
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains two small Netfilter updates for your
net-next tree; they are:

1) Add ebtables support to nft_compat, from Arturo Borrero.

2) Fix missing validation of the SET_ID attribute in the lookup
expressions, from Patrick McHardy.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+58 -6
+57 -6
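--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -19,6 +19,7 @@
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
+#include <linux/netfilter_bridge/ebtables.h>
 #include <net/netfilter/nf_tables.h>
 
 static int nft_compat_chain_validate_dependency(const char *tablename,
@@ -41,6 +40,7 @@
 union nft_entry {
 struct ipt_entry e4;
 struct ip6t_entry e6;
+struct ebt_entry ebt;
 };
 
 static inline void
@@ -52,9 +50,9 @@
 par->hotdrop = false;
 }
 
-static void nft_target_eval(const struct nft_expr *expr,
-struct nft_data data[NFT_REG_MAX + 1],
-const struct nft_pktinfo *pkt)
+static void nft_target_eval_xt(const struct nft_expr *expr,
+struct nft_data data[NFT_REG_MAX + 1],
+const struct nft_pktinfo *pkt)
 {
 void *info = nft_expr_priv(expr);
 struct xt_target *target = expr->ops->data;
@@ -68,7 +66,7 @@
 if (pkt->xt.hotdrop)
 ret = NF_DROP;
 
-switch(ret) {
+switch (ret) {
 case XT_CONTINUE:
 data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
 break;
@@ -76,7 +74,41 @@
 data[NFT_REG_VERDICT].verdict = ret;
 break;
 }
-return;
+}
+
+static void nft_target_eval_bridge(const struct nft_expr *expr,
+struct nft_data data[NFT_REG_MAX + 1],
+const struct nft_pktinfo *pkt)
+{
+void *info = nft_expr_priv(expr);
+struct xt_target *target = expr->ops->data;
+struct sk_buff *skb = pkt->skb;
+int ret;
+
+nft_compat_set_par((struct xt_action_param *)&pkt->xt, target, info);
+
+ret = target->target(skb, &pkt->xt);
+
+if (pkt->xt.hotdrop)
+ret = NF_DROP;
+
+switch (ret) {
+case EBT_ACCEPT:
+data[NFT_REG_VERDICT].verdict = NF_ACCEPT;
+break;
+case EBT_DROP:
+data[NFT_REG_VERDICT].verdict = NF_DROP;
+break;
+case EBT_CONTINUE:
+data[NFT_REG_VERDICT].verdict = NFT_CONTINUE;
+break;
+case EBT_RETURN:
+data[NFT_REG_VERDICT].verdict = NFT_RETURN;
+break;
+default:
+data[NFT_REG_VERDICT].verdict = ret;
+break;
+}
 }
 
 static const struct nla_policy nft_target_policy[NFTA_TARGET_MAX + 1] = {
@@ -135,6 +99,10 @@
 case AF_INET6:
 entry->e6.ipv6.proto = proto;
 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
+break;
+case NFPROTO_BRIDGE:
+entry->ebt.ethproto = proto;
+entry->ebt.invflags = inv ? EBT_IPROTO : 0;
 break;
 }
 par->entryinfo = entry;
@@ -347,6 +307,10 @@
 entry->e6.ipv6.proto = proto;
 entry->e6.ipv6.invflags = inv ? IP6T_INV_PROTO : 0;
 break;
+case NFPROTO_BRIDGE:
+entry->ebt.ethproto = proto;
+entry->ebt.invflags = inv ? EBT_IPROTO : 0;
+break;
 }
 par->entryinfo = entry;
 par->match = match;
@@ -534,6 +490,9 @@
 case AF_INET6:
 fmt = "ip6t_%s";
 break;
+case NFPROTO_BRIDGE:
+fmt = "ebt_%s";
+break;
 default:
 pr_err("nft_compat: unsupported protocol %d\n",
 nfmsg->nfgen_family);
@@ -710,12 +663,16 @@
 
 nft_target->ops.type = &nft_target_type;
 nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
-nft_target->ops.eval = nft_target_eval;
 nft_target->ops.init = nft_target_init;
 nft_target->ops.destroy = nft_target_destroy;
 nft_target->ops.dump = nft_target_dump;
 nft_target->ops.validate = nft_target_validate;
 nft_target->ops.data = target;
+
+if (family == NFPROTO_BRIDGE)
+nft_target->ops.eval = nft_target_eval_bridge;
+else
+nft_target->ops.eval = nft_target_eval_xt;
 
 list_add(&nft_target->head, &nft_target_list);
 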
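Review bot: The `default:` branch of the new nft_target_eval_bridge (new lines 108-110) copies an unmapped ebtables return value straight into the verdict register, while the four cases above it exist precisely because EBT_* codes and nf_tables verdicts do not share a numbering, so any other value may be read by the nft core as whatever verdict happens to carry that number. Unless ebtables targets are known to return only EBT_ACCEPT/EBT_DROP/EBT_CONTINUE/EBT_RETURN (plus NF_DROP from the hotdrop path), the fallback should fail closed, `default: data[NFT_REG_VERDICT].verdict = NF_DROP; break;`, or at least carry a comment stating that pass-through is intentional and why it is safe. The prologue (nft_compat_set_par, the target call and the hotdrop check) is duplicated verbatim between nft_target_eval_xt and nft_target_eval_bridge; a shared static helper returning `ret` would leave only the verdict translation in each function. nft_target_eval_xt itself is split across the earlier hunks of this file, so its full body is not visible in any one hunk.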
+1
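--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -39,6 +39,7 @@
 
 static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
 [NFTA_LOOKUP_SET] = { .type = NLA_STRING },
+[NFTA_LOOKUP_SET_ID] = { .type = NLA_U32 },
 [NFTA_LOOKUP_SREG] = { .type = NLA_U32 },
 [NFTA_LOOKUP_DREG] = { .type = NLA_U32 },
 };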