Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains netfilter fixes for you net tree, they are: 1) Missing ct zone size in the nft_ct initialization path, patch from Florian Westphal. 2) Two patches for netfilter uapi headers, one to remove unnecessary sysctl.h inclusion and another to fix compilation of xt_hashlimit.h in userspace, from Dmitry V. Levin. 3) Patch to fix a sloppy change in nf_ct_expect that incorrectly simplified nf_ct_expect_related_report() in the previous nf-next batch. This also includes another patch for __nf_ct_expect_check() to report success by returning 0 to keep it consistent with other existing functions. From Jarno Rajahalme. 4) The ->walk() iterator of the new bitmap set type goes over the real bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA is used. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains netfilter fixes for you net tree, they are: 1) Missing ct zone size in the nft_ct initialization path, patch from Florian Westphal. 2) Two patches for netfilter uapi headers, one to remove unnecessary sysctl.h inclusion and another to fix compilation of xt_hashlimit.h in userspace, from Dmitry V. Levin. 3) Patch to fix a sloppy change in nf_ct_expect that incorrectly simplified nf_ct_expect_related_report() in the previous nf-next batch. This also includes another patch for __nf_ct_expect_check() to report success by returning 0 to keep it consistent with other existing functions. From Jarno Rajahalme. 4) The ->walk() iterator of the new bitmap set type goes over the real bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA is used. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
4ca257ee · David S. Miller · 51fb60eb · 13aa5a8f · 4ca257ee · 4ca257ee
Commit 4ca257ee authored Feb 27, 2017 by David S. Miller
5 changed files
--- a/include/uapi/linux/netfilter.h
+++ b/include/uapi/linux/netfilter.h
@@ -3,7 +3,6 @@
 #include <linux/types.h>
 #include <linux/compiler.h>
-#include <linux/sysctl.h>
 #include <linux/in.h>
 #include <linux/in6.h>

--- a/include/uapi/linux/netfilter/xt_hashlimit.h
+++ b/include/uapi/linux/netfilter/xt_hashlimit.h
@@ -2,6 +2,7 @@
 #define _UAPI_XT_HASHLIMIT_H
 #include <linux/types.h>
+#include <linux/limits.h>
 #include <linux/if.h>
 /* timings are in milliseconds. */

--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -410,7 +410,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
 	struct net *net = nf_ct_exp_net(expect);
 	struct hlist_node *next;
 	unsigned int h;
-	int ret = 1;
+	int ret = 0;
 	if (!master_help) {
 		ret = -ESHUTDOWN;
@@ -460,14 +460,14 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
 	spin_lock_bh(&nf_conntrack_expect_lock);
 	ret = __nf_ct_expect_check(expect);
-	if (ret <= 0)
+	if (ret < 0)
 		goto out;
 	nf_ct_expect_insert(expect);
 	spin_unlock_bh(&nf_conntrack_expect_lock);
 	nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);
-	return ret;
+	return 0;
 out:
 	spin_unlock_bh(&nf_conntrack_expect_lock);
 	return ret;

--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -528,6 +528,7 @@ static int nft_ct_set_init(const struct nft_ctx *ctx,
 		if (!nft_ct_tmpl_alloc_pcpu())
 			return -ENOMEM;
 		nft_ct_pcpu_template_refcnt++;
+		len = sizeof(u16);
 		break;
 #endif
 	default:

--- a/net/netfilter/nft_set_bitmap.c
+++ b/net/netfilter/nft_set_bitmap.c
@@ -258,7 +258,7 @@ static int nft_bitmap_init(const struct nft_set *set,
 {
 	struct nft_bitmap *priv = nft_set_priv(set);
-	priv->bitmap_size = nft_bitmap_total_size(set->klen);
+	priv->bitmap_size = nft_bitmap_size(set->klen);
 	return 0;
 }