Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables

Pablo Neira Ayuso says:

====================
nf_tables updates for net-next

The following patchset contains the following nf_tables updates,
mostly updates from Patrick McHardy, they are:

* Add the "inet" table and filter chain type for this new netfilter
  family: NFPROTO_INET. This special table/chain allows IPv4 and IPv6
  rules, this should help to simplify the burden in the administration
  of dual stack firewalls. This also includes several patches to prepare
  the infrastructure for this new table and a new meta extension to
  match the layer 3 and 4 protocol numbers, from Patrick McHardy.

* Load both IPv4 and IPv6 conntrack modules in nft_ct if the rule is used
  in NFPROTO_INET, as we don't certainly know which one would be used,
  also from Patrick McHardy.

* Do not allow to delete a table that contains sets, otherwise these
  sets become orphan, from Patrick McHardy.

* Hold a reference to the corresponding nf_tables family module when
  creating a table of that family type, to avoid the module deletion
  when in use, from Patrick McHardy.

* Update chain counters before setting the chain policy to ensure that
  we don't leave the chain in inconsistent state in case of errors (aka.
  restore chain atomicity). This also fixes a possible leak if it fails
  to allocate the chain counters if no counters are passed to be restored,
  from Patrick McHardy.

* Don't check for overflows in the table counter if we are just renaming
  a chain, from Patrick McHardy.

* Replay the netlink request after dropping the nfnl lock to load the
  module that supports provides a chain type, from Patrick.

* Fix chain type module references, from Patrick.

* Several cleanups, function renames, constification and code
  refactorizations also from Patrick McHardy.

* Add support to set the connmark, this can be used to set it based on
  the meta mark (similar feature to -j CONNMARK --restore), from
  Kristian Evensen.

* A couple of fixes to the recently added meta/set support and nft_reject,
  and fix missing chain type unregistration if we fail to register our
  the family table/filter chain type, from myself.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

3 files changed, 43 insertions, 42 deletions

diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c
index d77db8a13505..0d812b31277d 100644
--- a/net/ipv6/netfilter/nf_tables_ipv6.c
+++ b/net/ipv6/netfilter/nf_tables_ipv6.c
@@ -16,34 +16,51 @@
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_ipv6.h>
 
+static unsigned int nft_do_chain_ipv6(const struct nf_hook_ops *ops,
+                                      struct sk_buff *skb,
+                                      const struct net_device *in,
+                                      const struct net_device *out,
+                                      int (*okfn)(struct sk_buff *))
+{
+        struct nft_pktinfo pkt;
+
+        /* malformed packet, drop it */
+        if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
+                return NF_DROP;
+
+        return nft_do_chain(&pkt, ops);
+}
+
 static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops,
                                     struct sk_buff *skb,
                                     const struct net_device *in,
                                     const struct net_device *out,
                                     int (*okfn)(struct sk_buff *))
 {
-        struct nft_pktinfo pkt;
-
         if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
                 if (net_ratelimit())
                         pr_info("nf_tables_ipv6: ignoring short SOCK_RAW "
                                 "packet\n");
                 return NF_ACCEPT;
         }
-        if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
-                return NF_DROP;
 
-        return nft_do_chain_pktinfo(&pkt, ops);
+        return nft_do_chain_ipv6(ops, skb, in, out, okfn);
 }
 
-static struct nft_af_info nft_af_ipv6 __read_mostly = {
+struct nft_af_info nft_af_ipv6 __read_mostly = {
         .family         = NFPROTO_IPV6,
         .nhooks         = NF_INET_NUMHOOKS,
         .owner          = THIS_MODULE,
+        .nops           = 1,
         .hooks          = {
+                [NF_INET_LOCAL_IN]      = nft_do_chain_ipv6,
                 [NF_INET_LOCAL_OUT]     = nft_ipv6_output,
+                [NF_INET_FORWARD]       = nft_do_chain_ipv6,
+                [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv6,
+                [NF_INET_POST_ROUTING]  = nft_do_chain_ipv6,
         },
 };
+EXPORT_SYMBOL_GPL(nft_af_ipv6);
 
 static int nf_tables_ipv6_init_net(struct net *net)
 {
@@ -73,44 +90,28 @@ static struct pernet_operations nf_tables_ipv6_net_ops = {
         .exit   = nf_tables_ipv6_exit_net,
 };
 
-static unsigned int
-nft_do_chain_ipv6(const struct nf_hook_ops *ops,
-                  struct sk_buff *skb,
-                  const struct net_device *in,
-                  const struct net_device *out,
-                  int (*okfn)(struct sk_buff *))
-{
-        struct nft_pktinfo pkt;
-
-        /* malformed packet, drop it */
-        if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0)
-                return NF_DROP;
-
-        return nft_do_chain_pktinfo(&pkt, ops);
-}
-
-static struct nf_chain_type filter_ipv6 = {
-        .family         = NFPROTO_IPV6,
+static const struct nf_chain_type filter_ipv6 = {
         .name           = "filter",
         .type           = NFT_CHAIN_T_DEFAULT,
+        .family         = NFPROTO_IPV6,
+        .owner          = THIS_MODULE,
         .hook_mask      = (1 << NF_INET_LOCAL_IN) |
                           (1 << NF_INET_LOCAL_OUT) |
                           (1 << NF_INET_FORWARD) |
                           (1 << NF_INET_PRE_ROUTING) |
                           (1 << NF_INET_POST_ROUTING),
-        .fn             = {
-                [NF_INET_LOCAL_IN]      = nft_do_chain_ipv6,
-                [NF_INET_LOCAL_OUT]     = nft_ipv6_output,
-                [NF_INET_FORWARD]       = nft_do_chain_ipv6,
-                [NF_INET_PRE_ROUTING]   = nft_do_chain_ipv6,
-                [NF_INET_POST_ROUTING]  = nft_do_chain_ipv6,
-        },
 };
 
 static int __init nf_tables_ipv6_init(void)
 {
+        int ret;
+
         nft_register_chain_type(&filter_ipv6);
-        return register_pernet_subsys(&nf_tables_ipv6_net_ops);
+        ret = register_pernet_subsys(&nf_tables_ipv6_net_ops);
+        if (ret < 0)
+                nft_unregister_chain_type(&filter_ipv6);
+
+        return ret;
 }
 
 static void __exit nf_tables_ipv6_exit(void)
diff --git a/net/ipv6/netfilter/nft_chain_nat_ipv6.c b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
index e86dcd70dc76..9c3297a768fd 100644
--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
@@ -79,7 +79,7 @@ static unsigned int nf_nat_ipv6_fn(const struct nf_hook_ops *ops,
 
                 nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out);
 
-                ret = nft_do_chain_pktinfo(&pkt, ops);
+                ret = nft_do_chain(&pkt, ops);
                 if (ret != NF_ACCEPT)
                         return ret;
                 if (!nf_nat_initialized(ct, maniptype)) {
@@ -170,21 +170,21 @@ static unsigned int nf_nat_ipv6_output(const struct nf_hook_ops *ops,
         return ret;
 }
 
-static struct nf_chain_type nft_chain_nat_ipv6 = {
-        .family         = NFPROTO_IPV6,
+static const struct nf_chain_type nft_chain_nat_ipv6 = {
         .name           = "nat",
         .type           = NFT_CHAIN_T_NAT,
+        .family         = NFPROTO_IPV6,
+        .owner          = THIS_MODULE,
         .hook_mask      = (1 << NF_INET_PRE_ROUTING) |
                           (1 << NF_INET_POST_ROUTING) |
                           (1 << NF_INET_LOCAL_OUT) |
                           (1 << NF_INET_LOCAL_IN),
-        .fn             = {
+        .hooks          = {
                 [NF_INET_PRE_ROUTING]   = nf_nat_ipv6_prerouting,
                 [NF_INET_POST_ROUTING]  = nf_nat_ipv6_postrouting,
                 [NF_INET_LOCAL_OUT]     = nf_nat_ipv6_output,
                 [NF_INET_LOCAL_IN]      = nf_nat_ipv6_fn,
         },
-        .me             = THIS_MODULE,
 };
 
 static int __init nft_chain_nat_ipv6_init(void)
diff --git a/net/ipv6/netfilter/nft_chain_route_ipv6.c b/net/ipv6/netfilter/nft_chain_route_ipv6.c
index 3fe40f0456ad..42031299585e 100644
--- a/net/ipv6/netfilter/nft_chain_route_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c
@@ -47,7 +47,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
         /* flowlabel and prio (includes version, which shouldn't change either */
         flowlabel = *((u32 *)ipv6_hdr(skb));
 
-        ret = nft_do_chain_pktinfo(&pkt, ops);
+        ret = nft_do_chain(&pkt, ops);
         if (ret != NF_DROP && ret != NF_QUEUE &&
             (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
              memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
@@ -59,15 +59,15 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops,
         return ret;
 }
 
-static struct nf_chain_type nft_chain_route_ipv6 = {
-        .family         = NFPROTO_IPV6,
+static const struct nf_chain_type nft_chain_route_ipv6 = {
         .name           = "route",
         .type           = NFT_CHAIN_T_ROUTE,
+        .family         = NFPROTO_IPV6,
+        .owner          = THIS_MODULE,
         .hook_mask      = (1 << NF_INET_LOCAL_OUT),
-        .fn             = {
+        .hooks          = {
                 [NF_INET_LOCAL_OUT]     = nf_route_table_hook,
         },
-        .me             = THIS_MODULE,
 };
 
 static int __init nft_chain_route_init(void)