Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says: ==================== netfilter/IPVS updates for net-next The following patchset contains Netfilter updates for your net-next tree, they are: * Add full port randomization support. Some crazy researchers found a way to reconstruct the secure ephemeral ports that are allocated in random mode by sending off-path bursts of UDP packets to overrun the socket buffer of the DNS resolver to trigger retransmissions, then if the timing for the DNS resolution done by a client is larger than usual, then they conclude that the port that received the burst of UDP packets is the one that was opened. It seems a bit aggressive method to me but it seems to work for them. As a result, Daniel Borkmann and Hannes Frederic Sowa came up with a new NAT mode to fully randomize ports using prandom. * Add a new classifier to x_tables based on the socket net_cls set via cgroups. These includes two patches to prepare the field as requested by Zefan Li. Also from Daniel Borkmann. * Use prandom instead of get_random_bytes in several locations of the netfilter code, from Florian Westphal. * Allow to use the CTA_MARK_MASK in ctnetlink when mangling the conntrack mark, also from Florian Westphal. * Fix compilation warning due to unused variable in IPVS, from Geert Uytterhoeven. * Add support for UID/GID via nfnetlink_queue, from Valentina Giusti. * Add IPComp extension to x_tables, from Fan Du. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2014-01-05 20:18:50 -0500
committer: David S. Miller <davem@davemloft.net> 2014-01-05 20:18:50 -0500
commit: 855404efae0d449cc491978d54ea5d117a3cb271 (patch)
tree: 3c44948365a77058d8b1f2ed6e6683bfc52ef256 /include
parent: a1d4b03a076d95edc88d070f7627a73ab80abddc (diff)
parent: 82a37132f300ea53bdcd812917af5a6329ec80c3 (diff)
14 files changed, 80 insertions, 69 deletions
diff --git a/include/linux/cgroup_subsys.h b/include/linux/cgroup_subsys.h
index b613ffd402d1..7b99d717411d 100644
--- a/include/linux/cgroup_subsys.h
+++ b/include/linux/cgroup_subsys.h
@@ -31,7 +31,7 @@ SUBSYS(devices)
 SUBSYS(freezer)
 #endif
-#if IS_SUBSYS_ENABLED(CONFIG_NET_CLS_CGROUP)
+#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
 SUBSYS(net_cls)
 #endif
@@ -43,7 +43,7 @@ SUBSYS(blkio)
 SUBSYS(perf)
 #endif
-#if IS_SUBSYS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_PRIO)
 SUBSYS(net_prio)
 #endif
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index 51c0fe258163..0c30af38be0d 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -1444,7 +1444,7 @@ struct net_device {
        /* max exchange id for FCoE LRO by ddp */
        unsigned int            fcoe_ddp_xid;
 #endif
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
        struct netprio_map __rcu *priomap;
 #endif
        /* phy device may attach itself for hardware timestamping */
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index c7174b816674..0c7d01eae56c 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -331,7 +331,6 @@ extern ip_set_id_t ip_set_get_byname(struct net *net,
                                     const char *name, struct ip_set **set);
 extern void ip_set_put_byindex(struct net *net, ip_set_id_t index);
 extern const char *ip_set_name_byindex(struct net *net, ip_set_id_t index);
-extern ip_set_id_t ip_set_nfnl_get(struct net *net, const char *name);
 extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index);
 extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index);
diff --git a/include/net/cls_cgroup.h b/include/net/cls_cgroup.h
index 33d03b648646..9cf2d5ef38d9 100644
--- a/include/net/cls_cgroup.h
+++ b/include/net/cls_cgroup.h
@@ -16,17 +16,16 @@
 #include <linux/cgroup.h>
 #include <linux/hardirq.h>
 #include <linux/rcupdate.h>
+#include <net/sock.h>
-#if IS_ENABLED(CONFIG_NET_CLS_CGROUP)
+#ifdef CONFIG_CGROUP_NET_CLASSID
-struct cgroup_cls_state
+struct cgroup_cls_state {
-{
        struct cgroup_subsys_state css;
        u32 classid;
 };
-void sock_update_classid(struct sock *sk);
+struct cgroup_cls_state *task_cls_state(struct task_struct *p);
-#if IS_BUILTIN(CONFIG_NET_CLS_CGROUP)
 static inline u32 task_cls_classid(struct task_struct *p)
 {
        u32 classid;
@@ -41,33 +40,18 @@ static inline u32 task_cls_classid(struct task_struct *p)
        return classid;
 }
-#elif IS_MODULE(CONFIG_NET_CLS_CGROUP)
-static inline u32 task_cls_classid(struct task_struct *p)
-{
-        struct cgroup_subsys_state *css;
-        u32 classid = 0;
-        if (in_interrupt())
-                return 0;
-        rcu_read_lock();
-        css = task_css(p, net_cls_subsys_id);
-        if (css)
-                classid = container_of(css,
-                                       struct cgroup_cls_state, css)->classid;
-        rcu_read_unlock();
-        return classid;
-}
-#endif
-#else /* !CGROUP_NET_CLS_CGROUP */
 static inline void sock_update_classid(struct sock *sk)
 {
-}
+        u32 classid;
-static inline u32 task_cls_classid(struct task_struct *p)
+        classid = task_cls_classid(current);
+        if (classid != sk->sk_classid)
+                sk->sk_classid = classid;
+}
+#else /* !CONFIG_CGROUP_NET_CLASSID */
+static inline void sock_update_classid(struct sock *sk)
 {
-        return 0;
 }
-#endif /* CGROUP_NET_CLS_CGROUP */
+#endif /* CONFIG_CGROUP_NET_CLASSID */
 #endif  /* _NET_CLS_CGROUP_H */
diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
index 6c3d12e2949f..981c327374da 100644
--- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -19,6 +19,4 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
 int nf_conntrack_ipv4_compat_init(void);
 void nf_conntrack_ipv4_compat_fini(void);
-void need_ipv4_conntrack(void);
 #endif /*_NF_CONNTRACK_IPV4_H*/
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index 3efab704b7eb..adc1fa3dd7ab 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -87,7 +87,6 @@ int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto);
 void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto);
 struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);
-void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p);
 /* Existing built-in protocols */
 extern struct nf_conntrack_l3proto nf_conntrack_l3proto_generic;
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index c9c0c538b68b..fbcc7fa536dc 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -65,6 +65,23 @@ struct nf_ip_net {
 struct netns_ct {
        atomic_t                count;
        unsigned int            expect_count;
+#ifdef CONFIG_SYSCTL
+        struct ctl_table_header *sysctl_header;
+        struct ctl_table_header *acct_sysctl_header;
+        struct ctl_table_header *tstamp_sysctl_header;
+        struct ctl_table_header *event_sysctl_header;
+        struct ctl_table_header *helper_sysctl_header;
+#endif
+        char                    *slabname;
+        unsigned int            sysctl_log_invalid; /* Log invalid packets */
+        unsigned int            sysctl_events_retry_timeout;
+        int                     sysctl_events;
+        int                     sysctl_acct;
+        int                     sysctl_auto_assign_helper;
+        bool                    auto_assign_helper_warned;
+        int                     sysctl_tstamp;
+        int                     sysctl_checksum;
        unsigned int            htable_size;
        struct kmem_cache       *nf_conntrack_cachep;
        struct hlist_nulls_head *hash;
@@ -75,14 +92,6 @@ struct netns_ct {
        struct ip_conntrack_stat __percpu *stat;
        struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;
        struct nf_exp_event_notifier __rcu *nf_expect_event_cb;
-        int                     sysctl_events;
-        unsigned int            sysctl_events_retry_timeout;
-        int                     sysctl_acct;
-        int                     sysctl_tstamp;
-        int                     sysctl_checksum;
-        unsigned int            sysctl_log_invalid; /* Log invalid packets */
-        int                     sysctl_auto_assign_helper;
-        bool                    auto_assign_helper_warned;
        struct nf_ip_net        nf_ct_proto;
 #if defined(CONFIG_NF_CONNTRACK_LABELS)
        unsigned int            labels_used;
@@ -92,13 +101,5 @@ struct netns_ct {
        struct hlist_head       *nat_bysource;
        unsigned int            nat_htable_size;
 #endif
-#ifdef CONFIG_SYSCTL
-        struct ctl_table_header *sysctl_header;
-        struct ctl_table_header *acct_sysctl_header;
-        struct ctl_table_header *tstamp_sysctl_header;
-        struct ctl_table_header *event_sysctl_header;
-        struct ctl_table_header *helper_sysctl_header;
-#endif
-        char                    *slabname;
 };
 #endif
diff --git a/include/net/netprio_cgroup.h b/include/net/netprio_cgroup.h
index 099d02782e22..dafc09f0fdbc 100644
--- a/include/net/netprio_cgroup.h
+++ b/include/net/netprio_cgroup.h
@@ -13,12 +13,12 @@
 #ifndef _NETPRIO_CGROUP_H
 #define _NETPRIO_CGROUP_H
 #include <linux/cgroup.h>
 #include <linux/hardirq.h>
 #include <linux/rcupdate.h>
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
 struct netprio_map {
        struct rcu_head rcu;
        u32 priomap_len;
@@ -27,8 +27,7 @@ struct netprio_map {
 void sock_update_netprioidx(struct sock *sk);
-#if IS_BUILTIN(CONFIG_NETPRIO_CGROUP)
+#if IS_BUILTIN(CONFIG_CGROUP_NET_PRIO)
 static inline u32 task_netprioidx(struct task_struct *p)
 {
        struct cgroup_subsys_state *css;
@@ -40,9 +39,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
        rcu_read_unlock();
        return idx;
 }
+#elif IS_MODULE(CONFIG_CGROUP_NET_PRIO)
-#elif IS_MODULE(CONFIG_NETPRIO_CGROUP)
 static inline u32 task_netprioidx(struct task_struct *p)
 {
        struct cgroup_subsys_state *css;
@@ -56,9 +53,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
        return idx;
 }
 #endif
+#else /* !CONFIG_CGROUP_NET_PRIO */
-#else /* !CONFIG_NETPRIO_CGROUP */
 static inline u32 task_netprioidx(struct task_struct *p)
 {
        return 0;
@@ -66,6 +61,5 @@ static inline u32 task_netprioidx(struct task_struct *p)
 #define sock_update_netprioidx(sk)
-#endif /* CONFIG_NETPRIO_CGROUP */
+#endif /* CONFIG_CGROUP_NET_PRIO */
 #endif  /* _NET_CLS_CGROUP_H */
diff --git a/include/net/sock.h b/include/net/sock.h
index 8d9af66ccf2c..5c3f7c3624aa 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -395,7 +395,7 @@ struct sock {
        unsigned short          sk_ack_backlog;
        unsigned short          sk_max_ack_backlog;
        __u32                   sk_priority;
-#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
+#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
        __u32                   sk_cgrp_prioidx;
 #endif
        struct pid              *sk_peer_pid;
diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild
index 17c3af2c4bb9..2344f5a319fc 100644
--- a/include/uapi/linux/netfilter/Kbuild
+++ b/include/uapi/linux/netfilter/Kbuild
@@ -39,6 +39,7 @@ header-y += xt_TEE.h
 header-y += xt_TPROXY.h
 header-y += xt_addrtype.h
 header-y += xt_bpf.h
+header-y += xt_cgroup.h
 header-y += xt_cluster.h
 header-y += xt_comment.h
 header-y += xt_connbytes.h
@@ -54,6 +55,7 @@ header-y += xt_ecn.h
 header-y += xt_esp.h
 header-y += xt_hashlimit.h
 header-y += xt_helper.h
+header-y += xt_ipcomp.h
 header-y += xt_iprange.h
 header-y += xt_ipvs.h
 header-y += xt_length.h
diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h
index bf0cc373ffb6..1ad3659102b6 100644
--- a/include/uapi/linux/netfilter/nf_nat.h
+++ b/include/uapi/linux/netfilter/nf_nat.h
@@ -4,10 +4,14 @@
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_conntrack_tuple_common.h>
-#define NF_NAT_RANGE_MAP_IPS            1
+#define NF_NAT_RANGE_MAP_IPS                    (1 << 0)
-#define NF_NAT_RANGE_PROTO_SPECIFIED    2
+#define NF_NAT_RANGE_PROTO_SPECIFIED            (1 << 1)
-#define NF_NAT_RANGE_PROTO_RANDOM       4
+#define NF_NAT_RANGE_PROTO_RANDOM               (1 << 2)
-#define NF_NAT_RANGE_PERSISTENT         8
+#define NF_NAT_RANGE_PERSISTENT                 (1 << 3)
+#define NF_NAT_RANGE_PROTO_RANDOM_FULLY         (1 << 4)
+#define NF_NAT_RANGE_PROTO_RANDOM_ALL           \
+        (NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)
 struct nf_nat_ipv4_range {
        unsigned int                    flags;
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index 0132bad79de7..8dd819e2b5fe 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -47,6 +47,8 @@ enum nfqnl_attr_type {
        NFQA_CAP_LEN,                   /* __u32 length of captured packet */
        NFQA_SKB_INFO,                  /* __u32 skb meta information */
        NFQA_EXP,                       /* nf_conntrack_netlink.h */
+        NFQA_UID,                       /* __u32 sk uid */
+        NFQA_GID,                       /* __u32 sk gid */
        __NFQA_MAX
 };
@@ -99,7 +101,8 @@ enum nfqnl_attr_config {
 #define NFQA_CFG_F_FAIL_OPEN                    (1 << 0)
 #define NFQA_CFG_F_CONNTRACK                    (1 << 1)
 #define NFQA_CFG_F_GSO                          (1 << 2)
-#define NFQA_CFG_F_MAX                          (1 << 3)
+#define NFQA_CFG_F_UID_GID                      (1 << 3)
+#define NFQA_CFG_F_MAX                          (1 << 4)
 /* flags for NFQA_SKB_INFO */
 /* packet appears to have wrong checksums, but they are ok */
diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h
new file mode 100644
index 000000000000..43acb7e175f6
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_cgroup.h
@@ -0,0 +1,11 @@
+#ifndef _UAPI_XT_CGROUP_H
+#define _UAPI_XT_CGROUP_H
+#include <linux/types.h>
+struct xt_cgroup_info {
+        __u32 id;
+        __u32 invert;
+};
+#endif /* _UAPI_XT_CGROUP_H */
diff --git a/include/uapi/linux/netfilter/xt_ipcomp.h b/include/uapi/linux/netfilter/xt_ipcomp.h
new file mode 100644
index 000000000000..45c7e40eb8e1
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_ipcomp.h
@@ -0,0 +1,16 @@
+#ifndef _XT_IPCOMP_H
+#define _XT_IPCOMP_H
+#include <linux/types.h>
+struct xt_ipcomp {
+        __u32 spis[2];  /* Security Parameter Index */
+        __u8 invflags;  /* Inverse flags */
+        __u8 hdrres;    /* Test of the Reserved Filed */
+};
+/* Values for "invflags" field in struct xt_ipcomp. */
+#define XT_IPCOMP_INV_SPI       0x01    /* Invert the sense of spi. */
+#define XT_IPCOMP_INV_MASK      0x01    /* All possible flags. */
+#endif /*_XT_IPCOMP_H*/
author	David S. Miller <davem@davemloft.net>	2014-01-05 20:18:50 -0500
committer	David S. Miller <davem@davemloft.net>	2014-01-05 20:18:50 -0500
commit	855404efae0d449cc491978d54ea5d117a3cb271 (patch)
tree	3c44948365a77058d8b1f2ed6e6683bfc52ef256 /include
parent	a1d4b03a076d95edc88d070f7627a73ab80abddc (diff)
parent	82a37132f300ea53bdcd812917af5a6329ec80c3 (diff)

diff --git a/include/linux/cgroup_subsys.h b/include/linux/cgroup_subsys.h index b613ffd402d1..7b99d717411d 100644 --- a/include/linux/cgroup_subsys.h +++ b/include/linux/cgroup_subsys.h
@@ -31,7 +31,7 @@ SUBSYS(devices)
31	SUBSYS(freezer)	31	SUBSYS(freezer)
32	#endif	32	#endif
33		33
34	#if IS_SUBSYS_ENABLED(CONFIG_NET_CLS_CGROUP)	34	#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_CLASSID)
35	SUBSYS(net_cls)	35	SUBSYS(net_cls)
36	#endif	36	#endif
37		37
@@ -43,7 +43,7 @@ SUBSYS(blkio)
43	SUBSYS(perf)	43	SUBSYS(perf)
44	#endif	44	#endif
45		45
46	#if IS_SUBSYS_ENABLED(CONFIG_NETPRIO_CGROUP)	46	#if IS_SUBSYS_ENABLED(CONFIG_CGROUP_NET_PRIO)
47	SUBSYS(net_prio)	47	SUBSYS(net_prio)
48	#endif	48	#endif
49		49


diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h index 51c0fe258163..0c30af38be0d 100644 --- a/include/linux/netdevice.h +++ b/include/linux/netdevice.h
@@ -1444,7 +1444,7 @@ struct net_device {
1444	/* max exchange id for FCoE LRO by ddp */	1444	/* max exchange id for FCoE LRO by ddp */
1445	unsigned int fcoe_ddp_xid;	1445	unsigned int fcoe_ddp_xid;
1446	#endif	1446	#endif
1447	#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)	1447	#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
1448	struct netprio_map __rcu *priomap;	1448	struct netprio_map __rcu *priomap;
1449	#endif	1449	#endif
1450	/* phy device may attach itself for hardware timestamping */	1450	/* phy device may attach itself for hardware timestamping */


diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index c7174b816674..0c7d01eae56c 100644 --- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h
@@ -331,7 +331,6 @@ extern ip_set_id_t ip_set_get_byname(struct net *net,
331	const char name, struct ip_set *set);	331	const char name, struct ip_set *set);
332	extern void ip_set_put_byindex(struct net *net, ip_set_id_t index);	332	extern void ip_set_put_byindex(struct net *net, ip_set_id_t index);
333	extern const char ip_set_name_byindex(struct net net, ip_set_id_t index);	333	extern const char ip_set_name_byindex(struct net net, ip_set_id_t index);
334	extern ip_set_id_t ip_set_nfnl_get(struct net net, const char name);
335	extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index);	334	extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index);
336	extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index);	335	extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index);
337		336


diff --git a/include/net/cls_cgroup.h b/include/net/cls_cgroup.h index 33d03b648646..9cf2d5ef38d9 100644 --- a/include/net/cls_cgroup.h +++ b/include/net/cls_cgroup.h
@@ -16,17 +16,16 @@
16	#include <linux/cgroup.h>	16	#include <linux/cgroup.h>
17	#include <linux/hardirq.h>	17	#include <linux/hardirq.h>
18	#include <linux/rcupdate.h>	18	#include <linux/rcupdate.h>
		19	#include <net/sock.h>
19		20
20	#if IS_ENABLED(CONFIG_NET_CLS_CGROUP)	21	#ifdef CONFIG_CGROUP_NET_CLASSID
21	struct cgroup_cls_state	22	struct cgroup_cls_state {
22	{
23	struct cgroup_subsys_state css;	23	struct cgroup_subsys_state css;
24	u32 classid;	24	u32 classid;
25	};	25	};
26		26
27	void sock_update_classid(struct sock *sk);	27	struct cgroup_cls_state task_cls_state(struct task_struct p);
28		28
29	#if IS_BUILTIN(CONFIG_NET_CLS_CGROUP)
30	static inline u32 task_cls_classid(struct task_struct *p)	29	static inline u32 task_cls_classid(struct task_struct *p)
31	{	30	{
32	u32 classid;	31	u32 classid;
@@ -41,33 +40,18 @@ static inline u32 task_cls_classid(struct task_struct *p)
41		40
42	return classid;	41	return classid;
43	}	42	}
44	#elif IS_MODULE(CONFIG_NET_CLS_CGROUP)
45	static inline u32 task_cls_classid(struct task_struct *p)
46	{
47	struct cgroup_subsys_state *css;
48	u32 classid = 0;
49
50	if (in_interrupt())
51	return 0;
52
53	rcu_read_lock();
54	css = task_css(p, net_cls_subsys_id);
55	if (css)
56	classid = container_of(css,
57	struct cgroup_cls_state, css)->classid;
58	rcu_read_unlock();
59		43
60	return classid;
61	}
62	#endif
63	#else /* !CGROUP_NET_CLS_CGROUP */
64	static inline void sock_update_classid(struct sock *sk)	44	static inline void sock_update_classid(struct sock *sk)
65	{	45	{
66	}	46	u32 classid;
67		47
68	static inline u32 task_cls_classid(struct task_struct *p)	48	classid = task_cls_classid(current);
		49	if (classid != sk->sk_classid)
		50	sk->sk_classid = classid;
		51	}
		52	#else /* !CONFIG_CGROUP_NET_CLASSID */
		53	static inline void sock_update_classid(struct sock *sk)
69	{	54	{
70	return 0;
71	}	55	}
72	#endif /* CGROUP_NET_CLS_CGROUP */	56	#endif /* CONFIG_CGROUP_NET_CLASSID */
73	#endif /* _NET_CLS_CGROUP_H */	57	#endif /* _NET_CLS_CGROUP_H */


diff --git a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h index 6c3d12e2949f..981c327374da 100644 --- a/include/net/netfilter/ipv4/nf_conntrack_ipv4.h +++ b/include/net/netfilter/ipv4/nf_conntrack_ipv4.h
@@ -19,6 +19,4 @@ extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
19	int nf_conntrack_ipv4_compat_init(void);	19	int nf_conntrack_ipv4_compat_init(void);
20	void nf_conntrack_ipv4_compat_fini(void);	20	void nf_conntrack_ipv4_compat_fini(void);
21		21
22	void need_ipv4_conntrack(void);
23
24	#endif /_NF_CONNTRACK_IPV4_H/	22	#endif /_NF_CONNTRACK_IPV4_H/


diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index 3efab704b7eb..adc1fa3dd7ab 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -87,7 +87,6 @@ int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto);
87	void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto);	87	void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto);
88		88
89	struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);	89	struct nf_conntrack_l3proto *nf_ct_l3proto_find_get(u_int16_t l3proto);
90	void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p);
91		90
92	/* Existing built-in protocols */	91	/* Existing built-in protocols */
93	extern struct nf_conntrack_l3proto nf_conntrack_l3proto_generic;	92	extern struct nf_conntrack_l3proto nf_conntrack_l3proto_generic;


diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index c9c0c538b68b..fbcc7fa536dc 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h
@@ -65,6 +65,23 @@ struct nf_ip_net {
65	struct netns_ct {	65	struct netns_ct {
66	atomic_t count;	66	atomic_t count;
67	unsigned int expect_count;	67	unsigned int expect_count;
		68	#ifdef CONFIG_SYSCTL
		69	struct ctl_table_header *sysctl_header;
		70	struct ctl_table_header *acct_sysctl_header;
		71	struct ctl_table_header *tstamp_sysctl_header;
		72	struct ctl_table_header *event_sysctl_header;
		73	struct ctl_table_header *helper_sysctl_header;
		74	#endif
		75	char *slabname;
		76	unsigned int sysctl_log_invalid; /* Log invalid packets */
		77	unsigned int sysctl_events_retry_timeout;
		78	int sysctl_events;
		79	int sysctl_acct;
		80	int sysctl_auto_assign_helper;
		81	bool auto_assign_helper_warned;
		82	int sysctl_tstamp;
		83	int sysctl_checksum;
		84
68	unsigned int htable_size;	85	unsigned int htable_size;
69	struct kmem_cache *nf_conntrack_cachep;	86	struct kmem_cache *nf_conntrack_cachep;
70	struct hlist_nulls_head *hash;	87	struct hlist_nulls_head *hash;
@@ -75,14 +92,6 @@ struct netns_ct {
75	struct ip_conntrack_stat __percpu *stat;	92	struct ip_conntrack_stat __percpu *stat;
76	struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;	93	struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;
77	struct nf_exp_event_notifier __rcu *nf_expect_event_cb;	94	struct nf_exp_event_notifier __rcu *nf_expect_event_cb;
78	int sysctl_events;
79	unsigned int sysctl_events_retry_timeout;
80	int sysctl_acct;
81	int sysctl_tstamp;
82	int sysctl_checksum;
83	unsigned int sysctl_log_invalid; /* Log invalid packets */
84	int sysctl_auto_assign_helper;
85	bool auto_assign_helper_warned;
86	struct nf_ip_net nf_ct_proto;	95	struct nf_ip_net nf_ct_proto;
87	#if defined(CONFIG_NF_CONNTRACK_LABELS)	96	#if defined(CONFIG_NF_CONNTRACK_LABELS)
88	unsigned int labels_used;	97	unsigned int labels_used;
@@ -92,13 +101,5 @@ struct netns_ct {
92	struct hlist_head *nat_bysource;	101	struct hlist_head *nat_bysource;
93	unsigned int nat_htable_size;	102	unsigned int nat_htable_size;
94	#endif	103	#endif
95	#ifdef CONFIG_SYSCTL
96	struct ctl_table_header *sysctl_header;
97	struct ctl_table_header *acct_sysctl_header;
98	struct ctl_table_header *tstamp_sysctl_header;
99	struct ctl_table_header *event_sysctl_header;
100	struct ctl_table_header *helper_sysctl_header;
101	#endif
102	char *slabname;
103	};	104	};
104	#endif	105	#endif


diff --git a/include/net/netprio_cgroup.h b/include/net/netprio_cgroup.h index 099d02782e22..dafc09f0fdbc 100644 --- a/include/net/netprio_cgroup.h +++ b/include/net/netprio_cgroup.h
@@ -13,12 +13,12 @@
13		13
14	#ifndef _NETPRIO_CGROUP_H	14	#ifndef _NETPRIO_CGROUP_H
15	#define _NETPRIO_CGROUP_H	15	#define _NETPRIO_CGROUP_H
		16
16	#include <linux/cgroup.h>	17	#include <linux/cgroup.h>
17	#include <linux/hardirq.h>	18	#include <linux/hardirq.h>
18	#include <linux/rcupdate.h>	19	#include <linux/rcupdate.h>
19		20
20		21	#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
21	#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)
22	struct netprio_map {	22	struct netprio_map {
23	struct rcu_head rcu;	23	struct rcu_head rcu;
24	u32 priomap_len;	24	u32 priomap_len;
@@ -27,8 +27,7 @@ struct netprio_map {
27		27
28	void sock_update_netprioidx(struct sock *sk);	28	void sock_update_netprioidx(struct sock *sk);
29		29
30	#if IS_BUILTIN(CONFIG_NETPRIO_CGROUP)	30	#if IS_BUILTIN(CONFIG_CGROUP_NET_PRIO)
31
32	static inline u32 task_netprioidx(struct task_struct *p)	31	static inline u32 task_netprioidx(struct task_struct *p)
33	{	32	{
34	struct cgroup_subsys_state *css;	33	struct cgroup_subsys_state *css;
@@ -40,9 +39,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
40	rcu_read_unlock();	39	rcu_read_unlock();
41	return idx;	40	return idx;
42	}	41	}
43		42	#elif IS_MODULE(CONFIG_CGROUP_NET_PRIO)
44	#elif IS_MODULE(CONFIG_NETPRIO_CGROUP)
45
46	static inline u32 task_netprioidx(struct task_struct *p)	43	static inline u32 task_netprioidx(struct task_struct *p)
47	{	44	{
48	struct cgroup_subsys_state *css;	45	struct cgroup_subsys_state *css;
@@ -56,9 +53,7 @@ static inline u32 task_netprioidx(struct task_struct *p)
56	return idx;	53	return idx;
57	}	54	}
58	#endif	55	#endif
59		56	#else /* !CONFIG_CGROUP_NET_PRIO */
60	#else /* !CONFIG_NETPRIO_CGROUP */
61
62	static inline u32 task_netprioidx(struct task_struct *p)	57	static inline u32 task_netprioidx(struct task_struct *p)
63	{	58	{
64	return 0;	59	return 0;
@@ -66,6 +61,5 @@ static inline u32 task_netprioidx(struct task_struct *p)
66		61
67	#define sock_update_netprioidx(sk)	62	#define sock_update_netprioidx(sk)
68		63
69	#endif /* CONFIG_NETPRIO_CGROUP */	64	#endif /* CONFIG_CGROUP_NET_PRIO */
70
71	#endif /* _NET_CLS_CGROUP_H */	65	#endif /* _NET_CLS_CGROUP_H */


diff --git a/include/net/sock.h b/include/net/sock.h index 8d9af66ccf2c..5c3f7c3624aa 100644 --- a/include/net/sock.h +++ b/include/net/sock.h
@@ -395,7 +395,7 @@ struct sock {
395	unsigned short sk_ack_backlog;	395	unsigned short sk_ack_backlog;
396	unsigned short sk_max_ack_backlog;	396	unsigned short sk_max_ack_backlog;
397	__u32 sk_priority;	397	__u32 sk_priority;
398	#if IS_ENABLED(CONFIG_NETPRIO_CGROUP)	398	#if IS_ENABLED(CONFIG_CGROUP_NET_PRIO)
399	__u32 sk_cgrp_prioidx;	399	__u32 sk_cgrp_prioidx;
400	#endif	400	#endif
401	struct pid *sk_peer_pid;	401	struct pid *sk_peer_pid;


diff --git a/include/uapi/linux/netfilter/Kbuild b/include/uapi/linux/netfilter/Kbuild index 17c3af2c4bb9..2344f5a319fc 100644 --- a/include/uapi/linux/netfilter/Kbuild +++ b/include/uapi/linux/netfilter/Kbuild
@@ -39,6 +39,7 @@ header-y += xt_TEE.h
39	header-y += xt_TPROXY.h	39	header-y += xt_TPROXY.h
40	header-y += xt_addrtype.h	40	header-y += xt_addrtype.h
41	header-y += xt_bpf.h	41	header-y += xt_bpf.h
		42	header-y += xt_cgroup.h
42	header-y += xt_cluster.h	43	header-y += xt_cluster.h
43	header-y += xt_comment.h	44	header-y += xt_comment.h
44	header-y += xt_connbytes.h	45	header-y += xt_connbytes.h
@@ -54,6 +55,7 @@ header-y += xt_ecn.h
54	header-y += xt_esp.h	55	header-y += xt_esp.h
55	header-y += xt_hashlimit.h	56	header-y += xt_hashlimit.h
56	header-y += xt_helper.h	57	header-y += xt_helper.h
		58	header-y += xt_ipcomp.h
57	header-y += xt_iprange.h	59	header-y += xt_iprange.h
58	header-y += xt_ipvs.h	60	header-y += xt_ipvs.h
59	header-y += xt_length.h	61	header-y += xt_length.h


diff --git a/include/uapi/linux/netfilter/nf_nat.h b/include/uapi/linux/netfilter/nf_nat.h index bf0cc373ffb6..1ad3659102b6 100644 --- a/include/uapi/linux/netfilter/nf_nat.h +++ b/include/uapi/linux/netfilter/nf_nat.h
@@ -4,10 +4,14 @@
4	#include <linux/netfilter.h>	4	#include <linux/netfilter.h>
5	#include <linux/netfilter/nf_conntrack_tuple_common.h>	5	#include <linux/netfilter/nf_conntrack_tuple_common.h>
6		6
7	#define NF_NAT_RANGE_MAP_IPS 1	7	#define NF_NAT_RANGE_MAP_IPS (1 << 0)
8	#define NF_NAT_RANGE_PROTO_SPECIFIED 2	8	#define NF_NAT_RANGE_PROTO_SPECIFIED (1 << 1)
9	#define NF_NAT_RANGE_PROTO_RANDOM 4	9	#define NF_NAT_RANGE_PROTO_RANDOM (1 << 2)
10	#define NF_NAT_RANGE_PERSISTENT 8	10	#define NF_NAT_RANGE_PERSISTENT (1 << 3)
		11	#define NF_NAT_RANGE_PROTO_RANDOM_FULLY (1 << 4)
		12
		13	#define NF_NAT_RANGE_PROTO_RANDOM_ALL \
		14	(NF_NAT_RANGE_PROTO_RANDOM \| NF_NAT_RANGE_PROTO_RANDOM_FULLY)
11		15
12	struct nf_nat_ipv4_range {	16	struct nf_nat_ipv4_range {
13	unsigned int flags;	17	unsigned int flags;


diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h index 0132bad79de7..8dd819e2b5fe 100644 --- a/include/uapi/linux/netfilter/nfnetlink_queue.h +++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -47,6 +47,8 @@ enum nfqnl_attr_type {
47	NFQA_CAP_LEN, /* __u32 length of captured packet */	47	NFQA_CAP_LEN, /* __u32 length of captured packet */
48	NFQA_SKB_INFO, /* __u32 skb meta information */	48	NFQA_SKB_INFO, /* __u32 skb meta information */
49	NFQA_EXP, /* nf_conntrack_netlink.h */	49	NFQA_EXP, /* nf_conntrack_netlink.h */
		50	NFQA_UID, /* __u32 sk uid */
		51	NFQA_GID, /* __u32 sk gid */
50		52
51	__NFQA_MAX	53	__NFQA_MAX
52	};	54	};
@@ -99,7 +101,8 @@ enum nfqnl_attr_config {
99	#define NFQA_CFG_F_FAIL_OPEN (1 << 0)	101	#define NFQA_CFG_F_FAIL_OPEN (1 << 0)
100	#define NFQA_CFG_F_CONNTRACK (1 << 1)	102	#define NFQA_CFG_F_CONNTRACK (1 << 1)
101	#define NFQA_CFG_F_GSO (1 << 2)	103	#define NFQA_CFG_F_GSO (1 << 2)
102	#define NFQA_CFG_F_MAX (1 << 3)	104	#define NFQA_CFG_F_UID_GID (1 << 3)
		105	#define NFQA_CFG_F_MAX (1 << 4)
103		106
104	/* flags for NFQA_SKB_INFO */	107	/* flags for NFQA_SKB_INFO */
105	/* packet appears to have wrong checksums, but they are ok */	108	/* packet appears to have wrong checksums, but they are ok */


diff --git a/include/uapi/linux/netfilter/xt_cgroup.h b/include/uapi/linux/netfilter/xt_cgroup.h new file mode 100644 index 000000000000..43acb7e175f6 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_cgroup.h
@@ -0,0 +1,11 @@
		1	#ifndef _UAPI_XT_CGROUP_H
		2	#define _UAPI_XT_CGROUP_H
		3
		4	#include <linux/types.h>
		5
		6	struct xt_cgroup_info {
		7	__u32 id;
		8	__u32 invert;
		9	};
		10
		11	#endif /* _UAPI_XT_CGROUP_H */


diff --git a/include/uapi/linux/netfilter/xt_ipcomp.h b/include/uapi/linux/netfilter/xt_ipcomp.h new file mode 100644 index 000000000000..45c7e40eb8e1 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_ipcomp.h
@@ -0,0 +1,16 @@
		1	#ifndef _XT_IPCOMP_H
		2	#define _XT_IPCOMP_H
		3
		4	#include <linux/types.h>
		5
		6	struct xt_ipcomp {
		7	__u32 spis[2]; /* Security Parameter Index */
		8	__u8 invflags; /* Inverse flags */
		9	__u8 hdrres; /* Test of the Reserved Filed */
		10	};
		11
		12	/* Values for "invflags" field in struct xt_ipcomp. */
		13	#define XT_IPCOMP_INV_SPI 0x01 /* Invert the sense of spi. */
		14	#define XT_IPCOMP_INV_MASK 0x01 /* All possible flags. */
		15
		16	#endif /_XT_IPCOMP_H/