diff options
| author | David S. Miller <davem@davemloft.net> | 2019-06-25 12:42:12 -0700 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-06-25 12:42:12 -0700 |
| commit | 27d92807f863173ecaf9eec5d3833bb5e31f440a (patch) | |
| tree | a645a1a2f7aea7faafcd67c6ba1bfd424b95cd7d /include/linux | |
| parent | 045df37e743c7448931131988e99e8fe0cc92a54 (diff) | |
| parent | 1c5ba67d2277ac2faf37c61076e8b5fa312be492 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter updates for net-next
The following patches contains Netfilter updates for net-next:
1) .br_defrag indirection depends on CONFIG_NF_DEFRAG_IPV6, from wenxu.
2) Remove unnecessary memset() in ipset, from Florent Fourcot.
3) Merge control plane addition and deletion in ipset, also from Florent.
4) A few missing check for nla_parse() in ipset, from Aditya Pakki
and Jozsef Kadlecsik.
5) Incorrect cleanup in error path of xt_set version 3, from Jozsef.
6) Memory accounting problems when resizing in ipset, from Stefano Brivio.
7) Jozsef updates his email to @netfilter.org, this batch comes with a
conflict resolution with recent SPDX header updates.
8) Add to create custom conntrack expectations via nftables, from
Stephane Veyret.
9) A lookup optimization for conntrack, from Florian Westphal.
10) Check for supported flags in xt_owner.
11) Support for pernet sysctl in br_netfilter, patches
from Christian Brauner.
12) Patches to move common synproxy infrastructure to nf_synproxy.c,
to prepare the synproxy support for nf_tables, patches from
Fernando Fernandez Mancera.
13) Support to restore expiration time in set element, from Laura Garcia.
14) Fix recent rewrite of netfilter IPv6 to avoid indirections
when CONFIG_IPV6 is unset, from Arnd Bergmann.
15) Always reset vlan tag on skbuff fraglist when refragmenting in
bridge conntrack, from wenxu.
16) Support to match IPv4 options in nf_tables, from Stephen Suryaputra.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/jhash.h | 2 | ||||
| -rw-r--r-- | include/linux/netfilter/ipset/ip_set.h | 2 | ||||
| -rw-r--r-- | include/linux/netfilter/ipset/ip_set_counter.h | 3 | ||||
| -rw-r--r-- | include/linux/netfilter/ipset/ip_set_skbinfo.h | 3 | ||||
| -rw-r--r-- | include/linux/netfilter/ipset/ip_set_timeout.h | 3 | ||||
| -rw-r--r-- | include/linux/netfilter_ipv6.h | 54 |
6 files changed, 55 insertions, 12 deletions
diff --git a/include/linux/jhash.h b/include/linux/jhash.h index 8037850f3104..ba2f6a9776b6 100644 --- a/include/linux/jhash.h +++ b/include/linux/jhash.h @@ -17,7 +17,7 @@ * if SELF_TEST is defined. You can use this free for any purpose. It's in * the public domain. It has no warranty. * - * Copyright (C) 2009-2010 Jozsef Kadlecsik (kadlec@blackhole.kfki.hu) + * Copyright (C) 2009-2010 Jozsef Kadlecsik (kadlec@netfilter.org) * * I've modified Bob's hash to be useful in the Linux kernel, and * any bugs present are my fault. diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index f5e03809cdb2..12ad9b1853b4 100644 --- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h @@ -2,7 +2,7 @@ /* Copyright (C) 2000-2002 Joakim Axelsson <gozem@linux.nu> * Patrick Schaaf <bof@bof.de> * Martin Josefsson <gandalf@wlug.westbo.se> - * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> + * Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> */ #ifndef _IP_SET_H #define _IP_SET_H diff --git a/include/linux/netfilter/ipset/ip_set_counter.h b/include/linux/netfilter/ipset/ip_set_counter.h index 5477492c8374..3400958c07be 100644 --- a/include/linux/netfilter/ipset/ip_set_counter.h +++ b/include/linux/netfilter/ipset/ip_set_counter.h @@ -2,8 +2,7 @@ #ifndef _IP_SET_COUNTER_H #define _IP_SET_COUNTER_H -/* Copyright (C) 2015 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> - */ +/* Copyright (C) 2015 Jozsef Kadlecsik <kadlec@netfilter.org> */ #ifdef __KERNEL__ diff --git a/include/linux/netfilter/ipset/ip_set_skbinfo.h b/include/linux/netfilter/ipset/ip_set_skbinfo.h index aae081e085c6..3a2df02dbd55 100644 --- a/include/linux/netfilter/ipset/ip_set_skbinfo.h +++ b/include/linux/netfilter/ipset/ip_set_skbinfo.h @@ -2,8 +2,7 @@ #ifndef _IP_SET_SKBINFO_H #define _IP_SET_SKBINFO_H -/* Copyright (C) 2015 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> - */ +/* Copyright (C) 2015 Jozsef Kadlecsik <kadlec@netfilter.org> */ #ifdef __KERNEL__ diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h b/include/linux/netfilter/ipset/ip_set_timeout.h index 88926b4c75f0..2be60e379ecf 100644 --- a/include/linux/netfilter/ipset/ip_set_timeout.h +++ b/include/linux/netfilter/ipset/ip_set_timeout.h @@ -2,8 +2,7 @@ #ifndef _IP_SET_TIMEOUT_H #define _IP_SET_TIMEOUT_H -/* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> - */ +/* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> */ #ifdef __KERNEL__ diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h index 3a3dc4b1f0e7..7beb681e1ce5 100644 --- a/include/linux/netfilter_ipv6.h +++ b/include/linux/netfilter_ipv6.h @@ -8,6 +8,7 @@ #define __LINUX_IP6_NETFILTER_H #include <uapi/linux/netfilter_ipv6.h> +#include <net/tcp.h> /* Extra routing may needed on local out, as the QUEUE target never returns * control to the table. @@ -35,6 +36,10 @@ struct nf_ipv6_ops { struct in6_addr *saddr); int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl, bool strict); + u32 (*cookie_init_sequence)(const struct ipv6hdr *iph, + const struct tcphdr *th, u16 *mssp); + int (*cookie_v6_check)(const struct ipv6hdr *iph, + const struct tcphdr *th, __u32 cookie); #endif void (*route_input)(struct sk_buff *skb); int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb, @@ -70,8 +75,10 @@ static inline int nf_ipv6_chk_addr(struct net *net, const struct in6_addr *addr, return 1; return v6_ops->chk_addr(net, addr, dev, strict); -#else +#elif IS_BUILTIN(CONFIG_IPV6) return ipv6_chk_addr(net, addr, dev, strict); +#else + return 1; #endif } @@ -108,8 +115,10 @@ static inline int nf_ipv6_br_defrag(struct net *net, struct sk_buff *skb, return 1; return v6_ops->br_defrag(net, skb, user); -#else +#elif IS_BUILTIN(CONFIG_IPV6) return nf_ct_frag6_gather(net, skb, user); +#else + return 1; #endif } @@ -133,8 +142,10 @@ static inline int nf_br_ip6_fragment(struct net *net, struct sock *sk, return 1; return v6_ops->br_fragment(net, sk, skb, data, output); -#else +#elif IS_BUILTIN(CONFIG_IPV6) return br_ip6_fragment(net, sk, skb, data, output); +#else + return 1; #endif } @@ -149,9 +160,44 @@ static inline int nf_ip6_route_me_harder(struct net *net, struct sk_buff *skb) return -EHOSTUNREACH; return v6_ops->route_me_harder(net, skb); -#else +#elif IS_BUILTIN(CONFIG_IPV6) return ip6_route_me_harder(net, skb); +#else + return -EHOSTUNREACH; +#endif +} + +static inline u32 nf_ipv6_cookie_init_sequence(const struct ipv6hdr *iph, + const struct tcphdr *th, + u16 *mssp) +{ +#if IS_ENABLED(CONFIG_SYN_COOKIES) +#if IS_MODULE(CONFIG_IPV6) + const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); + + if (v6_ops) + return v6_ops->cookie_init_sequence(iph, th, mssp); +#elif IS_BUILTIN(CONFIG_IPV6) + return __cookie_v6_init_sequence(iph, th, mssp); +#endif +#endif + return 0; +} + +static inline int nf_cookie_v6_check(const struct ipv6hdr *iph, + const struct tcphdr *th, __u32 cookie) +{ +#if IS_ENABLED(CONFIG_SYN_COOKIES) +#if IS_MODULE(CONFIG_IPV6) + const struct nf_ipv6_ops *v6_ops = nf_get_ipv6_ops(); + + if (v6_ops) + return v6_ops->cookie_v6_check(iph, th, cookie); +#elif IS_BUILTIN(CONFIG_IPV6) + return __cookie_v6_check(iph, th, cookie); +#endif #endif + return 0; } __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook, |