Commit c5f095ba authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Add NFT_CHAIN_POLICY_UNSET to replace hardcoded -1 to
   specify that the chain policy is unset. The chain policy
   field is actually defined as an 8-bit unsigned integer.

2) Remove always true condition reported by smatch in
   chain policy check.

3) Fix element lookup on dynamic sets, from Florian Westphal.

4) Use __u8 in ebtables uapi header, from Masahiro Yamada.

5) Bogus EBUSY when removing flowtable after chain flush,
   from Laura Garcia Liebana.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 8ce39eb5 9b05b6e1

include/net/netfilter/nf_tables.h

+6 −0
Original line number Diff line number Diff line
@@ -889,6 +889,8 @@ enum nft_chain_flags { 
	NFT_CHAIN_HW_OFFLOAD		= 0x2,

};



#define NFT_CHAIN_POLICY_UNSET		U8_MAX



/**

 *	struct nft_chain - nf_tables chain

 *
@@ -1181,6 +1183,10 @@ struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 
					   const struct nlattr *nla,

					   u8 genmask);



void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,

				    struct nft_flowtable *flowtable,

				    enum nft_trans_phase phase);



void nft_register_flowtable_type(struct nf_flowtable_type *type);

void nft_unregister_flowtable_type(struct nf_flowtable_type *type);

include/uapi/linux/netfilter_bridge/ebtables.h

+3 −3
Original line number Diff line number Diff line
@@ -123,7 +123,7 @@ struct ebt_entry_match { 
	union {

		struct {

			char name[EBT_EXTENSION_MAXNAMELEN];

			uint8_t revision;

			__u8 revision;

		};

		struct xt_match *match;

	} u;
@@ -136,7 +136,7 @@ struct ebt_entry_watcher { 
	union {

		struct {

			char name[EBT_EXTENSION_MAXNAMELEN];

			uint8_t revision;

			__u8 revision;

		};

		struct xt_target *watcher;

	} u;
@@ -149,7 +149,7 @@ struct ebt_entry_target { 
	union {

		struct {

			char name[EBT_EXTENSION_MAXNAMELEN];

			uint8_t revision;

			__u8 revision;

		};

		struct xt_target *target;

	} u;

net/netfilter/nf_tables_api.c

+22 −3
Original line number Diff line number Diff line
@@ -1715,7 +1715,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask, 
		goto err2;

	}



	nft_trans_chain_policy(trans) = -1;

	nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;

	if (nft_is_base_chain(chain))

		nft_trans_chain_policy(trans) = policy;
@@ -3562,8 +3562,11 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk, 
			      NFT_SET_OBJECT))

			return -EINVAL;

		/* Only one of these operations is supported */

		if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==

			     (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))

		if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==

			     (NFT_SET_MAP | NFT_SET_OBJECT))

			return -EOPNOTSUPP;

		if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==

			     (NFT_SET_EVAL | NFT_SET_OBJECT))

			return -EOPNOTSUPP;

	}
@@ -5595,6 +5598,22 @@ struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table, 
}

EXPORT_SYMBOL_GPL(nft_flowtable_lookup);



void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,

				    struct nft_flowtable *flowtable,

				    enum nft_trans_phase phase)

{

	switch (phase) {

	case NFT_TRANS_PREPARE:

	case NFT_TRANS_ABORT:

	case NFT_TRANS_RELEASE:

		flowtable->use--;

		/* fall through */

	default:

		return;

	}

}

EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);



static struct nft_flowtable *

nft_flowtable_lookup_byhandle(const struct nft_table *table,

			      const struct nlattr *nla, u8 genmask)

net/netfilter/nf_tables_offload.c

+1 −1
Original line number Diff line number Diff line
@@ -313,7 +313,7 @@ static int nft_flow_offload_chain(struct nft_chain *chain, 
	policy = ppolicy ? *ppolicy : basechain->policy;



	/* Only default policy to accept is supported for now. */

	if (cmd == FLOW_BLOCK_BIND && policy != -1 && policy != NF_ACCEPT)

	if (cmd == FLOW_BLOCK_BIND && policy == NF_DROP)

		return -EOPNOTSUPP;



	if (dev->netdev_ops->ndo_setup_tc)

net/netfilter/nft_flow_offload.c

+19 −0
Original line number Diff line number Diff line
@@ -177,6 +177,23 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx, 
	return nf_ct_netns_get(ctx->net, ctx->family);

}



static void nft_flow_offload_deactivate(const struct nft_ctx *ctx,

					const struct nft_expr *expr,

					enum nft_trans_phase phase)

{

	struct nft_flow_offload *priv = nft_expr_priv(expr);



	nf_tables_deactivate_flowtable(ctx, priv->flowtable, phase);

}



static void nft_flow_offload_activate(const struct nft_ctx *ctx,

				      const struct nft_expr *expr)

{

	struct nft_flow_offload *priv = nft_expr_priv(expr);



	priv->flowtable->use++;

}



static void nft_flow_offload_destroy(const struct nft_ctx *ctx,

				     const struct nft_expr *expr)

{
@@ -205,6 +222,8 @@ static const struct nft_expr_ops nft_flow_offload_ops = { 
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_flow_offload)),

	.eval		= nft_flow_offload_eval,

	.init		= nft_flow_offload_init,

	.activate	= nft_flow_offload_activate,

	.deactivate	= nft_flow_offload_deactivate,

	.destroy	= nft_flow_offload_destroy,

	.validate	= nft_flow_offload_validate,

	.dump		= nft_flow_offload_dump,

CRA Git | Maintained and supported by SUSTech CRA and CCSE