Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
The following patchset contains relevant updates for the Netfilter
tree, they are:

* Enhancements for ipset: Add the counter extension for sets, this
  information can be used from the iptables set match, to change
  the matching behaviour. Jozsef required to add the extension
  infrastructure and moved the existing timeout support upon it.
  This also includes a change in net/sched/em_ipset to adapt it to
  the new extension structure.

* Enhancements for performance boosting in nfnetlink_queue: Add new
  configuration flags that allows user-space to receive big packets (GRO)
  and to disable checksumming calculation. This were proposed by Eric
  Dumazet during the Netfilter Workshop 2013 in Copenhagen. Florian
  Westphal was kind enough to find the time to materialize the proposal.

* A sparse fix from Simon, he noticed it in the SCTP NAT helper, the fix
  required a change in the interface of sctp_end_cksum.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 50 insertions, 5 deletions

diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h
index fbee42807a11..8024cdf13b70 100644
--- a/include/uapi/linux/netfilter/ipset/ip_set.h
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -108,6 +108,8 @@ enum {
         IPSET_ATTR_CIDR2,
         IPSET_ATTR_IP2_TO,
         IPSET_ATTR_IFACE,
+        IPSET_ATTR_BYTES,
+        IPSET_ATTR_PACKETS,
         __IPSET_ATTR_ADT_MAX,
 };
 #define IPSET_ATTR_ADT_MAX      (__IPSET_ATTR_ADT_MAX - 1)
@@ -137,12 +139,13 @@ enum ipset_errno {
         IPSET_ERR_REFERENCED,
         IPSET_ERR_IPADDR_IPV4,
         IPSET_ERR_IPADDR_IPV6,
+        IPSET_ERR_COUNTER,
 
         /* Type specific error codes */
         IPSET_ERR_TYPE_SPECIFIC = 4352,
 };
 
-/* Flags at command level */
+/* Flags at command level or match/target flags, lower half of cmdattrs*/
 enum ipset_cmd_flags {
         IPSET_FLAG_BIT_EXIST    = 0,
         IPSET_FLAG_EXIST        = (1 << IPSET_FLAG_BIT_EXIST),
@@ -150,10 +153,20 @@ enum ipset_cmd_flags {
         IPSET_FLAG_LIST_SETNAME = (1 << IPSET_FLAG_BIT_LIST_SETNAME),
         IPSET_FLAG_BIT_LIST_HEADER = 2,
         IPSET_FLAG_LIST_HEADER  = (1 << IPSET_FLAG_BIT_LIST_HEADER),
-        IPSET_FLAG_CMD_MAX = 15,        /* Lower half */
+        IPSET_FLAG_BIT_SKIP_COUNTER_UPDATE = 3,
+        IPSET_FLAG_SKIP_COUNTER_UPDATE =
+                (1 << IPSET_FLAG_BIT_SKIP_COUNTER_UPDATE),
+        IPSET_FLAG_BIT_SKIP_SUBCOUNTER_UPDATE = 4,
+        IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE =
+                (1 << IPSET_FLAG_BIT_SKIP_SUBCOUNTER_UPDATE),
+        IPSET_FLAG_BIT_MATCH_COUNTERS = 5,
+        IPSET_FLAG_MATCH_COUNTERS = (1 << IPSET_FLAG_BIT_MATCH_COUNTERS),
+        IPSET_FLAG_BIT_RETURN_NOMATCH = 7,
+        IPSET_FLAG_RETURN_NOMATCH = (1 << IPSET_FLAG_BIT_RETURN_NOMATCH),
+        IPSET_FLAG_CMD_MAX = 15,
 };
 
-/* Flags at CADT attribute level */
+/* Flags at CADT attribute level, upper half of cmdattrs */
 enum ipset_cadt_flags {
         IPSET_FLAG_BIT_BEFORE   = 0,
         IPSET_FLAG_BEFORE       = (1 << IPSET_FLAG_BIT_BEFORE),
@@ -161,7 +174,9 @@ enum ipset_cadt_flags {
         IPSET_FLAG_PHYSDEV      = (1 << IPSET_FLAG_BIT_PHYSDEV),
         IPSET_FLAG_BIT_NOMATCH  = 2,
         IPSET_FLAG_NOMATCH      = (1 << IPSET_FLAG_BIT_NOMATCH),
-        IPSET_FLAG_CADT_MAX     = 15,   /* Upper half */
+        IPSET_FLAG_BIT_WITH_COUNTERS = 3,
+        IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS),
+        IPSET_FLAG_CADT_MAX     = 15,
 };
 
 /* Commands with settype-specific attributes */
@@ -190,6 +205,7 @@ enum ip_set_dim {
          * If changed, new revision of iptables match/target is required.
          */
         IPSET_DIM_MAX = 6,
+        /* Backward compatibility: set match revision 2 */
         IPSET_BIT_RETURN_NOMATCH = 7,
 };
 
@@ -202,6 +218,18 @@ enum ip_set_kopt {
         IPSET_RETURN_NOMATCH = (1 << IPSET_BIT_RETURN_NOMATCH),
 };
 
+enum {
+        IPSET_COUNTER_NONE = 0,
+        IPSET_COUNTER_EQ,
+        IPSET_COUNTER_NE,
+        IPSET_COUNTER_LT,
+        IPSET_COUNTER_GT,
+};
+
+struct ip_set_counter_match {
+        __u8 op;
+        __u64 value;
+};
 
 /* Interface to iptables/ip6tables */
 
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index 70ec8c2bc11a..a2308ae5a73d 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -45,6 +45,7 @@ enum nfqnl_attr_type {
         NFQA_CT,                        /* nf_conntrack_netlink.h */
         NFQA_CT_INFO,                   /* enum ip_conntrack_info */
         NFQA_CAP_LEN,                   /* __u32 length of captured packet */
+        NFQA_SKB_INFO,                  /* __u32 skb meta information */
 
         __NFQA_MAX
 };
@@ -96,6 +97,13 @@ enum nfqnl_attr_config {
 /* Flags for NFQA_CFG_FLAGS */
 #define NFQA_CFG_F_FAIL_OPEN                    (1 << 0)
 #define NFQA_CFG_F_CONNTRACK                    (1 << 1)
-#define NFQA_CFG_F_MAX                          (1 << 2)
+#define NFQA_CFG_F_GSO                          (1 << 2)
+#define NFQA_CFG_F_MAX                          (1 << 3)
+
+/* flags for NFQA_SKB_INFO */
+/* packet appears to have wrong checksums, but they are ok */
+#define NFQA_SKB_CSUMNOTREADY (1 << 0)
+/* packet is GSO (i.e., exceeds device mtu) */
+#define NFQA_SKB_GSO (1 << 1)
 
 #endif /* _NFNETLINK_QUEUE_H */
diff --git a/include/uapi/linux/netfilter/xt_set.h b/include/uapi/linux/netfilter/xt_set.h
index e3a9978f259f..964d3d42f874 100644
--- a/include/uapi/linux/netfilter/xt_set.h
+++ b/include/uapi/linux/netfilter/xt_set.h
@@ -62,4 +62,13 @@ struct xt_set_info_target_v2 {
         __u32 timeout;
 };
 
+/* Revision 3 match */
+
+struct xt_set_info_match_v3 {
+        struct xt_set_info match_set;
+        struct ip_set_counter_match packets;
+        struct ip_set_counter_match bytes;
+        __u32 flags;
+};
+
 #endif /*_XT_SET_H*/