Commit 8bbed40f authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for you net-next
tree:

1) Missing NFTA_RULE_POSITION_ID netlink attribute validation,
   from Phil Sutter.

2) Restrict matching on tunnel metadata to rx/tx path, from wenxu.

3) Avoid indirect calls for IPV6=y, from Florian Westphal.

4) Add two indirections to prepare merger of IPV4 and IPV6 nat
   modules, from Florian Westphal.

5) Broken indentation in ctnetlink, from Colin Ian King.

6) Patches to use struct_size() from netfilter and IPVS,
   from Gustavo A. R. Silva.

7) Display kernel splat only once in case of racing to confirm
   conntrack from bridge plus nfqueue setups, from Chieh-Min Wang.

8) Skip checksum validation for layer 4 protocols that don't need it,
   patch from Alin Nastac.

9) Sparse warning due to symbol that should be static in CLUSTERIP,
   from Wei Yongjun.

10) Add new toggle to disable SDP payload translation when media
    endpoint is reachable through the same interface as the signalling
    peer, from Alin Nastac.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents e511f17b a3419ce3
+52 −8
@@ -25,23 +25,24 @@ struct nf_queue_entry;
 * if IPv6 is a module.
 */
struct nf_ipv6_ops {
#if IS_MODULE(CONFIG_IPV6)
	int (*chk_addr)(struct net *net, const struct in6_addr *addr,
			const struct net_device *dev, int strict);
	int (*route_me_harder)(struct net *net, struct sk_buff *skb);
	int (*dev_get_saddr)(struct net *net, const struct net_device *dev,
		       const struct in6_addr *daddr, unsigned int srcprefs,
		       struct in6_addr *saddr);
	int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
		     bool strict);
#endif
	void (*route_input)(struct sk_buff *skb);
	int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb,
			int (*output)(struct net *, struct sock *, struct sk_buff *));
	int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
		     bool strict);
	int (*reroute)(struct sk_buff *skb, const struct nf_queue_entry *entry);
};

#ifdef CONFIG_NETFILTER
int ip6_route_me_harder(struct net *net, struct sk_buff *skb);
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
			unsigned int dataoff, u_int8_t protocol);

int ipv6_netfilter_init(void);
void ipv6_netfilter_fini(void);
#include <net/addrconf.h>

extern const struct nf_ipv6_ops __rcu *nf_ipv6_ops;
static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void)
@@ -49,6 +50,49 @@ static inline const struct nf_ipv6_ops *nf_get_ipv6_ops(void)
	return rcu_dereference(nf_ipv6_ops);
}

static inline int nf_ipv6_chk_addr(struct net *net, const struct in6_addr *addr,
				   const struct net_device *dev, int strict)
{
#if IS_MODULE(CONFIG_IPV6)
	const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops();

	if (!v6_ops)
		return 1;

	return v6_ops->chk_addr(net, addr, dev, strict);
#else
	return ipv6_chk_addr(net, addr, dev, strict);
#endif
}

int __nf_ip6_route(struct net *net, struct dst_entry **dst,
			       struct flowi *fl, bool strict);

static inline int nf_ip6_route(struct net *net, struct dst_entry **dst,
			       struct flowi *fl, bool strict)
{
#if IS_MODULE(CONFIG_IPV6)
	const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();

	if (v6ops)
		return v6ops->route(net, dst, fl, strict);

	return -EHOSTUNREACH;
#endif
#if IS_BUILTIN(CONFIG_IPV6)
	return __nf_ip6_route(net, dst, fl, strict);
#else
	return -EHOSTUNREACH;
#endif
}

int ip6_route_me_harder(struct net *net, struct sk_buff *skb);
__sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
			unsigned int dataoff, u_int8_t protocol);

int ipv6_netfilter_init(void);
void ipv6_netfilter_fini(void);

#else /* CONFIG_NETFILTER */
static inline int ipv6_netfilter_init(void) { return 0; }
static inline void ipv6_netfilter_fini(void) { return; }
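Review bot: In nf_ip6_route, when IS_MODULE(CONFIG_IPV6) is set the function has already returned on every path, yet the second `#if IS_BUILTIN(CONFIG_IPV6) ... #else return -EHOSTUNREACH; #endif` block is still compiled behind it as unreachable code; folding the two into one chain avoids that: replace the `#endif` / `#if IS_BUILTIN(CONFIG_IPV6)` pair with a single `#elif IS_BUILTIN(CONFIG_IPV6)`. The new nf_ipv6_chk_addr returns 1 when no ops are registered, and nothing states why a nonzero (address-matches) result is the right fallback for a missing IPv6 module; a comment such as `/* IPv6 module not loaded: report a match — confirm this is the fallback callers expect */` would make that decision reviewable rather than implicit. The `__nf_ip6_route` prototype's continuation line is indented as if it belonged to nf_ip6_route; align it with the opening parenthesis of its own declaration.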
+1 −0
@@ -5,6 +5,7 @@
#include <linux/skbuff.h>
#include <net/ip.h>
#include <net/icmp.h>
#include <net/netfilter/nf_reject.h>

void nf_send_unreach(struct sk_buff *skb_in, int code, int hook);
void nf_send_reset(struct net *net, struct sk_buff *oldskb, int hook);
+1 −0
@@ -3,6 +3,7 @@
#define _IPV6_NF_REJECT_H

#include <linux/icmpv6.h>
#include <net/netfilter/nf_reject.h>

void nf_send_unreach6(struct net *net, struct sk_buff *skb_in, unsigned char code,
		      unsigned int hooknum);
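--- /dev/null
+++ b/include/net/netfilter/nf_reject.h
@@ -0,0 +1,27 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _NF_REJECT_H
+#define _NF_REJECT_H
+
+static inline bool nf_reject_verify_csum(__u8 proto)
+{
+	/* Skip protocols that don't use 16-bit one's complement checksum
+	 * of the entire payload.
+	 */
+	switch (proto) {
+		/* Protocols with other integrity checks. */
+		case IPPROTO_AH:
+		case IPPROTO_ESP:
+		case IPPROTO_SCTP:
+
+		/* Protocols with partial checksums. */
+		case IPPROTO_UDPLITE:
+		case IPPROTO_DCCP:
+
+		/* Protocols with optional checksums. */
+		case IPPROTO_GRE:
+			return false;
+	}
+	return true;
+}
+
+#endif /* _NF_REJECT_H */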
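Review bot: nf_reject_verify_csum uses `bool`, `__u8` and the IPPROTO_* constants, but the new header includes nothing, so it compiles only when the includer has already pulled in the right headers; adding `#include <linux/types.h>` and `#include <linux/in.h>` under the guard keeps it self-contained. The function also needs a comment stating its contract, since it decides when a reject is generated without checksum validation: `/* Return true if @proto carries a full 16-bit one's complement L4 checksum that must be verified before replying; false for protocols whose checksum is absent, partial or optional. */`. The case labels are indented one level deeper than kernel style, which aligns `case` with `switch`.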
+9 −0
@@ -1727,10 +1727,19 @@ enum nft_tunnel_keys {
};
#define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)

enum nft_tunnel_mode {
	NFT_TUNNEL_MODE_NONE,
	NFT_TUNNEL_MODE_RX,
	NFT_TUNNEL_MODE_TX,
	__NFT_TUNNEL_MODE_MAX
};
#define NFT_TUNNEL_MODE_MAX	(__NFT_TUNNEL_MODE_MAX - 1)

enum nft_tunnel_attributes {
	NFTA_TUNNEL_UNSPEC,
	NFTA_TUNNEL_KEY,
	NFTA_TUNNEL_DREG,
	NFTA_TUNNEL_MODE,
	__NFTA_TUNNEL_MAX
};
#define NFTA_TUNNEL_MAX	(__NFTA_TUNNEL_MAX - 1)
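Review bot: NFTA_TUNNEL_MODE and enum nft_tunnel_mode extend the UAPI header without any comment describing the attribute or the meaning of NONE/RX/TX, and once shipped these values are ABI. A kernel-doc line such as `@NFTA_TUNNEL_MODE: tunnel metadata direction to match, one of enum nft_tunnel_mode` and a short comment above the enum would document the contract for userspace. The netlink parser that consumes this attribute is outside this hunk; it presumably must reject values above NFT_TUNNEL_MODE_MAX, and the attribute's netlink type should be recorded here once confirmed from that policy.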