| author | David S. Miller <davem@davemloft.net> | 2014-02-09 17:20:00 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-02-09 17:20:00 -0500 |
| commit | f41f03196041f91acad2b6d2b3e1f800aed60100 (patch) | |
| tree | 2981088eb28919bf32e8040b0ad73beead0ec815 /include/net | |
| parent | 4a5ab4e224288403b0b4b6b8c4d339323150c312 (diff) | |
| parent | 6d8c00d58e9e484fdc41aaaf62e5d8364efe375a (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter/nftables/IPVS fixes for net
The following patchset contains Netfilter/IPVS fixes, mostly nftables
fixes, most relevantly they are:
* Fix a crash in the h323 conntrack NAT helper due to expectation list
corruption, from Alexey Dobriyan.
* A couple of RCU race fixes for conntrack, one manifests by hitting BUG_ON
in nf_nat_setup_info() and the destroy path, patches from Andrey Vagin and
me.
* Dump direction attribute in nft_ct only if it is set, from Arturo
Borrero.
* Fix IPVS bug in its own connection tracking system that may lead to
copying only 4 bytes of the IPv6 address when initializing the
ip_vs_conn object, from Michal Kubecek.
* Fix -EBUSY errors in nftables when deleting the rules, chain and tables
in a row due to a mixture of asynchronous and synchronous object releasing,
from me.
* Three fixes for the nf_tables set infrastructure when using intervals and
mappings, from me.
* Four patches to fixing the nf_tables log, reject and ct expressions from
the new inet table, from Patrick McHardy.
* Fix memory overrun in the map that is used to dynamically allocate names
from anonymous sets, also from Patrick.
* Fix a potential oops if you dump a set with NFPROTO_UNSPEC and a table
name, from Patrick McHardy.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/netfilter/nf_conntrack.h | 2 | ||||
| -rw-r--r-- | include/net/netfilter/nf_tables.h | 9 | ||||
| -rw-r--r-- | include/net/netfilter/nft_reject.h | 25 |
3 files changed, 32 insertions, 4 deletions
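--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -284,6 +284,8 @@ extern unsigned int nf_conntrack_max;
 extern unsigned int nf_conntrack_hash_rnd;
 void init_nf_conntrack_hash_rnd(void);
 
+void nf_conntrack_tmpl_insert(struct net *net, struct nf_conn *tmpl);
+
 #define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
 #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
 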
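Review bot: The new nf_conntrack_tmpl_insert() prototype says nothing about what @tmpl is inserted into, whether ownership of the template passes to the conntrack core, or which lock or RCU section the caller must hold, even though the merge description ties this change to the RCU race fixes around nf_nat_setup_info() and the destroy path. The neighbouring declarations in this header are equally bare, so a single line would already be an improvement: `/* Insert conntrack template @tmpl for @net; see the definition for the locking context it expects. */`. Whether the template's refcount is taken by the callee cannot be told from the header and should be stated at the prototype once confirmed against the definition.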
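--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -252,6 +252,7 @@ void nf_tables_unbind_set(const struct nft_ctx *ctx, struct nft_set *set,
 * @owner: module reference
 * @policy: netlink attribute policy
 * @maxattr: highest netlink attribute number
+* @family: address family for AF-specific types
 */
 struct nft_expr_type {
 const struct nft_expr_ops *(*select_ops)(const struct nft_ctx *,
@@ -262,6 +263,7 @@ struct nft_expr_type {
 struct module *owner;
 const struct nla_policy *policy;
 unsigned int maxattr;
+u8 family;
 };
 
 /**
@@ -320,7 +322,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
 * struct nft_rule - nf_tables rule
 *
 * @list: used internally
-* @rcu_head: used internally for rcu
 * @handle: rule handle
 * @genmask: generation mask
 * @dlen: length of expression data
@@ -328,7 +329,6 @@ static inline void *nft_expr_priv(const struct nft_expr *expr)
 */
 struct nft_rule {
 struct list_head list;
-struct rcu_head rcu_head;
 u64 handle:46,
 genmask:2,
 dlen:16;
@@ -389,7 +389,6 @@ enum nft_chain_flags {
 *
 * @rules: list of rules in the chain
 * @list: used internally
-* @rcu_head: used internally
 * @net: net namespace that this chain belongs to
 * @table: table that this chain belongs to
 * @handle: chain handle
@@ -401,7 +400,6 @@ enum nft_chain_flags {
 struct nft_chain {
 struct list_head rules;
 struct list_head list;
-struct rcu_head rcu_head;
 struct net *net;
 struct nft_table *table;
 u64 handle;
@@ -529,6 +527,9 @@ void nft_unregister_expr(struct nft_expr_type *);
 #define MODULE_ALIAS_NFT_CHAIN(family, name) \
 MODULE_ALIAS("nft-chain-" __stringify(family) "-" name)
 
+#define MODULE_ALIAS_NFT_AF_EXPR(family, name) \
+MODULE_ALIAS("nft-expr-" __stringify(family) "-" name)
+
 #define MODULE_ALIAS_NFT_EXPR(name) \
 MODULE_ALIAS("nft-expr-" name)
 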
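Review bot: The kernel-doc added for the new `u8 family` member of struct nft_expr_type does not say what value a family-independent expression type carries, and since these types are statically initialised the field will silently be 0 for every existing registration that does not set it; presumably 0 (NFPROTO_UNSPEC) is the "matches any family" value, but that should be confirmed against the type lookup in nf_tables_api.c and stated here, e.g. ` * @family: address family for AF-specific types, NFPROTO_UNSPEC otherwise`. The same hunk's MODULE_ALIAS_NFT_AF_EXPR() produces `nft-expr-<family>-<name>` while MODULE_ALIAS_NFT_EXPR() produces `nft-expr-<name>`, so a short comment above the new macro saying that a module providing an AF-specific type must use the AF variant for autoloading to pick the right family would help readers of this header. The removal of the rcu_head members is the fix the merge describes and is not re-raised here.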
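--- /dev/null
+++ b/include/net/netfilter/nft_reject.h
@@ -0,0 +1,25 @@
+#ifndef _NFT_REJECT_H_
+#define _NFT_REJECT_H_
+
+struct nft_reject {
+enum nft_reject_types type:8;
+u8 icmp_code;
+};
+
+extern const struct nla_policy nft_reject_policy[];
+
+int nft_reject_init(const struct nft_ctx *ctx,
+const struct nft_expr *expr,
+const struct nlattr * const tb[]);
+
+int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr);
+
+void nft_reject_ipv4_eval(const struct nft_expr *expr,
+struct nft_data data[NFT_REG_MAX + 1],
+const struct nft_pktinfo *pkt);
+
+void nft_reject_ipv6_eval(const struct nft_expr *expr,
+struct nft_data data[NFT_REG_MAX + 1],
+const struct nft_pktinfo *pkt);
+
+#endif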
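Review bot: The new header is not self-contained: it uses u8, enum nft_reject_types, struct nla_policy, struct nft_ctx, struct nft_expr, struct nlattr, struct sk_buff, struct nft_data, struct nft_pktinfo and NFT_REG_MAX without including or forward-declaring any of them, so it only compiles when every includer has pulled in nf_tables.h first. Adding `#include <net/netfilter/nf_tables.h>` directly after the guard on line 2 removes that include-order dependency. The `enum nft_reject_types type:8` bit-field also relies on every enumerator fitting in eight bits and on the implementation-defined signedness of enum bit-fields; a one-line comment stating that assumption, or a plain `u8 type;` with the enum documented, would make the intent explicit.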
