Commit b65ca4c3 authored by Jakub Kicinski's avatar Jakub Kicinski
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

1) Move existing bridge packet reject infra to nf_reject_{ipv4,ipv6}.c
   from Jose M. Guisado.

2) Consolidate nft_reject_inet initialization and dump, also from Jose.

3) Add the netdev reject action, from Jose.

4) Allow to combine the exist flag and the destroy command in ipset,
   from Joszef Kadlecsik.

5) Expose bucket size parameter for hashtables, also from Jozsef.

6) Expose the init value for reproducible ipset listings, from Jozsef.

7) Use __printf attribute in nft_request_module, from Andrew Lunn.

8) Allow to use reject from the inet ingress chain.

* git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next:
  netfilter: nft_reject_inet: allow to use reject from inet ingress
  netfilter: nftables: Add __printf() attribute
  netfilter: ipset: Expose the initval hash parameter to userspace
  netfilter: ipset: Add bucketsize parameter to all hash types
  netfilter: ipset: Support the -exist flag with the destroy command
  netfilter: nft_reject: add reject verdict support for netdev
  netfilter: nft_reject: unify reject init and dump into nft_reject
  netfilter: nf_reject: add reject skbuff creation helpers
====================

Link: https://lore.kernel.org/r/20201104141149.30082-1-pablo@netfilter.org


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents ae23b55c 117ca1f8

include/linux/netfilter/ipset/ip_set.h

+5 −0
Original line number Diff line number Diff line
@@ -198,6 +198,9 @@ struct ip_set_region { 
	u32 elements;		/* Number of elements vs timeout */

};



/* The max revision number supported by any set type + 1 */

#define IPSET_REVISION_MAX	9



/* The core set type structure */

struct ip_set_type {

	struct list_head list;
@@ -215,6 +218,8 @@ struct ip_set_type { 
	u8 family;

	/* Type revisions */

	u8 revision_min, revision_max;

	/* Revision-specific supported (create) flags */

	u8 create_flags[IPSET_REVISION_MAX+1];

	/* Set features to control swapping */

	u16 features;

include/net/netfilter/ipv4/nf_reject.h

+10 −0
Original line number Diff line number Diff line
@@ -18,4 +18,14 @@ struct iphdr *nf_reject_iphdr_put(struct sk_buff *nskb, 
void nf_reject_ip_tcphdr_put(struct sk_buff *nskb, const struct sk_buff *oldskb,

			     const struct tcphdr *oth);



struct sk_buff *nf_reject_skb_v4_unreach(struct net *net,

                                         struct sk_buff *oldskb,

                                         const struct net_device *dev,

                                         int hook, u8 code);

struct sk_buff *nf_reject_skb_v4_tcp_reset(struct net *net,

					   struct sk_buff *oldskb,

					   const struct net_device *dev,

					   int hook);





#endif /* _IPV4_NF_REJECT_H */

include/net/netfilter/ipv6/nf_reject.h

+9 −0
Original line number Diff line number Diff line
@@ -20,4 +20,13 @@ void nf_reject_ip6_tcphdr_put(struct sk_buff *nskb, 
			      const struct sk_buff *oldskb,

			      const struct tcphdr *oth, unsigned int otcplen);



struct sk_buff *nf_reject_skb_v6_tcp_reset(struct net *net,

					   struct sk_buff *oldskb,

					   const struct net_device *dev,

					   int hook);

struct sk_buff *nf_reject_skb_v6_unreach(struct net *net,

					 struct sk_buff *oldskb,

					 const struct net_device *dev,

					 int hook, u8 code);



#endif /* _IPV6_NF_REJECT_H */

include/uapi/linux/netfilter/ipset/ip_set.h

+4 −2
Original line number Diff line number Diff line
@@ -92,11 +92,11 @@ enum { 
	/* Reserve empty slots */

	IPSET_ATTR_CADT_MAX = 16,

	/* Create-only specific attributes */

	IPSET_ATTR_GC,

	IPSET_ATTR_INITVAL,	/* was unused IPSET_ATTR_GC */

	IPSET_ATTR_HASHSIZE,

	IPSET_ATTR_MAXELEM,

	IPSET_ATTR_NETMASK,

	IPSET_ATTR_PROBES,

	IPSET_ATTR_BUCKETSIZE,	/* was unused IPSET_ATTR_PROBES */

	IPSET_ATTR_RESIZE,

	IPSET_ATTR_SIZE,

	/* Kernel-only */
@@ -214,6 +214,8 @@ enum ipset_cadt_flags { 
enum ipset_create_flags {

	IPSET_CREATE_FLAG_BIT_FORCEADD = 0,

	IPSET_CREATE_FLAG_FORCEADD = (1 << IPSET_CREATE_FLAG_BIT_FORCEADD),

	IPSET_CREATE_FLAG_BIT_BUCKETSIZE = 1,

	IPSET_CREATE_FLAG_BUCKETSIZE = (1 << IPSET_CREATE_FLAG_BIT_BUCKETSIZE),

	IPSET_CREATE_FLAG_BIT_MAX = 7,

};

net/bridge/netfilter/Kconfig

+1 −1
Original line number Diff line number Diff line
@@ -17,7 +17,7 @@ config NFT_BRIDGE_META 


config NFT_BRIDGE_REJECT

	tristate "Netfilter nf_tables bridge reject support"

	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6

	depends on NFT_REJECT

	help

	  Add support to reject packets.

CRA Git | Maintained and supported by SUSTech CRA and CCSE