tjh.dev
-7
include/linux/netfilter/ipset/ip_set.h
-7
include/linux/netfilter/ipset/ip_set.h
···
426
426
sizeof(*addr));
427
427
}
428
428
429
-
/* Calculate the bytes required to store the inclusive range of a-b */
430
-
static inline int
431
-
bitmap_bytes(u32 a, u32 b)
432
-
{
433
-
return 4 * ((((b - a + 8) / 8) + 3) / 4);
434
-
}
435
-
436
429
/* How often should the gc be run by default */
437
430
#define IPSET_GC_TIME (3 * 60)
438
431
+1
-1
include/linux/netfilter/nfnetlink.h
+1
-1
include/linux/netfilter/nfnetlink.h
···
31
31
const struct nfnl_callback *cb; /* callback for individual types */
32
32
struct module *owner;
33
33
int (*commit)(struct net *net, struct sk_buff *skb);
34
-
int (*abort)(struct net *net, struct sk_buff *skb);
34
+
int (*abort)(struct net *net, struct sk_buff *skb, bool autoload);
35
35
void (*cleanup)(struct net *net);
36
36
bool (*valid_genid)(struct net *net, u32 genid);
37
37
};
+1
include/net/netns/nftables.h
+1
include/net/netns/nftables.h
+17
-3
net/core/utils.c
+17
-3
net/core/utils.c
···
438
438
}
439
439
EXPORT_SYMBOL(inet_proto_csum_replace4);
440
440
441
+
/**
442
+
* inet_proto_csum_replace16 - update layer 4 header checksum field
443
+
* @sum: Layer 4 header checksum field
444
+
* @skb: sk_buff for the packet
445
+
* @from: old IPv6 address
446
+
* @to: new IPv6 address
447
+
* @pseudohdr: True if layer 4 header checksum includes pseudoheader
448
+
*
449
+
* Update layer 4 header as per the update in IPv6 src/dst address.
450
+
*
451
+
* There is no need to update skb->csum in this function, because update in two
452
+
* fields a.) IPv6 src/dst address and b.) L4 header checksum cancels each other
453
+
* for skb->csum calculation. Whereas inet_proto_csum_replace4 function needs to
454
+
* update skb->csum, because update in 3 fields a.) IPv4 src/dst address,
455
+
* b.) IPv4 Header checksum and c.) L4 header checksum results in same diff as
456
+
* L4 Header checksum for skb->csum calculation.
457
+
*/
441
458
void inet_proto_csum_replace16(__sum16 *sum, struct sk_buff *skb,
442
459
const __be32 *from, const __be32 *to,
443
460
bool pseudohdr)
···
466
449
if (skb->ip_summed != CHECKSUM_PARTIAL) {
467
450
*sum = csum_fold(csum_partial(diff, sizeof(diff),
468
451
~csum_unfold(*sum)));
469
-
if (skb->ip_summed == CHECKSUM_COMPLETE && pseudohdr)
470
-
skb->csum = ~csum_partial(diff, sizeof(diff),
471
-
~skb->csum);
472
452
} else if (pseudohdr)
473
453
*sum = ~csum_fold(csum_partial(diff, sizeof(diff),
474
454
csum_unfold(*sum)));
+1
-1
net/netfilter/ipset/ip_set_bitmap_gen.h
+1
-1
net/netfilter/ipset/ip_set_bitmap_gen.h
+3
-3
net/netfilter/ipset/ip_set_bitmap_ip.c
+3
-3
net/netfilter/ipset/ip_set_bitmap_ip.c
···
37
37
38
38
/* Type structure */
39
39
struct bitmap_ip {
40
-
void *members; /* the set members */
40
+
unsigned long *members; /* the set members */
41
41
u32 first_ip; /* host byte order, included in range */
42
42
u32 last_ip; /* host byte order, included in range */
43
43
u32 elements; /* number of max elements in the set */
···
220
220
u32 first_ip, u32 last_ip,
221
221
u32 elements, u32 hosts, u8 netmask)
222
222
{
223
-
map->members = ip_set_alloc(map->memsize);
223
+
map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
224
224
if (!map->members)
225
225
return false;
226
226
map->first_ip = first_ip;
···
322
322
if (!map)
323
323
return -ENOMEM;
324
324
325
-
map->memsize = bitmap_bytes(0, elements - 1);
325
+
map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
326
326
set->variant = &bitmap_ip;
327
327
if (!init_map_ip(set, map, first_ip, last_ip,
328
328
elements, hosts, netmask)) {
+3
-3
net/netfilter/ipset/ip_set_bitmap_ipmac.c
+3
-3
net/netfilter/ipset/ip_set_bitmap_ipmac.c
···
42
42
43
43
/* Type structure */
44
44
struct bitmap_ipmac {
45
-
void *members; /* the set members */
45
+
unsigned long *members; /* the set members */
46
46
u32 first_ip; /* host byte order, included in range */
47
47
u32 last_ip; /* host byte order, included in range */
48
48
u32 elements; /* number of max elements in the set */
···
299
299
init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
300
300
u32 first_ip, u32 last_ip, u32 elements)
301
301
{
302
-
map->members = ip_set_alloc(map->memsize);
302
+
map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
303
303
if (!map->members)
304
304
return false;
305
305
map->first_ip = first_ip;
···
360
360
if (!map)
361
361
return -ENOMEM;
362
362
363
-
map->memsize = bitmap_bytes(0, elements - 1);
363
+
map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
364
364
set->variant = &bitmap_ipmac;
365
365
if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
366
366
kfree(map);
+3
-3
net/netfilter/ipset/ip_set_bitmap_port.c
+3
-3
net/netfilter/ipset/ip_set_bitmap_port.c
···
30
30
31
31
/* Type structure */
32
32
struct bitmap_port {
33
-
void *members; /* the set members */
33
+
unsigned long *members; /* the set members */
34
34
u16 first_port; /* host byte order, included in range */
35
35
u16 last_port; /* host byte order, included in range */
36
36
u32 elements; /* number of max elements in the set */
···
231
231
init_map_port(struct ip_set *set, struct bitmap_port *map,
232
232
u16 first_port, u16 last_port)
233
233
{
234
-
map->members = ip_set_alloc(map->memsize);
234
+
map->members = bitmap_zalloc(map->elements, GFP_KERNEL | __GFP_NOWARN);
235
235
if (!map->members)
236
236
return false;
237
237
map->first_port = first_port;
···
271
271
return -ENOMEM;
272
272
273
273
map->elements = elements;
274
-
map->memsize = bitmap_bytes(0, map->elements);
274
+
map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
275
275
set->variant = &bitmap_port;
276
276
if (!init_map_port(set, map, first_port, last_port)) {
277
277
kfree(map);
+3
-3
net/netfilter/nf_conntrack_proto_sctp.c
+3
-3
net/netfilter/nf_conntrack_proto_sctp.c
···
114
114
{
115
115
/* ORIGINAL */
116
116
/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
117
-
/* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
117
+
/* init */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCW, sHA},
118
118
/* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA, sCL, sHA},
119
119
/* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
120
120
/* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA, sCL, sSS},
···
130
130
/* REPLY */
131
131
/* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA, sHS, sHA */
132
132
/* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},/* INIT in sCL Big TODO */
133
-
/* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
133
+
/* init_ack */ {sIV, sCW, sCW, sCE, sES, sSS, sSR, sSA, sIV, sHA},
134
134
/* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sIV, sCL},
135
135
/* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA, sIV, sSR},
136
136
/* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA, sIV, sHA},
···
316
316
ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
317
317
}
318
318
319
-
ct->proto.sctp.state = new_state;
319
+
ct->proto.sctp.state = SCTP_CONNTRACK_NONE;
320
320
}
321
321
322
322
return true;
+107
-48
net/netfilter/nf_tables_api.c
+107
-48
net/netfilter/nf_tables_api.c
···
553
553
static const struct nft_chain_type *chain_type[NFPROTO_NUMPROTO][NFT_CHAIN_T_MAX];
554
554
555
555
static const struct nft_chain_type *
556
+
__nft_chain_type_get(u8 family, enum nft_chain_types type)
557
+
{
558
+
if (family >= NFPROTO_NUMPROTO ||
559
+
type >= NFT_CHAIN_T_MAX)
560
+
return NULL;
561
+
562
+
return chain_type[family][type];
563
+
}
564
+
565
+
static const struct nft_chain_type *
556
566
__nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
557
567
{
568
+
const struct nft_chain_type *type;
558
569
int i;
559
570
560
571
for (i = 0; i < NFT_CHAIN_T_MAX; i++) {
561
-
if (chain_type[family][i] != NULL &&
562
-
!nla_strcmp(nla, chain_type[family][i]->name))
563
-
return chain_type[family][i];
572
+
type = __nft_chain_type_get(family, i);
573
+
if (!type)
574
+
continue;
575
+
if (!nla_strcmp(nla, type->name))
576
+
return type;
564
577
}
565
578
return NULL;
566
579
}
567
580
568
-
/*
569
-
* Loading a module requires dropping mutex that guards the transaction.
570
-
* A different client might race to start a new transaction meanwhile. Zap the
571
-
* list of pending transaction and then restore it once the mutex is grabbed
572
-
* again. Users of this function return EAGAIN which implicitly triggers the
573
-
* transaction abort path to clean up the list of pending transactions.
574
-
*/
581
+
struct nft_module_request {
582
+
struct list_head list;
583
+
char module[MODULE_NAME_LEN];
584
+
bool done;
585
+
};
586
+
575
587
#ifdef CONFIG_MODULES
576
-
static void nft_request_module(struct net *net, const char *fmt, ...)
588
+
static int nft_request_module(struct net *net, const char *fmt, ...)
577
589
{
578
590
char module_name[MODULE_NAME_LEN];
579
-
LIST_HEAD(commit_list);
591
+
struct nft_module_request *req;
580
592
va_list args;
581
593
int ret;
582
-
583
-
list_splice_init(&net->nft.commit_list, &commit_list);
584
594
585
595
va_start(args, fmt);
586
596
ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
587
597
va_end(args);
588
598
if (ret >= MODULE_NAME_LEN)
589
-
return;
599
+
return 0;
590
600
591
-
mutex_unlock(&net->nft.commit_mutex);
592
-
request_module("%s", module_name);
593
-
mutex_lock(&net->nft.commit_mutex);
601
+
list_for_each_entry(req, &net->nft.module_list, list) {
602
+
if (!strcmp(req->module, module_name)) {
603
+
if (req->done)
604
+
return 0;
594
605
595
-
WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
596
-
list_splice(&commit_list, &net->nft.commit_list);
606
+
/* A request to load this module already exists. */
607
+
return -EAGAIN;
608
+
}
609
+
}
610
+
611
+
req = kmalloc(sizeof(*req), GFP_KERNEL);
612
+
if (!req)
613
+
return -ENOMEM;
614
+
615
+
req->done = false;
616
+
strlcpy(req->module, module_name, MODULE_NAME_LEN);
617
+
list_add_tail(&req->list, &net->nft.module_list);
618
+
619
+
return -EAGAIN;
597
620
}
598
621
#endif
599
622
···
640
617
lockdep_nfnl_nft_mutex_not_held();
641
618
#ifdef CONFIG_MODULES
642
619
if (autoload) {
643
-
nft_request_module(net, "nft-chain-%u-%.*s", family,
644
-
nla_len(nla), (const char *)nla_data(nla));
645
-
type = __nf_tables_chain_type_lookup(nla, family);
646
-
if (type != NULL)
620
+
if (nft_request_module(net, "nft-chain-%u-%.*s", family,
621
+
nla_len(nla),
622
+
(const char *)nla_data(nla)) == -EAGAIN)
647
623
return ERR_PTR(-EAGAIN);
648
624
}
649
625
#endif
···
1184
1162
1185
1163
void nft_register_chain_type(const struct nft_chain_type *ctype)
1186
1164
{
1187
-
if (WARN_ON(ctype->family >= NFPROTO_NUMPROTO))
1188
-
return;
1189
-
1190
1165
nfnl_lock(NFNL_SUBSYS_NFTABLES);
1191
-
if (WARN_ON(chain_type[ctype->family][ctype->type] != NULL)) {
1166
+
if (WARN_ON(__nft_chain_type_get(ctype->family, ctype->type))) {
1192
1167
nfnl_unlock(NFNL_SUBSYS_NFTABLES);
1193
1168
return;
1194
1169
}
···
1787
1768
hook->num = ntohl(nla_get_be32(ha[NFTA_HOOK_HOOKNUM]));
1788
1769
hook->priority = ntohl(nla_get_be32(ha[NFTA_HOOK_PRIORITY]));
1789
1770
1790
-
type = chain_type[family][NFT_CHAIN_T_DEFAULT];
1771
+
type = __nft_chain_type_get(family, NFT_CHAIN_T_DEFAULT);
1772
+
if (!type)
1773
+
return -EOPNOTSUPP;
1774
+
1791
1775
if (nla[NFTA_CHAIN_TYPE]) {
1792
1776
type = nf_tables_chain_type_lookup(net, nla[NFTA_CHAIN_TYPE],
1793
1777
family, autoload);
···
2350
2328
static int nft_expr_type_request_module(struct net *net, u8 family,
2351
2329
struct nlattr *nla)
2352
2330
{
2353
-
nft_request_module(net, "nft-expr-%u-%.*s", family,
2354
-
nla_len(nla), (char *)nla_data(nla));
2355
-
if (__nft_expr_type_get(family, nla))
2331
+
if (nft_request_module(net, "nft-expr-%u-%.*s", family,
2332
+
nla_len(nla), (char *)nla_data(nla)) == -EAGAIN)
2356
2333
return -EAGAIN;
2357
2334
2358
2335
return 0;
···
2377
2356
if (nft_expr_type_request_module(net, family, nla) == -EAGAIN)
2378
2357
return ERR_PTR(-EAGAIN);
2379
2358
2380
-
nft_request_module(net, "nft-expr-%.*s",
2381
-
nla_len(nla), (char *)nla_data(nla));
2382
-
if (__nft_expr_type_get(family, nla))
2359
+
if (nft_request_module(net, "nft-expr-%.*s",
2360
+
nla_len(nla),
2361
+
(char *)nla_data(nla)) == -EAGAIN)
2383
2362
return ERR_PTR(-EAGAIN);
2384
2363
}
2385
2364
#endif
···
2470
2449
err = PTR_ERR(ops);
2471
2450
#ifdef CONFIG_MODULES
2472
2451
if (err == -EAGAIN)
2473
-
nft_expr_type_request_module(ctx->net,
2474
-
ctx->family,
2475
-
tb[NFTA_EXPR_NAME]);
2452
+
if (nft_expr_type_request_module(ctx->net,
2453
+
ctx->family,
2454
+
tb[NFTA_EXPR_NAME]) != -EAGAIN)
2455
+
err = -ENOENT;
2476
2456
#endif
2477
2457
goto err1;
2478
2458
}
···
3310
3288
lockdep_nfnl_nft_mutex_not_held();
3311
3289
#ifdef CONFIG_MODULES
3312
3290
if (list_empty(&nf_tables_set_types)) {
3313
-
nft_request_module(ctx->net, "nft-set");
3314
-
if (!list_empty(&nf_tables_set_types))
3291
+
if (nft_request_module(ctx->net, "nft-set") == -EAGAIN)
3315
3292
return ERR_PTR(-EAGAIN);
3316
3293
}
3317
3294
#endif
···
5436
5415
lockdep_nfnl_nft_mutex_not_held();
5437
5416
#ifdef CONFIG_MODULES
5438
5417
if (type == NULL) {
5439
-
nft_request_module(net, "nft-obj-%u", objtype);
5440
-
if (__nft_obj_type_get(objtype))
5418
+
if (nft_request_module(net, "nft-obj-%u", objtype) == -EAGAIN)
5441
5419
return ERR_PTR(-EAGAIN);
5442
5420
}
5443
5421
#endif
···
6009
5989
lockdep_nfnl_nft_mutex_not_held();
6010
5990
#ifdef CONFIG_MODULES
6011
5991
if (type == NULL) {
6012
-
nft_request_module(net, "nf-flowtable-%u", family);
6013
-
if (__nft_flowtable_type_get(family))
5992
+
if (nft_request_module(net, "nf-flowtable-%u", family) == -EAGAIN)
6014
5993
return ERR_PTR(-EAGAIN);
6015
5994
}
6016
5995
#endif
···
7011
6992
list_del_rcu(&chain->list);
7012
6993
}
7013
6994
6995
+
static void nf_tables_module_autoload_cleanup(struct net *net)
6996
+
{
6997
+
struct nft_module_request *req, *next;
6998
+
6999
+
WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
7000
+
list_for_each_entry_safe(req, next, &net->nft.module_list, list) {
7001
+
WARN_ON_ONCE(!req->done);
7002
+
list_del(&req->list);
7003
+
kfree(req);
7004
+
}
7005
+
}
7006
+
7014
7007
static void nf_tables_commit_release(struct net *net)
7015
7008
{
7016
7009
struct nft_trans *trans;
···
7035
7004
* to prevent expensive synchronize_rcu() in commit phase.
7036
7005
*/
7037
7006
if (list_empty(&net->nft.commit_list)) {
7007
+
nf_tables_module_autoload_cleanup(net);
7038
7008
mutex_unlock(&net->nft.commit_mutex);
7039
7009
return;
7040
7010
}
···
7050
7018
list_splice_tail_init(&net->nft.commit_list, &nf_tables_destroy_list);
7051
7019
spin_unlock(&nf_tables_destroy_list_lock);
7052
7020
7021
+
nf_tables_module_autoload_cleanup(net);
7053
7022
mutex_unlock(&net->nft.commit_mutex);
7054
7023
7055
7024
schedule_work(&trans_destroy_work);
···
7242
7209
return 0;
7243
7210
}
7244
7211
7212
+
static void nf_tables_module_autoload(struct net *net)
7213
+
{
7214
+
struct nft_module_request *req, *next;
7215
+
LIST_HEAD(module_list);
7216
+
7217
+
list_splice_init(&net->nft.module_list, &module_list);
7218
+
mutex_unlock(&net->nft.commit_mutex);
7219
+
list_for_each_entry_safe(req, next, &module_list, list) {
7220
+
if (req->done) {
7221
+
list_del(&req->list);
7222
+
kfree(req);
7223
+
} else {
7224
+
request_module("%s", req->module);
7225
+
req->done = true;
7226
+
}
7227
+
}
7228
+
mutex_lock(&net->nft.commit_mutex);
7229
+
list_splice(&module_list, &net->nft.module_list);
7230
+
}
7231
+
7245
7232
static void nf_tables_abort_release(struct nft_trans *trans)
7246
7233
{
7247
7234
switch (trans->msg_type) {
···
7291
7238
kfree(trans);
7292
7239
}
7293
7240
7294
-
static int __nf_tables_abort(struct net *net)
7241
+
static int __nf_tables_abort(struct net *net, bool autoload)
7295
7242
{
7296
7243
struct nft_trans *trans, *next;
7297
7244
struct nft_trans_elem *te;
···
7413
7360
nf_tables_abort_release(trans);
7414
7361
}
7415
7362
7363
+
if (autoload)
7364
+
nf_tables_module_autoload(net);
7365
+
else
7366
+
nf_tables_module_autoload_cleanup(net);
7367
+
7416
7368
return 0;
7417
7369
}
7418
7370
···
7426
7368
nft_validate_state_update(net, NFT_VALIDATE_SKIP);
7427
7369
}
7428
7370
7429
-
static int nf_tables_abort(struct net *net, struct sk_buff *skb)
7371
+
static int nf_tables_abort(struct net *net, struct sk_buff *skb, bool autoload)
7430
7372
{
7431
-
int ret = __nf_tables_abort(net);
7373
+
int ret = __nf_tables_abort(net, autoload);
7432
7374
7433
7375
mutex_unlock(&net->nft.commit_mutex);
7434
7376
···
8023
7965
{
8024
7966
INIT_LIST_HEAD(&net->nft.tables);
8025
7967
INIT_LIST_HEAD(&net->nft.commit_list);
7968
+
INIT_LIST_HEAD(&net->nft.module_list);
8026
7969
mutex_init(&net->nft.commit_mutex);
8027
7970
net->nft.base_seq = 1;
8028
7971
net->nft.validate_state = NFT_VALIDATE_SKIP;
···
8035
7976
{
8036
7977
mutex_lock(&net->nft.commit_mutex);
8037
7978
if (!list_empty(&net->nft.commit_list))
8038
-
__nf_tables_abort(net);
7979
+
__nf_tables_abort(net, false);
8039
7980
__nft_release_tables(net);
8040
7981
mutex_unlock(&net->nft.commit_mutex);
8041
7982
WARN_ON_ONCE(!list_empty(&net->nft.tables));
+1
-1
net/netfilter/nf_tables_offload.c
+1
-1
net/netfilter/nf_tables_offload.c
+3
-3
net/netfilter/nfnetlink.c
+3
-3
net/netfilter/nfnetlink.c
···
476
476
}
477
477
done:
478
478
if (status & NFNL_BATCH_REPLAY) {
479
-
ss->abort(net, oskb);
479
+
ss->abort(net, oskb, true);
480
480
nfnl_err_reset(&err_list);
481
481
kfree_skb(skb);
482
482
module_put(ss->owner);
···
487
487
status |= NFNL_BATCH_REPLAY;
488
488
goto done;
489
489
} else if (err) {
490
-
ss->abort(net, oskb);
490
+
ss->abort(net, oskb, false);
491
491
netlink_ack(oskb, nlmsg_hdr(oskb), err, NULL);
492
492
}
493
493
} else {
494
-
ss->abort(net, oskb);
494
+
ss->abort(net, oskb, false);
495
495
}
496
496
if (ss->cleanup)
497
497
ss->cleanup(net);