diff options
| author | David S. Miller <davem@davemloft.net> | 2014-09-10 15:46:32 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-09-10 15:46:32 -0400 |
| commit | 0aac383353693edcd8fc5a82a692bb7e5f60d2fd (patch) | |
| tree | 53750f41a82c12fb468d360b635bcbd65958ccc9 /include/uapi/linux | |
| parent | b167a37c7bbc6f7589f439ba7d9a49af5ad37ff5 (diff) | |
| parent | 9ba1f726bec090399eb9bb9157eb32dedc8e8c45 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
nf-next pull request
The following patchset contains Netfilter/IPVS updates for your
net-next tree. Regarding nf_tables, most updates focus on consolidating
the NAT infrastructure and adding support for masquerading. More
specifically, they are:
1) use __u8 instead of u_int8_t in arptables header, from
Mike Frysinger.
2) Add support to match by skb->pkttype to the meta expression, from
Ana Rey.
3) Add support to match by cpu to the meta expression, also from
Ana Rey.
4) A smatch warning about IPSET_ATTR_MARKMASK validation, patch from
Vytas Dauksa.
5) Fix netnet and netportnet hash types the range support for IPv4,
from Sergey Popovich.
6) Fix missing-field-initializer warnings resolved, from Mark Rustad.
7) Dan Carperter reported possible integer overflows in ipset, from
Jozsef Kadlecsick.
8) Filter out accounting objects in nfacct by type, so you can
selectively reset quotas, from Alexey Perevalov.
9) Move specific NAT IPv4 functions to the core so x_tables and
nf_tables can share the same NAT IPv4 engine.
10) Use the new NAT IPv4 functions from nft_chain_nat_ipv4.
11) Move specific NAT IPv6 functions to the core so x_tables and
nf_tables can share the same NAT IPv4 engine.
12) Use the new NAT IPv6 functions from nft_chain_nat_ipv6.
13) Refactor code to add nft_delrule(), which can be reused in the
enhancement of the NFT_MSG_DELTABLE to remove a table and its
content, from Arturo Borrero.
14) Add a helper function to unregister chain hooks, from
Arturo Borrero.
15) A cleanup to rename to nft_delrule_by_chain for consistency with
the new nft_*() functions, also from Arturo.
16) Add support to match devgroup to the meta expression, from Ana Rey.
17) Reduce stack usage for IPVS socket option, from Julian Anastasov.
18) Remove unnecessary textsearch state initialization in xt_string,
from Bojan Prtvar.
19) Add several helper functions to nf_tables, more work to prepare
the enhancement of NFT_MSG_DELTABLE, again from Arturo Borrero.
20) Enhance NFT_MSG_DELTABLE to delete a table and its content, from
Arturo Borrero.
21) Support NAT flags in the nat expression to indicate the flavour,
eg. random fully, from Arturo.
22) Add missing audit code to ebtables when replacing tables, from
Nicolas Dichtel.
23) Generalize the IPv4 masquerading code to allow its re-use from
nf_tables, from Arturo.
24) Generalize the IPv6 masquerading code, also from Arturo.
25) Add the new masq expression to support IPv4/IPv6 masquerading
from nf_tables, also from Arturo.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/netfilter/nf_nat.h | 5 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 21 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_acct.h | 8 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter_arp/arpt_mangle.h | 2 |
4 files changed, 35 insertions, 1 deletions
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h index 1ad3659102b6..0880781ad7b6 100644 --- a/include/uapi/linux/netfilter/nf_nat.h +++ b/include/uapi/linux/netfilter/nf_nat.h | |||
| @@ -13,6 +13,11 @@ | |||
| 13 | #define NF_NAT_RANGE_PROTO_RANDOM_ALL \ | 13 | #define NF_NAT_RANGE_PROTO_RANDOM_ALL \ |
| 14 | (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) | 14 | (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) |
| 15 | 15 | ||
| 16 | #define NF_NAT_RANGE_MASK \ | ||
| 17 | (NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED | \ | ||
| 18 | NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT | \ | ||
| 19 | NF_NAT_RANGE_PROTO_RANDOM_FULLY) | ||
| 20 | |||
| 16 | struct nf_nat_ipv4_range { | 21 | struct nf_nat_ipv4_range { |
| 17 | unsigned int flags; | 22 | unsigned int flags; |
| 18 | __be32 min_ip; | 23 | __be32 min_ip; |
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 801bdd1e56e3..eeec0ae845ef 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h | |||
| @@ -571,6 +571,10 @@ enum nft_exthdr_attributes { | |||
| 571 | * @NFT_META_L4PROTO: layer 4 protocol number | 571 | * @NFT_META_L4PROTO: layer 4 protocol number |
| 572 | * @NFT_META_BRI_IIFNAME: packet input bridge interface name | 572 | * @NFT_META_BRI_IIFNAME: packet input bridge interface name |
| 573 | * @NFT_META_BRI_OIFNAME: packet output bridge interface name | 573 | * @NFT_META_BRI_OIFNAME: packet output bridge interface name |
| 574 | * @NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback | ||
| 575 | * @NFT_META_CPU: cpu id through smp_processor_id() | ||
| 576 | * @NFT_META_IIFGROUP: packet input interface group | ||
| 577 | * @NFT_META_OIFGROUP: packet output interface group | ||
| 574 | */ | 578 | */ |
| 575 | enum nft_meta_keys { | 579 | enum nft_meta_keys { |
| 576 | NFT_META_LEN, | 580 | NFT_META_LEN, |
| @@ -592,6 +596,10 @@ enum nft_meta_keys { | |||
| 592 | NFT_META_L4PROTO, | 596 | NFT_META_L4PROTO, |
| 593 | NFT_META_BRI_IIFNAME, | 597 | NFT_META_BRI_IIFNAME, |
| 594 | NFT_META_BRI_OIFNAME, | 598 | NFT_META_BRI_OIFNAME, |
| 599 | NFT_META_PKTTYPE, | ||
| 600 | NFT_META_CPU, | ||
| 601 | NFT_META_IIFGROUP, | ||
| 602 | NFT_META_OIFGROUP, | ||
| 595 | }; | 603 | }; |
| 596 | 604 | ||
| 597 | /** | 605 | /** |
| @@ -777,6 +785,7 @@ enum nft_nat_types { | |||
| 777 | * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) | 785 | * @NFTA_NAT_REG_ADDR_MAX: source register of address range end (NLA_U32: nft_registers) |
| 778 | * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) | 786 | * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers) |
| 779 | * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) | 787 | * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers) |
| 788 | * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) | ||
| 780 | */ | 789 | */ |
| 781 | enum nft_nat_attributes { | 790 | enum nft_nat_attributes { |
| 782 | NFTA_NAT_UNSPEC, | 791 | NFTA_NAT_UNSPEC, |
| @@ -786,8 +795,20 @@ enum nft_nat_attributes { | |||
| 786 | NFTA_NAT_REG_ADDR_MAX, | 795 | NFTA_NAT_REG_ADDR_MAX, |
| 787 | NFTA_NAT_REG_PROTO_MIN, | 796 | NFTA_NAT_REG_PROTO_MIN, |
| 788 | NFTA_NAT_REG_PROTO_MAX, | 797 | NFTA_NAT_REG_PROTO_MAX, |
| 798 | NFTA_NAT_FLAGS, | ||
| 789 | __NFTA_NAT_MAX | 799 | __NFTA_NAT_MAX |
| 790 | }; | 800 | }; |
| 791 | #define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1) | 801 | #define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1) |
| 792 | 802 | ||
| 803 | /** | ||
| 804 | * enum nft_masq_attributes - nf_tables masquerade expression attributes | ||
| 805 | * | ||
| 806 | * @NFTA_MASQ_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32) | ||
| 807 | */ | ||
| 808 | enum nft_masq_attributes { | ||
| 809 | NFTA_MASQ_FLAGS, | ||
| 810 | __NFTA_MASQ_MAX | ||
| 811 | }; | ||
| 812 | #define NFTA_MASQ_MAX (__NFTA_MASQ_MAX - 1) | ||
| 813 | |||
| 793 | #endif /* _LINUX_NF_TABLES_H */ | 814 | #endif /* _LINUX_NF_TABLES_H */ |
diff --git a/include/uapi/linux/netfilter/nfnetlink_acct.h b/include/uapi/linux/netfilter/nfnetlink_acct.h index 51404ec19022..f3e34dbbf966 100644 --- a/include/uapi/linux/netfilter/nfnetlink_acct.h +++ b/include/uapi/linux/netfilter/nfnetlink_acct.h | |||
| @@ -28,9 +28,17 @@ enum nfnl_acct_type { | |||
| 28 | NFACCT_USE, | 28 | NFACCT_USE, |
| 29 | NFACCT_FLAGS, | 29 | NFACCT_FLAGS, |
| 30 | NFACCT_QUOTA, | 30 | NFACCT_QUOTA, |
| 31 | NFACCT_FILTER, | ||
| 31 | __NFACCT_MAX | 32 | __NFACCT_MAX |
| 32 | }; | 33 | }; |
| 33 | #define NFACCT_MAX (__NFACCT_MAX - 1) | 34 | #define NFACCT_MAX (__NFACCT_MAX - 1) |
| 34 | 35 | ||
| 36 | enum nfnl_attr_filter_type { | ||
| 37 | NFACCT_FILTER_UNSPEC, | ||
| 38 | NFACCT_FILTER_MASK, | ||
| 39 | NFACCT_FILTER_VALUE, | ||
| 40 | __NFACCT_FILTER_MAX | ||
| 41 | }; | ||
| 42 | #define NFACCT_FILTER_MAX (__NFACCT_FILTER_MAX - 1) | ||
| 35 | 43 | ||
| 36 | #endif /* _UAPI_NFNL_ACCT_H_ */ | 44 | #endif /* _UAPI_NFNL_ACCT_H_ */ |
diff --git a/include/uapi/linux/netfilter_arp/arpt_mangle.h b/include/uapi/linux/netfilter_arp/arpt_mangle.h index 250f502902bb..8c2b16a1f5a0 100644 --- a/include/uapi/linux/netfilter_arp/arpt_mangle.h +++ b/include/uapi/linux/netfilter_arp/arpt_mangle.h | |||
| @@ -13,7 +13,7 @@ struct arpt_mangle | |||
| 13 | union { | 13 | union { |
| 14 | struct in_addr tgt_ip; | 14 | struct in_addr tgt_ip; |
| 15 | } u_t; | 15 | } u_t; |
| 16 | u_int8_t flags; | 16 | __u8 flags; |
| 17 | int target; | 17 | int target; |
| 18 | }; | 18 | }; |
| 19 | 19 | ||