authorDavid S. Miller <davem@davemloft.net>2016-07-06 12:15:15 -0400
committerDavid S. Miller <davem@davemloft.net>2016-07-06 12:15:15 -0400
commitae3e4562e2ce0149a4424c994a282955700711e7 (patch)
treeaf7f75611e30d8502c2f3eee9f1f9e1aaa9f6534 /net/ipv4
parent73e20b761acf8678de2d55d92b90a623b8558a77 (diff)
parentc6ac37d8d8843fb1fdc34e4a2a41a4f027ab670c (diff)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains Netfilter updates for net-next, they are: 1) Don't use userspace datatypes in bridge netfilter code, from Tobin Harding. 2) Iterate only once over the expectation table when removing the helper module, instead of once per-netns, from Florian Westphal. 3) Extra sanitization in xt_hook_ops_alloc() to return error in case we ever pass zero hooks, xt_hook_ops_alloc(): 4) Handle NFPROTO_INET from the logging core infrastructure, from Liping Zhang. 5) Autoload loggers when TRACE target is used from rules, this doesn't change the behaviour in case the user already selected nfnetlink_log as preferred way to print tracing logs, also from Liping Zhang. 6) Conntrack slabs with SLAB_HWCACHE_ALIGN to allow rearranging fields by cache lines, increases the size of entries in 11% per entry. From Florian Westphal. 7) Skip zone comparison if CONFIG_NF_CONNTRACK_ZONES=n, from Florian. 8) Remove useless defensive check in nf_logger_find_get() from Shivani Bhardwaj. 9) Remove zone extension as place it in the conntrack object, this is always include in the hashing and we expect more intensive use of zones since containers are in place. Also from Florian Westphal. 10) Owner match now works from any namespace, from Eric Bierdeman. 11) Make sure we only reply with TCP reset to TCP traffic from nf_reject_ipv4, patch from Liping Zhang. 12) Introduce --nflog-size to indicate amount of network packet bytes that are copied to userspace via log message, from Vishwanath Pai. This obsoletes --nflog-range that has never worked, it was designed to achieve this but it has never worked. 13) Introduce generic macros for nf_tables object generation masks. 14) Use generation mask in table, chain and set objects in nf_tables. This allows fixes interferences with ongoing preparation phase of the commit protocol and object listings going on at the same time. 
This update is introduced in three patches, one per object. 15) Check if the object is active in the next generation for element deactivation in the rbtree implementation; given that deactivation happens from the commit phase path, we have to observe the future status of the object. 16) Support for deletion of just added elements in the hash set type. 17) Allow resizing the hashtable from the /proc entry, not only from the obscure /sys entry that maps to the module parameter, from Florian Westphal. 18) Get rid of NFT_BASECHAIN_DISABLED, this code is not exercised anymore since we tear down the ruleset whenever the netdevice goes away. 19) Support for matching inverted set lookups, from Arturo Borrero. 20) Simplify the iptables_mangle_hook() by removing a superfluous extra branch. 21) Introduce ether_addr_equal_masked() and use it from the netfilter codebase, from Joe Perches. 22) Remove references to "Use netfilter MARK value as routing key" from the Netfilter Kconfig description given that this toggle has not existed for 10 years, from Moritz Sichert. 23) Introduce generic NF_INVF() and use it from the xtables codebase, from Joe Perches. 24) Setting logger to NONE via /proc was not working unless explicit nul-termination was included in the string. This fix leaves the former behaviour in place, so we don't break backward compatibility. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/netfilter/arp_tables.c41
-rw-r--r--net/ipv4/netfilter/ip_tables.c20
-rw-r--r--net/ipv4/netfilter/iptable_mangle.c4
-rw-r--r--net/ipv4/netfilter/nf_reject_ipv4.c3
4 files changed, 32 insertions, 36 deletions
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 2033f929aa66..c8dd9e26b185 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -89,22 +89,20 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
89 __be32 src_ipaddr, tgt_ipaddr; 89 __be32 src_ipaddr, tgt_ipaddr;
90 long ret; 90 long ret;
91 91
92#define FWINV(bool, invflg) ((bool) ^ !!(arpinfo->invflags & (invflg))) 92 if (NF_INVF(arpinfo, ARPT_INV_ARPOP,
93 93 (arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop))
94 if (FWINV((arphdr->ar_op & arpinfo->arpop_mask) != arpinfo->arpop,
95 ARPT_INV_ARPOP))
96 return 0; 94 return 0;
97 95
98 if (FWINV((arphdr->ar_hrd & arpinfo->arhrd_mask) != arpinfo->arhrd, 96 if (NF_INVF(arpinfo, ARPT_INV_ARPHRD,
99 ARPT_INV_ARPHRD)) 97 (arphdr->ar_hrd & arpinfo->arhrd_mask) != arpinfo->arhrd))
100 return 0; 98 return 0;
101 99
102 if (FWINV((arphdr->ar_pro & arpinfo->arpro_mask) != arpinfo->arpro, 100 if (NF_INVF(arpinfo, ARPT_INV_ARPPRO,
103 ARPT_INV_ARPPRO)) 101 (arphdr->ar_pro & arpinfo->arpro_mask) != arpinfo->arpro))
104 return 0; 102 return 0;
105 103
106 if (FWINV((arphdr->ar_hln & arpinfo->arhln_mask) != arpinfo->arhln, 104 if (NF_INVF(arpinfo, ARPT_INV_ARPHLN,
107 ARPT_INV_ARPHLN)) 105 (arphdr->ar_hln & arpinfo->arhln_mask) != arpinfo->arhln))
108 return 0; 106 return 0;
109 107
110 src_devaddr = arpptr; 108 src_devaddr = arpptr;
@@ -115,31 +113,32 @@ static inline int arp_packet_match(const struct arphdr *arphdr,
115 arpptr += dev->addr_len; 113 arpptr += dev->addr_len;
116 memcpy(&tgt_ipaddr, arpptr, sizeof(u32)); 114 memcpy(&tgt_ipaddr, arpptr, sizeof(u32));
117 115
118 if (FWINV(arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr, dev->addr_len), 116 if (NF_INVF(arpinfo, ARPT_INV_SRCDEVADDR,
119 ARPT_INV_SRCDEVADDR) || 117 arp_devaddr_compare(&arpinfo->src_devaddr, src_devaddr,
120 FWINV(arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr, dev->addr_len), 118 dev->addr_len)) ||
121 ARPT_INV_TGTDEVADDR)) 119 NF_INVF(arpinfo, ARPT_INV_TGTDEVADDR,
120 arp_devaddr_compare(&arpinfo->tgt_devaddr, tgt_devaddr,
121 dev->addr_len)))
122 return 0; 122 return 0;
123 123
124 if (FWINV((src_ipaddr & arpinfo->smsk.s_addr) != arpinfo->src.s_addr, 124 if (NF_INVF(arpinfo, ARPT_INV_SRCIP,
125 ARPT_INV_SRCIP) || 125 (src_ipaddr & arpinfo->smsk.s_addr) != arpinfo->src.s_addr) ||
126 FWINV(((tgt_ipaddr & arpinfo->tmsk.s_addr) != arpinfo->tgt.s_addr), 126 NF_INVF(arpinfo, ARPT_INV_TGTIP,
127 ARPT_INV_TGTIP)) 127 (tgt_ipaddr & arpinfo->tmsk.s_addr) != arpinfo->tgt.s_addr))
128 return 0; 128 return 0;
129 129
130 /* Look for ifname matches. */ 130 /* Look for ifname matches. */
131 ret = ifname_compare(indev, arpinfo->iniface, arpinfo->iniface_mask); 131 ret = ifname_compare(indev, arpinfo->iniface, arpinfo->iniface_mask);
132 132
133 if (FWINV(ret != 0, ARPT_INV_VIA_IN)) 133 if (NF_INVF(arpinfo, ARPT_INV_VIA_IN, ret != 0))
134 return 0; 134 return 0;
135 135
136 ret = ifname_compare(outdev, arpinfo->outiface, arpinfo->outiface_mask); 136 ret = ifname_compare(outdev, arpinfo->outiface, arpinfo->outiface_mask);
137 137
138 if (FWINV(ret != 0, ARPT_INV_VIA_OUT)) 138 if (NF_INVF(arpinfo, ARPT_INV_VIA_OUT, ret != 0))
139 return 0; 139 return 0;
140 140
141 return 1; 141 return 1;
142#undef FWINV
143} 142}
144 143
145static inline int arp_checkentry(const struct arpt_arp *arp) 144static inline int arp_checkentry(const struct arpt_arp *arp)
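Review bot: `long ret;` at the top of arp_packet_match receives the result of ifname_compare(), while the sibling ip_packet_match in ip_tables.c keeps the analogous ifname_compare_aligned() result in `unsigned long ret;`; if ifname_compare() also returns an unsigned value, which this diff does not show, `unsigned long ret;` here would remove an avoidable inconsistency between the two matchers. The conversion also changes the argument order (FWINV took the condition first, NF_INVF takes it last, after the rule pointer and the flag), so the equivalence of every converted test rests on NF_INVF's definition in the shared header, which is outside this diff and worth a glance. arp_packet_match's signature and its first lines lie before the first hunk.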
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 54906e0e8e0c..f0df66f54ce6 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -58,32 +58,31 @@ ip_packet_match(const struct iphdr *ip,
58{ 58{
59 unsigned long ret; 59 unsigned long ret;
60 60
61#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) 61 if (NF_INVF(ipinfo, IPT_INV_SRCIP,
62 62 (ip->saddr & ipinfo->smsk.s_addr) != ipinfo->src.s_addr) ||
63 if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, 63 NF_INVF(ipinfo, IPT_INV_DSTIP,
64 IPT_INV_SRCIP) || 64 (ip->daddr & ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr))
65 FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
66 IPT_INV_DSTIP))
67 return false; 65 return false;
68 66
69 ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask); 67 ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
70 68
71 if (FWINV(ret != 0, IPT_INV_VIA_IN)) 69 if (NF_INVF(ipinfo, IPT_INV_VIA_IN, ret != 0))
72 return false; 70 return false;
73 71
74 ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask); 72 ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
75 73
76 if (FWINV(ret != 0, IPT_INV_VIA_OUT)) 74 if (NF_INVF(ipinfo, IPT_INV_VIA_OUT, ret != 0))
77 return false; 75 return false;
78 76
79 /* Check specific protocol */ 77 /* Check specific protocol */
80 if (ipinfo->proto && 78 if (ipinfo->proto &&
81 FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) 79 NF_INVF(ipinfo, IPT_INV_PROTO, ip->protocol != ipinfo->proto))
82 return false; 80 return false;
83 81
84 /* If we have a fragment rule but the packet is not a fragment 82 /* If we have a fragment rule but the packet is not a fragment
85 * then we return zero */ 83 * then we return zero */
86 if (FWINV((ipinfo->flags&IPT_F_FRAG) && !isfrag, IPT_INV_FRAG)) 84 if (NF_INVF(ipinfo, IPT_INV_FRAG,
85 (ipinfo->flags & IPT_F_FRAG) && !isfrag))
87 return false; 86 return false;
88 87
89 return true; 88 return true;
@@ -122,7 +121,6 @@ static inline bool unconditional(const struct ipt_entry *e)
122 121
123 return e->target_offset == sizeof(struct ipt_entry) && 122 return e->target_offset == sizeof(struct ipt_entry) &&
124 memcmp(&e->ip, &uncond, sizeof(uncond)) == 0; 123 memcmp(&e->ip, &uncond, sizeof(uncond)) == 0;
125#undef FWINV
126} 124}
127 125
128/* for const-correctness */ 126/* for const-correctness */
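Review bot: The comment retained above the fragment test, `/* If we have a fragment rule but the packet is not a fragment * then we return zero */`, is stale for a function that returns `false` and says nothing about the IPT_INV_FRAG inversion the NF_INVF() call applies to that test; `/* A fragment-only rule (IPT_F_FRAG) fails on a non-fragment, unless IPT_INV_FRAG inverts it */` would describe the new line. ip_packet_match's signature and parameters, including isfrag, sit in the hunk header before the shown lines, so the type of isfrag is not visible here. The second hunk touches only unconditional() and needs no further change.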
diff --git a/net/ipv4/netfilter/iptable_mangle.c b/net/ipv4/netfilter/iptable_mangle.c
index 57fc97cdac70..aebdb337fd7e 100644
--- a/net/ipv4/netfilter/iptable_mangle.c
+++ b/net/ipv4/netfilter/iptable_mangle.c
@@ -87,10 +87,6 @@ iptable_mangle_hook(void *priv,
87{ 87{
88 if (state->hook == NF_INET_LOCAL_OUT) 88 if (state->hook == NF_INET_LOCAL_OUT)
89 return ipt_mangle_out(skb, state); 89 return ipt_mangle_out(skb, state);
90 if (state->hook == NF_INET_POST_ROUTING)
91 return ipt_do_table(skb, state,
92 state->net->ipv4.iptable_mangle);
93 /* PREROUTING/INPUT/FORWARD: */
94 return ipt_do_table(skb, state, state->net->ipv4.iptable_mangle); 90 return ipt_do_table(skb, state, state->net->ipv4.iptable_mangle);
95} 91}
96 92
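Review bot: The `/* PREROUTING/INPUT/FORWARD: */` comment vanished together with the redundant POST_ROUTING branch, so the remaining fall-through now also covers POSTROUTING without saying so; a comment above the final call, `/* PREROUTING/INPUT/FORWARD/POSTROUTING: */`, would record that every hook except LOCAL_OUT takes the plain ipt_do_table() path. Which hooks iptable_mangle_hook is actually registered on is not visible in this hunk, so that list assumes the set the old comment and branch implied. The function's signature is in the hunk header, above the shown lines.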
diff --git a/net/ipv4/netfilter/nf_reject_ipv4.c b/net/ipv4/netfilter/nf_reject_ipv4.c
index b6ea57ec5e14..fd8220213afc 100644
--- a/net/ipv4/netfilter/nf_reject_ipv4.c
+++ b/net/ipv4/netfilter/nf_reject_ipv4.c
@@ -24,6 +24,9 @@ const struct tcphdr *nf_reject_ip_tcphdr_get(struct sk_buff *oldskb,
24 if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET)) 24 if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
25 return NULL; 25 return NULL;
26 26
27 if (ip_hdr(oldskb)->protocol != IPPROTO_TCP)
28 return NULL;
29
27 oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb), 30 oth = skb_header_pointer(oldskb, ip_hdrlen(oldskb),
28 sizeof(struct tcphdr), _oth); 31 sizeof(struct tcphdr), _oth);
29 if (oth == NULL) 32 if (oth == NULL)
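Review bot: ip_hdr(oldskb) is now evaluated three times in a row (the frag_off test, the new protocol test, and again inside ip_hdrlen()); hoisting `const struct iphdr *oiph = ip_hdr(oldskb);` ahead of the checks would let the new test read `if (oiph->protocol != IPPROTO_TCP) return NULL;` and keep the header pointer in one place. A short comment above the new test, `/* Only TCP has a header to copy into _oth; never parse another protocol's payload as TCP. */`, would record why the test must precede skb_header_pointer(). nf_reject_ip_tcphdr_get's signature is in the hunk header and its body continues past the end of the hunk.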