Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Add NFT_CHAIN_POLICY_UNSET to replace hardcoded -1 to specify that the chain policy is unset. The chain policy field is actually defined as an 8-bit unsigned integer. 2) Remove always true condition reported by smatch in chain policy check. 3) Fix element lookup on dynamic sets, from Florian Westphal. 4) Use __u8 in ebtables uapi header, from Masahiro Yamada. 5) Bogus EBUSY when removing flowtable after chain flush, from Laura Garcia Liebana. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
c5f095baa8
|
@ -889,6 +889,8 @@ enum nft_chain_flags {
|
|||
NFT_CHAIN_HW_OFFLOAD = 0x2,
|
||||
};
|
||||
|
||||
#define NFT_CHAIN_POLICY_UNSET U8_MAX
|
||||
|
||||
/**
|
||||
* struct nft_chain - nf_tables chain
|
||||
*
|
||||
|
@ -1181,6 +1183,10 @@ struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
|
|||
const struct nlattr *nla,
|
||||
u8 genmask);
|
||||
|
||||
void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
|
||||
struct nft_flowtable *flowtable,
|
||||
enum nft_trans_phase phase);
|
||||
|
||||
void nft_register_flowtable_type(struct nf_flowtable_type *type);
|
||||
void nft_unregister_flowtable_type(struct nf_flowtable_type *type);
|
||||
|
||||
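Review bot: `#define NFT_CHAIN_POLICY_UNSET U8_MAX` in the first hunk reuses an in-range u8 value as the "no policy" sentinel without saying so; a one-line comment would stop a later reader from treating 255 as a legal policy, e.g. `/* chain policy is u8, so -1 cannot mark "unset"; 255 lies outside the NF_* verdicts accepted for base chain policies */`. This is only safe if every path that stores a userspace-supplied policy validates it against the accepted verdicts before it is compared with this sentinel, which this page does not show — worth confirming in the chain-policy parsing code. The second hunk adds the `nf_tables_deactivate_flowtable` prototype without kernel-doc; a short `@phase` description stating which transaction phases drop the flowtable reference would help callers.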
|
|
|
@ -123,7 +123,7 @@ struct ebt_entry_match {
|
|||
union {
|
||||
struct {
|
||||
char name[EBT_EXTENSION_MAXNAMELEN];
|
||||
uint8_t revision;
|
||||
__u8 revision;
|
||||
};
|
||||
struct xt_match *match;
|
||||
} u;
|
||||
|
@ -136,7 +136,7 @@ struct ebt_entry_watcher {
|
|||
union {
|
||||
struct {
|
||||
char name[EBT_EXTENSION_MAXNAMELEN];
|
||||
uint8_t revision;
|
||||
__u8 revision;
|
||||
};
|
||||
struct xt_target *watcher;
|
||||
} u;
|
||||
|
@ -149,7 +149,7 @@ struct ebt_entry_target {
|
|||
union {
|
||||
struct {
|
||||
char name[EBT_EXTENSION_MAXNAMELEN];
|
||||
uint8_t revision;
|
||||
__u8 revision;
|
||||
};
|
||||
struct xt_target *target;
|
||||
} u;
|
||||
|
|
|
@ -1715,7 +1715,7 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
|
|||
goto err2;
|
||||
}
|
||||
|
||||
nft_trans_chain_policy(trans) = -1;
|
||||
nft_trans_chain_policy(trans) = NFT_CHAIN_POLICY_UNSET;
|
||||
if (nft_is_base_chain(chain))
|
||||
nft_trans_chain_policy(trans) = policy;
|
||||
|
||||
|
@ -3562,8 +3562,11 @@ static int nf_tables_newset(struct net *net, struct sock *nlsk,
|
|||
NFT_SET_OBJECT))
|
||||
return -EINVAL;
|
||||
/* Only one of these operations is supported */
|
||||
if ((flags & (NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT)) ==
|
||||
(NFT_SET_MAP | NFT_SET_EVAL | NFT_SET_OBJECT))
|
||||
if ((flags & (NFT_SET_MAP | NFT_SET_OBJECT)) ==
|
||||
(NFT_SET_MAP | NFT_SET_OBJECT))
|
||||
return -EOPNOTSUPP;
|
||||
if ((flags & (NFT_SET_EVAL | NFT_SET_OBJECT)) ==
|
||||
(NFT_SET_EVAL | NFT_SET_OBJECT))
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
|
@ -5595,6 +5598,22 @@ struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
|
|||
}
|
||||
EXPORT_SYMBOL_GPL(nft_flowtable_lookup);
|
||||
|
||||
void nf_tables_deactivate_flowtable(const struct nft_ctx *ctx,
|
||||
struct nft_flowtable *flowtable,
|
||||
enum nft_trans_phase phase)
|
||||
{
|
||||
switch (phase) {
|
||||
case NFT_TRANS_PREPARE:
|
||||
case NFT_TRANS_ABORT:
|
||||
case NFT_TRANS_RELEASE:
|
||||
flowtable->use--;
|
||||
/* fall through */
|
||||
default:
|
||||
return;
|
||||
}
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nf_tables_deactivate_flowtable);
|
||||
|
||||
static struct nft_flowtable *
|
||||
nft_flowtable_lookup_byhandle(const struct nft_table *table,
|
||||
const struct nlattr *nla, u8 genmask)
|
||||
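Review bot: The comment `/* Only one of these operations is supported */` in the nf_tables_newset hunk is now stale: the rewritten checks reject only NFT_SET_MAP|NFT_SET_OBJECT and NFT_SET_EVAL|NFT_SET_OBJECT, so NFT_SET_MAP combined with NFT_SET_EVAL is accepted. Suggest `/* NFT_SET_OBJECT is exclusive; NFT_SET_MAP and NFT_SET_EVAL may be combined (dynamic sets used as maps) */`. The enclosing `if` block and the rest of nf_tables_newset continue outside the hunk. In the nf_tables_deactivate_flowtable hunk the exported function has no kernel-doc; a comment stating that `use` is dropped on NFT_TRANS_PREPARE/ABORT/RELEASE and left untouched for any other phase would document the contract that nft_flow_offload_deactivate relies on.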
|
|
|
@ -313,7 +313,7 @@ static int nft_flow_offload_chain(struct nft_chain *chain,
|
|||
policy = ppolicy ? *ppolicy : basechain->policy;
|
||||
|
||||
/* Only default policy to accept is supported for now. */
|
||||
if (cmd == FLOW_BLOCK_BIND && policy != -1 && policy != NF_ACCEPT)
|
||||
if (cmd == FLOW_BLOCK_BIND && policy == NF_DROP)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (dev->netdev_ops->ndo_setup_tc)
|
||||
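Review bot: The comment above the changed line, `/* Only default policy to accept is supported for now. */`, no longer matches the check, which now rejects only `policy == NF_DROP` and lets every other value — including NFT_CHAIN_POLICY_UNSET — through. If NF_ACCEPT and NF_DROP are the only policies that can reach here (not visible in this hunk) the two forms are equivalent, but the comment should state what is actually enforced: `/* Only an accept (or unset) default policy is supported for now; reject an explicit drop. */`. The declaration of `policy` and the rest of nft_flow_offload_chain are outside the hunk, so whether it is still a signed int now that the -1 comparison is gone cannot be checked here.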
|
|
|
@ -177,6 +177,23 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx,
|
|||
return nf_ct_netns_get(ctx->net, ctx->family);
|
||||
}
|
||||
|
||||
static void nft_flow_offload_deactivate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr,
|
||||
enum nft_trans_phase phase)
|
||||
{
|
||||
struct nft_flow_offload *priv = nft_expr_priv(expr);
|
||||
|
||||
nf_tables_deactivate_flowtable(ctx, priv->flowtable, phase);
|
||||
}
|
||||
|
||||
static void nft_flow_offload_activate(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
struct nft_flow_offload *priv = nft_expr_priv(expr);
|
||||
|
||||
priv->flowtable->use++;
|
||||
}
|
||||
|
||||
static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
|
||||
const struct nft_expr *expr)
|
||||
{
|
||||
|
@ -205,6 +222,8 @@ static const struct nft_expr_ops nft_flow_offload_ops = {
|
|||
.size = NFT_EXPR_SIZE(sizeof(struct nft_flow_offload)),
|
||||
.eval = nft_flow_offload_eval,
|
||||
.init = nft_flow_offload_init,
|
||||
.activate = nft_flow_offload_activate,
|
||||
.deactivate = nft_flow_offload_deactivate,
|
||||
.destroy = nft_flow_offload_destroy,
|
||||
.validate = nft_flow_offload_validate,
|
||||
.dump = nft_flow_offload_dump,
|
||||
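Review bot: `nft_flow_offload_activate` unconditionally does `priv->flowtable->use++` while the matching decrement now happens in `nf_tables_deactivate_flowtable` only for PREPARE/ABORT/RELEASE; the pairing is non-obvious and deserves a comment on activate, e.g. `/* re-take the flowtable reference dropped by nft_flow_offload_deactivate() when a delete is aborted */`. nft_flow_offload_destroy starts at the hunk edge and its body is outside the hunk: if it still decrements `flowtable->use` on its own, the RELEASE-phase decrement added here would double-count, so please confirm the old decrement was removed there. The `use` field itself is not shown on this page; presumably it is a plain counter updated under the nf_tables transaction lock — confirm no path touches it without that lock.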
|
|
|
@ -73,9 +73,6 @@ static int nft_lookup_init(const struct nft_ctx *ctx,
|
|||
if (IS_ERR(set))
|
||||
return PTR_ERR(set);
|
||||
|
||||
if (set->flags & NFT_SET_EVAL)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
priv->sreg = nft_parse_register(tb[NFTA_LOOKUP_SREG]);
|
||||
err = nft_validate_register_load(priv->sreg, set->klen);
|
||||
if (err < 0)
|
||||
|
|
|
@ -38,7 +38,6 @@ header-test- += linux/ivtv.h
|
|||
header-test- += linux/jffs2.h
|
||||
header-test- += linux/kexec.h
|
||||
header-test- += linux/matroxfb.h
|
||||
header-test- += linux/netfilter_bridge/ebtables.h
|
||||
header-test- += linux/netfilter_ipv4/ipt_LOG.h
|
||||
header-test- += linux/netfilter_ipv6/ip6t_LOG.h
|
||||
header-test- += linux/nfc.h
|
||||
|
|