Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

Conflicts: drivers/net/vxlan.c drivers/vhost/net.c include/linux/if_vlan.h net/core/dev.c The net/core/dev.c conflict was the overlap of one commit marking an existing function static whilst another was adding a new function. In the include/linux/if_vlan.h case, the type used for a local variable was changed in 'net', whereas the function got rewritten to fix a stacked vlan bug in 'net-next'. In drivers/vhost/net.c, Al Viro's iov_iter conversions in 'net-next' overlapped with an endainness fix for VHOST 1.0 in 'net'. In drivers/net/vxlan.c, vxlan_find_vni() added a 'flags' parameter in 'net-next' whereas in 'net' there was a bug fix to pass in the correct network namespace pointer in calls to this function. Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2015-02-05 17:33:28 -0500
committer: David S. Miller <davem@davemloft.net> 2015-02-05 17:33:28 -0500
commit: 6e03f896b52cd2ca88942170c5c9c407ec0ede69 (patch)
tree: 48ca9a6efa5f99819667538838bab3679416f92c /net/netfilter
parent: db79a621835ee91d3e10177abd97f48e0a4dcf9b (diff)
parent: 9d82f5eb3376cbae96ad36a063a9390de1694546 (diff)
5 files changed, 112 insertions, 40 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 990decba1fe4..b87ca32efa0b 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -659,16 +659,24 @@ static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user)
        return err;
 }
-static int ip_vs_route_me_harder(int af, struct sk_buff *skb)
+static int ip_vs_route_me_harder(int af, struct sk_buff *skb,
+                                 unsigned int hooknum)
 {
+        if (!sysctl_snat_reroute(skb))
+                return 0;
+        /* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */
+        if (NF_INET_LOCAL_IN == hooknum)
+                return 0;
 #ifdef CONFIG_IP_VS_IPV6
        if (af == AF_INET6) {
-                if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0)
+                struct dst_entry *dst = skb_dst(skb);
+                if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) &&
+                    ip6_route_me_harder(skb) != 0)
                        return 1;
        } else
 #endif
-                if ((sysctl_snat_reroute(skb) ||
+                if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
-                     skb_rtable(skb)->rt_flags & RTCF_LOCAL) &&
                    ip_route_me_harder(skb, RTN_LOCAL) != 0)
                        return 1;
@@ -791,7 +799,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
                                union nf_inet_addr *snet,
                                __u8 protocol, struct ip_vs_conn *cp,
                                struct ip_vs_protocol *pp,
-                                unsigned int offset, unsigned int ihl)
+                                unsigned int offset, unsigned int ihl,
+                                unsigned int hooknum)
 {
        unsigned int verdict = NF_DROP;
@@ -821,7 +830,7 @@ static int handle_response_icmp(int af, struct sk_buff *skb,
 #endif
                ip_vs_nat_icmp(skb, pp, cp, 1);
-        if (ip_vs_route_me_harder(af, skb))
+        if (ip_vs_route_me_harder(af, skb, hooknum))
                goto out;
        /* do the statistics and put it back */
@@ -916,7 +925,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related,
        snet.ip = iph->saddr;
        return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp,
-                                    pp, ciph.len, ihl);
+                                    pp, ciph.len, ihl, hooknum);
 }
 #ifdef CONFIG_IP_VS_IPV6
@@ -981,7 +990,8 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related,
        snet.in6 = ciph.saddr.in6;
        writable = ciph.len;
        return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp,
-                                    pp, writable, sizeof(struct ipv6hdr));
+                                    pp, writable, sizeof(struct ipv6hdr),
+                                    hooknum);
 }
 #endif
@@ -1040,7 +1050,8 @@ static inline bool is_new_conn(const struct sk_buff *skb,
 */
 static unsigned int
 handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
-                struct ip_vs_conn *cp, struct ip_vs_iphdr *iph)
+                struct ip_vs_conn *cp, struct ip_vs_iphdr *iph,
+                unsigned int hooknum)
 {
        struct ip_vs_protocol *pp = pd->pp;
@@ -1078,7 +1089,7 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd,
         * if it came from this machine itself.  So re-compute
         * the routing information.
         */
-        if (ip_vs_route_me_harder(af, skb))
+        if (ip_vs_route_me_harder(af, skb, hooknum))
                goto drop;
        IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT");
@@ -1181,7 +1192,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
        cp = pp->conn_out_get(af, skb, &iph, 0);
        if (likely(cp))
-                return handle_response(af, skb, pd, cp, &iph);
+                return handle_response(af, skb, pd, cp, &iph, hooknum);
        if (sysctl_nat_icmp_send(net) &&
            (pp->protocol == IPPROTO_TCP ||
             pp->protocol == IPPROTO_UDP ||
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 70f697827b9b..199fd0f27b0e 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1136,9 +1136,11 @@ static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr)
        /* Restore old counters on this cpu, no problem. Per-cpu statistics
         * are not exposed to userspace.
         */
+        preempt_disable();
        stats = this_cpu_ptr(newstats);
        stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES]));
        stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS]));
+        preempt_enable();
        return newstats;
 }
@@ -1264,8 +1266,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
                nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla);
                trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN,
                                        sizeof(struct nft_trans_chain));
-                if (trans == NULL)
+                if (trans == NULL) {
+                        free_percpu(stats);
                        return -ENOMEM;
+                }
                nft_trans_chain_stats(trans) = stats;
                nft_trans_chain_update(trans) = true;
@@ -1321,8 +1325,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
                hookfn = type->hooks[hooknum];
                basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
-                if (basechain == NULL)
+                if (basechain == NULL) {
+                        module_put(type->owner);
                        return -ENOMEM;
+                }
                if (nla[NFTA_CHAIN_COUNTERS]) {
                        stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
@@ -3759,6 +3765,24 @@ int nft_chain_validate_dependency(const struct nft_chain *chain,
 }
 EXPORT_SYMBOL_GPL(nft_chain_validate_dependency);
+int nft_chain_validate_hooks(const struct nft_chain *chain,
+                             unsigned int hook_flags)
+{
+        struct nft_base_chain *basechain;
+        if (chain->flags & NFT_BASE_CHAIN) {
+                basechain = nft_base_chain(chain);
+                if ((1 << basechain->ops[0].hooknum) & hook_flags)
+                        return 0;
+                return -EOPNOTSUPP;
+        }
+        return 0;
+}
+EXPORT_SYMBOL_GPL(nft_chain_validate_hooks);
 /*
 * Loop detection - walk through the ruleset beginning at the destination chain
 * of a new jump until either the source chain is reached (loop) or all
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c
index d1ffd5eb3a9b..9aea747b43ea 100644
--- a/net/netfilter/nft_masq.c
+++ b/net/netfilter/nft_masq.c
@@ -21,6 +21,21 @@ const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = {
 };
 EXPORT_SYMBOL_GPL(nft_masq_policy);
+int nft_masq_validate(const struct nft_ctx *ctx,
+                      const struct nft_expr *expr,
+                      const struct nft_data **data)
+{
+        int err;
+        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        if (err < 0)
+                return err;
+        return nft_chain_validate_hooks(ctx->chain,
+                                        (1 << NF_INET_POST_ROUTING));
+}
+EXPORT_SYMBOL_GPL(nft_masq_validate);
 int nft_masq_init(const struct nft_ctx *ctx,
                  const struct nft_expr *expr,
                  const struct nlattr * const tb[])
@@ -28,8 +43,8 @@ int nft_masq_init(const struct nft_ctx *ctx,
        struct nft_masq *priv = nft_expr_priv(expr);
        int err;
-        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        err = nft_masq_validate(ctx, expr, NULL);
-        if (err < 0)
+        if (err)
                return err;
        if (tb[NFTA_MASQ_FLAGS] == NULL)
@@ -60,12 +75,5 @@ nla_put_failure:
 }
 EXPORT_SYMBOL_GPL(nft_masq_dump);
-int nft_masq_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
-                      const struct nft_data **data)
-{
-        return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
-}
-EXPORT_SYMBOL_GPL(nft_masq_validate);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index aff54fb1c8a0..a0837c6c9283 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -88,17 +88,40 @@ static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = {
        [NFTA_NAT_FLAGS]         = { .type = NLA_U32 },
 };
-static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+static int nft_nat_validate(const struct nft_ctx *ctx,
-                        const struct nlattr * const tb[])
+                            const struct nft_expr *expr,
+                            const struct nft_data **data)
 {
        struct nft_nat *priv = nft_expr_priv(expr);
-        u32 family;
        int err;
        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
        if (err < 0)
                return err;
+        switch (priv->type) {
+        case NFT_NAT_SNAT:
+                err = nft_chain_validate_hooks(ctx->chain,
+                                               (1 << NF_INET_POST_ROUTING) |
+                                               (1 << NF_INET_LOCAL_IN));
+                break;
+        case NFT_NAT_DNAT:
+                err = nft_chain_validate_hooks(ctx->chain,
+                                               (1 << NF_INET_PRE_ROUTING) |
+                                               (1 << NF_INET_LOCAL_OUT));
+                break;
+        }
+        return err;
+}
+static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
+                        const struct nlattr * const tb[])
+{
+        struct nft_nat *priv = nft_expr_priv(expr);
+        u32 family;
+        int err;
        if (tb[NFTA_NAT_TYPE] == NULL ||
            (tb[NFTA_NAT_REG_ADDR_MIN] == NULL &&
             tb[NFTA_NAT_REG_PROTO_MIN] == NULL))
@@ -115,6 +138,10 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
                return -EINVAL;
        }
+        err = nft_nat_validate(ctx, expr, NULL);
+        if (err < 0)
+                return err;
        if (tb[NFTA_NAT_FAMILY] == NULL)
                return -EINVAL;
@@ -219,13 +246,6 @@ nla_put_failure:
        return -1;
 }
-static int nft_nat_validate(const struct nft_ctx *ctx,
-                            const struct nft_expr *expr,
-                            const struct nft_data **data)
-{
-        return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
-}
 static struct nft_expr_type nft_nat_type;
 static const struct nft_expr_ops nft_nat_ops = {
        .type           = &nft_nat_type,
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c
index 9e8093f28311..d7e9e93a4e90 100644
--- a/net/netfilter/nft_redir.c
+++ b/net/netfilter/nft_redir.c
@@ -23,6 +23,22 @@ const struct nla_policy nft_redir_policy[NFTA_REDIR_MAX + 1] = {
 };
 EXPORT_SYMBOL_GPL(nft_redir_policy);
+int nft_redir_validate(const struct nft_ctx *ctx,
+                       const struct nft_expr *expr,
+                       const struct nft_data **data)
+{
+        int err;
+        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        if (err < 0)
+                return err;
+        return nft_chain_validate_hooks(ctx->chain,
+                                        (1 << NF_INET_PRE_ROUTING) |
+                                        (1 << NF_INET_LOCAL_OUT));
+}
+EXPORT_SYMBOL_GPL(nft_redir_validate);
 int nft_redir_init(const struct nft_ctx *ctx,
                   const struct nft_expr *expr,
                   const struct nlattr * const tb[])
@@ -30,7 +46,7 @@ int nft_redir_init(const struct nft_ctx *ctx,
        struct nft_redir *priv = nft_expr_priv(expr);
        int err;
-        err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
+        err = nft_redir_validate(ctx, expr, NULL);
        if (err < 0)
                return err;
@@ -88,12 +104,5 @@ nla_put_failure:
 }
 EXPORT_SYMBOL_GPL(nft_redir_dump);
-int nft_redir_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
-                       const struct nft_data **data)
-{
-        return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT);
-}
-EXPORT_SYMBOL_GPL(nft_redir_validate);
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>");
author	David S. Miller <davem@davemloft.net>	2015-02-05 17:33:28 -0500
committer	David S. Miller <davem@davemloft.net>	2015-02-05 17:33:28 -0500
commit	6e03f896b52cd2ca88942170c5c9c407ec0ede69 (patch)
tree	48ca9a6efa5f99819667538838bab3679416f92c /net/netfilter
parent	db79a621835ee91d3e10177abd97f48e0a4dcf9b (diff)
parent	9d82f5eb3376cbae96ad36a063a9390de1694546 (diff)