Commit e15dbcde authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Remove IP MASQUERADING record in MAINTAINERS file,
   from Denis Efremov.

2) Counter arguments are swapped in ebtables, from
   Todd Seidelmann.

3) Missing netlink attribute validation in flow_offload
   extension.

4) Incorrect alignment in xt_nfacct that breaks 32-bits
   userspace / 64-bits kernels, from Juliana Rodrigueiro.

5) Missing include guard in nf_conntrack_h323_types.h,
   from Masahiro Yamada.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents ef8d8ccd 38a429c8
...@@ -8454,11 +8454,6 @@ S: Maintained ...@@ -8454,11 +8454,6 @@ S: Maintained
F: fs/io_uring.c F: fs/io_uring.c
F: include/uapi/linux/io_uring.h F: include/uapi/linux/io_uring.h
IP MASQUERADING
M: Juanjo Ciarlante <jjciarla@raiz.uncu.edu.ar>
S: Maintained
F: net/ipv4/netfilter/ipt_MASQUERADE.c
IPMI SUBSYSTEM IPMI SUBSYSTEM
M: Corey Minyard <minyard@acm.org> M: Corey Minyard <minyard@acm.org>
L: openipmi-developer@lists.sourceforge.net (moderated for non-subscribers) L: openipmi-developer@lists.sourceforge.net (moderated for non-subscribers)
......
...@@ -4,6 +4,9 @@ ...@@ -4,6 +4,9 @@
* Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net> * Copyright (c) 2006 Jing Min Zhao <zhaojingmin@users.sourceforge.net>
*/ */
#ifndef _NF_CONNTRACK_H323_TYPES_H
#define _NF_CONNTRACK_H323_TYPES_H
typedef struct TransportAddress_ipAddress { /* SEQUENCE */ typedef struct TransportAddress_ipAddress { /* SEQUENCE */
int options; /* No use */ int options; /* No use */
unsigned int ip; unsigned int ip;
...@@ -931,3 +934,5 @@ typedef struct RasMessage { /* CHOICE */ ...@@ -931,3 +934,5 @@ typedef struct RasMessage { /* CHOICE */
InfoRequestResponse infoRequestResponse; InfoRequestResponse infoRequestResponse;
}; };
} RasMessage; } RasMessage;
#endif /* _NF_CONNTRACK_H323_TYPES_H */
...@@ -11,4 +11,9 @@ struct xt_nfacct_match_info { ...@@ -11,4 +11,9 @@ struct xt_nfacct_match_info {
struct nf_acct *nfacct; struct nf_acct *nfacct;
}; };
struct xt_nfacct_match_info_v1 {
char name[NFACCT_NAME_MAX];
struct nf_acct *nfacct __attribute__((aligned(8)));
};
#endif /* _XT_NFACCT_MATCH_H */ #endif /* _XT_NFACCT_MATCH_H */
...@@ -221,7 +221,7 @@ unsigned int ebt_do_table(struct sk_buff *skb, ...@@ -221,7 +221,7 @@ unsigned int ebt_do_table(struct sk_buff *skb,
return NF_DROP; return NF_DROP;
} }
ADD_COUNTER(*(counter_base + i), 1, skb->len); ADD_COUNTER(*(counter_base + i), skb->len, 1);
/* these should only watch: not modify, nor tell us /* these should only watch: not modify, nor tell us
* what to do with the packet * what to do with the packet
...@@ -959,8 +959,8 @@ static void get_counters(const struct ebt_counter *oldcounters, ...@@ -959,8 +959,8 @@ static void get_counters(const struct ebt_counter *oldcounters,
continue; continue;
counter_base = COUNTER_BASE(oldcounters, nentries, cpu); counter_base = COUNTER_BASE(oldcounters, nentries, cpu);
for (i = 0; i < nentries; i++) for (i = 0; i < nentries; i++)
ADD_COUNTER(counters[i], counter_base[i].pcnt, ADD_COUNTER(counters[i], counter_base[i].bcnt,
counter_base[i].bcnt); counter_base[i].pcnt);
} }
} }
...@@ -1280,7 +1280,7 @@ static int do_update_counters(struct net *net, const char *name, ...@@ -1280,7 +1280,7 @@ static int do_update_counters(struct net *net, const char *name,
/* we add to the counters of the first cpu */ /* we add to the counters of the first cpu */
for (i = 0; i < num_counters; i++) for (i = 0; i < num_counters; i++)
ADD_COUNTER(t->private->counters[i], tmp[i].pcnt, tmp[i].bcnt); ADD_COUNTER(t->private->counters[i], tmp[i].bcnt, tmp[i].pcnt);
write_unlock_bh(&t->lock); write_unlock_bh(&t->lock);
ret = 0; ret = 0;
......
...@@ -149,6 +149,11 @@ static int nft_flow_offload_validate(const struct nft_ctx *ctx, ...@@ -149,6 +149,11 @@ static int nft_flow_offload_validate(const struct nft_ctx *ctx,
return nft_chain_validate_hooks(ctx->chain, hook_mask); return nft_chain_validate_hooks(ctx->chain, hook_mask);
} }
static const struct nla_policy nft_flow_offload_policy[NFTA_FLOW_MAX + 1] = {
[NFTA_FLOW_TABLE_NAME] = { .type = NLA_STRING,
.len = NFT_NAME_MAXLEN - 1 },
};
static int nft_flow_offload_init(const struct nft_ctx *ctx, static int nft_flow_offload_init(const struct nft_ctx *ctx,
const struct nft_expr *expr, const struct nft_expr *expr,
const struct nlattr * const tb[]) const struct nlattr * const tb[])
...@@ -207,6 +212,7 @@ static const struct nft_expr_ops nft_flow_offload_ops = { ...@@ -207,6 +212,7 @@ static const struct nft_expr_ops nft_flow_offload_ops = {
static struct nft_expr_type nft_flow_offload_type __read_mostly = { static struct nft_expr_type nft_flow_offload_type __read_mostly = {
.name = "flow_offload", .name = "flow_offload",
.ops = &nft_flow_offload_ops, .ops = &nft_flow_offload_ops,
.policy = nft_flow_offload_policy,
.maxattr = NFTA_FLOW_MAX, .maxattr = NFTA_FLOW_MAX,
.owner = THIS_MODULE, .owner = THIS_MODULE,
}; };
......
...@@ -54,25 +54,39 @@ nfacct_mt_destroy(const struct xt_mtdtor_param *par) ...@@ -54,25 +54,39 @@ nfacct_mt_destroy(const struct xt_mtdtor_param *par)
nfnl_acct_put(info->nfacct); nfnl_acct_put(info->nfacct);
} }
static struct xt_match nfacct_mt_reg __read_mostly = { static struct xt_match nfacct_mt_reg[] __read_mostly = {
.name = "nfacct", {
.family = NFPROTO_UNSPEC, .name = "nfacct",
.checkentry = nfacct_mt_checkentry, .revision = 0,
.match = nfacct_mt, .family = NFPROTO_UNSPEC,
.destroy = nfacct_mt_destroy, .checkentry = nfacct_mt_checkentry,
.matchsize = sizeof(struct xt_nfacct_match_info), .match = nfacct_mt,
.usersize = offsetof(struct xt_nfacct_match_info, nfacct), .destroy = nfacct_mt_destroy,
.me = THIS_MODULE, .matchsize = sizeof(struct xt_nfacct_match_info),
.usersize = offsetof(struct xt_nfacct_match_info, nfacct),
.me = THIS_MODULE,
},
{
.name = "nfacct",
.revision = 1,
.family = NFPROTO_UNSPEC,
.checkentry = nfacct_mt_checkentry,
.match = nfacct_mt,
.destroy = nfacct_mt_destroy,
.matchsize = sizeof(struct xt_nfacct_match_info_v1),
.usersize = offsetof(struct xt_nfacct_match_info_v1, nfacct),
.me = THIS_MODULE,
},
}; };
static int __init nfacct_mt_init(void) static int __init nfacct_mt_init(void)
{ {
return xt_register_match(&nfacct_mt_reg); return xt_register_matches(nfacct_mt_reg, ARRAY_SIZE(nfacct_mt_reg));
} }
static void __exit nfacct_mt_exit(void) static void __exit nfacct_mt_exit(void)
{ {
xt_unregister_match(&nfacct_mt_reg); xt_unregister_matches(nfacct_mt_reg, ARRAY_SIZE(nfacct_mt_reg));
} }
module_init(nfacct_mt_init); module_init(nfacct_mt_init);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment