Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next tree:

1) Support for matching on ipsec policy already set in the route, from
   Florian Westphal.

2) Split set destruction into deactivate and destroy phase to make it
   fit better into the transaction infrastructure, also from Florian.
   This includes a patch to warn on imbalance when setting the new
   activate and deactivate interfaces.

3) Release transaction list from the workqueue to remove expensive
   synchronize_rcu() from configuration plane path. This speeds up
   configuration plane quite a bit. From Florian Westphal.

4) Add new xfrm/ipsec extension, this new extension allows you to match
   for ipsec tunnel keys such as source and destination address, spi and
   reqid. From Máté Eckl and Florian Westphal.

5) Add secmark support, this includes connsecmark too, patches
   from Christian Gottsche.

6) Allow to specify remaining bytes in xt_quota, from Chenbo Feng.
   One follow up patch to calm a clang warning for this one, from
   Nathan Chancellor.

7) Flush conntrack entries based on layer 3 family, from Kristian Evensen.

8) New revision for cgroups2 to shrink the path field.

9) Get rid of obsolete need_conntrack(), as a result from recent
   demodularization works.

10) Use WARN_ON instead of BUG_ON, from Florian Westphal.

11) Unused exported symbol in nf_nat_ipv4_fn(), from Florian.

12) Remove superfluous check for timeout netlink parser and dump
    functions in layer 4 conntrack helpers.

13) Unnecessary redundant rcu read side locks in NAT redirect,
    from Taehee Yoo.

14) Pass nf_hook_state structure to error handlers, patch from
    Florian Westphal.

15) Remove ->new() interface from layer 4 protocol trackers. Place
    them in the ->packet() interface. From Florian.

16) Place conntrack ->error() handling in the ->packet() interface.
    Patches from Florian Westphal.

17) Remove unused parameter in the pernet initialization path,
    also from Florian.

18) Remove additional parameter to specify layer 3 protocol when
    looking up for protocol tracker. From Florian.

19) Shrink array of layer 4 protocol trackers, from Florian.

20) Check for linear skb only once from the ALG NAT mangling
    codebase, from Taehee Yoo.

21) Use rhashtable_walk_enter() instead of deprecated
    rhashtable_walk_init(), also from Taehee.

22) No need to flush all conntracks when only one single address
    is gone, from Tan Hu.

23) Remove redundant check for NAT flags in flowtable code, from
    Taehee Yoo.

24) Use rhashtable_lookup() instead of rhashtable_lookup_fast()
    from netfilter codebase, since rcu read lock side is already
    assumed in this path.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
2018-10-08 21:28:55 -07:00
53 changed files with 1561 additions and 1060 deletions

View File

@@ -826,12 +826,14 @@ enum nft_meta_keys {
* @NFT_RT_NEXTHOP4: routing nexthop for IPv4
* @NFT_RT_NEXTHOP6: routing nexthop for IPv6
* @NFT_RT_TCPMSS: fetch current path tcp mss
* @NFT_RT_XFRM: boolean, skb->dst->xfrm != NULL
*/
enum nft_rt_keys {
NFT_RT_CLASSID,
NFT_RT_NEXTHOP4,
NFT_RT_NEXTHOP6,
NFT_RT_TCPMSS,
NFT_RT_XFRM,
__NFT_RT_MAX
};
#define NFT_RT_MAX (__NFT_RT_MAX - 1)
@@ -1174,6 +1176,21 @@ enum nft_quota_attributes {
};
#define NFTA_QUOTA_MAX (__NFTA_QUOTA_MAX - 1)
/**
* enum nft_secmark_attributes - nf_tables secmark object netlink attributes
*
* @NFTA_SECMARK_CTX: security context (NLA_STRING)
*/
enum nft_secmark_attributes {
NFTA_SECMARK_UNSPEC,
NFTA_SECMARK_CTX,
__NFTA_SECMARK_MAX,
};
#define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
/* Max security context length */
#define NFT_SECMARK_CTX_MAXLEN 256
/**
* enum nft_reject_types - nf_tables reject expression reject types
*
@@ -1430,7 +1447,8 @@ enum nft_ct_timeout_timeout_attributes {
#define NFT_OBJECT_CONNLIMIT 5
#define NFT_OBJECT_TUNNEL 6
#define NFT_OBJECT_CT_TIMEOUT 7
#define __NFT_OBJECT_MAX 8
#define NFT_OBJECT_SECMARK 8
#define __NFT_OBJECT_MAX 9
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
/**
@@ -1512,6 +1530,35 @@ enum nft_devices_attributes {
};
#define NFTA_DEVICE_MAX (__NFTA_DEVICE_MAX - 1)
/*
* enum nft_xfrm_attributes - nf_tables xfrm expr netlink attributes
*
* @NFTA_XFRM_DREG: destination register (NLA_U32)
* @NFTA_XFRM_KEY: enum nft_xfrm_keys (NLA_U32)
* @NFTA_XFRM_DIR: direction (NLA_U8)
* @NFTA_XFRM_SPNUM: index in secpath array (NLA_U32)
*/
enum nft_xfrm_attributes {
NFTA_XFRM_UNSPEC,
NFTA_XFRM_DREG,
NFTA_XFRM_KEY,
NFTA_XFRM_DIR,
NFTA_XFRM_SPNUM,
__NFTA_XFRM_MAX
};
#define NFTA_XFRM_MAX (__NFTA_XFRM_MAX - 1)
enum nft_xfrm_keys {
NFT_XFRM_KEY_UNSPEC,
NFT_XFRM_KEY_DADDR_IP4,
NFT_XFRM_KEY_DADDR_IP6,
NFT_XFRM_KEY_SADDR_IP4,
NFT_XFRM_KEY_SADDR_IP6,
NFT_XFRM_KEY_REQID,
NFT_XFRM_KEY_SPI,
__NFT_XFRM_KEY_MAX,
};
#define NFT_XFRM_KEY_MAX (__NFT_XFRM_KEY_MAX - 1)
/**
* enum nft_trace_attributes - nf_tables trace netlink attributes

View File

@@ -22,4 +22,20 @@ struct xt_cgroup_info_v1 {
void *priv __attribute__((aligned(8)));
};
#define XT_CGROUP_PATH_MAX 512
struct xt_cgroup_info_v2 {
__u8 has_path;
__u8 has_classid;
__u8 invert_path;
__u8 invert_classid;
union {
char path[XT_CGROUP_PATH_MAX];
__u32 classid;
};
/* kernel internal data */
void *priv __attribute__((aligned(8)));
};
#endif /* _UAPI_XT_CGROUP_H */

View File

@@ -15,9 +15,11 @@ struct xt_quota_info {
__u32 flags;
__u32 pad;
__aligned_u64 quota;
/* Used internally by the kernel */
struct xt_quota_priv *master;
#ifdef __KERNEL__
atomic64_t counter;
#else
__aligned_u64 remain;
#endif
};
#endif /* _XT_QUOTA_H */