diff options
| author | David S. Miller <davem@davemloft.net> | 2014-09-29 14:46:53 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-09-29 14:46:53 -0400 |
| commit | 852248449c73b5ffe109a33d65485c71d3d398a7 (patch) | |
| tree | a77a5b4a8145eb14d30264d734ed2f1f7ba6d3b3 /net/ipv6 | |
| parent | 735d383117e113403442d971b23e7cfa2f876c7c (diff) | |
| parent | db29a9508a9246e77087c5531e45b2c88ec6988b (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
pull request: netfilter/ipvs updates for net-next
The following patchset contains Netfilter/IPVS updates for net-next,
most relevantly they are:
1) Four patches to make the new nf_tables masquerading support
independent of the x_tables infrastructure. This also resolves a
compilation breakage if the masquerade target is disabled but the
nf_tables masq expression is enabled.
2) ipset updates via Jozsef Kadlecsik. This includes the addition of the
skbinfo extension that allows you to store packet metainformation in the
elements. This can be used to fetch and restore this to the packets through
the iptables SET target, patches from Anton Danilov.
3) Add the hash:mac set type to ipset, from Jozsef Kadlecsick.
4) Add simple weighted fail-over scheduler via Simon Horman. This provides
a fail-over IPVS scheduler (unlike existing load balancing schedulers).
Connections are directed to the appropriate server based solely on
highest weight value and server availability, patch from Kenny Mathis.
5) Support IPv6 real servers in IPv4 virtual-services and vice versa.
Simon Horman informs that the motivation for this is to allow more
flexibility in the choice of IP version offered by both virtual-servers
and real-servers as they no longer need to match: An IPv4 connection
from an end-user may be forwarded to a real-server using IPv6 and
vice versa. No ip_vs_sync support yet though. Patches from Alex Gartrell
and Julian Anastasov.
6) Add global generation ID to the nf_tables ruleset. When dumping from
several different object lists, we need a way to identify that an update
has ocurred so userspace knows that it needs to refresh its lists. This
also includes a new command to obtain the 32-bits generation ID. The
less significant 16-bits of this ID is also exposed through res_id field
in the nfnetlink header to quickly detect the interference and retry when
there is no risk of ID wraparound.
7) Move br_netfilter out of the bridge core. The br_netfilter code is
built in the bridge core by default. This causes problems of different
kind to people that don't want this: Jesper reported performance drop due
to the inconditional hook registration and I remember to have read complains
on netdev from people regarding the unexpected behaviour of our bridging
stack when br_netfilter is enabled (fragmentation handling, layer 3 and
upper inspection). People that still need this should easily undo the
damage by modprobing the new br_netfilter module.
8) Dump the set policy nf_tables that allows set parameterization. So
userspace can keep user-defined preferences when saving the ruleset.
From Arturo Borrero.
9) Use __seq_open_private() helper function to reduce boiler plate code
in x_tables, From Rob Jones.
10) Safer default behaviour in case that you forget to load the protocol
tracker. Daniel Borkmann and Florian Westphal detected that if your
ruleset is stateful, you allow traffic to at least one single SCTP port
and the SCTP protocol tracker is not loaded, then any SCTP traffic may
be pass through unfiltered. After this patch, the connection tracking
classifies SCTP/DCCP/UDPlite/GRE packets as invalid if your kernel has
been compiled with support for these modules.
====================
Trivially resolved conflict in include/linux/skbuff.h, Eric moved some
netfilter skbuff members around, and the netfilter tree adjusted the
ifdef guards for the bridging info pointer.
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/Kconfig | 50 |
1 files changed, 28 insertions, 22 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index a8f25306a46a..bb1a40db7be1 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig | |||
| @@ -40,16 +40,6 @@ config NFT_CHAIN_ROUTE_IPV6 | |||
| 40 | fields such as the source, destination, flowlabel, hop-limit and | 40 | fields such as the source, destination, flowlabel, hop-limit and |
| 41 | the packet mark. | 41 | the packet mark. |
| 42 | 42 | ||
| 43 | config NFT_CHAIN_NAT_IPV6 | ||
| 44 | depends on NF_TABLES_IPV6 | ||
| 45 | depends on NF_NAT_IPV6 && NFT_NAT | ||
| 46 | tristate "IPv6 nf_tables nat chain support" | ||
| 47 | help | ||
| 48 | This option enables the "nat" chain for IPv6 in nf_tables. This | ||
| 49 | chain type is used to perform Network Address Translation (NAT) | ||
| 50 | packet transformations such as the source, destination address and | ||
| 51 | source and destination ports. | ||
| 52 | |||
| 53 | config NFT_REJECT_IPV6 | 43 | config NFT_REJECT_IPV6 |
| 54 | depends on NF_TABLES_IPV6 | 44 | depends on NF_TABLES_IPV6 |
| 55 | default NFT_REJECT | 45 | default NFT_REJECT |
| @@ -70,6 +60,34 @@ config NF_NAT_IPV6 | |||
| 70 | forms of full Network Address Port Translation. This can be | 60 | forms of full Network Address Port Translation. This can be |
| 71 | controlled by iptables or nft. | 61 | controlled by iptables or nft. |
| 72 | 62 | ||
| 63 | if NF_NAT_IPV6 | ||
| 64 | |||
| 65 | config NFT_CHAIN_NAT_IPV6 | ||
| 66 | depends on NF_TABLES_IPV6 | ||
| 67 | tristate "IPv6 nf_tables nat chain support" | ||
| 68 | help | ||
| 69 | This option enables the "nat" chain for IPv6 in nf_tables. This | ||
| 70 | chain type is used to perform Network Address Translation (NAT) | ||
| 71 | packet transformations such as the source, destination address and | ||
| 72 | source and destination ports. | ||
| 73 | |||
| 74 | config NF_NAT_MASQUERADE_IPV6 | ||
| 75 | tristate "IPv6 masquerade support" | ||
| 76 | help | ||
| 77 | This is the kernel functionality to provide NAT in the masquerade | ||
| 78 | flavour (automatic source address selection) for IPv6. | ||
| 79 | |||
| 80 | config NFT_MASQ_IPV6 | ||
| 81 | tristate "IPv6 masquerade support for nf_tables" | ||
| 82 | depends on NF_TABLES_IPV6 | ||
| 83 | depends on NFT_MASQ | ||
| 84 | select NF_NAT_MASQUERADE_IPV6 | ||
| 85 | help | ||
| 86 | This is the expression that provides IPv4 masquerading support for | ||
| 87 | nf_tables. | ||
| 88 | |||
| 89 | endif # NF_NAT_IPV6 | ||
| 90 | |||
| 73 | config IP6_NF_IPTABLES | 91 | config IP6_NF_IPTABLES |
| 74 | tristate "IP6 tables support (required for filtering)" | 92 | tristate "IP6 tables support (required for filtering)" |
| 75 | depends on INET && IPV6 | 93 | depends on INET && IPV6 |
| @@ -258,18 +276,6 @@ config IP6_NF_NAT | |||
| 258 | 276 | ||
| 259 | if IP6_NF_NAT | 277 | if IP6_NF_NAT |
| 260 | 278 | ||
| 261 | config NF_NAT_MASQUERADE_IPV6 | ||
| 262 | tristate "IPv6 masquerade support" | ||
| 263 | help | ||
| 264 | This is the kernel functionality to provide NAT in the masquerade | ||
| 265 | flavour (automatic source address selection) for IPv6. | ||
| 266 | |||
| 267 | config NFT_MASQ_IPV6 | ||
| 268 | tristate "IPv6 masquerade support for nf_tables" | ||
| 269 | depends on NF_TABLES_IPV6 | ||
| 270 | depends on NFT_MASQ | ||
| 271 | select NF_NAT_MASQUERADE_IPV6 | ||
| 272 | |||
| 273 | config IP6_NF_TARGET_MASQUERADE | 279 | config IP6_NF_TARGET_MASQUERADE |
| 274 | tristate "MASQUERADE target support" | 280 | tristate "MASQUERADE target support" |
| 275 | select NF_NAT_MASQUERADE_IPV6 | 281 | select NF_NAT_MASQUERADE_IPV6 |