Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

tjh.dev / kernel

fork atom

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

fork atom

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

===================
Netfilter updates for net-next

The following batch contains Netfilter updates for net-next, they are:

1) Move nft_expr_clone() to nft_dynset, from Paul Gortmaker.

2) Do not include module.h from net/netfilter/nf_tables.h,
also from Paul.

3) Restrict conntrack sysctl entries to boolean, from Tonghao Zhang.

4) Several patches to add infrastructure to autoload NAT helper
modules from their respective conntrack helper, this also includes
the first client of this code in OVS, patches from Flavio Leitner.

5) Add support to match for conntrack ID, from Brett Mastbergen.

6) Spelling fix in connlabel, from Colin Ian King.

7) Use struct_size() from hashlimit, from Gustavo A. R. Silva.

8) Add optimized version of nf_inet_addr_mask(), from Li RongQing.
===================

Signed-off-by: David S. Miller <davem@davemloft.net>

David S. Miller 7 years ago 1ffad6d1 19ab5f40

+302 -89

26 changed files

expand all collapse all

include

linux

netfilter.h

net

netfilter

nf_conntrack_helper.h

nf_tables.h

netns

conntrack.h

uapi

linux

netfilter

nf_tables.h

net

ipv4

netfilter

nf_nat_h323.c

nf_nat_pptp.c

netfilter

nf_conntrack_amanda.c

nf_conntrack_ftp.c

nf_conntrack_helper.c

nf_conntrack_irc.c

nf_conntrack_sane.c

nf_conntrack_sip.c

nf_conntrack_standalone.c

nf_conntrack_tftp.c

nf_nat_amanda.c

nf_nat_ftp.c

nf_nat_irc.c

nf_nat_sip.c

nf_nat_tftp.c

nf_tables_set_core.c

nft_ct.c

nft_dynset.c

xt_connlabel.c

xt_hashlimit.c

openvswitch

conntrack.c

include/linux/netfilter.h

reviewed

··· 41 41 union nf_inet_addr *result, 42 42 const union nf_inet_addr *mask) 43 43 { 44 44 + #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 45 45 + const unsigned long *ua = (const unsigned long *)a1; 46 46 + unsigned long *ur = (unsigned long *)result; 47 47 + const unsigned long *um = (const unsigned long *)mask; 48 48 + 49 49 + ur[0] = ua[0] & um[0]; 50 50 + ur[1] = ua[1] & um[1]; 51 51 + #else 44 52 result->all[0] = a1->all[0] & mask->all[0]; 45 53 result->all[1] = a1->all[1] & mask->all[1]; 46 54 result->all[2] = a1->all[2] & mask->all[2]; 47 55 result->all[3] = a1->all[3] & mask->all[3]; 56 56 + #endif 48 57 } 49 58 50 59 int netfilter_init(void);

+24

include/net/netfilter/nf_conntrack_helper.h

reviewed

··· 15 15 #include <net/netfilter/nf_conntrack_extend.h> 16 16 #include <net/netfilter/nf_conntrack_expect.h> 17 17 18 18 + #define NF_NAT_HELPER_PREFIX "ip_nat_" 19 19 + #define NF_NAT_HELPER_NAME(name) NF_NAT_HELPER_PREFIX name 20 20 + #define MODULE_ALIAS_NF_NAT_HELPER(name) \ 21 21 + MODULE_ALIAS(NF_NAT_HELPER_NAME(name)) 22 22 + 18 23 struct module; 19 24 20 25 enum nf_ct_helper_flags { ··· 59 54 unsigned int queue_num; 60 55 /* length of userspace private data stored in nf_conn_help->data */ 61 56 u16 data_len; 57 57 + /* name of NAT helper module */ 58 58 + char nat_mod_name[NF_CT_HELPER_NAME_LEN]; 62 59 }; 63 60 64 61 /* Must be kept in sync with the classes defined by helpers */ ··· 160 153 extern struct hlist_head *nf_ct_helper_hash; 161 154 extern unsigned int nf_ct_helper_hsize; 162 155 156 156 + struct nf_conntrack_nat_helper { 157 157 + struct list_head list; 158 158 + char mod_name[NF_CT_HELPER_NAME_LEN]; /* module name */ 159 159 + struct module *module; /* pointer to self */ 160 160 + }; 161 161 + 162 162 + #define NF_CT_NAT_HELPER_INIT(name) \ 163 163 + { \ 164 164 + .mod_name = NF_NAT_HELPER_NAME(name), \ 165 165 + .module = THIS_MODULE \ 166 166 + } 167 167 + 168 168 + void nf_nat_helper_register(struct nf_conntrack_nat_helper *nat); 169 169 + void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat); 170 170 + int nf_nat_helper_try_module_get(const char *name, u16 l3num, 171 171 + u8 protonum); 172 172 + void nf_nat_helper_put(struct nf_conntrack_helper *helper); 163 173 #endif /*_NF_CONNTRACK_HELPER_H*/

+2 -18

include/net/netfilter/nf_tables.h

reviewed

··· 2 2 #ifndef _NET_NF_TABLES_H 3 3 #define _NET_NF_TABLES_H 4 4 5 5 - #include <linux/module.h> 6 5 #include <linux/list.h> 7 6 #include <linux/netfilter.h> 8 7 #include <linux/netfilter/nfnetlink.h> ··· 11 12 #include <linux/rhashtable.h> 12 13 #include <net/netfilter/nf_flow_table.h> 13 14 #include <net/netlink.h> 15 15 + 16 16 + struct module; 14 17 15 18 #define NFT_JUMP_STACK_SIZE 16 16 19 ··· 806 805 void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr); 807 806 int nft_expr_dump(struct sk_buff *skb, unsigned int attr, 808 807 const struct nft_expr *expr); 809 809 - 810 810 - static inline int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 811 811 - { 812 812 - int err; 813 813 - 814 814 - if (src->ops->clone) { 815 815 - dst->ops = src->ops; 816 816 - err = src->ops->clone(dst, src); 817 817 - if (err < 0) 818 818 - return err; 819 819 - } else { 820 820 - memcpy(dst, src, src->ops->size); 821 821 - } 822 822 - 823 823 - __module_get(src->ops->type->owner); 824 824 - return 0; 825 825 - } 826 808 827 809 /** 828 810 * struct nft_rule - nf_tables rule

+3 -3

include/net/netns/conntrack.h

reviewed

··· 24 24 25 25 struct nf_tcp_net { 26 26 unsigned int timeouts[TCP_CONNTRACK_TIMEOUT_MAX]; 27 27 - unsigned int tcp_loose; 28 28 - unsigned int tcp_be_liberal; 29 29 - unsigned int tcp_max_retrans; 27 27 + int tcp_loose; 28 28 + int tcp_be_liberal; 29 29 + int tcp_max_retrans; 30 30 }; 31 31 32 32 enum udp_conntrack {

include/uapi/linux/netfilter/nf_tables.h

reviewed

··· 967 967 * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) 968 968 * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) 969 969 * @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack 970 970 + * @NFT_CT_ID: conntrack id 970 971 */ 971 972 enum nft_ct_keys { 972 973 NFT_CT_STATE, ··· 994 993 NFT_CT_SRC_IP6, 995 994 NFT_CT_DST_IP6, 996 995 NFT_CT_TIMEOUT, 996 996 + NFT_CT_ID, 997 997 __NFT_CT_MAX 998 998 }; 999 999 #define NFT_CT_MAX (__NFT_CT_MAX - 1)

+1 -1

net/ipv4/netfilter/nf_nat_h323.c

reviewed

··· 631 631 MODULE_AUTHOR("Jing Min Zhao <zhaojingmin@users.sourceforge.net>"); 632 632 MODULE_DESCRIPTION("H.323 NAT helper"); 633 633 MODULE_LICENSE("GPL"); 634 634 - MODULE_ALIAS("ip_nat_h323"); 634 634 + MODULE_ALIAS_NF_NAT_HELPER("h323");

+1 -1

net/ipv4/netfilter/nf_nat_pptp.c

reviewed

··· 37 37 MODULE_LICENSE("GPL"); 38 38 MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); 39 39 MODULE_DESCRIPTION("Netfilter NAT helper module for PPTP"); 40 40 - MODULE_ALIAS("ip_nat_pptp"); 40 40 + MODULE_ALIAS_NF_NAT_HELPER("pptp"); 41 41 42 42 static void pptp_nat_expected(struct nf_conn *ct, 43 43 struct nf_conntrack_expect *exp)

+6 -2

net/netfilter/nf_conntrack_amanda.c

reviewed

··· 28 28 static unsigned int master_timeout __read_mostly = 300; 29 29 static char *ts_algo = "kmp"; 30 30 31 31 + #define HELPER_NAME "amanda" 32 32 + 31 33 MODULE_AUTHOR("Brian J. Murrell <netfilter@interlinx.bc.ca>"); 32 34 MODULE_DESCRIPTION("Amanda connection tracking module"); 33 35 MODULE_LICENSE("GPL"); 34 36 MODULE_ALIAS("ip_conntrack_amanda"); 35 35 - MODULE_ALIAS_NFCT_HELPER("amanda"); 37 37 + MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); 36 38 37 39 module_param(master_timeout, uint, 0600); 38 40 MODULE_PARM_DESC(master_timeout, "timeout for the master connection"); ··· 181 179 182 180 static struct nf_conntrack_helper amanda_helper[2] __read_mostly = { 183 181 { 184 184 - .name = "amanda", 182 182 + .name = HELPER_NAME, 185 183 .me = THIS_MODULE, 186 184 .help = amanda_help, 187 185 .tuple.src.l3num = AF_INET, 188 186 .tuple.src.u.udp.port = cpu_to_be16(10080), 189 187 .tuple.dst.protonum = IPPROTO_UDP, 190 188 .expect_policy = &amanda_exp_policy, 189 189 + .nat_mod_name = NF_NAT_HELPER_NAME(HELPER_NAME), 191 190 }, 192 191 { 193 192 .name = "amanda", ··· 198 195 .tuple.src.u.udp.port = cpu_to_be16(10080), 199 196 .tuple.dst.protonum = IPPROTO_UDP, 200 197 .expect_policy = &amanda_exp_policy, 198 198 + .nat_mod_name = NF_NAT_HELPER_NAME(HELPER_NAME), 201 199 }, 202 200 }; 203 201

+11 -7

net/netfilter/nf_conntrack_ftp.c

reviewed

··· 29 29 #include <net/netfilter/nf_conntrack_helper.h> 30 30 #include <linux/netfilter/nf_conntrack_ftp.h> 31 31 32 32 + #define HELPER_NAME "ftp" 33 33 + 32 34 MODULE_LICENSE("GPL"); 33 35 MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>"); 34 36 MODULE_DESCRIPTION("ftp connection tracking helper"); 35 37 MODULE_ALIAS("ip_conntrack_ftp"); 36 36 - MODULE_ALIAS_NFCT_HELPER("ftp"); 38 38 + MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); 37 39 38 40 /* This is slow, but it's simple. --RR */ 39 41 static char *ftp_buffer; ··· 590 588 /* FIXME should be configurable whether IPv4 and IPv6 FTP connections 591 589 are tracked or not - YK */ 592 590 for (i = 0; i < ports_c; i++) { 593 593 - nf_ct_helper_init(&ftp[2 * i], AF_INET, IPPROTO_TCP, "ftp", 594 594 - FTP_PORT, ports[i], ports[i], &ftp_exp_policy, 595 595 - 0, help, nf_ct_ftp_from_nlattr, THIS_MODULE); 596 596 - nf_ct_helper_init(&ftp[2 * i + 1], AF_INET6, IPPROTO_TCP, "ftp", 597 597 - FTP_PORT, ports[i], ports[i], &ftp_exp_policy, 598 598 - 0, help, nf_ct_ftp_from_nlattr, THIS_MODULE); 591 591 + nf_ct_helper_init(&ftp[2 * i], AF_INET, IPPROTO_TCP, 592 592 + HELPER_NAME, FTP_PORT, ports[i], ports[i], 593 593 + &ftp_exp_policy, 0, help, 594 594 + nf_ct_ftp_from_nlattr, THIS_MODULE); 595 595 + nf_ct_helper_init(&ftp[2 * i + 1], AF_INET6, IPPROTO_TCP, 596 596 + HELPER_NAME, FTP_PORT, ports[i], ports[i], 597 597 + &ftp_exp_policy, 0, help, 598 598 + nf_ct_ftp_from_nlattr, THIS_MODULE); 599 599 } 600 600 601 601 ret = nf_conntrack_helpers_register(ftp, ports_c * 2);

+86

net/netfilter/nf_conntrack_helper.c

reviewed

··· 42 42 MODULE_PARM_DESC(nf_conntrack_helper, 43 43 "Enable automatic conntrack helper assignment (default 0)"); 44 44 45 45 + static DEFINE_MUTEX(nf_ct_nat_helpers_mutex); 46 46 + static struct list_head nf_ct_nat_helpers __read_mostly; 47 47 + 45 48 /* Stupid hash, but collision free for the default registrations of the 46 49 * helpers currently in the kernel. */ 47 50 static unsigned int helper_hash(const struct nf_conntrack_tuple *tuple) ··· 132 129 module_put(helper->me); 133 130 } 134 131 EXPORT_SYMBOL_GPL(nf_conntrack_helper_put); 132 132 + 133 133 + static struct nf_conntrack_nat_helper * 134 134 + nf_conntrack_nat_helper_find(const char *mod_name) 135 135 + { 136 136 + struct nf_conntrack_nat_helper *cur; 137 137 + bool found = false; 138 138 + 139 139 + list_for_each_entry_rcu(cur, &nf_ct_nat_helpers, list) { 140 140 + if (!strcmp(cur->mod_name, mod_name)) { 141 141 + found = true; 142 142 + break; 143 143 + } 144 144 + } 145 145 + return found ? cur : NULL; 146 146 + } 147 147 + 148 148 + int 149 149 + nf_nat_helper_try_module_get(const char *name, u16 l3num, u8 protonum) 150 150 + { 151 151 + struct nf_conntrack_helper *h; 152 152 + struct nf_conntrack_nat_helper *nat; 153 153 + char mod_name[NF_CT_HELPER_NAME_LEN]; 154 154 + int ret = 0; 155 155 + 156 156 + rcu_read_lock(); 157 157 + h = __nf_conntrack_helper_find(name, l3num, protonum); 158 158 + if (!h) { 159 159 + rcu_read_unlock(); 160 160 + return -ENOENT; 161 161 + } 162 162 + 163 163 + nat = nf_conntrack_nat_helper_find(h->nat_mod_name); 164 164 + if (!nat) { 165 165 + snprintf(mod_name, sizeof(mod_name), "%s", h->nat_mod_name); 166 166 + rcu_read_unlock(); 167 167 + request_module(mod_name); 168 168 + 169 169 + rcu_read_lock(); 170 170 + nat = nf_conntrack_nat_helper_find(mod_name); 171 171 + if (!nat) { 172 172 + rcu_read_unlock(); 173 173 + return -ENOENT; 174 174 + } 175 175 + } 176 176 + 177 177 + if (!try_module_get(nat->module)) 178 178 + ret = -ENOENT; 179 179 + 180 180 + rcu_read_unlock(); 181 181 + return ret; 182 182 + } 183 183 + EXPORT_SYMBOL_GPL(nf_nat_helper_try_module_get); 184 184 + 185 185 + void nf_nat_helper_put(struct nf_conntrack_helper *helper) 186 186 + { 187 187 + struct nf_conntrack_nat_helper *nat; 188 188 + 189 189 + nat = nf_conntrack_nat_helper_find(helper->nat_mod_name); 190 190 + if (WARN_ON_ONCE(!nat)) 191 191 + return; 192 192 + 193 193 + module_put(nat->module); 194 194 + } 195 195 + EXPORT_SYMBOL_GPL(nf_nat_helper_put); 135 196 136 197 struct nf_conn_help * 137 198 nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp) ··· 497 430 helper->help = help; 498 431 helper->from_nlattr = from_nlattr; 499 432 helper->me = module; 433 433 + snprintf(helper->nat_mod_name, sizeof(helper->nat_mod_name), 434 434 + NF_NAT_HELPER_PREFIX "%s", name); 500 435 501 436 if (spec_port == default_port) 502 437 snprintf(helper->name, sizeof(helper->name), "%s", name); ··· 535 466 } 536 467 EXPORT_SYMBOL_GPL(nf_conntrack_helpers_unregister); 537 468 469 469 + void nf_nat_helper_register(struct nf_conntrack_nat_helper *nat) 470 470 + { 471 471 + mutex_lock(&nf_ct_nat_helpers_mutex); 472 472 + list_add_rcu(&nat->list, &nf_ct_nat_helpers); 473 473 + mutex_unlock(&nf_ct_nat_helpers_mutex); 474 474 + } 475 475 + EXPORT_SYMBOL_GPL(nf_nat_helper_register); 476 476 + 477 477 + void nf_nat_helper_unregister(struct nf_conntrack_nat_helper *nat) 478 478 + { 479 479 + mutex_lock(&nf_ct_nat_helpers_mutex); 480 480 + list_del_rcu(&nat->list); 481 481 + mutex_unlock(&nf_ct_nat_helpers_mutex); 482 482 + } 483 483 + EXPORT_SYMBOL_GPL(nf_nat_helper_unregister); 484 484 + 538 485 static const struct nf_ct_ext_type helper_extend = { 539 486 .len = sizeof(struct nf_conn_help), 540 487 .align = __alignof__(struct nf_conn_help), ··· 578 493 goto out_extend; 579 494 } 580 495 496 496 + INIT_LIST_HEAD(&nf_ct_nat_helpers); 581 497 return 0; 582 498 out_extend: 583 499 kvfree(nf_ct_helper_hash);

+4 -2

net/netfilter/nf_conntrack_irc.c

reviewed

··· 42 42 struct nf_conntrack_expect *exp) __read_mostly; 43 43 EXPORT_SYMBOL_GPL(nf_nat_irc_hook); 44 44 45 45 + #define HELPER_NAME "irc" 46 46 + 45 47 MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>"); 46 48 MODULE_DESCRIPTION("IRC (DCC) connection tracking helper"); 47 49 MODULE_LICENSE("GPL"); 48 50 MODULE_ALIAS("ip_conntrack_irc"); 49 49 - MODULE_ALIAS_NFCT_HELPER("irc"); 51 51 + MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); 50 52 51 53 module_param_array(ports, ushort, &ports_c, 0400); 52 54 MODULE_PARM_DESC(ports, "port numbers of IRC servers"); ··· 261 259 ports[ports_c++] = IRC_PORT; 262 260 263 261 for (i = 0; i < ports_c; i++) { 264 264 - nf_ct_helper_init(&irc[i], AF_INET, IPPROTO_TCP, "irc", 262 262 + nf_ct_helper_init(&irc[i], AF_INET, IPPROTO_TCP, HELPER_NAME, 265 263 IRC_PORT, ports[i], i, &irc_exp_policy, 266 264 0, help, NULL, THIS_MODULE); 267 265 }

+7 -5

net/netfilter/nf_conntrack_sane.c

reviewed

··· 30 30 #include <net/netfilter/nf_conntrack_expect.h> 31 31 #include <linux/netfilter/nf_conntrack_sane.h> 32 32 33 33 + #define HELPER_NAME "sane" 34 34 + 33 35 MODULE_LICENSE("GPL"); 34 36 MODULE_AUTHOR("Michal Schmidt <mschmidt@redhat.com>"); 35 37 MODULE_DESCRIPTION("SANE connection tracking helper"); 36 36 - MODULE_ALIAS_NFCT_HELPER("sane"); 38 38 + MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); 37 39 38 40 static char *sane_buffer; 39 41 ··· 197 195 /* FIXME should be configurable whether IPv4 and IPv6 connections 198 196 are tracked or not - YK */ 199 197 for (i = 0; i < ports_c; i++) { 200 200 - nf_ct_helper_init(&sane[2 * i], AF_INET, IPPROTO_TCP, "sane", 201 201 - SANE_PORT, ports[i], ports[i], 198 198 + nf_ct_helper_init(&sane[2 * i], AF_INET, IPPROTO_TCP, 199 199 + HELPER_NAME, SANE_PORT, ports[i], ports[i], 202 200 &sane_exp_policy, 0, help, NULL, 203 201 THIS_MODULE); 204 204 - nf_ct_helper_init(&sane[2 * i + 1], AF_INET6, IPPROTO_TCP, "sane", 205 205 - SANE_PORT, ports[i], ports[i], 202 202 + nf_ct_helper_init(&sane[2 * i + 1], AF_INET6, IPPROTO_TCP, 203 203 + HELPER_NAME, SANE_PORT, ports[i], ports[i], 206 204 &sane_exp_policy, 0, help, NULL, 207 205 THIS_MODULE); 208 206 }

+15 -13

net/netfilter/nf_conntrack_sip.c

reviewed

··· 30 30 #include <net/netfilter/nf_conntrack_zones.h> 31 31 #include <linux/netfilter/nf_conntrack_sip.h> 32 32 33 33 + #define HELPER_NAME "sip" 34 34 + 33 35 MODULE_LICENSE("GPL"); 34 36 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); 35 37 MODULE_DESCRIPTION("SIP connection tracking helper"); 36 38 MODULE_ALIAS("ip_conntrack_sip"); 37 37 - MODULE_ALIAS_NFCT_HELPER("sip"); 39 39 + MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); 38 40 39 41 #define MAX_PORTS 8 40 42 static unsigned short ports[MAX_PORTS]; ··· 1671 1669 ports[ports_c++] = SIP_PORT; 1672 1670 1673 1671 for (i = 0; i < ports_c; i++) { 1674 1674 - nf_ct_helper_init(&sip[4 * i], AF_INET, IPPROTO_UDP, "sip", 1675 1675 - SIP_PORT, ports[i], i, sip_exp_policy, 1676 1676 - SIP_EXPECT_MAX, sip_help_udp, 1672 1672 + nf_ct_helper_init(&sip[4 * i], AF_INET, IPPROTO_UDP, 1673 1673 + HELPER_NAME, SIP_PORT, ports[i], i, 1674 1674 + sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp, 1677 1675 NULL, THIS_MODULE); 1678 1678 - nf_ct_helper_init(&sip[4 * i + 1], AF_INET, IPPROTO_TCP, "sip", 1679 1679 - SIP_PORT, ports[i], i, sip_exp_policy, 1680 1680 - SIP_EXPECT_MAX, sip_help_tcp, 1676 1676 + nf_ct_helper_init(&sip[4 * i + 1], AF_INET, IPPROTO_TCP, 1677 1677 + HELPER_NAME, SIP_PORT, ports[i], i, 1678 1678 + sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp, 1681 1679 NULL, THIS_MODULE); 1682 1682 - nf_ct_helper_init(&sip[4 * i + 2], AF_INET6, IPPROTO_UDP, "sip", 1683 1683 - SIP_PORT, ports[i], i, sip_exp_policy, 1684 1684 - SIP_EXPECT_MAX, sip_help_udp, 1680 1680 + nf_ct_helper_init(&sip[4 * i + 2], AF_INET6, IPPROTO_UDP, 1681 1681 + HELPER_NAME, SIP_PORT, ports[i], i, 1682 1682 + sip_exp_policy, SIP_EXPECT_MAX, sip_help_udp, 1685 1683 NULL, THIS_MODULE); 1686 1686 - nf_ct_helper_init(&sip[4 * i + 3], AF_INET6, IPPROTO_TCP, "sip", 1687 1687 - SIP_PORT, ports[i], i, sip_exp_policy, 1688 1688 - SIP_EXPECT_MAX, sip_help_tcp, 1684 1684 + nf_ct_helper_init(&sip[4 * i + 3], AF_INET6, IPPROTO_TCP, 1685 1685 + HELPER_NAME, SIP_PORT, ports[i], i, 1686 1686 + sip_exp_policy, SIP_EXPECT_MAX, sip_help_tcp, 1689 1687 NULL, THIS_MODULE); 1690 1688 } 1691 1689

+33 -15

net/netfilter/nf_conntrack_standalone.c

reviewed

··· 511 511 /* Log invalid packets of a given protocol */ 512 512 static int log_invalid_proto_min __read_mostly; 513 513 static int log_invalid_proto_max __read_mostly = 255; 514 514 + static int zero; 515 515 + static int one = 1; 514 516 515 517 /* size the user *wants to set */ 516 518 static unsigned int nf_conntrack_htable_size_user __read_mostly; ··· 626 624 [NF_SYSCTL_CT_CHECKSUM] = { 627 625 .procname = "nf_conntrack_checksum", 628 626 .data = &init_net.ct.sysctl_checksum, 629 629 - .maxlen = sizeof(unsigned int), 627 627 + .maxlen = sizeof(int), 630 628 .mode = 0644, 631 631 - .proc_handler = proc_dointvec, 629 629 + .proc_handler = proc_dointvec_minmax, 630 630 + .extra1 = &zero, 631 631 + .extra2 = &one, 632 632 }, 633 633 [NF_SYSCTL_CT_LOG_INVALID] = { 634 634 .procname = "nf_conntrack_log_invalid", ··· 651 647 [NF_SYSCTL_CT_ACCT] = { 652 648 .procname = "nf_conntrack_acct", 653 649 .data = &init_net.ct.sysctl_acct, 654 654 - .maxlen = sizeof(unsigned int), 650 650 + .maxlen = sizeof(int), 655 651 .mode = 0644, 656 656 - .proc_handler = proc_dointvec, 652 652 + .proc_handler = proc_dointvec_minmax, 653 653 + .extra1 = &zero, 654 654 + .extra2 = &one, 657 655 }, 658 656 [NF_SYSCTL_CT_HELPER] = { 659 657 .procname = "nf_conntrack_helper", 660 658 .data = &init_net.ct.sysctl_auto_assign_helper, 661 661 - .maxlen = sizeof(unsigned int), 659 659 + .maxlen = sizeof(int), 662 660 .mode = 0644, 663 663 - .proc_handler = proc_dointvec, 661 661 + .proc_handler = proc_dointvec_minmax, 662 662 + .extra1 = &zero, 663 663 + .extra2 = &one, 664 664 }, 665 665 #ifdef CONFIG_NF_CONNTRACK_EVENTS 666 666 [NF_SYSCTL_CT_EVENTS] = { 667 667 .procname = "nf_conntrack_events", 668 668 .data = &init_net.ct.sysctl_events, 669 669 - .maxlen = sizeof(unsigned int), 669 669 + .maxlen = sizeof(int), 670 670 .mode = 0644, 671 671 - .proc_handler = proc_dointvec, 671 671 + .proc_handler = proc_dointvec_minmax, 672 672 + .extra1 = &zero, 673 673 + .extra2 = &one, 672 674 }, 673 675 #endif 674 676 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 675 677 [NF_SYSCTL_CT_TIMESTAMP] = { 676 678 .procname = "nf_conntrack_timestamp", 677 679 .data = &init_net.ct.sysctl_tstamp, 678 678 - .maxlen = sizeof(unsigned int), 680 680 + .maxlen = sizeof(int), 679 681 .mode = 0644, 680 680 - .proc_handler = proc_dointvec, 682 682 + .proc_handler = proc_dointvec_minmax, 683 683 + .extra1 = &zero, 684 684 + .extra2 = &one, 681 685 }, 682 686 #endif 683 687 [NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = { ··· 756 744 }, 757 745 [NF_SYSCTL_CT_PROTO_TCP_LOOSE] = { 758 746 .procname = "nf_conntrack_tcp_loose", 759 759 - .maxlen = sizeof(unsigned int), 747 747 + .maxlen = sizeof(int), 760 748 .mode = 0644, 761 761 - .proc_handler = proc_dointvec, 749 749 + .proc_handler = proc_dointvec_minmax, 750 750 + .extra1 = &zero, 751 751 + .extra2 = &one, 762 752 }, 763 753 [NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = { 764 754 .procname = "nf_conntrack_tcp_be_liberal", 765 765 - .maxlen = sizeof(unsigned int), 755 755 + .maxlen = sizeof(int), 766 756 .mode = 0644, 767 767 - .proc_handler = proc_dointvec, 757 757 + .proc_handler = proc_dointvec_minmax, 758 758 + .extra1 = &zero, 759 759 + .extra2 = &one, 768 760 }, 769 761 [NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = { 770 762 .procname = "nf_conntrack_tcp_max_retrans", ··· 903 887 .procname = "nf_conntrack_dccp_loose", 904 888 .maxlen = sizeof(int), 905 889 .mode = 0644, 906 906 - .proc_handler = proc_dointvec, 890 890 + .proc_handler = proc_dointvec_minmax, 891 891 + .extra1 = &zero, 892 892 + .extra2 = &one, 907 893 }, 908 894 #endif 909 895 #ifdef CONFIG_NF_CT_PROTO_GRE

+11 -7

net/netfilter/nf_conntrack_tftp.c

reviewed

··· 20 20 #include <net/netfilter/nf_conntrack_helper.h> 21 21 #include <linux/netfilter/nf_conntrack_tftp.h> 22 22 23 23 + #define HELPER_NAME "tftp" 24 24 + 23 25 MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>"); 24 26 MODULE_DESCRIPTION("TFTP connection tracking helper"); 25 27 MODULE_LICENSE("GPL"); 26 28 MODULE_ALIAS("ip_conntrack_tftp"); 27 27 - MODULE_ALIAS_NFCT_HELPER("tftp"); 29 29 + MODULE_ALIAS_NFCT_HELPER(HELPER_NAME); 28 30 29 31 #define MAX_PORTS 8 30 32 static unsigned short ports[MAX_PORTS]; ··· 121 119 ports[ports_c++] = TFTP_PORT; 122 120 123 121 for (i = 0; i < ports_c; i++) { 124 124 - nf_ct_helper_init(&tftp[2 * i], AF_INET, IPPROTO_UDP, "tftp", 125 125 - TFTP_PORT, ports[i], i, &tftp_exp_policy, 126 126 - 0, tftp_help, NULL, THIS_MODULE); 127 127 - nf_ct_helper_init(&tftp[2 * i + 1], AF_INET6, IPPROTO_UDP, "tftp", 128 128 - TFTP_PORT, ports[i], i, &tftp_exp_policy, 129 129 - 0, tftp_help, NULL, THIS_MODULE); 122 122 + nf_ct_helper_init(&tftp[2 * i], AF_INET, IPPROTO_UDP, 123 123 + HELPER_NAME, TFTP_PORT, ports[i], i, 124 124 + &tftp_exp_policy, 0, tftp_help, NULL, 125 125 + THIS_MODULE); 126 126 + nf_ct_helper_init(&tftp[2 * i + 1], AF_INET6, IPPROTO_UDP, 127 127 + HELPER_NAME, TFTP_PORT, ports[i], i, 128 128 + &tftp_exp_policy, 0, tftp_help, NULL, 129 129 + THIS_MODULE); 130 130 } 131 131 132 132 ret = nf_conntrack_helpers_register(tftp, ports_c * 2);

+8 -1

net/netfilter/nf_nat_amanda.c

reviewed

··· 19 19 #include <net/netfilter/nf_nat_helper.h> 20 20 #include <linux/netfilter/nf_conntrack_amanda.h> 21 21 22 22 + #define NAT_HELPER_NAME "amanda" 23 23 + 22 24 MODULE_AUTHOR("Brian J. Murrell <netfilter@interlinx.bc.ca>"); 23 25 MODULE_DESCRIPTION("Amanda NAT helper"); 24 26 MODULE_LICENSE("GPL"); 25 25 - MODULE_ALIAS("ip_nat_amanda"); 27 27 + MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); 28 28 + 29 29 + static struct nf_conntrack_nat_helper nat_helper_amanda = 30 30 + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); 26 31 27 32 static unsigned int help(struct sk_buff *skb, 28 33 enum ip_conntrack_info ctinfo, ··· 79 74 80 75 static void __exit nf_nat_amanda_fini(void) 81 76 { 77 77 + nf_nat_helper_unregister(&nat_helper_amanda); 82 78 RCU_INIT_POINTER(nf_nat_amanda_hook, NULL); 83 79 synchronize_rcu(); 84 80 } ··· 87 81 static int __init nf_nat_amanda_init(void) 88 82 { 89 83 BUG_ON(nf_nat_amanda_hook != NULL); 84 84 + nf_nat_helper_register(&nat_helper_amanda); 90 85 RCU_INIT_POINTER(nf_nat_amanda_hook, help); 91 86 return 0; 92 87 }

+8 -1

net/netfilter/nf_nat_ftp.c

reviewed

··· 21 21 #include <net/netfilter/nf_conntrack_expect.h> 22 22 #include <linux/netfilter/nf_conntrack_ftp.h> 23 23 24 24 + #define NAT_HELPER_NAME "ftp" 25 25 + 24 26 MODULE_LICENSE("GPL"); 25 27 MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>"); 26 28 MODULE_DESCRIPTION("ftp NAT helper"); 27 27 - MODULE_ALIAS("ip_nat_ftp"); 29 29 + MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); 28 30 29 31 /* FIXME: Time out? --RR */ 32 32 + 33 33 + static struct nf_conntrack_nat_helper nat_helper_ftp = 34 34 + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); 30 35 31 36 static int nf_nat_ftp_fmt_cmd(struct nf_conn *ct, enum nf_ct_ftp_type type, 32 37 char *buffer, size_t buflen, ··· 129 124 130 125 static void __exit nf_nat_ftp_fini(void) 131 126 { 127 127 + nf_nat_helper_unregister(&nat_helper_ftp); 132 128 RCU_INIT_POINTER(nf_nat_ftp_hook, NULL); 133 129 synchronize_rcu(); 134 130 } ··· 137 131 static int __init nf_nat_ftp_init(void) 138 132 { 139 133 BUG_ON(nf_nat_ftp_hook != NULL); 134 134 + nf_nat_helper_register(&nat_helper_ftp); 140 135 RCU_INIT_POINTER(nf_nat_ftp_hook, nf_nat_ftp); 141 136 return 0; 142 137 }

+8 -1

net/netfilter/nf_nat_irc.c

reviewed

··· 23 23 #include <net/netfilter/nf_conntrack_expect.h> 24 24 #include <linux/netfilter/nf_conntrack_irc.h> 25 25 26 26 + #define NAT_HELPER_NAME "irc" 27 27 + 26 28 MODULE_AUTHOR("Harald Welte <laforge@gnumonks.org>"); 27 29 MODULE_DESCRIPTION("IRC (DCC) NAT helper"); 28 30 MODULE_LICENSE("GPL"); 29 29 - MODULE_ALIAS("ip_nat_irc"); 31 31 + MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); 32 32 + 33 33 + static struct nf_conntrack_nat_helper nat_helper_irc = 34 34 + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); 30 35 31 36 static unsigned int help(struct sk_buff *skb, 32 37 enum ip_conntrack_info ctinfo, ··· 101 96 102 97 static void __exit nf_nat_irc_fini(void) 103 98 { 99 99 + nf_nat_helper_unregister(&nat_helper_irc); 104 100 RCU_INIT_POINTER(nf_nat_irc_hook, NULL); 105 101 synchronize_rcu(); 106 102 } ··· 109 103 static int __init nf_nat_irc_init(void) 110 104 { 111 105 BUG_ON(nf_nat_irc_hook != NULL); 106 106 + nf_nat_helper_register(&nat_helper_irc); 112 107 RCU_INIT_POINTER(nf_nat_irc_hook, help); 113 108 return 0; 114 109 }

+7 -2

net/netfilter/nf_nat_sip.c

reviewed

··· 24 24 #include <net/netfilter/nf_conntrack_seqadj.h> 25 25 #include <linux/netfilter/nf_conntrack_sip.h> 26 26 27 27 + #define NAT_HELPER_NAME "sip" 28 28 + 27 29 MODULE_LICENSE("GPL"); 28 30 MODULE_AUTHOR("Christian Hentschel <chentschel@arnet.com.ar>"); 29 31 MODULE_DESCRIPTION("SIP NAT helper"); 30 30 - MODULE_ALIAS("ip_nat_sip"); 32 32 + MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); 31 33 34 34 + static struct nf_conntrack_nat_helper nat_helper_sip = 35 35 + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); 32 36 33 37 static unsigned int mangle_packet(struct sk_buff *skb, unsigned int protoff, 34 38 unsigned int dataoff, ··· 660 656 661 657 static void __exit nf_nat_sip_fini(void) 662 658 { 659 659 + nf_nat_helper_unregister(&nat_helper_sip); 663 660 RCU_INIT_POINTER(nf_nat_sip_hooks, NULL); 664 664 - 665 661 nf_ct_helper_expectfn_unregister(&sip_nat); 666 662 synchronize_rcu(); 667 663 } ··· 679 675 static int __init nf_nat_sip_init(void) 680 676 { 681 677 BUG_ON(nf_nat_sip_hooks != NULL); 678 678 + nf_nat_helper_register(&nat_helper_sip); 682 679 RCU_INIT_POINTER(nf_nat_sip_hooks, &sip_hooks); 683 680 nf_ct_helper_expectfn_register(&sip_nat); 684 681 return 0;

+8 -1

net/netfilter/nf_nat_tftp.c

reviewed

··· 13 13 #include <net/netfilter/nf_nat_helper.h> 14 14 #include <linux/netfilter/nf_conntrack_tftp.h> 15 15 16 16 + #define NAT_HELPER_NAME "tftp" 17 17 + 16 18 MODULE_AUTHOR("Magnus Boden <mb@ozaba.mine.nu>"); 17 19 MODULE_DESCRIPTION("TFTP NAT helper"); 18 20 MODULE_LICENSE("GPL"); 19 19 - MODULE_ALIAS("ip_nat_tftp"); 21 21 + MODULE_ALIAS_NF_NAT_HELPER(NAT_HELPER_NAME); 22 22 + 23 23 + static struct nf_conntrack_nat_helper nat_helper_tftp = 24 24 + NF_CT_NAT_HELPER_INIT(NAT_HELPER_NAME); 20 25 21 26 static unsigned int help(struct sk_buff *skb, 22 27 enum ip_conntrack_info ctinfo, ··· 42 37 43 38 static void __exit nf_nat_tftp_fini(void) 44 39 { 40 40 + nf_nat_helper_unregister(&nat_helper_tftp); 45 41 RCU_INIT_POINTER(nf_nat_tftp_hook, NULL); 46 42 synchronize_rcu(); 47 43 } ··· 50 44 static int __init nf_nat_tftp_init(void) 51 45 { 52 46 BUG_ON(nf_nat_tftp_hook != NULL); 47 47 + nf_nat_helper_register(&nat_helper_tftp); 53 48 RCU_INIT_POINTER(nf_nat_tftp_hook, help); 54 49 return 0; 55 50 }

net/netfilter/nf_tables_set_core.c

reviewed

··· 1 1 /* SPDX-License-Identifier: GPL-2.0 */ 2 2 + #include <linux/module.h> 2 3 #include <net/netfilter/nf_tables_core.h> 3 4 4 5 static int __init nf_tables_set_module_init(void)

net/netfilter/nft_ct.c

reviewed

··· 178 178 return; 179 179 } 180 180 #endif 181 181 + case NFT_CT_ID: 182 182 + if (!nf_ct_is_confirmed(ct)) 183 183 + goto err; 184 184 + *dest = nf_ct_get_id(ct); 185 185 + return; 181 186 default: 182 187 break; 183 188 } ··· 484 479 len = sizeof(u16); 485 480 break; 486 481 #endif 482 482 + case NFT_CT_ID: 483 483 + len = sizeof(u32); 484 484 + break; 487 485 default: 488 486 return -EOPNOTSUPP; 489 487 }

+17

net/netfilter/nft_dynset.c

reviewed

··· 28 28 struct nft_set_binding binding; 29 29 }; 30 30 31 31 + static int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) 32 32 + { 33 33 + int err; 34 34 + 35 35 + if (src->ops->clone) { 36 36 + dst->ops = src->ops; 37 37 + err = src->ops->clone(dst, src); 38 38 + if (err < 0) 39 39 + return err; 40 40 + } else { 41 41 + memcpy(dst, src, src->ops->size); 42 42 + } 43 43 + 44 44 + __module_get(src->ops->type->owner); 45 45 + return 0; 46 46 + } 47 47 + 31 48 static void *nft_dynset_new(struct nft_set *set, const struct nft_expr *expr, 32 49 struct nft_regs *regs) 33 50 {

+1 -1

net/netfilter/xt_connlabel.c

reviewed

··· 15 15 16 16 MODULE_LICENSE("GPL"); 17 17 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); 18 18 - MODULE_DESCRIPTION("Xtables: add/match connection trackling labels"); 18 18 + MODULE_DESCRIPTION("Xtables: add/match connection tracking labels"); 19 19 MODULE_ALIAS("ipt_connlabel"); 20 20 MODULE_ALIAS("ip6t_connlabel"); 21 21

+1 -2

net/netfilter/xt_hashlimit.c

reviewed

··· 288 288 size = 16; 289 289 } 290 290 /* FIXME: don't use vmalloc() here or anywhere else -HW */ 291 291 - hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) + 292 292 - sizeof(struct hlist_head) * size); 291 291 + hinfo = vmalloc(struct_size(hinfo, hash, size)); 293 292 if (hinfo == NULL) 294 293 return -ENOMEM; 295 294 *out_hinfo = hinfo;

+20 -6

net/openvswitch/conntrack.c

reviewed

··· 1307 1307 { 1308 1308 struct nf_conntrack_helper *helper; 1309 1309 struct nf_conn_help *help; 1310 1310 + int ret = 0; 1310 1311 1311 1312 helper = nf_conntrack_helper_try_module_get(name, info->family, 1312 1313 key->ip.proto); ··· 1322 1321 return -ENOMEM; 1323 1322 } 1324 1323 1324 1324 + #ifdef CONFIG_NF_NAT_NEEDED 1325 1325 + if (info->nat) { 1326 1326 + ret = nf_nat_helper_try_module_get(name, info->family, 1327 1327 + key->ip.proto); 1328 1328 + if (ret) { 1329 1329 + nf_conntrack_helper_put(helper); 1330 1330 + OVS_NLERR(log, "Failed to load \"%s\" NAT helper, error: %d", 1331 1331 + name, ret); 1332 1332 + return ret; 1333 1333 + } 1334 1334 + } 1335 1335 + #endif 1325 1336 rcu_assign_pointer(help->helper, helper); 1326 1337 info->helper = helper; 1327 1327 - 1328 1328 - if (info->nat) 1329 1329 - request_module("ip_nat_%s", name); 1330 1330 - 1331 1331 - return 0; 1338 1338 + return ret; 1332 1339 } 1333 1340 1334 1341 #if IS_ENABLED(CONFIG_NF_NAT) ··· 1810 1801 1811 1802 static void __ovs_ct_free_action(struct ovs_conntrack_info *ct_info) 1812 1803 { 1813 1813 - if (ct_info->helper) 1804 1804 + if (ct_info->helper) { 1805 1805 + #ifdef CONFIG_NF_NAT_NEEDED 1806 1806 + if (ct_info->nat) 1807 1807 + nf_nat_helper_put(ct_info->helper); 1808 1808 + #endif 1814 1809 nf_conntrack_helper_put(ct_info->helper); 1810 1810 + } 1815 1811 if (ct_info->ct) { 1816 1812 if (ct_info->timeout[0]) 1817 1813 nf_ct_destroy_timeout(ct_info->ct);