Commit 99638e9d authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 



Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next:

1) Wildcard support for the net,iface set from Kristian Evensen.

2) Offload support for matching on the input interface.

3) Simplify matching on vlan header fields.

4) Add nft_payload_rebuild_vlan_hdr() function to rebuild the vlan
   header from the vlan sk_buff metadata.

5) Pass extack to nft_flow_cls_offload_setup().

6) Add C-VLAN matching support.

7) Use time64_t in xt_time to fix y2038 overflow, from Arnd Bergmann.

8) Use time_t in nft_meta to fix y2038 overflow, also from Arnd.

9) Add flow_action_entry_next() helper function to flowtable offload
   infrastructure.

10) Add IPv6 support to the flowtable offload infrastructure.

11) Support for input interface matching from postrouting,
    from Phil Sutter.

12) Missing check for ndo callback in flowtable offload, from wenxu.

13) Remove conntrack parameter from flow_offload_fill_dir(), from wenxu.

14) Do not pass flow_rule object for rule removal, cookie is sufficient
    to achieve this.

15) Release flow_rule object in case of error from the offload commit
    path.

16) Undo offload ruleset updates if transaction fails.

17) Check for error when binding flowtable callbacks, from wenxu.

18) Always unbind flowtable callbacks when unregistering hooks.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 19b7e21c ff4bf2f4

include/net/netfilter/nf_flow_table.h

+6 −3
Original line number Diff line number Diff line
@@ -163,7 +163,10 @@ void nf_flow_table_offload_flush(struct nf_flowtable *flowtable); 
int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,

				struct net_device *dev,

				enum flow_block_command cmd);

int nf_flow_rule_route(struct net *net, const struct flow_offload *flow,

int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,

			    enum flow_offload_tuple_dir dir,

			    struct nf_flow_rule *flow_rule);

int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,

			    enum flow_offload_tuple_dir dir,

			    struct nf_flow_rule *flow_rule);

include/net/netfilter/nf_tables_offload.h

+1 −0
Original line number Diff line number Diff line
@@ -45,6 +45,7 @@ struct nft_flow_key { 
	struct flow_dissector_key_ip			ip;

	struct flow_dissector_key_vlan			vlan;

	struct flow_dissector_key_eth_addrs		eth_addrs;

	struct flow_dissector_key_meta			meta;

} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */



struct nft_flow_match {

include/uapi/linux/netfilter/ipset/ip_set.h

+2 −0
Original line number Diff line number Diff line
@@ -205,6 +205,8 @@ enum ipset_cadt_flags { 
	IPSET_FLAG_WITH_FORCEADD = (1 << IPSET_FLAG_BIT_WITH_FORCEADD),

	IPSET_FLAG_BIT_WITH_SKBINFO = 6,

	IPSET_FLAG_WITH_SKBINFO = (1 << IPSET_FLAG_BIT_WITH_SKBINFO),

	IPSET_FLAG_BIT_IFACE_WILDCARD = 7,

	IPSET_FLAG_IFACE_WILDCARD = (1 << IPSET_FLAG_BIT_IFACE_WILDCARD),

	IPSET_FLAG_CADT_MAX	= 15,

};

net/ipv4/ip_output.c

+2 −2
Original line number Diff line number Diff line
@@ -422,7 +422,7 @@ int ip_mc_output(struct net *net, struct sock *sk, struct sk_buff *skb) 


int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb)

{

	struct net_device *dev = skb_dst(skb)->dev;

	struct net_device *dev = skb_dst(skb)->dev, *indev = skb->dev;



	IP_UPD_PO_STATS(net, IPSTATS_MIB_OUT, skb->len);
@@ -430,7 +430,7 @@ int ip_output(struct net *net, struct sock *sk, struct sk_buff *skb) 
	skb->protocol = htons(ETH_P_IP);



	return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING,

			    net, sk, skb, NULL, dev,

			    net, sk, skb, indev, dev,

			    ip_finish_output,

			    !(IPCB(skb)->flags & IPSKB_REROUTED));

}

net/ipv4/netfilter/nf_flow_table_ipv4.c

+1 −1
Original line number Diff line number Diff line
@@ -10,7 +10,7 @@ static struct nf_flowtable_type flowtable_ipv4 = { 
	.family		= NFPROTO_IPV4,

	.init		= nf_flow_table_init,

	.setup		= nf_flow_table_offload_setup,

	.action		= nf_flow_rule_route,

	.action		= nf_flow_rule_route_ipv4,

	.free		= nf_flow_table_free,

	.hook		= nf_flow_offload_ip_hook,

	.owner		= THIS_MODULE,

CRA Git | Maintained and supported by SUSTech CRA and CCSE