Commit ba402810 authored by David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Remove #ifdef pollution around nf_ingress(), from Lukas Wunner.

2) Document ingress hook in netdevice, also from Lukas.

3) Remove htons() in tunnel metadata port netlink attributes,
   from Xin Long.

4) Missing erspan netlink attribute validation also from Xin Long.

5) Missing erspan version in tunnel, from Xin Long.

6) Missing attribute nest in NFTA_TUNNEL_KEY_OPTS_{VXLAN,ERSPAN}
   Patch from Xin Long.

7) Missing nla_nest_cancel() in tunnel netlink dump path,
   from Xin Long.

8) Remove two exported conntrack symbols with no clients,
   from Florian Westphal.

9) Add nft_meta_get_eval_time() helper to nft_meta, from Florian.

10) Add nft_meta_pkttype helper for loopback, also from Florian.

11) Add nft_meta_socket uid helper, from Florian Westphal.

12) Add nft_meta_cgroup helper, from Florian.

13) Add nft_meta_ifkind helper, from Florian.

14) Group all interface related meta selector, from Florian.

15) Add nft_prandom_u32() helper, from Florian.

16) Add nft_meta_rtclassid helper, from Florian.

17) Add support for matching on the slave device index,
    from Florian.

This batch, among other things, contains updates for the netfilter
tunnel netlink interface: This extension is still incomplete and lacking
proper userspace support which is actually my fault, I did not find the
time to go back and finish this. This update breaks the tunnel UAPI in
some aspects in order to fix it; better to do so sooner than never.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
parents 1a1fda57 c14ceb0e
...@@ -1709,6 +1709,7 @@ enum netdev_priv_flags { ...@@ -1709,6 +1709,7 @@ enum netdev_priv_flags {
* @miniq_ingress: ingress/clsact qdisc specific data for * @miniq_ingress: ingress/clsact qdisc specific data for
* ingress processing * ingress processing
* @ingress_queue: XXX: need comments on this one * @ingress_queue: XXX: need comments on this one
* @nf_hooks_ingress: netfilter hooks executed for ingress packets
* @broadcast: hw bcast address * @broadcast: hw bcast address
* *
* @rx_cpu_rmap: CPU reverse-mapping for RX completion interrupts, * @rx_cpu_rmap: CPU reverse-mapping for RX completion interrupts,
......
...@@ -805,6 +805,8 @@ enum nft_exthdr_attributes { ...@@ -805,6 +805,8 @@ enum nft_exthdr_attributes {
* @NFT_META_TIME_NS: time since epoch (in nanoseconds) * @NFT_META_TIME_NS: time since epoch (in nanoseconds)
* @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday) * @NFT_META_TIME_DAY: day of week (from 0 = Sunday to 6 = Saturday)
* @NFT_META_TIME_HOUR: hour of day (in seconds) * @NFT_META_TIME_HOUR: hour of day (in seconds)
* @NFT_META_SDIF: slave device interface index
* @NFT_META_SDIFNAME: slave device interface name
*/ */
enum nft_meta_keys { enum nft_meta_keys {
NFT_META_LEN, NFT_META_LEN,
...@@ -840,6 +842,8 @@ enum nft_meta_keys { ...@@ -840,6 +842,8 @@ enum nft_meta_keys {
NFT_META_TIME_NS, NFT_META_TIME_NS,
NFT_META_TIME_DAY, NFT_META_TIME_DAY,
NFT_META_TIME_HOUR, NFT_META_TIME_HOUR,
NFT_META_SDIF,
NFT_META_SDIFNAME,
}; };
/** /**
......
...@@ -4932,7 +4932,6 @@ static bool skb_pfmemalloc_protocol(struct sk_buff *skb) ...@@ -4932,7 +4932,6 @@ static bool skb_pfmemalloc_protocol(struct sk_buff *skb)
static inline int nf_ingress(struct sk_buff *skb, struct packet_type **pt_prev, static inline int nf_ingress(struct sk_buff *skb, struct packet_type **pt_prev,
int *ret, struct net_device *orig_dev) int *ret, struct net_device *orig_dev)
{ {
#ifdef CONFIG_NETFILTER_INGRESS
if (nf_hook_ingress_active(skb)) { if (nf_hook_ingress_active(skb)) {
int ingress_retval; int ingress_retval;
...@@ -4946,7 +4945,6 @@ static inline int nf_ingress(struct sk_buff *skb, struct packet_type **pt_prev, ...@@ -4946,7 +4945,6 @@ static inline int nf_ingress(struct sk_buff *skb, struct packet_type **pt_prev,
rcu_read_unlock(); rcu_read_unlock();
return ingress_retval; return ingress_retval;
} }
#endif /* CONFIG_NETFILTER_INGRESS */
return 0; return 0;
} }
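Review bot: With the #ifdef gone, nf_ingress() now calls nf_hook_ingress_active() and nf_hook_ingress() unconditionally, so both compiling and the "return 0" fast path on kernels without CONFIG_NETFILTER_INGRESS presumably rest on stub definitions in the header that declares those helpers, which is not part of this excerpt. A one-line comment at the top of the function would make that dependency visible to the next reader: `/* nf_hook_ingress_active()/nf_hook_ingress() are no-op stubs when !CONFIG_NETFILTER_INGRESS */`. The middle of the function, between the two hunks, is not shown here.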
......
...@@ -2334,7 +2334,6 @@ int nf_conntrack_set_hashsize(const char *val, const struct kernel_param *kp) ...@@ -2334,7 +2334,6 @@ int nf_conntrack_set_hashsize(const char *val, const struct kernel_param *kp)
return nf_conntrack_hash_resize(hashsize); return nf_conntrack_hash_resize(hashsize);
} }
EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
static __always_inline unsigned int total_extension_size(void) static __always_inline unsigned int total_extension_size(void)
{ {
......
...@@ -37,7 +37,6 @@ void nf_ct_ext_destroy(struct nf_conn *ct) ...@@ -37,7 +37,6 @@ void nf_ct_ext_destroy(struct nf_conn *ct)
kfree(ct->ext); kfree(ct->ext);
} }
EXPORT_SYMBOL(nf_ct_ext_destroy);
void *nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp) void *nf_ct_ext_add(struct nf_conn *ct, enum nf_ct_ext_id id, gfp_t gfp)
{ {
......
...@@ -248,6 +248,7 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr, ...@@ -248,6 +248,7 @@ static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
} }
static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = { static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
[NFTA_TUNNEL_KEY_ERSPAN_VERSION] = { .type = NLA_U32 },
[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 }, [NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX] = { .type = NLA_U32 },
[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 }, [NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] = { .type = NLA_U8 },
[NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 }, [NFTA_TUNNEL_KEY_ERSPAN_V2_HWID] = { .type = NLA_U8 },
...@@ -442,10 +443,15 @@ static int nft_tunnel_ip_dump(struct sk_buff *skb, struct ip_tunnel_info *info) ...@@ -442,10 +443,15 @@ static int nft_tunnel_ip_dump(struct sk_buff *skb, struct ip_tunnel_info *info)
if (!nest) if (!nest)
return -1; return -1;
if (nla_put_in6_addr(skb, NFTA_TUNNEL_KEY_IP6_SRC, &info->key.u.ipv6.src) < 0 || if (nla_put_in6_addr(skb, NFTA_TUNNEL_KEY_IP6_SRC,
nla_put_in6_addr(skb, NFTA_TUNNEL_KEY_IP6_DST, &info->key.u.ipv6.dst) < 0 || &info->key.u.ipv6.src) < 0 ||
nla_put_be32(skb, NFTA_TUNNEL_KEY_IP6_FLOWLABEL, info->key.label)) nla_put_in6_addr(skb, NFTA_TUNNEL_KEY_IP6_DST,
&info->key.u.ipv6.dst) < 0 ||
nla_put_be32(skb, NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
info->key.label)) {
nla_nest_cancel(skb, nest);
return -1; return -1;
}
nla_nest_end(skb, nest); nla_nest_end(skb, nest);
} else { } else {
...@@ -453,9 +459,13 @@ static int nft_tunnel_ip_dump(struct sk_buff *skb, struct ip_tunnel_info *info) ...@@ -453,9 +459,13 @@ static int nft_tunnel_ip_dump(struct sk_buff *skb, struct ip_tunnel_info *info)
if (!nest) if (!nest)
return -1; return -1;
if (nla_put_in_addr(skb, NFTA_TUNNEL_KEY_IP_SRC, info->key.u.ipv4.src) < 0 || if (nla_put_in_addr(skb, NFTA_TUNNEL_KEY_IP_SRC,
nla_put_in_addr(skb, NFTA_TUNNEL_KEY_IP_DST, info->key.u.ipv4.dst) < 0) info->key.u.ipv4.src) < 0 ||
nla_put_in_addr(skb, NFTA_TUNNEL_KEY_IP_DST,
info->key.u.ipv4.dst) < 0) {
nla_nest_cancel(skb, nest);
return -1; return -1;
}
nla_nest_end(skb, nest); nla_nest_end(skb, nest);
} }
...@@ -467,42 +477,58 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, ...@@ -467,42 +477,58 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb,
struct nft_tunnel_obj *priv) struct nft_tunnel_obj *priv)
{ {
struct nft_tunnel_opts *opts = &priv->opts; struct nft_tunnel_opts *opts = &priv->opts;
struct nlattr *nest; struct nlattr *nest, *inner;
nest = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS); nest = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS);
if (!nest) if (!nest)
return -1; return -1;
if (opts->flags & TUNNEL_VXLAN_OPT) { if (opts->flags & TUNNEL_VXLAN_OPT) {
inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_VXLAN);
if (!inner)
goto failure;
if (nla_put_be32(skb, NFTA_TUNNEL_KEY_VXLAN_GBP, if (nla_put_be32(skb, NFTA_TUNNEL_KEY_VXLAN_GBP,
htonl(opts->u.vxlan.gbp))) htonl(opts->u.vxlan.gbp)))
return -1; goto inner_failure;
nla_nest_end(skb, inner);
} else if (opts->flags & TUNNEL_ERSPAN_OPT) { } else if (opts->flags & TUNNEL_ERSPAN_OPT) {
inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_ERSPAN);
if (!inner)
goto failure;
if (nla_put_be32(skb, NFTA_TUNNEL_KEY_ERSPAN_VERSION,
htonl(opts->u.erspan.version)))
goto inner_failure;
switch (opts->u.erspan.version) { switch (opts->u.erspan.version) {
case ERSPAN_VERSION: case ERSPAN_VERSION:
if (nla_put_be32(skb, NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX, if (nla_put_be32(skb, NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
opts->u.erspan.u.index)) opts->u.erspan.u.index))
return -1; goto inner_failure;
break; break;
case ERSPAN_VERSION2: case ERSPAN_VERSION2:
if (nla_put_u8(skb, NFTA_TUNNEL_KEY_ERSPAN_V2_HWID, if (nla_put_u8(skb, NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
get_hwid(&opts->u.erspan.u.md2)) || get_hwid(&opts->u.erspan.u.md2)) ||
nla_put_u8(skb, NFTA_TUNNEL_KEY_ERSPAN_V2_DIR, nla_put_u8(skb, NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
opts->u.erspan.u.md2.dir)) opts->u.erspan.u.md2.dir))
return -1; goto inner_failure;
break; break;
} }
nla_nest_end(skb, inner);
} }
nla_nest_end(skb, nest); nla_nest_end(skb, nest);
return 0; return 0;
inner_failure:
nla_nest_cancel(skb, inner);
failure:
nla_nest_cancel(skb, nest);
return -1;
} }
static int nft_tunnel_ports_dump(struct sk_buff *skb, static int nft_tunnel_ports_dump(struct sk_buff *skb,
struct ip_tunnel_info *info) struct ip_tunnel_info *info)
{ {
if (nla_put_be16(skb, NFTA_TUNNEL_KEY_SPORT, htons(info->key.tp_src)) < 0 || if (nla_put_be16(skb, NFTA_TUNNEL_KEY_SPORT, info->key.tp_src) < 0 ||
nla_put_be16(skb, NFTA_TUNNEL_KEY_DPORT, htons(info->key.tp_dst)) < 0) nla_put_be16(skb, NFTA_TUNNEL_KEY_DPORT, info->key.tp_dst) < 0)
return -1; return -1;
return 0; return 0;
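Review bot: The new NFTA_TUNNEL_KEY_ERSPAN_VERSION policy entry checks only the attribute width (NLA_U32), and the switch on opts->u.erspan.version in nft_tunnel_opts_dump has no default case, so a version other than ERSPAN_VERSION/ERSPAN_VERSION2 that reached the object would be dumped as an ERSPAN nest carrying nothing but the version attribute. The erspan init path that should reject such values is not in this excerpt, so please confirm it does; a policy range check is, as far as I can tell, not a substitute here because the attribute is emitted big-endian via `nla_put_be32(..., htonl(opts->u.erspan.version))` and an NLA_POLICY_RANGE on NLA_U32 would compare the raw payload in host order. Once that is confirmed, I would add above the policy entry `/* width check only; the version value is validated in the erspan init path */`. The closing brace of nft_tunnel_ports_dump lies outside this section.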
......