Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables

Pablo Neira Ayuso says:

====================
Netfilter/nftables updates for net-next

The following patchset contains Netfilter/nftables updates for net-next,
most relevantly they are:

1) Add set element update notification via netlink, from Arturo Borrero.

2) Put all object updates in one single message batch that is sent to
   kernel-space. Before this patch only rules where included in the batch.
   This series also introduces the generic transaction infrastructure so
   updates to all objects (tables, chains, rules and sets) are applied in
   an all-or-nothing fashion, these series from me.

3) Defer release of objects via call_rcu to reduce the time required to
   commit changes. The assumption is that all objects are destroyed in
   reverse order to ensure that dependencies betweem them are fulfilled
   (ie. rules and sets are destroyed first, then chains, and finally
   tables).

4) Allow to match by bridge port name, from Tomasz Bursztyka. This series
   include two patches to prepare this new feature.

5) Implement the proper set selection based on the characteristics of the
   data. The new infrastructure also allows you to specify your preferences
   in terms of memory and computational complexity so the underlying set
   type is also selected according to your needs, from Patrick McHardy.

6) Several cleanup patches for nft expressions, including one minor possible
   compilation breakage due to missing mark support, also from Patrick.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

4 files changed, 154 insertions, 2 deletions

diff --git a/net/bridge/Makefile b/net/bridge/Makefile
index e85498b2f166..906a18b4e74a 100644
--- a/net/bridge/Makefile
+++ b/net/bridge/Makefile
@@ -16,4 +16,4 @@ bridge-$(CONFIG_BRIDGE_IGMP_SNOOPING) += br_multicast.o br_mdb.o
 
 bridge-$(CONFIG_BRIDGE_VLAN_FILTERING) += br_vlan.o
 
-obj-$(CONFIG_BRIDGE_NF_EBTABLES) += netfilter/
+obj-$(CONFIG_BRIDGE_NETFILTER) += netfilter/
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index 5ca74a0e595f..3baf29d34e62 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -2,13 +2,25 @@
 # Bridge netfilter configuration
 #
 #
-config NF_TABLES_BRIDGE
+menuconfig NF_TABLES_BRIDGE
         depends on NF_TABLES
+        select BRIDGE_NETFILTER
         tristate "Ethernet Bridge nf_tables support"
 
+if NF_TABLES_BRIDGE
+
+config NFT_BRIDGE_META
+        tristate "Netfilter nf_table bridge meta support"
+        depends on NFT_META
+        help
+          Add support for bridge dedicated meta key.
+
+endif # NF_TABLES_BRIDGE
+
 menuconfig BRIDGE_NF_EBTABLES
         tristate "Ethernet Bridge tables (ebtables) support"
         depends on BRIDGE && NETFILTER
+        select BRIDGE_NETFILTER
         select NETFILTER_XTABLES
         help
           ebtables is a general, extensible frame/packet identification
diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
index ea7629f58b3d..6f2f3943d66f 100644
--- a/net/bridge/netfilter/Makefile
+++ b/net/bridge/netfilter/Makefile
@@ -3,6 +3,7 @@
 #
 
 obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o
+obj-$(CONFIG_NFT_BRIDGE_META)  += nft_meta_bridge.o
 
 obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
 
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
new file mode 100644
index 000000000000..4f02109d708f
--- /dev/null
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -0,0 +1,139 @@
+/*
+ * Copyright (c) 2014 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_meta.h>
+
+#include "../br_private.h"
+
+static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
+                                     struct nft_data data[NFT_REG_MAX + 1],
+                                     const struct nft_pktinfo *pkt)
+{
+        const struct nft_meta *priv = nft_expr_priv(expr);
+        const struct net_device *in = pkt->in, *out = pkt->out;
+        struct nft_data *dest = &data[priv->dreg];
+        const struct net_bridge_port *p;
+
+        switch (priv->key) {
+        case NFT_META_BRI_IIFNAME:
+                if (in == NULL || (p = br_port_get_rcu(in)) == NULL)
+                        goto err;
+                break;
+        case NFT_META_BRI_OIFNAME:
+                if (out == NULL || (p = br_port_get_rcu(out)) == NULL)
+                        goto err;
+                break;
+        default:
+                goto out;
+        }
+
+        strncpy((char *)dest->data, p->br->dev->name, sizeof(dest->data));
+        return;
+out:
+        return nft_meta_get_eval(expr, data, pkt);
+err:
+        data[NFT_REG_VERDICT].verdict = NFT_BREAK;
+}
+
+static int nft_meta_bridge_get_init(const struct nft_ctx *ctx,
+                                    const struct nft_expr *expr,
+                                    const struct nlattr * const tb[])
+{
+        struct nft_meta *priv = nft_expr_priv(expr);
+        int err;
+
+        priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
+        switch (priv->key) {
+        case NFT_META_BRI_IIFNAME:
+        case NFT_META_BRI_OIFNAME:
+                break;
+        default:
+                return nft_meta_get_init(ctx, expr, tb);
+        }
+
+        priv->dreg = ntohl(nla_get_be32(tb[NFTA_META_DREG]));
+        err = nft_validate_output_register(priv->dreg);
+        if (err < 0)
+                return err;
+
+        err = nft_validate_data_load(ctx, priv->dreg, NULL, NFT_DATA_VALUE);
+        if (err < 0)
+                return err;
+
+        return 0;
+}
+
+static struct nft_expr_type nft_meta_bridge_type;
+static const struct nft_expr_ops nft_meta_bridge_get_ops = {
+        .type           = &nft_meta_bridge_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
+        .eval           = nft_meta_bridge_get_eval,
+        .init           = nft_meta_bridge_get_init,
+        .dump           = nft_meta_get_dump,
+};
+
+static const struct nft_expr_ops nft_meta_bridge_set_ops = {
+        .type           = &nft_meta_bridge_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
+        .eval           = nft_meta_set_eval,
+        .init           = nft_meta_set_init,
+        .dump           = nft_meta_set_dump,
+};
+
+static const struct nft_expr_ops *
+nft_meta_bridge_select_ops(const struct nft_ctx *ctx,
+                           const struct nlattr * const tb[])
+{
+        if (tb[NFTA_META_KEY] == NULL)
+                return ERR_PTR(-EINVAL);
+
+        if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
+                return ERR_PTR(-EINVAL);
+
+        if (tb[NFTA_META_DREG])
+                return &nft_meta_bridge_get_ops;
+
+        if (tb[NFTA_META_SREG])
+                return &nft_meta_bridge_set_ops;
+
+        return ERR_PTR(-EINVAL);
+}
+
+static struct nft_expr_type nft_meta_bridge_type __read_mostly = {
+        .family         = NFPROTO_BRIDGE,
+        .name           = "meta",
+        .select_ops     = &nft_meta_bridge_select_ops,
+        .policy         = nft_meta_policy,
+        .maxattr        = NFTA_META_MAX,
+        .owner          = THIS_MODULE,
+};
+
+static int __init nft_meta_bridge_module_init(void)
+{
+        return nft_register_expr(&nft_meta_bridge_type);
+}
+
+static void __exit nft_meta_bridge_module_exit(void)
+{
+        nft_unregister_expr(&nft_meta_bridge_type);
+}
+
+module_init(nft_meta_bridge_module_init);
+module_exit(nft_meta_bridge_module_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "meta");