Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
pull request: Netfilter/IPVS fixes for net

The following patchset contains seven Netfilter fixes for your net
tree, they are:

1) Make the NAT infrastructure independent of x_tables, some users are
   already starting to test nf_tables with NAT without enabling x_tables.
   Without this patch for Kconfig, there's a superfluous dependency
   between NAT and x_tables.
2) Allow to use 0 in the cgroup match, the kernel rejects with -EINVAL
   with no good reason. From Daniel Borkmann.

3) Select CONFIG_NF_NAT from the nf_tables NAT expression, this also
   resolves another NAT dependency with x_tables.

4) Use HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL in the Netfilter hook
   code as elsewhere in the kernel to resolve toolchain problems, from
   Zhouyi Zhou.

5) Use iptunnel_handle_offloads() to set up tunnel encapsulation
   depending on the offload capabilities, reported by Alex Gartrell
   patch from Julian Anastasov.

6) Fix wrong family when registering the ip_vs_local_reply6() hook,
   also from Julian.

7) Select the NF_LOG_* symbols from NETFILTER_XT_TARGET_LOG. Rafał
   Miłecki reported that when jumping from 3.16 to 3.17-rc, his log
   target is not selected anymore due to changes in the previous
   development cycle to accomodate the full logging support for
   nf_tables.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

11 files changed, 105 insertions, 70 deletions

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 2077489f9887..2517ece98820 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -9,6 +9,7 @@
 #include <linux/in6.h>
 #include <linux/wait.h>
 #include <linux/list.h>
+#include <linux/static_key.h>
 #include <uapi/linux/netfilter.h>
 #ifdef CONFIG_NETFILTER
 static inline int NF_DROP_GETERR(int verdict)
@@ -99,9 +100,9 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
 
 extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
 
-#if defined(CONFIG_JUMP_LABEL)
-#include <linux/static_key.h>
+#ifdef HAVE_JUMP_LABEL
 extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
+
 static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook)
 {
         if (__builtin_constant_p(pf) &&
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index fb173126f03d..7cbcaf4f0194 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -82,6 +82,52 @@ config NF_TABLES_ARP
         help
           This option enables the ARP support for nf_tables.
 
+config NF_NAT_IPV4
+        tristate "IPv4 NAT"
+        depends on NF_CONNTRACK_IPV4
+        default m if NETFILTER_ADVANCED=n
+        select NF_NAT
+        help
+          The IPv4 NAT option allows masquerading, port forwarding and other
+          forms of full Network Address Port Translation. This can be
+          controlled by iptables or nft.
+
+if NF_NAT_IPV4
+
+config NF_NAT_SNMP_BASIC
+        tristate "Basic SNMP-ALG support"
+        depends on NF_CONNTRACK_SNMP
+        depends on NETFILTER_ADVANCED
+        default NF_NAT && NF_CONNTRACK_SNMP
+        ---help---
+
+          This module implements an Application Layer Gateway (ALG) for
+          SNMP payloads.  In conjunction with NAT, it allows a network
+          management system to access multiple private networks with
+          conflicting addresses.  It works by modifying IP addresses
+          inside SNMP payloads to match IP-layer NAT mapping.
+
+          This is the "basic" form of SNMP-ALG, as described in RFC 2962
+
+          To compile it as a module, choose M here.  If unsure, say N.
+
+config NF_NAT_PROTO_GRE
+        tristate
+        depends on NF_CT_PROTO_GRE
+
+config NF_NAT_PPTP
+        tristate
+        depends on NF_CONNTRACK
+        default NF_CONNTRACK_PPTP
+        select NF_NAT_PROTO_GRE
+
+config NF_NAT_H323
+        tristate
+        depends on NF_CONNTRACK
+        default NF_CONNTRACK_H323
+
+endif # NF_NAT_IPV4
+
 config IP_NF_IPTABLES
         tristate "IP tables support (required for filtering/masq/NAT)"
         default m if NETFILTER_ADVANCED=n
@@ -170,19 +216,21 @@ config IP_NF_TARGET_SYNPROXY
           To compile it as a module, choose M here. If unsure, say N.
 
 # NAT + specific targets: nf_conntrack
-config NF_NAT_IPV4
-        tristate "IPv4 NAT"
+config IP_NF_NAT
+        tristate "iptables NAT support"
         depends on NF_CONNTRACK_IPV4
         default m if NETFILTER_ADVANCED=n
         select NF_NAT
+        select NF_NAT_IPV4
+        select NETFILTER_XT_NAT
         help
-          The IPv4 NAT option allows masquerading, port forwarding and other
-          forms of full Network Address Port Translation.  It is controlled by
-          the `nat' table in iptables: see the man page for iptables(8).
+          This enables the `nat' table in iptables. This allows masquerading,
+          port forwarding and other forms of full Network Address Port
+          Translation.
 
           To compile it as a module, choose M here.  If unsure, say N.
 
-if NF_NAT_IPV4
+if IP_NF_NAT
 
 config IP_NF_TARGET_MASQUERADE
         tristate "MASQUERADE target support"
@@ -214,47 +262,7 @@ config IP_NF_TARGET_REDIRECT
         (e.g. when running oldconfig). It selects
         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
 
-endif
-
-config NF_NAT_SNMP_BASIC
-        tristate "Basic SNMP-ALG support"
-        depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
-        depends on NETFILTER_ADVANCED
-        default NF_NAT && NF_CONNTRACK_SNMP
-        ---help---
-
-          This module implements an Application Layer Gateway (ALG) for
-          SNMP payloads.  In conjunction with NAT, it allows a network
-          management system to access multiple private networks with
-          conflicting addresses.  It works by modifying IP addresses
-          inside SNMP payloads to match IP-layer NAT mapping.
-
-          This is the "basic" form of SNMP-ALG, as described in RFC 2962
-
-          To compile it as a module, choose M here.  If unsure, say N.
-
-# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
-# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
-# From kconfig-language.txt:
-#
-#           <expr> '&&' <expr>                   (6)
-#
-# (6) Returns the result of min(/expr/, /expr/).
-
-config NF_NAT_PROTO_GRE
-        tristate
-        depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
-
-config NF_NAT_PPTP
-        tristate
-        depends on NF_CONNTRACK && NF_NAT_IPV4
-        default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
-        select NF_NAT_PROTO_GRE
-
-config NF_NAT_H323
-        tristate
-        depends on NF_CONNTRACK && NF_NAT_IPV4
-        default NF_NAT_IPV4 && NF_CONNTRACK_H323
+endif # IP_NF_NAT
 
 # mangle + specific targets
 config IP_NF_MANGLE
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 33001621465b..edf4af32e9f2 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -43,7 +43,7 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
 # the three instances of ip_tables
 obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
 obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
-obj-$(CONFIG_NF_NAT_IPV4) += iptable_nat.o
+obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
 obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
 obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
 
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index ac93df16f5af..cf0b88f30f6f 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -60,6 +60,16 @@ config NF_LOG_IPV6
         depends on NETFILTER_ADVANCED
         select NF_LOG_COMMON
 
+config NF_NAT_IPV6
+        tristate "IPv6 NAT"
+        depends on NF_CONNTRACK_IPV6
+        depends on NETFILTER_ADVANCED
+        select NF_NAT
+        help
+          The IPv6 NAT option allows masquerading, port forwarding and other
+          forms of full Network Address Port Translation. This can be
+          controlled by iptables or nft.
+
 config IP6_NF_IPTABLES
         tristate "IP6 tables support (required for filtering)"
         depends on INET && IPV6
@@ -232,19 +242,21 @@ config IP6_NF_SECURITY
 
          If unsure, say N.
 
-config NF_NAT_IPV6
-        tristate "IPv6 NAT"
+config IP6_NF_NAT
+        tristate "ip6tables NAT support"
         depends on NF_CONNTRACK_IPV6
         depends on NETFILTER_ADVANCED
         select NF_NAT
+        select NF_NAT_IPV6
+        select NETFILTER_XT_NAT
         help
-          The IPv6 NAT option allows masquerading, port forwarding and other
-          forms of full Network Address Port Translation. It is controlled by
-          the `nat' table in ip6tables, see the man page for ip6tables(8).
+          This enables the `nat' table in ip6tables. This allows masquerading,
+          port forwarding and other forms of full Network Address Port
+          Translation.
 
           To compile it as a module, choose M here.  If unsure, say N.
 
-if NF_NAT_IPV6
+if IP6_NF_NAT
 
 config IP6_NF_TARGET_MASQUERADE
         tristate "MASQUERADE target support"
@@ -265,7 +277,7 @@ config IP6_NF_TARGET_NPT
 
           To compile it as a module, choose M here.  If unsure, say N.
 
-endif # NF_NAT_IPV6
+endif # IP6_NF_NAT
 
 endif # IP6_NF_IPTABLES
 
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index c0b263104ed2..c3d3286db4bb 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
 obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
 obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
 obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
-obj-$(CONFIG_NF_NAT_IPV6) += ip6table_nat.o
+obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o
 
 # objects for l3 independent conntrack
 nf_conntrack_ipv6-y  :=  nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index ad751fe2e82b..4bef6eb7c40d 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -499,7 +499,7 @@ config NFT_LIMIT
 config NFT_NAT
         depends on NF_TABLES
         depends on NF_CONNTRACK
-        depends on NF_NAT
+        select NF_NAT
         tristate "Netfilter nf_tables nat module"
         help
           This option adds the "nat" expression that you can use to perform
@@ -747,7 +747,9 @@ config NETFILTER_XT_TARGET_LED
 
 config NETFILTER_XT_TARGET_LOG
         tristate "LOG target support"
-        depends on NF_LOG_IPV4 && NF_LOG_IPV6
+        select NF_LOG_COMMON
+        select NF_LOG_IPV4
+        select NF_LOG_IPV6 if IPV6
         default m if NETFILTER_ADVANCED=n
         help
           This option adds a `LOG' target, which allows you to create rules in
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 8308624a406a..fad5fdba34e5 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -95,7 +95,7 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
 obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
 obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o
-obj-$(CONFIG_NF_NAT) += xt_nat.o
+obj-$(CONFIG_NETFILTER_XT_NAT) += xt_nat.o
 
 # targets
 obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index a93c97f106d4..024a2e25c8a4 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -54,7 +54,7 @@ EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
 struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly;
 EXPORT_SYMBOL(nf_hooks);
 
-#if defined(CONFIG_JUMP_LABEL)
+#ifdef HAVE_JUMP_LABEL
 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
 EXPORT_SYMBOL(nf_hooks_needed);
 #endif
@@ -72,7 +72,7 @@ int nf_register_hook(struct nf_hook_ops *reg)
         }
         list_add_rcu(&reg->list, elem->list.prev);
         mutex_unlock(&nf_hook_mutex);
-#if defined(CONFIG_JUMP_LABEL)
+#ifdef HAVE_JUMP_LABEL
         static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
 #endif
         return 0;
@@ -84,7 +84,7 @@ void nf_unregister_hook(struct nf_hook_ops *reg)
         mutex_lock(&nf_hook_mutex);
         list_del_rcu(&reg->list);
         mutex_unlock(&nf_hook_mutex);
-#if defined(CONFIG_JUMP_LABEL)
+#ifdef HAVE_JUMP_LABEL
         static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
 #endif
         synchronize_net();
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index e6836755c45d..5c34e8d42e01 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -1906,7 +1906,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
         {
                 .hook           = ip_vs_local_reply6,
                 .owner          = THIS_MODULE,
-                .pf             = NFPROTO_IPV4,
+                .pf             = NFPROTO_IPV6,
                 .hooknum        = NF_INET_LOCAL_OUT,
                 .priority       = NF_IP6_PRI_NAT_DST + 1,
         },
diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 6f70bdd3a90a..56896a412bce 100644
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -38,6 +38,7 @@
 #include <net/route.h>                  /* for ip_route_output */
 #include <net/ipv6.h>
 #include <net/ip6_route.h>
+#include <net/ip_tunnels.h>
 #include <net/addrconf.h>
 #include <linux/icmpv6.h>
 #include <linux/netfilter.h>
@@ -862,11 +863,15 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
                 old_iph = ip_hdr(skb);
         }
 
-        skb->transport_header = skb->network_header;
-
         /* fix old IP header checksum */
         ip_send_check(old_iph);
 
+        skb = iptunnel_handle_offloads(skb, false, SKB_GSO_IPIP);
+        if (IS_ERR(skb))
+                goto tx_error;
+
+        skb->transport_header = skb->network_header;
+
         skb_push(skb, sizeof(struct iphdr));
         skb_reset_network_header(skb);
         memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
@@ -900,7 +905,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
         return NF_STOLEN;
 
   tx_error:
-        kfree_skb(skb);
+        if (!IS_ERR(skb))
+                kfree_skb(skb);
         rcu_read_unlock();
         LeaveFunction(10);
         return NF_STOLEN;
@@ -953,6 +959,11 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
                 old_iph = ipv6_hdr(skb);
         }
 
+        /* GSO: we need to provide proper SKB_GSO_ value for IPv6 */
+        skb = iptunnel_handle_offloads(skb, false, 0); /* SKB_GSO_SIT/IPV6 */
+        if (IS_ERR(skb))
+                goto tx_error;
+
         skb->transport_header = skb->network_header;
 
         skb_push(skb, sizeof(struct ipv6hdr));
@@ -988,7 +999,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
         return NF_STOLEN;
 
 tx_error:
-        kfree_skb(skb);
+        if (!IS_ERR(skb))
+                kfree_skb(skb);
         rcu_read_unlock();
         LeaveFunction(10);
         return NF_STOLEN;
diff --git a/net/netfilter/xt_cgroup.c b/net/netfilter/xt_cgroup.c
index f4e833005320..7198d660b4de 100644
--- a/net/netfilter/xt_cgroup.c
+++ b/net/netfilter/xt_cgroup.c
@@ -31,7 +31,7 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par)
         if (info->invert & ~1)
                 return -EINVAL;
 
-        return info->id ? 0 : -EINVAL;
+        return 0;
 }
 
 static bool