Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains Netfilter updates for net-next: 1) Add nft_reg_store64() and nft_reg_load64() helpers, from Ander Juaristi. 2) Time matching support, also from Ander Juaristi. 3) VLAN support for nfnetlink_log, from Michael Braun. 4) Support for set element deletions from the packet path, also from Ander. 5) Remove __read_mostly from conntrack spinlock, from Li RongQing. 6) Support for updating stateful objects; this also includes the initial client for this infrastructure: the quota extension. A follow-up fix for the control plane also comes in this batch. Patches from Fernando Fernandez Mancera. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
@@ -2,6 +2,7 @@
|
||||
#ifndef _NET_NF_TABLES_H
|
||||
#define _NET_NF_TABLES_H
|
||||
|
||||
#include <asm/unaligned.h>
|
||||
#include <linux/list.h>
|
||||
#include <linux/netfilter.h>
|
||||
#include <linux/netfilter/nfnetlink.h>
|
||||
@@ -102,33 +103,43 @@ struct nft_regs {
|
||||
};
|
||||
};
|
||||
|
||||
/* Store/load an u16 or u8 integer to/from the u32 data register.
|
||||
/* Store/load an u8, u16 or u64 integer to/from the u32 data register.
|
||||
*
|
||||
* Note, when using concatenations, register allocation happens at 32-bit
|
||||
* level. So for store instruction, pad the rest part with zero to avoid
|
||||
* garbage values.
|
||||
*/
|
||||
|
||||
static inline void nft_reg_store16(u32 *dreg, u16 val)
|
||||
{
|
||||
*dreg = 0;
|
||||
*(u16 *)dreg = val;
|
||||
}
|
||||
|
||||
static inline void nft_reg_store8(u32 *dreg, u8 val)
|
||||
{
|
||||
*dreg = 0;
|
||||
*(u8 *)dreg = val;
|
||||
}
|
||||
|
||||
static inline u8 nft_reg_load8(u32 *sreg)
|
||||
{
|
||||
return *(u8 *)sreg;
|
||||
}
|
||||
|
||||
static inline void nft_reg_store16(u32 *dreg, u16 val)
|
||||
{
|
||||
*dreg = 0;
|
||||
*(u16 *)dreg = val;
|
||||
}
|
||||
|
||||
static inline u16 nft_reg_load16(u32 *sreg)
|
||||
{
|
||||
return *(u16 *)sreg;
|
||||
}
|
||||
|
||||
static inline u8 nft_reg_load8(u32 *sreg)
|
||||
static inline void nft_reg_store64(u32 *dreg, u64 val)
|
||||
{
|
||||
return *(u8 *)sreg;
|
||||
put_unaligned(val, (u64 *)dreg);
|
||||
}
|
||||
|
||||
static inline u64 nft_reg_load64(u32 *sreg)
|
||||
{
|
||||
return get_unaligned((u64 *)sreg);
|
||||
}
|
||||
|
||||
static inline void nft_data_copy(u32 *dst, const struct nft_data *src,
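Review bot: The updated header comment still speaks of a single u32 data register, but nft_reg_store64() and nft_reg_load64() access sizeof(u64) bytes through `(u64 *)dreg`/`(u64 *)sreg`, i.e. they span two consecutive 32-bit registers, and nothing in this hunk states that contract. I would extend the comment with ` * The 64-bit helpers span two consecutive 32-bit registers; callers must` / ` * have validated the register range for a sizeof(u64) access beforehand.` so that a new user of these helpers does not pair them with a 32-bit register validation. The padding note in the same comment applies only to the 8/16-bit stores; the 64-bit store overwrites both registers fully, which is presumably why it does not zero first — worth saying so. This is also a good place to make the loaders take `const u32 *sreg`, since none of them write through the pointer, but that would change the pre-existing nft_reg_load8()/nft_reg_load16() signatures too and may be better as a separate patch.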
|
||||
@@ -291,17 +302,23 @@ struct nft_expr;
|
||||
* struct nft_set_ops - nf_tables set operations
|
||||
*
|
||||
* @lookup: look up an element within the set
|
||||
* @update: update an element if exists, add it if doesn't exist
|
||||
* @delete: delete an element
|
||||
* @insert: insert new element into set
|
||||
* @activate: activate new element in the next generation
|
||||
* @deactivate: lookup for element and deactivate it in the next generation
|
||||
* @flush: deactivate element in the next generation
|
||||
* @remove: remove element from set
|
||||
* @walk: iterate over all set elemeennts
|
||||
* @walk: iterate over all set elements
|
||||
* @get: get set elements
|
||||
* @privsize: function to return size of set private data
|
||||
* @init: initialize private data of new set instance
|
||||
* @destroy: destroy private data of set instance
|
||||
* @elemsize: element private size
|
||||
*
|
||||
* Operations lookup, update and delete have simpler interfaces, are faster
|
||||
* and currently only used in the packet path. All the rest are slower,
|
||||
* control plane functions.
|
||||
*/
|
||||
struct nft_set_ops {
|
||||
bool (*lookup)(const struct net *net,
|
||||
@@ -316,6 +333,8 @@ struct nft_set_ops {
|
||||
const struct nft_expr *expr,
|
||||
struct nft_regs *regs,
|
||||
const struct nft_set_ext **ext);
|
||||
bool (*delete)(const struct nft_set *set,
|
||||
const u32 *key);
|
||||
|
||||
int (*insert)(const struct net *net,
|
||||
const struct nft_set *set,
|
||||
@@ -1108,6 +1127,7 @@ struct nft_object_type {
|
||||
* @init: initialize object from netlink attributes
|
||||
* @destroy: release existing stateful object
|
||||
* @dump: netlink dump stateful object
|
||||
* @update: update stateful object
|
||||
*/
|
||||
struct nft_object_ops {
|
||||
void (*eval)(struct nft_object *obj,
|
||||
@@ -1122,6 +1142,8 @@ struct nft_object_ops {
|
||||
int (*dump)(struct sk_buff *skb,
|
||||
struct nft_object *obj,
|
||||
bool reset);
|
||||
void (*update)(struct nft_object *obj,
|
||||
struct nft_object *newobj);
|
||||
const struct nft_object_type *type;
|
||||
};
|
||||
|
||||
@@ -1410,10 +1432,16 @@ struct nft_trans_elem {
|
||||
|
||||
struct nft_trans_obj {
|
||||
struct nft_object *obj;
|
||||
struct nft_object *newobj;
|
||||
bool update;
|
||||
};
|
||||
|
||||
#define nft_trans_obj(trans) \
|
||||
(((struct nft_trans_obj *)trans->data)->obj)
|
||||
#define nft_trans_obj_newobj(trans) \
|
||||
(((struct nft_trans_obj *)trans->data)->newobj)
|
||||
#define nft_trans_obj_update(trans) \
|
||||
(((struct nft_trans_obj *)trans->data)->update)
|
||||
|
||||
struct nft_trans_flowtable {
|
||||
struct nft_flowtable *flowtable;
|
||||
|