diff options
| author | David S. Miller <davem@davemloft.net> | 2014-01-05 20:18:50 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-01-05 20:18:50 -0500 |
| commit | 855404efae0d449cc491978d54ea5d117a3cb271 (patch) | |
| tree | 3c44948365a77058d8b1f2ed6e6683bfc52ef256 /include/uapi/linux | |
| parent | a1d4b03a076d95edc88d070f7627a73ab80abddc (diff) | |
| parent | 82a37132f300ea53bdcd812917af5a6329ec80c3 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
netfilter/IPVS updates for net-next
The following patchset contains Netfilter updates for your net-next tree,
they are:
* Add full port randomization support. Some crazy researchers found a way
to reconstruct the secure ephemeral ports that are allocated in random mode
by sending off-path bursts of UDP packets to overrun the socket buffer of
the DNS resolver to trigger retransmissions, then if the timing for the
DNS resolution done by a client is larger than usual, then they conclude
that the port that received the burst of UDP packets is the one that was
opened. It seems a bit aggressive method to me but it seems to work for
them. As a result, Daniel Borkmann and Hannes Frederic Sowa came up with a
new NAT mode to fully randomize ports using prandom.
* Add a new classifier to x_tables based on the socket net_cls set via
cgroups. These includes two patches to prepare the field as requested by
Zefan Li. Also from Daniel Borkmann.
* Use prandom instead of get_random_bytes in several locations of the
netfilter code, from Florian Westphal.
* Allow to use the CTA_MARK_MASK in ctnetlink when mangling the conntrack
mark, also from Florian Westphal.
* Fix compilation warning due to unused variable in IPVS, from Geert
Uytterhoeven.
* Add support for UID/GID via nfnetlink_queue, from Valentina Giusti.
* Add IPComp extension to x_tables, from Fan Du.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/netfilter/Kbuild | 2 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/nf_nat.h | 12 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_queue.h | 5 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/xt_cgroup.h | 11 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/xt_ipcomp.h | 16 |
5 files changed, 41 insertions, 5 deletions
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild index 17c3af2c4bb9..2344f5a319fc 100644 --- a/include/uapi/linux/netfilter/Kbuild +++ b/include/uapi/linux/netfilter/Kbuild | |||
| @@ -39,6 +39,7 @@ header-y += xt_TEE.h | |||
| 39 | header-y += xt_TPROXY.h | 39 | header-y += xt_TPROXY.h |
| 40 | header-y += xt_addrtype.h | 40 | header-y += xt_addrtype.h |
| 41 | header-y += xt_bpf.h | 41 | header-y += xt_bpf.h |
| 42 | header-y += xt_cgroup.h | ||
| 42 | header-y += xt_cluster.h | 43 | header-y += xt_cluster.h |
| 43 | header-y += xt_comment.h | 44 | header-y += xt_comment.h |
| 44 | header-y += xt_connbytes.h | 45 | header-y += xt_connbytes.h |
| @@ -54,6 +55,7 @@ header-y += xt_ecn.h | |||
| 54 | header-y += xt_esp.h | 55 | header-y += xt_esp.h |
| 55 | header-y += xt_hashlimit.h | 56 | header-y += xt_hashlimit.h |
| 56 | header-y += xt_helper.h | 57 | header-y += xt_helper.h |
| 58 | header-y += xt_ipcomp.h | ||
| 57 | header-y += xt_iprange.h | 59 | header-y += xt_iprange.h |
| 58 | header-y += xt_ipvs.h | 60 | header-y += xt_ipvs.h |
| 59 | header-y += xt_length.h | 61 | header-y += xt_length.h |
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h index bf0cc373ffb6..1ad3659102b6 100644 --- a/include/uapi/linux/netfilter/nf_nat.h +++ b/include/uapi/linux/netfilter/nf_nat.h | |||
| @@ -4,10 +4,14 @@ | |||
| 4 | #include <linux/netfilter.h> | 4 | #include <linux/netfilter.h> |
| 5 | #include <linux/netfilter/nf_conntrack_tuple_common.h> | 5 | #include <linux/netfilter/nf_conntrack_tuple_common.h> |
| 6 | 6 | ||
| 7 | #define NF_NAT_RANGE_MAP_IPS 1 | 7 | #define NF_NAT_RANGE_MAP_IPS (1 << 0) |
| 8 | #define NF_NAT_RANGE_PROTO_SPECIFIED 2 | 8 | #define NF_NAT_RANGE_PROTO_SPECIFIED (1 << 1) |
| 9 | #define NF_NAT_RANGE_PROTO_RANDOM 4 | 9 | #define NF_NAT_RANGE_PROTO_RANDOM (1 << 2) |
| 10 | #define NF_NAT_RANGE_PERSISTENT 8 | 10 | #define NF_NAT_RANGE_PERSISTENT (1 << 3) |
| 11 | #define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4) | ||
| 12 | |||
| 13 | #define NF_NAT_RANGE_PROTO_RANDOM_ALL \ | ||
| 14 | (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY) | ||
| 11 | 15 | ||
| 12 | struct nf_nat_ipv4_range { | 16 | struct nf_nat_ipv4_range { |
| 13 | unsigned int flags; | 17 | unsigned int flags; |
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h index 0132bad79de7..8dd819e2b5fe 100644 --- a/include/uapi/linux/netfilter/nfnetlink_queue.h +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h | |||
| @@ -47,6 +47,8 @@ enum nfqnl_attr_type { | |||
| 47 | NFQA_CAP_LEN, /* __u32 length of captured packet */ | 47 | NFQA_CAP_LEN, /* __u32 length of captured packet */ |
| 48 | NFQA_SKB_INFO, /* __u32 skb meta information */ | 48 | NFQA_SKB_INFO, /* __u32 skb meta information */ |
| 49 | NFQA_EXP, /* nf_conntrack_netlink.h */ | 49 | NFQA_EXP, /* nf_conntrack_netlink.h */ |
| 50 | NFQA_UID, /* __u32 sk uid */ | ||
| 51 | NFQA_GID, /* __u32 sk gid */ | ||
| 50 | 52 | ||
| 51 | __NFQA_MAX | 53 | __NFQA_MAX |
| 52 | }; | 54 | }; |
| @@ -99,7 +101,8 @@ enum nfqnl_attr_config { | |||
| 99 | #define NFQA_CFG_F_FAIL_OPEN (1 << 0) | 101 | #define NFQA_CFG_F_FAIL_OPEN (1 << 0) |
| 100 | #define NFQA_CFG_F_CONNTRACK (1 << 1) | 102 | #define NFQA_CFG_F_CONNTRACK (1 << 1) |
| 101 | #define NFQA_CFG_F_GSO (1 << 2) | 103 | #define NFQA_CFG_F_GSO (1 << 2) |
| 102 | #define NFQA_CFG_F_MAX (1 << 3) | 104 | #define NFQA_CFG_F_UID_GID (1 << 3) |
| 105 | #define NFQA_CFG_F_MAX (1 << 4) | ||
| 103 | 106 | ||
| 104 | /* flags for NFQA_SKB_INFO */ | 107 | /* flags for NFQA_SKB_INFO */ |
| 105 | /* packet appears to have wrong checksums, but they are ok */ | 108 | /* packet appears to have wrong checksums, but they are ok */ |
diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h new file mode 100644 index 000000000000..43acb7e175f6 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_cgroup.h | |||
| @@ -0,0 +1,11 @@ | |||
| 1 | #ifndef _UAPI_XT_CGROUP_H | ||
| 2 | #define _UAPI_XT_CGROUP_H | ||
| 3 | |||
| 4 | #include <linux/types.h> | ||
| 5 | |||
| 6 | struct xt_cgroup_info { | ||
| 7 | __u32 id; | ||
| 8 | __u32 invert; | ||
| 9 | }; | ||
| 10 | |||
| 11 | #endif /* _UAPI_XT_CGROUP_H */ | ||
diff --git a/include/uapi/linux/netfilter/xt_ipcomp.h b/include/uapi/linux/netfilter/xt_ipcomp.h new file mode 100644 index 000000000000..45c7e40eb8e1 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_ipcomp.h | |||
| @@ -0,0 +1,16 @@ | |||
| 1 | #ifndef _XT_IPCOMP_H | ||
| 2 | #define _XT_IPCOMP_H | ||
| 3 | |||
| 4 | #include <linux/types.h> | ||
| 5 | |||
| 6 | struct xt_ipcomp { | ||
| 7 | __u32 spis[2]; /* Security Parameter Index */ | ||
| 8 | __u8 invflags; /* Inverse flags */ | ||
| 9 | __u8 hdrres; /* Test of the Reserved Filed */ | ||
| 10 | }; | ||
| 11 | |||
| 12 | /* Values for "invflags" field in struct xt_ipcomp. */ | ||
| 13 | #define XT_IPCOMP_INV_SPI 0x01 /* Invert the sense of spi. */ | ||
| 14 | #define XT_IPCOMP_INV_MASK 0x01 /* All possible flags. */ | ||
| 15 | |||
| 16 | #endif /*_XT_IPCOMP_H*/ | ||