* [PATCH net-next 0/5] Netfilter updates for net-next
@ 2021-11-01 8:39 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2021-11-01 8:39 UTC
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter updates for net-next:
1) Use array_size() in ebtables, from Gustavo A. R. Silva.
2) Attach IPS_ASSURED to internal UDP stream state, reported by
Maciej Zenczykowski.
3) Add NFT_META_IFTYPE to match on the interface type either
from ingress or egress.
4) Generalize pktinfo->tprot_set to flags field.
5) Allow to match on inner headers / payload data.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks.
----------------------------------------------------------------
The following changes since commit ab98bbee072c7c30c391ae742b209efebb468273:
Merge branch 'ax88796c-spi-ethernet-adapter' (2021-10-21 16:28:44 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to c46b38dc8743535e686b911d253a844f0bd50ead:
netfilter: nft_payload: support for inner header matching / mangling (2021-11-01 09:31:03 +0100)
----------------------------------------------------------------
Gustavo A. R. Silva (1):
netfilter: ebtables: use array_size() helper in copy_{from,to}_user()
Pablo Neira Ayuso (4):
netfilter: conntrack: set on IPS_ASSURED if flows enters internal stream state
netfilter: nft_meta: add NFT_META_IFTYPE
netfilter: nf_tables: convert pktinfo->tprot_set to flags field
netfilter: nft_payload: support for inner header matching / mangling
include/net/netfilter/nf_tables.h | 10 ++++--
include/net/netfilter/nf_tables_ipv4.h | 7 ++--
include/net/netfilter/nf_tables_ipv6.h | 6 ++--
include/uapi/linux/netfilter/nf_tables.h | 6 +++-
net/bridge/netfilter/ebtables.c | 7 ++--
net/netfilter/nf_conntrack_proto_udp.c | 7 ++--
net/netfilter/nf_tables_core.c | 2 +-
net/netfilter/nf_tables_trace.c | 4 +--
net/netfilter/nft_meta.c | 8 +++--
net/netfilter/nft_payload.c | 60 +++++++++++++++++++++++++++++---
10 files changed, 94 insertions(+), 23 deletions(-)
* [PATCH net-next 0/5] netfilter updates for net-next
@ 2023-03-22 21:07 Florian Westphal
From: Florian Westphal @ 2023-03-22 21:07 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
Hello,
This pull request contains changes for the *net-next* tree.
1. Change IPv6 stack to keep conntrack references until ipsec policy
checks are done, like ipv4, from Madhu Koriginja.
This update was missed when IPv6 NAT support was added 10 years ago.
2. get rid of old 'compat' structure layout in nf_nat_redirect
core and move the conversion to the only user that needs the
old layout for abi reasons. From Jeremy Sowden.
3. Compact some common code paths in nft_redir, also from Jeremy.
4. Time to remove the 'default y' knob so iptables 32bit compat interface
isn't compiled in by default anymore, from myself.
5. Move ip(6)tables builtin icmp matches to the udptcp one.
This has the advantage that icmp/icmpv6 match doesn't load the
iptables/ip6tables modules anymore when iptables-nft is used.
Also from myself.
The following changes since commit 5c5945dc695c54f2b55a934a10b6c4e220f9c140:
selftests/net: Add SHA256 computation over data sent in tcp_mmap (2023-03-22 15:34:31 +0100)
are available in the Git repository at:
ssh://git@gitolite.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next main
for you to fetch changes up to b0e214d212030fe497d4d150bb3474e50ad5d093:
netfilter: keep conntrack reference until IPsecv6 policy checks are done (2023-03-22 21:50:23 +0100)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: xtables: disable 32bit compat interface by default
xtables: move icmp/icmpv6 logic to xt_tcpudp
Jeremy Sowden (2):
netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs
netfilter: nft_masq: deduplicate eval call-backs
Madhu Koriginja (1):
netfilter: keep conntrack reference until IPsecv6 policy checks are done
include/net/netfilter/nf_nat_redirect.h | 3 +-
net/dccp/ipv6.c | 1 +
net/ipv4/netfilter/ip_tables.c | 68 +-------------------
net/ipv6/ip6_input.c | 14 ++--
net/ipv6/netfilter/ip6_tables.c | 68 +-------------------
net/ipv6/raw.c | 5 +-
net/ipv6/tcp_ipv6.c | 2 +
net/ipv6/udp.c | 2 +
net/netfilter/Kconfig | 1 -
net/netfilter/nf_nat_redirect.c | 71 ++++++++++-----------
net/netfilter/nft_masq.c | 75 +++++++++-------------
net/netfilter/nft_redir.c | 84 +++++++++---------------
net/netfilter/xt_REDIRECT.c | 10 ++-
net/netfilter/xt_tcpudp.c | 110 ++++++++++++++++++++++++++++++++
14 files changed, 226 insertions(+), 288 deletions(-)
* [PATCH net-next 0/5] netfilter updates for net-next
@ 2023-07-27 13:35 Florian Westphal
From: Florian Westphal @ 2023-07-27 13:35 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
Hello,
This batch contains a few updates for your *net-next* tree.
Note that this includes two patches that make changes to lib/.
1. silence a harmless warning for CONFIG_NF_CONNTRACK_PROCFS=n builds,
from Zhu Wang.
2, 3:
Allow NLA_POLICY_MASK to be used with BE16/BE32 types, and replace a few
manual checks with nla_policy based one in nf_tables, from myself.
4: cleanup in ctnetlink to validate while parsing rather than
using two steps, from Lin Ma.
5: refactor Boyer-Moore textsearch by moving a small chunk to
a helper function, from Jeremy Sowden.
The following changes since commit bc758ade614576d1c1b167af0246ada8c916c804:
net/mlx4: clean up a type issue (2023-07-26 22:08:44 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-23-07-27
for you to fetch changes up to 86e9c9aa2358a74bcc5e63f9fc69c2d01e64c002:
lib/ts_bm: add helper to reduce indentation and improve readability (2023-07-27 13:45:51 +0200)
----------------------------------------------------------------
netfilter net-next pull request 2023-07-27
----------------------------------------------------------------
Florian Westphal (2):
netlink: allow be16 and be32 types in all uint policy checks
netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options
Jeremy Sowden (1):
lib/ts_bm: add helper to reduce indentation and improve readability
Lin Ma (1):
netfilter: conntrack: validate cta_ip via parsing
Zhu Wang (1):
nf_conntrack: fix -Wunused-const-variable=
include/net/netlink.h | 10 +++-----
lib/nlattr.c | 6 +++++
lib/ts_bm.c | 43 +++++++++++++++++++++++----------
net/netfilter/nf_conntrack_netlink.c | 8 ++----
net/netfilter/nf_conntrack_proto_dccp.c | 2 ++
net/netfilter/nft_fib.c | 13 +++++-----
net/netfilter/nft_lookup.c | 6 ++---
net/netfilter/nft_masq.c | 8 +++---
net/netfilter/nft_nat.c | 8 +++---
net/netfilter/nft_redir.c | 8 +++---
10 files changed, 61 insertions(+), 51 deletions(-)
* [PATCH net-next 1/5] nf_conntrack: fix -Wunused-const-variable=
From: Florian Westphal @ 2023-07-27 13:35 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, Zhu Wang, Simon Horman
From: Zhu Wang <wangzhu9@huawei.com>
When building with W=1, the following warning occurs.
net/netfilter/nf_conntrack_proto_dccp.c:72:27: warning: ‘dccp_state_names’ defined but not used [-Wunused-const-variable=]
static const char * const dccp_state_names[] = {
We include dccp_state_names in the macro
CONFIG_NF_CONNTRACK_PROCFS, since it is only used in the place
which is included in the macro CONFIG_NF_CONNTRACK_PROCFS.
Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
Signed-off-by: Zhu Wang <wangzhu9@huawei.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_proto_dccp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index d4fd626d2b8c..e2db1f4ec2df 100644
--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -69,6 +69,7 @@
#define DCCP_MSL (2 * 60 * HZ)
+#ifdef CONFIG_NF_CONNTRACK_PROCFS
static const char * const dccp_state_names[] = {
[CT_DCCP_NONE] = "NONE",
[CT_DCCP_REQUEST] = "REQUEST",
@@ -81,6 +82,7 @@ static const char * const dccp_state_names[] = {
[CT_DCCP_IGNORE] = "IGNORE",
[CT_DCCP_INVALID] = "INVALID",
};
+#endif
#define sNO CT_DCCP_NONE
#define sRQ CT_DCCP_REQUEST
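Review bot: the `#endif` closes the guard correctly, but wrapping dccp_state_names in `#ifdef CONFIG_NF_CONNTRACK_PROCFS` only holds if every remaining reference to the array sits under the same guard; otherwise a CONFIG_NF_CONNTRACK_PROCFS=n build now fails with an undeclared identifier where it previously only warned under W=1. The commit message says the sole user is already guarded, so a PROCFS=n build should be confirmed before merge; marking the array `__maybe_unused` would be the smaller change if that is not certain.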
--
2.41.0
* [PATCH net-next 2/5] netlink: allow be16 and be32 types in all uint policy checks
From: Florian Westphal @ 2023-07-27 13:35 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
__NLA_IS_BEINT_TYPE(tp) isn't useful. NLA_BE16/32 are identical to
NLA_U16/32, the only difference is that it tells the netlink validation
functions that byteorder conversion might be needed before comparing
the value to the policy min/max ones.
After this change all policy macros that can be used with UINT types,
such as NLA_POLICY_MASK() can also be used with NLA_BE16/32.
This will be used to validate nf_tables flag attributes which
are in bigendian byte order.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/net/netlink.h | 10 +++-------
lib/nlattr.c | 6 ++++++
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/include/net/netlink.h b/include/net/netlink.h
index b12cd957abb4..8a7cd1170e1f 100644
--- a/include/net/netlink.h
+++ b/include/net/netlink.h
@@ -375,12 +375,11 @@ struct nla_policy {
#define NLA_POLICY_BITFIELD32(valid) \
{ .type = NLA_BITFIELD32, .bitfield32_valid = valid }
-#define __NLA_IS_UINT_TYPE(tp) \
- (tp == NLA_U8 || tp == NLA_U16 || tp == NLA_U32 || tp == NLA_U64)
+#define __NLA_IS_UINT_TYPE(tp) \
+ (tp == NLA_U8 || tp == NLA_U16 || tp == NLA_U32 || \
+ tp == NLA_U64 || tp == NLA_BE16 || tp == NLA_BE32)
#define __NLA_IS_SINT_TYPE(tp) \
(tp == NLA_S8 || tp == NLA_S16 || tp == NLA_S32 || tp == NLA_S64)
-#define __NLA_IS_BEINT_TYPE(tp) \
- (tp == NLA_BE16 || tp == NLA_BE32)
#define __NLA_ENSURE(condition) BUILD_BUG_ON_ZERO(!(condition))
#define NLA_ENSURE_UINT_TYPE(tp) \
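Review bot: folding NLA_BE16/NLA_BE32 into __NLA_IS_UINT_TYPE makes every UINT-only policy macro (NLA_POLICY_MIN, NLA_POLICY_MAX, NLA_POLICY_RANGE as well as NLA_POLICY_MASK) accept the BE types at compile time, so the byte-order conversion has to exist in every validator those macros reach, not only in nla_validate_mask() in the lib/nlattr.c hunk. If the min/max range checks do not already switch on NLA_BE16/NLA_BE32, an NLA_POLICY_MAX(NLA_BE32, ...) would now compile and compare raw network-order bytes against a host-order limit; the commit message should say which validators were checked.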
@@ -394,7 +393,6 @@ struct nla_policy {
#define NLA_ENSURE_INT_OR_BINARY_TYPE(tp) \
(__NLA_ENSURE(__NLA_IS_UINT_TYPE(tp) || \
__NLA_IS_SINT_TYPE(tp) || \
- __NLA_IS_BEINT_TYPE(tp) || \
tp == NLA_MSECS || \
tp == NLA_BINARY) + tp)
#define NLA_ENSURE_NO_VALIDATION_PTR(tp) \
@@ -402,8 +400,6 @@ struct nla_policy {
tp != NLA_REJECT && \
tp != NLA_NESTED && \
tp != NLA_NESTED_ARRAY) + tp)
-#define NLA_ENSURE_BEINT_TYPE(tp) \
- (__NLA_ENSURE(__NLA_IS_BEINT_TYPE(tp)) + tp)
#define NLA_POLICY_RANGE(tp, _min, _max) { \
.type = NLA_ENSURE_INT_OR_BINARY_TYPE(tp), \
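Review bot: NLA_ENSURE_BEINT_TYPE() is deleted without a replacement, which is only safe if no policy in the tree still expands it. The diffstat touches only include/net/netlink.h and lib/nlattr.c, so a tree-wide grep result belongs in the commit message; a late-merged user would otherwise get a build break instead of a type check. While here, the description of .mask/.min/.max for struct nla_policy should state that BE16/BE32 values are converted to host order before the comparison.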
diff --git a/lib/nlattr.c b/lib/nlattr.c
index 489e15bde5c1..7a2b6c38fd59 100644
--- a/lib/nlattr.c
+++ b/lib/nlattr.c
@@ -355,6 +355,12 @@ static int nla_validate_mask(const struct nla_policy *pt,
case NLA_U64:
value = nla_get_u64(nla);
break;
+ case NLA_BE16:
+ value = ntohs(nla_get_be16(nla));
+ break;
+ case NLA_BE32:
+ value = ntohl(nla_get_be32(nla));
+ break;
default:
return -EINVAL;
}
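Review bot: the two new cases convert with ntohs()/ntohl() before `value & ~pt->mask`, which is what makes NLA_POLICY_MASK(NLA_BE32, host_order_mask) in the nf_tables patch meaningful. A reader of a policy table could just as easily assume the mask is in wire order, so a one-line comment here, and on NLA_POLICY_MASK, saying that the mask is host byte order and the attribute is converted before comparing would prevent the inverse mistake of passing htonl(MASK).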
--
2.41.0
* [PATCH net-next 3/5] netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options
From: Florian Westphal @ 2023-07-27 13:35 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
nf_tables relies on manual test of netlink attributes coming from userspace
even in cases where this could be handled via netlink policy.
Convert a bunch of 'flag' attributes to use NLA_POLICY_MASK checks.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nft_fib.c | 13 +++++++------
net/netfilter/nft_lookup.c | 6 ++----
net/netfilter/nft_masq.c | 8 +++-----
net/netfilter/nft_nat.c | 8 +++-----
net/netfilter/nft_redir.c | 8 +++-----
5 files changed, 18 insertions(+), 25 deletions(-)
diff --git a/net/netfilter/nft_fib.c b/net/netfilter/nft_fib.c
index 6e049fd48760..601c9e09d07a 100644
--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -14,17 +14,18 @@
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nft_fib.h>
+#define NFTA_FIB_F_ALL (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR | \
+ NFTA_FIB_F_MARK | NFTA_FIB_F_IIF | NFTA_FIB_F_OIF | \
+ NFTA_FIB_F_PRESENT)
+
const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = {
[NFTA_FIB_DREG] = { .type = NLA_U32 },
[NFTA_FIB_RESULT] = { .type = NLA_U32 },
- [NFTA_FIB_FLAGS] = { .type = NLA_U32 },
+ [NFTA_FIB_FLAGS] =
+ NLA_POLICY_MASK(NLA_BE32, NFTA_FIB_F_ALL),
};
EXPORT_SYMBOL(nft_fib_policy);
-#define NFTA_FIB_F_ALL (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR | \
- NFTA_FIB_F_MARK | NFTA_FIB_F_IIF | NFTA_FIB_F_OIF | \
- NFTA_FIB_F_PRESENT)
-
int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
const struct nft_data **data)
{
@@ -77,7 +78,7 @@ int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
priv->flags = ntohl(nla_get_be32(tb[NFTA_FIB_FLAGS]));
- if (priv->flags == 0 || (priv->flags & ~NFTA_FIB_F_ALL))
+ if (priv->flags == 0)
return -EINVAL;
if ((priv->flags & (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR)) ==
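Review bot: dropping `(priv->flags & ~NFTA_FIB_F_ALL)` is correct only because NLA_POLICY_MASK(NLA_BE32, NFTA_FIB_F_ALL) in the policy above now rejects unknown bits before nft_fib_init() runs; the `priv->flags == 0` test must stay, as it does here, since a mask check accepts zero. nft_fib_policy is exported (EXPORT_SYMBOL just below the table), so every module that parses with it inherits the stricter check; worth a sentence in the commit message.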
diff --git a/net/netfilter/nft_lookup.c b/net/netfilter/nft_lookup.c
index 29ac48cdd6db..870e5b113d13 100644
--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -90,7 +90,8 @@ static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
[NFTA_LOOKUP_SET_ID] = { .type = NLA_U32 },
[NFTA_LOOKUP_SREG] = { .type = NLA_U32 },
[NFTA_LOOKUP_DREG] = { .type = NLA_U32 },
- [NFTA_LOOKUP_FLAGS] = { .type = NLA_U32 },
+ [NFTA_LOOKUP_FLAGS] =
+ NLA_POLICY_MASK(NLA_BE32, NFT_LOOKUP_F_INV),
};
static int nft_lookup_init(const struct nft_ctx *ctx,
@@ -120,9 +121,6 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
if (tb[NFTA_LOOKUP_FLAGS]) {
flags = ntohl(nla_get_be32(tb[NFTA_LOOKUP_FLAGS]));
- if (flags & ~NFT_LOOKUP_F_INV)
- return -EINVAL;
-
if (flags & NFT_LOOKUP_F_INV)
priv->invert = true;
}
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index b115d77fbbc7..8a14aaca93bb 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -20,7 +20,8 @@ struct nft_masq {
};
static const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = {
- [NFTA_MASQ_FLAGS] = { .type = NLA_U32 },
+ [NFTA_MASQ_FLAGS] =
+ NLA_POLICY_MASK(NLA_BE32, NF_NAT_RANGE_MASK),
[NFTA_MASQ_REG_PROTO_MIN] = { .type = NLA_U32 },
[NFTA_MASQ_REG_PROTO_MAX] = { .type = NLA_U32 },
};
@@ -47,11 +48,8 @@ static int nft_masq_init(const struct nft_ctx *ctx,
struct nft_masq *priv = nft_expr_priv(expr);
int err;
- if (tb[NFTA_MASQ_FLAGS]) {
+ if (tb[NFTA_MASQ_FLAGS])
priv->flags = ntohl(nla_get_be32(tb[NFTA_MASQ_FLAGS]));
- if (priv->flags & ~NF_NAT_RANGE_MASK)
- return -EINVAL;
- }
if (tb[NFTA_MASQ_REG_PROTO_MIN]) {
err = nft_parse_register_load(tb[NFTA_MASQ_REG_PROTO_MIN],
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 5c29915ab028..583885ce7232 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -132,7 +132,8 @@ static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
[NFTA_NAT_REG_ADDR_MAX] = { .type = NLA_U32 },
[NFTA_NAT_REG_PROTO_MIN] = { .type = NLA_U32 },
[NFTA_NAT_REG_PROTO_MAX] = { .type = NLA_U32 },
- [NFTA_NAT_FLAGS] = { .type = NLA_U32 },
+ [NFTA_NAT_FLAGS] =
+ NLA_POLICY_MASK(NLA_BE32, NF_NAT_RANGE_MASK),
};
static int nft_nat_validate(const struct nft_ctx *ctx,
@@ -246,11 +247,8 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
priv->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
}
- if (tb[NFTA_NAT_FLAGS]) {
+ if (tb[NFTA_NAT_FLAGS])
priv->flags |= ntohl(nla_get_be32(tb[NFTA_NAT_FLAGS]));
- if (priv->flags & ~NF_NAT_RANGE_MASK)
- return -EOPNOTSUPP;
- }
return nf_ct_netns_get(ctx->net, family);
}
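Review bot: this hunk changes a userspace-visible errno. An unknown NFTA_NAT_FLAGS bit used to fail with -EOPNOTSUPP, while the other sites converted in this patch returned -EINVAL and all of them now fail with whatever the generic policy mask check returns. The consistency is probably an improvement, but it is a behaviour change for nftables/libnftnl feature probing and deserves a sentence in the commit message.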
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index a70196ffcb1e..a58bd8d291ff 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -22,7 +22,8 @@ struct nft_redir {
static const struct nla_policy nft_redir_policy[NFTA_REDIR_MAX + 1] = {
[NFTA_REDIR_REG_PROTO_MIN] = { .type = NLA_U32 },
[NFTA_REDIR_REG_PROTO_MAX] = { .type = NLA_U32 },
- [NFTA_REDIR_FLAGS] = { .type = NLA_U32 },
+ [NFTA_REDIR_FLAGS] =
+ NLA_POLICY_MASK(NLA_BE32, NF_NAT_RANGE_MASK),
};
static int nft_redir_validate(const struct nft_ctx *ctx,
@@ -68,11 +69,8 @@ static int nft_redir_init(const struct nft_ctx *ctx,
priv->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
}
- if (tb[NFTA_REDIR_FLAGS]) {
+ if (tb[NFTA_REDIR_FLAGS])
priv->flags = ntohl(nla_get_be32(tb[NFTA_REDIR_FLAGS]));
- if (priv->flags & ~NF_NAT_RANGE_MASK)
- return -EINVAL;
- }
return nf_ct_netns_get(ctx->net, ctx->family);
}
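Review bot: not introduced by this hunk but visible in its context: nft_redir_init() sets `priv->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;` and then, when NFTA_REDIR_FLAGS is present, overwrites it with `priv->flags = ntohl(nla_get_be32(tb[NFTA_REDIR_FLAGS]));`, whereas the nft_nat hunk uses `|=`. If userspace supplies both a proto range and flags, PROTO_SPECIFIED is lost; since this patch touches the surrounding lines anyway, a separate fix switching to `|=` (or reading flags before the register) would be appropriate.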
--
2.41.0
* [PATCH net-next 4/5] netfilter: conntrack: validate cta_ip via parsing
From: Florian Westphal @ 2023-07-27 13:35 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, Lin Ma, Simon Horman
From: Lin Ma <linma@zju.edu.cn>
In the current ctnetlink_parse_tuple_ip() function, nested parsing and
validation are split into two parts, which could be cleaned up into a
simplified form, as the nla_parse_nested_deprecated function
supports validation on the fly. These two finally reach the same place,
__nla_validate_parse, with the same validate flag.

nla_parse_nested_deprecated
  __nla_parse(.., NL_VALIDATE_LIBERAL, ..)
    __nla_validate_parse

nla_validate_nested_deprecated
  __nla_validate_nested(.., NL_VALIDATE_LIBERAL, ..)
    __nla_validate
      __nla_validate_parse

This commit removes the call to nla_validate_nested_deprecated and passes
cta_ip_nla_policy when parsing.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_netlink.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 69c8c8c7e9b8..334db22199c1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1321,15 +1321,11 @@ static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
struct nlattr *tb[CTA_IP_MAX+1];
int ret = 0;
- ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
+ ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr,
+ cta_ip_nla_policy, NULL);
if (ret < 0)
return ret;
- ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
- cta_ip_nla_policy, NULL);
- if (ret)
- return ret;
-
switch (tuple->src.l3num) {
case NFPROTO_IPV4:
ret = ipv4_nlattr_to_tuple(tb, tuple, flags);
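Review bot: passing cta_ip_nla_policy to nla_parse_nested_deprecated() keeps the NL_VALIDATE_LIBERAL semantics the commit message's call chain shows, so behaviour is unchanged and one pass over the attributes is saved. While here, `int ret = 0;` at the top of the hunk is now a dead initialiser, since ret is assigned by the very next statement; the `= 0` could go.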
--
2.41.0
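The three netlink patches above share one mechanism: an attribute policy that is checked while parsing, with NLA_POLICY_MASK rejecting reserved flag bits and NLA_BE32 telling the validator to convert byte order before comparing. What follows is an added example written for this page, not code from lib/nlattr.c or nf_tables: a small userspace model of that parse-and-validate path over a constructed TLV message. The attribute numbers (ATTR_DREG, ATTR_FLAGS), the flag bits and the nla_parse()/check_flags() helpers are assumptions for the example; only the wire layout of struct nlattr and the shape of nla_validate_mask() follow the kernel. It also shows why the byte-order conversion added to nla_validate_mask() in patch 2 matters: if the same big-endian flags word were declared NLA_U32, the mask check would compare raw wire bytes and reject a valid FLAG_A on a little-endian host.

```c
/* Added example, not code from lib/nlattr.c or nf_tables: a userspace model
 * of policy-driven netlink attribute parsing with a NLA_POLICY_MASK-style
 * check on a big-endian flags attribute. */
#include <arpa/inet.h>	/* htonl()/ntohl() */
#include <errno.h>
#include <stdint.h>
#include <string.h>

enum nla_type { NLA_UNSPEC, NLA_U32, NLA_BE32 };

struct nla_policy {
	enum nla_type type;
	uint32_t mask;		/* permitted bits, host byte order; 0 = no mask check */
};

struct nlattr {			/* kernel wire layout: header, payload, 4-byte padding */
	uint16_t nla_len;
	uint16_t nla_type;
};

#define NLA_ALIGN(len)	(((len) + 3U) & ~3U)
#define NLA_HDRLEN	((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Assumed attribute numbers and flag bits, modelled on NFTA_*_DREG/_FLAGS. */
enum { ATTR_UNSPEC, ATTR_DREG, ATTR_FLAGS, ATTR_MAX = ATTR_FLAGS };
#define FLAG_A		0x1U
#define FLAG_B		0x2U
#define FLAGS_ALL	(FLAG_A | FLAG_B)

/* Right: the flags word travels big-endian, as nf_tables sends it. */
static const struct nla_policy good_policy[ATTR_MAX + 1] = {
	[ATTR_DREG]  = { .type = NLA_U32 },
	[ATTR_FLAGS] = { .type = NLA_BE32, .mask = FLAGS_ALL },
};

/* Wrong: the same big-endian attribute declared as host-order NLA_U32. */
static const struct nla_policy wrong_policy[ATTR_MAX + 1] = {
	[ATTR_DREG]  = { .type = NLA_U32 },
	[ATTR_FLAGS] = { .type = NLA_U32, .mask = FLAGS_ALL },
};

/* Same shape as the kernel's nla_validate_mask(): BE types are converted
 * to host order before the comparison against the host-order mask. */
static int nla_validate_mask(const struct nla_policy *pt, const struct nlattr *nla)
{
	uint32_t value;
	memcpy(&value, (const char *)nla + NLA_HDRLEN, sizeof(value));
	switch (pt->type) {
	case NLA_U32:  break;			/* already host order */
	case NLA_BE32: value = ntohl(value); break;
	default:       return -EINVAL;
	}
	return (value & ~pt->mask) ? -ERANGE : 0;
}

/* Walk a TLV buffer and validate each attribute against the policy while
 * filling tb[], as nla_parse_nested() does validation during parsing. */
static int nla_parse(const struct nlattr **tb, int maxtype,
		     const struct nla_policy *policy, const char *buf, size_t len)
{
	size_t off = 0;
	int type, err;

	memset(tb, 0, sizeof(*tb) * (maxtype + 1));
	while (off + NLA_HDRLEN <= len) {
		const struct nlattr *nla = (const struct nlattr *)(buf + off);

		type = nla->nla_type;
		if (nla->nla_len < NLA_HDRLEN || off + nla->nla_len > len)
			return -EINVAL;		/* truncated or bogus length */
		if (type > maxtype || policy[type].type == NLA_UNSPEC)
			return -EINVAL;		/* attribute not covered by policy */
		if ((size_t)(nla->nla_len - NLA_HDRLEN) != sizeof(uint32_t))
			return -EINVAL;		/* both policy types here are 32-bit */
		err = policy[type].mask ? nla_validate_mask(&policy[type], nla) : 0;
		if (err)
			return err;		/* reserved/unknown flag bit set */
		tb[type] = nla;
		off += NLA_ALIGN(nla->nla_len);
	}
	return 0;
}

/* Append one 32-bit attribute carrying the given wire bytes; returns bytes used. */
static size_t put_u32(char *buf, uint16_t type, uint32_t wire_value)
{
	struct nlattr hdr = { .nla_len = NLA_HDRLEN + sizeof(uint32_t), .nla_type = type };
	memcpy(buf, &hdr, sizeof(hdr));
	memcpy(buf + NLA_HDRLEN, &wire_value, sizeof(wire_value));
	return NLA_ALIGN(hdr.nla_len);
}

/* Constructed message (DREG=1, FLAGS=flags in network order, as nftables
 * would encode it): 0 if the policy accepts it, -ERANGE if a bit outside
 * the mask is seen, -EINVAL for a malformed message. */
int check_flags(const struct nla_policy *policy, uint32_t flags)
{
	const struct nlattr *tb[ATTR_MAX + 1];
	char buf[16];		/* two 8-byte attributes */
	size_t n = 0;
	n += put_u32(buf + n, ATTR_DREG, 1);
	n += put_u32(buf + n, ATTR_FLAGS, htonl(flags));
	return nla_parse(tb, ATTR_MAX, policy, buf, n);
}
```

Under good_policy, check_flags() accepts FLAG_A|FLAG_B and 0 and rejects the undefined bit 0x4 with -ERANGE, which is the effect of the NLA_POLICY_MASK lines in patch 3. Under wrong_policy the same valid FLAG_A arrives as the bytes 00 00 00 01, is read as 0x01000000 on a little-endian host and is rejected, which is the failure mode the NLA_BE32 conversion in nla_validate_mask() exists to avoid.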
* [PATCH net-next 5/5] lib/ts_bm: add helper to reduce indentation and improve readability
From: Florian Westphal @ 2023-07-27 13:36 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, Jeremy Sowden
From: Jeremy Sowden <jeremy@azazel.net>
The flow-control of `bm_find` is very deeply nested with a conditional
comparing a ternary expression against the pattern inside a for-loop
inside a while-loop inside a for-loop.
Move the inner for-loop into a helper function to reduce the amount of
indentation and make the code easier to read.
Fix indentation and trailing white-space in preceding debug logging
statement.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
lib/ts_bm.c | 43 ++++++++++++++++++++++++++++++-------------
1 file changed, 30 insertions(+), 13 deletions(-)
diff --git a/lib/ts_bm.c b/lib/ts_bm.c
index c8ecbf74ef29..e5f30f9177df 100644
--- a/lib/ts_bm.c
+++ b/lib/ts_bm.c
@@ -55,6 +55,24 @@ struct ts_bm
unsigned int good_shift[];
};
+static unsigned int matchpat(const u8 *pattern, unsigned int patlen,
+ const u8 *text, bool icase)
+{
+ unsigned int i;
+
+ for (i = 0; i < patlen; i++) {
+ u8 t = *(text-i);
+
+ if (icase)
+ t = toupper(t);
+
+ if (t != *(pattern-i))
+ break;
+ }
+
+ return i;
+}
+
static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
{
struct ts_bm *bm = ts_config_priv(conf);
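Review bot: matchpat() takes `pattern` and `text` pointing at the last byte and walks both backwards with `*(text-i)` and `*(pattern-i)`, and it folds only the text byte through toupper(), so it relies on the pattern having been uppercased at init when icase is set. Neither convention is stated; a short comment above the function ("both pointers address the last byte; pattern must already be upper case when icase") would save the next reader from calling it with the first byte. Returning `i` at the first mismatch is also what keeps the caller's bad_shift[text[shift-i]] lookup correct, which is worth saying.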
@@ -72,19 +90,18 @@ static unsigned int bm_find(struct ts_config *conf, struct ts_state *state)
break;
while (shift < text_len) {
- DEBUGP("Searching in position %d (%c)\n",
- shift, text[shift]);
- for (i = 0; i < bm->patlen; i++)
- if ((icase ? toupper(text[shift-i])
- : text[shift-i])
- != bm->pattern[bm->patlen-1-i])
- goto next;
-
- /* London calling... */
- DEBUGP("found!\n");
- return consumed + (shift-(bm->patlen-1));
-
-next: bs = bm->bad_shift[text[shift-i]];
+ DEBUGP("Searching in position %d (%c)\n",
+ shift, text[shift]);
+
+ i = matchpat(&bm->pattern[bm->patlen-1], bm->patlen,
+ &text[shift], icase);
+ if (i == bm->patlen) {
+ /* London calling... */
+ DEBUGP("found!\n");
+ return consumed + (shift-(bm->patlen-1));
+ }
+
+ bs = bm->bad_shift[text[shift-i]];
/* Now jumping to... */
shift = max_t(int, shift-i+bs, shift+bm->good_shift[i]);
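Review bot: the refactor preserves `i` as the number of bytes matched from the right, so `bad_shift[text[shift-i]]` and `good_shift[i]` are indexed exactly as before the change. One subtlety a reader might miss is that a full match returns from inside the `if (i == bm->patlen)` block, so `i == bm->patlen` never reaches `good_shift[i]`; a one-line comment on the shift line would make that bound explicit.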
--
2.41.0
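As an added example, not the kernel's lib/ts_bm.c: a complete userspace Boyer-Moore search built around the same right-to-left matchpat() helper the patch introduces. It uses only the bad-character shift (the kernel additionally takes the max with a good-suffix table, which is omitted here), and makes explicit the precondition the helper relies on: since only the text byte goes through toupper(), a case-insensitive search must uppercase the pattern at init time, and the bad-shift table must be filled for both cases because it is indexed with the raw text byte. The bm_search() wrapper and its 64-byte pattern limit are assumptions for the example.

```c
/* Added example, not lib/ts_bm.c itself: a userspace Boyer-Moore search
 * built around the same right-to-left matchpat() helper, using only the
 * bad-character shift (the kernel additionally keeps a good-suffix table). */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ASIZE 256

struct bm {
	const uint8_t *pattern;
	unsigned int patlen;
	unsigned int bad_shift[ASIZE];
	int icase;
};

/* Same contract as the helper in the patch: 'pattern' and 'text' point at
 * the LAST byte to compare and both walk backwards; the return value is
 * the number of bytes that matched, patlen meaning a full match. Only the
 * text byte is folded, so with icase the pattern must already be upper case. */
static unsigned int matchpat(const uint8_t *pattern, unsigned int patlen,
			     const uint8_t *text, int icase)
{
	unsigned int i;

	for (i = 0; i < patlen; i++) {
		uint8_t t = *(text - i);

		if (icase)
			t = toupper(t);
		if (t != *(pattern - i))
			break;
	}
	return i;
}

/* Prepare the pattern (uppercased in place when icase) and the bad-character
 * table: bad_shift[c] is the distance from the last pattern position to the
 * rightmost occurrence of c in pattern[0..patlen-2], or patlen if absent. */
static void bm_init(struct bm *bm, uint8_t *pattern, unsigned int patlen, int icase)
{
	unsigned int i;

	bm->pattern = pattern;
	bm->patlen = patlen;
	bm->icase = icase;
	for (i = 0; icase && i < patlen; i++)
		pattern[i] = toupper(pattern[i]);
	for (i = 0; i < ASIZE; i++)
		bm->bad_shift[i] = patlen;
	for (i = 0; i + 1 < patlen; i++) {
		bm->bad_shift[pattern[i]] = patlen - 1 - i;
		if (icase)	/* raw text bytes index the table, so cover both cases */
			bm->bad_shift[tolower(pattern[i])] = patlen - 1 - i;
	}
}

/* Offset of the first occurrence of the pattern in text, or -1. */
static int bm_find(const struct bm *bm, const uint8_t *text, size_t text_len)
{
	unsigned int shift = bm->patlen - 1, i, bs;

	while (shift < text_len) {
		i = matchpat(&bm->pattern[bm->patlen - 1], bm->patlen,
			     &text[shift], bm->icase);
		if (i == bm->patlen)
			return (int)(shift - (bm->patlen - 1));
		/* mismatch at text[shift - i]: realign it with its rightmost
		 * pattern occurrence, but always advance by at least one */
		bs = bm->bad_shift[text[shift - i]];
		shift = (shift - i + bs > shift + 1) ? shift - i + bs : shift + 1;
	}
	return -1;
}

/* Convenience wrapper over C strings; returns the match offset or -1. */
int bm_search(const char *pat, const char *text, int icase)
{
	uint8_t patbuf[64];	/* copied because bm_init() may uppercase it in place */
	struct bm bm;
	size_t n = strlen(pat);

	if (n == 0 || n > sizeof(patbuf))
		return -1;
	memcpy(patbuf, pat, n);
	bm_init(&bm, patbuf, (unsigned int)n, icase);
	return bm_find(&bm, (const uint8_t *)text, strlen(text));
}
```

bm_search("needle", "find the NEEDLE in haystack", 0) finds nothing, while the same call with icase set returns 9; that pair is the behaviour the helper's toupper() on the text byte, together with the uppercased pattern, is meant to provide.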
* Re: [PATCH net-next 1/5] nf_conntrack: fix -Wunused-const-variable=
From: Jakub Kicinski @ 2023-07-28 3:28 UTC
To: Florian Westphal
Cc: netdev, Paolo Abeni, David S. Miller, Eric Dumazet,
netfilter-devel, Zhu Wang, Simon Horman
On Thu, 27 Jul 2023 15:35:56 +0200 Florian Westphal wrote:
> When building with W=1, the following warning occurs.
>
> net/netfilter/nf_conntrack_proto_dccp.c:72:27: warning: ‘dccp_state_names’ defined but not used [-Wunused-const-variable=]
> static const char * const dccp_state_names[] = {
>
> We include dccp_state_names in the macro
> CONFIG_NF_CONNTRACK_PROCFS, since it is only used in the place
> which is included in the macro CONFIG_NF_CONNTRACK_PROCFS.
FTR I can't say I see this with the versions of gcc / clang I have :S
> Fixes: 2bc780499aa3 ("[NETFILTER]: nf_conntrack: add DCCP protocol support")
Nor that it's worth a Fixes tag?
* Re: [PATCH net-next 1/5] nf_conntrack: fix -Wunused-const-variable=
From: Jakub Kicinski @ 2023-07-28 3:28 UTC
To: Florian Westphal
Cc: netdev, Paolo Abeni, David S. Miller, Eric Dumazet,
netfilter-devel, Zhu Wang, Simon Horman
On Thu, 27 Jul 2023 20:28:11 -0700 Jakub Kicinski wrote:
> > We include dccp_state_names in the macro
> > CONFIG_NF_CONNTRACK_PROCFS, since it is only used in the place
> > which is included in the macro CONFIG_NF_CONNTRACK_PROCFS.
>
> FTR I can't say I see this with the versions of gcc / clang I have :S
Ignore. Just my stupidity.
* Re: [PATCH net-next 1/5] nf_conntrack: fix -Wunused-const-variable=
From: patchwork-bot+netdevbpf @ 2023-07-28 3:40 UTC
To: Florian Westphal
Cc: netdev, pabeni, davem, edumazet, kuba, netfilter-devel, wangzhu9,
simon.horman
Hello:
This series was applied to netdev/net-next.git (main)
by Florian Westphal <fw@strlen.de>:
On Thu, 27 Jul 2023 15:35:56 +0200 you wrote:
> From: Zhu Wang <wangzhu9@huawei.com>
>
> When building with W=1, the following warning occurs.
>
> net/netfilter/nf_conntrack_proto_dccp.c:72:27: warning: ‘dccp_state_names’ defined but not used [-Wunused-const-variable=]
> static const char * const dccp_state_names[] = {
>
> [...]
Here is the summary with links:
- [net-next,1/5] nf_conntrack: fix -Wunused-const-variable=
https://git.kernel.org/netdev/net-next/c/a927d77778e3
- [net-next,2/5] netlink: allow be16 and be32 types in all uint policy checks
https://git.kernel.org/netdev/net-next/c/5fac9b7c16c5
- [net-next,3/5] netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options
https://git.kernel.org/netdev/net-next/c/100a11b69842
- [net-next,4/5] netfilter: conntrack: validate cta_ip via parsing
https://git.kernel.org/netdev/net-next/c/0c805e80e35d
- [net-next,5/5] lib/ts_bm: add helper to reduce indentation and improve readability
https://git.kernel.org/netdev/net-next/c/86e9c9aa2358
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
* [PATCH net-next 0/5] netfilter updates for net-next
@ 2023-08-08 12:41 Florian Westphal
From: Florian Westphal @ 2023-08-08 12:41 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
Hello,
This batch contains a few updates for your *net-next* tree.
The first 4 patches, from Yue Haibing, remove unused prototypes in
various netfilter headers.
The last patch makes nfnetlink_log always include a packet timestamp; up
to now it was only included if the skb had one assigned previously.
From Maciej Żenczykowski.
The following changes since commit b98a5aa7e4c20d6e4d9062ee0f0156ff3ad300fa:
Merge branch 'net-remove-redundant-initialization-owner' (2023-08-07 19:18:30 -0700)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-2023-08-08
for you to fetch changes up to 1d85594fd3e7e39e63b53b1bdc2d89db43b6ecd5:
netfilter: nfnetlink_log: always add a timestamp (2023-08-08 13:03:36 +0200)
----------------------------------------------------------------
nf-next pull request 2023-08-08
----------------------------------------------------------------
Maciej Żenczykowski (1):
netfilter: nfnetlink_log: always add a timestamp
Yue Haibing (4):
netfilter: gre: Remove unused function declaration nf_ct_gre_keymap_flush()
netfilter: helper: Remove unused function declarations
netfilter: conntrack: Remove unused function declarations
netfilter: h323: Remove unused function declarations
include/linux/netfilter/nf_conntrack_h323.h | 4 ----
include/linux/netfilter/nf_conntrack_proto_gre.h | 1 -
include/net/netfilter/nf_conntrack.h | 4 ----
include/net/netfilter/nf_conntrack_acct.h | 2 --
include/net/netfilter/nf_conntrack_helper.h | 3 ---
include/net/netfilter/nf_conntrack_labels.h | 1 -
net/netfilter/nfnetlink_log.c | 6 ++----
7 files changed, 2 insertions(+), 19 deletions(-)
* [PATCH net-next 0/5] netfilter: updates for net-next
@ 2025-09-11 14:38 Florian Westphal
From: Florian Westphal @ 2025-09-11 14:38 UTC
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel, pablo
The following patchset contains Netfilter changes for *net-next*:
1) Don't respond to ICMP_UNREACH errors with another ICMP_UNREACH
error.
2) Support fetching the current bridge ethernet address.
This allows a more flexible approach to packet redirection
on bridges without need to use hardcoded addresses. From
Fernando Fernandez Mancera.
3) Zap a few no-longer needed conditionals from ipvs packet path
and convert to READ/WRITE_ONCE to avoid KCSAN warnings.
From Zhang Tengfei.
4) Remove a no-longer-used macro argument in ipset, from Zhen Ni.
Please, pull these changes from:
The following changes since commit 5adf6f2b9972dbb69f4dd11bae52ba251c64ecb7:
Merge branch 'ipv4-icmp-fix-source-ip-derivation-in-presence-of-vrfs' (2025-09-11 12:22:40 +0200)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git tags/nf-next-25-09-11
for you to fetch changes up to db99b2f2b3e2cd8227ac9990ca4a8a31a1e95e56:
netfilter: nf_reject: don't reply to icmp error messages (2025-09-11 15:40:55 +0200)
----------------------------------------------------------------
netfilter pull request nf-next-25-09-11
----------------------------------------------------------------
Andres Urian Florez (1):
selftest:net: fixed spelling mistakes
Fernando Fernandez Mancera (1):
netfilter: nft_meta_bridge: introduce NFT_META_BRI_IIFHWADDR support
Florian Westphal (1):
netfilter: nf_reject: don't reply to icmp error messages
Zhang Tengfei (1):
ipvs: Use READ_ONCE/WRITE_ONCE for ipvs->enable
Zhen Ni (1):
netfilter: ipset: Remove unused htable_bits in macro ahash_region
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/bridge/netfilter/nft_meta_bridge.c | 11 +++++++++
net/ipv4/netfilter/nf_reject_ipv4.c | 25 ++++++++++++++++++++
net/ipv6/netfilter/nf_reject_ipv6.c | 30 ++++++++++++++++++++++++
net/netfilter/ipset/ip_set_hash_gen.h | 8 +++----
net/netfilter/ipvs/ip_vs_conn.c | 4 ++--
net/netfilter/ipvs/ip_vs_core.c | 11 ++++-----
net/netfilter/ipvs/ip_vs_ctl.c | 6 ++---
net/netfilter/ipvs/ip_vs_est.c | 16 ++++++-------
tools/testing/selftests/net/netfilter/nft_nat.sh | 4 ++--
10 files changed, 91 insertions(+), 26 deletions(-)