Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for your net-next
tree. This batch contains connection tracking updates for the cleanup
iteration path, patches from Florian Westphal:

X) Skip unconfirmed conntracks in nf_ct_iterate_cleanup_net(), just set
   dying bit to let the CPU release them.

X) Add nf_ct_iterate_destroy() to be used on module removal, to kill
   conntrack from all namespace.

X) Restart iteration on hashtable resizing, since both may occur at
   the same time.

X) Use the new nf_ct_iterate_destroy() to remove conntrack with NAT
   mapping on module removal.

X) Use nf_ct_iterate_destroy() to remove conntrack entries helper
   module removal, from Liping Zhang.

X) Use nf_ct_iterate_cleanup_net() to remove the timeout extension
   if user requests this, also from Liping.

X) Add net_ns_barrier() and use it from FTP helper, so make sure
   no concurrent namespace removal happens at the same time while
   the helper module is being removed.

X) Use NFPROTO_MAX in layer 3 conntrack protocol array, to reduce
   module size. Same thing in nf_tables.

Updates for the nf_tables infrastructure:

X) Prepare usage of the extended ACK reporting infrastructure for
   nf_tables.

X) Remove unnecessary forward declaration in nf_tables hash set.

X) Skip set size estimation if number of element is not specified.

X) Changes to accommodate a (faster) unresizable hash set implementation,
   for anonymous sets and dynamic size fixed sets with no timeouts.

X) Faster lookup function for unresizable hash table for 2 and 4
   bytes key.

And, finally, a bunch of asorted small updates and cleanups:

X) Do not hold reference to netdev from ipt_CLUSTER, instead subscribe
   to device events and look up for index from the packet path, this
   is fixing an issue that is present since the very beginning, patch
   from Xin Long.

X) Use nf_register_net_hook() in ipt_CLUSTER, from Florian Westphal.

X) Use ebt_invalid_target() whenever possible in the ebtables tree,
   from Gao Feng.

X) Calm down compilation warning in nf_dup infrastructure, patch from
   stephen hemminger.

X) Statify functions in nftables rt expression, also from stephen.

X) Update Makefile to use canonical method to specify nf_tables-objs.
   From Jike Song.

X) Use nf_conntrack_helpers_register() in amanda and H323.

X) Space cleanup for ctnetlink, from linzhang.
====================

Signed-off-by: David S. Miller <[email protected]>
davem330 committed Jun 30, 2017
2 parents fcce2fd + 04ba724 commit 52a623b
Showing 37 changed files with 945 additions and 494 deletions.
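--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -1,7 +1,6 @@
 #ifndef _NFNETLINK_H
 #define _NFNETLINK_H
 
-
 #include <linux/netlink.h>
 #include <linux/capability.h>
 #include <net/netlink.h>
@@ -10,13 +9,16 @@
 struct nfnl_callback {
 int (*call)(struct net *net, struct sock *nl, struct sk_buff *skb,
 const struct nlmsghdr *nlh,
-const struct nlattr * const cda[]);
+const struct nlattr * const cda[],
+struct netlink_ext_ack *extack);
 int (*call_rcu)(struct net *net, struct sock *nl, struct sk_buff *skb,
 const struct nlmsghdr *nlh,
-const struct nlattr * const cda[]);
+const struct nlattr * const cda[],
+struct netlink_ext_ack *extack);
 int (*call_batch)(struct net *net, struct sock *nl, struct sk_buff *skb,
 const struct nlmsghdr *nlh,
-const struct nlattr * const cda[]);
+const struct nlattr * const cda[],
+struct netlink_ext_ack *extack);
 const struct nla_policy *policy; /* netlink attribute policy */
 const u_int16_t attr_count; /* number of nlattr's */
 };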
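Review bot: The new `extack` parameter added to all three callbacks of `struct nfnl_callback` is undocumented, and the struct carries no kernel-doc at all, so a reader must already know netlink's extended-ACK convention to use it correctly. I would add a comment above the struct, e.g. `/* extack: extended-ACK context a callback fills in to tell userspace which attribute or message failed; supplied by the nfnetlink receive path */`. Whether the core always passes a non-NULL extack is not visible in this hunk, so callbacks that dereference it unconditionally should be checked against the callers before relying on that. The struct's closing brace is inside the hunk but the header file continues past it.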
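--- a/include/linux/netfilter_bridge/ebtables.h
+++ b/include/linux/netfilter_bridge/ebtables.h
@@ -122,8 +122,6 @@ extern unsigned int ebt_do_table(struct sk_buff *skb,
 #define BASE_CHAIN (par->hook_mask & (1 << NF_BR_NUMHOOKS))
 /* Clear the bit in the hook mask that tells if the rule is on a base chain */
 #define CLEAR_BASE_CHAIN_BIT (par->hook_mask &= ~(1 << NF_BR_NUMHOOKS))
-/* True if the target is not a standard target */
-#define INVALID_TARGET (info->target < -NUM_STANDARD_TARGETS || info->target >= 0)
 
 static inline bool ebt_invalid_target(int target)
 {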
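--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -158,6 +158,7 @@ extern struct net init_net;
 struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns,
 struct net *old_net);
 
+void net_ns_barrier(void);
 #else /* CONFIG_NET_NS */
 #include <linux/sched.h>
 #include <linux/nsproxy.h>
@@ -168,6 +169,8 @@ static inline struct net *copy_net_ns(unsigned long flags,
 return ERR_PTR(-EINVAL);
 return old_net;
 }
+
+static inline void net_ns_barrier(void) {}
 #endif /* CONFIG_NET_NS */
 
 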
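--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -225,9 +225,13 @@ extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,
 u32 seq);
 
 /* Iterate over all conntracks: if iter returns true, it's deleted. */
-void nf_ct_iterate_cleanup(struct net *net,
-int (*iter)(struct nf_conn *i, void *data),
-void *data, u32 portid, int report);
+void nf_ct_iterate_cleanup_net(struct net *net,
+int (*iter)(struct nf_conn *i, void *data),
+void *data, u32 portid, int report);
+
+/* also set unconfirmed conntracks as dying. Only use in module exit path. */
+void nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data),
+void *data);
 
 struct nf_conntrack_zone;
 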
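Review bot: The comment on the new `nf_ct_iterate_destroy()` declaration says it marks unconfirmed conntracks as dying but not that it walks every network namespace, which is the property that makes it the right call for module removal (the commit message states it, the header does not). I would replace the one-liner with `/* Like nf_ct_iterate_cleanup_net() but walks all namespaces and also marks unconfirmed conntracks as dying. Only use in module exit path. */`. Recording this at the declaration matters because a caller that picks it outside the exit path would delete entries in namespaces it does not own.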
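--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -71,7 +71,7 @@ struct nf_conntrack_l3proto {
 struct module *me;
 };
 
-extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX];
+extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[NFPROTO_NUMPROTO];
 
 #ifdef CONFIG_SYSCTL
 /* Protocol pernet registration. */
@@ -100,7 +100,7 @@ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_generic;
 static inline struct nf_conntrack_l3proto *
 __nf_ct_l3proto_find(u_int16_t l3proto)
 {
-if (unlikely(l3proto >= AF_MAX))
+if (unlikely(l3proto >= NFPROTO_NUMPROTO))
 return &nf_conntrack_l3proto_generic;
 return rcu_dereference(nf_ct_l3protos[l3proto]);
 }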
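Review bot: `__nf_ct_l3proto_find()` now bounds-checks the index against `NFPROTO_NUMPROTO`, which keeps the read side safe, but shrinking `nf_ct_l3protos[]` from `AF_MAX` to `NFPROTO_NUMPROTO` is only sound if every writer uses the same bound; the register/unregister paths are not in this page, so they should be verified to reject `l3proto >= NFPROTO_NUMPROTO` rather than `>= AF_MAX`, otherwise a protocol registered under a larger address-family number becomes an out-of-bounds write into the table. A one-line comment on the array would record the invariant for the next person who touches it: `/* indexed by NFPROTO_*, not AF_*; bounded in __nf_ct_l3proto_find() and in the registration paths */`.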
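--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -281,6 +281,23 @@ struct nft_set_estimate {
 enum nft_set_class space;
 };
 
+/**
+* struct nft_set_type - nf_tables set type
+*
+* @select_ops: function to select nft_set_ops
+* @ops: default ops, used when no select_ops functions is present
+* @list: used internally
+* @owner: module reference
+*/
+struct nft_set_type {
+const struct nft_set_ops *(*select_ops)(const struct nft_ctx *,
+const struct nft_set_desc *desc,
+u32 flags);
+const struct nft_set_ops *ops;
+struct list_head list;
+struct module *owner;
+};
+
 struct nft_set_ext;
 struct nft_expr;
 
@@ -297,8 +314,6 @@ struct nft_expr;
 * @privsize: function to return size of set private data
 * @init: initialize private data of new set instance
 * @destroy: destroy private data of set instance
-* @list: nf_tables_set_ops list node
-* @owner: module reference
 * @elemsize: element private size
 * @features: features supported by the implementation
 */
@@ -336,7 +351,8 @@ struct nft_set_ops {
 struct nft_set *set,
 struct nft_set_iter *iter);
 
-unsigned int (*privsize)(const struct nlattr * const nla[]);
+unsigned int (*privsize)(const struct nlattr * const nla[],
+const struct nft_set_desc *desc);
 bool (*estimate)(const struct nft_set_desc *desc,
 u32 features,
 struct nft_set_estimate *est);
@@ -345,14 +361,13 @@ struct nft_set_ops {
 const struct nlattr * const nla[]);
 void (*destroy)(const struct nft_set *set);
 
-struct list_head list;
-struct module *owner;
 unsigned int elemsize;
 u32 features;
+const struct nft_set_type *type;
 };
 
-int nft_register_set(struct nft_set_ops *ops);
-void nft_unregister_set(struct nft_set_ops *ops);
+int nft_register_set(struct nft_set_type *type);
+void nft_unregister_set(struct nft_set_type *type);
 
 /**
 * struct nft_set - nf_tables set instance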
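Review bot: The kernel-doc for `struct nft_set_ops` drops `@list` and `@owner` but gains no entry for the new `type` member, so the generated documentation will warn about and omit it; add `* @type: nft_set_type this ops instance belongs to` after `@features`. The new `struct nft_set_type` kernel-doc also reads "when no select_ops functions is present", which should be "when no select_ops function is present". The `struct nft_set_ops` definition begins before the third hunk, so only part of its body is visible here.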
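--- a/net/bridge/netfilter/ebt_dnat.c
+++ b/net/bridge/netfilter/ebt_dnat.c
@@ -61,7 +61,7 @@ static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
 (strcmp(par->table, "broute") != 0 ||
 hook_mask & ~(1 << NF_BR_BROUTING)))
 return -EINVAL;
-if (INVALID_TARGET)
+if (ebt_invalid_target(info->target))
 return -EINVAL;
 return 0;
 }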
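--- a/net/bridge/netfilter/ebt_mark.c
+++ b/net/bridge/netfilter/ebt_mark.c
@@ -44,7 +44,7 @@ static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
 tmp = info->target | ~EBT_VERDICT_BITS;
 if (BASE_CHAIN && tmp == EBT_RETURN)
 return -EINVAL;
-if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
+if (ebt_invalid_target(tmp))
 return -EINVAL;
 tmp = info->target & ~EBT_VERDICT_BITS;
 if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&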
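--- a/net/bridge/netfilter/ebt_redirect.c
+++ b/net/bridge/netfilter/ebt_redirect.c
@@ -47,7 +47,7 @@ static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
 (strcmp(par->table, "broute") != 0 ||
 hook_mask & ~(1 << NF_BR_BROUTING)))
 return -EINVAL;
-if (INVALID_TARGET)
+if (ebt_invalid_target(info->target))
 return -EINVAL;
 return 0;
 }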
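--- a/net/bridge/netfilter/ebt_snat.c
+++ b/net/bridge/netfilter/ebt_snat.c
@@ -51,7 +51,7 @@ static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
 if (BASE_CHAIN && tmp == EBT_RETURN)
 return -EINVAL;
 
-if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
+if (ebt_invalid_target(tmp))
 return -EINVAL;
 tmp = info->target | EBT_VERDICT_BITS;
 if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)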
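--- a/net/core/net_namespace.c
+++ b/net/core/net_namespace.c
@@ -501,6 +501,23 @@ static void cleanup_net(struct work_struct *work)
 net_drop_ns(net);
 }
 }
+
+/**
+* net_ns_barrier - wait until concurrent net_cleanup_work is done
+*
+* cleanup_net runs from work queue and will first remove namespaces
+* from the global list, then run net exit functions.
+*
+* Call this in module exit path to make sure that all netns
+* ->exit ops have been invoked before the function is removed.
+*/
+void net_ns_barrier(void)
+{
+mutex_lock(&net_mutex);
+mutex_unlock(&net_mutex);
+}
+EXPORT_SYMBOL(net_ns_barrier);
+
 static DECLARE_WORK(net_cleanup_work, cleanup_net);
 
 void __put_net(struct net *net)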
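Review bot: `net_ns_barrier()` only waits for a `cleanup_net()` invocation that already holds `net_mutex`; a namespace whose cleanup work is queued but not yet running is unaffected, and going by the comment that cleanup_net first unlinks namespaces and then runs exit ops, such a namespace is presumably still on the global list and has to be handled by the caller's own iteration, so the barrier must be issued after that iteration, not before. This also relies on cleanup_net holding net_mutex across its exit ops, which the visible hunk does not show. The kernel-doc should state the ordering, e.g. add `* Call it after the module's own per-namespace teardown; it does not cover namespaces whose cleanup has not started yet.`, and "before the function is removed" should read "before the module is unloaded". The empty lock/unlock pair is a recognised barrier idiom, but a `/* serialize against an in-flight cleanup_net() */` comment inside the body would make that intent explicit.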
