Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

This small patchset contains three accumulated Netfilter/IPVS updates,
they are:

1) Refactorize common NAT code by encapsulating it into a helper
   function, similarly to what we do in other conntrack extensions,
   from Florian Westphal.

2) A minor format string mismatch fix for IPVS, from Masanari Iida.

3) Add quota support to the netfilter accounting infrastructure, now
   you can add quotas to accounting objects via the nfnetlink interface
   and use them from iptables. You can also listen to quota
   notifications from userspace. This enhancement from Mathieu Poirier.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

8 files changed, 118 insertions, 50 deletions

diff --git a/net/ipv4/netfilter/iptable_nat.c b/net/ipv4/netfilter/iptable_nat.c
index ee2886126e3d..f1787c04a4dd 100644
--- a/net/ipv4/netfilter/iptable_nat.c
+++ b/net/ipv4/netfilter/iptable_nat.c
@@ -91,17 +91,9 @@ nf_nat_ipv4_fn(const struct nf_hook_ops *ops,
         if (nf_ct_is_untracked(ct))
                 return NF_ACCEPT;
 
-        nat = nfct_nat(ct);
-        if (!nat) {
-                /* NAT module was loaded late. */
-                if (nf_ct_is_confirmed(ct))
-                        return NF_ACCEPT;
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL) {
-                        pr_debug("failed to add NAT extension\n");
-                        return NF_ACCEPT;
-                }
-        }
+        nat = nf_ct_nat_ext_add(ct);
+        if (nat == NULL)
+                return NF_ACCEPT;
 
         switch (ctinfo) {
         case IP_CT_RELATED:
diff --git a/net/ipv4/netfilter/nft_chain_nat_ipv4.c b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
index b5b256d45e67..3964157d826c 100644
--- a/net/ipv4/netfilter/nft_chain_nat_ipv4.c
+++ b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
@@ -48,15 +48,9 @@ static unsigned int nf_nat_fn(const struct nf_hook_ops *ops,
 
         NF_CT_ASSERT(!(ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)));
 
-        nat = nfct_nat(ct);
-        if (nat == NULL) {
-                /* Conntrack module was loaded late, can't add extension. */
-                if (nf_ct_is_confirmed(ct))
-                        return NF_ACCEPT;
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL)
-                        return NF_ACCEPT;
-        }
+        nat = nf_ct_nat_ext_add(ct);
+        if (nat == NULL)
+                return NF_ACCEPT;
 
         switch (ctinfo) {
         case IP_CT_RELATED:
diff --git a/net/ipv6/netfilter/ip6table_nat.c b/net/ipv6/netfilter/ip6table_nat.c
index 84c7f33d0cf8..387d8b8fc18d 100644
--- a/net/ipv6/netfilter/ip6table_nat.c
+++ b/net/ipv6/netfilter/ip6table_nat.c
@@ -90,17 +90,9 @@ nf_nat_ipv6_fn(const struct nf_hook_ops *ops,
         if (nf_ct_is_untracked(ct))
                 return NF_ACCEPT;
 
-        nat = nfct_nat(ct);
-        if (!nat) {
-                /* NAT module was loaded late. */
-                if (nf_ct_is_confirmed(ct))
-                        return NF_ACCEPT;
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL) {
-                        pr_debug("failed to add NAT extension\n");
-                        return NF_ACCEPT;
-                }
-        }
+        nat = nf_ct_nat_ext_add(ct);
+        if (nat == NULL)
+                return NF_ACCEPT;
 
         switch (ctinfo) {
         case IP_CT_RELATED:
diff --git a/net/ipv6/netfilter/nft_chain_nat_ipv6.c b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
index 9c3297a768fd..d189fcb437fe 100644
--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
@@ -47,15 +47,9 @@ static unsigned int nf_nat_ipv6_fn(const struct nf_hook_ops *ops,
         if (ct == NULL || nf_ct_is_untracked(ct))
                 return NF_ACCEPT;
 
-        nat = nfct_nat(ct);
-        if (nat == NULL) {
-                /* Conntrack module was loaded late, can't add extension. */
-                if (nf_ct_is_confirmed(ct))
-                        return NF_ACCEPT;
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL)
-                        return NF_ACCEPT;
-        }
+        nat = nf_ct_nat_ext_add(ct);
+        if (nat == NULL)
+                return NF_ACCEPT;
 
         switch (ctinfo) {
         case IP_CT_RELATED:
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 4f26ee46b51f..d9da8c448c76 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -97,7 +97,7 @@ const char *ip_vs_proto_name(unsigned int proto)
                 return "ICMPv6";
 #endif
         default:
-                sprintf(buf, "IP_%d", proto);
+                sprintf(buf, "IP_%u", proto);
                 return buf;
         }
 }
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 52ca952b802c..09096a670c45 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -358,6 +358,19 @@ out:
         rcu_read_unlock();
 }
 
+struct nf_conn_nat *nf_ct_nat_ext_add(struct nf_conn *ct)
+{
+        struct nf_conn_nat *nat = nfct_nat(ct);
+        if (nat)
+                return nat;
+
+        if (!nf_ct_is_confirmed(ct))
+                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
+
+        return nat;
+}
+EXPORT_SYMBOL_GPL(nf_ct_nat_ext_add);
+
 unsigned int
 nf_nat_setup_info(struct nf_conn *ct,
                   const struct nf_nat_range *range,
@@ -368,14 +381,9 @@ nf_nat_setup_info(struct nf_conn *ct,
         struct nf_conn_nat *nat;
 
         /* nat helper or nfctnetlink also setup binding */
-        nat = nfct_nat(ct);
-        if (!nat) {
-                nat = nf_ct_ext_add(ct, NF_CT_EXT_NAT, GFP_ATOMIC);
-                if (nat == NULL) {
-                        pr_debug("failed to add NAT extension\n");
-                        return NF_ACCEPT;
-                }
-        }
+        nat = nf_ct_nat_ext_add(ct);
+        if (nat == NULL)
+                return NF_ACCEPT;
 
         NF_CT_ASSERT(maniptype == NF_NAT_MANIP_SRC ||
                      maniptype == NF_NAT_MANIP_DST);
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index c7b6d466a662..70e86bbb3637 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -32,18 +32,24 @@ static LIST_HEAD(nfnl_acct_list);
 struct nf_acct {
         atomic64_t              pkts;
         atomic64_t              bytes;
+        unsigned long           flags;
         struct list_head        head;
         atomic_t                refcnt;
         char                    name[NFACCT_NAME_MAX];
         struct rcu_head         rcu_head;
+        char                    data[0];
 };
 
+#define NFACCT_F_QUOTA (NFACCT_F_QUOTA_PKTS | NFACCT_F_QUOTA_BYTES)
+
 static int
 nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
              const struct nlmsghdr *nlh, const struct nlattr * const tb[])
 {
         struct nf_acct *nfacct, *matching = NULL;
         char *acct_name;
+        unsigned int size = 0;
+        u32 flags = 0;
 
         if (!tb[NFACCT_NAME])
                 return -EINVAL;
@@ -68,15 +74,39 @@ nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
                         /* reset counters if you request a replacement. */
                         atomic64_set(&matching->pkts, 0);
                         atomic64_set(&matching->bytes, 0);
+                        smp_mb__before_clear_bit();
+                        /* reset overquota flag if quota is enabled. */
+                        if ((matching->flags & NFACCT_F_QUOTA))
+                                clear_bit(NFACCT_F_OVERQUOTA, &matching->flags);
                         return 0;
                 }
                 return -EBUSY;
         }
 
         nfacct = kzalloc(sizeof(struct nf_acct), GFP_KERNEL);
+        if (tb[NFACCT_FLAGS]) {
+                flags = ntohl(nla_get_be32(tb[NFACCT_FLAGS]));
+                if (flags & ~NFACCT_F_QUOTA)
+                        return -EOPNOTSUPP;
+                if ((flags & NFACCT_F_QUOTA) == NFACCT_F_QUOTA)
+                        return -EINVAL;
+                if (flags & NFACCT_F_OVERQUOTA)
+                        return -EINVAL;
+
+                size += sizeof(u64);
+        }
+
+        nfacct = kzalloc(sizeof(struct nf_acct) + size, GFP_KERNEL);
         if (nfacct == NULL)
                 return -ENOMEM;
 
+        if (flags & NFACCT_F_QUOTA) {
+                u64 *quota = (u64 *)nfacct->data;
+
+                *quota = be64_to_cpu(nla_get_be64(tb[NFACCT_QUOTA]));
+                nfacct->flags = flags;
+        }
+
         strncpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
 
         if (tb[NFACCT_BYTES]) {
@@ -117,6 +147,9 @@ nfnl_acct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
         if (type == NFNL_MSG_ACCT_GET_CTRZERO) {
                 pkts = atomic64_xchg(&acct->pkts, 0);
                 bytes = atomic64_xchg(&acct->bytes, 0);
+                smp_mb__before_clear_bit();
+                if (acct->flags & NFACCT_F_QUOTA)
+                        clear_bit(NFACCT_F_OVERQUOTA, &acct->flags);
         } else {
                 pkts = atomic64_read(&acct->pkts);
                 bytes = atomic64_read(&acct->bytes);
@@ -125,7 +158,13 @@ nfnl_acct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
             nla_put_be64(skb, NFACCT_BYTES, cpu_to_be64(bytes)) ||
             nla_put_be32(skb, NFACCT_USE, htonl(atomic_read(&acct->refcnt))))
                 goto nla_put_failure;
+        if (acct->flags & NFACCT_F_QUOTA) {
+                u64 *quota = (u64 *)acct->data;
 
+                if (nla_put_be32(skb, NFACCT_FLAGS, htonl(acct->flags)) ||
+                    nla_put_be64(skb, NFACCT_QUOTA, cpu_to_be64(*quota)))
+                        goto nla_put_failure;
+        }
         nlmsg_end(skb, nlh);
         return skb->len;
 
@@ -270,6 +309,8 @@ static const struct nla_policy nfnl_acct_policy[NFACCT_MAX+1] = {
         [NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 },
         [NFACCT_BYTES] = { .type = NLA_U64 },
         [NFACCT_PKTS] = { .type = NLA_U64 },
+        [NFACCT_FLAGS] = { .type = NLA_U32 },
+        [NFACCT_QUOTA] = { .type = NLA_U64 },
 };
 
 static const struct nfnl_callback nfnl_acct_cb[NFNL_MSG_ACCT_MAX] = {
@@ -336,6 +377,50 @@ void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct)
 }
 EXPORT_SYMBOL_GPL(nfnl_acct_update);
 
+static void nfnl_overquota_report(struct nf_acct *nfacct)
+{
+        int ret;
+        struct sk_buff *skb;
+
+        skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
+        if (skb == NULL)
+                return;
+
+        ret = nfnl_acct_fill_info(skb, 0, 0, NFNL_MSG_ACCT_OVERQUOTA, 0,
+                                  nfacct);
+        if (ret <= 0) {
+                kfree_skb(skb);
+                return;
+        }
+        netlink_broadcast(init_net.nfnl, skb, 0, NFNLGRP_ACCT_QUOTA,
+                          GFP_ATOMIC);
+}
+
+int nfnl_acct_overquota(const struct sk_buff *skb, struct nf_acct *nfacct)
+{
+        u64 now;
+        u64 *quota;
+        int ret = NFACCT_UNDERQUOTA;
+
+        /* no place here if we don't have a quota */
+        if (!(nfacct->flags & NFACCT_F_QUOTA))
+                return NFACCT_NO_QUOTA;
+
+        quota = (u64 *)nfacct->data;
+        now = (nfacct->flags & NFACCT_F_QUOTA_PKTS) ?
+               atomic64_read(&nfacct->pkts) : atomic64_read(&nfacct->bytes);
+
+        ret = now > *quota;
+
+        if (now >= *quota &&
+            !test_and_set_bit(NFACCT_F_OVERQUOTA, &nfacct->flags)) {
+                nfnl_overquota_report(nfacct);
+        }
+
+        return ret;
+}
+EXPORT_SYMBOL_GPL(nfnl_acct_overquota);
+
 static int __init nfnl_acct_init(void)
 {
         int ret;
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index b3be0ef21f19..8c646ed9c921 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -21,11 +21,14 @@ MODULE_ALIAS("ip6t_nfacct");
 
 static bool nfacct_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
+        int overquota;
         const struct xt_nfacct_match_info *info = par->targinfo;
 
         nfnl_acct_update(skb, info->nfacct);
 
-        return true;
+        overquota = nfnl_acct_overquota(skb, info->nfacct);
+
+        return overquota == NFACCT_UNDERQUOTA ? false : true;
 }
 
 static int