Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says: ==================== netfilter/IPVS updates for net-next The following patchset contains Netfilter updates for your net-next tree, they are: * Add full port randomization support. Some crazy researchers found a way to reconstruct the secure ephemeral ports that are allocated in random mode by sending off-path bursts of UDP packets to overrun the socket buffer of the DNS resolver to trigger retransmissions, then if the timing for the DNS resolution done by a client is larger than usual, then they conclude that the port that received the burst of UDP packets is the one that was opened. It seems a bit aggressive method to me but it seems to work for them. As a result, Daniel Borkmann and Hannes Frederic Sowa came up with a new NAT mode to fully randomize ports using prandom. * Add a new classifier to x_tables based on the socket net_cls set via cgroups. These includes two patches to prepare the field as requested by Zefan Li. Also from Daniel Borkmann. * Use prandom instead of get_random_bytes in several locations of the netfilter code, from Florian Westphal. * Allow to use the CTA_MARK_MASK in ctnetlink when mangling the conntrack mark, also from Florian Westphal. * Fix compilation warning due to unused variable in IPVS, from Geert Uytterhoeven. * Add support for UID/GID via nfnetlink_queue, from Valentina Giusti. * Add IPComp extension to x_tables, from Fan Du. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2014-01-05 20:18:50 -0500
committer: David S. Miller <davem@davemloft.net> 2014-01-05 20:18:50 -0500
commit: 855404efae0d449cc491978d54ea5d117a3cb271 (patch)
tree: 3c44948365a77058d8b1f2ed6e6683bfc52ef256 /include/net
parent: a1d4b03a076d95edc88d070f7627a73ab80abddc (diff)
parent: 82a37132f300ea53bdcd812917af5a6329ec80c3 (diff)
6 files changed, 36 insertions, 60 deletions
diff --git a/include/net/cls_cgroup.h b/include/net/cls_cgroup.h
index 33d03b648646..9cf2d5ef38d9 100644
--- a/include/net/cls_cgroup.h
+++ b/include/net/cls_cgroup.h
@@ -16,17 +16,16 @@
 #include <linux/cgroup.h>
 #include <linux/hardirq.h>
 #include <linux/rcupdate.h>
+#include <net/sock.h>
-#if IS_ENABLED(CONFIG_NET_CLS_CGROUP)
+#ifdef CONFIG_CGROUP_NET_CLASSID
-struct cgroup_cls_state
+struct cgroup_cls_state {
-{
        struct cgroup_subsys_state css;
        u32 classid;
 };
-void sock_update_classid(struct sock *sk);
+struct cgroup_cls_state *task_cls_state(struct task_struct *p);
-#if IS_BUILTIN(CONFIG_NET_CLS_CGROUP)
 static inline u32 task_cls_classid(struct task_struct *p)
 {
        u32 classid;
@@ -41,33 +40,18 @@ static inline u32 task_cls_classid(struct task_struct *p)
        return classid;
 }
-#elif IS_MODULE(CONFIG_NET_CLS_CGROUP)
-static inline u32 task_cls_classid(struct task_struct *p)
-{
-        struct cgroup_subsys_state *css;
-        u32 classid = 0;
-        if (in_interrupt())
-                return 0;
-        rcu_read_lock();
-        css = task_css(p, net_cls_subsys_id);
-        if (css)
-                classid = container_of(css,
-                                       struct cgroup_cls_state, css)->classid;
-        rcu_read_unlock();
-        return classid;
-}
-#endif
-#else /* !CGROUP_NET_CLS_CGROUP */
 static inline void sock_update_classid(struct sock *sk)
 {
-}
+        u32 classid;
-static inline u32 task_cls_classid(struct task_struct *p)
+        classid = task_cls_classid(current);
+        if (classid != sk->sk_classid)
+                sk->sk_classid = classid;
+}
+#else /* !CONFIG_CGROUP_NET_CLASSID */
+static inline void sock_update_classid(struct sock *sk)
 {
-        return 0;
 }
-#endif /* CGROUP_NET_CLS_CGROUP */
+#endif /* CONFIG_CGROUP_NET_CLASSID */
 #endif  /* _NET_CLS_CGROUP_H */
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 6c3d12e2949f..981c327374da 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -19,6 +19,4 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
 int nf_conntrack_ipv4_compat_init(void);
 void nf_conntrack_ipv4_compat_fini(void);
-void need_ipv4_conntrack(void);
 #endif /*_NF_CONNTRACK_IPV4_H*/
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index 3efab704b7eb..adc1fa3dd7ab 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -87,7 +87,6 @@ int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto);
 void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto);
 struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);
-void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p);
 /* Existing built-in protocols */
 extern struct nf_conntrack_l3proto nf_conntrack_l3proto_generic;
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index c9c0c538b68b..fbcc7fa536dc 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -65,6 +65,23 @@ struct nf_ip_net {
 struct netns_ct {
        atomic_t                count;
        unsigned int            expect_count;
+#ifdef CONFIG_SYSCTL
+        struct ctl_table_header *sysctl_header;
+        struct ctl_table_header *acct_sysctl_header;
+        struct ctl_table_header *tstamp_sysctl_header;
+        struct ctl_table_header *event_sysctl_header;
+        struct ctl_table_header *helper_sysctl_header;
+#endif
+        char                    *slabname;
+        unsigned int            sysctl_log_invalid; /* Log invalid packets */
+        unsigned int            sysctl_events_retry_timeout;
+        int                     sysctl_events;
+        int                     sysctl_acct;
+        int                     sysctl_auto_assign_helper;
+        bool                    auto_assign_helper_warned;
+        int                     sysctl_tstamp;
+        int                     sysctl_checksum;
        unsigned int            htable_size;
        struct kmem_cache       *nf_conntrack_cachep;
        struct hlist_nulls_head *hash;
@@ -75,14 +92,6 @@ struct netns_ct {
        struct ip_conntrack_stat __percpu *stat;
        struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;
        struct nf_exp_event_notifier __rcu *nf_expect_event_cb;
-        int                     sysctl_events;
-        unsigned int            sysctl_events_retry_timeout;
-        int                     sysctl_acct;
-        int                     sysctl_tstamp;
-        int                     sysctl_checksum;
-        unsigned int            sysctl_log_invalid; /* Log invalid packets */
-        int                     sysctl_auto_assign_helper;
-        bool                    auto_assign_helper_warned;
        struct nf_ip_net        nf_ct_proto;
 #if defined(CONFIG_NF_CONNTRACK_LABELS)
        unsigned int            labels_used;
@@ -92,13 +101,5 @@ struct netns_ct {
        struct hlist_head       *nat_bysource;
        unsigned int            nat_htable_size;
 #endif
-#ifdef CONFIG_SYSCTL
-        struct ctl_table_header *sysctl_header;
-        struct ctl_table_header *acct_sysctl_header;
-        struct ctl_table_header *tstamp_sysctl_header;
-        struct ctl_table_header *event_sysctl_header;
-        struct ctl_table_header *helper_sysctl_header;
-#endif
-        char                    *slabname;
 };
 #endif
diff --git a/include/net/netprio_cgroup.h b/include/net/netprio_cgroup.h
index 099d02782e22..dafc09f0fdbc 100644
--- a/include/net/netprio_cgroup.h
+++ b/include/net/netprio_cgroup.h
@@ -13,12 +13,12 @@
 #ifndef _NETPRIO_CGROUP_H
 #define _NETPRIO_CGROUP_H
 #include <linux/cgroup.h>
 #include <linux/hardirq.h>
 #include <linux/rcupdate.h>
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
 struct netprio_map {
        struct rcu_head rcu;
        u32 priomap_len;
@@ -27,8 +27,7 @@ struct netprio_map {
 void sock_update_netprioidx(struct sock *sk);
-#if IS_BUILTIN(CONFIG_NETPRIO_CGROUP)
+#if IS_BUILTIN(CONFIG_CGROUP_NET_PRIO)
 static inline u32 task_netprioidx(struct task_struct *p)
 {
        struct cgroup_subsys_state *css;
@@ -40,9 +39,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
        rcu_read_unlock();
        return idx;
 }
+#elif IS_MODULE(CONFIG_CGROUP_NET_PRIO)
-#elif IS_MODULE(CONFIG_NETPRIO_CGROUP)
 static inline u32 task_netprioidx(struct task_struct *p)
 {
        struct cgroup_subsys_state *css;
@@ -56,9 +53,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
        return idx;
 }
 #endif
+#else /* !CONFIG_CGROUP_NET_PRIO */
-#else /* !CONFIG_NETPRIO_CGROUP */
 static inline u32 task_netprioidx(struct task_struct *p)
 {
        return 0;
@@ -66,6 +61,5 @@ static inline u32 task_netprioidx(struct task_struct *p)
 #define sock_update_netprioidx(sk)
-#endif /* CONFIG_NETPRIO_CGROUP */
+#endif /* CONFIG_CGROUP_NET_PRIO */
 #endif  /* _NET_CLS_CGROUP_H */
diff --git a/include/net/sock.h b/include/net/sock.h
index 8d9af66ccf2c..5c3f7c3624aa 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -395,7 +395,7 @@ struct sock {
        unsigned short          sk_ack_backlog;
        unsigned short          sk_max_ack_backlog;
        __u32                   sk_priority;
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
        __u32                   sk_cgrp_prioidx;
 #endif
        struct pid              *sk_peer_pid;
author	David S. Miller <davem@davemloft.net>	2014-01-05 20:18:50 -0500
committer	David S. Miller <davem@davemloft.net>	2014-01-05 20:18:50 -0500
commit	855404efae0d449cc491978d54ea5d117a3cb271 (patch)
tree	3c44948365a77058d8b1f2ed6e6683bfc52ef256 /include/net
parent	a1d4b03a076d95edc88d070f7627a73ab80abddc (diff)
parent	82a37132f300ea53bdcd812917af5a6329ec80c3 (diff)

diff --git a/include/net/cls_cgroup.h b/include/net/cls_cgroup.h index 33d03b648646..9cf2d5ef38d9 100644 --- a/include/net/cls_cgroup.h +++ b/include/net/cls_cgroup.h
@@ -16,17 +16,16 @@
16	#include <linux/cgroup.h>	16	#include <linux/cgroup.h>
17	#include <linux/hardirq.h>	17	#include <linux/hardirq.h>
18	#include <linux/rcupdate.h>	18	#include <linux/rcupdate.h>
		19	#include <net/sock.h>
19		20
20	#if IS_ENABLED(CONFIG_NET_CLS_CGROUP)	21	#ifdef CONFIG_CGROUP_NET_CLASSID
21	struct cgroup_cls_state	22	struct cgroup_cls_state {
22	{
23	struct cgroup_subsys_state css;	23	struct cgroup_subsys_state css;
24	u32 classid;	24	u32 classid;
25	};	25	};
26		26
27	void sock_update_classid(struct sock *sk);	27	struct cgroup_cls_state task_cls_state(struct task_struct p);
28		28
29	#if IS_BUILTIN(CONFIG_NET_CLS_CGROUP)
30	static inline u32 task_cls_classid(struct task_struct *p)	29	static inline u32 task_cls_classid(struct task_struct *p)
31	{	30	{
32	u32 classid;	31	u32 classid;
@@ -41,33 +40,18 @@ static inline u32 task_cls_classid(struct task_struct *p)
41		40
42	return classid;	41	return classid;
43	}	42	}
44	#elif IS_MODULE(CONFIG_NET_CLS_CGROUP)
45	static inline u32 task_cls_classid(struct task_struct *p)
46	{
47	struct cgroup_subsys_state *css;
48	u32 classid = 0;
49
50	if (in_interrupt())
51	return 0;
52
53	rcu_read_lock();
54	css = task_css(p, net_cls_subsys_id);
55	if (css)
56	classid = container_of(css,
57	struct cgroup_cls_state, css)->classid;
58	rcu_read_unlock();
59		43
60	return classid;
61	}
62	#endif
63	#else /* !CGROUP_NET_CLS_CGROUP */
64	static inline void sock_update_classid(struct sock *sk)	44	static inline void sock_update_classid(struct sock *sk)
65	{	45	{
66	}	46	u32 classid;
67		47
68	static inline u32 task_cls_classid(struct task_struct *p)	48	classid = task_cls_classid(current);
		49	if (classid != sk->sk_classid)
		50	sk->sk_classid = classid;
		51	}
		52	#else /* !CONFIG_CGROUP_NET_CLASSID */
		53	static inline void sock_update_classid(struct sock *sk)
69	{	54	{
70	return 0;
71	}	55	}
72	#endif /* CGROUP_NET_CLS_CGROUP */	56	#endif /* CONFIG_CGROUP_NET_CLASSID */
73	#endif /* _NET_CLS_CGROUP_H */	57	#endif /* _NET_CLS_CGROUP_H */


diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h index 6c3d12e2949f..981c327374da 100644 --- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h +++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -19,6 +19,4 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
19	int nf_conntrack_ipv4_compat_init(void);	19	int nf_conntrack_ipv4_compat_init(void);
20	void nf_conntrack_ipv4_compat_fini(void);	20	void nf_conntrack_ipv4_compat_fini(void);
21		21
22	void need_ipv4_conntrack(void);
23
24	#endif /_NF_CONNTRACK_IPV4_H/	22	#endif /_NF_CONNTRACK_IPV4_H/


diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index 3efab704b7eb..adc1fa3dd7ab 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -87,7 +87,6 @@ int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto);
87	void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto);	87	void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto);
88		88
89	struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);	89	struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);
90	void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p);
91		90
92	/* Existing built-in protocols */	91	/* Existing built-in protocols */
93	extern struct nf_conntrack_l3proto nf_conntrack_l3proto_generic;	92	extern struct nf_conntrack_l3proto nf_conntrack_l3proto_generic;


diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index c9c0c538b68b..fbcc7fa536dc 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h
@@ -65,6 +65,23 @@ struct nf_ip_net {
65	struct netns_ct {	65	struct netns_ct {
66	atomic_t count;	66	atomic_t count;
67	unsigned int expect_count;	67	unsigned int expect_count;
		68	#ifdef CONFIG_SYSCTL
		69	struct ctl_table_header *sysctl_header;
		70	struct ctl_table_header *acct_sysctl_header;
		71	struct ctl_table_header *tstamp_sysctl_header;
		72	struct ctl_table_header *event_sysctl_header;
		73	struct ctl_table_header *helper_sysctl_header;
		74	#endif
		75	char *slabname;
		76	unsigned int sysctl_log_invalid; /* Log invalid packets */
		77	unsigned int sysctl_events_retry_timeout;
		78	int sysctl_events;
		79	int sysctl_acct;
		80	int sysctl_auto_assign_helper;
		81	bool auto_assign_helper_warned;
		82	int sysctl_tstamp;
		83	int sysctl_checksum;
		84
68	unsigned int htable_size;	85	unsigned int htable_size;
69	struct kmem_cache *nf_conntrack_cachep;	86	struct kmem_cache *nf_conntrack_cachep;
70	struct hlist_nulls_head *hash;	87	struct hlist_nulls_head *hash;
@@ -75,14 +92,6 @@ struct netns_ct {
75	struct ip_conntrack_stat __percpu *stat;	92	struct ip_conntrack_stat __percpu *stat;
76	struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;	93	struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;
77	struct nf_exp_event_notifier __rcu *nf_expect_event_cb;	94	struct nf_exp_event_notifier __rcu *nf_expect_event_cb;
78	int sysctl_events;
79	unsigned int sysctl_events_retry_timeout;
80	int sysctl_acct;
81	int sysctl_tstamp;
82	int sysctl_checksum;
83	unsigned int sysctl_log_invalid; /* Log invalid packets */
84	int sysctl_auto_assign_helper;
85	bool auto_assign_helper_warned;
86	struct nf_ip_net nf_ct_proto;	95	struct nf_ip_net nf_ct_proto;
87	#if defined(CONFIG_NF_CONNTRACK_LABELS)	96	#if defined(CONFIG_NF_CONNTRACK_LABELS)
88	unsigned int labels_used;	97	unsigned int labels_used;
@@ -92,13 +101,5 @@ struct netns_ct {
92	struct hlist_head *nat_bysource;	101	struct hlist_head *nat_bysource;
93	unsigned int nat_htable_size;	102	unsigned int nat_htable_size;
94	#endif	103	#endif
95	#ifdef CONFIG_SYSCTL
96	struct ctl_table_header *sysctl_header;
97	struct ctl_table_header *acct_sysctl_header;
98	struct ctl_table_header *tstamp_sysctl_header;
99	struct ctl_table_header *event_sysctl_header;
100	struct ctl_table_header *helper_sysctl_header;
101	#endif
102	char *slabname;
103	};	104	};
104	#endif	105	#endif


diff --git a/include/net/netprio_cgroup.h b/include/net/netprio_cgroup.h index 099d02782e22..dafc09f0fdbc 100644 --- a/include/net/netprio_cgroup.h +++ b/include/net/netprio_cgroup.h
@@ -13,12 +13,12 @@
13		13
14	#ifndef _NETPRIO_CGROUP_H	14	#ifndef _NETPRIO_CGROUP_H
15	#define _NETPRIO_CGROUP_H	15	#define _NETPRIO_CGROUP_H
		16
16	#include <linux/cgroup.h>	17	#include <linux/cgroup.h>
17	#include <linux/hardirq.h>	18	#include <linux/hardirq.h>
18	#include <linux/rcupdate.h>	19	#include <linux/rcupdate.h>
19		20
20		21	#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
21	#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
22	struct netprio_map {	22	struct netprio_map {
23	struct rcu_head rcu;	23	struct rcu_head rcu;
24	u32 priomap_len;	24	u32 priomap_len;
@@ -27,8 +27,7 @@ struct netprio_map {
27		27
28	void sock_update_netprioidx(struct sock *sk);	28	void sock_update_netprioidx(struct sock *sk);
29		29
30	#if IS_BUILTIN(CONFIG_NETPRIO_CGROUP)	30	#if IS_BUILTIN(CONFIG_CGROUP_NET_PRIO)
31
32	static inline u32 task_netprioidx(struct task_struct *p)	31	static inline u32 task_netprioidx(struct task_struct *p)
33	{	32	{
34	struct cgroup_subsys_state *css;	33	struct cgroup_subsys_state *css;
@@ -40,9 +39,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
40	rcu_read_unlock();	39	rcu_read_unlock();
41	return idx;	40	return idx;
42	}	41	}
43		42	#elif IS_MODULE(CONFIG_CGROUP_NET_PRIO)
44	#elif IS_MODULE(CONFIG_NETPRIO_CGROUP)
45
46	static inline u32 task_netprioidx(struct task_struct *p)	43	static inline u32 task_netprioidx(struct task_struct *p)
47	{	44	{
48	struct cgroup_subsys_state *css;	45	struct cgroup_subsys_state *css;
@@ -56,9 +53,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
56	return idx;	53	return idx;
57	}	54	}
58	#endif	55	#endif
59		56	#else /* !CONFIG_CGROUP_NET_PRIO */
60	#else /* !CONFIG_NETPRIO_CGROUP */
61
62	static inline u32 task_netprioidx(struct task_struct *p)	57	static inline u32 task_netprioidx(struct task_struct *p)
63	{	58	{
64	return 0;	59	return 0;
@@ -66,6 +61,5 @@ static inline u32 task_netprioidx(struct task_struct *p)
66		61
67	#define sock_update_netprioidx(sk)	62	#define sock_update_netprioidx(sk)
68		63
69	#endif /* CONFIG_NETPRIO_CGROUP */	64	#endif /* CONFIG_CGROUP_NET_PRIO */
70
71	#endif /* _NET_CLS_CGROUP_H */	65	#endif /* _NET_CLS_CGROUP_H */


diff --git a/include/net/sock.h b/include/net/sock.h index 8d9af66ccf2c..5c3f7c3624aa 100644 --- a/include/net/sock.h +++ b/include/net/sock.h
@@ -395,7 +395,7 @@ struct sock {
395	unsigned short sk_ack_backlog;	395	unsigned short sk_ack_backlog;
396	unsigned short sk_max_ack_backlog;	396	unsigned short sk_max_ack_backlog;
397	__u32 sk_priority;	397	__u32 sk_priority;
398	#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)	398	#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
399	__u32 sk_cgrp_prioidx;	399	__u32 sk_cgrp_prioidx;
400	#endif	400	#endif
401	struct pid *sk_peer_pid;	401	struct pid *sk_peer_pid;