Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains updates for your net-next tree,
they are:

1) Use kvfree() helper function from x_tables, from Eric Dumazet.

2) Remove extra timer from the conntrack ecache extension, use a
   workqueue instead to redeliver lost events to userspace instead,
   from Florian Westphal.

3) Removal of the ulog targets for ebtables and iptables. The nflog
   infrastructure superseded this almost 9 years ago, time to get rid
   of this code.

4) Replace the list of loggers by an array now that we can only have
   two possible non-overlapping logger flavours, ie. kernel ring buffer
   and netlink logging.

5) Move Eric Dumazet's log buffer code to nf_log to reuse it from
   all of the supported per-family loggers.

6) Consolidate nf_log_packet() as an unified interface for packet logging.
   After this patch, if the struct nf_loginfo is available, it explicitly
   selects the logger that is used.

7) Move ip and ip6 logging code from xt_LOG to the corresponding
   per-family loggers. Thus, x_tables and nf_tables share the same code
   for packet logging.

8) Add generic ARP packet logger, which is used by nf_tables. The
   format aims to be consistent with the output of xt_LOG.

9) Add generic bridge packet logger. Again, this is used by nf_tables
   and it routes the packets to the real family loggers. As a result,
   we get consistent logging format for the bridge family. The ebt_log
   logging code has been intentionally left in place not to break
   backward compatibility since the logging output differs from xt_LOG.

10) Update nft_log to explicitly request the required family logger when
    needed.

11) Finish nft_log so it supports arp, ip, ip6, bridge and inet families.
    Allowing selection between netlink and kernel buffer ring logging.

12) Several fixes coming after the netfilter core logging changes spotted
    by robots.

13) Use IS_ENABLED() macros whenever possible in the netfilter tree,
    from Duan Jiong.

14) Removal of a couple of unnecessary branch before kfree, from Fabian
    Frederick.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

4 files changed, 65 insertions, 63 deletions

diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 0e3d08e4b1d3..57c880378443 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -18,7 +18,6 @@ struct nf_conntrack_ecache {
         u16 ctmask;             /* bitmask of ct events to be delivered */
         u16 expmask;            /* bitmask of expect events to be delivered */
         u32 portid;             /* netlink portid of destroyer */
-        struct timer_list timeout;
 };
 
 static inline struct nf_conntrack_ecache *
@@ -216,8 +215,23 @@ void nf_conntrack_ecache_pernet_fini(struct net *net);
 
 int nf_conntrack_ecache_init(void);
 void nf_conntrack_ecache_fini(void);
-#else /* CONFIG_NF_CONNTRACK_EVENTS */
 
+static inline void nf_conntrack_ecache_delayed_work(struct net *net)
+{
+        if (!delayed_work_pending(&net->ct.ecache_dwork)) {
+                schedule_delayed_work(&net->ct.ecache_dwork, HZ);
+                net->ct.ecache_dwork_pending = true;
+        }
+}
+
+static inline void nf_conntrack_ecache_work(struct net *net)
+{
+        if (net->ct.ecache_dwork_pending) {
+                net->ct.ecache_dwork_pending = false;
+                mod_delayed_work(system_wq, &net->ct.ecache_dwork, 0);
+        }
+}
+#else /* CONFIG_NF_CONNTRACK_EVENTS */
 static inline void nf_conntrack_event_cache(enum ip_conntrack_events event,
                                             struct nf_conn *ct) {}
 static inline int nf_conntrack_eventmask_report(unsigned int eventmask,
@@ -255,6 +269,14 @@ static inline int nf_conntrack_ecache_init(void)
 static inline void nf_conntrack_ecache_fini(void)
 {
 }
+
+static inline void nf_conntrack_ecache_delayed_work(struct net *net)
+{
+}
+
+static inline void nf_conntrack_ecache_work(struct net *net)
+{
+}
 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
 
 #endif /*_NF_CONNTRACK_ECACHE_H*/
diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 99eac12d040b..534e1f2ac4fc 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -12,8 +12,11 @@
 #define NF_LOG_UID              0x08    /* Log UID owning local socket */
 #define NF_LOG_MASK             0x0f
 
-#define NF_LOG_TYPE_LOG         0x01
-#define NF_LOG_TYPE_ULOG        0x02
+enum nf_log_type {
+        NF_LOG_TYPE_LOG         = 0,
+        NF_LOG_TYPE_ULOG,
+        NF_LOG_TYPE_MAX
+};
 
 struct nf_loginfo {
         u_int8_t type;
@@ -40,10 +43,10 @@ typedef void nf_logfn(struct net *net,
                       const char *prefix);
 
 struct nf_logger {
-        struct module   *me;
-        nf_logfn        *logfn;
-        char            *name;
-        struct list_head        list[NFPROTO_NUMPROTO];
+        char                    *name;
+        enum nf_log_type        type;
+        nf_logfn                *logfn;
+        struct module           *me;
 };
 
 /* Function to register/unregister log function. */
@@ -58,6 +61,13 @@ int nf_log_bind_pf(struct net *net, u_int8_t pf,
                    const struct nf_logger *logger);
 void nf_log_unbind_pf(struct net *net, u_int8_t pf);
 
+int nf_logger_find_get(int pf, enum nf_log_type type);
+void nf_logger_put(int pf, enum nf_log_type type);
+void nf_logger_request_module(int pf, enum nf_log_type type);
+
+#define MODULE_ALIAS_NF_LOGGER(family, type) \
+        MODULE_ALIAS("nf-logger-" __stringify(family) "-" __stringify(type))
+
 /* Calls the registered backend logging function */
 __printf(8, 9)
 void nf_log_packet(struct net *net,
@@ -69,4 +79,24 @@ void nf_log_packet(struct net *net,
                    const struct nf_loginfo *li,
                    const char *fmt, ...);
 
+struct nf_log_buf;
+
+struct nf_log_buf *nf_log_buf_open(void);
+__printf(2, 3) int nf_log_buf_add(struct nf_log_buf *m, const char *f, ...);
+void nf_log_buf_close(struct nf_log_buf *m);
+
+/* common logging functions */
+int nf_log_dump_udp_header(struct nf_log_buf *m, const struct sk_buff *skb,
+                           u8 proto, int fragment, unsigned int offset);
+int nf_log_dump_tcp_header(struct nf_log_buf *m, const struct sk_buff *skb,
+                           u8 proto, int fragment, unsigned int offset,
+                           unsigned int logflags);
+void nf_log_dump_sk_uid_gid(struct nf_log_buf *m, struct sock *sk);
+void nf_log_dump_packet_common(struct nf_log_buf *m, u_int8_t pf,
+                               unsigned int hooknum, const struct sk_buff *skb,
+                               const struct net_device *in,
+                               const struct net_device *out,
+                               const struct nf_loginfo *loginfo,
+                               const char *prefix);
+
 #endif /* _NF_LOG_H */
diff --git a/include/net/netfilter/xt_log.h b/include/net/netfilter/xt_log.h
deleted file mode 100644
index 9d9756cca013..000000000000
--- a/include/net/netfilter/xt_log.h
+++ /dev/null
@@ -1,54 +0,0 @@
-#define S_SIZE (1024 - (sizeof(unsigned int) + 1))
-
-struct sbuff {
-        unsigned int    count;
-        char            buf[S_SIZE + 1];
-};
-static struct sbuff emergency, *emergency_ptr = &emergency;
-
-static __printf(2, 3) int sb_add(struct sbuff *m, const char *f, ...)
-{
-        va_list args;
-        int len;
-
-        if (likely(m->count < S_SIZE)) {
-                va_start(args, f);
-                len = vsnprintf(m->buf + m->count, S_SIZE - m->count, f, args);
-                va_end(args);
-                if (likely(m->count + len < S_SIZE)) {
-                        m->count += len;
-                        return 0;
-                }
-        }
-        m->count = S_SIZE;
-        printk_once(KERN_ERR KBUILD_MODNAME " please increase S_SIZE\n");
-        return -1;
-}
-
-static struct sbuff *sb_open(void)
-{
-        struct sbuff *m = kmalloc(sizeof(*m), GFP_ATOMIC);
-
-        if (unlikely(!m)) {
-                local_bh_disable();
-                do {
-                        m = xchg(&emergency_ptr, NULL);
-                } while (!m);
-        }
-        m->count = 0;
-        return m;
-}
-
-static void sb_close(struct sbuff *m)
-{
-        m->buf[m->count] = 0;
-        printk("%s\n", m->buf);
-
-        if (likely(m != &emergency))
-                kfree(m);
-        else {
-                emergency_ptr = m;
-                local_bh_enable();
-        }
-}
-
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 773cce308bc6..29d6a94db54d 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -4,6 +4,7 @@
 #include <linux/list.h>
 #include <linux/list_nulls.h>
 #include <linux/atomic.h>
+#include <linux/workqueue.h>
 #include <linux/netfilter/nf_conntrack_tcp.h>
 #include <linux/seqlock.h>
 
@@ -73,6 +74,10 @@ struct ct_pcpu {
 struct netns_ct {
         atomic_t                count;
         unsigned int            expect_count;
+#ifdef CONFIG_NF_CONNTRACK_EVENTS
+        struct delayed_work ecache_dwork;
+        bool ecache_dwork_pending;
+#endif
 #ifdef CONFIG_SYSCTL
         struct ctl_table_header *sysctl_header;
         struct ctl_table_header *acct_sysctl_header;
@@ -82,7 +87,6 @@ struct netns_ct {
 #endif
         char                    *slabname;
         unsigned int            sysctl_log_invalid; /* Log invalid packets */
-        unsigned int            sysctl_events_retry_timeout;
         int                     sysctl_events;
         int                     sysctl_acct;
         int                     sysctl_auto_assign_helper;