tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

netfilter: drop bridge nf reset from nf_reset

commit 174e23810cd31
("sk_buff: drop all skb extensions on free and skb scrubbing") made napi
recycle always drop skb extensions. The additional skb_ext_del() that is
performed via nf_reset on napi skb recycle is not needed anymore.

Most nf_reset() calls in the stack are there so queued skb won't block
'rmmod nf_conntrack' indefinitely.

This removes the skb_ext_del from nf_reset, and renames it to a more
fitting nf_reset_ct().

In a few selected places, add a call to skb_ext_reset to make sure that
no active extensions remain.

I am submitting this for "net", because we're still early in the release
cycle. The patch applies to net-next too, but I think the rename causes
needless divergence between those trees.

Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso 895b5c9f 9cfc3702

+40 -45
+2 -2
drivers/net/ppp/pptp.c
··· 238 238 skb_dst_drop(skb); 239 239 skb_dst_set(skb, &rt->dst); 240 240 241 - nf_reset(skb); 241 + nf_reset_ct(skb); 242 242 243 243 skb->ip_summed = CHECKSUM_NONE; 244 244 ip_select_ident(net, skb, NULL); ··· 358 358 po = lookup_chan(htons(header->call_id), iph->saddr); 359 359 if (po) { 360 360 skb_dst_drop(skb); 361 - nf_reset(skb); 361 + nf_reset_ct(skb); 362 362 return sk_receive_skb(sk_pppox(po), skb, 0); 363 363 } 364 364 drop:
+1 -1
drivers/net/tun.c
··· 1104 1104 */ 1105 1105 skb_orphan(skb); 1106 1106 1107 - nf_reset(skb); 1107 + nf_reset_ct(skb); 1108 1108 1109 1109 if (ptr_ring_produce(&tfile->tx_ring, skb)) 1110 1110 goto drop;
+1 -1
drivers/net/virtio_net.c
··· 1585 1585 /* Don't wait up for transmitted skbs to be freed. */ 1586 1586 if (!use_napi) { 1587 1587 skb_orphan(skb); 1588 - nf_reset(skb); 1588 + nf_reset_ct(skb); 1589 1589 } 1590 1590 1591 1591 /* If running out of space, stop queue to avoid getting packets that we
+4 -4
drivers/net/vrf.c
··· 366 366 struct neighbour *neigh; 367 367 int ret; 368 368 369 - nf_reset(skb); 369 + nf_reset_ct(skb); 370 370 371 371 skb->protocol = htons(ETH_P_IPV6); 372 372 skb->dev = dev; ··· 459 459 460 460 /* reset skb device */ 461 461 if (likely(err == 1)) 462 - nf_reset(skb); 462 + nf_reset_ct(skb); 463 463 else 464 464 skb = NULL; 465 465 ··· 560 560 bool is_v6gw = false; 561 561 int ret = -EINVAL; 562 562 563 - nf_reset(skb); 563 + nf_reset_ct(skb); 564 564 565 565 /* Be paranoid, rather than too clever. */ 566 566 if (unlikely(skb_headroom(skb) < hh_len && dev->header_ops)) { ··· 670 670 671 671 /* reset skb device */ 672 672 if (likely(err == 1)) 673 - nf_reset(skb); 673 + nf_reset_ct(skb); 674 674 else 675 675 skb = NULL; 676 676
+2 -2
drivers/net/wireless/mac80211_hwsim.c
··· 1261 1261 skb_orphan(skb); 1262 1262 skb_dst_drop(skb); 1263 1263 skb->mark = 0; 1264 - secpath_reset(skb); 1265 - nf_reset(skb); 1264 + skb_ext_reset(skb); 1265 + nf_reset_ct(skb); 1266 1266 1267 1267 /* 1268 1268 * Get absolute mactime here so all HWs RX at the "same time", and
+2 -4
drivers/staging/octeon/ethernet-tx.c
··· 349 349 */ 350 350 dst_release(skb_dst(skb)); 351 351 skb_dst_set(skb, NULL); 352 - #ifdef CONFIG_XFRM 353 - secpath_reset(skb); 354 - #endif 355 - nf_reset(skb); 352 + skb_ext_reset(skb); 353 + nf_reset_ct(skb); 356 354 357 355 #ifdef CONFIG_NET_SCHED 358 356 skb->tc_index = 0;
+1 -4
include/linux/skbuff.h
··· 4160 4160 static inline void skb_ext_copy(struct sk_buff *dst, const struct sk_buff *s) {} 4161 4161 #endif /* CONFIG_SKB_EXTENSIONS */ 4162 4162 4163 - static inline void nf_reset(struct sk_buff *skb) 4163 + static inline void nf_reset_ct(struct sk_buff *skb) 4164 4164 { 4165 4165 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 4166 4166 nf_conntrack_put(skb_nfct(skb)); 4167 4167 skb->_nfct = 0; 4168 - #endif 4169 - #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) 4170 - skb_ext_del(skb, SKB_EXT_BRIDGE_NF); 4171 4168 #endif 4172 4169 } 4173 4170
+1 -1
net/batman-adv/soft-interface.c
··· 436 436 /* clean the netfilter state now that the batman-adv header has been 437 437 * removed 438 438 */ 439 - nf_reset(skb); 439 + nf_reset_ct(skb); 440 440 441 441 if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) 442 442 goto dropped;
+1 -1
net/core/skbuff.c
··· 5120 5120 skb->ignore_df = 0; 5121 5121 skb_dst_drop(skb); 5122 5122 skb_ext_reset(skb); 5123 - nf_reset(skb); 5123 + nf_reset_ct(skb); 5124 5124 nf_reset_trace(skb); 5125 5125 5126 5126 #ifdef CONFIG_NET_SWITCHDEV
+1 -1
net/dccp/ipv4.c
··· 871 871 872 872 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) 873 873 goto discard_and_relse; 874 - nf_reset(skb); 874 + nf_reset_ct(skb); 875 875 876 876 return __sk_receive_skb(sk, skb, 1, dh->dccph_doff * 4, refcounted); 877 877
+1 -1
net/ipv4/ip_input.c
··· 199 199 kfree_skb(skb); 200 200 return; 201 201 } 202 - nf_reset(skb); 202 + nf_reset_ct(skb); 203 203 } 204 204 ret = INDIRECT_CALL_2(ipprot->handler, tcp_v4_rcv, udp_rcv, 205 205 skb);
+2 -2
net/ipv4/ipmr.c
··· 1794 1794 ip_send_check(iph); 1795 1795 1796 1796 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); 1797 - nf_reset(skb); 1797 + nf_reset_ct(skb); 1798 1798 } 1799 1799 1800 1800 static inline int ipmr_forward_finish(struct net *net, struct sock *sk, ··· 2140 2140 2141 2141 mroute_sk = rcu_dereference(mrt->mroute_sk); 2142 2142 if (mroute_sk) { 2143 - nf_reset(skb); 2143 + nf_reset_ct(skb); 2144 2144 raw_rcv(mroute_sk, skb); 2145 2145 return 0; 2146 2146 }
+1 -1
net/ipv4/netfilter/nf_dup_ipv4.c
··· 65 65 66 66 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 67 67 /* Avoid counting cloned packets towards the original connection. */ 68 - nf_reset(skb); 68 + nf_reset_ct(skb); 69 69 nf_ct_set(skb, NULL, IP_CT_UNTRACKED); 70 70 #endif 71 71 /*
+1 -1
net/ipv4/raw.c
··· 332 332 kfree_skb(skb); 333 333 return NET_RX_DROP; 334 334 } 335 - nf_reset(skb); 335 + nf_reset_ct(skb); 336 336 337 337 skb_push(skb, skb->data - skb_network_header(skb)); 338 338
+1 -1
net/ipv4/tcp_ipv4.c
··· 1916 1916 if (tcp_v4_inbound_md5_hash(sk, skb)) 1917 1917 goto discard_and_relse; 1918 1918 1919 - nf_reset(skb); 1919 + nf_reset_ct(skb); 1920 1920 1921 1921 if (tcp_filter(sk, skb)) 1922 1922 goto discard_and_relse;
+2 -2
net/ipv4/udp.c
··· 1969 1969 */ 1970 1970 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) 1971 1971 goto drop; 1972 - nf_reset(skb); 1972 + nf_reset_ct(skb); 1973 1973 1974 1974 if (static_branch_unlikely(&udp_encap_needed_key) && up->encap_type) { 1975 1975 int (*encap_rcv)(struct sock *sk, struct sk_buff *skb); ··· 2298 2298 2299 2299 if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) 2300 2300 goto drop; 2301 - nf_reset(skb); 2301 + nf_reset_ct(skb); 2302 2302 2303 2303 /* No socket. Drop packet silently, if checksum is wrong */ 2304 2304 if (udp_lib_checksum_complete(skb))
+1 -1
net/ipv6/ip6_input.c
··· 371 371 /* Free reference early: we don't need it any more, 372 372 and it may hold ip_conntrack module loaded 373 373 indefinitely. */ 374 - nf_reset(skb); 374 + nf_reset_ct(skb); 375 375 376 376 skb_postpull_rcsum(skb, skb_network_header(skb), 377 377 skb_network_header_len(skb));
+1 -1
net/ipv6/netfilter/nf_dup_ipv6.c
··· 54 54 return; 55 55 56 56 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 57 - nf_reset(skb); 57 + nf_reset_ct(skb); 58 58 nf_ct_set(skb, NULL, IP_CT_UNTRACKED); 59 59 #endif 60 60 if (hooknum == NF_INET_PRE_ROUTING ||
+1 -1
net/ipv6/raw.c
··· 215 215 216 216 /* Not releasing hash table! */ 217 217 if (clone) { 218 - nf_reset(clone); 218 + nf_reset_ct(clone); 219 219 rawv6_rcv(sk, clone); 220 220 } 221 221 }
+1 -1
net/l2tp/l2tp_core.c
··· 1078 1078 memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); 1079 1079 IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | 1080 1080 IPSKB_REROUTED); 1081 - nf_reset(skb); 1081 + nf_reset_ct(skb); 1082 1082 1083 1083 bh_lock_sock(sk); 1084 1084 if (sock_owned_by_user(sk)) {
+1 -1
net/l2tp/l2tp_eth.c
··· 151 151 skb->ip_summed = CHECKSUM_NONE; 152 152 153 153 skb_dst_drop(skb); 154 - nf_reset(skb); 154 + nf_reset_ct(skb); 155 155 156 156 rcu_read_lock(); 157 157 dev = rcu_dereference(spriv->dev);
+1 -1
net/l2tp/l2tp_ip.c
··· 193 193 if (!xfrm4_policy_check(sk, XFRM_POLICY_IN, skb)) 194 194 goto discard_put; 195 195 196 - nf_reset(skb); 196 + nf_reset_ct(skb); 197 197 198 198 return sk_receive_skb(sk, skb, 1); 199 199
+1 -1
net/l2tp/l2tp_ip6.c
··· 206 206 if (!xfrm6_policy_check(sk, XFRM_POLICY_IN, skb)) 207 207 goto discard_put; 208 208 209 - nf_reset(skb); 209 + nf_reset_ct(skb); 210 210 211 211 return sk_receive_skb(sk, skb, 1); 212 212
+1 -1
net/netfilter/ipvs/ip_vs_xmit.c
··· 613 613 if (unlikely(cp->flags & IP_VS_CONN_F_NFCT)) 614 614 ret = ip_vs_confirm_conntrack(skb); 615 615 if (ret == NF_ACCEPT) { 616 - nf_reset(skb); 616 + nf_reset_ct(skb); 617 617 skb_forward_csum(skb); 618 618 } 619 619 return ret;
+1 -1
net/openvswitch/vport-internal_dev.c
··· 237 237 } 238 238 239 239 skb_dst_drop(skb); 240 - nf_reset(skb); 240 + nf_reset_ct(skb); 241 241 secpath_reset(skb); 242 242 243 243 skb->pkt_type = PACKET_HOST;
+2 -2
net/packet/af_packet.c
··· 1821 1821 skb_dst_drop(skb); 1822 1822 1823 1823 /* drop conntrack reference */ 1824 - nf_reset(skb); 1824 + nf_reset_ct(skb); 1825 1825 1826 1826 spkt = &PACKET_SKB_CB(skb)->sa.pkt; 1827 1827 ··· 2121 2121 skb_dst_drop(skb); 2122 2122 2123 2123 /* drop conntrack reference */ 2124 - nf_reset(skb); 2124 + nf_reset_ct(skb); 2125 2125 2126 2126 spin_lock(&sk->sk_receive_queue.lock); 2127 2127 po->stats.stats1.tp_packets++;
+1 -1
net/sctp/input.c
··· 201 201 202 202 if (!xfrm_policy_check(sk, XFRM_POLICY_IN, skb, family)) 203 203 goto discard_release; 204 - nf_reset(skb); 204 + nf_reset_ct(skb); 205 205 206 206 if (sk_filter(sk, skb)) 207 207 goto discard_release;
+1 -1
net/xfrm/xfrm_input.c
··· 706 706 if (err) 707 707 goto drop; 708 708 709 - nf_reset(skb); 709 + nf_reset_ct(skb); 710 710 711 711 if (decaps) { 712 712 sp = skb_sec_path(skb);
+1 -1
net/xfrm/xfrm_interface.c
··· 185 185 skb->skb_iif = 0; 186 186 skb->ignore_df = 0; 187 187 skb_dst_drop(skb); 188 - nf_reset(skb); 188 + nf_reset_ct(skb); 189 189 nf_reset_trace(skb); 190 190 191 191 if (!xnet)
+1 -1
net/xfrm/xfrm_output.c
··· 502 502 struct net *net = xs_net(skb_dst(skb)->xfrm); 503 503 504 504 while (likely((err = xfrm_output_one(skb, err)) == 0)) { 505 - nf_reset(skb); 505 + nf_reset_ct(skb); 506 506 507 507 err = skb_dst(skb)->ops->local_out(net, skb->sk, skb); 508 508 if (unlikely(err != 1))
+1 -1
net/xfrm/xfrm_policy.c
··· 2808 2808 continue; 2809 2809 } 2810 2810 2811 - nf_reset(skb); 2811 + nf_reset_ct(skb); 2812 2812 skb_dst_drop(skb); 2813 2813 skb_dst_set(skb, dst); 2814 2814