Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for your net-next
tree. Basically, a new extension for ip6tables, simplification work of
nf_tables that saves us 500 LoC, allow raw table registration before
defragmentation, conversion of the SNMP helper to use the ASN.1 code
generator, unique 64-bit handle for all nf_tables objects and fixes to
address fallout from previous nf-next batch.  More specifically, they
are:

1) Seven patches to remove family abstraction layer (struct nft_af_info)
   in nf_tables, this simplifies our codebase and it saves us 64 bytes per
   net namespace.

2) Add IPv6 segment routing header matching for ip6tables, from Ahmed
   Abdelsalam.

3) Allow to register iptable_raw table before defragmentation, some
   people do not want to waste cycles on defragmenting traffic that is
   going to be dropped, hence add a new module parameter to enable this
   behaviour in iptables and ip6tables. From Subash Abhinov
   Kasiviswanathan. This patch needed a couple of follow up patches to
   get things tidy from Arnd Bergmann.

4) SNMP helper uses the ASN.1 code generator, from Taehee Yoo. Several
   patches for this helper to prepare this change are also part of this
   patch series.

5) Add 64-bit handles to uniquely objects in nf_tables, from Harsha
   Sharma.

6) Remove log message that several netfilter subsystems print at
   boot/load time.

7) Restore x_tables module autoloading, that got broken in a previous
   patch to allow singleton NAT hook callback registration per hook
   spot, from Florian Westphal. Moreover, return EBUSY to report that
   the singleton NAT hook slot is already in instead.

8) Several fixes for the new nf_tables flowtable representation,
   including incorrect error check after nf_tables_flowtable_lookup(),
   missing Kconfig dependencies that lead to build breakage and missing
   initialization of priority and hooknum in flowtable object.

9) Missing NETFILTER_FAMILY_ARP dependency in Kconfig for the clusterip
   target. This is due to recent updates in the core to shrink the hook
   array size and compile it out if no specific family is enabled via
   .config file. Patch from Florian Westphal.

10) Remove duplicated include header files, from Wei Yongjun.

11) Sparse warning fix for the NFPROTO_INET handling from the core
    due to missing static function definition, also from Wei Yongjun.

12) Restore ICMPv6 Parameter Problem error reporting when
    defragmentation fails, from Subash Abhinov Kasiviswanathan.

13) Remove obsolete owner field initialization from struct
    file_operations, patch from Alexey Dobriyan.

14) Use boolean datatype where needed in the Netfilter codebase, from
    Gustavo A. R. Silva.

15) Remove double semicolon in dynset nf_tables expression, from
    Luis de Bethencourt.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 15 insertions, 41 deletions

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index dd238950df81..663b015dace5 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -143,22 +143,22 @@ static inline void nft_data_debug(const struct nft_data *data)
  *      struct nft_ctx - nf_tables rule/set context
  *
  *      @net: net namespace
- *      @afi: address family info
  *      @table: the table the chain is contained in
  *      @chain: the chain the rule is contained in
  *      @nla: netlink attributes
  *      @portid: netlink portID of the original message
  *      @seq: netlink sequence number
+ *      @family: protocol family
  *      @report: notify via unicast netlink message
  */
 struct nft_ctx {
         struct net                      *net;
-        struct nft_af_info              *afi;
         struct nft_table                *table;
         struct nft_chain                *chain;
         const struct nlattr * const     *nla;
         u32                             portid;
         u32                             seq;
+        u8                              family;
         bool                            report;
 };
 
@@ -374,6 +374,7 @@ void nft_unregister_set(struct nft_set_type *type);
  *      @list: table set list node
  *      @bindings: list of set bindings
  *      @name: name of the set
+ *      @handle: unique handle of the set
  *      @ktype: key type (numeric type defined by userspace, not used in the kernel)
  *      @dtype: data type (verdict or numeric type defined by userspace)
  *      @objtype: object type (see NFT_OBJECT_* definitions)
@@ -396,6 +397,7 @@ struct nft_set {
         struct list_head                list;
         struct list_head                bindings;
         char                            *name;
+        u64                             handle;
         u32                             ktype;
         u32                             dtype;
         u32                             objtype;
@@ -946,9 +948,11 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
  *      @objects: stateful objects in the table
  *      @flowtables: flow tables in the table
  *      @hgenerator: handle generator state
+ *      @handle: table handle
  *      @use: number of chain references to this table
  *      @flags: table flag (see enum nft_table_flags)
  *      @genmask: generation mask
+ *      @afinfo: address family info
  *      @name: name of the table
  */
 struct nft_table {
@@ -958,38 +962,14 @@ struct nft_table {
         struct list_head                objects;
         struct list_head                flowtables;
         u64                             hgenerator;
+        u64                             handle;
         u32                             use;
-        u16                             flags:14,
+        u16                             family:6,
+                                        flags:8,
                                         genmask:2;
         char                            *name;
 };
 
-enum nft_af_flags {
-        NFT_AF_NEEDS_DEV        = (1 << 0),
-};
-
-/**
- *      struct nft_af_info - nf_tables address family info
- *
- *      @list: used internally
- *      @family: address family
- *      @nhooks: number of hooks in this family
- *      @owner: module owner
- *      @tables: used internally
- *      @flags: family flags
- */
-struct nft_af_info {
-        struct list_head                list;
-        int                             family;
-        unsigned int                    nhooks;
-        struct module                   *owner;
-        struct list_head                tables;
-        u32                             flags;
-};
-
-int nft_register_afinfo(struct net *, struct nft_af_info *);
-void nft_unregister_afinfo(struct net *, struct nft_af_info *);
-
 int nft_register_chain_type(const struct nf_chain_type *);
 void nft_unregister_chain_type(const struct nf_chain_type *);
 
@@ -1007,9 +987,9 @@ int nft_verdict_dump(struct sk_buff *skb, int type,
  *      @name: name of this stateful object
  *      @genmask: generation mask
  *      @use: number of references to this stateful object
- *      @data: object data, layout depends on type
+ *      @handle: unique object handle
  *      @ops: object operations
- *      @data: pointer to object data
+ *      @data: object data, layout depends on type
  */
 struct nft_object {
         struct list_head                list;
@@ -1017,6 +997,7 @@ struct nft_object {
         struct nft_table                *table;
         u32                             genmask:2,
                                         use:30;
+        u64                             handle;
         /* runtime data below here */
         const struct nft_object_ops     *ops ____cacheline_aligned;
         unsigned char                   data[]
@@ -1098,6 +1079,7 @@ void nft_unregister_obj(struct nft_object_type *obj_type);
  *      @ops_len: number of hooks in array
  *      @genmask: generation mask
  *      @use: number of references to this flow table
+ *      @handle: unique object handle
  *      @data: rhashtable and garbage collector
  *      @ops: array of hooks
  */
@@ -1110,6 +1092,7 @@ struct nft_flowtable {
         int                             ops_len;
         u32                             genmask:2,
                                         use:30;
+        u64                             handle;
         /* runtime data below here */
         struct nf_hook_ops              *ops ____cacheline_aligned;
         struct nf_flowtable             data;
@@ -1154,9 +1137,6 @@ void nft_trace_init(struct nft_traceinfo *info, const struct nft_pktinfo *pkt,
 
 void nft_trace_notify(struct nft_traceinfo *info);
 
-#define MODULE_ALIAS_NFT_FAMILY(family) \
-        MODULE_ALIAS("nft-afinfo-" __stringify(family))
-
 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
         MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
 
diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h
index 4109b5f3010f..48134353411d 100644
--- a/include/net/netns/nftables.h
+++ b/include/net/netns/nftables.h
@@ -7,14 +7,8 @@
 struct nft_af_info;
 
 struct netns_nftables {
-        struct list_head        af_info;
+        struct list_head        tables;
         struct list_head        commit_list;
-        struct nft_af_info      *ipv4;
-        struct nft_af_info      *ipv6;
-        struct nft_af_info      *inet;
-        struct nft_af_info      *arp;
-        struct nft_af_info      *bridge;
-        struct nft_af_info      *netdev;
         unsigned int            base_seq;
         u8                      gencursor;
 };