Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for net-next:

1) Rename mss field to mss_option field in synproxy, from Fernando Mancera.

2) Use SYSCTL_{ZERO,ONE} definitions in conntrack, from Matteo Croce.

3) More strict validation of IPVS sysctl values, from Junwei Hu.

4) Remove unnecessary spaces after on the right hand side of assignments,
   from yangxingwu.

5) Add offload support for bitwise operation.

6) Extend the nft_offload_reg structure to store immediate date.

7) Collapse several ip_set header files into ip_set.h, from
   Jeremy Sowden.

8) Make netfilter headers compile with CONFIG_KERNEL_HEADER_TEST=y,
   from Jeremy Sowden.

9) Fix several sparse warnings due to missing prototypes, from
   Valdis Kletnieks.

10) Use static lock initialiser to ensure connlabel spinlock is
    initialized on boot time to fix sched/act_ct.c, patch
    from Florian Westphal.
====================

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
This commit is contained in:
Jakub Kicinski 2019-08-13 18:22:57 -07:00
commit c162610c7d
76 changed files with 527 additions and 480 deletions

View File

@ -386,31 +386,6 @@ header-test- += linux/mvebu-pmsu.h
header-test- += linux/mxm-wmi.h
header-test- += linux/n_r3964.h
header-test- += linux/ndctl.h
header-test- += linux/netfilter/ipset/ip_set.h
header-test- += linux/netfilter/ipset/ip_set_bitmap.h
header-test- += linux/netfilter/ipset/ip_set_comment.h
header-test- += linux/netfilter/ipset/ip_set_counter.h
header-test- += linux/netfilter/ipset/ip_set_getport.h
header-test- += linux/netfilter/ipset/ip_set_hash.h
header-test- += linux/netfilter/ipset/ip_set_list.h
header-test- += linux/netfilter/ipset/ip_set_skbinfo.h
header-test- += linux/netfilter/ipset/ip_set_timeout.h
header-test- += linux/netfilter/nf_conntrack_amanda.h
header-test- += linux/netfilter/nf_conntrack_ftp.h
header-test- += linux/netfilter/nf_conntrack_h323.h
header-test- += linux/netfilter/nf_conntrack_h323_asn1.h
header-test- += linux/netfilter/nf_conntrack_irc.h
header-test- += linux/netfilter/nf_conntrack_pptp.h
header-test- += linux/netfilter/nf_conntrack_proto_gre.h
header-test- += linux/netfilter/nf_conntrack_sip.h
header-test- += linux/netfilter/nf_conntrack_snmp.h
header-test- += linux/netfilter/nf_conntrack_tftp.h
header-test- += linux/netfilter/x_tables.h
header-test- += linux/netfilter_arp/arp_tables.h
header-test- += linux/netfilter_bridge/ebtables.h
header-test- += linux/netfilter_ipv4/ip4_tables.h
header-test- += linux/netfilter_ipv4/ip_tables.h
header-test- += linux/netfilter_ipv6/ip6_tables.h
header-test- += linux/nfs.h
header-test- += linux/nfs_fs_i.h
header-test- += linux/nfs_fs_sb.h
@ -874,43 +849,6 @@ header-test- += net/mpls_iptunnel.h
header-test- += net/mrp.h
header-test- += net/ncsi.h
header-test- += net/netevent.h
header-test- += net/netfilter/br_netfilter.h
header-test- += net/netfilter/ipv4/nf_dup_ipv4.h
header-test- += net/netfilter/ipv6/nf_defrag_ipv6.h
header-test- += net/netfilter/ipv6/nf_dup_ipv6.h
header-test- += net/netfilter/nf_conntrack.h
header-test- += net/netfilter/nf_conntrack_acct.h
header-test- += net/netfilter/nf_conntrack_bridge.h
header-test- += net/netfilter/nf_conntrack_core.h
header-test- += net/netfilter/nf_conntrack_count.h
header-test- += net/netfilter/nf_conntrack_ecache.h
header-test- += net/netfilter/nf_conntrack_expect.h
header-test- += net/netfilter/nf_conntrack_extend.h
header-test- += net/netfilter/nf_conntrack_helper.h
header-test- += net/netfilter/nf_conntrack_l4proto.h
header-test- += net/netfilter/nf_conntrack_labels.h
header-test- += net/netfilter/nf_conntrack_seqadj.h
header-test- += net/netfilter/nf_conntrack_synproxy.h
header-test- += net/netfilter/nf_conntrack_timeout.h
header-test- += net/netfilter/nf_conntrack_timestamp.h
header-test- += net/netfilter/nf_conntrack_tuple.h
header-test- += net/netfilter/nf_dup_netdev.h
header-test- += net/netfilter/nf_flow_table.h
header-test- += net/netfilter/nf_nat.h
header-test- += net/netfilter/nf_nat_helper.h
header-test- += net/netfilter/nf_nat_masquerade.h
header-test- += net/netfilter/nf_nat_redirect.h
header-test- += net/netfilter/nf_queue.h
header-test- += net/netfilter/nf_reject.h
header-test- += net/netfilter/nf_synproxy.h
header-test-$(CONFIG_NF_TABLES) += net/netfilter/nf_tables.h
header-test-$(CONFIG_NF_TABLES) += net/netfilter/nf_tables_core.h
header-test-$(CONFIG_NF_TABLES) += net/netfilter/nf_tables_ipv4.h
header-test- += net/netfilter/nf_tables_ipv6.h
header-test-$(CONFIG_NF_TABLES) += net/netfilter/nf_tables_offload.h
header-test- += net/netfilter/nft_fib.h
header-test- += net/netfilter/nft_meta.h
header-test- += net/netfilter/nft_reject.h
header-test- += net/netns/can.h
header-test- += net/netns/generic.h
header-test- += net/netns/ieee802154_6lowpan.h
@ -1140,18 +1078,6 @@ header-test- += uapi/linux/kvm_para.h
header-test- += uapi/linux/lightnvm.h
header-test- += uapi/linux/mic_common.h
header-test- += uapi/linux/mman.h
header-test- += uapi/linux/netfilter/ipset/ip_set_bitmap.h
header-test- += uapi/linux/netfilter/ipset/ip_set_hash.h
header-test- += uapi/linux/netfilter/ipset/ip_set_list.h
header-test- += uapi/linux/netfilter/nf_synproxy.h
header-test- += uapi/linux/netfilter/xt_policy.h
header-test- += uapi/linux/netfilter/xt_set.h
header-test- += uapi/linux/netfilter_arp/arp_tables.h
header-test- += uapi/linux/netfilter_arp/arpt_mangle.h
header-test- += uapi/linux/netfilter_ipv4/ip_tables.h
header-test- += uapi/linux/netfilter_ipv4/ipt_LOG.h
header-test- += uapi/linux/netfilter_ipv6/ip6_tables.h
header-test- += uapi/linux/netfilter_ipv6/ip6t_LOG.h
header-test- += uapi/linux/nilfs2_ondisk.h
header-test- += uapi/linux/patchkey.h
header-test- += uapi/linux/ptrace.h

View File

@ -452,10 +452,240 @@ bitmap_bytes(u32 a, u32 b)
return 4 * ((((b - a + 8) / 8) + 3) / 4);
}
#include <linux/netfilter/ipset/ip_set_timeout.h>
#include <linux/netfilter/ipset/ip_set_comment.h>
#include <linux/netfilter/ipset/ip_set_counter.h>
#include <linux/netfilter/ipset/ip_set_skbinfo.h>
/* How often should the gc be run by default */
#define IPSET_GC_TIME (3 * 60)
/* Timeout period depending on the timeout value of the given set */
#define IPSET_GC_PERIOD(timeout) \
((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1)
/* Entry is set with no timeout value */
#define IPSET_ELEM_PERMANENT 0
/* Set is defined with timeout support: timeout value may be 0 */
#define IPSET_NO_TIMEOUT UINT_MAX
/* Max timeout value, see msecs_to_jiffies() in jiffies.h */
#define IPSET_MAX_TIMEOUT (UINT_MAX >> 1)/MSEC_PER_SEC
#define ip_set_adt_opt_timeout(opt, set) \
((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
static inline unsigned int
ip_set_timeout_uget(struct nlattr *tb)
{
unsigned int timeout = ip_set_get_h32(tb);
/* Normalize to fit into jiffies */
if (timeout > IPSET_MAX_TIMEOUT)
timeout = IPSET_MAX_TIMEOUT;
return timeout;
}
static inline bool
ip_set_timeout_expired(const unsigned long *t)
{
return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t);
}
static inline void
ip_set_timeout_set(unsigned long *timeout, u32 value)
{
unsigned long t;
if (!value) {
*timeout = IPSET_ELEM_PERMANENT;
return;
}
t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies;
if (t == IPSET_ELEM_PERMANENT)
/* Bingo! :-) */
t--;
*timeout = t;
}
static inline u32
ip_set_timeout_get(const unsigned long *timeout)
{
u32 t;
if (*timeout == IPSET_ELEM_PERMANENT)
return 0;
t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
/* Zero value in userspace means no timeout */
return t == 0 ? 1 : t;
}
static inline char*
ip_set_comment_uget(struct nlattr *tb)
{
return nla_data(tb);
}
/* Called from uadd only, protected by the set spinlock.
* The kadt functions don't use the comment extensions in any way.
*/
static inline void
ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment,
const struct ip_set_ext *ext)
{
struct ip_set_comment_rcu *c = rcu_dereference_protected(comment->c, 1);
size_t len = ext->comment ? strlen(ext->comment) : 0;
if (unlikely(c)) {
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
kfree_rcu(c, rcu);
rcu_assign_pointer(comment->c, NULL);
}
if (!len)
return;
if (unlikely(len > IPSET_MAX_COMMENT_SIZE))
len = IPSET_MAX_COMMENT_SIZE;
c = kmalloc(sizeof(*c) + len + 1, GFP_ATOMIC);
if (unlikely(!c))
return;
strlcpy(c->str, ext->comment, len + 1);
set->ext_size += sizeof(*c) + strlen(c->str) + 1;
rcu_assign_pointer(comment->c, c);
}
/* Used only when dumping a set, protected by rcu_read_lock() */
static inline int
ip_set_put_comment(struct sk_buff *skb, const struct ip_set_comment *comment)
{
struct ip_set_comment_rcu *c = rcu_dereference(comment->c);
if (!c)
return 0;
return nla_put_string(skb, IPSET_ATTR_COMMENT, c->str);
}
/* Called from uadd/udel, flush or the garbage collectors protected
* by the set spinlock.
* Called when the set is destroyed and when there can't be any user
* of the set data anymore.
*/
static inline void
ip_set_comment_free(struct ip_set *set, struct ip_set_comment *comment)
{
struct ip_set_comment_rcu *c;
c = rcu_dereference_protected(comment->c, 1);
if (unlikely(!c))
return;
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
kfree_rcu(c, rcu);
rcu_assign_pointer(comment->c, NULL);
}
static inline void
ip_set_add_bytes(u64 bytes, struct ip_set_counter *counter)
{
atomic64_add((long long)bytes, &(counter)->bytes);
}
static inline void
ip_set_add_packets(u64 packets, struct ip_set_counter *counter)
{
atomic64_add((long long)packets, &(counter)->packets);
}
static inline u64
ip_set_get_bytes(const struct ip_set_counter *counter)
{
return (u64)atomic64_read(&(counter)->bytes);
}
static inline u64
ip_set_get_packets(const struct ip_set_counter *counter)
{
return (u64)atomic64_read(&(counter)->packets);
}
static inline bool
ip_set_match_counter(u64 counter, u64 match, u8 op)
{
switch (op) {
case IPSET_COUNTER_NONE:
return true;
case IPSET_COUNTER_EQ:
return counter == match;
case IPSET_COUNTER_NE:
return counter != match;
case IPSET_COUNTER_LT:
return counter < match;
case IPSET_COUNTER_GT:
return counter > match;
}
return false;
}
static inline void
ip_set_update_counter(struct ip_set_counter *counter,
const struct ip_set_ext *ext, u32 flags)
{
if (ext->packets != ULLONG_MAX &&
!(flags & IPSET_FLAG_SKIP_COUNTER_UPDATE)) {
ip_set_add_bytes(ext->bytes, counter);
ip_set_add_packets(ext->packets, counter);
}
}
static inline bool
ip_set_put_counter(struct sk_buff *skb, const struct ip_set_counter *counter)
{
return nla_put_net64(skb, IPSET_ATTR_BYTES,
cpu_to_be64(ip_set_get_bytes(counter)),
IPSET_ATTR_PAD) ||
nla_put_net64(skb, IPSET_ATTR_PACKETS,
cpu_to_be64(ip_set_get_packets(counter)),
IPSET_ATTR_PAD);
}
static inline void
ip_set_init_counter(struct ip_set_counter *counter,
const struct ip_set_ext *ext)
{
if (ext->bytes != ULLONG_MAX)
atomic64_set(&(counter)->bytes, (long long)(ext->bytes));
if (ext->packets != ULLONG_MAX)
atomic64_set(&(counter)->packets, (long long)(ext->packets));
}
static inline void
ip_set_get_skbinfo(struct ip_set_skbinfo *skbinfo,
const struct ip_set_ext *ext,
struct ip_set_ext *mext, u32 flags)
{
mext->skbinfo = *skbinfo;
}
static inline bool
ip_set_put_skbinfo(struct sk_buff *skb, const struct ip_set_skbinfo *skbinfo)
{
/* Send nonzero parameters only */
return ((skbinfo->skbmark || skbinfo->skbmarkmask) &&
nla_put_net64(skb, IPSET_ATTR_SKBMARK,
cpu_to_be64((u64)skbinfo->skbmark << 32 |
skbinfo->skbmarkmask),
IPSET_ATTR_PAD)) ||
(skbinfo->skbprio &&
nla_put_net32(skb, IPSET_ATTR_SKBPRIO,
cpu_to_be32(skbinfo->skbprio))) ||
(skbinfo->skbqueue &&
nla_put_net16(skb, IPSET_ATTR_SKBQUEUE,
cpu_to_be16(skbinfo->skbqueue)));
}
static inline void
ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo,
const struct ip_set_ext *ext)
{
*skbinfo = ext->skbinfo;
}
#define IP_SET_INIT_KEXT(skb, opt, set) \
{ .bytes = (skb)->len, .packets = 1, \

View File

@ -1,73 +0,0 @@
/* SPDX-License-Identifier: GPL-2.0-only */
#ifndef _IP_SET_COMMENT_H
#define _IP_SET_COMMENT_H
/* Copyright (C) 2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
*/
#ifdef __KERNEL__
static inline char*
ip_set_comment_uget(struct nlattr *tb)
{
return nla_data(tb);
}
/* Called from uadd only, protected by the set spinlock.
* The kadt functions don't use the comment extensions in any way.
*/
static inline void
ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment,
const struct ip_set_ext *ext)
{
struct ip_set_comment_rcu *c = rcu_dereference_protected(comment->c, 1);
size_t len = ext->comment ? strlen(ext->comment) : 0;
if (unlikely(c)) {
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
kfree_rcu(c, rcu);
rcu_assign_pointer(comment->c, NULL);
}
if (!len)
return;
if (unlikely(len > IPSET_MAX_COMMENT_SIZE))
len = IPSET_MAX_COMMENT_SIZE;
c = kmalloc(sizeof(*c) + len + 1, GFP_ATOMIC);
if (unlikely(!c))
return;
strlcpy(c->str, ext->comment, len + 1);
set->ext_size += sizeof(*c) + strlen(c->str) + 1;
rcu_assign_pointer(comment->c, c);
}
/* Used only when dumping a set, protected by rcu_read_lock() */
static inline int
ip_set_put_comment(struct sk_buff *skb, const struct ip_set_comment *comment)
{
struct ip_set_comment_rcu *c = rcu_dereference(comment->c);
if (!c)
return 0;
return nla_put_string(skb, IPSET_ATTR_COMMENT, c->str);
}
/* Called from uadd/udel, flush or the garbage collectors protected
* by the set spinlock.
* Called when the set is destroyed and when there can't be any user
* of the set data anymore.
*/
static inline void
ip_set_comment_free(struct ip_set *set, struct ip_set_comment *comment)
{
struct ip_set_comment_rcu *c;
c = rcu_dereference_protected(comment->c, 1);
if (unlikely(!c))
return;
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
kfree_rcu(c, rcu);
rcu_assign_pointer(comment->c, NULL);
}
#endif
#endif

View File

@ -1,84 +0,0 @@
/* SPDX-License-Identifier: GPL-2.0-only */
#ifndef _IP_SET_COUNTER_H
#define _IP_SET_COUNTER_H
/* Copyright (C) 2015 Jozsef Kadlecsik <kadlec@netfilter.org> */
#ifdef __KERNEL__
static inline void
ip_set_add_bytes(u64 bytes, struct ip_set_counter *counter)
{
atomic64_add((long long)bytes, &(counter)->bytes);
}
static inline void
ip_set_add_packets(u64 packets, struct ip_set_counter *counter)
{
atomic64_add((long long)packets, &(counter)->packets);
}
static inline u64
ip_set_get_bytes(const struct ip_set_counter *counter)
{
return (u64)atomic64_read(&(counter)->bytes);
}
static inline u64
ip_set_get_packets(const struct ip_set_counter *counter)
{
return (u64)atomic64_read(&(counter)->packets);
}
static inline bool
ip_set_match_counter(u64 counter, u64 match, u8 op)
{
switch (op) {
case IPSET_COUNTER_NONE:
return true;
case IPSET_COUNTER_EQ:
return counter == match;
case IPSET_COUNTER_NE:
return counter != match;
case IPSET_COUNTER_LT:
return counter < match;
case IPSET_COUNTER_GT:
return counter > match;
}
return false;
}
static inline void
ip_set_update_counter(struct ip_set_counter *counter,
const struct ip_set_ext *ext, u32 flags)
{
if (ext->packets != ULLONG_MAX &&
!(flags & IPSET_FLAG_SKIP_COUNTER_UPDATE)) {
ip_set_add_bytes(ext->bytes, counter);
ip_set_add_packets(ext->packets, counter);
}
}
static inline bool
ip_set_put_counter(struct sk_buff *skb, const struct ip_set_counter *counter)
{
return nla_put_net64(skb, IPSET_ATTR_BYTES,
cpu_to_be64(ip_set_get_bytes(counter)),
IPSET_ATTR_PAD) ||
nla_put_net64(skb, IPSET_ATTR_PACKETS,
cpu_to_be64(ip_set_get_packets(counter)),
IPSET_ATTR_PAD);
}
static inline void
ip_set_init_counter(struct ip_set_counter *counter,
const struct ip_set_ext *ext)
{
if (ext->bytes != ULLONG_MAX)
atomic64_set(&(counter)->bytes, (long long)(ext->bytes));
if (ext->packets != ULLONG_MAX)
atomic64_set(&(counter)->packets, (long long)(ext->packets));
}
#endif /* __KERNEL__ */
#endif /* _IP_SET_COUNTER_H */

View File

@ -2,6 +2,10 @@
#ifndef _IP_SET_GETPORT_H
#define _IP_SET_GETPORT_H
#include <linux/skbuff.h>
#include <linux/types.h>
#include <uapi/linux/in.h>
extern bool ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
__be16 *port, u8 *proto);

View File

@ -1,42 +0,0 @@
/* SPDX-License-Identifier: GPL-2.0-only */
#ifndef _IP_SET_SKBINFO_H
#define _IP_SET_SKBINFO_H
/* Copyright (C) 2015 Jozsef Kadlecsik <kadlec@netfilter.org> */
#ifdef __KERNEL__
static inline void
ip_set_get_skbinfo(struct ip_set_skbinfo *skbinfo,
const struct ip_set_ext *ext,
struct ip_set_ext *mext, u32 flags)
{
mext->skbinfo = *skbinfo;
}
static inline bool
ip_set_put_skbinfo(struct sk_buff *skb, const struct ip_set_skbinfo *skbinfo)
{
/* Send nonzero parameters only */
return ((skbinfo->skbmark || skbinfo->skbmarkmask) &&
nla_put_net64(skb, IPSET_ATTR_SKBMARK,
cpu_to_be64((u64)skbinfo->skbmark << 32 |
skbinfo->skbmarkmask),
IPSET_ATTR_PAD)) ||
(skbinfo->skbprio &&
nla_put_net32(skb, IPSET_ATTR_SKBPRIO,
cpu_to_be32(skbinfo->skbprio))) ||
(skbinfo->skbqueue &&
nla_put_net16(skb, IPSET_ATTR_SKBQUEUE,
cpu_to_be16(skbinfo->skbqueue)));
}
static inline void
ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo,
const struct ip_set_ext *ext)
{
*skbinfo = ext->skbinfo;
}
#endif /* __KERNEL__ */
#endif /* _IP_SET_SKBINFO_H */

View File

@ -1,77 +0,0 @@
/* SPDX-License-Identifier: GPL-2.0-only */
#ifndef _IP_SET_TIMEOUT_H
#define _IP_SET_TIMEOUT_H
/* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> */
#ifdef __KERNEL__
/* How often should the gc be run by default */
#define IPSET_GC_TIME (3 * 60)
/* Timeout period depending on the timeout value of the given set */
#define IPSET_GC_PERIOD(timeout) \
((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1)
/* Entry is set with no timeout value */
#define IPSET_ELEM_PERMANENT 0
/* Set is defined with timeout support: timeout value may be 0 */
#define IPSET_NO_TIMEOUT UINT_MAX
/* Max timeout value, see msecs_to_jiffies() in jiffies.h */
#define IPSET_MAX_TIMEOUT (UINT_MAX >> 1)/MSEC_PER_SEC
#define ip_set_adt_opt_timeout(opt, set) \
((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
static inline unsigned int
ip_set_timeout_uget(struct nlattr *tb)
{
unsigned int timeout = ip_set_get_h32(tb);
/* Normalize to fit into jiffies */
if (timeout > IPSET_MAX_TIMEOUT)
timeout = IPSET_MAX_TIMEOUT;
return timeout;
}
static inline bool
ip_set_timeout_expired(const unsigned long *t)
{
return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t);
}
static inline void
ip_set_timeout_set(unsigned long *timeout, u32 value)
{
unsigned long t;
if (!value) {
*timeout = IPSET_ELEM_PERMANENT;
return;
}
t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies;
if (t == IPSET_ELEM_PERMANENT)
/* Bingo! :-) */
t--;
*timeout = t;
}
static inline u32
ip_set_timeout_get(const unsigned long *timeout)
{
u32 t;
if (*timeout == IPSET_ELEM_PERMANENT)
return 0;
t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
/* Zero value in userspace means no timeout */
return t == 0 ? 1 : t;
}
#endif /* __KERNEL__ */
#endif /* _IP_SET_TIMEOUT_H */

View File

@ -3,6 +3,10 @@
#define _NF_CONNTRACK_AMANDA_H
/* AMANDA tracking. */
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack_expect.h>
extern unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
unsigned int protoff,

View File

@ -25,7 +25,6 @@ enum ct_dccp_roles {
};
#define CT_DCCP_ROLE_MAX (__CT_DCCP_ROLE_MAX - 1)
#ifdef __KERNEL__
#include <linux/netfilter/nf_conntrack_tuple_common.h>
struct nf_ct_dccp {
@ -36,6 +35,4 @@ struct nf_ct_dccp {
u_int64_t handshake_seq;
};
#endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_DCCP_H */

View File

@ -2,8 +2,12 @@
#ifndef _NF_CONNTRACK_FTP_H
#define _NF_CONNTRACK_FTP_H
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/types.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
#define FTP_PORT 21
@ -20,8 +24,6 @@ struct nf_ct_ftp_master {
u_int16_t flags[IP_CT_DIR_MAX];
};
struct nf_conntrack_expect;
/* For NAT to hook in when we find a packet which describes what other
* connection we should expect. */
extern unsigned int (*nf_nat_ftp_hook)(struct sk_buff *skb,

View File

@ -2,9 +2,12 @@
#ifndef _NF_CONNTRACK_H323_H
#define _NF_CONNTRACK_H323_H
#ifdef __KERNEL__
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/types.h>
#include <linux/netfilter/nf_conntrack_h323_asn1.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
#define RAS_PORT 1719
#define Q931_PORT 1720
@ -28,8 +31,6 @@ struct nf_ct_h323_master {
};
};
struct nf_conn;
int get_h225_addr(struct nf_conn *ct, unsigned char *data,
TransportAddress *taddr, union nf_inet_addr *addr,
__be16 *port);
@ -94,5 +95,3 @@ extern int (*nat_q931_hook) (struct sk_buff *skb, struct nf_conn *ct,
struct nf_conntrack_expect *exp);
#endif
#endif

View File

@ -37,6 +37,8 @@
/*****************************************************************************
* H.323 Types
****************************************************************************/
#include <linux/types.h>
#include <linux/netfilter/nf_conntrack_h323_types.h>
typedef struct {

View File

@ -2,7 +2,9 @@
#ifndef _NF_CONNTRACK_IRC_H
#define _NF_CONNTRACK_IRC_H
#ifdef __KERNEL__
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack_expect.h>
#define IRC_PORT 6667
@ -13,5 +15,4 @@ extern unsigned int (*nf_nat_irc_hook)(struct sk_buff *skb,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
#endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_IRC_H */

View File

@ -3,7 +3,12 @@
#ifndef _NF_CONNTRACK_PPTP_H
#define _NF_CONNTRACK_PPTP_H
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/types.h>
#include <linux/netfilter/nf_conntrack_common.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
extern const char *const pptp_msg_name[];
@ -45,8 +50,6 @@ struct nf_nat_pptp {
__be16 pac_call_id; /* NAT'ed PAC call id */
};
#ifdef __KERNEL__
#define PPTP_CONTROL_PORT 1723
#define PPTP_PACKET_CONTROL 1
@ -297,10 +300,6 @@ union pptp_ctrl_union {
struct PptpSetLinkInfo setlink;
};
/* crap needed for nf_conntrack_compat.h */
struct nf_conn;
struct nf_conntrack_expect;
extern int
(*nf_nat_pptp_hook_outbound)(struct sk_buff *skb,
struct nf_conn *ct, enum ip_conntrack_info ctinfo,
@ -323,5 +322,4 @@ extern void
(*nf_nat_pptp_hook_expectfn)(struct nf_conn *ct,
struct nf_conntrack_expect *exp);
#endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_PPTP_H */

View File

@ -10,7 +10,6 @@ struct nf_ct_gre {
unsigned int timeout;
};
#ifdef __KERNEL__
#include <net/netfilter/nf_conntrack_tuple.h>
struct nf_conn;
@ -32,5 +31,4 @@ void nf_ct_gre_keymap_destroy(struct nf_conn *ct);
bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
struct net *net, struct nf_conntrack_tuple *tuple);
#endif /* __KERNEL__ */
#endif /* _CONNTRACK_PROTO_GRE_H */

View File

@ -3,8 +3,6 @@
#define _NF_CONNTRACK_SANE_H
/* SANE tracking. */
#ifdef __KERNEL__
#define SANE_PORT 6566
enum sane_state {
@ -17,6 +15,4 @@ struct nf_ct_sane_master {
enum sane_state state;
};
#endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_SANE_H */

View File

@ -1,11 +1,10 @@
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef __NF_CONNTRACK_SIP_H__
#define __NF_CONNTRACK_SIP_H__
#ifdef __KERNEL__
#include <net/netfilter/nf_conntrack_expect.h>
#include <linux/skbuff.h>
#include <linux/types.h>
#include <net/netfilter/nf_conntrack_expect.h>
#define SIP_PORT 5060
#define SIP_TIMEOUT 3600
@ -196,5 +195,4 @@ int ct_sip_get_sdp_header(const struct nf_conn *ct, const char *dptr,
enum sdp_header_types term,
unsigned int *matchoff, unsigned int *matchlen);
#endif /* __KERNEL__ */
#endif /* __NF_CONNTRACK_SIP_H__ */

View File

@ -2,6 +2,9 @@
#ifndef _NF_CONNTRACK_SNMP_H
#define _NF_CONNTRACK_SNMP_H
#include <linux/netfilter.h>
#include <linux/skbuff.h>
extern int (*nf_nat_snmp_hook)(struct sk_buff *skb,
unsigned int protoff,
struct nf_conn *ct,

View File

@ -4,6 +4,11 @@
#define TFTP_PORT 69
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/types.h>
#include <net/netfilter/nf_conntrack_expect.h>
struct tftphdr {
__be16 opcode;
};

View File

@ -35,12 +35,15 @@ struct xt_action_param {
union {
const void *matchinfo, *targinfo;
};
#if IS_ENABLED(CONFIG_NETFILTER)
const struct nf_hook_state *state;
#endif
int fragoff;
unsigned int thoff;
bool hotdrop;
};
#if IS_ENABLED(CONFIG_NETFILTER)
static inline struct net *xt_net(const struct xt_action_param *par)
{
return par->state->net;
@ -75,6 +78,7 @@ static inline u_int8_t xt_family(const struct xt_action_param *par)
{
return par->state->pf;
}
#endif
/**
* struct xt_mtchk_param - parameters for match extensions'
@ -446,7 +450,9 @@ xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
return cnt;
}
#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
#endif
#ifdef CONFIG_COMPAT
#include <net/compat.h>

View File

@ -49,6 +49,7 @@ struct arpt_error {
}
extern void *arpt_alloc_initial_table(const struct xt_table *);
#if IS_ENABLED(CONFIG_NETFILTER)
int arpt_register_table(struct net *net, const struct xt_table *table,
const struct arpt_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
@ -57,6 +58,7 @@ void arpt_unregister_table(struct net *net, struct xt_table *table,
extern unsigned int arpt_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct xt_table *table);
#endif
#ifdef CONFIG_COMPAT
#include <net/compat.h>

View File

@ -105,6 +105,7 @@ struct ebt_table {
#define EBT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) & \
~(__alignof__(struct _xt_align)-1))
#if IS_ENABLED(CONFIG_NETFILTER)
extern int ebt_register_table(struct net *net,
const struct ebt_table *table,
const struct nf_hook_ops *ops,
@ -114,6 +115,7 @@ extern void ebt_unregister_table(struct net *net, struct ebt_table *table,
extern unsigned int ebt_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct ebt_table *table);
#endif
/* True if the hook mask denotes that the rule is in a base chain,
* used in the check() functions */

View File

@ -25,11 +25,13 @@
extern void ipt_init(void) __init;
#if IS_ENABLED(CONFIG_NETFILTER)
int ipt_register_table(struct net *net, const struct xt_table *table,
const struct ipt_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
void ipt_unregister_table(struct net *net, struct xt_table *table,
const struct nf_hook_ops *ops);
#endif
/* Standard entry. */
struct ipt_standard {
@ -65,9 +67,11 @@ struct ipt_error {
}
extern void *ipt_alloc_initial_table(const struct xt_table *);
#if IS_ENABLED(CONFIG_NETFILTER)
extern unsigned int ipt_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct xt_table *table);
#endif
#ifdef CONFIG_COMPAT
#include <net/compat.h>

View File

@ -26,6 +26,7 @@
extern void ip6t_init(void) __init;
extern void *ip6t_alloc_initial_table(const struct xt_table *);
#if IS_ENABLED(CONFIG_NETFILTER)
int ip6t_register_table(struct net *net, const struct xt_table *table,
const struct ip6t_replace *repl,
const struct nf_hook_ops *ops, struct xt_table **res);
@ -34,6 +35,7 @@ void ip6t_unregister_table(struct net *net, struct xt_table *table,
extern unsigned int ip6t_do_table(struct sk_buff *skb,
const struct nf_hook_state *state,
struct xt_table *table);
#endif
/* Check for an extension */
static inline int

View File

@ -2,16 +2,22 @@
#ifndef _BR_NETFILTER_H_
#define _BR_NETFILTER_H_
#include <linux/netfilter.h>
#include "../../../net/bridge/br_private.h"
static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
{
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
struct nf_bridge_info *b = skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
if (b)
memset(b, 0, sizeof(*b));
return b;
#else
return NULL;
#endif
}
void nf_bridge_update_protocol(struct sk_buff *skb);
@ -36,15 +42,20 @@ int br_nf_pre_routing_finish_bridge(struct net *net, struct sock *sk, struct sk_
static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
{
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
struct net_bridge_port *port;
port = br_port_get_rcu(dev);
return port ? &port->br->fake_rtable : NULL;
#else
return NULL;
#endif
}
struct net_device *setup_pre_routing(struct sk_buff *skb,
const struct net *net);
#if IS_ENABLED(CONFIG_NETFILTER)
#if IS_ENABLED(CONFIG_IPV6)
int br_validate_ipv6(struct net *net, struct sk_buff *skb);
unsigned int br_nf_pre_routing_ipv6(void *priv,
@ -63,5 +74,6 @@ br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
return NF_ACCEPT;
}
#endif
#endif
#endif /* _BR_NETFILTER_H_ */

View File

@ -2,6 +2,9 @@
#ifndef _NF_DUP_IPV4_H_
#define _NF_DUP_IPV4_H_
#include <linux/skbuff.h>
#include <uapi/linux/in.h>
void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in_addr *gw, int oif);

View File

@ -2,7 +2,9 @@
#ifndef _NF_DEFRAG_IPV6_H
#define _NF_DEFRAG_IPV6_H
struct net;
#include <linux/skbuff.h>
#include <linux/types.h>
int nf_defrag_ipv6_enable(struct net *);
int nf_ct_frag6_init(void);

View File

@ -2,6 +2,8 @@
#ifndef _NF_DUP_IPV6_H_
#define _NF_DUP_IPV6_H_
#include <linux/skbuff.h>
void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in6_addr *gw, int oif);

View File

@ -59,6 +59,7 @@ struct nf_conntrack_net {
#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
struct nf_conn {
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* Usage count in here is 1 for hash table, 1 per skb,
* plus 1 for any connection(s) we are `master' for
*
@ -68,6 +69,7 @@ struct nf_conn {
* beware nf_ct_get() is different and don't inc refcnt.
*/
struct nf_conntrack ct_general;
#endif
spinlock_t lock;
/* jiffies32 when this ct is considered dead */
@ -148,6 +150,8 @@ void nf_conntrack_alter_reply(struct nf_conn *ct,
int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
const struct nf_conn *ignored_conntrack);
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
#define NFCT_INFOMASK 7UL
#define NFCT_PTRMASK ~(NFCT_INFOMASK)
@ -167,6 +171,8 @@ static inline void nf_ct_put(struct nf_conn *ct)
nf_conntrack_put(&ct->ct_general);
}
#endif
/* Protocol module loading */
int nf_ct_l3proto_try_module_get(unsigned short l3proto);
void nf_ct_l3proto_module_put(unsigned short l3proto);
@ -318,12 +324,16 @@ void nf_ct_tmpl_free(struct nf_conn *tmpl);
u32 nf_ct_get_id(const struct nf_conn *ct);
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
static inline void
nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
{
skb->_nfct = (unsigned long)ct | info;
}
#endif
#define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
#define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))

View File

@ -29,6 +29,7 @@ struct nf_conn_acct *nf_conn_acct_find(const struct nf_conn *ct)
static inline
struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
struct net *net = nf_ct_net(ct);
struct nf_conn_acct *acct;
@ -41,22 +42,34 @@ struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
return acct;
#else
return NULL;
#endif
};
/* Check if connection tracking accounting is enabled */
static inline bool nf_ct_acct_enabled(struct net *net)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
return net->ct.sysctl_acct != 0;
#else
return false;
#endif
}
/* Enable/disable connection tracking accounting */
static inline void nf_ct_set_acct(struct net *net, bool enable)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
net->ct.sysctl_acct = enable;
#endif
}
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
void nf_conntrack_acct_pernet_init(struct net *net);
int nf_conntrack_acct_init(void);
void nf_conntrack_acct_fini(void);
#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
#endif /* _NF_CONNTRACK_ACCT_H */

View File

@ -1,8 +1,14 @@
#ifndef NF_CONNTRACK_BRIDGE_
#define NF_CONNTRACK_BRIDGE_
#include <linux/module.h>
#include <linux/types.h>
#include <uapi/linux/if_ether.h>
struct nf_ct_bridge_info {
#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops *ops;
#endif
unsigned int ops_size;
struct module *me;
};

View File

@ -20,7 +20,10 @@
/* This header is used to share core functionality between the
standalone connection tracking module, and the compatibility layer's use
of connection tracking. */
#if IS_ENABLED(CONFIG_NETFILTER)
unsigned int nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state);
#endif
int nf_conntrack_init_net(struct net *net);
void nf_conntrack_cleanup_net(struct net *net);

View File

@ -2,6 +2,9 @@
#define _NF_CONNTRACK_COUNT_H
#include <linux/list.h>
#include <linux/spinlock.h>
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_zones.h>
struct nf_conncount_data;

View File

@ -75,6 +75,7 @@ bool nf_conntrack_invert_icmp_tuple(struct nf_conntrack_tuple *tuple,
bool nf_conntrack_invert_icmpv6_tuple(struct nf_conntrack_tuple *tuple,
const struct nf_conntrack_tuple *orig);
#if IS_ENABLED(CONFIG_NETFILTER)
int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
unsigned int dataoff,
const struct nf_hook_state *state,
@ -131,6 +132,7 @@ int nf_conntrack_gre_packet(struct nf_conn *ct,
unsigned int dataoff,
enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state);
#endif
void nf_conntrack_generic_init_net(struct net *net);
void nf_conntrack_tcp_init_net(struct net *net);
@ -176,6 +178,7 @@ void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
const char *fmt, ...) { }
#endif /* CONFIG_SYSCTL */
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
static inline struct nf_generic_net *nf_generic_pernet(struct net *net)
{
return &net->ct.nf_ct_proto.generic;
@ -200,6 +203,7 @@ static inline struct nf_icmp_net *nf_icmpv6_pernet(struct net *net)
{
return &net->ct.nf_ct_proto.icmpv6;
}
#endif
#ifdef CONFIG_NF_CT_PROTO_DCCP
static inline struct nf_dccp_net *nf_dccp_pernet(struct net *net)

View File

@ -67,7 +67,7 @@ static inline struct synproxy_net *synproxy_pernet(struct net *net)
struct synproxy_options {
u8 options;
u8 wscale;
u16 mss;
u16 mss_option;
u16 mss_encode;
u32 tsval;
u32 tsecr;

View File

@ -40,12 +40,18 @@ struct nf_conn_tstamp *nf_ct_tstamp_ext_add(struct nf_conn *ct, gfp_t gfp)
static inline bool nf_ct_tstamp_enabled(struct net *net)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
return net->ct.sysctl_tstamp != 0;
#else
return false;
#endif
}
static inline void nf_ct_set_tstamp(struct net *net, bool enable)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
net->ct.sysctl_tstamp = enable;
#endif
}
#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP

View File

@ -121,6 +121,7 @@ struct nf_conntrack_tuple_hash {
struct nf_conntrack_tuple tuple;
};
#if IS_ENABLED(CONFIG_NETFILTER)
static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
const struct nf_conntrack_tuple *t2)
{
@ -183,5 +184,6 @@ nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
__nf_ct_tuple_dst_equal(t, tuple);
}
#endif
#endif /* _NF_CONNTRACK_TUPLE_H */

View File

@ -2,6 +2,8 @@
#ifndef _NF_DUP_NETDEV_H_
#define _NF_DUP_NETDEV_H_
#include <net/netfilter/nf_tables.h>
void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif);
void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif);

View File

@ -6,6 +6,7 @@
#include <linux/netdevice.h>
#include <linux/rhashtable-types.h>
#include <linux/rcupdate.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <net/dst.h>
@ -16,7 +17,9 @@ struct nf_flowtable_type {
int family;
int (*init)(struct nf_flowtable *ft);
void (*free)(struct nf_flowtable *ft);
#if IS_ENABLED(CONFIG_NETFILTER)
nf_hookfn *hook;
#endif
struct module *owner;
};
@ -114,10 +117,12 @@ struct flow_ports {
__be16 source, dest;
};
#if IS_ENABLED(CONFIG_NETFILTER)
unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
#endif
#define MODULE_ALIAS_NF_FLOWTABLE(family) \
MODULE_ALIAS("nf-flowtable-" __stringify(family))

View File

@ -69,10 +69,12 @@ static inline bool nf_nat_oif_changed(unsigned int hooknum,
#endif
}
#if IS_ENABLED(CONFIG_NETFILTER)
int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
const struct nf_hook_ops *nat_ops, unsigned int ops_count);
void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
unsigned int ops_count);
#endif
unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
unsigned int hooknum, struct sk_buff *skb);
@ -92,6 +94,7 @@ int nf_nat_icmpv6_reply_translation(struct sk_buff *skb, struct nf_conn *ct,
enum ip_conntrack_info ctinfo,
unsigned int hooknum, unsigned int hdrlen);
#if IS_ENABLED(CONFIG_NETFILTER)
int nf_nat_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
@ -104,6 +107,7 @@ void nf_nat_inet_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
unsigned int
nf_nat_inet_fn(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
#endif
int nf_xfrm_me_harder(struct net *n, struct sk_buff *s, unsigned int family);

View File

@ -3,9 +3,9 @@
#define _NF_NAT_HELPER_H
/* NAT protocol helper routines. */
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack.h>
struct sk_buff;
#include <net/netfilter/nf_conntrack_expect.h>
/* These return true or false. */
bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb, struct nf_conn *ct,

View File

@ -2,6 +2,9 @@
#ifndef _NF_NAT_REDIRECT_H_
#define _NF_NAT_REDIRECT_H_
#include <linux/skbuff.h>
#include <uapi/linux/netfilter/nf_nat.h>
unsigned int
nf_nat_redirect_ipv4(struct sk_buff *skb,
const struct nf_nat_ipv4_multi_range_compat *mr,

View File

@ -5,6 +5,8 @@
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <linux/jhash.h>
#include <linux/netfilter.h>
#include <linux/skbuff.h>
/* Each queued (to userspace) skbuff has one of these. */
struct nf_queue_entry {
@ -13,7 +15,9 @@ struct nf_queue_entry {
unsigned int id;
unsigned int hook_index; /* index in hook_entries->hook[] */
#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_state state;
#endif
u16 size; /* sizeof(entry) + saved route keys */
/* extra space to store route keys */
@ -119,6 +123,9 @@ nfqueue_hash(const struct sk_buff *skb, u16 queue, u16 queues_total, u8 family,
return queue;
}
#if IS_ENABLED(CONFIG_NETFILTER)
int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
unsigned int index, unsigned int verdict);
#endif
#endif /* _NF_QUEUE_H */

View File

@ -2,6 +2,9 @@
#ifndef _NF_REJECT_H
#define _NF_REJECT_H
#include <linux/types.h>
#include <uapi/linux/in.h>
static inline bool nf_reject_verify_csum(__u8 proto)
{
/* Skip protocols that don't use 16-bit one's complement checksum

View File

@ -20,8 +20,10 @@ bool synproxy_recv_client_ack(struct net *net,
const struct tcphdr *th,
struct synproxy_options *opts, u32 recv_seq);
#if IS_ENABLED(CONFIG_NETFILTER)
unsigned int ipv4_synproxy_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *nhs);
#endif
int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net);
void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net);
@ -35,8 +37,10 @@ bool synproxy_recv_client_ack_ipv6(struct net *net, const struct sk_buff *skb,
const struct tcphdr *th,
struct synproxy_options *opts, u32 recv_seq);
#if IS_ENABLED(CONFIG_NETFILTER)
unsigned int ipv6_synproxy_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *nhs);
#endif
int nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net);
void nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net);
#else

View File

@ -25,6 +25,7 @@ struct nft_pktinfo {
struct xt_action_param xt;
};
#if IS_ENABLED(CONFIG_NETFILTER)
static inline struct net *nft_net(const struct nft_pktinfo *pkt)
{
return pkt->xt.state->net;
@ -57,6 +58,7 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
pkt->skb = skb;
pkt->xt.state = state;
}
#endif
static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
struct sk_buff *skb)
@ -927,9 +929,11 @@ struct nft_chain_type {
int family;
struct module *owner;
unsigned int hook_mask;
#if IS_ENABLED(CONFIG_NETFILTER)
nf_hookfn *hooks[NF_MAX_HOOKS];
int (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
#endif
};
int nft_chain_validate_dependency(const struct nft_chain *chain,
@ -955,7 +959,9 @@ struct nft_stats {
* @flow_block: flow block (for hardware offload)
*/
struct nft_base_chain {
#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops ops;
#endif
const struct nft_chain_type *type;
u8 policy;
u8 flags;
@ -1152,7 +1158,9 @@ struct nft_flowtable {
use:30;
u64 handle;
/* runtime data below here */
#if IS_ENABLED(CONFIG_NETFILTER)
struct nf_hook_ops *ops ____cacheline_aligned;
#endif
struct nf_flowtable data;
};
@ -1207,6 +1215,8 @@ void nft_trace_notify(struct nft_traceinfo *info);
#define MODULE_ALIAS_NFT_OBJ(type) \
MODULE_ALIAS("nft-obj-" __stringify(type))
#if IS_ENABLED(CONFIG_NF_TABLES)
/*
* The gencursor defines two generations, the currently active and the
* next one. Objects contain a bitmask of 2 bits specifying the generations
@ -1280,6 +1290,8 @@ static inline void nft_set_elem_change_active(const struct net *net,
ext->genmask ^= nft_genmask_next(net);
}
#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
/*
* We use a free bit in the genmask field to indicate the element
* is busy, meaning it is currently being processed either by

View File

@ -4,6 +4,7 @@
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <net/ipv6.h>
#include <net/netfilter/nf_tables.h>
static inline void nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
struct sk_buff *skb)

View File

@ -9,6 +9,7 @@ struct nft_offload_reg {
u32 len;
u32 base_offset;
u32 offset;
struct nft_data data;
struct nft_data mask;
};

View File

@ -2,6 +2,8 @@
#ifndef _NFT_FIB_H_
#define _NFT_FIB_H_
#include <net/netfilter/nf_tables.h>
struct nft_fib {
enum nft_registers dreg:8;
u8 result;

View File

@ -2,6 +2,8 @@
#ifndef _NFT_META_H_
#define _NFT_META_H_
#include <net/netfilter/nf_tables.h>
struct nft_meta {
enum nft_meta_keys key:8;
union {

View File

@ -2,6 +2,11 @@
#ifndef _NFT_REJECT_H_
#define _NFT_REJECT_H_
#include <linux/types.h>
#include <net/netlink.h>
#include <net/netfilter/nf_tables.h>
#include <uapi/linux/netfilter/nf_tables.h>
struct nft_reject {
enum nft_reject_types type:8;
u8 icmp_code;

View File

@ -2,6 +2,7 @@
#ifndef _XT_POLICY_H
#define _XT_POLICY_H
#include <linux/netfilter.h>
#include <linux/types.h>
#include <linux/in.h>
#include <linux/in6.h>

View File

@ -36,8 +36,8 @@ synproxy_tg4(struct sk_buff *skb, const struct xt_action_param *par)
opts.options |= XT_SYNPROXY_OPT_ECN;
opts.options &= info->options;
opts.mss_encode = opts.mss;
opts.mss = info->mss;
opts.mss_encode = opts.mss_option;
opts.mss_option = info->mss;
if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
synproxy_init_timestamp_cookie(info, &opts);
else

View File

@ -36,8 +36,8 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
opts.options |= XT_SYNPROXY_OPT_ECN;
opts.options &= info->options;
opts.mss_encode = opts.mss;
opts.mss = info->mss;
opts.mss_encode = opts.mss_option;
opts.mss_option = info->mss;
if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
synproxy_init_timestamp_cookie(info, &opts);
else

View File

@ -7,7 +7,7 @@
#include <linux/rcupdate.h>
#include <linux/jhash.h>
#include <linux/types.h>
#include <linux/netfilter/ipset/ip_set_timeout.h>
#include <linux/netfilter/ipset/ip_set.h>
#define __ipset_dereference_protected(p, c) rcu_dereference_protected(p, c)
#define ipset_dereference_protected(p, set) \

View File

@ -1737,12 +1737,18 @@ proc_do_defense_mode(struct ctl_table *table, int write,
int val = *valp;
int rc;
rc = proc_dointvec(table, write, buffer, lenp, ppos);
struct ctl_table tmp = {
.data = &val,
.maxlen = sizeof(int),
.mode = table->mode,
};
rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
if (write && (*valp != val)) {
if ((*valp < 0) || (*valp > 3)) {
/* Restore the correct value */
*valp = val;
if (val < 0 || val > 3) {
rc = -EINVAL;
} else {
*valp = val;
update_defense_level(ipvs);
}
}
@ -1756,37 +1762,24 @@ proc_do_sync_threshold(struct ctl_table *table, int write,
int *valp = table->data;
int val[2];
int rc;
struct ctl_table tmp = {
.data = &val,
.maxlen = table->maxlen,
.mode = table->mode,
};
/* backup the value first */
memcpy(val, valp, sizeof(val));
rc = proc_dointvec(table, write, buffer, lenp, ppos);
if (write && (valp[0] < 0 || valp[1] < 0 ||
(valp[0] >= valp[1] && valp[1]))) {
/* Restore the correct value */
rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
if (write) {
if (val[0] < 0 || val[1] < 0 ||
(val[0] >= val[1] && val[1]))
rc = -EINVAL;
else
memcpy(valp, val, sizeof(val));
}
return rc;
}
static int
proc_do_sync_mode(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
{
int *valp = table->data;
int val = *valp;
int rc;
rc = proc_dointvec(table, write, buffer, lenp, ppos);
if (write && (*valp != val)) {
if ((*valp < 0) || (*valp > 1)) {
/* Restore the correct value */
*valp = val;
}
}
return rc;
}
static int
proc_do_sync_ports(struct ctl_table *table, int write,
void __user *buffer, size_t *lenp, loff_t *ppos)
@ -1795,13 +1788,19 @@ proc_do_sync_ports(struct ctl_table *table, int write,
int val = *valp;
int rc;
rc = proc_dointvec(table, write, buffer, lenp, ppos);
struct ctl_table tmp = {
.data = &val,
.maxlen = sizeof(int),
.mode = table->mode,
};
rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
if (write && (*valp != val)) {
if (*valp < 1 || !is_power_of_2(*valp)) {
/* Restore the correct value */
if (val < 1 || !is_power_of_2(val))
rc = -EINVAL;
else
*valp = val;
}
}
return rc;
}
@ -1860,7 +1859,9 @@ static struct ctl_table vs_vars[] = {
.procname = "sync_version",
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_do_sync_mode,
.proc_handler = proc_dointvec_minmax,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
{
.procname = "sync_ports",

View File

@ -11,7 +11,7 @@
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_labels.h>
static spinlock_t nf_connlabels_lock;
static __read_mostly DEFINE_SPINLOCK(nf_connlabels_lock);
static int replace_u32(u32 *address, u32 mask, u32 new)
{
@ -89,7 +89,6 @@ int nf_conntrack_labels_init(void)
{
BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE / sizeof(long) >= U8_MAX);
spin_lock_init(&nf_connlabels_lock);
return nf_ct_extend_register(&labels_extend);
}

View File

@ -511,8 +511,6 @@ static void nf_conntrack_standalone_fini_proc(struct net *net)
/* Log invalid packets of a given protocol */
static int log_invalid_proto_min __read_mostly;
static int log_invalid_proto_max __read_mostly = 255;
static int zero;
static int one = 1;
/* size the user *wants to set */
static unsigned int nf_conntrack_htable_size_user __read_mostly;
@ -629,8 +627,8 @@ static struct ctl_table nf_ct_sysctl_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &one,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
[NF_SYSCTL_CT_LOG_INVALID] = {
.procname = "nf_conntrack_log_invalid",
@ -654,8 +652,8 @@ static struct ctl_table nf_ct_sysctl_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &one,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
[NF_SYSCTL_CT_HELPER] = {
.procname = "nf_conntrack_helper",
@ -663,8 +661,8 @@ static struct ctl_table nf_ct_sysctl_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &one,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
#ifdef CONFIG_NF_CONNTRACK_EVENTS
[NF_SYSCTL_CT_EVENTS] = {
@ -673,8 +671,8 @@ static struct ctl_table nf_ct_sysctl_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &one,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
#endif
#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
@ -684,8 +682,8 @@ static struct ctl_table nf_ct_sysctl_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &one,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
#endif
[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = {
@ -759,16 +757,16 @@ static struct ctl_table nf_ct_sysctl_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &one,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
[NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = {
.procname = "nf_conntrack_tcp_be_liberal",
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &one,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
[NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = {
.procname = "nf_conntrack_tcp_max_retrans",
@ -904,8 +902,8 @@ static struct ctl_table nf_ct_sysctl_table[] = {
.maxlen = sizeof(int),
.mode = 0644,
.proc_handler = proc_dointvec_minmax,
.extra1 = &zero,
.extra2 = &one,
.extra1 = SYSCTL_ZERO,
.extra2 = SYSCTL_ONE,
},
#endif
#ifdef CONFIG_NF_CT_PROTO_GRE

View File

@ -722,7 +722,7 @@ nf_nat_ipv4_local_fn(void *priv, struct sk_buff *skb,
return ret;
}
const struct nf_hook_ops nf_nat_ipv4_ops[] = {
static const struct nf_hook_ops nf_nat_ipv4_ops[] = {
/* Before packet filtering, change destination */
{
.hook = nf_nat_ipv4_in,
@ -961,7 +961,7 @@ nf_nat_ipv6_local_fn(void *priv, struct sk_buff *skb,
return ret;
}
const struct nf_hook_ops nf_nat_ipv6_ops[] = {
static const struct nf_hook_ops nf_nat_ipv6_ops[] = {
/* Before packet filtering, change destination */
{
.hook = nf_nat_ipv6_in,

View File

@ -56,7 +56,7 @@ synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
switch (opcode) {
case TCPOPT_MSS:
if (opsize == TCPOLEN_MSS) {
opts->mss = get_unaligned_be16(ptr);
opts->mss_option = get_unaligned_be16(ptr);
opts->options |= NF_SYNPROXY_OPT_MSS;
}
break;
@ -115,7 +115,7 @@ synproxy_build_options(struct tcphdr *th, const struct synproxy_options *opts)
if (options & NF_SYNPROXY_OPT_MSS)
*ptr++ = htonl((TCPOPT_MSS << 24) |
(TCPOLEN_MSS << 16) |
opts->mss);
opts->mss_option);
if (options & NF_SYNPROXY_OPT_TIMESTAMP) {
if (options & NF_SYNPROXY_OPT_SACK_PERM)
@ -642,7 +642,7 @@ synproxy_recv_client_ack(struct net *net,
}
this_cpu_inc(snet->stats->cookie_valid);
opts->mss = mss;
opts->mss_option = mss;
opts->options |= NF_SYNPROXY_OPT_MSS;
if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)
@ -1060,7 +1060,7 @@ synproxy_recv_client_ack_ipv6(struct net *net,
}
this_cpu_inc(snet->stats->cookie_valid);
opts->mss = mss;
opts->mss_option = mss;
opts->options |= NF_SYNPROXY_OPT_MSS;
if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)

View File

@ -13,6 +13,7 @@
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_offload.h>
struct nft_bitwise {
enum nft_registers sreg:8;
@ -126,12 +127,30 @@ nla_put_failure:
return -1;
}
static struct nft_data zero;
static int nft_bitwise_offload(struct nft_offload_ctx *ctx,
struct nft_flow_rule *flow,
const struct nft_expr *expr)
{
const struct nft_bitwise *priv = nft_expr_priv(expr);
if (memcmp(&priv->xor, &zero, sizeof(priv->xor) ||
priv->sreg != priv->dreg))
return -EOPNOTSUPP;
memcpy(&ctx->regs[priv->dreg].mask, &priv->mask, sizeof(priv->mask));
return 0;
}
static const struct nft_expr_ops nft_bitwise_ops = {
.type = &nft_bitwise_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_bitwise)),
.eval = nft_bitwise_eval,
.init = nft_bitwise_init,
.dump = nft_bitwise_dump,
.offload = nft_bitwise_offload,
};
struct nft_expr_type nft_bitwise_type __read_mostly = {

View File

@ -125,17 +125,13 @@ static int nft_immediate_validate(const struct nft_ctx *ctx,
return 0;
}
static int nft_immediate_offload(struct nft_offload_ctx *ctx,
static int nft_immediate_offload_verdict(struct nft_offload_ctx *ctx,
struct nft_flow_rule *flow,
const struct nft_expr *expr)
const struct nft_immediate_expr *priv)
{
const struct nft_immediate_expr *priv = nft_expr_priv(expr);
struct flow_action_entry *entry;
const struct nft_data *data;
if (priv->dreg != NFT_REG_VERDICT)
return -EOPNOTSUPP;
entry = &flow->rule->action.entries[ctx->num_actions++];
data = &priv->data;
@ -153,6 +149,20 @@ static int nft_immediate_offload(struct nft_offload_ctx *ctx,
return 0;
}
static int nft_immediate_offload(struct nft_offload_ctx *ctx,
struct nft_flow_rule *flow,
const struct nft_expr *expr)
{
const struct nft_immediate_expr *priv = nft_expr_priv(expr);
if (priv->dreg == NFT_REG_VERDICT)
return nft_immediate_offload_verdict(ctx, flow, priv);
memcpy(&ctx->regs[priv->dreg].data, &priv->data, sizeof(priv->data));
return 0;
}
static const struct nft_expr_ops nft_imm_ops = {
.type = &nft_imm_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)),

View File

@ -10,7 +10,7 @@
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
struct nft_bitmap_elem {
struct list_head head;

View File

@ -16,7 +16,7 @@
#include <linux/rhashtable.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
/* We target a hash table size of 4, element hint is 75% of final size */
#define NFT_RHASH_ELEMENT_HINT 3

View File

@ -13,7 +13,7 @@
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
struct nft_rbtree {
struct rb_root root;

View File

@ -31,8 +31,8 @@ static void nft_synproxy_tcp_options(struct synproxy_options *opts,
opts->options |= NF_SYNPROXY_OPT_ECN;
opts->options &= priv->info.options;
opts->mss_encode = opts->mss;
opts->mss = info->mss;
opts->mss_encode = opts->mss_option;
opts->mss_option = info->mss;
if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)
synproxy_init_timestamp_cookie(info, opts);
else

View File

@ -14,7 +14,6 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/ipset/ip_set.h>
#include <linux/netfilter/ipset/ip_set_timeout.h>
#include <uapi/linux/netfilter/xt_set.h>
MODULE_LICENSE("GPL");