kernel/linux.git/include/linux/netfilter.h, branch v6.1.53 Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.53 2023-03-11T12:55:24+00:00 netfilter: ctnetlink: make event listener tracking global 2023-03-11T12:55:24+00:00 Florian Westphal fw@strlen.de 2023-02-20T16:24:00+00:00 urn:sha1:ffba2d57902646bdf9b8e16fd09f7d63a12f7941 [ Upstream commit fdf6491193e411087ae77bcbc6468e3e1cff99ed ] pernet tracking doesn't work correctly because other netns might have set NETLINK_LISTEN_ALL_NSID on its event socket. In this case its expected that events originating in other net namespaces are also received. Making pernet-tracking work while also honoring NETLINK_LISTEN_ALL_NSID requires much more intrusive changes both in netlink and nfnetlink, f.e. adding a 'setsockopt' callback that lets nfnetlink know that the event socket entered (or left) ALL_NSID mode. Move to global tracking instead: if there is an event socket anywhere on the system, all net namespaces which have conntrack enabled and use autobind mode will allocate the ecache extension. netlink_has_listeners() returns false only if the given group has no subscribers in any net namespace, the 'net' argument passed to nfnetlink_has_listeners is only used to derive the protocol (nfnetlink), it has no other effect. For proper NETLINK_LISTEN_ALL_NSID-aware pernet tracking of event listeners a new netlink_has_net_listeners() is also needed. Fixes: 90d1daa45849 ("netfilter: conntrack: add nf_conntrack_events autodetect mode") Reported-by: Bryce Kahle <bryce.kahle@datadoghq.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> Remove DECnet support from kernel 2022-08-22T13:26:30+00:00 Stephen Hemminger stephen@networkplumber.org 2022-08-18T00:43:21+00:00 urn:sha1:1202cdd665315c525b5237e96e0bedc76d7e754f DECnet is an obsolete network protocol that receives more attention from kernel janitors than users. It belongs in computer protocol history museum not in Linux kernel. It has been "Orphaned" in kernel since 2010. The iproute2 support for DECnet was dropped in 5.0 release. The documentation link on Sourceforge says it is abandoned there as well. Leave the UAPI alone to keep userspace programs compiling. This means that there is still an empty neighbour table for AF_DECNET. The table of /proc/sys/net entries was updated to match current directories and reformatted to be alphabetical. Signed-off-by: Stephen Hemminger <stephen@networkplumber.org> Acked-by: David Ahern <dsahern@kernel.org> Acked-by: Nikolay Aleksandrov <razor@blackwall.org> Signed-off-by: David S. Miller <davem@davemloft.net> netfilter: conntrack: handle ->destroy hook via nat_ops instead 2022-02-04T05:30:28+00:00 Florian Westphal fw@strlen.de 2022-01-20T12:07:01+00:00 urn:sha1:1bc91a5ddf3eaea0e0ea957cccf3abdcfcace00e The nat module already exposes a few functions to the conntrack core. Move the nat extension destroy hook to it. After this, no conntrack extension needs a destroy hook. 'struct nf_ct_ext_type' and the register/unregister api can be removed in a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: make function op structures const 2022-01-09T22:30:13+00:00 Florian Westphal fw@strlen.de 2022-01-07T04:03:24+00:00 urn:sha1:285c8a7a58158cb1805c97ff03875df2ba2ea1fe No functional changes, these structures should be const. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: core: move ip_ct_attach indirection to struct nf_ct_hook 2022-01-09T22:30:13+00:00 Florian Westphal fw@strlen.de 2022-01-07T04:03:23+00:00 urn:sha1:3fce16493dc1aa2c9af3d7e7bd360dfe203a3e6a ip_ct_attach predates struct nf_ct_hook, we can place it there and remove the exported symbol. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: annotate nf_tables base hook ops 2021-06-07T10:23:38+00:00 Florian Westphal fw@strlen.de 2021-06-04T10:27:06+00:00 urn:sha1:7b4b2fa37587394fb89fa51a4bea0820a1b37a5d This will allow a followup patch to treat the 'ops->priv' pointer as nft_chain argument without having to first walk the table/chains to check if there is a matching base chain pointer. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: reduce size of nf_hook_state on 32bit platforms 2021-05-28T23:04:53+00:00 Florian Westphal fw@strlen.de 2021-05-28T10:30:04+00:00 urn:sha1:6802db48fc27b8d7f601e96a85771f2205702941 Reduce size from 28 to 24 bytes on 32bit platforms. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: ctnetlink: remove get_ct indirection 2021-01-25T21:06:11+00:00 Florian Westphal fw@strlen.de 2021-01-20T15:30:03+00:00 urn:sha1:83ace77f51175023c3757e2d08a92565f9b1c7f3 Use nf_ct_get() directly, its a small inline helper without dependencies. Add CONFIG_NF_CONNTRACK guards to elide the relevant part when conntrack isn't available at all. v2: add ifdef guard around nf_ct_get call (kernel test robot) Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: switch nf_setsockopt to sockptr_t 2020-07-24T22:41:54+00:00 Christoph Hellwig hch@lst.de 2020-07-23T06:08:54+00:00 urn:sha1:c2f12630c60ff33a9cafd221646053fc10ec59b6 Pass a sockptr_t to prepare for set_fs-less handling of the kernel pointer from bpf-cgroup. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: David S. Miller <davem@davemloft.net> netfilter: remove the compat_{get,set} methods 2020-07-20T01:16:40+00:00 Christoph Hellwig hch@lst.de 2020-07-17T06:23:20+00:00 urn:sha1:77d4df41d53e5c2af14db26f20fe50da52e382ba All instances handle compat sockopts via in_compat_syscall() now, so remove the compat_{get,set} methods as well as the compat_nf_{get,set}sockopt wrappers. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: David S. Miller <davem@davemloft.net>