diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-02-05 14:23:45 -0500 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-02-05 14:23:45 -0500 |
| commit | 9d82f5eb3376cbae96ad36a063a9390de1694546 (patch) | |
| tree | d52daee3296d28455aff25c98b23fffab5282cd8 /net/netfilter | |
| parent | 14365ea2b868c96e18da73a3f454c7bcdb0627c5 (diff) | |
| parent | a409caecb2e17fc475533738dd1c69b32e13fe09 (diff) | |
MMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:
1) Stretch ACKs can kill performance with Reno and CUBIC congestion
control, largely due to LRO and GRO. Fix from Neal Cardwell.
2) Fix userland breakage because we accidently emit zero length netlink
messages from the bridging code. From Roopa Prabhu.
3) Carry handling in generic csum_tcpudp_nofold is broken, fix from
Karl Beldan.
4) Remove bogus dev_set_net() calls from CAIF driver, from Nicolas
Dichtel.
5) Make sure PPP deflation never returns a length greater then the
output buffer, otherwise we overflow and trigger skb_over_panic().
Fix from Florian Westphal.
6) COSA driver needs VIRT_TO_BUS Kconfig dependencies, from Arnd
Bergmann.
7) Don't increase route cached MTU on datagram too big ICMPs. From Li
Wei.
8) Fix error path leaks in nf_tables, from Pablo Neira Ayuso.
9) Fix bitmask handling regression in netlink that broke things like
acpi userland tools. From Pablo Neira Ayuso.
10) Wrong header pointer passed to param_type2af() in SCTP code, from
Saran Maruti Ramanara.
11) Stacked vlans not handled correctly by vlan_get_protocol(), from
Toshiaki Makita.
12) Add missing DMA memory barrier to xgene driver, from Iyappan
Subramanian.
13) Fix crash in rate estimators, from Eric Dumazet.
14) We've been adding various workarounds, one after another, for the
change which added the per-net tcp_sock. It was meant to reduce
socket contention but added lots of problems.
Reduce this instead to a proper per-cpu socket and that rids us of
all the daemons.
From Eric Dumazet.
15) Fix memory corruption and OOPS in mlx4 driver, from Jack
Morgenstein.
16) When we disabled UFO in the virtio_net device, it introduces some
serious performance regressions. The orignal problem was IPV6
fragment ID generation, so fix that properly instead. From Vlad
Yasevich.
17) sr9700 driver build breaks on xtensa because it defines macros with
the same name as those used by the arch code. Use more unique
names. From Chen Gang.
18) Fix endianness in new virio 1.0 mode of the vhost net driver, from
Michael S Tsirkin.
19) Several sysctls were setting the maxlen attribute incorrectly, from
Sasha Levin.
20) Don't accept an FQ scheduler quantum of zero, that leads to crashes.
From Kenneth Klette Jonassen.
21) Fix dumping of non-existing actions in the packet scheduler
classifier. From Ignacy Gawędzki.
22) Return the write work_done value when doing TX work in the qlcnic
driver.
23) ip6gre_err accesses the info field with the wrong endianness, from
Sabrina Dubroca.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
sit: fix some __be16/u16 mismatches
ipv6: fix sparse errors in ip6_make_flowlabel()
net: remove some sparse warnings
flow_keys: n_proto type should be __be16
ip6_gre: fix endianness errors in ip6gre_err
qlcnic: Fix NAPI poll routine for Tx completion
amd-xgbe: Set RSS enablement based on hardware features
amd-xgbe: Adjust for zero-based traffic class count
cls_api.c: Fix dumping of non-existing actions' stats.
pkt_sched: fq: avoid hang when quantum 0
net: rds: use correct size for max unacked packets and bytes
vhost/net: fix up num_buffers endian-ness
gianfar: correct the bad expression while writing bit-pattern
net: usb: sr9700: Use 'SR_' prefix for the common register macros
Revert "drivers/net: Disable UFO through virtio"
Revert "drivers/net, ipv6: Select IPv6 fragment idents for virtio UFO packets"
ipv6: Select fragment id during UFO segmentation if not set.
xen-netback: stop the guest rx thread after a fatal error
net/mlx4_core: Fix kernel Oops (mem corruption) when working with more than 80 VFs
isdn: off by one in connect_res()
...
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/ipvs/ip_vs_core.c | 33 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 28 | ||||
| -rw-r--r-- | net/netfilter/nft_masq.c | 26 | ||||
| -rw-r--r-- | net/netfilter/nft_nat.c | 40 | ||||
| -rw-r--r-- | net/netfilter/nft_redir.c | 25 |
5 files changed, 112 insertions, 40 deletions
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c index 990decba1fe4..b87ca32efa0b 100644 --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c | |||
| @@ -659,16 +659,24 @@ static inline int ip_vs_gather_frags(struct sk_buff *skb, u_int32_t user) | |||
| 659 | return err; | 659 | return err; |
| 660 | } | 660 | } |
| 661 | 661 | ||
| 662 | static int ip_vs_route_me_harder(int af, struct sk_buff *skb) | 662 | static int ip_vs_route_me_harder(int af, struct sk_buff *skb, |
| 663 | unsigned int hooknum) | ||
| 663 | { | 664 | { |
| 665 | if (!sysctl_snat_reroute(skb)) | ||
| 666 | return 0; | ||
| 667 | /* Reroute replies only to remote clients (FORWARD and LOCAL_OUT) */ | ||
| 668 | if (NF_INET_LOCAL_IN == hooknum) | ||
| 669 | return 0; | ||
| 664 | #ifdef CONFIG_IP_VS_IPV6 | 670 | #ifdef CONFIG_IP_VS_IPV6 |
| 665 | if (af == AF_INET6) { | 671 | if (af == AF_INET6) { |
| 666 | if (sysctl_snat_reroute(skb) && ip6_route_me_harder(skb) != 0) | 672 | struct dst_entry *dst = skb_dst(skb); |
| 673 | |||
| 674 | if (dst->dev && !(dst->dev->flags & IFF_LOOPBACK) && | ||
| 675 | ip6_route_me_harder(skb) != 0) | ||
| 667 | return 1; | 676 | return 1; |
| 668 | } else | 677 | } else |
| 669 | #endif | 678 | #endif |
| 670 | if ((sysctl_snat_reroute(skb) || | 679 | if (!(skb_rtable(skb)->rt_flags & RTCF_LOCAL) && |
| 671 | skb_rtable(skb)->rt_flags & RTCF_LOCAL) && | ||
| 672 | ip_route_me_harder(skb, RTN_LOCAL) != 0) | 680 | ip_route_me_harder(skb, RTN_LOCAL) != 0) |
| 673 | return 1; | 681 | return 1; |
| 674 | 682 | ||
| @@ -791,7 +799,8 @@ static int handle_response_icmp(int af, struct sk_buff *skb, | |||
| 791 | union nf_inet_addr *snet, | 799 | union nf_inet_addr *snet, |
| 792 | __u8 protocol, struct ip_vs_conn *cp, | 800 | __u8 protocol, struct ip_vs_conn *cp, |
| 793 | struct ip_vs_protocol *pp, | 801 | struct ip_vs_protocol *pp, |
| 794 | unsigned int offset, unsigned int ihl) | 802 | unsigned int offset, unsigned int ihl, |
| 803 | unsigned int hooknum) | ||
| 795 | { | 804 | { |
| 796 | unsigned int verdict = NF_DROP; | 805 | unsigned int verdict = NF_DROP; |
| 797 | 806 | ||
| @@ -821,7 +830,7 @@ static int handle_response_icmp(int af, struct sk_buff *skb, | |||
| 821 | #endif | 830 | #endif |
| 822 | ip_vs_nat_icmp(skb, pp, cp, 1); | 831 | ip_vs_nat_icmp(skb, pp, cp, 1); |
| 823 | 832 | ||
| 824 | if (ip_vs_route_me_harder(af, skb)) | 833 | if (ip_vs_route_me_harder(af, skb, hooknum)) |
| 825 | goto out; | 834 | goto out; |
| 826 | 835 | ||
| 827 | /* do the statistics and put it back */ | 836 | /* do the statistics and put it back */ |
| @@ -916,7 +925,7 @@ static int ip_vs_out_icmp(struct sk_buff *skb, int *related, | |||
| 916 | 925 | ||
| 917 | snet.ip = iph->saddr; | 926 | snet.ip = iph->saddr; |
| 918 | return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, | 927 | return handle_response_icmp(AF_INET, skb, &snet, cih->protocol, cp, |
| 919 | pp, ciph.len, ihl); | 928 | pp, ciph.len, ihl, hooknum); |
| 920 | } | 929 | } |
| 921 | 930 | ||
| 922 | #ifdef CONFIG_IP_VS_IPV6 | 931 | #ifdef CONFIG_IP_VS_IPV6 |
| @@ -981,7 +990,8 @@ static int ip_vs_out_icmp_v6(struct sk_buff *skb, int *related, | |||
| 981 | snet.in6 = ciph.saddr.in6; | 990 | snet.in6 = ciph.saddr.in6; |
| 982 | writable = ciph.len; | 991 | writable = ciph.len; |
| 983 | return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp, | 992 | return handle_response_icmp(AF_INET6, skb, &snet, ciph.protocol, cp, |
| 984 | pp, writable, sizeof(struct ipv6hdr)); | 993 | pp, writable, sizeof(struct ipv6hdr), |
| 994 | hooknum); | ||
| 985 | } | 995 | } |
| 986 | #endif | 996 | #endif |
| 987 | 997 | ||
| @@ -1040,7 +1050,8 @@ static inline bool is_new_conn(const struct sk_buff *skb, | |||
| 1040 | */ | 1050 | */ |
| 1041 | static unsigned int | 1051 | static unsigned int |
| 1042 | handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, | 1052 | handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, |
| 1043 | struct ip_vs_conn *cp, struct ip_vs_iphdr *iph) | 1053 | struct ip_vs_conn *cp, struct ip_vs_iphdr *iph, |
| 1054 | unsigned int hooknum) | ||
| 1044 | { | 1055 | { |
| 1045 | struct ip_vs_protocol *pp = pd->pp; | 1056 | struct ip_vs_protocol *pp = pd->pp; |
| 1046 | 1057 | ||
| @@ -1078,7 +1089,7 @@ handle_response(int af, struct sk_buff *skb, struct ip_vs_proto_data *pd, | |||
| 1078 | * if it came from this machine itself. So re-compute | 1089 | * if it came from this machine itself. So re-compute |
| 1079 | * the routing information. | 1090 | * the routing information. |
| 1080 | */ | 1091 | */ |
| 1081 | if (ip_vs_route_me_harder(af, skb)) | 1092 | if (ip_vs_route_me_harder(af, skb, hooknum)) |
| 1082 | goto drop; | 1093 | goto drop; |
| 1083 | 1094 | ||
| 1084 | IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); | 1095 | IP_VS_DBG_PKT(10, af, pp, skb, 0, "After SNAT"); |
| @@ -1181,7 +1192,7 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) | |||
| 1181 | cp = pp->conn_out_get(af, skb, &iph, 0); | 1192 | cp = pp->conn_out_get(af, skb, &iph, 0); |
| 1182 | 1193 | ||
| 1183 | if (likely(cp)) | 1194 | if (likely(cp)) |
| 1184 | return handle_response(af, skb, pd, cp, &iph); | 1195 | return handle_response(af, skb, pd, cp, &iph, hooknum); |
| 1185 | if (sysctl_nat_icmp_send(net) && | 1196 | if (sysctl_nat_icmp_send(net) && |
| 1186 | (pp->protocol == IPPROTO_TCP || | 1197 | (pp->protocol == IPPROTO_TCP || |
| 1187 | pp->protocol == IPPROTO_UDP || | 1198 | pp->protocol == IPPROTO_UDP || |
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3b3ddb4fb9ee..1ff04bcd4871 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c | |||
| @@ -1134,9 +1134,11 @@ static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) | |||
| 1134 | /* Restore old counters on this cpu, no problem. Per-cpu statistics | 1134 | /* Restore old counters on this cpu, no problem. Per-cpu statistics |
| 1135 | * are not exposed to userspace. | 1135 | * are not exposed to userspace. |
| 1136 | */ | 1136 | */ |
| 1137 | preempt_disable(); | ||
| 1137 | stats = this_cpu_ptr(newstats); | 1138 | stats = this_cpu_ptr(newstats); |
| 1138 | stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); | 1139 | stats->bytes = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_BYTES])); |
| 1139 | stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); | 1140 | stats->pkts = be64_to_cpu(nla_get_be64(tb[NFTA_COUNTER_PACKETS])); |
| 1141 | preempt_enable(); | ||
| 1140 | 1142 | ||
| 1141 | return newstats; | 1143 | return newstats; |
| 1142 | } | 1144 | } |
| @@ -1262,8 +1264,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb, | |||
| 1262 | nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla); | 1264 | nft_ctx_init(&ctx, skb, nlh, afi, table, chain, nla); |
| 1263 | trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN, | 1265 | trans = nft_trans_alloc(&ctx, NFT_MSG_NEWCHAIN, |
| 1264 | sizeof(struct nft_trans_chain)); | 1266 | sizeof(struct nft_trans_chain)); |
| 1265 | if (trans == NULL) | 1267 | if (trans == NULL) { |
| 1268 | free_percpu(stats); | ||
| 1266 | return -ENOMEM; | 1269 | return -ENOMEM; |
| 1270 | } | ||
| 1267 | 1271 | ||
| 1268 | nft_trans_chain_stats(trans) = stats; | 1272 | nft_trans_chain_stats(trans) = stats; |
| 1269 | nft_trans_chain_update(trans) = true; | 1273 | nft_trans_chain_update(trans) = true; |
| @@ -1319,8 +1323,10 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb, | |||
| 1319 | hookfn = type->hooks[hooknum]; | 1323 | hookfn = type->hooks[hooknum]; |
| 1320 | 1324 | ||
| 1321 | basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); | 1325 | basechain = kzalloc(sizeof(*basechain), GFP_KERNEL); |
| 1322 | if (basechain == NULL) | 1326 | if (basechain == NULL) { |
| 1327 | module_put(type->owner); | ||
| 1323 | return -ENOMEM; | 1328 | return -ENOMEM; |
| 1329 | } | ||
| 1324 | 1330 | ||
| 1325 | if (nla[NFTA_CHAIN_COUNTERS]) { | 1331 | if (nla[NFTA_CHAIN_COUNTERS]) { |
| 1326 | stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); | 1332 | stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]); |
| @@ -3753,6 +3759,24 @@ int nft_chain_validate_dependency(const struct nft_chain *chain, | |||
| 3753 | } | 3759 | } |
| 3754 | EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); | 3760 | EXPORT_SYMBOL_GPL(nft_chain_validate_dependency); |
| 3755 | 3761 | ||
| 3762 | int nft_chain_validate_hooks(const struct nft_chain *chain, | ||
| 3763 | unsigned int hook_flags) | ||
| 3764 | { | ||
| 3765 | struct nft_base_chain *basechain; | ||
| 3766 | |||
| 3767 | if (chain->flags & NFT_BASE_CHAIN) { | ||
| 3768 | basechain = nft_base_chain(chain); | ||
| 3769 | |||
| 3770 | if ((1 << basechain->ops[0].hooknum) & hook_flags) | ||
| 3771 | return 0; | ||
| 3772 | |||
| 3773 | return -EOPNOTSUPP; | ||
| 3774 | } | ||
| 3775 | |||
| 3776 | return 0; | ||
| 3777 | } | ||
| 3778 | EXPORT_SYMBOL_GPL(nft_chain_validate_hooks); | ||
| 3779 | |||
| 3756 | /* | 3780 | /* |
| 3757 | * Loop detection - walk through the ruleset beginning at the destination chain | 3781 | * Loop detection - walk through the ruleset beginning at the destination chain |
| 3758 | * of a new jump until either the source chain is reached (loop) or all | 3782 | * of a new jump until either the source chain is reached (loop) or all |
diff --git a/net/netfilter/nft_masq.c b/net/netfilter/nft_masq.c index d1ffd5eb3a9b..9aea747b43ea 100644 --- a/net/netfilter/nft_masq.c +++ b/net/netfilter/nft_masq.c | |||
| @@ -21,6 +21,21 @@ const struct nla_policy nft_masq_policy[NFTA_MASQ_MAX + 1] = { | |||
| 21 | }; | 21 | }; |
| 22 | EXPORT_SYMBOL_GPL(nft_masq_policy); | 22 | EXPORT_SYMBOL_GPL(nft_masq_policy); |
| 23 | 23 | ||
| 24 | int nft_masq_validate(const struct nft_ctx *ctx, | ||
| 25 | const struct nft_expr *expr, | ||
| 26 | const struct nft_data **data) | ||
| 27 | { | ||
| 28 | int err; | ||
| 29 | |||
| 30 | err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); | ||
| 31 | if (err < 0) | ||
| 32 | return err; | ||
| 33 | |||
| 34 | return nft_chain_validate_hooks(ctx->chain, | ||
| 35 | (1 << NF_INET_POST_ROUTING)); | ||
| 36 | } | ||
| 37 | EXPORT_SYMBOL_GPL(nft_masq_validate); | ||
| 38 | |||
| 24 | int nft_masq_init(const struct nft_ctx *ctx, | 39 | int nft_masq_init(const struct nft_ctx *ctx, |
| 25 | const struct nft_expr *expr, | 40 | const struct nft_expr *expr, |
| 26 | const struct nlattr * const tb[]) | 41 | const struct nlattr * const tb[]) |
| @@ -28,8 +43,8 @@ int nft_masq_init(const struct nft_ctx *ctx, | |||
| 28 | struct nft_masq *priv = nft_expr_priv(expr); | 43 | struct nft_masq *priv = nft_expr_priv(expr); |
| 29 | int err; | 44 | int err; |
| 30 | 45 | ||
| 31 | err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); | 46 | err = nft_masq_validate(ctx, expr, NULL); |
| 32 | if (err < 0) | 47 | if (err) |
| 33 | return err; | 48 | return err; |
| 34 | 49 | ||
| 35 | if (tb[NFTA_MASQ_FLAGS] == NULL) | 50 | if (tb[NFTA_MASQ_FLAGS] == NULL) |
| @@ -60,12 +75,5 @@ nla_put_failure: | |||
| 60 | } | 75 | } |
| 61 | EXPORT_SYMBOL_GPL(nft_masq_dump); | 76 | EXPORT_SYMBOL_GPL(nft_masq_dump); |
| 62 | 77 | ||
| 63 | int nft_masq_validate(const struct nft_ctx *ctx, const struct nft_expr *expr, | ||
| 64 | const struct nft_data **data) | ||
| 65 | { | ||
| 66 | return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); | ||
| 67 | } | ||
| 68 | EXPORT_SYMBOL_GPL(nft_masq_validate); | ||
| 69 | |||
| 70 | MODULE_LICENSE("GPL"); | 78 | MODULE_LICENSE("GPL"); |
| 71 | MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>"); | 79 | MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>"); |
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c index aff54fb1c8a0..a0837c6c9283 100644 --- a/net/netfilter/nft_nat.c +++ b/net/netfilter/nft_nat.c | |||
| @@ -88,17 +88,40 @@ static const struct nla_policy nft_nat_policy[NFTA_NAT_MAX + 1] = { | |||
| 88 | [NFTA_NAT_FLAGS] = { .type = NLA_U32 }, | 88 | [NFTA_NAT_FLAGS] = { .type = NLA_U32 }, |
| 89 | }; | 89 | }; |
| 90 | 90 | ||
| 91 | static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, | 91 | static int nft_nat_validate(const struct nft_ctx *ctx, |
| 92 | const struct nlattr * const tb[]) | 92 | const struct nft_expr *expr, |
| 93 | const struct nft_data **data) | ||
| 93 | { | 94 | { |
| 94 | struct nft_nat *priv = nft_expr_priv(expr); | 95 | struct nft_nat *priv = nft_expr_priv(expr); |
| 95 | u32 family; | ||
| 96 | int err; | 96 | int err; |
| 97 | 97 | ||
| 98 | err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); | 98 | err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); |
| 99 | if (err < 0) | 99 | if (err < 0) |
| 100 | return err; | 100 | return err; |
| 101 | 101 | ||
| 102 | switch (priv->type) { | ||
| 103 | case NFT_NAT_SNAT: | ||
| 104 | err = nft_chain_validate_hooks(ctx->chain, | ||
| 105 | (1 << NF_INET_POST_ROUTING) | | ||
| 106 | (1 << NF_INET_LOCAL_IN)); | ||
| 107 | break; | ||
| 108 | case NFT_NAT_DNAT: | ||
| 109 | err = nft_chain_validate_hooks(ctx->chain, | ||
| 110 | (1 << NF_INET_PRE_ROUTING) | | ||
| 111 | (1 << NF_INET_LOCAL_OUT)); | ||
| 112 | break; | ||
| 113 | } | ||
| 114 | |||
| 115 | return err; | ||
| 116 | } | ||
| 117 | |||
| 118 | static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, | ||
| 119 | const struct nlattr * const tb[]) | ||
| 120 | { | ||
| 121 | struct nft_nat *priv = nft_expr_priv(expr); | ||
| 122 | u32 family; | ||
| 123 | int err; | ||
| 124 | |||
| 102 | if (tb[NFTA_NAT_TYPE] == NULL || | 125 | if (tb[NFTA_NAT_TYPE] == NULL || |
| 103 | (tb[NFTA_NAT_REG_ADDR_MIN] == NULL && | 126 | (tb[NFTA_NAT_REG_ADDR_MIN] == NULL && |
| 104 | tb[NFTA_NAT_REG_PROTO_MIN] == NULL)) | 127 | tb[NFTA_NAT_REG_PROTO_MIN] == NULL)) |
| @@ -115,6 +138,10 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr, | |||
| 115 | return -EINVAL; | 138 | return -EINVAL; |
| 116 | } | 139 | } |
| 117 | 140 | ||
| 141 | err = nft_nat_validate(ctx, expr, NULL); | ||
| 142 | if (err < 0) | ||
| 143 | return err; | ||
| 144 | |||
| 118 | if (tb[NFTA_NAT_FAMILY] == NULL) | 145 | if (tb[NFTA_NAT_FAMILY] == NULL) |
| 119 | return -EINVAL; | 146 | return -EINVAL; |
| 120 | 147 | ||
| @@ -219,13 +246,6 @@ nla_put_failure: | |||
| 219 | return -1; | 246 | return -1; |
| 220 | } | 247 | } |
| 221 | 248 | ||
| 222 | static int nft_nat_validate(const struct nft_ctx *ctx, | ||
| 223 | const struct nft_expr *expr, | ||
| 224 | const struct nft_data **data) | ||
| 225 | { | ||
| 226 | return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); | ||
| 227 | } | ||
| 228 | |||
| 229 | static struct nft_expr_type nft_nat_type; | 249 | static struct nft_expr_type nft_nat_type; |
| 230 | static const struct nft_expr_ops nft_nat_ops = { | 250 | static const struct nft_expr_ops nft_nat_ops = { |
| 231 | .type = &nft_nat_type, | 251 | .type = &nft_nat_type, |
diff --git a/net/netfilter/nft_redir.c b/net/netfilter/nft_redir.c index 9e8093f28311..d7e9e93a4e90 100644 --- a/net/netfilter/nft_redir.c +++ b/net/netfilter/nft_redir.c | |||
| @@ -23,6 +23,22 @@ const struct nla_policy nft_redir_policy[NFTA_REDIR_MAX + 1] = { | |||
| 23 | }; | 23 | }; |
| 24 | EXPORT_SYMBOL_GPL(nft_redir_policy); | 24 | EXPORT_SYMBOL_GPL(nft_redir_policy); |
| 25 | 25 | ||
| 26 | int nft_redir_validate(const struct nft_ctx *ctx, | ||
| 27 | const struct nft_expr *expr, | ||
| 28 | const struct nft_data **data) | ||
| 29 | { | ||
| 30 | int err; | ||
| 31 | |||
| 32 | err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); | ||
| 33 | if (err < 0) | ||
| 34 | return err; | ||
| 35 | |||
| 36 | return nft_chain_validate_hooks(ctx->chain, | ||
| 37 | (1 << NF_INET_PRE_ROUTING) | | ||
| 38 | (1 << NF_INET_LOCAL_OUT)); | ||
| 39 | } | ||
| 40 | EXPORT_SYMBOL_GPL(nft_redir_validate); | ||
| 41 | |||
| 26 | int nft_redir_init(const struct nft_ctx *ctx, | 42 | int nft_redir_init(const struct nft_ctx *ctx, |
| 27 | const struct nft_expr *expr, | 43 | const struct nft_expr *expr, |
| 28 | const struct nlattr * const tb[]) | 44 | const struct nlattr * const tb[]) |
| @@ -30,7 +46,7 @@ int nft_redir_init(const struct nft_ctx *ctx, | |||
| 30 | struct nft_redir *priv = nft_expr_priv(expr); | 46 | struct nft_redir *priv = nft_expr_priv(expr); |
| 31 | int err; | 47 | int err; |
| 32 | 48 | ||
| 33 | err = nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); | 49 | err = nft_redir_validate(ctx, expr, NULL); |
| 34 | if (err < 0) | 50 | if (err < 0) |
| 35 | return err; | 51 | return err; |
| 36 | 52 | ||
| @@ -88,12 +104,5 @@ nla_put_failure: | |||
| 88 | } | 104 | } |
| 89 | EXPORT_SYMBOL_GPL(nft_redir_dump); | 105 | EXPORT_SYMBOL_GPL(nft_redir_dump); |
| 90 | 106 | ||
| 91 | int nft_redir_validate(const struct nft_ctx *ctx, const struct nft_expr *expr, | ||
| 92 | const struct nft_data **data) | ||
| 93 | { | ||
| 94 | return nft_chain_validate_dependency(ctx->chain, NFT_CHAIN_T_NAT); | ||
| 95 | } | ||
| 96 | EXPORT_SYMBOL_GPL(nft_redir_validate); | ||
| 97 | |||
| 98 | MODULE_LICENSE("GPL"); | 107 | MODULE_LICENSE("GPL"); |
| 99 | MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>"); | 108 | MODULE_AUTHOR("Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>"); |