[PATCH 0/4] netfilter updates for net-next (upcoming 3.6), batch 4

[PATCH 0/4] netfilter updates for net-next (upcoming 3.6), batch 4

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following four patches provide Netfilter fixes for the cthelper
infrastructure that was recently merged mainstream, they are:

* two fixes for compilation breakage with two different configurations:

  - CONFIG_NF_NAT=m and CONFIG_NF_CT_NETLINK=y
  - NF_CONNTRACK_EVENTS=n and CONFIG_NETFILTER_NETLINK_QUEUE_CT=y

* two fixes for sparse warnings.

You can pull this changes from:

git://1984.lsi.us.es/nf-next master

Thanks!

Pablo Neira Ayuso (4):
  netfilter: nfq_ct_hook needs __rcu and __read_mostly
  netfilter: nfnetlink_queue: fix compilation with CONFIG_NF_NAT=m and CONFIG_NF_CT_NETLINK=y
  netfilter: nfnetlink_queue: fix sparse warning due to missing include
  netfilter: ctnetlink: fix compilation with NF_CONNTRACK_EVENTS=n

 include/linux/netfilter.h            |    6 +++++-
 net/ipv4/netfilter/nf_nat_core.c     |    6 ++++++
 net/netfilter/core.c                 |    5 ++++-
 net/netfilter/nf_conntrack_netlink.c |    5 +----
 net/netfilter/nfnetlink_queue_ct.c   |    9 +++++----
 5 files changed, 21 insertions(+), 10 deletions(-)

-- 
1.7.10

[PATCH 1/4] netfilter: nfq_ct_hook needs __rcu and __read_mostly

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

This removes some sparse warnings.

Reported-by: Fengguang Wu <wfg@linux.intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter.h |    2 +-
 net/netfilter/core.c      |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index dca19e6..38b96a5 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -404,7 +404,7 @@ struct nfq_ct_hook {
 	void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
 			   u32 ctinfo, int off);
 };
-extern struct nfq_ct_hook *nfq_ct_hook;
+extern struct nfq_ct_hook __rcu *nfq_ct_hook;
 #else
 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 #endif
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 7eef845..4cd10ed 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -265,7 +265,7 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct)
 }
 EXPORT_SYMBOL(nf_conntrack_destroy);
 
-struct nfq_ct_hook *nfq_ct_hook;
+struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
 EXPORT_SYMBOL_GPL(nfq_ct_hook);
 
 #endif /* CONFIG_NF_CONNTRACK */
-- 
1.7.10

[PATCH 2/4] netfilter: nfnetlink_queue: fix compilation with CONFIG_NF_NAT=m and CONFIG_NF_CT_NETLINK=y

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

  LD      init/built-in.o
net/built-in.o:(.data+0x4408): undefined reference to `nf_nat_tcp_seq_adjust'
make: *** [vmlinux] Error 1

This patch adds a new pointer hook (nfq_ct_nat_hook) similar to other existing
in Netfilter to solve our complicated configuration dependencies.

Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/linux/netfilter.h            |    6 +++++-
 net/ipv4/netfilter/nf_nat_core.c     |    6 ++++++
 net/netfilter/core.c                 |    3 +++
 net/netfilter/nf_conntrack_netlink.c |    3 ---
 net/netfilter/nfnetlink_queue_ct.c   |    8 ++++----
 5 files changed, 18 insertions(+), 8 deletions(-)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 38b96a5..c613cf0 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -401,10 +401,14 @@ struct nfq_ct_hook {
 	size_t (*build_size)(const struct nf_conn *ct);
 	int (*build)(struct sk_buff *skb, struct nf_conn *ct);
 	int (*parse)(const struct nlattr *attr, struct nf_conn *ct);
+};
+extern struct nfq_ct_hook __rcu *nfq_ct_hook;
+
+struct nfq_ct_nat_hook {
 	void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
 			   u32 ctinfo, int off);
 };
-extern struct nfq_ct_hook __rcu *nfq_ct_hook;
+extern struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook;
 #else
 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 #endif
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index abb52ad..44b082f 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -691,6 +691,10 @@ static struct nf_ct_helper_expectfn follow_master_nat = {
 	.expectfn	= nf_nat_follow_master,
 };
 
+static struct nfq_ct_nat_hook nfq_ct_nat = {
+	.seq_adjust	= nf_nat_tcp_seq_adjust,
+};
+
 static int __init nf_nat_init(void)
 {
 	size_t i;
@@ -731,6 +735,7 @@ static int __init nf_nat_init(void)
 			   nfnetlink_parse_nat_setup);
 	BUG_ON(nf_ct_nat_offset != NULL);
 	RCU_INIT_POINTER(nf_ct_nat_offset, nf_nat_get_offset);
+	RCU_INIT_POINTER(nfq_ct_nat_hook, &nfq_ct_nat);
 	return 0;
 
  cleanup_extend:
@@ -747,6 +752,7 @@ static void __exit nf_nat_cleanup(void)
 	RCU_INIT_POINTER(nf_nat_seq_adjust_hook, NULL);
 	RCU_INIT_POINTER(nfnetlink_parse_nat_setup_hook, NULL);
 	RCU_INIT_POINTER(nf_ct_nat_offset, NULL);
+	RCU_INIT_POINTER(nfq_ct_nat_hook, NULL);
 	synchronize_net();
 }
 
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 4cd10ed..0bc6b60 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -268,6 +268,9 @@ EXPORT_SYMBOL(nf_conntrack_destroy);
 struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
 EXPORT_SYMBOL_GPL(nfq_ct_hook);
 
+struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly;
+EXPORT_SYMBOL_GPL(nfq_ct_nat_hook);
+
 #endif /* CONFIG_NF_CONNTRACK */
 
 #ifdef CONFIG_PROC_FS
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 31d1d8f..8bb4733 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1757,9 +1757,6 @@ static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
 	.build_size	= ctnetlink_nfqueue_build_size,
 	.build		= ctnetlink_nfqueue_build,
 	.parse		= ctnetlink_nfqueue_parse,
-#ifdef CONFIG_NF_NAT_NEEDED
-	.seq_adjust	= nf_nat_tcp_seq_adjust,
-#endif
 };
 #endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */
 
diff --git a/net/netfilter/nfnetlink_queue_ct.c b/net/netfilter/nfnetlink_queue_ct.c
index 68ef550..01247b7 100644
--- a/net/netfilter/nfnetlink_queue_ct.c
+++ b/net/netfilter/nfnetlink_queue_ct.c
@@ -86,12 +86,12 @@ nla_put_failure:
 void nfqnl_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct,
 			 enum ip_conntrack_info ctinfo, int diff)
 {
-	struct nfq_ct_hook *nfq_ct;
+	struct nfq_ct_nat_hook *nfq_nat_ct;
 
-	nfq_ct = rcu_dereference(nfq_ct_hook);
-	if (nfq_ct == NULL)
+	nfq_nat_ct = rcu_dereference(nfq_ct_nat_hook);
+	if (nfq_nat_ct == NULL)
 		return;
 
 	if ((ct->status & IPS_NAT_MASK) && diff)
-		nfq_ct->seq_adjust(skb, ct, ctinfo, diff);
+		nfq_nat_ct->seq_adjust(skb, ct, ctinfo, diff);
 }
-- 
1.7.10

[PATCH 3/4] netfilter: nfnetlink_queue: fix sparse warning due to missing include

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes a sparse warning due to missing include header file.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_queue_ct.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nfnetlink_queue_ct.c b/net/netfilter/nfnetlink_queue_ct.c
index 01247b7..ab61d66 100644
--- a/net/netfilter/nfnetlink_queue_ct.c
+++ b/net/netfilter/nfnetlink_queue_ct.c
@@ -12,6 +12,7 @@
 #include <linux/netfilter/nfnetlink.h>
 #include <linux/netfilter/nfnetlink_queue.h>
 #include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nfnetlink_queue.h>
 
 struct nf_conn *nfqnl_ct_get(struct sk_buff *entskb, size_t *size,
 			     enum ip_conntrack_info *ctinfo)
-- 
1.7.10

[PATCH 4/4] netfilter: ctnetlink: fix compilation with NF_CONNTRACK_EVENTS=n

[pablo]

From: Pablo Neira Ayuso <pablo@netfilter.org>

This patch fixes compilation with NF_CONNTRACK_EVENTS=n and
NETFILTER_NETLINK_QUEUE_CT=y.

I'm leaving all those static inline functions that calculate the size
of the event message out of the ifdef area of NF_CONNTRACK_EVENTS since
they will not be included by gcc in case they are unused.

Reported-by: Randy Dunlap <rdunlap@xenotime.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 8bb4733..b9b8f4a 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -478,7 +478,6 @@ nla_put_failure:
 	return -1;
 }
 
-#ifdef CONFIG_NF_CONNTRACK_EVENTS
 static inline size_t
 ctnetlink_proto_size(const struct nf_conn *ct)
 {
@@ -565,6 +564,7 @@ ctnetlink_nlmsg_size(const struct nf_conn *ct)
 	       ;
 }
 
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
 static int
 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
 {
-- 
1.7.10

Re: [PATCH 0/4] netfilter updates for net-next (upcoming 3.6), batch 4

[David Miller]

From: pablo@netfilter.org
Date: Sun, 24 Jun 2012 01:53:25 +0200

> From: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> Hi David,
> 
> The following four patches provide Netfilter fixes for the cthelper
> infrastructure that was recently merged mainstream, they are:
> 
> * two fixes for compilation breakage with two different configurations:
> 
>   - CONFIG_NF_NAT=m and CONFIG_NF_CT_NETLINK=y
>   - NF_CONNTRACK_EVENTS=n and CONFIG_NETFILTER_NETLINK_QUEUE_CT=y
> 
> * two fixes for sparse warnings.
> 
> You can pull this changes from:
> 
> git://1984.lsi.us.es/nf-next master

Pulled, thanks Pablo.