
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Add NFT_CHAIN_POLICY_UNSET to replace hardcoded -1 to
specify that the chain policy is unset. The chain policy
field is actually defined as an 8-bit unsigned integer.

2) Remove always true condition reported by smatch in
chain policy check.

3) Fix element lookup on dynamic sets, from Florian Westphal.

4) Use __u8 in ebtables uapi header, from Masahiro Yamada.

5) Bogus EBUSY when removing flowtable after chain flush,
from Laura Garcia Liebana.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

+51 -11
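--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -889,6 +889,8 @@
 NFT_CHAIN_HW_OFFLOAD = 0x2,
 };
 
+#define NFT_CHAIN_POLICY_UNSET U8_MAX
+
 /**
 * struct nft_chain - nf_tables chain
 *
@@ -1182,6 +1180,10 @@
 struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
 const struct nlattr *nla,
 u8 genmask);
+
+void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
+struct nft_flowtable *flowtable,
+enum nft_trans_phase phase);
 
 void nft_register_flowtable_type(struct nf_flowtable_type *type);
 void nft_unregister_flowtable_type(struct nf_flowtable_type *type);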
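Review bot: The new `NFT_CHAIN_POLICY_UNSET` macro at new line 892 carries no comment, so a reader has to reconstruct from the commit message why the sentinel is `U8_MAX` rather than the `-1` it replaces. Suggest `/* The chain policy is stored in a u8, so -1 cannot mark "unset"; U8_MAX is not a valid NF_* verdict. */` directly above the define. The `nf_tables_deactivate_flowtable()` prototype in the second hunk would likewise benefit from a one-line comment naming which transaction phases drop the flowtable use count, since that is the only contract callers can rely on.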
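--- a/include/uapi/linux/netfilter_bridge/ebtables.h
+++ b/include/uapi/linux/netfilter_bridge/ebtables.h
@@ -123,7 +123,7 @@
 union {
 struct {
 char name[EBT_EXTENSION_MAXNAMELEN];
-uint8_t revision;
+__u8 revision;
 };
 struct xt_match *match;
 } u;
@@ -136,7 +136,7 @@
 union {
 struct {
 char name[EBT_EXTENSION_MAXNAMELEN];
-uint8_t revision;
+__u8 revision;
 };
 struct xt_target *watcher;
 } u;
@@ -149,7 +149,7 @@
 union {
 struct {
 char name[EBT_EXTENSION_MAXNAMELEN];
-uint8_t revision;
+__u8 revision;
 };
 struct xt_target *target;
 } u;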
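--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1715,7 +1715,7 @@
 goto err2;
 }
 
-nft_trans_chain_policy(trans) = -1;
+nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
 if (nft_is_base_chain(chain))
 nft_trans_chain_policy(trans) = policy;
 
@@ -3562,8 +3562,11 @@
 NFT_SET_OBJECT))
 return -EINVAL;
 /* Only one of these operations is supported */
-if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
-(NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
+if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
+(NFT_SET_MAP | NFT_SET_OBJECT))
+return -EOPNOTSUPP;
+if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
+(NFT_SET_EVAL | NFT_SET_OBJECT))
 return -EOPNOTSUPP;
 }
 
@@ -5597,6 +5594,22 @@
 return ERR_PTR(-ENOENT);
 }
 EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
+
+void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
+struct nft_flowtable *flowtable,
+enum nft_trans_phase phase)
+{
+switch (phase) {
+case NFT_TRANS_PREPARE:
+case NFT_TRANS_ABORT:
+case NFT_TRANS_RELEASE:
+flowtable->use--;
+/* fall through */
+default:
+return;
+}
+}
+EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
 
 static struct nft_flowtable *
 nft_flowtable_lookup_byhandle(const struct nft_table *table,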
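Review bot: The retained comment `/* Only one of these operations is supported */` above the split checks at new lines 3565–3570 no longer describes them: NFT_SET_MAP and NFT_SET_EVAL may now be combined, and only NFT_SET_OBJECT is exclusive with either. Suggest replacing it with `/* NFT_SET_OBJECT cannot be combined with NFT_SET_MAP or NFT_SET_EVAL */` so the next reader does not re-add the old three-way check. In the third hunk, `nf_tables_deactivate_flowtable()` leaves `ctx` unused and its `/* fall through */` lands on a `default:` that only returns, so a plain `break;` after `flowtable->use--;` would read more directly than the annotated fall-through.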
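--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -313,7 +313,7 @@
 policy = ppolicy ? *ppolicy : basechain->policy;
 
 /* Only default policy to accept is supported for now. */
-if (cmd == FLOW_BLOCK_BIND && policy != -1 && policy != NF_ACCEPT)
+if (cmd == FLOW_BLOCK_BIND && policy == NF_DROP)
 return -EOPNOTSUPP;
 
 if (dev->netdev_ops->ndo_setup_tc)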
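Review bot: The comment `/* Only default policy to accept is supported for now. */` at line 315 no longer matches the check below it, which now rejects only an explicit NF_DROP and lets an unset policy (NFT_CHAIN_POLICY_UNSET) or any other value through. Suggest `/* Offload only an unset or accept policy for now; an explicit drop is rejected. */` so the comment states the actual contract. The old `policy != -1` test could never be true for a u8 policy, which is presumably the smatch report the series mentions, but the replacement silently widened what is accepted and that is worth recording in the comment.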
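--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -177,6 +177,23 @@
 return nf_ct_netns_get(ctx->net, ctx->family);
 }
 
+static void nft_flow_offload_deactivate(const struct nft_ctx *ctx,
+const struct nft_expr *expr,
+enum nft_trans_phase phase)
+{
+struct nft_flow_offload *priv = nft_expr_priv(expr);
+
+nf_tables_deactivate_flowtable(ctx, priv->flowtable, phase);
+}
+
+static void nft_flow_offload_activate(const struct nft_ctx *ctx,
+const struct nft_expr *expr)
+{
+struct nft_flow_offload *priv = nft_expr_priv(expr);
+
+priv->flowtable->use++;
+}
+
 static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
 const struct nft_expr *expr)
 {
@@ -222,6 +205,8 @@
 .size = NFT_EXPR_SIZE(sizeof(struct nft_flow_offload)),
 .eval = nft_flow_offload_eval,
 .init = nft_flow_offload_init,
+.activate = nft_flow_offload_activate,
+.deactivate = nft_flow_offload_deactivate,
 .destroy = nft_flow_offload_destroy,
 .validate = nft_flow_offload_validate,
 .dump = nft_flow_offload_dump,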
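Review bot: The new `.deactivate` callback already drops `priv->flowtable->use` in the PREPARE phase (via `nf_tables_deactivate_flowtable()`), yet `nft_flow_offload_destroy()` is left untouched and only its opening brace is inside the hunk; if its body still performs its own `priv->flowtable->use--`, a committed rule deletion now decrements the counter twice (once at prepare, once at destroy) and `use` can underflow, which would let a flowtable that is still referenced be deleted. This is inferred from the unchanged context, so please confirm against the destroy body; if it does decrement, the fix is to remove that line so the activate/deactivate pair is the sole owner of the reference count, and to note that ownership in a comment above `nft_flow_offload_activate()`, e.g. `/* flowtable->use is taken by init/activate and released by deactivate only */`.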
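--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -73,9 +73,6 @@
 if (IS_ERR(set))
 return PTR_ERR(set);
 
-if (set->flags & NFT_SET_EVAL)
-return -EOPNOTSUPP;
-
 priv->sreg = nft_parse_register(tb[NFTA_LOOKUP_SREG]);
 err = nft_validate_register_load(priv->sreg, set->klen);
 if (err < 0)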
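--- a/usr/include/Makefile
+++ b/usr/include/Makefile
@@ -38,7 +38,6 @@
 header-test- += linux/jffs2.h
 header-test- += linux/kexec.h
 header-test- += linux/matroxfb.h
-header-test- += linux/netfilter_bridge/ebtables.h
 header-test- += linux/netfilter_ipv4/ipt_LOG.h
 header-test- += linux/netfilter_ipv6/ip6t_LOG.h
 header-test- += linux/nfc.h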