tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next
The following patchset contains Netfilter/IPVS updates for net-next:
1) Rename mss field to mss_option field in synproxy, from Fernando Mancera.
2) Use SYSCTL_{ZERO,ONE} definitions in conntrack, from Matteo Croce.
3) More strict validation of IPVS sysctl values, from Junwei Hu.
4) Remove unnecessary spaces after on the right hand side of assignments,
from yangxingwu.
5) Add offload support for bitwise operation.
6) Extend the nft_offload_reg structure to store immediate date.
7) Collapse several ip_set header files into ip_set.h, from
Jeremy Sowden.
8) Make netfilter headers compile with CONFIG_KERNEL_HEADER_TEST=y,
from Jeremy Sowden.
9) Fix several sparse warnings due to missing prototypes, from
Valdis Kletnieks.
10) Use static lock initialiser to ensure connlabel spinlock is
initialized on boot time to fix sched/act_ct.c, patch
from Florian Westphal.
====================
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
+527
-480
-74
include/Kbuild
-74
include/Kbuild
···
386
386
header-test- += linux/mxm-wmi.h
387
387
header-test- += linux/n_r3964.h
388
388
header-test- += linux/ndctl.h
389
-
header-test- += linux/netfilter/ipset/ip_set.h
390
-
header-test- += linux/netfilter/ipset/ip_set_bitmap.h
391
-
header-test- += linux/netfilter/ipset/ip_set_comment.h
392
-
header-test- += linux/netfilter/ipset/ip_set_counter.h
393
-
header-test- += linux/netfilter/ipset/ip_set_getport.h
394
-
header-test- += linux/netfilter/ipset/ip_set_hash.h
395
-
header-test- += linux/netfilter/ipset/ip_set_list.h
396
-
header-test- += linux/netfilter/ipset/ip_set_skbinfo.h
397
-
header-test- += linux/netfilter/ipset/ip_set_timeout.h
398
-
header-test- += linux/netfilter/nf_conntrack_amanda.h
399
-
header-test- += linux/netfilter/nf_conntrack_ftp.h
400
-
header-test- += linux/netfilter/nf_conntrack_h323.h
401
-
header-test- += linux/netfilter/nf_conntrack_h323_asn1.h
402
-
header-test- += linux/netfilter/nf_conntrack_irc.h
403
-
header-test- += linux/netfilter/nf_conntrack_pptp.h
404
-
header-test- += linux/netfilter/nf_conntrack_proto_gre.h
405
-
header-test- += linux/netfilter/nf_conntrack_sip.h
406
-
header-test- += linux/netfilter/nf_conntrack_snmp.h
407
-
header-test- += linux/netfilter/nf_conntrack_tftp.h
408
-
header-test- += linux/netfilter/x_tables.h
409
-
header-test- += linux/netfilter_arp/arp_tables.h
410
-
header-test- += linux/netfilter_bridge/ebtables.h
411
-
header-test- += linux/netfilter_ipv4/ip4_tables.h
412
-
header-test- += linux/netfilter_ipv4/ip_tables.h
413
-
header-test- += linux/netfilter_ipv6/ip6_tables.h
414
389
header-test- += linux/nfs.h
415
390
header-test- += linux/nfs_fs_i.h
416
391
header-test- += linux/nfs_fs_sb.h
···
849
874
header-test- += net/mrp.h
850
875
header-test- += net/ncsi.h
851
876
header-test- += net/netevent.h
852
-
header-test- += net/netfilter/br_netfilter.h
853
-
header-test- += net/netfilter/ipv4/nf_dup_ipv4.h
854
-
header-test- += net/netfilter/ipv6/nf_defrag_ipv6.h
855
-
header-test- += net/netfilter/ipv6/nf_dup_ipv6.h
856
-
header-test- += net/netfilter/nf_conntrack.h
857
-
header-test- += net/netfilter/nf_conntrack_acct.h
858
-
header-test- += net/netfilter/nf_conntrack_bridge.h
859
-
header-test- += net/netfilter/nf_conntrack_core.h
860
-
header-test- += net/netfilter/nf_conntrack_count.h
861
-
header-test- += net/netfilter/nf_conntrack_ecache.h
862
-
header-test- += net/netfilter/nf_conntrack_expect.h
863
-
header-test- += net/netfilter/nf_conntrack_extend.h
864
-
header-test- += net/netfilter/nf_conntrack_helper.h
865
-
header-test- += net/netfilter/nf_conntrack_l4proto.h
866
-
header-test- += net/netfilter/nf_conntrack_labels.h
867
-
header-test- += net/netfilter/nf_conntrack_seqadj.h
868
-
header-test- += net/netfilter/nf_conntrack_synproxy.h
869
-
header-test- += net/netfilter/nf_conntrack_timeout.h
870
-
header-test- += net/netfilter/nf_conntrack_timestamp.h
871
-
header-test- += net/netfilter/nf_conntrack_tuple.h
872
-
header-test- += net/netfilter/nf_dup_netdev.h
873
-
header-test- += net/netfilter/nf_flow_table.h
874
-
header-test- += net/netfilter/nf_nat.h
875
-
header-test- += net/netfilter/nf_nat_helper.h
876
-
header-test- += net/netfilter/nf_nat_masquerade.h
877
-
header-test- += net/netfilter/nf_nat_redirect.h
878
-
header-test- += net/netfilter/nf_queue.h
879
-
header-test- += net/netfilter/nf_reject.h
880
-
header-test- += net/netfilter/nf_synproxy.h
881
-
header-test-$(CONFIG_NF_TABLES) += net/netfilter/nf_tables.h
882
-
header-test-$(CONFIG_NF_TABLES) += net/netfilter/nf_tables_core.h
883
-
header-test-$(CONFIG_NF_TABLES) += net/netfilter/nf_tables_ipv4.h
884
-
header-test- += net/netfilter/nf_tables_ipv6.h
885
-
header-test-$(CONFIG_NF_TABLES) += net/netfilter/nf_tables_offload.h
886
-
header-test- += net/netfilter/nft_fib.h
887
-
header-test- += net/netfilter/nft_meta.h
888
-
header-test- += net/netfilter/nft_reject.h
889
877
header-test- += net/netns/can.h
890
878
header-test- += net/netns/generic.h
891
879
header-test- += net/netns/ieee802154_6lowpan.h
···
1078
1140
header-test- += uapi/linux/lightnvm.h
1079
1141
header-test- += uapi/linux/mic_common.h
1080
1142
header-test- += uapi/linux/mman.h
1081
-
header-test- += uapi/linux/netfilter/ipset/ip_set_bitmap.h
1082
-
header-test- += uapi/linux/netfilter/ipset/ip_set_hash.h
1083
-
header-test- += uapi/linux/netfilter/ipset/ip_set_list.h
1084
-
header-test- += uapi/linux/netfilter/nf_synproxy.h
1085
-
header-test- += uapi/linux/netfilter/xt_policy.h
1086
-
header-test- += uapi/linux/netfilter/xt_set.h
1087
-
header-test- += uapi/linux/netfilter_arp/arp_tables.h
1088
-
header-test- += uapi/linux/netfilter_arp/arpt_mangle.h
1089
-
header-test- += uapi/linux/netfilter_ipv4/ip_tables.h
1090
-
header-test- += uapi/linux/netfilter_ipv4/ipt_LOG.h
1091
-
header-test- += uapi/linux/netfilter_ipv6/ip6_tables.h
1092
-
header-test- += uapi/linux/netfilter_ipv6/ip6t_LOG.h
1093
1143
header-test- += uapi/linux/nilfs2_ondisk.h
1094
1144
header-test- += uapi/linux/patchkey.h
1095
1145
header-test- += uapi/linux/ptrace.h
+234
-4
include/linux/netfilter/ipset/ip_set.h
+234
-4
include/linux/netfilter/ipset/ip_set.h
···
452
452
return 4 * ((((b - a + 8) / 8) + 3) / 4);
453
453
}
454
454
455
-
#include <linux/netfilter/ipset/ip_set_timeout.h>
456
-
#include <linux/netfilter/ipset/ip_set_comment.h>
457
-
#include <linux/netfilter/ipset/ip_set_counter.h>
458
-
#include <linux/netfilter/ipset/ip_set_skbinfo.h>
455
+
/* How often should the gc be run by default */
456
+
#define IPSET_GC_TIME (3 * 60)
457
+
458
+
/* Timeout period depending on the timeout value of the given set */
459
+
#define IPSET_GC_PERIOD(timeout) \
460
+
((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1)
461
+
462
+
/* Entry is set with no timeout value */
463
+
#define IPSET_ELEM_PERMANENT 0
464
+
465
+
/* Set is defined with timeout support: timeout value may be 0 */
466
+
#define IPSET_NO_TIMEOUT UINT_MAX
467
+
468
+
/* Max timeout value, see msecs_to_jiffies() in jiffies.h */
469
+
#define IPSET_MAX_TIMEOUT (UINT_MAX >> 1)/MSEC_PER_SEC
470
+
471
+
#define ip_set_adt_opt_timeout(opt, set) \
472
+
((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
473
+
474
+
static inline unsigned int
475
+
ip_set_timeout_uget(struct nlattr *tb)
476
+
{
477
+
unsigned int timeout = ip_set_get_h32(tb);
478
+
479
+
/* Normalize to fit into jiffies */
480
+
if (timeout > IPSET_MAX_TIMEOUT)
481
+
timeout = IPSET_MAX_TIMEOUT;
482
+
483
+
return timeout;
484
+
}
485
+
486
+
static inline bool
487
+
ip_set_timeout_expired(const unsigned long *t)
488
+
{
489
+
return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t);
490
+
}
491
+
492
+
static inline void
493
+
ip_set_timeout_set(unsigned long *timeout, u32 value)
494
+
{
495
+
unsigned long t;
496
+
497
+
if (!value) {
498
+
*timeout = IPSET_ELEM_PERMANENT;
499
+
return;
500
+
}
501
+
502
+
t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies;
503
+
if (t == IPSET_ELEM_PERMANENT)
504
+
/* Bingo! :-) */
505
+
t--;
506
+
*timeout = t;
507
+
}
508
+
509
+
static inline u32
510
+
ip_set_timeout_get(const unsigned long *timeout)
511
+
{
512
+
u32 t;
513
+
514
+
if (*timeout == IPSET_ELEM_PERMANENT)
515
+
return 0;
516
+
517
+
t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
518
+
/* Zero value in userspace means no timeout */
519
+
return t == 0 ? 1 : t;
520
+
}
521
+
522
+
static inline char*
523
+
ip_set_comment_uget(struct nlattr *tb)
524
+
{
525
+
return nla_data(tb);
526
+
}
527
+
528
+
/* Called from uadd only, protected by the set spinlock.
529
+
* The kadt functions don't use the comment extensions in any way.
530
+
*/
531
+
static inline void
532
+
ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment,
533
+
const struct ip_set_ext *ext)
534
+
{
535
+
struct ip_set_comment_rcu *c = rcu_dereference_protected(comment->c, 1);
536
+
size_t len = ext->comment ? strlen(ext->comment) : 0;
537
+
538
+
if (unlikely(c)) {
539
+
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
540
+
kfree_rcu(c, rcu);
541
+
rcu_assign_pointer(comment->c, NULL);
542
+
}
543
+
if (!len)
544
+
return;
545
+
if (unlikely(len > IPSET_MAX_COMMENT_SIZE))
546
+
len = IPSET_MAX_COMMENT_SIZE;
547
+
c = kmalloc(sizeof(*c) + len + 1, GFP_ATOMIC);
548
+
if (unlikely(!c))
549
+
return;
550
+
strlcpy(c->str, ext->comment, len + 1);
551
+
set->ext_size += sizeof(*c) + strlen(c->str) + 1;
552
+
rcu_assign_pointer(comment->c, c);
553
+
}
554
+
555
+
/* Used only when dumping a set, protected by rcu_read_lock() */
556
+
static inline int
557
+
ip_set_put_comment(struct sk_buff *skb, const struct ip_set_comment *comment)
558
+
{
559
+
struct ip_set_comment_rcu *c = rcu_dereference(comment->c);
560
+
561
+
if (!c)
562
+
return 0;
563
+
return nla_put_string(skb, IPSET_ATTR_COMMENT, c->str);
564
+
}
565
+
566
+
/* Called from uadd/udel, flush or the garbage collectors protected
567
+
* by the set spinlock.
568
+
* Called when the set is destroyed and when there can't be any user
569
+
* of the set data anymore.
570
+
*/
571
+
static inline void
572
+
ip_set_comment_free(struct ip_set *set, struct ip_set_comment *comment)
573
+
{
574
+
struct ip_set_comment_rcu *c;
575
+
576
+
c = rcu_dereference_protected(comment->c, 1);
577
+
if (unlikely(!c))
578
+
return;
579
+
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
580
+
kfree_rcu(c, rcu);
581
+
rcu_assign_pointer(comment->c, NULL);
582
+
}
583
+
584
+
static inline void
585
+
ip_set_add_bytes(u64 bytes, struct ip_set_counter *counter)
586
+
{
587
+
atomic64_add((long long)bytes, &(counter)->bytes);
588
+
}
589
+
590
+
static inline void
591
+
ip_set_add_packets(u64 packets, struct ip_set_counter *counter)
592
+
{
593
+
atomic64_add((long long)packets, &(counter)->packets);
594
+
}
595
+
596
+
static inline u64
597
+
ip_set_get_bytes(const struct ip_set_counter *counter)
598
+
{
599
+
return (u64)atomic64_read(&(counter)->bytes);
600
+
}
601
+
602
+
static inline u64
603
+
ip_set_get_packets(const struct ip_set_counter *counter)
604
+
{
605
+
return (u64)atomic64_read(&(counter)->packets);
606
+
}
607
+
608
+
static inline bool
609
+
ip_set_match_counter(u64 counter, u64 match, u8 op)
610
+
{
611
+
switch (op) {
612
+
case IPSET_COUNTER_NONE:
613
+
return true;
614
+
case IPSET_COUNTER_EQ:
615
+
return counter == match;
616
+
case IPSET_COUNTER_NE:
617
+
return counter != match;
618
+
case IPSET_COUNTER_LT:
619
+
return counter < match;
620
+
case IPSET_COUNTER_GT:
621
+
return counter > match;
622
+
}
623
+
return false;
624
+
}
625
+
626
+
static inline void
627
+
ip_set_update_counter(struct ip_set_counter *counter,
628
+
const struct ip_set_ext *ext, u32 flags)
629
+
{
630
+
if (ext->packets != ULLONG_MAX &&
631
+
!(flags & IPSET_FLAG_SKIP_COUNTER_UPDATE)) {
632
+
ip_set_add_bytes(ext->bytes, counter);
633
+
ip_set_add_packets(ext->packets, counter);
634
+
}
635
+
}
636
+
637
+
static inline bool
638
+
ip_set_put_counter(struct sk_buff *skb, const struct ip_set_counter *counter)
639
+
{
640
+
return nla_put_net64(skb, IPSET_ATTR_BYTES,
641
+
cpu_to_be64(ip_set_get_bytes(counter)),
642
+
IPSET_ATTR_PAD) ||
643
+
nla_put_net64(skb, IPSET_ATTR_PACKETS,
644
+
cpu_to_be64(ip_set_get_packets(counter)),
645
+
IPSET_ATTR_PAD);
646
+
}
647
+
648
+
static inline void
649
+
ip_set_init_counter(struct ip_set_counter *counter,
650
+
const struct ip_set_ext *ext)
651
+
{
652
+
if (ext->bytes != ULLONG_MAX)
653
+
atomic64_set(&(counter)->bytes, (long long)(ext->bytes));
654
+
if (ext->packets != ULLONG_MAX)
655
+
atomic64_set(&(counter)->packets, (long long)(ext->packets));
656
+
}
657
+
658
+
static inline void
659
+
ip_set_get_skbinfo(struct ip_set_skbinfo *skbinfo,
660
+
const struct ip_set_ext *ext,
661
+
struct ip_set_ext *mext, u32 flags)
662
+
{
663
+
mext->skbinfo = *skbinfo;
664
+
}
665
+
666
+
static inline bool
667
+
ip_set_put_skbinfo(struct sk_buff *skb, const struct ip_set_skbinfo *skbinfo)
668
+
{
669
+
/* Send nonzero parameters only */
670
+
return ((skbinfo->skbmark || skbinfo->skbmarkmask) &&
671
+
nla_put_net64(skb, IPSET_ATTR_SKBMARK,
672
+
cpu_to_be64((u64)skbinfo->skbmark << 32 |
673
+
skbinfo->skbmarkmask),
674
+
IPSET_ATTR_PAD)) ||
675
+
(skbinfo->skbprio &&
676
+
nla_put_net32(skb, IPSET_ATTR_SKBPRIO,
677
+
cpu_to_be32(skbinfo->skbprio))) ||
678
+
(skbinfo->skbqueue &&
679
+
nla_put_net16(skb, IPSET_ATTR_SKBQUEUE,
680
+
cpu_to_be16(skbinfo->skbqueue)));
681
+
}
682
+
683
+
static inline void
684
+
ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo,
685
+
const struct ip_set_ext *ext)
686
+
{
687
+
*skbinfo = ext->skbinfo;
688
+
}
459
689
460
690
#define IP_SET_INIT_KEXT(skb, opt, set) \
461
691
{ .bytes = (skb)->len, .packets = 1, \
-73
include/linux/netfilter/ipset/ip_set_comment.h
-73
include/linux/netfilter/ipset/ip_set_comment.h
···
1
-
/* SPDX-License-Identifier: GPL-2.0-only */
2
-
#ifndef _IP_SET_COMMENT_H
3
-
#define _IP_SET_COMMENT_H
4
-
5
-
/* Copyright (C) 2013 Oliver Smith <oliver@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
6
-
*/
7
-
8
-
#ifdef __KERNEL__
9
-
10
-
static inline char*
11
-
ip_set_comment_uget(struct nlattr *tb)
12
-
{
13
-
return nla_data(tb);
14
-
}
15
-
16
-
/* Called from uadd only, protected by the set spinlock.
17
-
* The kadt functions don't use the comment extensions in any way.
18
-
*/
19
-
static inline void
20
-
ip_set_init_comment(struct ip_set *set, struct ip_set_comment *comment,
21
-
const struct ip_set_ext *ext)
22
-
{
23
-
struct ip_set_comment_rcu *c = rcu_dereference_protected(comment->c, 1);
24
-
size_t len = ext->comment ? strlen(ext->comment) : 0;
25
-
26
-
if (unlikely(c)) {
27
-
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
28
-
kfree_rcu(c, rcu);
29
-
rcu_assign_pointer(comment->c, NULL);
30
-
}
31
-
if (!len)
32
-
return;
33
-
if (unlikely(len > IPSET_MAX_COMMENT_SIZE))
34
-
len = IPSET_MAX_COMMENT_SIZE;
35
-
c = kmalloc(sizeof(*c) + len + 1, GFP_ATOMIC);
36
-
if (unlikely(!c))
37
-
return;
38
-
strlcpy(c->str, ext->comment, len + 1);
39
-
set->ext_size += sizeof(*c) + strlen(c->str) + 1;
40
-
rcu_assign_pointer(comment->c, c);
41
-
}
42
-
43
-
/* Used only when dumping a set, protected by rcu_read_lock() */
44
-
static inline int
45
-
ip_set_put_comment(struct sk_buff *skb, const struct ip_set_comment *comment)
46
-
{
47
-
struct ip_set_comment_rcu *c = rcu_dereference(comment->c);
48
-
49
-
if (!c)
50
-
return 0;
51
-
return nla_put_string(skb, IPSET_ATTR_COMMENT, c->str);
52
-
}
53
-
54
-
/* Called from uadd/udel, flush or the garbage collectors protected
55
-
* by the set spinlock.
56
-
* Called when the set is destroyed and when there can't be any user
57
-
* of the set data anymore.
58
-
*/
59
-
static inline void
60
-
ip_set_comment_free(struct ip_set *set, struct ip_set_comment *comment)
61
-
{
62
-
struct ip_set_comment_rcu *c;
63
-
64
-
c = rcu_dereference_protected(comment->c, 1);
65
-
if (unlikely(!c))
66
-
return;
67
-
set->ext_size -= sizeof(*c) + strlen(c->str) + 1;
68
-
kfree_rcu(c, rcu);
69
-
rcu_assign_pointer(comment->c, NULL);
70
-
}
71
-
72
-
#endif
73
-
#endif
-84
include/linux/netfilter/ipset/ip_set_counter.h
-84
include/linux/netfilter/ipset/ip_set_counter.h
···
1
-
/* SPDX-License-Identifier: GPL-2.0-only */
2
-
#ifndef _IP_SET_COUNTER_H
3
-
#define _IP_SET_COUNTER_H
4
-
5
-
/* Copyright (C) 2015 Jozsef Kadlecsik <kadlec@netfilter.org> */
6
-
7
-
#ifdef __KERNEL__
8
-
9
-
static inline void
10
-
ip_set_add_bytes(u64 bytes, struct ip_set_counter *counter)
11
-
{
12
-
atomic64_add((long long)bytes, &(counter)->bytes);
13
-
}
14
-
15
-
static inline void
16
-
ip_set_add_packets(u64 packets, struct ip_set_counter *counter)
17
-
{
18
-
atomic64_add((long long)packets, &(counter)->packets);
19
-
}
20
-
21
-
static inline u64
22
-
ip_set_get_bytes(const struct ip_set_counter *counter)
23
-
{
24
-
return (u64)atomic64_read(&(counter)->bytes);
25
-
}
26
-
27
-
static inline u64
28
-
ip_set_get_packets(const struct ip_set_counter *counter)
29
-
{
30
-
return (u64)atomic64_read(&(counter)->packets);
31
-
}
32
-
33
-
static inline bool
34
-
ip_set_match_counter(u64 counter, u64 match, u8 op)
35
-
{
36
-
switch (op) {
37
-
case IPSET_COUNTER_NONE:
38
-
return true;
39
-
case IPSET_COUNTER_EQ:
40
-
return counter == match;
41
-
case IPSET_COUNTER_NE:
42
-
return counter != match;
43
-
case IPSET_COUNTER_LT:
44
-
return counter < match;
45
-
case IPSET_COUNTER_GT:
46
-
return counter > match;
47
-
}
48
-
return false;
49
-
}
50
-
51
-
static inline void
52
-
ip_set_update_counter(struct ip_set_counter *counter,
53
-
const struct ip_set_ext *ext, u32 flags)
54
-
{
55
-
if (ext->packets != ULLONG_MAX &&
56
-
!(flags & IPSET_FLAG_SKIP_COUNTER_UPDATE)) {
57
-
ip_set_add_bytes(ext->bytes, counter);
58
-
ip_set_add_packets(ext->packets, counter);
59
-
}
60
-
}
61
-
62
-
static inline bool
63
-
ip_set_put_counter(struct sk_buff *skb, const struct ip_set_counter *counter)
64
-
{
65
-
return nla_put_net64(skb, IPSET_ATTR_BYTES,
66
-
cpu_to_be64(ip_set_get_bytes(counter)),
67
-
IPSET_ATTR_PAD) ||
68
-
nla_put_net64(skb, IPSET_ATTR_PACKETS,
69
-
cpu_to_be64(ip_set_get_packets(counter)),
70
-
IPSET_ATTR_PAD);
71
-
}
72
-
73
-
static inline void
74
-
ip_set_init_counter(struct ip_set_counter *counter,
75
-
const struct ip_set_ext *ext)
76
-
{
77
-
if (ext->bytes != ULLONG_MAX)
78
-
atomic64_set(&(counter)->bytes, (long long)(ext->bytes));
79
-
if (ext->packets != ULLONG_MAX)
80
-
atomic64_set(&(counter)->packets, (long long)(ext->packets));
81
-
}
82
-
83
-
#endif /* __KERNEL__ */
84
-
#endif /* _IP_SET_COUNTER_H */
+4
include/linux/netfilter/ipset/ip_set_getport.h
+4
include/linux/netfilter/ipset/ip_set_getport.h
-42
include/linux/netfilter/ipset/ip_set_skbinfo.h
-42
include/linux/netfilter/ipset/ip_set_skbinfo.h
···
1
-
/* SPDX-License-Identifier: GPL-2.0-only */
2
-
#ifndef _IP_SET_SKBINFO_H
3
-
#define _IP_SET_SKBINFO_H
4
-
5
-
/* Copyright (C) 2015 Jozsef Kadlecsik <kadlec@netfilter.org> */
6
-
7
-
#ifdef __KERNEL__
8
-
9
-
static inline void
10
-
ip_set_get_skbinfo(struct ip_set_skbinfo *skbinfo,
11
-
const struct ip_set_ext *ext,
12
-
struct ip_set_ext *mext, u32 flags)
13
-
{
14
-
mext->skbinfo = *skbinfo;
15
-
}
16
-
17
-
static inline bool
18
-
ip_set_put_skbinfo(struct sk_buff *skb, const struct ip_set_skbinfo *skbinfo)
19
-
{
20
-
/* Send nonzero parameters only */
21
-
return ((skbinfo->skbmark || skbinfo->skbmarkmask) &&
22
-
nla_put_net64(skb, IPSET_ATTR_SKBMARK,
23
-
cpu_to_be64((u64)skbinfo->skbmark << 32 |
24
-
skbinfo->skbmarkmask),
25
-
IPSET_ATTR_PAD)) ||
26
-
(skbinfo->skbprio &&
27
-
nla_put_net32(skb, IPSET_ATTR_SKBPRIO,
28
-
cpu_to_be32(skbinfo->skbprio))) ||
29
-
(skbinfo->skbqueue &&
30
-
nla_put_net16(skb, IPSET_ATTR_SKBQUEUE,
31
-
cpu_to_be16(skbinfo->skbqueue)));
32
-
}
33
-
34
-
static inline void
35
-
ip_set_init_skbinfo(struct ip_set_skbinfo *skbinfo,
36
-
const struct ip_set_ext *ext)
37
-
{
38
-
*skbinfo = ext->skbinfo;
39
-
}
40
-
41
-
#endif /* __KERNEL__ */
42
-
#endif /* _IP_SET_SKBINFO_H */
-77
include/linux/netfilter/ipset/ip_set_timeout.h
-77
include/linux/netfilter/ipset/ip_set_timeout.h
···
1
-
/* SPDX-License-Identifier: GPL-2.0-only */
2
-
#ifndef _IP_SET_TIMEOUT_H
3
-
#define _IP_SET_TIMEOUT_H
4
-
5
-
/* Copyright (C) 2003-2013 Jozsef Kadlecsik <kadlec@netfilter.org> */
6
-
7
-
#ifdef __KERNEL__
8
-
9
-
/* How often should the gc be run by default */
10
-
#define IPSET_GC_TIME (3 * 60)
11
-
12
-
/* Timeout period depending on the timeout value of the given set */
13
-
#define IPSET_GC_PERIOD(timeout) \
14
-
((timeout/3) ? min_t(u32, (timeout)/3, IPSET_GC_TIME) : 1)
15
-
16
-
/* Entry is set with no timeout value */
17
-
#define IPSET_ELEM_PERMANENT 0
18
-
19
-
/* Set is defined with timeout support: timeout value may be 0 */
20
-
#define IPSET_NO_TIMEOUT UINT_MAX
21
-
22
-
/* Max timeout value, see msecs_to_jiffies() in jiffies.h */
23
-
#define IPSET_MAX_TIMEOUT (UINT_MAX >> 1)/MSEC_PER_SEC
24
-
25
-
#define ip_set_adt_opt_timeout(opt, set) \
26
-
((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)
27
-
28
-
static inline unsigned int
29
-
ip_set_timeout_uget(struct nlattr *tb)
30
-
{
31
-
unsigned int timeout = ip_set_get_h32(tb);
32
-
33
-
/* Normalize to fit into jiffies */
34
-
if (timeout > IPSET_MAX_TIMEOUT)
35
-
timeout = IPSET_MAX_TIMEOUT;
36
-
37
-
return timeout;
38
-
}
39
-
40
-
static inline bool
41
-
ip_set_timeout_expired(const unsigned long *t)
42
-
{
43
-
return *t != IPSET_ELEM_PERMANENT && time_is_before_jiffies(*t);
44
-
}
45
-
46
-
static inline void
47
-
ip_set_timeout_set(unsigned long *timeout, u32 value)
48
-
{
49
-
unsigned long t;
50
-
51
-
if (!value) {
52
-
*timeout = IPSET_ELEM_PERMANENT;
53
-
return;
54
-
}
55
-
56
-
t = msecs_to_jiffies(value * MSEC_PER_SEC) + jiffies;
57
-
if (t == IPSET_ELEM_PERMANENT)
58
-
/* Bingo! :-) */
59
-
t--;
60
-
*timeout = t;
61
-
}
62
-
63
-
static inline u32
64
-
ip_set_timeout_get(const unsigned long *timeout)
65
-
{
66
-
u32 t;
67
-
68
-
if (*timeout == IPSET_ELEM_PERMANENT)
69
-
return 0;
70
-
71
-
t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
72
-
/* Zero value in userspace means no timeout */
73
-
return t == 0 ? 1 : t;
74
-
}
75
-
76
-
#endif /* __KERNEL__ */
77
-
#endif /* _IP_SET_TIMEOUT_H */
+4
include/linux/netfilter/nf_conntrack_amanda.h
+4
include/linux/netfilter/nf_conntrack_amanda.h
···
3
3
#define _NF_CONNTRACK_AMANDA_H
4
4
/* AMANDA tracking. */
5
5
6
+
#include <linux/netfilter.h>
7
+
#include <linux/skbuff.h>
8
+
#include <net/netfilter/nf_conntrack_expect.h>
9
+
6
10
extern unsigned int (*nf_nat_amanda_hook)(struct sk_buff *skb,
7
11
enum ip_conntrack_info ctinfo,
8
12
unsigned int protoff,
-3
include/linux/netfilter/nf_conntrack_dccp.h
-3
include/linux/netfilter/nf_conntrack_dccp.h
···
25
25
};
26
26
#define CT_DCCP_ROLE_MAX (__CT_DCCP_ROLE_MAX - 1)
27
27
28
-
#ifdef __KERNEL__
29
28
#include <linux/netfilter/nf_conntrack_tuple_common.h>
30
29
31
30
struct nf_ct_dccp {
···
34
35
u_int8_t last_dir;
35
36
u_int64_t handshake_seq;
36
37
};
37
-
38
-
#endif /* __KERNEL__ */
39
38
40
39
#endif /* _NF_CONNTRACK_DCCP_H */
+5
-3
include/linux/netfilter/nf_conntrack_ftp.h
+5
-3
include/linux/netfilter/nf_conntrack_ftp.h
···
2
2
#ifndef _NF_CONNTRACK_FTP_H
3
3
#define _NF_CONNTRACK_FTP_H
4
4
5
+
#include <linux/netfilter.h>
6
+
#include <linux/skbuff.h>
7
+
#include <linux/types.h>
8
+
#include <net/netfilter/nf_conntrack_expect.h>
5
9
#include <uapi/linux/netfilter/nf_conntrack_ftp.h>
6
-
10
+
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
7
11
8
12
#define FTP_PORT 21
9
13
···
23
19
/* pickup sequence tracking, useful for conntrackd */
24
20
u_int16_t flags[IP_CT_DIR_MAX];
25
21
};
26
-
27
-
struct nf_conntrack_expect;
28
22
29
23
/* For NAT to hook in when we find a packet which describes what other
30
24
* connection we should expect. */
+5
-6
include/linux/netfilter/nf_conntrack_h323.h
+5
-6
include/linux/netfilter/nf_conntrack_h323.h
···
2
2
#ifndef _NF_CONNTRACK_H323_H
3
3
#define _NF_CONNTRACK_H323_H
4
4
5
-
#ifdef __KERNEL__
6
-
5
+
#include <linux/netfilter.h>
6
+
#include <linux/skbuff.h>
7
+
#include <linux/types.h>
7
8
#include <linux/netfilter/nf_conntrack_h323_asn1.h>
9
+
#include <net/netfilter/nf_conntrack_expect.h>
10
+
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
8
11
9
12
#define RAS_PORT 1719
10
13
#define Q931_PORT 1720
···
30
27
u_int16_t tpkt_len[IP_CT_DIR_MAX];
31
28
};
32
29
};
33
-
34
-
struct nf_conn;
35
30
36
31
int get_h225_addr(struct nf_conn *ct, unsigned char *data,
37
32
TransportAddress *taddr, union nf_inet_addr *addr,
···
93
92
unsigned char **data, TransportAddress *taddr,
94
93
int idx, __be16 port,
95
94
struct nf_conntrack_expect *exp);
96
-
97
-
#endif
98
95
99
96
#endif
+2
include/linux/netfilter/nf_conntrack_h323_asn1.h
+2
include/linux/netfilter/nf_conntrack_h323_asn1.h
···
37
37
/*****************************************************************************
38
38
* H.323 Types
39
39
****************************************************************************/
40
+
41
+
#include <linux/types.h>
40
42
#include <linux/netfilter/nf_conntrack_h323_types.h>
41
43
42
44
typedef struct {
+3
-2
include/linux/netfilter/nf_conntrack_irc.h
+3
-2
include/linux/netfilter/nf_conntrack_irc.h
···
2
2
#ifndef _NF_CONNTRACK_IRC_H
3
3
#define _NF_CONNTRACK_IRC_H
4
4
5
-
#ifdef __KERNEL__
5
+
#include <linux/netfilter.h>
6
+
#include <linux/skbuff.h>
7
+
#include <net/netfilter/nf_conntrack_expect.h>
6
8
7
9
#define IRC_PORT 6667
8
10
···
15
13
unsigned int matchlen,
16
14
struct nf_conntrack_expect *exp);
17
15
18
-
#endif /* __KERNEL__ */
19
16
#endif /* _NF_CONNTRACK_IRC_H */
+5
-7
include/linux/netfilter/nf_conntrack_pptp.h
+5
-7
include/linux/netfilter/nf_conntrack_pptp.h
···
3
3
#ifndef _NF_CONNTRACK_PPTP_H
4
4
#define _NF_CONNTRACK_PPTP_H
5
5
6
+
#include <linux/netfilter.h>
7
+
#include <linux/skbuff.h>
8
+
#include <linux/types.h>
6
9
#include <linux/netfilter/nf_conntrack_common.h>
10
+
#include <net/netfilter/nf_conntrack_expect.h>
11
+
#include <uapi/linux/netfilter/nf_conntrack_tuple_common.h>
7
12
8
13
extern const char *const pptp_msg_name[];
9
14
···
49
44
__be16 pns_call_id; /* NAT'ed PNS call id */
50
45
__be16 pac_call_id; /* NAT'ed PAC call id */
51
46
};
52
-
53
-
#ifdef __KERNEL__
54
47
55
48
#define PPTP_CONTROL_PORT 1723
56
49
···
300
297
struct PptpSetLinkInfo setlink;
301
298
};
302
299
303
-
/* crap needed for nf_conntrack_compat.h */
304
-
struct nf_conn;
305
-
struct nf_conntrack_expect;
306
-
307
300
extern int
308
301
(*nf_nat_pptp_hook_outbound)(struct sk_buff *skb,
309
302
struct nf_conn *ct, enum ip_conntrack_info ctinfo,
···
322
323
(*nf_nat_pptp_hook_expectfn)(struct nf_conn *ct,
323
324
struct nf_conntrack_expect *exp);
324
325
325
-
#endif /* __KERNEL__ */
326
326
#endif /* _NF_CONNTRACK_PPTP_H */
-2
include/linux/netfilter/nf_conntrack_proto_gre.h
-2
include/linux/netfilter/nf_conntrack_proto_gre.h
···
10
10
unsigned int timeout;
11
11
};
12
12
13
-
#ifdef __KERNEL__
14
13
#include <net/netfilter/nf_conntrack_tuple.h>
15
14
16
15
struct nf_conn;
···
31
32
32
33
bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
33
34
struct net *net, struct nf_conntrack_tuple *tuple);
34
-
#endif /* __KERNEL__ */
35
35
#endif /* _CONNTRACK_PROTO_GRE_H */
-4
include/linux/netfilter/nf_conntrack_sane.h
-4
include/linux/netfilter/nf_conntrack_sane.h
···
3
3
#define _NF_CONNTRACK_SANE_H
4
4
/* SANE tracking. */
5
5
6
-
#ifdef __KERNEL__
7
-
8
6
#define SANE_PORT 6566
9
7
10
8
enum sane_state {
···
14
16
struct nf_ct_sane_master {
15
17
enum sane_state state;
16
18
};
17
-
18
-
#endif /* __KERNEL__ */
19
19
20
20
#endif /* _NF_CONNTRACK_SANE_H */
+2
-4
include/linux/netfilter/nf_conntrack_sip.h
+2
-4
include/linux/netfilter/nf_conntrack_sip.h
···
1
1
/* SPDX-License-Identifier: GPL-2.0 */
2
2
#ifndef __NF_CONNTRACK_SIP_H__
3
3
#define __NF_CONNTRACK_SIP_H__
4
-
#ifdef __KERNEL__
5
4
6
-
#include <net/netfilter/nf_conntrack_expect.h>
7
-
5
+
#include <linux/skbuff.h>
8
6
#include <linux/types.h>
7
+
#include <net/netfilter/nf_conntrack_expect.h>
9
8
10
9
#define SIP_PORT 5060
11
10
#define SIP_TIMEOUT 3600
···
195
196
enum sdp_header_types term,
196
197
unsigned int *matchoff, unsigned int *matchlen);
197
198
198
-
#endif /* __KERNEL__ */
199
199
#endif /* __NF_CONNTRACK_SIP_H__ */
+3
include/linux/netfilter/nf_conntrack_snmp.h
+3
include/linux/netfilter/nf_conntrack_snmp.h
+5
include/linux/netfilter/nf_conntrack_tftp.h
+5
include/linux/netfilter/nf_conntrack_tftp.h
+6
include/linux/netfilter/x_tables.h
+6
include/linux/netfilter/x_tables.h
···
35
35
union {
36
36
const void *matchinfo, *targinfo;
37
37
};
38
+
#if IS_ENABLED(CONFIG_NETFILTER)
38
39
const struct nf_hook_state *state;
40
+
#endif
39
41
int fragoff;
40
42
unsigned int thoff;
41
43
bool hotdrop;
42
44
};
43
45
46
+
#if IS_ENABLED(CONFIG_NETFILTER)
44
47
static inline struct net *xt_net(const struct xt_action_param *par)
45
48
{
46
49
return par->state->net;
···
78
75
{
79
76
return par->state->pf;
80
77
}
78
+
#endif
81
79
82
80
/**
83
81
* struct xt_mtchk_param - parameters for match extensions'
···
450
446
return cnt;
451
447
}
452
448
449
+
#if IS_ENABLED(CONFIG_NETFILTER)
453
450
struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
451
+
#endif
454
452
455
453
#ifdef CONFIG_COMPAT
456
454
#include <net/compat.h>
+2
include/linux/netfilter_arp/arp_tables.h
+2
include/linux/netfilter_arp/arp_tables.h
···
49
49
}
50
50
51
51
extern void *arpt_alloc_initial_table(const struct xt_table *);
52
+
#if IS_ENABLED(CONFIG_NETFILTER)
52
53
int arpt_register_table(struct net *net, const struct xt_table *table,
53
54
const struct arpt_replace *repl,
54
55
const struct nf_hook_ops *ops, struct xt_table **res);
···
58
57
extern unsigned int arpt_do_table(struct sk_buff *skb,
59
58
const struct nf_hook_state *state,
60
59
struct xt_table *table);
60
+
#endif
61
61
62
62
#ifdef CONFIG_COMPAT
63
63
#include <net/compat.h>
+2
include/linux/netfilter_bridge/ebtables.h
+2
include/linux/netfilter_bridge/ebtables.h
···
105
105
106
106
#define EBT_ALIGN(s) (((s) + (__alignof__(struct _xt_align)-1)) & \
107
107
~(__alignof__(struct _xt_align)-1))
108
+
#if IS_ENABLED(CONFIG_NETFILTER)
108
109
extern int ebt_register_table(struct net *net,
109
110
const struct ebt_table *table,
110
111
const struct nf_hook_ops *ops,
···
115
114
extern unsigned int ebt_do_table(struct sk_buff *skb,
116
115
const struct nf_hook_state *state,
117
116
struct ebt_table *table);
117
+
#endif
118
118
119
119
/* True if the hook mask denotes that the rule is in a base chain,
120
120
* used in the check() functions */
+4
include/linux/netfilter_ipv4/ip_tables.h
+4
include/linux/netfilter_ipv4/ip_tables.h
···
25
25
26
26
extern void ipt_init(void) __init;
27
27
28
+
#if IS_ENABLED(CONFIG_NETFILTER)
28
29
int ipt_register_table(struct net *net, const struct xt_table *table,
29
30
const struct ipt_replace *repl,
30
31
const struct nf_hook_ops *ops, struct xt_table **res);
31
32
void ipt_unregister_table(struct net *net, struct xt_table *table,
32
33
const struct nf_hook_ops *ops);
34
+
#endif
33
35
34
36
/* Standard entry. */
35
37
struct ipt_standard {
···
67
65
}
68
66
69
67
extern void *ipt_alloc_initial_table(const struct xt_table *);
68
+
#if IS_ENABLED(CONFIG_NETFILTER)
70
69
extern unsigned int ipt_do_table(struct sk_buff *skb,
71
70
const struct nf_hook_state *state,
72
71
struct xt_table *table);
72
+
#endif
73
73
74
74
#ifdef CONFIG_COMPAT
75
75
#include <net/compat.h>
+2
include/linux/netfilter_ipv6/ip6_tables.h
+2
include/linux/netfilter_ipv6/ip6_tables.h
···
26
26
extern void ip6t_init(void) __init;
27
27
28
28
extern void *ip6t_alloc_initial_table(const struct xt_table *);
29
+
#if IS_ENABLED(CONFIG_NETFILTER)
29
30
int ip6t_register_table(struct net *net, const struct xt_table *table,
30
31
const struct ip6t_replace *repl,
31
32
const struct nf_hook_ops *ops, struct xt_table **res);
···
35
34
extern unsigned int ip6t_do_table(struct sk_buff *skb,
36
35
const struct nf_hook_state *state,
37
36
struct xt_table *table);
37
+
#endif
38
38
39
39
/* Check for an extension */
40
40
static inline int
+12
include/net/netfilter/br_netfilter.h
+12
include/net/netfilter/br_netfilter.h
···
2
2
#ifndef _BR_NETFILTER_H_
3
3
#define _BR_NETFILTER_H_
4
4
5
+
#include <linux/netfilter.h>
6
+
5
7
#include "../../../net/bridge/br_private.h"
6
8
7
9
static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
8
10
{
11
+
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
9
12
struct nf_bridge_info *b = skb_ext_add(skb, SKB_EXT_BRIDGE_NF);
10
13
11
14
if (b)
12
15
memset(b, 0, sizeof(*b));
13
16
14
17
return b;
18
+
#else
19
+
return NULL;
20
+
#endif
15
21
}
16
22
17
23
void nf_bridge_update_protocol(struct sk_buff *skb);
···
42
36
43
37
static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
44
38
{
39
+
#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
45
40
struct net_bridge_port *port;
46
41
47
42
port = br_port_get_rcu(dev);
48
43
return port ? &port->br->fake_rtable : NULL;
44
+
#else
45
+
return NULL;
46
+
#endif
49
47
}
50
48
51
49
struct net_device *setup_pre_routing(struct sk_buff *skb,
52
50
const struct net *net);
53
51
52
+
#if IS_ENABLED(CONFIG_NETFILTER)
54
53
#if IS_ENABLED(CONFIG_IPV6)
55
54
int br_validate_ipv6(struct net *net, struct sk_buff *skb);
56
55
unsigned int br_nf_pre_routing_ipv6(void *priv,
···
73
62
{
74
63
return NF_ACCEPT;
75
64
}
65
+
#endif
76
66
#endif
77
67
78
68
#endif /* _BR_NETFILTER_H_ */
+3
include/net/netfilter/ipv4/nf_dup_ipv4.h
+3
include/net/netfilter/ipv4/nf_dup_ipv4.h
+3
-1
include/net/netfilter/ipv6/nf_defrag_ipv6.h
+3
-1
include/net/netfilter/ipv6/nf_defrag_ipv6.h
+2
include/net/netfilter/ipv6/nf_dup_ipv6.h
+2
include/net/netfilter/ipv6/nf_dup_ipv6.h
+10
include/net/netfilter/nf_conntrack.h
+10
include/net/netfilter/nf_conntrack.h
···
59
59
#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
60
60
61
61
struct nf_conn {
62
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
62
63
/* Usage count in here is 1 for hash table, 1 per skb,
63
64
* plus 1 for any connection(s) we are `master' for
64
65
*
···
69
68
* beware nf_ct_get() is different and don't inc refcnt.
70
69
*/
71
70
struct nf_conntrack ct_general;
71
+
#endif
72
72
73
73
spinlock_t lock;
74
74
/* jiffies32 when this ct is considered dead */
···
150
148
int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
151
149
const struct nf_conn *ignored_conntrack);
152
150
151
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
152
+
153
153
#define NFCT_INFOMASK 7UL
154
154
#define NFCT_PTRMASK ~(NFCT_INFOMASK)
155
155
···
170
166
WARN_ON(!ct);
171
167
nf_conntrack_put(&ct->ct_general);
172
168
}
169
+
170
+
#endif
173
171
174
172
/* Protocol module loading */
175
173
int nf_ct_l3proto_try_module_get(unsigned short l3proto);
···
324
318
325
319
u32 nf_ct_get_id(const struct nf_conn *ct);
326
320
321
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
322
+
327
323
static inline void
328
324
nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
329
325
{
330
326
skb->_nfct = (unsigned long)ct | info;
331
327
}
328
+
329
+
#endif
332
330
333
331
#define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
334
332
#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
+13
include/net/netfilter/nf_conntrack_acct.h
+13
include/net/netfilter/nf_conntrack_acct.h
···
29
29
static inline
30
30
struct nf_conn_acct *nf_ct_acct_ext_add(struct nf_conn *ct, gfp_t gfp)
31
31
{
32
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
32
33
struct net *net = nf_ct_net(ct);
33
34
struct nf_conn_acct *acct;
34
35
···
42
41
43
42
44
43
return acct;
44
+
#else
45
+
return NULL;
46
+
#endif
45
47
};
46
48
47
49
/* Check if connection tracking accounting is enabled */
48
50
static inline bool nf_ct_acct_enabled(struct net *net)
49
51
{
52
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
50
53
return net->ct.sysctl_acct != 0;
54
+
#else
55
+
return false;
56
+
#endif
51
57
}
52
58
53
59
/* Enable/disable connection tracking accounting */
54
60
static inline void nf_ct_set_acct(struct net *net, bool enable)
55
61
{
62
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
56
63
net->ct.sysctl_acct = enable;
64
+
#endif
57
65
}
58
66
67
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
59
68
void nf_conntrack_acct_pernet_init(struct net *net);
60
69
61
70
int nf_conntrack_acct_init(void);
62
71
void nf_conntrack_acct_fini(void);
72
+
#endif /* IS_ENABLED(CONFIG_NF_CONNTRACK) */
73
+
63
74
#endif /* _NF_CONNTRACK_ACCT_H */
+6
include/net/netfilter/nf_conntrack_bridge.h
+6
include/net/netfilter/nf_conntrack_bridge.h
···
1
1
#ifndef NF_CONNTRACK_BRIDGE_
2
2
#define NF_CONNTRACK_BRIDGE_
3
3
4
+
#include <linux/module.h>
5
+
#include <linux/types.h>
6
+
#include <uapi/linux/if_ether.h>
7
+
4
8
struct nf_ct_bridge_info {
9
+
#if IS_ENABLED(CONFIG_NETFILTER)
5
10
struct nf_hook_ops *ops;
11
+
#endif
6
12
unsigned int ops_size;
7
13
struct module *me;
8
14
};
+3
include/net/netfilter/nf_conntrack_core.h
+3
include/net/netfilter/nf_conntrack_core.h
···
20
20
/* This header is used to share core functionality between the
21
21
standalone connection tracking module, and the compatibility layer's use
22
22
of connection tracking. */
23
+
24
+
#if IS_ENABLED(CONFIG_NETFILTER)
23
25
unsigned int nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state);
26
+
#endif
24
27
25
28
int nf_conntrack_init_net(struct net *net);
26
29
void nf_conntrack_cleanup_net(struct net *net);
+3
include/net/netfilter/nf_conntrack_count.h
+3
include/net/netfilter/nf_conntrack_count.h
+4
include/net/netfilter/nf_conntrack_l4proto.h
+4
include/net/netfilter/nf_conntrack_l4proto.h
···
75
75
bool nf_conntrack_invert_icmpv6_tuple(struct nf_conntrack_tuple *tuple,
76
76
const struct nf_conntrack_tuple *orig);
77
77
78
+
#if IS_ENABLED(CONFIG_NETFILTER)
78
79
int nf_conntrack_inet_error(struct nf_conn *tmpl, struct sk_buff *skb,
79
80
unsigned int dataoff,
80
81
const struct nf_hook_state *state,
···
132
131
unsigned int dataoff,
133
132
enum ip_conntrack_info ctinfo,
134
133
const struct nf_hook_state *state);
134
+
#endif
135
135
136
136
void nf_conntrack_generic_init_net(struct net *net);
137
137
void nf_conntrack_tcp_init_net(struct net *net);
···
178
176
const char *fmt, ...) { }
179
177
#endif /* CONFIG_SYSCTL */
180
178
179
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
181
180
static inline struct nf_generic_net *nf_generic_pernet(struct net *net)
182
181
{
183
182
return &net->ct.nf_ct_proto.generic;
···
203
200
{
204
201
return &net->ct.nf_ct_proto.icmpv6;
205
202
}
203
+
#endif
206
204
207
205
#ifdef CONFIG_NF_CT_PROTO_DCCP
208
206
static inline struct nf_dccp_net *nf_dccp_pernet(struct net *net)
+1
-1
include/net/netfilter/nf_conntrack_synproxy.h
+1
-1
include/net/netfilter/nf_conntrack_synproxy.h
+6
include/net/netfilter/nf_conntrack_timestamp.h
+6
include/net/netfilter/nf_conntrack_timestamp.h
···
40
40
41
41
static inline bool nf_ct_tstamp_enabled(struct net *net)
42
42
{
43
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
43
44
return net->ct.sysctl_tstamp != 0;
45
+
#else
46
+
return false;
47
+
#endif
44
48
}
45
49
46
50
static inline void nf_ct_set_tstamp(struct net *net, bool enable)
47
51
{
52
+
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
48
53
net->ct.sysctl_tstamp = enable;
54
+
#endif
49
55
}
50
56
51
57
#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
+2
include/net/netfilter/nf_conntrack_tuple.h
+2
include/net/netfilter/nf_conntrack_tuple.h
···
121
121
struct nf_conntrack_tuple tuple;
122
122
};
123
123
124
+
#if IS_ENABLED(CONFIG_NETFILTER)
124
125
static inline bool __nf_ct_tuple_src_equal(const struct nf_conntrack_tuple *t1,
125
126
const struct nf_conntrack_tuple *t2)
126
127
{
···
184
183
return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
185
184
__nf_ct_tuple_dst_equal(t, tuple);
186
185
}
186
+
#endif
187
187
188
188
#endif /* _NF_CONNTRACK_TUPLE_H */
+2
include/net/netfilter/nf_dup_netdev.h
+2
include/net/netfilter/nf_dup_netdev.h
+5
include/net/netfilter/nf_flow_table.h
+5
include/net/netfilter/nf_flow_table.h
···
6
6
#include <linux/netdevice.h>
7
7
#include <linux/rhashtable-types.h>
8
8
#include <linux/rcupdate.h>
9
+
#include <linux/netfilter.h>
9
10
#include <linux/netfilter/nf_conntrack_tuple_common.h>
10
11
#include <net/dst.h>
11
12
···
17
16
int family;
18
17
int (*init)(struct nf_flowtable *ft);
19
18
void (*free)(struct nf_flowtable *ft);
19
+
#if IS_ENABLED(CONFIG_NETFILTER)
20
20
nf_hookfn *hook;
21
+
#endif
21
22
struct module *owner;
22
23
};
23
24
···
117
114
__be16 source, dest;
118
115
};
119
116
117
+
#if IS_ENABLED(CONFIG_NETFILTER)
120
118
unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
121
119
const struct nf_hook_state *state);
122
120
unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
123
121
const struct nf_hook_state *state);
122
+
#endif
124
123
125
124
#define MODULE_ALIAS_NF_FLOWTABLE(family) \
126
125
MODULE_ALIAS("nf-flowtable-" __stringify(family))
+4
include/net/netfilter/nf_nat.h
+4
include/net/netfilter/nf_nat.h
···
69
69
#endif
70
70
}
71
71
72
+
#if IS_ENABLED(CONFIG_NETFILTER)
72
73
int nf_nat_register_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
73
74
const struct nf_hook_ops *nat_ops, unsigned int ops_count);
74
75
void nf_nat_unregister_fn(struct net *net, u8 pf, const struct nf_hook_ops *ops,
75
76
unsigned int ops_count);
77
+
#endif
76
78
77
79
unsigned int nf_nat_packet(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
78
80
unsigned int hooknum, struct sk_buff *skb);
···
94
92
enum ip_conntrack_info ctinfo,
95
93
unsigned int hooknum, unsigned int hdrlen);
96
94
95
+
#if IS_ENABLED(CONFIG_NETFILTER)
97
96
int nf_nat_ipv4_register_fn(struct net *net, const struct nf_hook_ops *ops);
98
97
void nf_nat_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
99
98
···
107
104
unsigned int
108
105
nf_nat_inet_fn(void *priv, struct sk_buff *skb,
109
106
const struct nf_hook_state *state);
107
+
#endif
110
108
111
109
int nf_xfrm_me_harder(struct net *n, struct sk_buff *s, unsigned int family);
112
110
+2
-2
include/net/netfilter/nf_nat_helper.h
+2
-2
include/net/netfilter/nf_nat_helper.h
···
3
3
#define _NF_NAT_HELPER_H
4
4
/* NAT protocol helper routines. */
5
5
6
+
#include <linux/skbuff.h>
6
7
#include <net/netfilter/nf_conntrack.h>
7
-
8
-
struct sk_buff;
8
+
#include <net/netfilter/nf_conntrack_expect.h>
9
9
10
10
/* These return true or false. */
11
11
bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb, struct nf_conn *ct,
+3
include/net/netfilter/nf_nat_redirect.h
+3
include/net/netfilter/nf_nat_redirect.h
+7
include/net/netfilter/nf_queue.h
+7
include/net/netfilter/nf_queue.h
···
5
5
#include <linux/ip.h>
6
6
#include <linux/ipv6.h>
7
7
#include <linux/jhash.h>
8
+
#include <linux/netfilter.h>
9
+
#include <linux/skbuff.h>
8
10
9
11
/* Each queued (to userspace) skbuff has one of these. */
10
12
struct nf_queue_entry {
···
15
13
unsigned int id;
16
14
unsigned int hook_index; /* index in hook_entries->hook[] */
17
15
16
+
#if IS_ENABLED(CONFIG_NETFILTER)
18
17
struct nf_hook_state state;
18
+
#endif
19
19
u16 size; /* sizeof(entry) + saved route keys */
20
20
21
21
/* extra space to store route keys */
···
123
119
return queue;
124
120
}
125
121
122
+
#if IS_ENABLED(CONFIG_NETFILTER)
126
123
int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
127
124
unsigned int index, unsigned int verdict);
125
+
#endif
126
+
128
127
#endif /* _NF_QUEUE_H */
+3
include/net/netfilter/nf_reject.h
+3
include/net/netfilter/nf_reject.h
+4
include/net/netfilter/nf_synproxy.h
+4
include/net/netfilter/nf_synproxy.h
···
20
20
const struct tcphdr *th,
21
21
struct synproxy_options *opts, u32 recv_seq);
22
22
23
+
#if IS_ENABLED(CONFIG_NETFILTER)
23
24
unsigned int ipv4_synproxy_hook(void *priv, struct sk_buff *skb,
24
25
const struct nf_hook_state *nhs);
26
+
#endif
25
27
int nf_synproxy_ipv4_init(struct synproxy_net *snet, struct net *net);
26
28
void nf_synproxy_ipv4_fini(struct synproxy_net *snet, struct net *net);
27
29
···
37
35
const struct tcphdr *th,
38
36
struct synproxy_options *opts, u32 recv_seq);
39
37
38
+
#if IS_ENABLED(CONFIG_NETFILTER)
40
39
unsigned int ipv6_synproxy_hook(void *priv, struct sk_buff *skb,
41
40
const struct nf_hook_state *nhs);
41
+
#endif
42
42
int nf_synproxy_ipv6_init(struct synproxy_net *snet, struct net *net);
43
43
void nf_synproxy_ipv6_fini(struct synproxy_net *snet, struct net *net);
44
44
#else
+12
include/net/netfilter/nf_tables.h
+12
include/net/netfilter/nf_tables.h
···
25
25
struct xt_action_param xt;
26
26
};
27
27
28
+
#if IS_ENABLED(CONFIG_NETFILTER)
28
29
static inline struct net *nft_net(const struct nft_pktinfo *pkt)
29
30
{
30
31
return pkt->xt.state->net;
···
58
57
pkt->skb = skb;
59
58
pkt->xt.state = state;
60
59
}
60
+
#endif
61
61
62
62
static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
63
63
struct sk_buff *skb)
···
929
927
int family;
930
928
struct module *owner;
931
929
unsigned int hook_mask;
930
+
#if IS_ENABLED(CONFIG_NETFILTER)
932
931
nf_hookfn *hooks[NF_MAX_HOOKS];
933
932
int (*ops_register)(struct net *net, const struct nf_hook_ops *ops);
934
933
void (*ops_unregister)(struct net *net, const struct nf_hook_ops *ops);
934
+
#endif
935
935
};
936
936
937
937
int nft_chain_validate_dependency(const struct nft_chain *chain,
···
959
955
* @flow_block: flow block (for hardware offload)
960
956
*/
961
957
struct nft_base_chain {
958
+
#if IS_ENABLED(CONFIG_NETFILTER)
962
959
struct nf_hook_ops ops;
960
+
#endif
963
961
const struct nft_chain_type *type;
964
962
u8 policy;
965
963
u8 flags;
···
1158
1152
use:30;
1159
1153
u64 handle;
1160
1154
/* runtime data below here */
1155
+
#if IS_ENABLED(CONFIG_NETFILTER)
1161
1156
struct nf_hook_ops *ops ____cacheline_aligned;
1157
+
#endif
1162
1158
struct nf_flowtable data;
1163
1159
};
1164
1160
···
1214
1206
1215
1207
#define MODULE_ALIAS_NFT_OBJ(type) \
1216
1208
MODULE_ALIAS("nft-obj-" __stringify(type))
1209
+
1210
+
#if IS_ENABLED(CONFIG_NF_TABLES)
1217
1211
1218
1212
/*
1219
1213
* The gencursor defines two generations, the currently active and the
···
1289
1279
{
1290
1280
ext->genmask ^= nft_genmask_next(net);
1291
1281
}
1282
+
1283
+
#endif /* IS_ENABLED(CONFIG_NF_TABLES) */
1292
1284
1293
1285
/*
1294
1286
* We use a free bit in the genmask field to indicate the element
+1
include/net/netfilter/nf_tables_ipv6.h
+1
include/net/netfilter/nf_tables_ipv6.h
+1
include/net/netfilter/nf_tables_offload.h
+1
include/net/netfilter/nf_tables_offload.h
+2
include/net/netfilter/nft_fib.h
+2
include/net/netfilter/nft_fib.h
+2
include/net/netfilter/nft_meta.h
+2
include/net/netfilter/nft_meta.h
+5
include/net/netfilter/nft_reject.h
+5
include/net/netfilter/nft_reject.h
+1
include/uapi/linux/netfilter/xt_policy.h
+1
include/uapi/linux/netfilter/xt_policy.h
+2
-2
net/ipv4/netfilter/ipt_SYNPROXY.c
+2
-2
net/ipv4/netfilter/ipt_SYNPROXY.c
···
36
36
opts.options |= XT_SYNPROXY_OPT_ECN;
37
37
38
38
opts.options &= info->options;
39
-
opts.mss_encode = opts.mss;
40
-
opts.mss = info->mss;
39
+
opts.mss_encode = opts.mss_option;
40
+
opts.mss_option = info->mss;
41
41
if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
42
42
synproxy_init_timestamp_cookie(info, &opts);
43
43
else
+2
-2
net/ipv6/netfilter/ip6t_SYNPROXY.c
+2
-2
net/ipv6/netfilter/ip6t_SYNPROXY.c
···
36
36
opts.options |= XT_SYNPROXY_OPT_ECN;
37
37
38
38
opts.options &= info->options;
39
-
opts.mss_encode = opts.mss;
40
-
opts.mss = info->mss;
39
+
opts.mss_encode = opts.mss_option;
40
+
opts.mss_option = info->mss;
41
41
if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
42
42
synproxy_init_timestamp_cookie(info, &opts);
43
43
else
+2
-2
net/netfilter/ipset/ip_set_hash_gen.h
+2
-2
net/netfilter/ipset/ip_set_hash_gen.h
···
7
7
#include <linux/rcupdate.h>
8
8
#include <linux/jhash.h>
9
9
#include <linux/types.h>
10
-
#include <linux/netfilter/ipset/ip_set_timeout.h>
10
+
#include <linux/netfilter/ipset/ip_set.h>
11
11
12
12
#define __ipset_dereference_protected(p, c) rcu_dereference_protected(p, c)
13
13
#define ipset_dereference_protected(p, set) \
···
953
953
mtype_data_netmask(d, NCIDR_GET(h->nets[j].cidr[0]));
954
954
#endif
955
955
key = HKEY(d, h->initval, t->htable_bits);
956
-
n = rcu_dereference_bh(hbucket(t, key));
956
+
n = rcu_dereference_bh(hbucket(t, key));
957
957
if (!n)
958
958
continue;
959
959
for (i = 0; i < n->pos; i++) {
+1
-1
net/netfilter/ipset/ip_set_list_set.c
+1
-1
net/netfilter/ipset/ip_set_list_set.c
+1
-1
net/netfilter/ipvs/ip_vs_core.c
+1
-1
net/netfilter/ipvs/ip_vs_core.c
···
617
617
unsigned int flags = (svc->flags & IP_VS_SVC_F_ONEPACKET &&
618
618
iph->protocol == IPPROTO_UDP) ?
619
619
IP_VS_CONN_F_ONE_PACKET : 0;
620
-
union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
620
+
union nf_inet_addr daddr = { .all = { 0, 0, 0, 0 } };
621
621
622
622
/* create a new connection entry */
623
623
IP_VS_DBG(6, "%s(): create a cache_bypass entry\n", __func__);
+35
-34
net/netfilter/ipvs/ip_vs_ctl.c
+35
-34
net/netfilter/ipvs/ip_vs_ctl.c
···
1737
1737
int val = *valp;
1738
1738
int rc;
1739
1739
1740
-
rc = proc_dointvec(table, write, buffer, lenp, ppos);
1740
+
struct ctl_table tmp = {
1741
+
.data = &val,
1742
+
.maxlen = sizeof(int),
1743
+
.mode = table->mode,
1744
+
};
1745
+
1746
+
rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
1741
1747
if (write && (*valp != val)) {
1742
-
if ((*valp < 0) || (*valp > 3)) {
1743
-
/* Restore the correct value */
1744
-
*valp = val;
1748
+
if (val < 0 || val > 3) {
1749
+
rc = -EINVAL;
1745
1750
} else {
1751
+
*valp = val;
1746
1752
update_defense_level(ipvs);
1747
1753
}
1748
1754
}
···
1762
1756
int *valp = table->data;
1763
1757
int val[2];
1764
1758
int rc;
1759
+
struct ctl_table tmp = {
1760
+
.data = &val,
1761
+
.maxlen = table->maxlen,
1762
+
.mode = table->mode,
1763
+
};
1765
1764
1766
-
/* backup the value first */
1767
1765
memcpy(val, valp, sizeof(val));
1768
-
1769
-
rc = proc_dointvec(table, write, buffer, lenp, ppos);
1770
-
if (write && (valp[0] < 0 || valp[1] < 0 ||
1771
-
(valp[0] >= valp[1] && valp[1]))) {
1772
-
/* Restore the correct value */
1773
-
memcpy(valp, val, sizeof(val));
1774
-
}
1775
-
return rc;
1776
-
}
1777
-
1778
-
static int
1779
-
proc_do_sync_mode(struct ctl_table *table, int write,
1780
-
void __user *buffer, size_t *lenp, loff_t *ppos)
1781
-
{
1782
-
int *valp = table->data;
1783
-
int val = *valp;
1784
-
int rc;
1785
-
1786
-
rc = proc_dointvec(table, write, buffer, lenp, ppos);
1787
-
if (write && (*valp != val)) {
1788
-
if ((*valp < 0) || (*valp > 1)) {
1789
-
/* Restore the correct value */
1790
-
*valp = val;
1791
-
}
1766
+
rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
1767
+
if (write) {
1768
+
if (val[0] < 0 || val[1] < 0 ||
1769
+
(val[0] >= val[1] && val[1]))
1770
+
rc = -EINVAL;
1771
+
else
1772
+
memcpy(valp, val, sizeof(val));
1792
1773
}
1793
1774
return rc;
1794
1775
}
···
1788
1795
int val = *valp;
1789
1796
int rc;
1790
1797
1791
-
rc = proc_dointvec(table, write, buffer, lenp, ppos);
1798
+
struct ctl_table tmp = {
1799
+
.data = &val,
1800
+
.maxlen = sizeof(int),
1801
+
.mode = table->mode,
1802
+
};
1803
+
1804
+
rc = proc_dointvec(&tmp, write, buffer, lenp, ppos);
1792
1805
if (write && (*valp != val)) {
1793
-
if (*valp < 1 || !is_power_of_2(*valp)) {
1794
-
/* Restore the correct value */
1806
+
if (val < 1 || !is_power_of_2(val))
1807
+
rc = -EINVAL;
1808
+
else
1795
1809
*valp = val;
1796
-
}
1797
1810
}
1798
1811
return rc;
1799
1812
}
···
1859
1860
.procname = "sync_version",
1860
1861
.maxlen = sizeof(int),
1861
1862
.mode = 0644,
1862
-
.proc_handler = proc_do_sync_mode,
1863
+
.proc_handler = proc_dointvec_minmax,
1864
+
.extra1 = SYSCTL_ZERO,
1865
+
.extra2 = SYSCTL_ONE,
1863
1866
},
1864
1867
{
1865
1868
.procname = "sync_ports",
+2
-2
net/netfilter/ipvs/ip_vs_mh.c
+2
-2
net/netfilter/ipvs/ip_vs_mh.c
+1
-1
net/netfilter/ipvs/ip_vs_proto_tcp.c
+1
-1
net/netfilter/ipvs/ip_vs_proto_tcp.c
+1
-1
net/netfilter/nf_conntrack_ftp.c
+1
-1
net/netfilter/nf_conntrack_ftp.c
···
162
162
if (length == 0)
163
163
return 0;
164
164
165
-
cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) |
165
+
cmd->u3.ip = htonl((array[0] << 24) | (array[1] << 16) |
166
166
(array[2] << 8) | array[3]);
167
167
cmd->u.tcp.port = htons((array[4] << 8) | array[5]);
168
168
return length;
+1
-2
net/netfilter/nf_conntrack_labels.c
+1
-2
net/netfilter/nf_conntrack_labels.c
···
11
11
#include <net/netfilter/nf_conntrack_ecache.h>
12
12
#include <net/netfilter/nf_conntrack_labels.h>
13
13
14
-
static spinlock_t nf_connlabels_lock;
14
+
static __read_mostly DEFINE_SPINLOCK(nf_connlabels_lock);
15
15
16
16
static int replace_u32(u32 *address, u32 mask, u32 new)
17
17
{
···
89
89
{
90
90
BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE / sizeof(long) >= U8_MAX);
91
91
92
-
spin_lock_init(&nf_connlabels_lock);
93
92
return nf_ct_extend_register(&labels_extend);
94
93
}
95
94
+1
-1
net/netfilter/nf_conntrack_proto_tcp.c
+1
-1
net/netfilter/nf_conntrack_proto_tcp.c
···
1227
1227
[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
1228
1228
[CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 },
1229
1229
[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) },
1230
-
[CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
1230
+
[CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
1231
1231
};
1232
1232
1233
1233
#define TCP_NLATTR_SIZE ( \
+16
-18
net/netfilter/nf_conntrack_standalone.c
+16
-18
net/netfilter/nf_conntrack_standalone.c
···
511
511
/* Log invalid packets of a given protocol */
512
512
static int log_invalid_proto_min __read_mostly;
513
513
static int log_invalid_proto_max __read_mostly = 255;
514
-
static int zero;
515
-
static int one = 1;
516
514
517
515
/* size the user *wants to set */
518
516
static unsigned int nf_conntrack_htable_size_user __read_mostly;
···
627
629
.maxlen = sizeof(int),
628
630
.mode = 0644,
629
631
.proc_handler = proc_dointvec_minmax,
630
-
.extra1 = &zero,
631
-
.extra2 = &one,
632
+
.extra1 = SYSCTL_ZERO,
633
+
.extra2 = SYSCTL_ONE,
632
634
},
633
635
[NF_SYSCTL_CT_LOG_INVALID] = {
634
636
.procname = "nf_conntrack_log_invalid",
···
652
654
.maxlen = sizeof(int),
653
655
.mode = 0644,
654
656
.proc_handler = proc_dointvec_minmax,
655
-
.extra1 = &zero,
656
-
.extra2 = &one,
657
+
.extra1 = SYSCTL_ZERO,
658
+
.extra2 = SYSCTL_ONE,
657
659
},
658
660
[NF_SYSCTL_CT_HELPER] = {
659
661
.procname = "nf_conntrack_helper",
···
661
663
.maxlen = sizeof(int),
662
664
.mode = 0644,
663
665
.proc_handler = proc_dointvec_minmax,
664
-
.extra1 = &zero,
665
-
.extra2 = &one,
666
+
.extra1 = SYSCTL_ZERO,
667
+
.extra2 = SYSCTL_ONE,
666
668
},
667
669
#ifdef CONFIG_NF_CONNTRACK_EVENTS
668
670
[NF_SYSCTL_CT_EVENTS] = {
···
671
673
.maxlen = sizeof(int),
672
674
.mode = 0644,
673
675
.proc_handler = proc_dointvec_minmax,
674
-
.extra1 = &zero,
675
-
.extra2 = &one,
676
+
.extra1 = SYSCTL_ZERO,
677
+
.extra2 = SYSCTL_ONE,
676
678
},
677
679
#endif
678
680
#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
···
682
684
.maxlen = sizeof(int),
683
685
.mode = 0644,
684
686
.proc_handler = proc_dointvec_minmax,
685
-
.extra1 = &zero,
686
-
.extra2 = &one,
687
+
.extra1 = SYSCTL_ZERO,
688
+
.extra2 = SYSCTL_ONE,
687
689
},
688
690
#endif
689
691
[NF_SYSCTL_CT_PROTO_TIMEOUT_GENERIC] = {
···
757
759
.maxlen = sizeof(int),
758
760
.mode = 0644,
759
761
.proc_handler = proc_dointvec_minmax,
760
-
.extra1 = &zero,
761
-
.extra2 = &one,
762
+
.extra1 = SYSCTL_ZERO,
763
+
.extra2 = SYSCTL_ONE,
762
764
},
763
765
[NF_SYSCTL_CT_PROTO_TCP_LIBERAL] = {
764
766
.procname = "nf_conntrack_tcp_be_liberal",
765
767
.maxlen = sizeof(int),
766
768
.mode = 0644,
767
769
.proc_handler = proc_dointvec_minmax,
768
-
.extra1 = &zero,
769
-
.extra2 = &one,
770
+
.extra1 = SYSCTL_ZERO,
771
+
.extra2 = SYSCTL_ONE,
770
772
},
771
773
[NF_SYSCTL_CT_PROTO_TCP_MAX_RETRANS] = {
772
774
.procname = "nf_conntrack_tcp_max_retrans",
···
902
904
.maxlen = sizeof(int),
903
905
.mode = 0644,
904
906
.proc_handler = proc_dointvec_minmax,
905
-
.extra1 = &zero,
906
-
.extra2 = &one,
907
+
.extra1 = SYSCTL_ZERO,
908
+
.extra2 = SYSCTL_ONE,
907
909
},
908
910
#endif
909
911
#ifdef CONFIG_NF_CT_PROTO_GRE
+2
-2
net/netfilter/nf_nat_proto.c
+2
-2
net/netfilter/nf_nat_proto.c
···
722
722
return ret;
723
723
}
724
724
725
-
const struct nf_hook_ops nf_nat_ipv4_ops[] = {
725
+
static const struct nf_hook_ops nf_nat_ipv4_ops[] = {
726
726
/* Before packet filtering, change destination */
727
727
{
728
728
.hook = nf_nat_ipv4_in,
···
961
961
return ret;
962
962
}
963
963
964
-
const struct nf_hook_ops nf_nat_ipv6_ops[] = {
964
+
static const struct nf_hook_ops nf_nat_ipv6_ops[] = {
965
965
/* Before packet filtering, change destination */
966
966
{
967
967
.hook = nf_nat_ipv6_in,
+4
-4
net/netfilter/nf_synproxy_core.c
+4
-4
net/netfilter/nf_synproxy_core.c
···
56
56
switch (opcode) {
57
57
case TCPOPT_MSS:
58
58
if (opsize == TCPOLEN_MSS) {
59
-
opts->mss = get_unaligned_be16(ptr);
59
+
opts->mss_option = get_unaligned_be16(ptr);
60
60
opts->options |= NF_SYNPROXY_OPT_MSS;
61
61
}
62
62
break;
···
115
115
if (options & NF_SYNPROXY_OPT_MSS)
116
116
*ptr++ = htonl((TCPOPT_MSS << 24) |
117
117
(TCPOLEN_MSS << 16) |
118
-
opts->mss);
118
+
opts->mss_option);
119
119
120
120
if (options & NF_SYNPROXY_OPT_TIMESTAMP) {
121
121
if (options & NF_SYNPROXY_OPT_SACK_PERM)
···
642
642
}
643
643
644
644
this_cpu_inc(snet->stats->cookie_valid);
645
-
opts->mss = mss;
645
+
opts->mss_option = mss;
646
646
opts->options |= NF_SYNPROXY_OPT_MSS;
647
647
648
648
if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)
···
1060
1060
}
1061
1061
1062
1062
this_cpu_inc(snet->stats->cookie_valid);
1063
-
opts->mss = mss;
1063
+
opts->mss_option = mss;
1064
1064
opts->options |= NF_SYNPROXY_OPT_MSS;
1065
1065
1066
1066
if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)
+2
-2
net/netfilter/nfnetlink_log.c
+2
-2
net/netfilter/nfnetlink_log.c
···
651
651
/* FIXME: do we want to make the size calculation conditional based on
652
652
* what is actually present? way more branches and checks, but more
653
653
* memory efficient... */
654
-
size = nlmsg_total_size(sizeof(struct nfgenmsg))
654
+
size = nlmsg_total_size(sizeof(struct nfgenmsg))
655
655
+ nla_total_size(sizeof(struct nfulnl_msg_packet_hdr))
656
656
+ nla_total_size(sizeof(u_int32_t)) /* ifindex */
657
657
+ nla_total_size(sizeof(u_int32_t)) /* ifindex */
···
668
668
+ nla_total_size(sizeof(struct nfgenmsg)); /* NLMSG_DONE */
669
669
670
670
if (in && skb_mac_header_was_set(skb)) {
671
-
size += nla_total_size(skb->dev->hard_header_len)
671
+
size += nla_total_size(skb->dev->hard_header_len)
672
672
+ nla_total_size(sizeof(u_int16_t)) /* hwtype */
673
673
+ nla_total_size(sizeof(u_int16_t)); /* hwlen */
674
674
}
+2
-2
net/netfilter/nfnetlink_queue.c
+2
-2
net/netfilter/nfnetlink_queue.c
···
394
394
char *secdata = NULL;
395
395
u32 seclen = 0;
396
396
397
-
size = nlmsg_total_size(sizeof(struct nfgenmsg))
397
+
size = nlmsg_total_size(sizeof(struct nfgenmsg))
398
398
+ nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
399
399
+ nla_total_size(sizeof(u_int32_t)) /* ifindex */
400
400
+ nla_total_size(sizeof(u_int32_t)) /* ifindex */
···
453
453
}
454
454
455
455
if (queue->flags & NFQA_CFG_F_UID_GID) {
456
-
size += (nla_total_size(sizeof(u_int32_t)) /* uid */
456
+
size += (nla_total_size(sizeof(u_int32_t)) /* uid */
457
457
+ nla_total_size(sizeof(u_int32_t))); /* gid */
458
458
}
459
459
+19
net/netfilter/nft_bitwise.c
+19
net/netfilter/nft_bitwise.c
···
13
13
#include <linux/netfilter/nf_tables.h>
14
14
#include <net/netfilter/nf_tables_core.h>
15
15
#include <net/netfilter/nf_tables.h>
16
+
#include <net/netfilter/nf_tables_offload.h>
16
17
17
18
struct nft_bitwise {
18
19
enum nft_registers sreg:8;
···
127
126
return -1;
128
127
}
129
128
129
+
static struct nft_data zero;
130
+
131
+
static int nft_bitwise_offload(struct nft_offload_ctx *ctx,
132
+
struct nft_flow_rule *flow,
133
+
const struct nft_expr *expr)
134
+
{
135
+
const struct nft_bitwise *priv = nft_expr_priv(expr);
136
+
137
+
if (memcmp(&priv->xor, &zero, sizeof(priv->xor) ||
138
+
priv->sreg != priv->dreg))
139
+
return -EOPNOTSUPP;
140
+
141
+
memcpy(&ctx->regs[priv->dreg].mask, &priv->mask, sizeof(priv->mask));
142
+
143
+
return 0;
144
+
}
145
+
130
146
static const struct nft_expr_ops nft_bitwise_ops = {
131
147
.type = &nft_bitwise_type,
132
148
.size = NFT_EXPR_SIZE(sizeof(struct nft_bitwise)),
133
149
.eval = nft_bitwise_eval,
134
150
.init = nft_bitwise_init,
135
151
.dump = nft_bitwise_dump,
152
+
.offload = nft_bitwise_offload,
136
153
};
137
154
138
155
struct nft_expr_type nft_bitwise_type __read_mostly = {
+17
-7
net/netfilter/nft_immediate.c
+17
-7
net/netfilter/nft_immediate.c
···
125
125
return 0;
126
126
}
127
127
128
-
static int nft_immediate_offload(struct nft_offload_ctx *ctx,
129
-
struct nft_flow_rule *flow,
130
-
const struct nft_expr *expr)
128
+
static int nft_immediate_offload_verdict(struct nft_offload_ctx *ctx,
129
+
struct nft_flow_rule *flow,
130
+
const struct nft_immediate_expr *priv)
131
131
{
132
-
const struct nft_immediate_expr *priv = nft_expr_priv(expr);
133
132
struct flow_action_entry *entry;
134
133
const struct nft_data *data;
135
-
136
-
if (priv->dreg != NFT_REG_VERDICT)
137
-
return -EOPNOTSUPP;
138
134
139
135
entry = &flow->rule->action.entries[ctx->num_actions++];
140
136
···
145
149
default:
146
150
return -EOPNOTSUPP;
147
151
}
152
+
153
+
return 0;
154
+
}
155
+
156
+
static int nft_immediate_offload(struct nft_offload_ctx *ctx,
157
+
struct nft_flow_rule *flow,
158
+
const struct nft_expr *expr)
159
+
{
160
+
const struct nft_immediate_expr *priv = nft_expr_priv(expr);
161
+
162
+
if (priv->dreg == NFT_REG_VERDICT)
163
+
return nft_immediate_offload_verdict(ctx, flow, priv);
164
+
165
+
memcpy(&ctx->regs[priv->dreg].data, &priv->data, sizeof(priv->data));
148
166
149
167
return 0;
150
168
}
+1
-1
net/netfilter/nft_set_bitmap.c
+1
-1
net/netfilter/nft_set_bitmap.c
+1
-1
net/netfilter/nft_set_hash.c
+1
-1
net/netfilter/nft_set_hash.c
···
16
16
#include <linux/rhashtable.h>
17
17
#include <linux/netfilter.h>
18
18
#include <linux/netfilter/nf_tables.h>
19
-
#include <net/netfilter/nf_tables.h>
19
+
#include <net/netfilter/nf_tables_core.h>
20
20
21
21
/* We target a hash table size of 4, element hint is 75% of final size */
22
22
#define NFT_RHASH_ELEMENT_HINT 3
+1
-1
net/netfilter/nft_set_rbtree.c
+1
-1
net/netfilter/nft_set_rbtree.c
+2
-2
net/netfilter/nft_synproxy.c
+2
-2
net/netfilter/nft_synproxy.c
···
31
31
opts->options |= NF_SYNPROXY_OPT_ECN;
32
32
33
33
opts->options &= priv->info.options;
34
-
opts->mss_encode = opts->mss;
35
-
opts->mss = info->mss;
34
+
opts->mss_encode = opts->mss_option;
35
+
opts->mss_option = info->mss;
36
36
if (opts->options & NF_SYNPROXY_OPT_TIMESTAMP)
37
37
synproxy_init_timestamp_cookie(info, opts);
38
38
else
+1
-1
net/netfilter/xt_IDLETIMER.c
+1
-1
net/netfilter/xt_IDLETIMER.c