diff options
| author | David S. Miller <davem@davemloft.net> | 2018-09-12 00:17:30 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2018-09-12 00:17:30 -0400 |
| commit | 4ecdf770914392eb654d24f00e301d3e6afd1cfc (patch) | |
| tree | d0012e4f49ac4cce805ad319481bf057b575eec3 | |
| parent | 7c5cca3588545e7f255171e28e0dd6e384ebb91d (diff) | |
| parent | 1286df269f498165061e0cf8092ca212545dbb5a (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for you net tree:
1) Remove duplicated include at the end of UDP conntrack, from Yue Haibing.
2) Restore conntrack dependency on xt_cluster, from Martin Willi.
3) Fix splat with GSO skbs from the checksum target, from Florian Westphal.
4) Rework ct timeout support, the template strategy to attach custom timeouts
is not correct since it will not work in conjunction with conntrack zones
and we have a possible free after use when removing the rule due to missing
refcounting. To fix these problems, do not use conntrack template at all
and set custom timeout on the already valid conntrack object. This
fix comes with a preparation patch to simplify timeout adjustment by
initializating the first position of the timeout array for all of the
existing trackers. Patchset from Florian Westphal.
5) Fix missing dependency on from IPv4 chain NAT type, from Florian.
6) Release chain reference counter from the flush path, from Taehee Yoo.
7) After flushing an iptables ruleset, conntrack hooks are unregistered
and entries are left stale to be cleaned up by the timeout garbage
collector. No TCP tracking is done on established flows by this time.
If ruleset is reloaded, then hooks are registered again and TCP
tracking is restored, which considers packets to be invalid. Clear
window tracking to exercise TCP flow pickup from the middle given that
history is lost for us. Again from Florian.
8) Fix crash from netlink interface with CONFIG_NF_CONNTRACK_TIMEOUT=y
and CONFIG_NF_CT_NETLINK_TIMEOUT=n.
9) Broken CT target due to returning incorrect type from
ctnl_timeout_find_get().
10) Solve conntrack clash on NF_REPEAT verdicts too, from Michal Vaner.
11) Missing conversion of hashlimit sysctl interface to new API, from
Cong Wang.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/net/netfilter/nf_conntrack_timeout.h | 2 | ||||
| -rw-r--r-- | net/ipv4/netfilter/Kconfig | 8 | ||||
| -rw-r--r-- | net/netfilter/Kconfig | 12 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto.c | 26 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_dccp.c | 19 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_generic.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_gre.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_icmp.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_icmpv6.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_sctp.c | 21 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 19 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_udp.c | 21 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 1 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_cttimeout.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_queue.c | 1 | ||||
| -rw-r--r-- | net/netfilter/nft_ct.c | 59 | ||||
| -rw-r--r-- | net/netfilter/xt_CHECKSUM.c | 22 | ||||
| -rw-r--r-- | net/netfilter/xt_cluster.c | 14 | ||||
| -rw-r--r-- | net/netfilter/xt_hashlimit.c | 18 |
19 files changed, 181 insertions, 100 deletions
diff --git a/include/net/netfilter/nf_conntrack_timeout.h b/include/net/netfilter/nf_conntrack_timeout.h index d5f62cc6c2ae..3394d75e1c80 100644 --- a/include/net/netfilter/nf_conntrack_timeout.h +++ b/include/net/netfilter/nf_conntrack_timeout.h | |||
| @@ -30,7 +30,7 @@ struct nf_conn_timeout { | |||
| 30 | }; | 30 | }; |
| 31 | 31 | ||
| 32 | static inline unsigned int * | 32 | static inline unsigned int * |
| 33 | nf_ct_timeout_data(struct nf_conn_timeout *t) | 33 | nf_ct_timeout_data(const struct nf_conn_timeout *t) |
| 34 | { | 34 | { |
| 35 | struct nf_ct_timeout *timeout; | 35 | struct nf_ct_timeout *timeout; |
| 36 | 36 | ||
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index d9504adc47b3..184bf2e0a1ed 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
| @@ -106,6 +106,10 @@ config NF_NAT_IPV4 | |||
| 106 | 106 | ||
| 107 | if NF_NAT_IPV4 | 107 | if NF_NAT_IPV4 |
| 108 | 108 | ||
| 109 | config NF_NAT_MASQUERADE_IPV4 | ||
| 110 | bool | ||
| 111 | |||
| 112 | if NF_TABLES | ||
| 109 | config NFT_CHAIN_NAT_IPV4 | 113 | config NFT_CHAIN_NAT_IPV4 |
| 110 | depends on NF_TABLES_IPV4 | 114 | depends on NF_TABLES_IPV4 |
| 111 | tristate "IPv4 nf_tables nat chain support" | 115 | tristate "IPv4 nf_tables nat chain support" |
| @@ -115,9 +119,6 @@ config NFT_CHAIN_NAT_IPV4 | |||
| 115 | packet transformations such as the source, destination address and | 119 | packet transformations such as the source, destination address and |
| 116 | source and destination ports. | 120 | source and destination ports. |
| 117 | 121 | ||
| 118 | config NF_NAT_MASQUERADE_IPV4 | ||
| 119 | bool | ||
| 120 | |||
| 121 | config NFT_MASQ_IPV4 | 122 | config NFT_MASQ_IPV4 |
| 122 | tristate "IPv4 masquerading support for nf_tables" | 123 | tristate "IPv4 masquerading support for nf_tables" |
| 123 | depends on NF_TABLES_IPV4 | 124 | depends on NF_TABLES_IPV4 |
| @@ -135,6 +136,7 @@ config NFT_REDIR_IPV4 | |||
| 135 | help | 136 | help |
| 136 | This is the expression that provides IPv4 redirect support for | 137 | This is the expression that provides IPv4 redirect support for |
| 137 | nf_tables. | 138 | nf_tables. |
| 139 | endif # NF_TABLES | ||
| 138 | 140 | ||
| 139 | config NF_NAT_SNMP_BASIC | 141 | config NF_NAT_SNMP_BASIC |
| 140 | tristate "Basic SNMP-ALG support" | 142 | tristate "Basic SNMP-ALG support" |
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 71709c104081..f61c306de1d0 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig | |||
| @@ -771,13 +771,13 @@ config NETFILTER_XT_TARGET_CHECKSUM | |||
| 771 | depends on NETFILTER_ADVANCED | 771 | depends on NETFILTER_ADVANCED |
| 772 | ---help--- | 772 | ---help--- |
| 773 | This option adds a `CHECKSUM' target, which can be used in the iptables mangle | 773 | This option adds a `CHECKSUM' target, which can be used in the iptables mangle |
| 774 | table. | 774 | table to work around buggy DHCP clients in virtualized environments. |
| 775 | 775 | ||
| 776 | You can use this target to compute and fill in the checksum in | 776 | Some old DHCP clients drop packets because they are not aware |
| 777 | a packet that lacks a checksum. This is particularly useful, | 777 | that the checksum would normally be offloaded to hardware and |
| 778 | if you need to work around old applications such as dhcp clients, | 778 | thus should be considered valid. |
| 779 | that do not work well with checksum offloads, but don't want to disable | 779 | This target can be used to fill in the checksum using iptables |
| 780 | checksum offload in your device. | 780 | when such packets are sent via a virtual network device. |
| 781 | 781 | ||
| 782 | To compile it as a module, choose M here. If unsure, say N. | 782 | To compile it as a module, choose M here. If unsure, say N. |
| 783 | 783 | ||
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index 9f14b0df6960..51c5d7eec0a3 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c | |||
| @@ -776,9 +776,26 @@ static const struct nf_hook_ops ipv6_conntrack_ops[] = { | |||
| 776 | }; | 776 | }; |
| 777 | #endif | 777 | #endif |
| 778 | 778 | ||
| 779 | static int nf_ct_tcp_fixup(struct nf_conn *ct, void *_nfproto) | ||
| 780 | { | ||
| 781 | u8 nfproto = (unsigned long)_nfproto; | ||
| 782 | |||
| 783 | if (nf_ct_l3num(ct) != nfproto) | ||
| 784 | return 0; | ||
| 785 | |||
| 786 | if (nf_ct_protonum(ct) == IPPROTO_TCP && | ||
| 787 | ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED) { | ||
| 788 | ct->proto.tcp.seen[0].td_maxwin = 0; | ||
| 789 | ct->proto.tcp.seen[1].td_maxwin = 0; | ||
| 790 | } | ||
| 791 | |||
| 792 | return 0; | ||
| 793 | } | ||
| 794 | |||
| 779 | static int nf_ct_netns_do_get(struct net *net, u8 nfproto) | 795 | static int nf_ct_netns_do_get(struct net *net, u8 nfproto) |
| 780 | { | 796 | { |
| 781 | struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id); | 797 | struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id); |
| 798 | bool fixup_needed = false; | ||
| 782 | int err = 0; | 799 | int err = 0; |
| 783 | 800 | ||
| 784 | mutex_lock(&nf_ct_proto_mutex); | 801 | mutex_lock(&nf_ct_proto_mutex); |
| @@ -798,6 +815,8 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto) | |||
| 798 | ARRAY_SIZE(ipv4_conntrack_ops)); | 815 | ARRAY_SIZE(ipv4_conntrack_ops)); |
| 799 | if (err) | 816 | if (err) |
| 800 | cnet->users4 = 0; | 817 | cnet->users4 = 0; |
| 818 | else | ||
| 819 | fixup_needed = true; | ||
| 801 | break; | 820 | break; |
| 802 | #if IS_ENABLED(CONFIG_IPV6) | 821 | #if IS_ENABLED(CONFIG_IPV6) |
| 803 | case NFPROTO_IPV6: | 822 | case NFPROTO_IPV6: |
| @@ -814,6 +833,8 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto) | |||
| 814 | ARRAY_SIZE(ipv6_conntrack_ops)); | 833 | ARRAY_SIZE(ipv6_conntrack_ops)); |
| 815 | if (err) | 834 | if (err) |
| 816 | cnet->users6 = 0; | 835 | cnet->users6 = 0; |
| 836 | else | ||
| 837 | fixup_needed = true; | ||
| 817 | break; | 838 | break; |
| 818 | #endif | 839 | #endif |
| 819 | default: | 840 | default: |
| @@ -822,6 +843,11 @@ static int nf_ct_netns_do_get(struct net *net, u8 nfproto) | |||
| 822 | } | 843 | } |
| 823 | out_unlock: | 844 | out_unlock: |
| 824 | mutex_unlock(&nf_ct_proto_mutex); | 845 | mutex_unlock(&nf_ct_proto_mutex); |
| 846 | |||
| 847 | if (fixup_needed) | ||
| 848 | nf_ct_iterate_cleanup_net(net, nf_ct_tcp_fixup, | ||
| 849 | (void *)(unsigned long)nfproto, 0, 0); | ||
| 850 | |||
| 825 | return err; | 851 | return err; |
| 826 | } | 852 | } |
| 827 | 853 | ||
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c index 8c58f96b59e7..f3f91ed2c21a 100644 --- a/net/netfilter/nf_conntrack_proto_dccp.c +++ b/net/netfilter/nf_conntrack_proto_dccp.c | |||
| @@ -675,7 +675,7 @@ static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct) | |||
| 675 | } | 675 | } |
| 676 | #endif | 676 | #endif |
| 677 | 677 | ||
| 678 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 678 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 679 | 679 | ||
| 680 | #include <linux/netfilter/nfnetlink.h> | 680 | #include <linux/netfilter/nfnetlink.h> |
| 681 | #include <linux/netfilter/nfnetlink_cttimeout.h> | 681 | #include <linux/netfilter/nfnetlink_cttimeout.h> |
| @@ -697,6 +697,8 @@ static int dccp_timeout_nlattr_to_obj(struct nlattr *tb[], | |||
| 697 | timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; | 697 | timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; |
| 698 | } | 698 | } |
| 699 | } | 699 | } |
| 700 | |||
| 701 | timeouts[CTA_TIMEOUT_DCCP_UNSPEC] = timeouts[CTA_TIMEOUT_DCCP_REQUEST]; | ||
| 700 | return 0; | 702 | return 0; |
| 701 | } | 703 | } |
| 702 | 704 | ||
| @@ -726,7 +728,7 @@ dccp_timeout_nla_policy[CTA_TIMEOUT_DCCP_MAX+1] = { | |||
| 726 | [CTA_TIMEOUT_DCCP_CLOSING] = { .type = NLA_U32 }, | 728 | [CTA_TIMEOUT_DCCP_CLOSING] = { .type = NLA_U32 }, |
| 727 | [CTA_TIMEOUT_DCCP_TIMEWAIT] = { .type = NLA_U32 }, | 729 | [CTA_TIMEOUT_DCCP_TIMEWAIT] = { .type = NLA_U32 }, |
| 728 | }; | 730 | }; |
| 729 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 731 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 730 | 732 | ||
| 731 | #ifdef CONFIG_SYSCTL | 733 | #ifdef CONFIG_SYSCTL |
| 732 | /* template, data assigned later */ | 734 | /* template, data assigned later */ |
| @@ -827,6 +829,11 @@ static int dccp_init_net(struct net *net, u_int16_t proto) | |||
| 827 | dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ; | 829 | dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ; |
| 828 | dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ; | 830 | dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ; |
| 829 | dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL; | 831 | dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL; |
| 832 | |||
| 833 | /* timeouts[0] is unused, make it same as SYN_SENT so | ||
| 834 | * ->timeouts[0] contains 'new' timeout, like udp or icmp. | ||
| 835 | */ | ||
| 836 | dn->dccp_timeout[CT_DCCP_NONE] = dn->dccp_timeout[CT_DCCP_REQUEST]; | ||
| 830 | } | 837 | } |
| 831 | 838 | ||
| 832 | return dccp_kmemdup_sysctl_table(net, pn, dn); | 839 | return dccp_kmemdup_sysctl_table(net, pn, dn); |
| @@ -856,7 +863,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = { | |||
| 856 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, | 863 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, |
| 857 | .nla_policy = nf_ct_port_nla_policy, | 864 | .nla_policy = nf_ct_port_nla_policy, |
| 858 | #endif | 865 | #endif |
| 859 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 866 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 860 | .ctnl_timeout = { | 867 | .ctnl_timeout = { |
| 861 | .nlattr_to_obj = dccp_timeout_nlattr_to_obj, | 868 | .nlattr_to_obj = dccp_timeout_nlattr_to_obj, |
| 862 | .obj_to_nlattr = dccp_timeout_obj_to_nlattr, | 869 | .obj_to_nlattr = dccp_timeout_obj_to_nlattr, |
| @@ -864,7 +871,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = { | |||
| 864 | .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, | 871 | .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, |
| 865 | .nla_policy = dccp_timeout_nla_policy, | 872 | .nla_policy = dccp_timeout_nla_policy, |
| 866 | }, | 873 | }, |
| 867 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 874 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 868 | .init_net = dccp_init_net, | 875 | .init_net = dccp_init_net, |
| 869 | .get_net_proto = dccp_get_net_proto, | 876 | .get_net_proto = dccp_get_net_proto, |
| 870 | }; | 877 | }; |
| @@ -889,7 +896,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = { | |||
| 889 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, | 896 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, |
| 890 | .nla_policy = nf_ct_port_nla_policy, | 897 | .nla_policy = nf_ct_port_nla_policy, |
| 891 | #endif | 898 | #endif |
| 892 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 899 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 893 | .ctnl_timeout = { | 900 | .ctnl_timeout = { |
| 894 | .nlattr_to_obj = dccp_timeout_nlattr_to_obj, | 901 | .nlattr_to_obj = dccp_timeout_nlattr_to_obj, |
| 895 | .obj_to_nlattr = dccp_timeout_obj_to_nlattr, | 902 | .obj_to_nlattr = dccp_timeout_obj_to_nlattr, |
| @@ -897,7 +904,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = { | |||
| 897 | .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, | 904 | .obj_size = sizeof(unsigned int) * CT_DCCP_MAX, |
| 898 | .nla_policy = dccp_timeout_nla_policy, | 905 | .nla_policy = dccp_timeout_nla_policy, |
| 899 | }, | 906 | }, |
| 900 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 907 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 901 | .init_net = dccp_init_net, | 908 | .init_net = dccp_init_net, |
| 902 | .get_net_proto = dccp_get_net_proto, | 909 | .get_net_proto = dccp_get_net_proto, |
| 903 | }; | 910 | }; |
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c index ac4a0b296dcd..1df3244ecd07 100644 --- a/net/netfilter/nf_conntrack_proto_generic.c +++ b/net/netfilter/nf_conntrack_proto_generic.c | |||
| @@ -70,7 +70,7 @@ static bool generic_new(struct nf_conn *ct, const struct sk_buff *skb, | |||
| 70 | return ret; | 70 | return ret; |
| 71 | } | 71 | } |
| 72 | 72 | ||
| 73 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 73 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 74 | 74 | ||
| 75 | #include <linux/netfilter/nfnetlink.h> | 75 | #include <linux/netfilter/nfnetlink.h> |
| 76 | #include <linux/netfilter/nfnetlink_cttimeout.h> | 76 | #include <linux/netfilter/nfnetlink_cttimeout.h> |
| @@ -113,7 +113,7 @@ static const struct nla_policy | |||
| 113 | generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = { | 113 | generic_timeout_nla_policy[CTA_TIMEOUT_GENERIC_MAX+1] = { |
| 114 | [CTA_TIMEOUT_GENERIC_TIMEOUT] = { .type = NLA_U32 }, | 114 | [CTA_TIMEOUT_GENERIC_TIMEOUT] = { .type = NLA_U32 }, |
| 115 | }; | 115 | }; |
| 116 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 116 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 117 | 117 | ||
| 118 | #ifdef CONFIG_SYSCTL | 118 | #ifdef CONFIG_SYSCTL |
| 119 | static struct ctl_table generic_sysctl_table[] = { | 119 | static struct ctl_table generic_sysctl_table[] = { |
| @@ -164,7 +164,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic = | |||
| 164 | .pkt_to_tuple = generic_pkt_to_tuple, | 164 | .pkt_to_tuple = generic_pkt_to_tuple, |
| 165 | .packet = generic_packet, | 165 | .packet = generic_packet, |
| 166 | .new = generic_new, | 166 | .new = generic_new, |
| 167 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 167 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 168 | .ctnl_timeout = { | 168 | .ctnl_timeout = { |
| 169 | .nlattr_to_obj = generic_timeout_nlattr_to_obj, | 169 | .nlattr_to_obj = generic_timeout_nlattr_to_obj, |
| 170 | .obj_to_nlattr = generic_timeout_obj_to_nlattr, | 170 | .obj_to_nlattr = generic_timeout_obj_to_nlattr, |
| @@ -172,7 +172,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic = | |||
| 172 | .obj_size = sizeof(unsigned int), | 172 | .obj_size = sizeof(unsigned int), |
| 173 | .nla_policy = generic_timeout_nla_policy, | 173 | .nla_policy = generic_timeout_nla_policy, |
| 174 | }, | 174 | }, |
| 175 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 175 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 176 | .init_net = generic_init_net, | 176 | .init_net = generic_init_net, |
| 177 | .get_net_proto = generic_get_net_proto, | 177 | .get_net_proto = generic_get_net_proto, |
| 178 | }; | 178 | }; |
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c index d1632252bf5b..650eb4fba2c5 100644 --- a/net/netfilter/nf_conntrack_proto_gre.c +++ b/net/netfilter/nf_conntrack_proto_gre.c | |||
| @@ -285,7 +285,7 @@ static void gre_destroy(struct nf_conn *ct) | |||
| 285 | nf_ct_gre_keymap_destroy(master); | 285 | nf_ct_gre_keymap_destroy(master); |
| 286 | } | 286 | } |
| 287 | 287 | ||
| 288 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 288 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 289 | 289 | ||
| 290 | #include <linux/netfilter/nfnetlink.h> | 290 | #include <linux/netfilter/nfnetlink.h> |
| 291 | #include <linux/netfilter/nfnetlink_cttimeout.h> | 291 | #include <linux/netfilter/nfnetlink_cttimeout.h> |
| @@ -334,7 +334,7 @@ gre_timeout_nla_policy[CTA_TIMEOUT_GRE_MAX+1] = { | |||
| 334 | [CTA_TIMEOUT_GRE_UNREPLIED] = { .type = NLA_U32 }, | 334 | [CTA_TIMEOUT_GRE_UNREPLIED] = { .type = NLA_U32 }, |
| 335 | [CTA_TIMEOUT_GRE_REPLIED] = { .type = NLA_U32 }, | 335 | [CTA_TIMEOUT_GRE_REPLIED] = { .type = NLA_U32 }, |
| 336 | }; | 336 | }; |
| 337 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 337 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 338 | 338 | ||
| 339 | static int gre_init_net(struct net *net, u_int16_t proto) | 339 | static int gre_init_net(struct net *net, u_int16_t proto) |
| 340 | { | 340 | { |
| @@ -367,7 +367,7 @@ static const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 = { | |||
| 367 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, | 367 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, |
| 368 | .nla_policy = nf_ct_port_nla_policy, | 368 | .nla_policy = nf_ct_port_nla_policy, |
| 369 | #endif | 369 | #endif |
| 370 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 370 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 371 | .ctnl_timeout = { | 371 | .ctnl_timeout = { |
| 372 | .nlattr_to_obj = gre_timeout_nlattr_to_obj, | 372 | .nlattr_to_obj = gre_timeout_nlattr_to_obj, |
| 373 | .obj_to_nlattr = gre_timeout_obj_to_nlattr, | 373 | .obj_to_nlattr = gre_timeout_obj_to_nlattr, |
| @@ -375,7 +375,7 @@ static const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 = { | |||
| 375 | .obj_size = sizeof(unsigned int) * GRE_CT_MAX, | 375 | .obj_size = sizeof(unsigned int) * GRE_CT_MAX, |
| 376 | .nla_policy = gre_timeout_nla_policy, | 376 | .nla_policy = gre_timeout_nla_policy, |
| 377 | }, | 377 | }, |
| 378 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 378 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 379 | .net_id = &proto_gre_net_id, | 379 | .net_id = &proto_gre_net_id, |
| 380 | .init_net = gre_init_net, | 380 | .init_net = gre_init_net, |
| 381 | }; | 381 | }; |
diff --git a/net/netfilter/nf_conntrack_proto_icmp.c b/net/netfilter/nf_conntrack_proto_icmp.c index 036670b38282..43c7e1a217b9 100644 --- a/net/netfilter/nf_conntrack_proto_icmp.c +++ b/net/netfilter/nf_conntrack_proto_icmp.c | |||
| @@ -273,7 +273,7 @@ static unsigned int icmp_nlattr_tuple_size(void) | |||
| 273 | } | 273 | } |
| 274 | #endif | 274 | #endif |
| 275 | 275 | ||
| 276 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 276 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 277 | 277 | ||
| 278 | #include <linux/netfilter/nfnetlink.h> | 278 | #include <linux/netfilter/nfnetlink.h> |
| 279 | #include <linux/netfilter/nfnetlink_cttimeout.h> | 279 | #include <linux/netfilter/nfnetlink_cttimeout.h> |
| @@ -313,7 +313,7 @@ static const struct nla_policy | |||
| 313 | icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = { | 313 | icmp_timeout_nla_policy[CTA_TIMEOUT_ICMP_MAX+1] = { |
| 314 | [CTA_TIMEOUT_ICMP_TIMEOUT] = { .type = NLA_U32 }, | 314 | [CTA_TIMEOUT_ICMP_TIMEOUT] = { .type = NLA_U32 }, |
| 315 | }; | 315 | }; |
| 316 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 316 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 317 | 317 | ||
| 318 | #ifdef CONFIG_SYSCTL | 318 | #ifdef CONFIG_SYSCTL |
| 319 | static struct ctl_table icmp_sysctl_table[] = { | 319 | static struct ctl_table icmp_sysctl_table[] = { |
| @@ -374,7 +374,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp = | |||
| 374 | .nlattr_to_tuple = icmp_nlattr_to_tuple, | 374 | .nlattr_to_tuple = icmp_nlattr_to_tuple, |
| 375 | .nla_policy = icmp_nla_policy, | 375 | .nla_policy = icmp_nla_policy, |
| 376 | #endif | 376 | #endif |
| 377 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 377 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 378 | .ctnl_timeout = { | 378 | .ctnl_timeout = { |
| 379 | .nlattr_to_obj = icmp_timeout_nlattr_to_obj, | 379 | .nlattr_to_obj = icmp_timeout_nlattr_to_obj, |
| 380 | .obj_to_nlattr = icmp_timeout_obj_to_nlattr, | 380 | .obj_to_nlattr = icmp_timeout_obj_to_nlattr, |
| @@ -382,7 +382,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp = | |||
| 382 | .obj_size = sizeof(unsigned int), | 382 | .obj_size = sizeof(unsigned int), |
| 383 | .nla_policy = icmp_timeout_nla_policy, | 383 | .nla_policy = icmp_timeout_nla_policy, |
| 384 | }, | 384 | }, |
| 385 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 385 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 386 | .init_net = icmp_init_net, | 386 | .init_net = icmp_init_net, |
| 387 | .get_net_proto = icmp_get_net_proto, | 387 | .get_net_proto = icmp_get_net_proto, |
| 388 | }; | 388 | }; |
diff --git a/net/netfilter/nf_conntrack_proto_icmpv6.c b/net/netfilter/nf_conntrack_proto_icmpv6.c index bed07b998a10..97e40f77d678 100644 --- a/net/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/netfilter/nf_conntrack_proto_icmpv6.c | |||
| @@ -274,7 +274,7 @@ static unsigned int icmpv6_nlattr_tuple_size(void) | |||
| 274 | } | 274 | } |
| 275 | #endif | 275 | #endif |
| 276 | 276 | ||
| 277 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 277 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 278 | 278 | ||
| 279 | #include <linux/netfilter/nfnetlink.h> | 279 | #include <linux/netfilter/nfnetlink.h> |
| 280 | #include <linux/netfilter/nfnetlink_cttimeout.h> | 280 | #include <linux/netfilter/nfnetlink_cttimeout.h> |
| @@ -314,7 +314,7 @@ static const struct nla_policy | |||
| 314 | icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = { | 314 | icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = { |
| 315 | [CTA_TIMEOUT_ICMPV6_TIMEOUT] = { .type = NLA_U32 }, | 315 | [CTA_TIMEOUT_ICMPV6_TIMEOUT] = { .type = NLA_U32 }, |
| 316 | }; | 316 | }; |
| 317 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 317 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 318 | 318 | ||
| 319 | #ifdef CONFIG_SYSCTL | 319 | #ifdef CONFIG_SYSCTL |
| 320 | static struct ctl_table icmpv6_sysctl_table[] = { | 320 | static struct ctl_table icmpv6_sysctl_table[] = { |
| @@ -373,7 +373,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 = | |||
| 373 | .nlattr_to_tuple = icmpv6_nlattr_to_tuple, | 373 | .nlattr_to_tuple = icmpv6_nlattr_to_tuple, |
| 374 | .nla_policy = icmpv6_nla_policy, | 374 | .nla_policy = icmpv6_nla_policy, |
| 375 | #endif | 375 | #endif |
| 376 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 376 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 377 | .ctnl_timeout = { | 377 | .ctnl_timeout = { |
| 378 | .nlattr_to_obj = icmpv6_timeout_nlattr_to_obj, | 378 | .nlattr_to_obj = icmpv6_timeout_nlattr_to_obj, |
| 379 | .obj_to_nlattr = icmpv6_timeout_obj_to_nlattr, | 379 | .obj_to_nlattr = icmpv6_timeout_obj_to_nlattr, |
| @@ -381,7 +381,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 = | |||
| 381 | .obj_size = sizeof(unsigned int), | 381 | .obj_size = sizeof(unsigned int), |
| 382 | .nla_policy = icmpv6_timeout_nla_policy, | 382 | .nla_policy = icmpv6_timeout_nla_policy, |
| 383 | }, | 383 | }, |
| 384 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 384 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 385 | .init_net = icmpv6_init_net, | 385 | .init_net = icmpv6_init_net, |
| 386 | .get_net_proto = icmpv6_get_net_proto, | 386 | .get_net_proto = icmpv6_get_net_proto, |
| 387 | }; | 387 | }; |
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 8d1e085fc14a..e4d738d34cd0 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c | |||
| @@ -591,7 +591,7 @@ static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) | |||
| 591 | } | 591 | } |
| 592 | #endif | 592 | #endif |
| 593 | 593 | ||
| 594 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 594 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 595 | 595 | ||
| 596 | #include <linux/netfilter/nfnetlink.h> | 596 | #include <linux/netfilter/nfnetlink.h> |
| 597 | #include <linux/netfilter/nfnetlink_cttimeout.h> | 597 | #include <linux/netfilter/nfnetlink_cttimeout.h> |
| @@ -613,6 +613,8 @@ static int sctp_timeout_nlattr_to_obj(struct nlattr *tb[], | |||
| 613 | timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; | 613 | timeouts[i] = ntohl(nla_get_be32(tb[i])) * HZ; |
| 614 | } | 614 | } |
| 615 | } | 615 | } |
| 616 | |||
| 617 | timeouts[CTA_TIMEOUT_SCTP_UNSPEC] = timeouts[CTA_TIMEOUT_SCTP_CLOSED]; | ||
| 616 | return 0; | 618 | return 0; |
| 617 | } | 619 | } |
| 618 | 620 | ||
| @@ -644,7 +646,7 @@ sctp_timeout_nla_policy[CTA_TIMEOUT_SCTP_MAX+1] = { | |||
| 644 | [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, | 646 | [CTA_TIMEOUT_SCTP_HEARTBEAT_SENT] = { .type = NLA_U32 }, |
| 645 | [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, | 647 | [CTA_TIMEOUT_SCTP_HEARTBEAT_ACKED] = { .type = NLA_U32 }, |
| 646 | }; | 648 | }; |
| 647 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 649 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 648 | 650 | ||
| 649 | 651 | ||
| 650 | #ifdef CONFIG_SYSCTL | 652 | #ifdef CONFIG_SYSCTL |
| @@ -743,6 +745,11 @@ static int sctp_init_net(struct net *net, u_int16_t proto) | |||
| 743 | 745 | ||
| 744 | for (i = 0; i < SCTP_CONNTRACK_MAX; i++) | 746 | for (i = 0; i < SCTP_CONNTRACK_MAX; i++) |
| 745 | sn->timeouts[i] = sctp_timeouts[i]; | 747 | sn->timeouts[i] = sctp_timeouts[i]; |
| 748 | |||
| 749 | /* timeouts[0] is unused, init it so ->timeouts[0] contains | ||
| 750 | * 'new' timeout, like udp or icmp. | ||
| 751 | */ | ||
| 752 | sn->timeouts[0] = sctp_timeouts[SCTP_CONNTRACK_CLOSED]; | ||
| 746 | } | 753 | } |
| 747 | 754 | ||
| 748 | return sctp_kmemdup_sysctl_table(pn, sn); | 755 | return sctp_kmemdup_sysctl_table(pn, sn); |
| @@ -773,7 +780,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = { | |||
| 773 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, | 780 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, |
| 774 | .nla_policy = nf_ct_port_nla_policy, | 781 | .nla_policy = nf_ct_port_nla_policy, |
| 775 | #endif | 782 | #endif |
| 776 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 783 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 777 | .ctnl_timeout = { | 784 | .ctnl_timeout = { |
| 778 | .nlattr_to_obj = sctp_timeout_nlattr_to_obj, | 785 | .nlattr_to_obj = sctp_timeout_nlattr_to_obj, |
| 779 | .obj_to_nlattr = sctp_timeout_obj_to_nlattr, | 786 | .obj_to_nlattr = sctp_timeout_obj_to_nlattr, |
| @@ -781,7 +788,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = { | |||
| 781 | .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, | 788 | .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, |
| 782 | .nla_policy = sctp_timeout_nla_policy, | 789 | .nla_policy = sctp_timeout_nla_policy, |
| 783 | }, | 790 | }, |
| 784 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 791 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 785 | .init_net = sctp_init_net, | 792 | .init_net = sctp_init_net, |
| 786 | .get_net_proto = sctp_get_net_proto, | 793 | .get_net_proto = sctp_get_net_proto, |
| 787 | }; | 794 | }; |
| @@ -806,7 +813,8 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = { | |||
| 806 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, | 813 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, |
| 807 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, | 814 | .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, |
| 808 | .nla_policy = nf_ct_port_nla_policy, | 815 | .nla_policy = nf_ct_port_nla_policy, |
| 809 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 816 | #endif |
| 817 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT | ||
| 810 | .ctnl_timeout = { | 818 | .ctnl_timeout = { |
| 811 | .nlattr_to_obj = sctp_timeout_nlattr_to_obj, | 819 | .nlattr_to_obj = sctp_timeout_nlattr_to_obj, |
| 812 | .obj_to_nlattr = sctp_timeout_obj_to_nlattr, | 820 | .obj_to_nlattr = sctp_timeout_obj_to_nlattr, |
| @@ -814,8 +822,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = { | |||
| 814 | .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, | 822 | .obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX, |
| 815 | .nla_policy = sctp_timeout_nla_policy, | 823 | .nla_policy = sctp_timeout_nla_policy, |
| 816 | }, | 824 | }, |
| 817 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 825 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 818 | #endif | ||
| 819 | .init_net = sctp_init_net, | 826 | .init_net = sctp_init_net, |
| 820 | .get_net_proto = sctp_get_net_proto, | 827 | .get_net_proto = sctp_get_net_proto, |
| 821 | }; | 828 | }; |
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index d80d322b9d8b..b4bdf9eda7b7 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
| @@ -1279,7 +1279,7 @@ static unsigned int tcp_nlattr_tuple_size(void) | |||
| 1279 | } | 1279 | } |
| 1280 | #endif | 1280 | #endif |
| 1281 | 1281 | ||
| 1282 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 1282 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 1283 | 1283 | ||
| 1284 | #include <linux/netfilter/nfnetlink.h> | 1284 | #include <linux/netfilter/nfnetlink.h> |
| 1285 | #include <linux/netfilter/nfnetlink_cttimeout.h> | 1285 | #include <linux/netfilter/nfnetlink_cttimeout.h> |
| @@ -1301,6 +1301,7 @@ static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[], | |||
| 1301 | timeouts[TCP_CONNTRACK_SYN_SENT] = | 1301 | timeouts[TCP_CONNTRACK_SYN_SENT] = |
| 1302 | ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT]))*HZ; | 1302 | ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_SENT]))*HZ; |
| 1303 | } | 1303 | } |
| 1304 | |||
| 1304 | if (tb[CTA_TIMEOUT_TCP_SYN_RECV]) { | 1305 | if (tb[CTA_TIMEOUT_TCP_SYN_RECV]) { |
| 1305 | timeouts[TCP_CONNTRACK_SYN_RECV] = | 1306 | timeouts[TCP_CONNTRACK_SYN_RECV] = |
| 1306 | ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_RECV]))*HZ; | 1307 | ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_SYN_RECV]))*HZ; |
| @@ -1341,6 +1342,8 @@ static int tcp_timeout_nlattr_to_obj(struct nlattr *tb[], | |||
| 1341 | timeouts[TCP_CONNTRACK_UNACK] = | 1342 | timeouts[TCP_CONNTRACK_UNACK] = |
| 1342 | ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_UNACK]))*HZ; | 1343 | ntohl(nla_get_be32(tb[CTA_TIMEOUT_TCP_UNACK]))*HZ; |
| 1343 | } | 1344 | } |
| 1345 | |||
| 1346 | timeouts[CTA_TIMEOUT_TCP_UNSPEC] = timeouts[CTA_TIMEOUT_TCP_SYN_SENT]; | ||
| 1344 | return 0; | 1347 | return 0; |
| 1345 | } | 1348 | } |
| 1346 | 1349 | ||
| @@ -1391,7 +1394,7 @@ static const struct nla_policy tcp_timeout_nla_policy[CTA_TIMEOUT_TCP_MAX+1] = { | |||
| 1391 | [CTA_TIMEOUT_TCP_RETRANS] = { .type = NLA_U32 }, | 1394 | [CTA_TIMEOUT_TCP_RETRANS] = { .type = NLA_U32 }, |
| 1392 | [CTA_TIMEOUT_TCP_UNACK] = { .type = NLA_U32 }, | 1395 | [CTA_TIMEOUT_TCP_UNACK] = { .type = NLA_U32 }, |
| 1393 | }; | 1396 | }; |
| 1394 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 1397 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 1395 | 1398 | ||
| 1396 | #ifdef CONFIG_SYSCTL | 1399 | #ifdef CONFIG_SYSCTL |
| 1397 | static struct ctl_table tcp_sysctl_table[] = { | 1400 | static struct ctl_table tcp_sysctl_table[] = { |
| @@ -1518,6 +1521,10 @@ static int tcp_init_net(struct net *net, u_int16_t proto) | |||
| 1518 | for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++) | 1521 | for (i = 0; i < TCP_CONNTRACK_TIMEOUT_MAX; i++) |
| 1519 | tn->timeouts[i] = tcp_timeouts[i]; | 1522 | tn->timeouts[i] = tcp_timeouts[i]; |
| 1520 | 1523 | ||
| 1524 | /* timeouts[0] is unused, make it same as SYN_SENT so | ||
| 1525 | * ->timeouts[0] contains 'new' timeout, like udp or icmp. | ||
| 1526 | */ | ||
| 1527 | tn->timeouts[0] = tcp_timeouts[TCP_CONNTRACK_SYN_SENT]; | ||
| 1521 | tn->tcp_loose = nf_ct_tcp_loose; | 1528 | tn->tcp_loose = nf_ct_tcp_loose; |
| 1522 | tn->tcp_be_liberal = nf_ct_tcp_be_liberal; | 1529 | tn->tcp_be_liberal = nf_ct_tcp_be_liberal; |
| 1523 | tn->tcp_max_retrans = nf_ct_tcp_max_retrans; | 1530 | tn->tcp_max_retrans = nf_ct_tcp_max_retrans; |
| @@ -1551,7 +1558,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 = | |||
| 1551 | .nlattr_size = TCP_NLATTR_SIZE, | 1558 | .nlattr_size = TCP_NLATTR_SIZE, |
| 1552 | .nla_policy = nf_ct_port_nla_policy, | 1559 | .nla_policy = nf_ct_port_nla_policy, |
| 1553 | #endif | 1560 | #endif |
| 1554 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 1561 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 1555 | .ctnl_timeout = { | 1562 | .ctnl_timeout = { |
| 1556 | .nlattr_to_obj = tcp_timeout_nlattr_to_obj, | 1563 | .nlattr_to_obj = tcp_timeout_nlattr_to_obj, |
| 1557 | .obj_to_nlattr = tcp_timeout_obj_to_nlattr, | 1564 | .obj_to_nlattr = tcp_timeout_obj_to_nlattr, |
| @@ -1560,7 +1567,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 = | |||
| 1560 | TCP_CONNTRACK_TIMEOUT_MAX, | 1567 | TCP_CONNTRACK_TIMEOUT_MAX, |
| 1561 | .nla_policy = tcp_timeout_nla_policy, | 1568 | .nla_policy = tcp_timeout_nla_policy, |
| 1562 | }, | 1569 | }, |
| 1563 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 1570 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 1564 | .init_net = tcp_init_net, | 1571 | .init_net = tcp_init_net, |
| 1565 | .get_net_proto = tcp_get_net_proto, | 1572 | .get_net_proto = tcp_get_net_proto, |
| 1566 | }; | 1573 | }; |
| @@ -1586,7 +1593,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 = | |||
| 1586 | .nlattr_tuple_size = tcp_nlattr_tuple_size, | 1593 | .nlattr_tuple_size = tcp_nlattr_tuple_size, |
| 1587 | .nla_policy = nf_ct_port_nla_policy, | 1594 | .nla_policy = nf_ct_port_nla_policy, |
| 1588 | #endif | 1595 | #endif |
| 1589 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 1596 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 1590 | .ctnl_timeout = { | 1597 | .ctnl_timeout = { |
| 1591 | .nlattr_to_obj = tcp_timeout_nlattr_to_obj, | 1598 | .nlattr_to_obj = tcp_timeout_nlattr_to_obj, |
| 1592 | .obj_to_nlattr = tcp_timeout_obj_to_nlattr, | 1599 | .obj_to_nlattr = tcp_timeout_obj_to_nlattr, |
| @@ -1595,7 +1602,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 = | |||
| 1595 | TCP_CONNTRACK_TIMEOUT_MAX, | 1602 | TCP_CONNTRACK_TIMEOUT_MAX, |
| 1596 | .nla_policy = tcp_timeout_nla_policy, | 1603 | .nla_policy = tcp_timeout_nla_policy, |
| 1597 | }, | 1604 | }, |
| 1598 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 1605 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 1599 | .init_net = tcp_init_net, | 1606 | .init_net = tcp_init_net, |
| 1600 | .get_net_proto = tcp_get_net_proto, | 1607 | .get_net_proto = tcp_get_net_proto, |
| 1601 | }; | 1608 | }; |
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c index 7a1b8988a931..3065fb8ef91b 100644 --- a/net/netfilter/nf_conntrack_proto_udp.c +++ b/net/netfilter/nf_conntrack_proto_udp.c | |||
| @@ -171,7 +171,7 @@ static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, | |||
| 171 | return NF_ACCEPT; | 171 | return NF_ACCEPT; |
| 172 | } | 172 | } |
| 173 | 173 | ||
| 174 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 174 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 175 | 175 | ||
| 176 | #include <linux/netfilter/nfnetlink.h> | 176 | #include <linux/netfilter/nfnetlink.h> |
| 177 | #include <linux/netfilter/nfnetlink_cttimeout.h> | 177 | #include <linux/netfilter/nfnetlink_cttimeout.h> |
| @@ -221,7 +221,7 @@ udp_timeout_nla_policy[CTA_TIMEOUT_UDP_MAX+1] = { | |||
| 221 | [CTA_TIMEOUT_UDP_UNREPLIED] = { .type = NLA_U32 }, | 221 | [CTA_TIMEOUT_UDP_UNREPLIED] = { .type = NLA_U32 }, |
| 222 | [CTA_TIMEOUT_UDP_REPLIED] = { .type = NLA_U32 }, | 222 | [CTA_TIMEOUT_UDP_REPLIED] = { .type = NLA_U32 }, |
| 223 | }; | 223 | }; |
| 224 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 224 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 225 | 225 | ||
| 226 | #ifdef CONFIG_SYSCTL | 226 | #ifdef CONFIG_SYSCTL |
| 227 | static struct ctl_table udp_sysctl_table[] = { | 227 | static struct ctl_table udp_sysctl_table[] = { |
| @@ -292,7 +292,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 = | |||
| 292 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, | 292 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, |
| 293 | .nla_policy = nf_ct_port_nla_policy, | 293 | .nla_policy = nf_ct_port_nla_policy, |
| 294 | #endif | 294 | #endif |
| 295 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 295 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 296 | .ctnl_timeout = { | 296 | .ctnl_timeout = { |
| 297 | .nlattr_to_obj = udp_timeout_nlattr_to_obj, | 297 | .nlattr_to_obj = udp_timeout_nlattr_to_obj, |
| 298 | .obj_to_nlattr = udp_timeout_obj_to_nlattr, | 298 | .obj_to_nlattr = udp_timeout_obj_to_nlattr, |
| @@ -300,7 +300,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 = | |||
| 300 | .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, | 300 | .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, |
| 301 | .nla_policy = udp_timeout_nla_policy, | 301 | .nla_policy = udp_timeout_nla_policy, |
| 302 | }, | 302 | }, |
| 303 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 303 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 304 | .init_net = udp_init_net, | 304 | .init_net = udp_init_net, |
| 305 | .get_net_proto = udp_get_net_proto, | 305 | .get_net_proto = udp_get_net_proto, |
| 306 | }; | 306 | }; |
| @@ -321,7 +321,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 = | |||
| 321 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, | 321 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, |
| 322 | .nla_policy = nf_ct_port_nla_policy, | 322 | .nla_policy = nf_ct_port_nla_policy, |
| 323 | #endif | 323 | #endif |
| 324 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 324 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 325 | .ctnl_timeout = { | 325 | .ctnl_timeout = { |
| 326 | .nlattr_to_obj = udp_timeout_nlattr_to_obj, | 326 | .nlattr_to_obj = udp_timeout_nlattr_to_obj, |
| 327 | .obj_to_nlattr = udp_timeout_obj_to_nlattr, | 327 | .obj_to_nlattr = udp_timeout_obj_to_nlattr, |
| @@ -329,7 +329,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 = | |||
| 329 | .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, | 329 | .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, |
| 330 | .nla_policy = udp_timeout_nla_policy, | 330 | .nla_policy = udp_timeout_nla_policy, |
| 331 | }, | 331 | }, |
| 332 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 332 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 333 | .init_net = udp_init_net, | 333 | .init_net = udp_init_net, |
| 334 | .get_net_proto = udp_get_net_proto, | 334 | .get_net_proto = udp_get_net_proto, |
| 335 | }; | 335 | }; |
| @@ -350,7 +350,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 = | |||
| 350 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, | 350 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, |
| 351 | .nla_policy = nf_ct_port_nla_policy, | 351 | .nla_policy = nf_ct_port_nla_policy, |
| 352 | #endif | 352 | #endif |
| 353 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 353 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 354 | .ctnl_timeout = { | 354 | .ctnl_timeout = { |
| 355 | .nlattr_to_obj = udp_timeout_nlattr_to_obj, | 355 | .nlattr_to_obj = udp_timeout_nlattr_to_obj, |
| 356 | .obj_to_nlattr = udp_timeout_obj_to_nlattr, | 356 | .obj_to_nlattr = udp_timeout_obj_to_nlattr, |
| @@ -358,7 +358,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 = | |||
| 358 | .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, | 358 | .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, |
| 359 | .nla_policy = udp_timeout_nla_policy, | 359 | .nla_policy = udp_timeout_nla_policy, |
| 360 | }, | 360 | }, |
| 361 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 361 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 362 | .init_net = udp_init_net, | 362 | .init_net = udp_init_net, |
| 363 | .get_net_proto = udp_get_net_proto, | 363 | .get_net_proto = udp_get_net_proto, |
| 364 | }; | 364 | }; |
| @@ -379,7 +379,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 = | |||
| 379 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, | 379 | .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, |
| 380 | .nla_policy = nf_ct_port_nla_policy, | 380 | .nla_policy = nf_ct_port_nla_policy, |
| 381 | #endif | 381 | #endif |
| 382 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT) | 382 | #ifdef CONFIG_NF_CONNTRACK_TIMEOUT |
| 383 | .ctnl_timeout = { | 383 | .ctnl_timeout = { |
| 384 | .nlattr_to_obj = udp_timeout_nlattr_to_obj, | 384 | .nlattr_to_obj = udp_timeout_nlattr_to_obj, |
| 385 | .obj_to_nlattr = udp_timeout_obj_to_nlattr, | 385 | .obj_to_nlattr = udp_timeout_obj_to_nlattr, |
| @@ -387,10 +387,9 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 = | |||
| 387 | .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, | 387 | .obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX, |
| 388 | .nla_policy = udp_timeout_nla_policy, | 388 | .nla_policy = udp_timeout_nla_policy, |
| 389 | }, | 389 | }, |
| 390 | #endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */ | 390 | #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ |
| 391 | .init_net = udp_init_net, | 391 | .init_net = udp_init_net, |
| 392 | .get_net_proto = udp_get_net_proto, | 392 | .get_net_proto = udp_get_net_proto, |
| 393 | }; | 393 | }; |
| 394 | EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6); | 394 | EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6); |
| 395 | #endif | 395 | #endif |
| 396 | #include <net/netfilter/nf_conntrack_timeout.h> | ||
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 1dca5683f59f..2cfb173cd0b2 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c | |||
| @@ -4637,6 +4637,7 @@ static int nft_flush_set(const struct nft_ctx *ctx, | |||
| 4637 | } | 4637 | } |
| 4638 | set->ndeact++; | 4638 | set->ndeact++; |
| 4639 | 4639 | ||
| 4640 | nft_set_elem_deactivate(ctx->net, set, elem); | ||
| 4640 | nft_trans_elem_set(trans) = set; | 4641 | nft_trans_elem_set(trans) = set; |
| 4641 | nft_trans_elem(trans) = *elem; | 4642 | nft_trans_elem(trans) = *elem; |
| 4642 | list_add_tail(&trans->list, &ctx->net->nft.commit_list); | 4643 | list_add_tail(&trans->list, &ctx->net->nft.commit_list); |
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c index d46a236cdf31..a30f8ba4b89a 100644 --- a/net/netfilter/nfnetlink_cttimeout.c +++ b/net/netfilter/nfnetlink_cttimeout.c | |||
| @@ -489,8 +489,8 @@ err: | |||
| 489 | return err; | 489 | return err; |
| 490 | } | 490 | } |
| 491 | 491 | ||
| 492 | static struct ctnl_timeout * | 492 | static struct nf_ct_timeout *ctnl_timeout_find_get(struct net *net, |
| 493 | ctnl_timeout_find_get(struct net *net, const char *name) | 493 | const char *name) |
| 494 | { | 494 | { |
| 495 | struct ctnl_timeout *timeout, *matching = NULL; | 495 | struct ctnl_timeout *timeout, *matching = NULL; |
| 496 | 496 | ||
| @@ -509,7 +509,7 @@ ctnl_timeout_find_get(struct net *net, const char *name) | |||
| 509 | break; | 509 | break; |
| 510 | } | 510 | } |
| 511 | err: | 511 | err: |
| 512 | return matching; | 512 | return matching ? &matching->timeout : NULL; |
| 513 | } | 513 | } |
| 514 | 514 | ||
| 515 | static void ctnl_timeout_put(struct nf_ct_timeout *t) | 515 | static void ctnl_timeout_put(struct nf_ct_timeout *t) |
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index ea4ba551abb2..d33094f4ec41 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c | |||
| @@ -233,6 +233,7 @@ static void nfqnl_reinject(struct nf_queue_entry *entry, unsigned int verdict) | |||
| 233 | int err; | 233 | int err; |
| 234 | 234 | ||
| 235 | if (verdict == NF_ACCEPT || | 235 | if (verdict == NF_ACCEPT || |
| 236 | verdict == NF_REPEAT || | ||
| 236 | verdict == NF_STOP) { | 237 | verdict == NF_STOP) { |
| 237 | rcu_read_lock(); | 238 | rcu_read_lock(); |
| 238 | ct_hook = rcu_dereference(nf_ct_hook); | 239 | ct_hook = rcu_dereference(nf_ct_hook); |
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 26a8baebd072..5dd87748afa8 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c | |||
| @@ -799,7 +799,7 @@ err: | |||
| 799 | } | 799 | } |
| 800 | 800 | ||
| 801 | struct nft_ct_timeout_obj { | 801 | struct nft_ct_timeout_obj { |
| 802 | struct nf_conn *tmpl; | 802 | struct nf_ct_timeout *timeout; |
| 803 | u8 l4proto; | 803 | u8 l4proto; |
| 804 | }; | 804 | }; |
| 805 | 805 | ||
| @@ -809,26 +809,42 @@ static void nft_ct_timeout_obj_eval(struct nft_object *obj, | |||
| 809 | { | 809 | { |
| 810 | const struct nft_ct_timeout_obj *priv = nft_obj_data(obj); | 810 | const struct nft_ct_timeout_obj *priv = nft_obj_data(obj); |
| 811 | struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb); | 811 | struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb); |
| 812 | struct sk_buff *skb = pkt->skb; | 812 | struct nf_conn_timeout *timeout; |
| 813 | const unsigned int *values; | ||
| 814 | |||
| 815 | if (priv->l4proto != pkt->tprot) | ||
| 816 | return; | ||
| 813 | 817 | ||
| 814 | if (ct || | 818 | if (!ct || nf_ct_is_template(ct) || nf_ct_is_confirmed(ct)) |
| 815 | priv->l4proto != pkt->tprot) | ||
| 816 | return; | 819 | return; |
| 817 | 820 | ||
| 818 | nf_ct_set(skb, priv->tmpl, IP_CT_NEW); | 821 | timeout = nf_ct_timeout_find(ct); |
| 822 | if (!timeout) { | ||
| 823 | timeout = nf_ct_timeout_ext_add(ct, priv->timeout, GFP_ATOMIC); | ||
| 824 | if (!timeout) { | ||
| 825 | regs->verdict.code = NF_DROP; | ||
| 826 | return; | ||
| 827 | } | ||
| 828 | } | ||
| 829 | |||
| 830 | rcu_assign_pointer(timeout->timeout, priv->timeout); | ||
| 831 | |||
| 832 | /* adjust the timeout as per 'new' state. ct is unconfirmed, | ||
| 833 | * so the current timestamp must not be added. | ||
| 834 | */ | ||
| 835 | values = nf_ct_timeout_data(timeout); | ||
| 836 | if (values) | ||
| 837 | nf_ct_refresh(ct, pkt->skb, values[0]); | ||
| 819 | } | 838 | } |
| 820 | 839 | ||
| 821 | static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx, | 840 | static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx, |
| 822 | const struct nlattr * const tb[], | 841 | const struct nlattr * const tb[], |
| 823 | struct nft_object *obj) | 842 | struct nft_object *obj) |
| 824 | { | 843 | { |
| 825 | const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt; | ||
| 826 | struct nft_ct_timeout_obj *priv = nft_obj_data(obj); | 844 | struct nft_ct_timeout_obj *priv = nft_obj_data(obj); |
| 827 | const struct nf_conntrack_l4proto *l4proto; | 845 | const struct nf_conntrack_l4proto *l4proto; |
| 828 | struct nf_conn_timeout *timeout_ext; | ||
| 829 | struct nf_ct_timeout *timeout; | 846 | struct nf_ct_timeout *timeout; |
| 830 | int l3num = ctx->family; | 847 | int l3num = ctx->family; |
| 831 | struct nf_conn *tmpl; | ||
| 832 | __u8 l4num; | 848 | __u8 l4num; |
| 833 | int ret; | 849 | int ret; |
| 834 | 850 | ||
| @@ -863,28 +879,14 @@ static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx, | |||
| 863 | 879 | ||
| 864 | timeout->l3num = l3num; | 880 | timeout->l3num = l3num; |
| 865 | timeout->l4proto = l4proto; | 881 | timeout->l4proto = l4proto; |
| 866 | tmpl = nf_ct_tmpl_alloc(ctx->net, zone, GFP_ATOMIC); | ||
| 867 | if (!tmpl) { | ||
| 868 | ret = -ENOMEM; | ||
| 869 | goto err_free_timeout; | ||
| 870 | } | ||
| 871 | |||
| 872 | timeout_ext = nf_ct_timeout_ext_add(tmpl, timeout, GFP_ATOMIC); | ||
| 873 | if (!timeout_ext) { | ||
| 874 | ret = -ENOMEM; | ||
| 875 | goto err_free_tmpl; | ||
| 876 | } | ||
| 877 | 882 | ||
| 878 | ret = nf_ct_netns_get(ctx->net, ctx->family); | 883 | ret = nf_ct_netns_get(ctx->net, ctx->family); |
| 879 | if (ret < 0) | 884 | if (ret < 0) |
| 880 | goto err_free_tmpl; | 885 | goto err_free_timeout; |
| 881 | |||
| 882 | priv->tmpl = tmpl; | ||
| 883 | 886 | ||
| 887 | priv->timeout = timeout; | ||
| 884 | return 0; | 888 | return 0; |
| 885 | 889 | ||
| 886 | err_free_tmpl: | ||
| 887 | nf_ct_tmpl_free(tmpl); | ||
| 888 | err_free_timeout: | 890 | err_free_timeout: |
| 889 | kfree(timeout); | 891 | kfree(timeout); |
| 890 | err_proto_put: | 892 | err_proto_put: |
| @@ -896,22 +898,19 @@ static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, | |||
| 896 | struct nft_object *obj) | 898 | struct nft_object *obj) |
| 897 | { | 899 | { |
| 898 | struct nft_ct_timeout_obj *priv = nft_obj_data(obj); | 900 | struct nft_ct_timeout_obj *priv = nft_obj_data(obj); |
| 899 | struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl); | 901 | struct nf_ct_timeout *timeout = priv->timeout; |
| 900 | struct nf_ct_timeout *timeout; | ||
| 901 | 902 | ||
| 902 | timeout = rcu_dereference_raw(t->timeout); | ||
| 903 | nf_ct_untimeout(ctx->net, timeout); | 903 | nf_ct_untimeout(ctx->net, timeout); |
| 904 | nf_ct_l4proto_put(timeout->l4proto); | 904 | nf_ct_l4proto_put(timeout->l4proto); |
| 905 | nf_ct_netns_put(ctx->net, ctx->family); | 905 | nf_ct_netns_put(ctx->net, ctx->family); |
| 906 | nf_ct_tmpl_free(priv->tmpl); | 906 | kfree(priv->timeout); |
| 907 | } | 907 | } |
| 908 | 908 | ||
| 909 | static int nft_ct_timeout_obj_dump(struct sk_buff *skb, | 909 | static int nft_ct_timeout_obj_dump(struct sk_buff *skb, |
| 910 | struct nft_object *obj, bool reset) | 910 | struct nft_object *obj, bool reset) |
| 911 | { | 911 | { |
| 912 | const struct nft_ct_timeout_obj *priv = nft_obj_data(obj); | 912 | const struct nft_ct_timeout_obj *priv = nft_obj_data(obj); |
| 913 | const struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl); | 913 | const struct nf_ct_timeout *timeout = priv->timeout; |
| 914 | const struct nf_ct_timeout *timeout = rcu_dereference_raw(t->timeout); | ||
| 915 | struct nlattr *nest_params; | 914 | struct nlattr *nest_params; |
| 916 | int ret; | 915 | int ret; |
| 917 | 916 | ||
diff --git a/net/netfilter/xt_CHECKSUM.c b/net/netfilter/xt_CHECKSUM.c index 9f4151ec3e06..6c7aa6a0a0d2 100644 --- a/net/netfilter/xt_CHECKSUM.c +++ b/net/netfilter/xt_CHECKSUM.c | |||
| @@ -16,6 +16,9 @@ | |||
| 16 | #include <linux/netfilter/x_tables.h> | 16 | #include <linux/netfilter/x_tables.h> |
| 17 | #include <linux/netfilter/xt_CHECKSUM.h> | 17 | #include <linux/netfilter/xt_CHECKSUM.h> |
| 18 | 18 | ||
| 19 | #include <linux/netfilter_ipv4/ip_tables.h> | ||
| 20 | #include <linux/netfilter_ipv6/ip6_tables.h> | ||
| 21 | |||
| 19 | MODULE_LICENSE("GPL"); | 22 | MODULE_LICENSE("GPL"); |
| 20 | MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>"); | 23 | MODULE_AUTHOR("Michael S. Tsirkin <mst@redhat.com>"); |
| 21 | MODULE_DESCRIPTION("Xtables: checksum modification"); | 24 | MODULE_DESCRIPTION("Xtables: checksum modification"); |
| @@ -25,7 +28,7 @@ MODULE_ALIAS("ip6t_CHECKSUM"); | |||
| 25 | static unsigned int | 28 | static unsigned int |
| 26 | checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) | 29 | checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) |
| 27 | { | 30 | { |
| 28 | if (skb->ip_summed == CHECKSUM_PARTIAL) | 31 | if (skb->ip_summed == CHECKSUM_PARTIAL && !skb_is_gso(skb)) |
| 29 | skb_checksum_help(skb); | 32 | skb_checksum_help(skb); |
| 30 | 33 | ||
| 31 | return XT_CONTINUE; | 34 | return XT_CONTINUE; |
| @@ -34,6 +37,8 @@ checksum_tg(struct sk_buff *skb, const struct xt_action_param *par) | |||
| 34 | static int checksum_tg_check(const struct xt_tgchk_param *par) | 37 | static int checksum_tg_check(const struct xt_tgchk_param *par) |
| 35 | { | 38 | { |
| 36 | const struct xt_CHECKSUM_info *einfo = par->targinfo; | 39 | const struct xt_CHECKSUM_info *einfo = par->targinfo; |
| 40 | const struct ip6t_ip6 *i6 = par->entryinfo; | ||
| 41 | const struct ipt_ip *i4 = par->entryinfo; | ||
| 37 | 42 | ||
| 38 | if (einfo->operation & ~XT_CHECKSUM_OP_FILL) { | 43 | if (einfo->operation & ~XT_CHECKSUM_OP_FILL) { |
| 39 | pr_info_ratelimited("unsupported CHECKSUM operation %x\n", | 44 | pr_info_ratelimited("unsupported CHECKSUM operation %x\n", |
| @@ -43,6 +48,21 @@ static int checksum_tg_check(const struct xt_tgchk_param *par) | |||
| 43 | if (!einfo->operation) | 48 | if (!einfo->operation) |
| 44 | return -EINVAL; | 49 | return -EINVAL; |
| 45 | 50 | ||
| 51 | switch (par->family) { | ||
| 52 | case NFPROTO_IPV4: | ||
| 53 | if (i4->proto == IPPROTO_UDP && | ||
| 54 | (i4->invflags & XT_INV_PROTO) == 0) | ||
| 55 | return 0; | ||
| 56 | break; | ||
| 57 | case NFPROTO_IPV6: | ||
| 58 | if ((i6->flags & IP6T_F_PROTO) && | ||
| 59 | i6->proto == IPPROTO_UDP && | ||
| 60 | (i6->invflags & XT_INV_PROTO) == 0) | ||
| 61 | return 0; | ||
| 62 | break; | ||
| 63 | } | ||
| 64 | |||
| 65 | pr_warn_once("CHECKSUM should be avoided. If really needed, restrict with \"-p udp\" and only use in OUTPUT\n"); | ||
| 46 | return 0; | 66 | return 0; |
| 47 | } | 67 | } |
| 48 | 68 | ||
diff --git a/net/netfilter/xt_cluster.c b/net/netfilter/xt_cluster.c index dfbdbb2fc0ed..51d0c257e7a5 100644 --- a/net/netfilter/xt_cluster.c +++ b/net/netfilter/xt_cluster.c | |||
| @@ -125,6 +125,7 @@ xt_cluster_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 125 | static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) | 125 | static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) |
| 126 | { | 126 | { |
| 127 | struct xt_cluster_match_info *info = par->matchinfo; | 127 | struct xt_cluster_match_info *info = par->matchinfo; |
| 128 | int ret; | ||
| 128 | 129 | ||
| 129 | if (info->total_nodes > XT_CLUSTER_NODES_MAX) { | 130 | if (info->total_nodes > XT_CLUSTER_NODES_MAX) { |
| 130 | pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n", | 131 | pr_info_ratelimited("you have exceeded the maximum number of cluster nodes (%u > %u)\n", |
| @@ -135,7 +136,17 @@ static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par) | |||
| 135 | pr_info_ratelimited("node mask cannot exceed total number of nodes\n"); | 136 | pr_info_ratelimited("node mask cannot exceed total number of nodes\n"); |
| 136 | return -EDOM; | 137 | return -EDOM; |
| 137 | } | 138 | } |
| 138 | return 0; | 139 | |
| 140 | ret = nf_ct_netns_get(par->net, par->family); | ||
| 141 | if (ret < 0) | ||
| 142 | pr_info_ratelimited("cannot load conntrack support for proto=%u\n", | ||
| 143 | par->family); | ||
| 144 | return ret; | ||
| 145 | } | ||
| 146 | |||
| 147 | static void xt_cluster_mt_destroy(const struct xt_mtdtor_param *par) | ||
| 148 | { | ||
| 149 | nf_ct_netns_put(par->net, par->family); | ||
| 139 | } | 150 | } |
| 140 | 151 | ||
| 141 | static struct xt_match xt_cluster_match __read_mostly = { | 152 | static struct xt_match xt_cluster_match __read_mostly = { |
| @@ -144,6 +155,7 @@ static struct xt_match xt_cluster_match __read_mostly = { | |||
| 144 | .match = xt_cluster_mt, | 155 | .match = xt_cluster_mt, |
| 145 | .checkentry = xt_cluster_mt_checkentry, | 156 | .checkentry = xt_cluster_mt_checkentry, |
| 146 | .matchsize = sizeof(struct xt_cluster_match_info), | 157 | .matchsize = sizeof(struct xt_cluster_match_info), |
| 158 | .destroy = xt_cluster_mt_destroy, | ||
| 147 | .me = THIS_MODULE, | 159 | .me = THIS_MODULE, |
| 148 | }; | 160 | }; |
| 149 | 161 | ||
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 9b16402f29af..3e7d259e5d8d 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c | |||
| @@ -1057,7 +1057,7 @@ static struct xt_match hashlimit_mt_reg[] __read_mostly = { | |||
| 1057 | static void *dl_seq_start(struct seq_file *s, loff_t *pos) | 1057 | static void *dl_seq_start(struct seq_file *s, loff_t *pos) |
| 1058 | __acquires(htable->lock) | 1058 | __acquires(htable->lock) |
| 1059 | { | 1059 | { |
| 1060 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); | 1060 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); |
| 1061 | unsigned int *bucket; | 1061 | unsigned int *bucket; |
| 1062 | 1062 | ||
| 1063 | spin_lock_bh(&htable->lock); | 1063 | spin_lock_bh(&htable->lock); |
| @@ -1074,7 +1074,7 @@ static void *dl_seq_start(struct seq_file *s, loff_t *pos) | |||
| 1074 | 1074 | ||
| 1075 | static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos) | 1075 | static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 1076 | { | 1076 | { |
| 1077 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); | 1077 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); |
| 1078 | unsigned int *bucket = v; | 1078 | unsigned int *bucket = v; |
| 1079 | 1079 | ||
| 1080 | *pos = ++(*bucket); | 1080 | *pos = ++(*bucket); |
| @@ -1088,7 +1088,7 @@ static void *dl_seq_next(struct seq_file *s, void *v, loff_t *pos) | |||
| 1088 | static void dl_seq_stop(struct seq_file *s, void *v) | 1088 | static void dl_seq_stop(struct seq_file *s, void *v) |
| 1089 | __releases(htable->lock) | 1089 | __releases(htable->lock) |
| 1090 | { | 1090 | { |
| 1091 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); | 1091 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); |
| 1092 | unsigned int *bucket = v; | 1092 | unsigned int *bucket = v; |
| 1093 | 1093 | ||
| 1094 | if (!IS_ERR(bucket)) | 1094 | if (!IS_ERR(bucket)) |
| @@ -1130,7 +1130,7 @@ static void dl_seq_print(struct dsthash_ent *ent, u_int8_t family, | |||
| 1130 | static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family, | 1130 | static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family, |
| 1131 | struct seq_file *s) | 1131 | struct seq_file *s) |
| 1132 | { | 1132 | { |
| 1133 | struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private)); | 1133 | struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file)); |
| 1134 | 1134 | ||
| 1135 | spin_lock(&ent->lock); | 1135 | spin_lock(&ent->lock); |
| 1136 | /* recalculate to show accurate numbers */ | 1136 | /* recalculate to show accurate numbers */ |
| @@ -1145,7 +1145,7 @@ static int dl_seq_real_show_v2(struct dsthash_ent *ent, u_int8_t family, | |||
| 1145 | static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family, | 1145 | static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family, |
| 1146 | struct seq_file *s) | 1146 | struct seq_file *s) |
| 1147 | { | 1147 | { |
| 1148 | struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private)); | 1148 | struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file)); |
| 1149 | 1149 | ||
| 1150 | spin_lock(&ent->lock); | 1150 | spin_lock(&ent->lock); |
| 1151 | /* recalculate to show accurate numbers */ | 1151 | /* recalculate to show accurate numbers */ |
| @@ -1160,7 +1160,7 @@ static int dl_seq_real_show_v1(struct dsthash_ent *ent, u_int8_t family, | |||
| 1160 | static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, | 1160 | static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, |
| 1161 | struct seq_file *s) | 1161 | struct seq_file *s) |
| 1162 | { | 1162 | { |
| 1163 | struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->private)); | 1163 | struct xt_hashlimit_htable *ht = PDE_DATA(file_inode(s->file)); |
| 1164 | 1164 | ||
| 1165 | spin_lock(&ent->lock); | 1165 | spin_lock(&ent->lock); |
| 1166 | /* recalculate to show accurate numbers */ | 1166 | /* recalculate to show accurate numbers */ |
| @@ -1174,7 +1174,7 @@ static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family, | |||
| 1174 | 1174 | ||
| 1175 | static int dl_seq_show_v2(struct seq_file *s, void *v) | 1175 | static int dl_seq_show_v2(struct seq_file *s, void *v) |
| 1176 | { | 1176 | { |
| 1177 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); | 1177 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); |
| 1178 | unsigned int *bucket = (unsigned int *)v; | 1178 | unsigned int *bucket = (unsigned int *)v; |
| 1179 | struct dsthash_ent *ent; | 1179 | struct dsthash_ent *ent; |
| 1180 | 1180 | ||
| @@ -1188,7 +1188,7 @@ static int dl_seq_show_v2(struct seq_file *s, void *v) | |||
| 1188 | 1188 | ||
| 1189 | static int dl_seq_show_v1(struct seq_file *s, void *v) | 1189 | static int dl_seq_show_v1(struct seq_file *s, void *v) |
| 1190 | { | 1190 | { |
| 1191 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); | 1191 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); |
| 1192 | unsigned int *bucket = v; | 1192 | unsigned int *bucket = v; |
| 1193 | struct dsthash_ent *ent; | 1193 | struct dsthash_ent *ent; |
| 1194 | 1194 | ||
| @@ -1202,7 +1202,7 @@ static int dl_seq_show_v1(struct seq_file *s, void *v) | |||
| 1202 | 1202 | ||
| 1203 | static int dl_seq_show(struct seq_file *s, void *v) | 1203 | static int dl_seq_show(struct seq_file *s, void *v) |
| 1204 | { | 1204 | { |
| 1205 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->private)); | 1205 | struct xt_hashlimit_htable *htable = PDE_DATA(file_inode(s->file)); |
| 1206 | unsigned int *bucket = v; | 1206 | unsigned int *bucket = v; |
| 1207 | struct dsthash_ent *ent; | 1207 | struct dsthash_ent *ent; |
| 1208 | 1208 | ||