tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for net:
1) Incorrect output device in nf_egress hook, from Phill Sutter.
2) Preserve liberal flag in TCP conntrack state, reported by Sven Auhagen.
3) Use GFP_KERNEL_ACCOUNT flag for nf_tables objects, from Vasily Averin.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
+37
-28
+1
-1
include/linux/netfilter_netdev.h
+1
-1
include/linux/netfilter_netdev.h
+1
-1
net/netfilter/core.c
+1
-1
net/netfilter/core.c
+13
-4
net/netfilter/nf_conntrack_proto_tcp.c
+13
-4
net/netfilter/nf_conntrack_proto_tcp.c
···
341
341
if (!ptr)
342
342
return;
343
343
344
-
state->td_scale =
345
-
state->flags = 0;
344
+
state->td_scale = 0;
345
+
state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL;
346
346
347
347
while (length > 0) {
348
348
int opcode=*ptr++;
···
862
862
return false;
863
863
}
864
864
865
+
static void nf_ct_tcp_state_reset(struct ip_ct_tcp_state *state)
866
+
{
867
+
state->td_end = 0;
868
+
state->td_maxend = 0;
869
+
state->td_maxwin = 0;
870
+
state->td_maxack = 0;
871
+
state->td_scale = 0;
872
+
state->flags &= IP_CT_TCP_FLAG_BE_LIBERAL;
873
+
}
874
+
865
875
/* Returns verdict for packet, or -1 for invalid. */
866
876
int nf_conntrack_tcp_packet(struct nf_conn *ct,
867
877
struct sk_buff *skb,
···
978
968
ct->proto.tcp.last_flags &= ~IP_CT_EXP_CHALLENGE_ACK;
979
969
ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
980
970
ct->proto.tcp.last_flags;
981
-
memset(&ct->proto.tcp.seen[dir], 0,
982
-
sizeof(struct ip_ct_tcp_state));
971
+
nf_ct_tcp_state_reset(&ct->proto.tcp.seen[dir]);
983
972
break;
984
973
}
985
974
ct->proto.tcp.last_index = index;
+22
-22
net/netfilter/nf_tables_api.c
+22
-22
net/netfilter/nf_tables_api.c
···
1192
1192
}
1193
1193
1194
1194
err = -ENOMEM;
1195
-
table = kzalloc(sizeof(*table), GFP_KERNEL);
1195
+
table = kzalloc(sizeof(*table), GFP_KERNEL_ACCOUNT);
1196
1196
if (table == NULL)
1197
1197
goto err_kzalloc;
1198
1198
1199
-
table->name = nla_strdup(attr, GFP_KERNEL);
1199
+
table->name = nla_strdup(attr, GFP_KERNEL_ACCOUNT);
1200
1200
if (table->name == NULL)
1201
1201
goto err_strdup;
1202
1202
1203
1203
if (nla[NFTA_TABLE_USERDATA]) {
1204
-
table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL);
1204
+
table->udata = nla_memdup(nla[NFTA_TABLE_USERDATA], GFP_KERNEL_ACCOUNT);
1205
1205
if (table->udata == NULL)
1206
1206
goto err_table_udata;
1207
1207
···
1882
1882
struct nft_hook *hook;
1883
1883
int err;
1884
1884
1885
-
hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL);
1885
+
hook = kmalloc(sizeof(struct nft_hook), GFP_KERNEL_ACCOUNT);
1886
1886
if (!hook) {
1887
1887
err = -ENOMEM;
1888
1888
goto err_hook_alloc;
···
2105
2105
if (size > INT_MAX)
2106
2106
return NULL;
2107
2107
2108
-
blob = kvmalloc(size, GFP_KERNEL);
2108
+
blob = kvmalloc(size, GFP_KERNEL_ACCOUNT);
2109
2109
if (!blob)
2110
2110
return NULL;
2111
2111
···
2205
2205
if (err < 0)
2206
2206
return err;
2207
2207
2208
-
basechain = kzalloc(sizeof(*basechain), GFP_KERNEL);
2208
+
basechain = kzalloc(sizeof(*basechain), GFP_KERNEL_ACCOUNT);
2209
2209
if (basechain == NULL) {
2210
2210
nft_chain_release_hook(&hook);
2211
2211
return -ENOMEM;
···
2235
2235
if (flags & NFT_CHAIN_HW_OFFLOAD)
2236
2236
return -EOPNOTSUPP;
2237
2237
2238
-
chain = kzalloc(sizeof(*chain), GFP_KERNEL);
2238
+
chain = kzalloc(sizeof(*chain), GFP_KERNEL_ACCOUNT);
2239
2239
if (chain == NULL)
2240
2240
return -ENOMEM;
2241
2241
···
2248
2248
chain->table = table;
2249
2249
2250
2250
if (nla[NFTA_CHAIN_NAME]) {
2251
-
chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2251
+
chain->name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2252
2252
} else {
2253
2253
if (!(flags & NFT_CHAIN_BINDING)) {
2254
2254
err = -EINVAL;
···
2256
2256
}
2257
2257
2258
2258
snprintf(name, sizeof(name), "__chain%llu", ++chain_id);
2259
-
chain->name = kstrdup(name, GFP_KERNEL);
2259
+
chain->name = kstrdup(name, GFP_KERNEL_ACCOUNT);
2260
2260
}
2261
2261
2262
2262
if (!chain->name) {
···
2265
2265
}
2266
2266
2267
2267
if (nla[NFTA_CHAIN_USERDATA]) {
2268
-
chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL);
2268
+
chain->udata = nla_memdup(nla[NFTA_CHAIN_USERDATA], GFP_KERNEL_ACCOUNT);
2269
2269
if (chain->udata == NULL) {
2270
2270
err = -ENOMEM;
2271
2271
goto err_destroy_chain;
···
2428
2428
char *name;
2429
2429
2430
2430
err = -ENOMEM;
2431
-
name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL);
2431
+
name = nla_strdup(nla[NFTA_CHAIN_NAME], GFP_KERNEL_ACCOUNT);
2432
2432
if (!name)
2433
2433
goto err;
2434
2434
···
2876
2876
goto err1;
2877
2877
2878
2878
err = -ENOMEM;
2879
-
expr = kzalloc(expr_info.ops->size, GFP_KERNEL);
2879
+
expr = kzalloc(expr_info.ops->size, GFP_KERNEL_ACCOUNT);
2880
2880
if (expr == NULL)
2881
2881
goto err2;
2882
2882
···
3484
3484
}
3485
3485
3486
3486
err = -ENOMEM;
3487
-
rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL);
3487
+
rule = kzalloc(sizeof(*rule) + size + usize, GFP_KERNEL_ACCOUNT);
3488
3488
if (rule == NULL)
3489
3489
goto err_release_expr;
3490
3490
···
3897
3897
free_page((unsigned long)inuse);
3898
3898
}
3899
3899
3900
-
set->name = kasprintf(GFP_KERNEL, name, min + n);
3900
+
set->name = kasprintf(GFP_KERNEL_ACCOUNT, name, min + n);
3901
3901
if (!set->name)
3902
3902
return -ENOMEM;
3903
3903
···
4461
4461
alloc_size = sizeof(*set) + size + udlen;
4462
4462
if (alloc_size < size || alloc_size > INT_MAX)
4463
4463
return -ENOMEM;
4464
-
set = kvzalloc(alloc_size, GFP_KERNEL);
4464
+
set = kvzalloc(alloc_size, GFP_KERNEL_ACCOUNT);
4465
4465
if (!set)
4466
4466
return -ENOMEM;
4467
4467
4468
-
name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL);
4468
+
name = nla_strdup(nla[NFTA_SET_NAME], GFP_KERNEL_ACCOUNT);
4469
4469
if (!name) {
4470
4470
err = -ENOMEM;
4471
4471
goto err_set_name;
···
6000
6000
err = -ENOMEM;
6001
6001
elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6002
6002
elem.key_end.val.data, elem.data.val.data,
6003
-
timeout, expiration, GFP_KERNEL);
6003
+
timeout, expiration, GFP_KERNEL_ACCOUNT);
6004
6004
if (elem.priv == NULL)
6005
6005
goto err_parse_data;
6006
6006
···
6244
6244
err = -ENOMEM;
6245
6245
elem.priv = nft_set_elem_init(set, &tmpl, elem.key.val.data,
6246
6246
elem.key_end.val.data, NULL, 0, 0,
6247
-
GFP_KERNEL);
6247
+
GFP_KERNEL_ACCOUNT);
6248
6248
if (elem.priv == NULL)
6249
6249
goto fail_elem;
6250
6250
···
6556
6556
}
6557
6557
6558
6558
err = -ENOMEM;
6559
-
obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL);
6559
+
obj = kzalloc(sizeof(*obj) + ops->size, GFP_KERNEL_ACCOUNT);
6560
6560
if (!obj)
6561
6561
goto err2;
6562
6562
···
6722
6722
obj->key.table = table;
6723
6723
obj->handle = nf_tables_alloc_handle(table);
6724
6724
6725
-
obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL);
6725
+
obj->key.name = nla_strdup(nla[NFTA_OBJ_NAME], GFP_KERNEL_ACCOUNT);
6726
6726
if (!obj->key.name) {
6727
6727
err = -ENOMEM;
6728
6728
goto err_strdup;
···
7483
7483
7484
7484
nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
7485
7485
7486
-
flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL);
7486
+
flowtable = kzalloc(sizeof(*flowtable), GFP_KERNEL_ACCOUNT);
7487
7487
if (!flowtable)
7488
7488
return -ENOMEM;
7489
7489
···
7491
7491
flowtable->handle = nf_tables_alloc_handle(table);
7492
7492
INIT_LIST_HEAD(&flowtable->hook_list);
7493
7493
7494
-
flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL);
7494
+
flowtable->name = nla_strdup(nla[NFTA_FLOWTABLE_NAME], GFP_KERNEL_ACCOUNT);
7495
7495
if (!flowtable->name) {
7496
7496
err = -ENOMEM;
7497
7497
goto err1;