIS_MODULE); - nf_ct_helper_init(&sip[4 * i + 3], AF_INET6, IPPROTO_TCP, "sip", - SIP_PORT, ports[i], i, sip_exp_policy, - SIP_EXPECT_MAX, sip_help_tcp, + nf_ct_helper_init(&sip[4 * i + 3], AF_INET6, IPPROTO_TCP, + HELPER_NAME, SIP_PORT, ports[i], i, + sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp, NULL, THIS_MODULE); } diff --git a/net/netfilter/nf_conntrack_tftp.c b/net/netfilter/nf_conntrack_tftp.c index 548b673b3625..6977cb91ae9a 100644 --- a/net/netfilter/nf_conntrack_tftp.c +++ b/net/netfilter/nf_conntrack_tftp.c @@ -20,11 +20,13 @@ #include <net/netfilter/nf_conntrack_helper.h> #include <linux/netfilter/nf_conntrack_tftp.h> +#define HELPER_NAME "tftp" + MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>"); MODULE_DESCRIPTION("TFTP connection tracking helper"); MODULE_LICENSE("GPL"); MODULE_ALIAS("ip_conntrack_tftp"); -MODULE_ALIAS_NFCT_HELPER("tftp"); +MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); #define MAX_PORTS 8 static unsigned short ports[MAX_PORTS]; 
@@ -119,12 +121,14 @@ static int __init nf_conntrack_tftp_init(void) ports[ports_c++] = TFTP_PORT; for (i = 0; i < ports_c; i++) { - nf_ct_helper_init(&tftp[2 * i], AF_INET, IPPROTO_UDP, "tftp", - TFTP_PORT, ports[i], i, &tftp_exp_policy, - 0, tftp_help, NULL, THIS_MODULE); - nf_ct_helper_init(&tftp[2 * i + 1], AF_INET6, IPPROTO_UDP, "tftp", - TFTP_PORT, ports[i], i, &tftp_exp_policy, - 0, tftp_help, NULL, THIS_MODULE); + nf_ct_helper_init(&tftp[2 * i], AF_INET, IPPROTO_UDP, + HELPER_NAME, TFTP_PORT, ports[i], i, + &tftp_exp_policy, 0, tftp_help, NULL, + THIS_MODULE); + nf_ct_helper_init(&tftp[2 * i + 1], AF_INET6, IPPROTO_UDP, + HELPER_NAME, TFTP_PORT, ports[i], i, + &tftp_exp_policy, 0, tftp_help, NULL, + THIS_MODULE); } ret = nf_conntrack_helpers_register(tftp, ports_c * 2); -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
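Review bot: nf_nat_helper_register() in the nf_conntrack_helper.c hunk appends to nf_ct_nat_helpers without checking whether an entry with the same name is already on the list, and nf_nat_helper_unregister() only does list_del_rcu() without a grace period, so a caller must not free or unload the struct until after its own synchronize_rcu(). Either reject duplicates in register() (returning -EEXIST, which would also give callers an error path) or add a comment above the pair stating both rules, since RCU readers of the list would otherwise see whichever duplicate comes first.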
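Review bot: the INIT_LIST_HEAD(&nf_ct_nat_helpers) added to nf_conntrack_helper_init() means the list is only usable once helper init has run; if nf_ct_nat_helpers is a plain static list head, a static LIST_HEAD(nf_ct_nat_helpers) at its definition would make nf_nat_helper_register()/unregister() safe to call at any time and this line could be dropped.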
* [PATCH 07/12] netfilter: nf_nat: register NAT helpers. 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (5 preceding siblings ...) 2019-05-05 23:32 ` [PATCH 06/12] netfilter: add API to manage NAT helpers Pablo Neira Ayuso @ 2019-05-05 23:33 ` Pablo Neira Ayuso 2019-05-05 23:33 ` [PATCH 08/12] openvswitch: load and reference the NAT helper Pablo Neira Ayuso ` (5 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:33 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Flavio Leitner <fbl@redhat.com> Register amanda, ftp, irc, sip and tftp NAT helpers. Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/nf_nat_amanda.c | 9 ++++++++- net/netfilter/nf_nat_ftp.c | 9 ++++++++- net/netfilter/nf_nat_irc.c | 9 ++++++++- net/netfilter/nf_nat_sip.c | 9 +++++++-- net/netfilter/nf_nat_tftp.c | 9 ++++++++- 5 files changed, 39 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_nat_amanda.c b/net/netfilter/nf_nat_amanda.c index 6b729a897c5f..4e59416ea709 100644 --- a/net/netfilter/nf_nat_amanda.c +++ b/net/netfilter/nf_nat_amanda.c @@ -19,10 +19,15 @@ #include <net/netfilter/nf_nat_helper.h> #include <linux/netfilter/nf_conntrack_amanda.h> +#define NAT_HELPER_NAME "amanda" + MODULE_AUTHOR("Brian J. Murrell <netfilter@interlinx.bc.ca>"); MODULE_DESCRIPTION("Amanda NAT helper"); MODULE_LICENSE("GPL"); -MODULE_ALIAS_NF_NAT_HELPER("amanda"); +MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); + +static struct nf_conntrack_nat_helper nat_helper_amanda = + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); static unsigned int help(struct sk_buff *skb, enum ip_conntrack_info ctinfo, @@ -74,6 +79,7 @@ static unsigned int help(struct sk_buff *skb, static void __exit nf_nat_amanda_fini(void) { + nf_nat_helper_unregister(&nat_helper_amanda); RCU_INIT_POINTER(nf_nat_amanda_hook, NULL); synchronize_rcu(); } 
@@ -81,6 +87,7 @@ static void __exit nf_nat_amanda_fini(void) static int __init nf_nat_amanda_init(void) { BUG_ON(nf_nat_amanda_hook != NULL); + nf_nat_helper_register(&nat_helper_amanda); RCU_INIT_POINTER(nf_nat_amanda_hook, help); return 0; } diff --git a/net/netfilter/nf_nat_ftp.c b/net/netfilter/nf_nat_ftp.c index 0e93b1f19432..0ea6b1bc52de 100644 --- a/net/netfilter/nf_nat_ftp.c +++ b/net/netfilter/nf_nat_ftp.c @@ -21,13 +21,18 @@ #include <net/netfilter/nf_conntrack_expect.h> #include <linux/netfilter/nf_conntrack_ftp.h> +#define NAT_HELPER_NAME "ftp" + MODULE_LICENSE("GPL"); MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>"); MODULE_DESCRIPTION("ftp NAT helper"); -MODULE_ALIAS_NF_NAT_HELPER("ftp"); +MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); /* FIXME: Time out? --RR */ +static struct nf_conntrack_nat_helper nat_helper_ftp = + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); + static int nf_nat_ftp_fmt_cmd(struct nf_conn *ct, enum nf_ct_ftp_type type, char *buffer, size_t buflen, union nf_inet_addr *addr, u16 port) @@ -124,6 +129,7 @@ static unsigned int nf_nat_ftp(struct sk_buff *skb, static void __exit nf_nat_ftp_fini(void) { + nf_nat_helper_unregister(&nat_helper_ftp); RCU_INIT_POINTER(nf_nat_ftp_hook, NULL); synchronize_rcu(); } @@ -131,6 +137,7 @@ static void __exit nf_nat_ftp_fini(void) static int __init nf_nat_ftp_init(void) { BUG_ON(nf_nat_ftp_hook != NULL); + nf_nat_helper_register(&nat_helper_ftp); RCU_INIT_POINTER(nf_nat_ftp_hook, nf_nat_ftp); return 0; } diff --git a/net/netfilter/nf_nat_irc.c b/net/netfilter/nf_nat_irc.c index 6c06e997395f..d87cbe5e03ec 100644 --- a/net/netfilter/nf_nat_irc.c +++ b/net/netfilter/nf_nat_irc.c 
@@ -23,10 +23,15 @@ #include <net/netfilter/nf_conntrack_expect.h> #include <linux/netfilter/nf_conntrack_irc.h> +#define NAT_HELPER_NAME "irc" + MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); MODULE_DESCRIPTION("IRC (DCC) NAT helper"); MODULE_LICENSE("GPL"); -MODULE_ALIAS_NF_NAT_HELPER("irc"); +MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); + +static struct nf_conntrack_nat_helper nat_helper_irc = + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); static unsigned int help(struct sk_buff *skb, enum ip_conntrack_info ctinfo, @@ -96,6 +101,7 @@ static unsigned int help(struct sk_buff *skb, static void __exit nf_nat_irc_fini(void) { + nf_nat_helper_unregister(&nat_helper_irc); RCU_INIT_POINTER(nf_nat_irc_hook, NULL); synchronize_rcu(); } @@ -103,6 +109,7 @@ static void __exit nf_nat_irc_fini(void) static int __init nf_nat_irc_init(void) { BUG_ON(nf_nat_irc_hook != NULL); + nf_nat_helper_register(&nat_helper_irc); RCU_INIT_POINTER(nf_nat_irc_hook, help); return 0; } diff --git a/net/netfilter/nf_nat_sip.c b/net/netfilter/nf_nat_sip.c index f1f007d9484c..464387b3600f 100644 --- a/net/netfilter/nf_nat_sip.c +++ b/net/netfilter/nf_nat_sip.c @@ -24,11 +24,15 @@ #include <net/netfilter/nf_conntrack_seqadj.h> #include <linux/netfilter/nf_conntrack_sip.h> +#define NAT_HELPER_NAME "sip" + MODULE_LICENSE("GPL"); MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); MODULE_DESCRIPTION("SIP NAT helper"); -MODULE_ALIAS_NF_NAT_HELPER("sip"); +MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); +static struct nf_conntrack_nat_helper nat_helper_sip = + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); static unsigned int mangle_packet(struct sk_buff *skb, unsigned int protoff, unsigned int dataoff, @@ -656,8 +660,8 @@ static struct nf_ct_helper_expectfn sip_nat = { static void __exit nf_nat_sip_fini(void) { + nf_nat_helper_unregister(&nat_helper_sip); RCU_INIT_POINTER(nf_nat_sip_hooks, NULL); - nf_ct_helper_expectfn_unregister(&sip_nat); synchronize_rcu(); } 
@@ -675,6 +679,7 @@ static const struct nf_nat_sip_hooks sip_hooks = { static int __init nf_nat_sip_init(void) { BUG_ON(nf_nat_sip_hooks != NULL); + nf_nat_helper_register(&nat_helper_sip); RCU_INIT_POINTER(nf_nat_sip_hooks, &sip_hooks); nf_ct_helper_expectfn_register(&sip_nat); return 0; diff --git a/net/netfilter/nf_nat_tftp.c b/net/netfilter/nf_nat_tftp.c index dd3a835c111d..e633b3863e33 100644 --- a/net/netfilter/nf_nat_tftp.c +++ b/net/netfilter/nf_nat_tftp.c @@ -13,10 +13,15 @@ #include <net/netfilter/nf_nat_helper.h> #include <linux/netfilter/nf_conntrack_tftp.h> +#define NAT_HELPER_NAME "tftp" + MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>"); MODULE_DESCRIPTION("TFTP NAT helper"); MODULE_LICENSE("GPL"); -MODULE_ALIAS_NF_NAT_HELPER("tftp"); +MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); + +static struct nf_conntrack_nat_helper nat_helper_tftp = + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); static unsigned int help(struct sk_buff *skb, enum ip_conntrack_info ctinfo, @@ -37,6 +42,7 @@ static unsigned int help(struct sk_buff *skb, static void __exit nf_nat_tftp_fini(void) { + nf_nat_helper_unregister(&nat_helper_tftp); RCU_INIT_POINTER(nf_nat_tftp_hook, NULL); synchronize_rcu(); } @@ -44,6 +50,7 @@ static void __exit nf_nat_tftp_fini(void) static int __init nf_nat_tftp_init(void) { BUG_ON(nf_nat_tftp_hook != NULL); + nf_nat_helper_register(&nat_helper_tftp); RCU_INIT_POINTER(nf_nat_tftp_hook, help); return 0; } -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
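Review bot: the nf_nat_sip_fini() hunk deletes `nf_ct_helper_expectfn_unregister(&sip_nat);` while nf_nat_sip_init() in the following hunk still calls `nf_ct_helper_expectfn_register(&sip_nat);`. After this patch the expectfn stays registered with the conntrack core after the module is unloaded, leaving a pointer into freed module memory. The fini hunk should only add `nf_nat_helper_unregister(&nat_helper_sip);` and keep the unregister line; the diffstat for nf_nat_sip.c (`9 +++++++--`, two deletions where every other file has one) shows the extra removal.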
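Review bot: in the nf_nat_ftp.c hunk the new `static struct nf_conntrack_nat_helper nat_helper_ftp` is placed directly under the pre-existing `/* FIXME: Time out? --RR */` comment, so the comment now reads as if it applies to the NAT helper definition rather than to nf_nat_ftp_fmt_cmd() below it. Move the definition above the comment, next to the MODULE_ALIAS_NF_NAT_HELPER line as the other four files do.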
* [PATCH 08/12] openvswitch: load and reference the NAT helper. 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (6 preceding siblings ...) 2019-05-05 23:33 ` [PATCH 07/12] netfilter: nf_nat: register " Pablo Neira Ayuso @ 2019-05-05 23:33 ` Pablo Neira Ayuso 2019-05-05 23:33 ` [PATCH 09/12] netfilter: nft_ct: Add ct id support Pablo Neira Ayuso ` (4 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:33 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Flavio Leitner <fbl@redhat.com> This improves the original commit 17c357efe5ec ("openvswitch: load NAT helper") where it unconditionally tries to load the module for every flow using NAT, so not efficient when loading multiple flows. It also doesn't hold any references to the NAT module while the flow is active. This change fixes those problems. It will try to load the module only if it's not present. It grabs a reference to the NAT module and holds it while the flow is active. Finally, an error message shows up if either actions above fails. Fixes: 17c357efe5ec ("openvswitch: load NAT helper") Signed-off-by: Flavio Leitner <fbl@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/openvswitch/conntrack.c | 26 ++++++++++++++++++++------ 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/net/openvswitch/conntrack.c b/net/openvswitch/conntrack.c index bded32144619..c4128082f88b 100644 --- a/net/openvswitch/conntrack.c +++ b/net/openvswitch/conntrack.c @@ -1307,6 +1307,7 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, { struct nf_conntrack_helper *helper; struct nf_conn_help *help; + int ret = 0; helper = nf_conntrack_helper_try_module_get(name, info->family, key->ip.proto); 
@@ -1321,13 +1322,21 @@ static int ovs_ct_add_helper(struct ovs_conntrack_info *info, const char *name, return -ENOMEM; } +#ifdef CONFIG_NF_NAT_NEEDED + if (info->nat) { + ret = nf_nat_helper_try_module_get(name, info->family, + key->ip.proto); + if (ret) { + nf_conntrack_helper_put(helper); + OVS_NLERR(log, "Failed to load \"%s\" NAT helper, error: %d", + name, ret); + return ret; + } + } +#endif rcu_assign_pointer(help->helper, helper); info->helper = helper; - - if (info->nat) - request_module("ip_nat_%s", name); - - return 0; + return ret; } #if IS_ENABLED(CONFIG_NF_NAT) @@ -1801,8 +1810,13 @@ void ovs_ct_free_action(const struct nlattr *a) static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) { - if (ct_info->helper) + if (ct_info->helper) { +#ifdef CONFIG_NF_NAT_NEEDED + if (ct_info->nat) + nf_nat_helper_put(ct_info->helper); +#endif nf_conntrack_helper_put(ct_info->helper); + } if (ct_info->ct) { if (ct_info->timeout[0]) nf_ct_destroy_timeout(ct_info->ct); -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
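Review bot: the ovs_ct_add_helper() hunk guards the NAT helper lookup with `#ifdef CONFIG_NF_NAT_NEEDED`, while the line immediately after the hunk in the same file uses `#if IS_ENABLED(CONFIG_NF_NAT)`; the same two symbols are mixed again in the __ovs_ct_free_action() hunk. Use one symbol throughout so the nf_nat_helper_try_module_get() here and the matching nf_nat_helper_put() in the free path cannot be compiled out independently of the rest of the file's NAT support. Also, `ret` is always 0 when control reaches the final `return ret;`, so `return 0;` is clearer and the `int ret = 0;` initialisation can go.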
* [PATCH 09/12] netfilter: nft_ct: Add ct id support 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (7 preceding siblings ...) 2019-05-05 23:33 ` [PATCH 08/12] openvswitch: load and reference the NAT helper Pablo Neira Ayuso @ 2019-05-05 23:33 ` Pablo Neira Ayuso 2019-05-05 23:33 ` [PATCH 10/12] netfilter: connlabels: fix spelling mistake "trackling" -> "tracking" Pablo Neira Ayuso ` (3 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:33 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Brett Mastbergen <bmastbergen@untangle.com> The 'id' key returns the unique id of the conntrack entry as returned by nf_ct_get_id(). Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_ct.c | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 061bb3eb20c3..f0cf7b0f4f35 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -967,6 +967,7 @@ enum nft_socket_keys { * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack + * @NFT_CT_ID: conntrack id */ enum nft_ct_keys { NFT_CT_STATE, @@ -993,6 +994,7 @@ enum nft_ct_keys { NFT_CT_SRC_IP6, NFT_CT_DST_IP6, NFT_CT_TIMEOUT, + NFT_CT_ID, __NFT_CT_MAX }; #define NFT_CT_MAX (__NFT_CT_MAX - 1) diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index b422b74bfe08..f043936763f3 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c 
@@ -178,6 +178,11 @@ static void nft_ct_get_eval(const struct nft_expr *expr, return; } #endif + case NFT_CT_ID: + if (!nf_ct_is_confirmed(ct)) + goto err; + *dest = nf_ct_get_id(ct); + return; default: break; } @@ -479,6 +484,9 @@ static int nft_ct_get_init(const struct nft_ctx *ctx, len = sizeof(u16); break; #endif + case NFT_CT_ID: + len = sizeof(u32); + break; default: return -EOPNOTSUPP; } -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
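Review bot: the NFT_CT_ID case in nft_ct_get_eval() jumps to err for an unconfirmed conntrack, so a rule reading ct id in a chain that runs before confirmation (the first packet of a flow in prerouting or output) will not match. That restriction is reasonable but is not mentioned in the commit message ("returns the unique id of the conntrack entry"), and it should be, so the nft man page can carry the same caveat.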
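Review bot: nft_ct_get_init() sets `len = sizeof(u32)` for NFT_CT_ID, matching the `*dest = nf_ct_get_id(ct);` store in the eval hunk, and the value is written in host byte order like the other integer ct keys; the uapi comment `@NFT_CT_ID: conntrack id` could say that the id is a 32-bit host-order value so userspace does not attempt a byte-order conversion when comparing against it.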
* [PATCH 10/12] netfilter: connlabels: fix spelling mistake "trackling" -> "tracking" 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (8 preceding siblings ...) 2019-05-05 23:33 ` [PATCH 09/12] netfilter: nft_ct: Add ct id support Pablo Neira Ayuso @ 2019-05-05 23:33 ` Pablo Neira Ayuso 2019-05-05 23:33 ` [PATCH 11/12] netfilter: xt_hashlimit: use struct_size() helper Pablo Neira Ayuso ` (2 subsequent siblings) 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:33 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Colin Ian King <colin.king@canonical.com> There is a spelling mistake in the module description. Fix this. Signed-off-by: Colin Ian King <colin.king@canonical.com> Reviewed-by: Mukesh Ojha <mojha@codeaurora.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/xt_connlabel.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/xt_connlabel.c b/net/netfilter/xt_connlabel.c index 4fa4efd24353..893374ac3758 100644 --- a/net/netfilter/xt_connlabel.c +++ b/net/netfilter/xt_connlabel.c @@ -15,7 +15,7 @@ MODULE_LICENSE("GPL"); MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); -MODULE_DESCRIPTION("Xtables: add/match connection trackling labels"); +MODULE_DESCRIPTION("Xtables: add/match connection tracking labels"); MODULE_ALIAS("ipt_connlabel"); MODULE_ALIAS("ip6t_connlabel"); -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
* [PATCH 11/12] netfilter: xt_hashlimit: use struct_size() helper 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (9 preceding siblings ...) 2019-05-05 23:33 ` [PATCH 10/12] netfilter: connlabels: fix spelling mistake "trackling" -> "tracking" Pablo Neira Ayuso @ 2019-05-05 23:33 ` Pablo Neira Ayuso 2019-05-05 23:33 ` [PATCH 12/12] netfilter: slightly optimize nf_inet_addr_mask Pablo Neira Ayuso 2019-05-06 4:35 ` [PATCH 00/12] Netfilter updates for net-next David Miller 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:33 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: "Gustavo A. R. Silva" <gustavo@embeddedor.com> Make use of the struct_size() helper instead of an open-coded version in order to avoid any potential type mistakes, in particular in the context in which this code is being used. So, replace code of the following form: sizeof(struct xt_hashlimit_htable) + sizeof(struct hlist_head) * size with: struct_size(hinfo, hash, size) This code was detected with the help of Coccinelle. Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/xt_hashlimit.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 8d86e39d6280..a30536b17ee1 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -288,8 +288,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, size = 16; } /* FIXME: don't use vmalloc() here or anywhere else -HW */ - hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) + - sizeof(struct hlist_head) * size); + hinfo = vmalloc(struct_size(hinfo, hash, size)); if (hinfo == NULL) return -ENOMEM; *out_hinfo = hinfo; -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
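Review bot: the struct_size() replacement in htable_create() also changes overflow behaviour, and the commit message should say so rather than only citing "potential type mistakes": the old `sizeof(struct xt_hashlimit_htable) + sizeof(struct hlist_head) * size` could wrap silently for a large `size`, whereas struct_size() saturates to SIZE_MAX, so vmalloc() fails and the existing `if (hinfo == NULL) return -ENOMEM;` check now catches the overflow as well.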
* [PATCH 12/12] netfilter: slightly optimize nf_inet_addr_mask 2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso ` (10 preceding siblings ...) 2019-05-05 23:33 ` [PATCH 11/12] netfilter: xt_hashlimit: use struct_size() helper Pablo Neira Ayuso @ 2019-05-05 23:33 ` Pablo Neira Ayuso 2019-05-06 4:35 ` [PATCH 00/12] Netfilter updates for net-next David Miller 12 siblings, 0 replies; 27+ messages in thread From: Pablo Neira Ayuso @ 2019-05-05 23:33 UTC (permalink / raw) To: netfilter-devel; +Cc: davem, netdev From: Li RongQing <lirongqing@baidu.com> using 64bit computation to slightly optimize nf_inet_addr_mask Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/linux/netfilter.h | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index a7252f3baeb0..996bc247ef6e 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -41,10 +41,19 @@ static inline void nf_inet_addr_mask(const union nf_inet_addr *a1, union nf_inet_addr *result, const union nf_inet_addr *mask) { +#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 + const unsigned long *ua = (const unsigned long *)a1; + unsigned long *ur = (unsigned long *)result; + const unsigned long *um = (const unsigned long *)mask; + + ur[0] = ua[0] & um[0]; + ur[1] = ua[1] & um[1]; +#else result->all[0] = a1->all[0] & mask->all[0]; result->all[1] = a1->all[1] & mask->all[1]; result->all[2] = a1->all[2] & mask->all[2]; result->all[3] = a1->all[3] & mask->all[3]; +#endif } int netfilter_init(void); -- 2.11.0 ^ permalink raw reply related [flat|nested] 27+ messages in thread
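Review bot: the 64-bit branch of nf_inet_addr_mask() casts `union nf_inet_addr *` to `unsigned long *`, which assumes 8-byte alignment of a union whose members are 32-bit words (the #else branch masks `all[0]`..`all[3]`); the CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS guard makes this work on the architectures that select it, but the access is still an unaligned load through a pointer of stricter alignment. Using get_unaligned()/put_unaligned() on u64 would keep the optimisation while making the intent explicit, and the commit message ("slightly optimize") should cite a measurement.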
* Re: [PATCH 00/12] Netfilter updates for net-next
2019-05-05 23:32 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (11 preceding siblings ...)
2019-05-05 23:33 ` [PATCH 12/12] netfilter: slightly optimize nf_inet_addr_mask Pablo Neira Ayuso
@ 2019-05-06 4:35 ` David Miller
12 siblings, 0 replies; 27+ messages in thread
From: David Miller @ 2019-05-06 4:35 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 6 May 2019 01:32:53 +0200
> The following batch contains Netfilter updates for net-next, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled, thanks.
* [PATCH 00/12] Netfilter updates for net-next
@ 2016-11-01 21:26 Pablo Neira Ayuso
2016-11-02 18:59 ` David Miller
0 siblings, 1 reply; 27+ messages in thread
From: Pablo Neira Ayuso @ 2016-11-01 21:26 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter updates for your net-next
tree. This includes better integration with the routing subsystem for
nf_tables, explicit notrack support and smaller updates. More
specifically, they are:
1) Add fib lookup expression for nf_tables, from Florian Westphal. This
new expression provides a native replacement for iptables addrtype
and rp_filter matches. This is more flexible though, since we can
populate the kernel flowi representation to inquire fib to
accommodate new use cases, such as RTBH through skb mark.
2) Introduce rt expression for nf_tables, from Anders K. Pedersen. This
new expression allows you to access skbuff route metadata, more
specifically nexthop and classid fields.
3) Add notrack support for nf_tables, to skip conntracking, requested by
many users already.
4) Add boilerplate code to allow use of the nf_log infrastructure from
nf_tables ingress.
5) Allow mangling pkttype from the nf_tables prerouting chain, to emulate
the xtables cluster match, from Liping Zhang.
6) Move socket lookup code into generic nf_socket_* infrastructure so
we can provide a native replacement for the xtables socket match.
7) Make sure nfnetlink_queue data that is updated on every packet is
placed in a different cacheline from read-only data, from Florian Westphal.
8) Handle NF_STOLEN from nf_tables core, also from Florian Westphal.
9) Start round robin number generation in nft_numgen from zero,
instead of n-1, for consistency with xtables statistics match,
patch from Liping Zhang.
10) Set GFP_NOWARN flag in skbuff netlink allocations in nfnetlink_log,
given we retry with a smaller allocation on failure, from Calvin Owens.
11) Cleanup xt_multiport to use switch(), from Gao Feng.
12) Remove superfluous check in nft_immediate and nft_cmp, from
Liping Zhang.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit 432490f9d455fb842d70219f22d9d2c812371676:
net: ip, diag -- Add diag interface for raw sockets (2016-10-23 19:35:24 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to 886bc50348fd69972baa4616ce95b7dc9ff8afe7:
netfilter: nf_queue: place volatile data in own cacheline (2016-11-01 20:50:33 +0100)
----------------------------------------------------------------
Anders K. Pedersen (1):
netfilter: nf_tables: introduce routing expression
Calvin Owens (1):
netfilter: nfnetlink_log: Use GFP_NOWARN for skb allocation
Florian Westphal (3):
netfilter: nf_tables: allow expressions to return STOLEN
netfilter: nf_tables: add fib expression
netfilter: nf_queue: place volatile data in own cacheline
Gao Feng (1):
netfilter: xt_multiport: Use switch case instead of multiple condition checks
Liping Zhang (3):
netfilter: nft_numgen: start round robin from zero
netfilter: nft_meta: permit pkttype mangling in ip/ip6 prerouting
netfilter: nf_tables: remove useless U8_MAX validation
Pablo Neira Ayuso (3):
netfilter: nft_ct: add notrack support
netfilter: nf_log: add packet logging for netdev family
netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c
include/net/netfilter/nf_log.h | 5 +
include/net/netfilter/nf_socket.h | 27 +++
include/net/netfilter/nft_fib.h | 31 ++++
include/uapi/linux/netfilter/nf_tables.h | 63 +++++++
net/bridge/netfilter/Kconfig | 1 +
net/bridge/netfilter/nf_log_bridge.c | 16 +-
net/ipv4/netfilter/Kconfig | 14 ++
net/ipv4/netfilter/Makefile | 3 +
net/ipv4/netfilter/nf_socket_ipv4.c | 163 +++++++++++++++++
net/ipv4/netfilter/nft_fib_ipv4.c | 238 ++++++++++++++++++++++++
net/ipv6/netfilter/Kconfig | 14 ++
net/ipv6/netfilter/Makefile | 3 +
net/ipv6/netfilter/nf_socket_ipv6.c | 151 +++++++++++++++
net/ipv6/netfilter/nft_fib_ipv6.c | 275 ++++++++++++++++++++++++++++
net/netfilter/Kconfig | 26 ++-
net/netfilter/Makefile | 6 +
net/netfilter/nf_log_common.c | 27 +++
net/netfilter/nf_log_netdev.c | 80 ++++++++
net/netfilter/nf_tables_core.c | 1 +
net/netfilter/nfnetlink_log.c | 2 +-
net/netfilter/nfnetlink_queue.c | 2 +-
net/netfilter/nft_cmp.c | 3 -
net/netfilter/nft_ct.c | 50 ++++-
net/netfilter/nft_fib.c | 159 ++++++++++++++++
net/netfilter/nft_fib_inet.c | 82 +++++++++
net/netfilter/nft_immediate.c | 3 -
net/netfilter/nft_meta.c | 5 +
net/netfilter/nft_numgen.c | 2 +-
net/netfilter/nft_rt.c | 153 ++++++++++++++++
net/netfilter/xt_multiport.c | 40 ++--
net/netfilter/xt_socket.c | 305 +------------------------------
31 files changed, 1610 insertions(+), 340 deletions(-)
create mode 100644 include/net/netfilter/nf_socket.h
create mode 100644 include/net/netfilter/nft_fib.h
create mode 100644 net/ipv4/netfilter/nf_socket_ipv4.c
create mode 100644 net/ipv4/netfilter/nft_fib_ipv4.c
create mode 100644 net/ipv6/netfilter/nf_socket_ipv6.c
create mode 100644 net/ipv6/netfilter/nft_fib_ipv6.c
create mode 100644 net/netfilter/nf_log_netdev.c
create mode 100644 net/netfilter/nft_fib.c
create mode 100644 net/netfilter/nft_fib_inet.c
create mode 100644 net/netfilter/nft_rt.c
* Re: [PATCH 00/12] Netfilter updates for net-next
2016-11-01 21:26 Pablo Neira Ayuso
@ 2016-11-02 18:59 ` David Miller
0 siblings, 0 replies; 27+ messages in thread
From: David Miller @ 2016-11-02 18:59 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 1 Nov 2016 22:26:21 +0100
> The following patchset contains Netfilter updates for your net-next
> tree. This includes better integration with the routing subsystem for
> nf_tables, explicit notrack support and smaller updates. More
> specifically, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
The nft fib module looks really cool.
Pulled, thanks Pablo.
* [PATCH 00/12] Netfilter updates for net-next
@ 2015-06-19 17:17 Pablo Neira Ayuso
2015-06-20 22:40 ` David Miller
0 siblings, 1 reply; 27+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains a final Netfilter pull request for net-next
4.2. This mostly addresses some fallout from the previous pull request, small
netns updates and a couple of new features for nfnetlink_log and the socket
match that didn't get in time for the previous pull request. More specifically
they are:
1) Add security context information to nfnetlink_queue, from Roman Kubiak.
2) Add support to restore the sk_mark into skb->mark through xt_socket,
from Harout Hedeshian.
3) Force alignment of 16 bytes of per cpu xt_counters, from Eric Dumazet.
4) Rename br_netfilter.c to br_netfilter_hooks.c to prepare the split of IPv6 code
into a separate file.
5) Move the IPv6 code in br_netfilter into a separate file.
6) Remove unused RCV_SKB_FAIL() in nfnetlink_queue and nfnetlink_log, from Eric
Biederman.
7) Two liner to simplify netns logic in em_ipset_match().
8) Add missing includes to net/net_namespace.h to avoid compilation problems
that result from not including linux/netfilter.h in netns headers.
9) Use a forward declaration instead of including linux/proc_fs.h from
netns/netfilter.h
10) Add a new linux/netfilter_defs.h to replace the linux/netfilter.h inclusion
in netns headers.
11) Remove spurious netfilter.h file included in the net tree, also from Eric
Biederman.
12) Fix x_tables compilation warnings on 32-bit platforms that resulted from
recent changes in x_tables counters, from Florian Westphal.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit 89d256bb69f2596c3a31ac51466eac9e1791c388:
bpf: disallow bpf tc programs access current->pid,uid (2015-06-15 20:51:20 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
for you to fetch changes up to dcb8f5c8139ef945cdfd55900fae265c4dbefc02:
netfilter: xtables: fix warnings on 32bit platforms (2015-06-18 21:14:33 +0200)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: x_tables: align per cpu xt_counter
Eric W Biederman (1):
netfilter: Remove spurios included of netfilter.h
Eric W. Biederman (2):
netfilter: Kill unused copies of RCV_SKB_FAIL
net: sched: Simplify em_ipset_match
Florian Westphal (1):
netfilter: xtables: fix warnings on 32bit platforms
Harout Hedeshian (1):
netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag
Pablo Neira Ayuso (5):
netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c
netfilter: bridge: split ipv6 code into separated file
net: include missing headers in net/net_namespace.h
netfilter: use forward declaration instead of including linux/proc_fs.h
netfilter: don't pull include/linux/netfilter.h from netns headers
Roman Kubiak (1):
netfilter: nfnetlink_queue: add security context information
drivers/net/hamradio/bpqether.c | 1 -
drivers/net/ppp/pptp.c | 2 -
drivers/net/wan/lapbether.c | 1 -
include/linux/netfilter.h | 6 +-
include/linux/netfilter/x_tables.h | 14 +-
include/linux/netfilter_defs.h | 9 +
include/net/net_namespace.h | 2 +
include/net/netfilter/br_netfilter.h | 60 +++++
include/net/netns/netfilter.h | 4 +-
include/net/netns/x_tables.h | 2 +-
include/uapi/linux/netfilter.h | 3 +-
include/uapi/linux/netfilter/nfnetlink_queue.h | 4 +-
include/uapi/linux/netfilter/xt_socket.h | 8 +
net/ax25/af_ax25.c | 1 -
net/ax25/ax25_in.c | 1 -
net/ax25/ax25_ip.c | 1 -
net/ax25/ax25_out.c | 1 -
net/ax25/ax25_uid.c | 1 -
net/bridge/Makefile | 2 +
.../{br_netfilter.c => br_netfilter_hooks.c} | 248 +-------------------
net/bridge/br_netfilter_ipv6.c | 245 +++++++++++++++++++
net/ipv6/output_core.c | 1 +
net/netfilter/nf_synproxy_core.c | 1 +
net/netfilter/nfnetlink_log.c | 2 -
net/netfilter/nfnetlink_queue_core.c | 37 ++-
net/netfilter/xt_socket.c | 59 ++++-
net/netrom/nr_route.c | 1 -
net/rose/rose_link.c | 1 -
net/rose/rose_route.c | 1 -
net/sched/em_ipset.c | 4 +-
security/selinux/xfrm.c | 3 -
31 files changed, 444 insertions(+), 282 deletions(-)
create mode 100644 include/linux/netfilter_defs.h
rename net/bridge/{br_netfilter.c => br_netfilter_hooks.c} (82%)
create mode 100644 net/bridge/br_netfilter_ipv6.c
* Re: [PATCH 00/12] Netfilter updates for net-next
2015-06-19 17:17 Pablo Neira Ayuso
@ 2015-06-20 22:40 ` David Miller
0 siblings, 0 replies; 27+ messages in thread
From: David Miller @ 2015-06-20 22:40 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 19 Jun 2015 19:17:37 +0200
> The following patchset contains a final Netfilter pull request for net-next
> 4.2. This mostly addresses some fallout from the previous pull request, small
> netns updates and a couple of new features for nfnetlink_log and the socket
> match that didn't get in time for the previous pull request. More specifically
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled, thanks a lot Pablo.
* [PATCH 00/12] Netfilter updates for net-next
@ 2015-03-09 17:14 Pablo Neira Ayuso
2015-03-09 19:59 ` David Miller
0 siblings, 1 reply; 27+ messages in thread
From: Pablo Neira Ayuso @ 2015-03-09 17:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter updates for your net-next
tree. Basically, improvements for the packet rejection infrastructure,
deprecation of CLUSTERIP, cleanups for nf_tables and some untangling for
br_netfilter. More specifically they are:
1) Send packet to reset flow if checksum is valid, from Florian Westphal.
2) Fix nf_tables reject bridge from the input chain, also from Florian.
3) Deprecate the CLUSTERIP target, the cluster match supersedes it in
functionality and it's known to have problems.
4) A couple of cleanups for nf_tables rule tracing infrastructure, from
Patrick McHardy.
5) Another cleanup to place transaction declarations at the bottom of
nf_tables.h, also from Patrick.
6) Consolidate Kconfig dependencies wrt. NF_TABLES.
7) Limit table names to 32 bytes in nf_tables.
8) mac header copying in bridge netfilter is already required when
calling ip_fragment(), from Florian Westphal.
9) move nf_bridge_update_protocol() to br_netfilter.c, also from
Florian.
10) Small refactor in br_netfilter in the transmission path, again from
Florian.
11) Move br_nf_pre_routing_finish_bridge_slow() to br_netfilter.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
And I'd appreciate if you can pull net into net-next, Patrick has some
pending changes that require patches already in your net tree.
Thanks a lot!
----------------------------------------------------------------
The following changes since commit b898441f4ece44933af90b116b467f7864dd1ae7:
Merge branch 'neigh_cleanups' (2015-03-02 16:43:46 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
for you to fetch changes up to e5de75bf88858f5b3ab11e2504b86ec059f03102:
netfilter: bridge: move DNAT helper to br_netfilter (2015-03-09 17:56:07 +0100)
----------------------------------------------------------------
Florian Westphal (5):
netfilter: reject: don't send icmp error if csum is invalid
netfilter: bridge: rework reject handling
bridge: move mac header copying into br_netfilter
netfilter: bridge: move nf_bridge_update_protocol to where its used
netfilter: bridge: refactor conditional in br_nf_dev_queue_xmit
Pablo Neira Ayuso (4):
netfilter: ipt_CLUSTERIP: deprecate it in favour of xt_cluster
netfilter: nf_tables: consolidate Kconfig options
netfilter: nf_tables: limit maximum table name length to 32 bytes
netfilter: bridge: move DNAT helper to br_netfilter
Patrick McHardy (3):
netfilter: nf_tables: minor tracing cleanups
netfilter: nf_tables: consolidate tracing invocations
netfilter: nf_tables: cleanup nf_tables.h
include/linux/netfilter_bridge.h | 51 ---------
include/net/netfilter/ipv4/nf_reject.h | 6 +-
include/net/netfilter/ipv6/nf_reject.h | 11 +-
include/net/netfilter/nf_tables.h | 176 +++++++++++++++---------------
include/net/netns/x_tables.h | 1 +
include/uapi/linux/netfilter/nf_tables.h | 1 +
net/bridge/br_device.c | 5 +-
net/bridge/br_forward.c | 4 +-
net/bridge/br_netfilter.c | 78 ++++++++++++-
net/bridge/br_private.h | 5 +
net/bridge/netfilter/nft_reject_bridge.c | 84 +++++++++++---
net/ipv4/netfilter/Kconfig | 38 ++++---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 7 ++
net/ipv4/netfilter/ipt_REJECT.c | 17 +--
net/ipv4/netfilter/nf_reject_ipv4.c | 23 ++++
net/ipv4/netfilter/nft_reject_ipv4.c | 3 +-
net/ipv6/netfilter/Kconfig | 18 +--
net/ipv6/netfilter/nf_reject_ipv6.c | 35 ++++++
net/netfilter/Kconfig | 20 +---
net/netfilter/nf_tables_api.c | 7 +-
net/netfilter/nf_tables_core.c | 105 +++++++++---------
net/netfilter/nft_reject_inet.c | 6 +-
22 files changed, 412 insertions(+), 289 deletions(-)
* Re: [PATCH 00/12] Netfilter updates for net-next
2015-03-09 17:14 Pablo Neira Ayuso
@ 2015-03-09 19:59 ` David Miller
0 siblings, 0 replies; 27+ messages in thread
From: David Miller @ 2015-03-09 19:59 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 9 Mar 2015 18:14:23 +0100
> The following patchset contains Netfilter updates for your net-next
> tree. Basically, improvements for the packet rejection infrastructure,
> deprecation of CLUSTERIP, cleanups for nf_tables and some untangling for
> br_netfilter. More specifically they are:
Pulled, thanks.
> And I'd appreciate if you can pull net into net-next, Patrick has some
> pending changes that require patches already your net tree.
I anticipate this happening after takes a 'net' pull request from me this evening.
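Item 1 of the 2015-03-09 pull request above (reject: don't send an ICMP error or a TCP reset if the checksum is invalid) is worth seeing in code. The block below is an added example, not the kernel's nf_reject code: it validates the TCP checksum of an IPv4 packet over the pseudo-header before deciding that a REJECT target may answer with a RST, and drops the packet silently otherwise; the ICMP error case follows the same rule. The constructed packet, the RST-suppression check and the `reject_decide`/`decide_sample` names are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel's reject code: verify the TCP checksum of an
 * IPv4 packet before answering it with a RST. A packet with a bad checksum
 * would be dropped by the receiving stack anyway, so replying to it only lets
 * a forged or corrupted packet provoke traffic from the firewall. */

/* RFC 1071 one's-complement sum over p[0..len), accumulated into sum. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
    for (; len > 1; p += 2, len -= 2)
        sum += (uint32_t)p[0] << 8 | p[1];
    if (len)
        sum += (uint32_t)p[0] << 8;           /* odd trailing byte */
    return sum;
}

static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Value the TCP checksum field should hold: pseudo-header (src, dst, zero,
 * protocol, TCP length) plus the segment with its own checksum field skipped.
 * The caller has already checked that len >= IHL*4 + 20. */
static uint16_t tcp_checksum(const uint8_t *ip, size_t len)
{
    size_t ihl = (ip[0] & 0x0f) * 4u, tcp_len = len - ihl;
    uint8_t pseudo[12];
    uint32_t sum;

    memcpy(pseudo, ip + 12, 8);               /* source and destination address */
    pseudo[8] = 0;
    pseudo[9] = ip[9];                        /* protocol */
    pseudo[10] = (uint8_t)(tcp_len >> 8);
    pseudo[11] = (uint8_t)tcp_len;
    sum = csum_add(0, pseudo, sizeof pseudo);
    sum = csum_add(sum, ip + ihl, 16);        /* TCP header up to the checksum field */
    sum = csum_add(sum, ip + ihl + 18, tcp_len - 18);   /* urgent pointer, options, data */
    return csum_fold(sum);
}

enum reject_action { REJECT_SEND_RST, REJECT_DROP_SILENTLY };

/* What a REJECT target should do with an incoming packet. */
static enum reject_action reject_decide(const uint8_t *ip, size_t len)
{
    size_t ihl = len ? (ip[0] & 0x0f) * 4u : 0;
    if (len < 20 || (ip[0] >> 4) != 4 || ip[9] != 6 || ihl < 20 || len < ihl + 20)
        return REJECT_DROP_SILENTLY;          /* not a complete IPv4/TCP packet */
    if (ip[ihl + 13] & 0x04)
        return REJECT_DROP_SILENTLY;          /* never answer a RST with a RST */
    if (tcp_checksum(ip, len) != (uint16_t)(ip[ihl + 16] << 8 | ip[ihl + 17]))
        return REJECT_DROP_SILENTLY;          /* corrupt or forged: the stack would drop it too */
    return REJECT_SEND_RST;
}

/* Constructed sample: IPv4 + TCP (PSH|ACK) + 4 data bytes, 10.0.0.2:50000 ->
 * 192.168.1.1:80. The sender fills in a correct checksum; corrupt_payload then
 * flips one bit "in transit", and set_rst turns the segment into a RST. */
#define SAMPLE_LEN 44
static void build_sample(uint8_t pkt[SAMPLE_LEN], bool corrupt_payload, bool set_rst)
{
    static const uint8_t tmpl[SAMPLE_LEN] = {
        0x45, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x06, 0x00, 0x00,
        0x0a, 0x00, 0x00, 0x02, 0xc0, 0xa8, 0x01, 0x01,
        0xc3, 0x50, 0x00, 0x50, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
        0x50, 0x18, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 'G', 'E', 'T', ' ' };
    uint16_t c;

    memcpy(pkt, tmpl, SAMPLE_LEN);
    if (set_rst)
        pkt[20 + 13] |= 0x04;
    c = tcp_checksum(pkt, SAMPLE_LEN);
    pkt[20 + 16] = (uint8_t)(c >> 8);
    pkt[20 + 17] = (uint8_t)c;
    if (corrupt_payload)
        pkt[40] ^= 0x01;
}

static enum reject_action decide_sample(bool corrupt_payload, bool set_rst)
{
    uint8_t pkt[SAMPLE_LEN];
    build_sample(pkt, corrupt_payload, set_rst);
    return reject_decide(pkt, SAMPLE_LEN);
}

int main(void)
{
    static const char *act[] = { "send RST", "drop silently" };
    printf("valid packet: %s\n", act[decide_sample(false, false)]);
    printf("bad checksum: %s\n", act[decide_sample(true, false)]);
    printf("incoming RST: %s\n", act[decide_sample(false, true)]);
    return 0;
}
```

`decide_sample(false, false)` returns REJECT_SEND_RST for the well-formed sample; `decide_sample(true, false)` returns REJECT_DROP_SILENTLY once a single payload bit has been flipped, and a packet that is itself a RST is dropped silently as well. A firewall that answered either of the latter two would be emitting traffic on behalf of whoever forged or damaged the packet, which is exactly what the patch avoids.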
* [PATCH 00/12] Netfilter updates for net-next
@ 2014-12-03 12:55 Pablo Neira Ayuso
2014-12-06 4:58 ` David Miller
0 siblings, 1 reply; 27+ messages in thread
From: Pablo Neira Ayuso @ 2014-12-03 12:55 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following batch contains netfilter updates for net-next. Basically,
enhancements for xt_recent, skip zeroing of timer in conntrack, fix
linking problem with recent redirect support for nf_tables, ipset
updates and a couple of cleanups. More specifically, they are:
1) Rise maximum number per IP address to be remembered in xt_recent
while retaining backward compatibility, from Florian Westphal.
2) Skip zeroing timer area in nf_conn objects, also from Florian.
3) Inspect IPv4 and IPv6 traffic from the bridge to allow filtering using
meta l4proto and transport layer header, from Alvaro Neira.
4) Fix linking problems in the new redirect support when CONFIG_IPV6=n
and IP6_NF_IPTABLES=n.
And ipset updates from Jozsef Kadlecsik:
5) Support updating element extensions when the set is full (fixes
netfilter bugzilla id 880).
6) Fix set match with 32-bits userspace / 64-bits kernel.
7) Indicate explicitly when /0 networks are supported in ipset.
8) Simplify cidr handling for hash:*net* types.
9) Allocate the proper size of memory when /0 networks are supported.
10) Explicitly add padding elements to hash:net,net and hash:net,port,
because the elements must be u32 sized for the used hash function.
Jozsef is also cooking ipset RCU conversion which should land soon if
they reach the merge window in time.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit 3a611e26e958b0372d2e7600b87bbb4a84c7704b:
net/smsc911x: Add minimal runtime PM support (2014-11-24 16:41:50 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
for you to fetch changes up to cac3763967362ace7996532ad3933f493a928a1b:
netfilter: ipset: Explicitly add padding elements to hash:net, net and hash:net, port, net (2014-12-03 12:43:36 +0100)
----------------------------------------------------------------
Alvaro Neira (2):
netfilter: nf_tables_bridge: export nft_reject_ip*hdr_validate functions
netfilter: nf_tables_bridge: set the pktinfo for IPv4/IPv6 traffic
Florian Westphal (2):
netfilter: xt_recent: relax ip_pkt_list_tot restrictions
netfilter: conntrack: avoid zeroing timer
Jozsef Kadlecsik (6):
netfilter: ipset: Support updating extensions when the set is full
netfilter: ipset: Alignment problem between 64bit kernel 32bit userspace
netfilter: ipset: Indicate when /0 networks are supported
netfilter: ipset: Simplify cidr handling for hash:*net* types
netfilter: ipset: Allocate the proper size of memory when /0 networks are supported
netfilter: ipset: Explicitly add padding elements to hash:net, net and hash:net, port, net
Pablo Neira Ayuso (1):
netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module
Steven Noonan (1):
netfilter: nf_log_ipv6: correct typo in module description
include/net/netfilter/ipv4/nf_nat_redirect.h | 9 --
include/net/netfilter/ipv6/nf_nat_redirect.h | 8 --
include/net/netfilter/nf_conntrack.h | 15 +--
include/net/netfilter/nf_nat_redirect.h | 12 +++
include/net/netfilter/nf_tables_bridge.h | 7 ++
include/uapi/linux/netfilter/ipset/ip_set.h | 8 +-
include/uapi/linux/netfilter/xt_set.h | 13 ++-
net/bridge/netfilter/nf_tables_bridge.c | 88 ++++++++++++++++-
net/bridge/netfilter/nft_reject_bridge.c | 52 +---------
net/ipv4/netfilter/Kconfig | 8 +-
net/ipv4/netfilter/Makefile | 1 -
net/ipv4/netfilter/nft_redir_ipv4.c | 2 +-
net/ipv6/netfilter/Kconfig | 8 +-
net/ipv6/netfilter/Makefile | 1 -
net/ipv6/netfilter/nf_log_ipv6.c | 2 +-
net/ipv6/netfilter/nf_nat_redirect_ipv6.c | 75 ---------------
net/ipv6/netfilter/nft_redir_ipv6.c | 2 +-
net/netfilter/Kconfig | 10 +-
net/netfilter/Makefile | 1 +
net/netfilter/ipset/ip_set_hash_gen.h | 101 +++++++++-----------
net/netfilter/ipset/ip_set_hash_netiface.c | 1 +
net/netfilter/ipset/ip_set_hash_netnet.c | 2 +
net/netfilter/ipset/ip_set_hash_netportnet.c | 2 +
net/netfilter/nf_conntrack_core.c | 11 +--
.../nf_nat_redirect.c} | 47 ++++++++-
net/netfilter/xt_REDIRECT.c | 3 +-
net/netfilter/xt_recent.c | 64 +++++++++----
net/netfilter/xt_set.c | 73 +++++++++++++-
28 files changed, 372 insertions(+), 254 deletions(-)
delete mode 100644 include/net/netfilter/ipv4/nf_nat_redirect.h
delete mode 100644 include/net/netfilter/ipv6/nf_nat_redirect.h
create mode 100644 include/net/netfilter/nf_nat_redirect.h
create mode 100644 include/net/netfilter/nf_tables_bridge.h
delete mode 100644 net/ipv6/netfilter/nf_nat_redirect_ipv6.c
rename net/{ipv4/netfilter/nf_nat_redirect_ipv4.c => netfilter/nf_nat_redirect.c} (67%)
* Re: [PATCH 00/12] Netfilter updates for net-next
2014-12-03 12:55 Pablo Neira Ayuso
@ 2014-12-06 4:58 ` David Miller
0 siblings, 0 replies; 27+ messages in thread
From: David Miller @ 2014-12-06 4:58 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 3 Dec 2014 13:55:30 +0100
> The following batch contains netfilter updates for net-next. Basically,
> enhancements for xt_recent, skip zeroing of timer in conntrack, fix
> linking problem with recent redirect support for nf_tables, ipset
> updates and a couple of cleanups. More specifically, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
>
> Thanks!
Pulled, thanks a lot Pablo.
* [PATCH 00/12] netfilter updates for net-next
@ 2014-01-05 23:12 Pablo Neira Ayuso
0 siblings, 0 replies; 27+ messages in thread
From: Pablo Neira Ayuso @ 2014-01-05 23:12 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
[ forgot to attach the pull request to this email and cc netdev, resending ]
Hi David,
The following patchset contains Netfilter updates for your net-next tree,
they are:
* Add full port randomization support. Some crazy researchers found a way
to reconstruct the secure ephemeral ports that are allocated in random mode
by sending off-path bursts of UDP packets to overrun the socket buffer of
the DNS resolver to trigger retransmissions, then if the timing for the
DNS resolution done by a client is larger than usual, then they conclude
that the port that received the burst of UDP packets is the one that was
opened. It seems a bit aggressive method to me but it seems to work for
them. As a result, Daniel Borkmann and Hannes Frederic Sowa came up with a
new NAT mode to fully randomize ports using prandom.
* Add a new classifier to x_tables based on the socket net_cls set via
cgroups. These includes two patches to prepare the field as requested by
Zefan Li. Also from Daniel Borkmann.
* Use prandom instead of get_random_bytes in several locations of the
netfilter code, from Florian Westphal.
* Allow to use the CTA_MARK_MASK in ctnetlink when mangling the conntrack
mark, also from Florian Westphal.
* Fix compilation warning due to unused variable in IPVS, from Geert
Uytterhoeven.
* Add support for UID/GID via nfnetlink_queue, from Valentina Giusti.
* Add IPComp extension to x_tables, from Fan Du.
* Several patches to remove dead code, by Stephen Hemminger.
* Reorder netns structure for conntrack, based on original patch from Eric
Dumazet, from Jesper D. Brouer.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
Thanks!
----------------------------------------------------------------
The following changes since commit 68536053600425c24aba031c45f053d447eedd9c:
ipv6: fix incorrect type in declaration (2013-12-12 16:14:09 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
for you to fetch changes up to 82a37132f300ea53bdcd812917af5a6329ec80c3:
netfilter: x_tables: lightweight process control group matching (2014-01-03 23:41:44 +0100)
----------------------------------------------------------------
Daniel Borkmann (4):
netfilter: nf_nat: add full port randomization support
net: net_cls: move cgroupfs classid handling into core
net: netprio: rename config to be more consistent with cgroup configs
netfilter: x_tables: lightweight process control group matching
Eric Leblond (1):
netfilter: xt_CT: fix error value in xt_ct_tg_check()
Florian Westphal (2):
netfilter: avoid get_random_bytes calls
netfilter: ctnetlink: honor CTA_MARK_MASK when setting ctmark
Geert Uytterhoeven (1):
ipvs: Remove unused variable ret from sync_thread_master()
Jesper Dangaard Brouer (1):
net: reorder struct netns_ct for better cache-line usage
Valentina Giusti (1):
netfilter: nfnetlink_queue: enable UID/GID socket info retrieval
fan.du (1):
netfilter: add IPv4/6 IPComp extension match support
stephen hemminger (2):
netfilter: ipset: remove unused code
netfilter: nf_conntrack: remove dead code
Documentation/cgroups/net_cls.txt | 5 +
include/linux/cgroup_subsys.h | 4 +-
include/linux/netdevice.h | 2 +-
include/linux/netfilter/ipset/ip_set.h | 1 -
include/net/cls_cgroup.h | 40 +++-----
include/net/netfilter/ipv4/nf_conntrack_ipv4.h | 2 -
include/net/netfilter/nf_conntrack_l3proto.h | 1 -
include/net/netns/conntrack.h | 33 +++----
include/net/netprio_cgroup.h | 18 ++--
include/net/sock.h | 2 +-
include/uapi/linux/netfilter/Kbuild | 2 +
include/uapi/linux/netfilter/nf_nat.h | 12 ++-
include/uapi/linux/netfilter/nfnetlink_queue.h | 5 +-
include/uapi/linux/netfilter/xt_cgroup.h | 11 +++
include/uapi/linux/netfilter/xt_ipcomp.h | 16 ++++
net/Kconfig | 11 ++-
net/core/Makefile | 3 +-
net/core/dev.c | 2 +-
net/core/netclassid_cgroup.c | 120 ++++++++++++++++++++++++
net/core/sock.c | 14 +--
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 --
net/netfilter/Kconfig | 19 ++++
net/netfilter/Makefile | 2 +
net/netfilter/ipset/ip_set_core.c | 28 ------
net/netfilter/ipvs/ip_vs_sync.c | 5 +-
net/netfilter/nf_conntrack_core.c | 15 ---
net/netfilter/nf_conntrack_netlink.c | 12 ++-
net/netfilter/nf_conntrack_proto.c | 6 --
net/netfilter/nf_nat_core.c | 4 +-
net/netfilter/nf_nat_proto_common.c | 10 +-
net/netfilter/nfnetlink_log.c | 8 --
net/netfilter/nfnetlink_queue_core.c | 34 +++++++
net/netfilter/nft_hash.c | 2 +-
net/netfilter/xt_CT.c | 4 +-
net/netfilter/xt_RATEEST.c | 2 +-
net/netfilter/xt_cgroup.c | 71 ++++++++++++++
net/netfilter/xt_connlimit.c | 2 +-
net/netfilter/xt_hashlimit.c | 2 +-
net/netfilter/xt_ipcomp.c | 111 ++++++++++++++++++++++
net/netfilter/xt_recent.c | 2 +-
net/sched/Kconfig | 1 +
net/sched/cls_cgroup.c | 111 +---------------------
42 files changed, 487 insertions(+), 274 deletions(-)
create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
create mode 100644 include/uapi/linux/netfilter/xt_ipcomp.h
create mode 100644 net/core/netclassid_cgroup.c
create mode 100644 net/netfilter/xt_cgroup.c
create mode 100644 net/netfilter/xt_ipcomp.c
* [PATCH 00/12] netfilter updates for net-next
@ 2013-06-30 23:54 Pablo Neira Ayuso
2013-07-01 0:35 ` David Miller
0 siblings, 1 reply; 27+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-30 23:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following batch contains Netfilter/IPVS updates for net-next,
they are:
* Enforce policy to several nfnetlink subsystem, from Daniel
Borkmann.
* Use xt_socket to match the third packet (to perform simplistic
socket-based stateful filtering), from Eric Dumazet.
* Avoid large timeout for picked up from the middle TCP flows,
from Florian Westphal.
* Exclude IPVS from struct net if IPVS is disabled and removal
of unnecessary included header file, from JunweiZhang.
* Release SCTP connection immediately under load, to mimic current
TCP behaviour, from Julian Anastasov.
* Replace and enhance SCTP state machine, from Julian Anastasov.
* Add tweak to reduce sync traffic in the presence of persistence,
also from Julian Anastasov.
* Add tweak for the IPVS SH scheduler not to reject connections
directed to a server, choose a new one instead, from Alexander
Frolkin.
* Add support for sloppy TCP and SCTP modes, that creates state
information on any packet, not only initial handshake packets,
from Alexander Frolkin.
Please, consider pulling this batch from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
Thanks!
----------------------------------------------------------------
The following changes since commit fedaf4ffc224a194e2d13a3ec2abe5df0bc94258:
ndisc: Convert use of typedef ctl_table to struct ctl_table (2013-06-19 23:18:07 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
for you to fetch changes up to 496e4ae7dc944faa1721bfda7e9d834d5611a874:
netfilter: nf_queue: add NFQA_SKB_CSUM_NOTVERIFIED info flag (2013-06-30 18:15:48 +0200)
----------------------------------------------------------------
Alexander Frolkin (2):
ipvs: sloppy TCP and SCTP
ipvs: SH fallback and L4 hashing
Daniel Borkmann (1):
netfilter: check return code from nla_parse_tested
Eric Dumazet (1):
netfilter: xt_socket: add XT_SOCKET_NOWILDCARD flag
Florian Westphal (2):
netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
netfilter: nf_queue: add NFQA_SKB_CSUM_NOTVERIFIED info flag
Julian Anastasov (4):
ipvs: provide iph to schedulers
ipvs: replace the SCTP state machine
ipvs: drop SCTP connections depending on state
ipvs: add sync_persist_mode flag
JunweiZhang (2):
kernel: remove unnecessary head file
netns: exclude ipvs from struct net when IPVS disabled
Documentation/networking/ipvs-sysctl.txt | 13 +
include/net/ip_vs.h | 84 ++-
include/net/net_namespace.h | 2 +
include/uapi/linux/ip_vs.h | 6 +
include/uapi/linux/netfilter/nfnetlink_queue.h | 2 +
include/uapi/linux/netfilter/xt_socket.h | 7 +
kernel/sysctl_binary.c | 1 -
net/netfilter/ipvs/ip_vs_conn.c | 12 +
net/netfilter/ipvs/ip_vs_core.c | 4 +-
net/netfilter/ipvs/ip_vs_ctl.c | 21 +
net/netfilter/ipvs/ip_vs_dh.c | 10 +-
net/netfilter/ipvs/ip_vs_lblc.c | 12 +-
net/netfilter/ipvs/ip_vs_lblcr.c | 12 +-
net/netfilter/ipvs/ip_vs_lc.c | 3 +-
net/netfilter/ipvs/ip_vs_nq.c | 3 +-
net/netfilter/ipvs/ip_vs_proto_sctp.c | 860 +++++-------------------
net/netfilter/ipvs/ip_vs_proto_tcp.c | 14 +-
net/netfilter/ipvs/ip_vs_rr.c | 3 +-
net/netfilter/ipvs/ip_vs_sed.c | 3 +-
net/netfilter/ipvs/ip_vs_sh.c | 108 ++-
net/netfilter/ipvs/ip_vs_sync.c | 19 +-
net/netfilter/ipvs/ip_vs_wlc.c | 3 +-
net/netfilter/ipvs/ip_vs_wrr.c | 3 +-
net/netfilter/nf_conntrack_netlink.c | 30 +-
net/netfilter/nf_conntrack_proto_tcp.c | 6 +
net/netfilter/nfnetlink_cthelper.c | 16 +-
net/netfilter/nfnetlink_cttimeout.c | 6 +-
net/netfilter/nfnetlink_queue_core.c | 16 +-
net/netfilter/xt_socket.c | 70 +-
29 files changed, 529 insertions(+), 820 deletions(-)
* Re: [PATCH 00/12] netfilter updates for net-next
2013-06-30 23:54 Pablo Neira Ayuso
@ 2013-07-01 0:35 ` David Miller
0 siblings, 0 replies; 27+ messages in thread
From: David Miller @ 2013-07-01 0:35 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 1 Jul 2013 01:54:29 +0200
> The following batch contains Netfilter/IPVS updates for net-next,
> they are:
...
> Please, consider pulling this batch from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
Pulled, thanks Pablo!
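Two items in the 2013-06-30 pull request above describe the same trade-off from opposite sides: conntrack's "avoid large timeout for mid-stream pickup" and the IPVS "sloppy" TCP/SCTP modes that create state on any packet rather than only on handshake packets. The block below is an added example, not kernel or IPVS code: a toy tracker that shows what strict versus loose pickup means for a bare ACK whose handshake was never seen, and why a picked-up flow should get a short timeout until a reply-direction packet confirms that the other end exists. The timeout values, the two-state machine and the `ct_*` names are this example's assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not kernel code: a toy TCP connection tracker showing strict
 * vs. loose ("sloppy") pickup of flows whose handshake was never seen, and a
 * short timeout for picked-up flows until a reply-direction packet shows that
 * both ends exist. Timeouts and the two-state machine are assumptions. */

enum { TCP_SYN = 0x02, TCP_RST = 0x04, TCP_ACK = 0x10 };
#define TIMEOUT_SYN_SENT    120u
#define TIMEOUT_ESTABLISHED 432000u   /* long: a confirmed two-way flow */
#define TIMEOUT_PICKUP      300u      /* short: state created from a bare ACK */
enum ct_state { CT_SYN_SENT, CT_ESTABLISHED };
struct pkt  { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t flags; };
struct conn {
    bool used, picked_up, seen_reply;
    struct pkt orig;                  /* original direction; flags unused */
    enum ct_state state; uint32_t expires;   /* expires: absolute time, seconds */
};

#define MAX_CONN 16
static struct conn table[MAX_CONN];
static bool loose_pickup;

static void ct_flush(bool loose)
{
    memset(table, 0, sizeof table);
    loose_pickup = loose;
}

/* Find the entry for p in either direction, reaping expired entries. */
static struct conn *ct_lookup(const struct pkt *p, uint32_t now, bool *reply)
{
    for (int i = 0; i < MAX_CONN; i++) {
        struct conn *c = &table[i];
        const struct pkt *o = &c->orig;
        if (!c->used)
            continue;
        if (now >= c->expires) { c->used = false; continue; }
        if (o->saddr == p->saddr && o->daddr == p->daddr &&
            o->sport == p->sport && o->dport == p->dport) { *reply = false; return c; }
        if (o->saddr == p->daddr && o->daddr == p->saddr &&
            o->sport == p->dport && o->dport == p->sport) { *reply = true; return c; }
    }
    return NULL;
}

/* New entry; one created directly as ESTABLISHED is by definition a pickup. */
static struct conn *ct_create(const struct pkt *p, enum ct_state st, uint32_t now)
{
    for (int i = 0; i < MAX_CONN; i++)
        if (!table[i].used) {
            table[i] = (struct conn){ .used = true, .picked_up = st == CT_ESTABLISHED, .orig = *p,
                .state = st, .expires = now + (st == CT_SYN_SENT ? TIMEOUT_SYN_SENT : TIMEOUT_PICKUP) };
            return &table[i];
        }
    return NULL;                      /* table full */
}

/* Process one packet; returns 1 if accepted, 0 if dropped as invalid. */
static int ct_input(const struct pkt *p, uint32_t now)
{
    bool reply = false;
    struct conn *c = ct_lookup(p, now, &reply);
    if (!c) {
        if ((p->flags & (TCP_SYN | TCP_ACK)) == TCP_SYN)    /* start of a real handshake */
            return ct_create(p, CT_SYN_SENT, now) != NULL;
        if (!loose_pickup || (p->flags & TCP_RST))
            return 0;                 /* strict: no state from a mid-stream packet */
        return ct_create(p, CT_ESTABLISHED, now) != NULL;   /* loose: pick it up */
    }
    if (reply)
        c->seen_reply = true;
    if (c->state == CT_SYN_SENT && reply &&
        (p->flags & (TCP_SYN | TCP_ACK)) == (TCP_SYN | TCP_ACK))
        c->state = CT_ESTABLISHED;    /* simplified: the SYN/ACK completes the handshake */
    if (c->state != CT_ESTABLISHED)
        c->expires = now + TIMEOUT_SYN_SENT;
    else if (c->picked_up && !c->seen_reply)
        c->expires = now + TIMEOUT_PICKUP;   /* one-sided traffic never earns the long timeout */
    else
        c->expires = now + TIMEOUT_ESTABLISHED;
    return 1;
}

/* Seconds until the entry for p expires, or 0 if there is none. */
static uint32_t ct_remaining(const struct pkt *p, uint32_t now)
{
    bool reply;
    struct conn *c = ct_lookup(p, now, &reply);
    return c ? c->expires - now : 0;
}

/* Constructed traffic: a bare ACK to 192.168.1.1:443 whose handshake this box
 * never saw, the server's reply, and a normal SYN / SYN-ACK pair. */
static const struct pkt sample_ack    = { 0x0a000002, 0xc0a80101, 51000, 443, TCP_ACK };
static const struct pkt sample_reply  = { 0xc0a80101, 0x0a000002, 443, 51000, TCP_ACK };
static const struct pkt sample_syn    = { 0x0a000002, 0xc0a80101, 51001, 443, TCP_SYN };
static const struct pkt sample_synack = { 0xc0a80101, 0x0a000002, 443, 51001, TCP_SYN | TCP_ACK };

int main(void)
{
    ct_flush(true);
    ct_input(&sample_ack, 0);
    printf("loose pickup: %u s before reply, ", ct_remaining(&sample_ack, 0));
    ct_input(&sample_reply, 1);
    printf("%u s after reply\n", ct_remaining(&sample_ack, 1));
    return 0;
}
```

In strict mode `ct_input()` drops the bare ACK outright. In loose mode it creates state, but `ct_remaining()` reports TIMEOUT_PICKUP (300 s) rather than TIMEOUT_ESTABLISHED (432000 s) until the server's reply is seen, and more one-sided traffic only renews the short timeout; a flow that began with a SYN and a SYN/ACK gets the long timeout straight away. The security point is that with loose pickup anyone who can spoof a non-SYN packet can create an entry, so the exposure of the state table should be bounded by the short timeout, not by the established one.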
* [PATCH 00/12] Netfilter updates for net-next
@ 2013-03-25 12:15 pablo
2013-03-25 16:13 ` David Miller
0 siblings, 1 reply; 27+ messages in thread
From: pablo @ 2013-03-25 12:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,
The following patchset contains Netfilter/IPVS updates for your net-next
tree, they are:
* Better performance in nfnetlink_queue by avoiding copy from the packet
to netlink message, from Eric Dumazet.
* Remove unnecessary locking in the exit path of ebt_ulog, from Gao Feng.
* Use new function ipv6_iface_scope_id in nf_ct_ipv6, from Hannes
Frederic Sowa.
* A couple of sparse fixes for IPVS, from Julian Anastasov.
* Use xor hashing in nfnetlink_queue, as suggested by Eric Dumazet, from
myself.
* Allow to dump expectations per master conntrack via ctnetlink, from
myself.
* A couple of cleanups to use PTR_RET in module init path, from
Silviu-Mihai Popescu.
* Remove nf_conntrack module a bit faster if netns are in use, from
Vladimir Davydov.
* Use checksum_partial in ip6t_NPT, from YOSHIFUJI Hideaki.
* Sparse fix for nf_conntrack, from Stephen Hemminger.
You can pull these changes from:
git://1984.lsi.us.es/nf-next master
Thanks!
Eric Dumazet (1):
netfilter: nfnetlink_queue: zero copy support
Gao feng (1):
netfilter: ebt_ulog: remove unnecessary spin lock protection
Hannes Frederic Sowa (1):
netfilter: nf_ct_ipv6: use ipv6_iface_scope_id in conntrack to return scope id
Julian Anastasov (2):
ipvs: fix hashing in ip_vs_svc_hashkey
ipvs: fix some sparse warnings
Pablo Neira Ayuso (2):
netfilter: nfnetlink_queue: use xor hash function to distribute instances
netfilter: ctnetlink: allow to dump expectation per master conntrack
Silviu-Mihai Popescu (2):
ipv4: netfilter: use PTR_RET instead of IS_ERR + PTR_ERR
bridge: netfilter: use PTR_RET instead of IS_ERR + PTR_ERR
Vladimir Davydov (1):
netfilter: nf_conntrack: speed up module removal path if netns in use
YOSHIFUJI Hideaki (1):
netfilter: ip6t_NPT: Use csum_partial()
stephen hemminger (1):
netfilter: nf_conntrack: add include to fix sparse warning
include/net/ip_vs.h | 2 +-
include/net/netfilter/nf_conntrack_core.h | 1 +
net/bridge/netfilter/ebt_ulog.c | 3 +-
net/bridge/netfilter/ebtable_broute.c | 4 +-
net/ipv4/netfilter/arptable_filter.c | 4 +-
net/ipv6/netfilter/ip6t_NPT.c | 11 +--
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 8 +-
net/netfilter/ipvs/ip_vs_core.c | 8 +-
net/netfilter/ipvs/ip_vs_ctl.c | 8 +-
net/netfilter/ipvs/ip_vs_est.c | 2 +-
net/netfilter/nf_conntrack_core.c | 47 +++++++----
net/netfilter/nf_conntrack_netlink.c | 100 ++++++++++++++++++++++--
net/netfilter/nf_conntrack_standalone.c | 16 ++--
net/netfilter/nfnetlink_queue_core.c | 96 +++++++++++++++++------
14 files changed, 228 insertions(+), 82 deletions(-)
--
1.7.10.4
* Re: [PATCH 00/12] Netfilter updates for net-next
2013-03-25 12:15 pablo
@ 2013-03-25 16:13 ` David Miller
0 siblings, 0 replies; 27+ messages in thread
From: David Miller @ 2013-03-25 16:13 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Mon, 25 Mar 2013 13:15:40 +0100
> The following patchset contains Netfilter/IPVS updates for
> your net-next tree, they are:
...
> You can pull these changes from:
>
> git://1984.lsi.us.es/nf-next master
Pulled, thanks a lot Pablo.