kernel/linux.git/include/linux/netfilter, branch v5.13.16

netfilter: ipset: Limit the maximal range of consecutive elements to add/delete

2021-09-03T08:22:45+00:00

[ Upstream commit 5f7b51bf09baca8e4f80cbe879536842bafb5f31 ] The range size of consecutive elements were not limited. Thus one could define a huge range which may result soft lockup errors due to the long execution time. Now the range size is limited to 2^20 entries. Reported-by: Brad Spengler Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin

netfilter: allow to turn off xtables compat layer

2021-04-26T16:16:56+00:00

The compat layer needs to parse untrusted input (the ruleset) to translate it to a 64bit compatible format. We had a number of bugs in this department in the past, so allow users to turn this feature off. Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y to keep existing behaviour. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: consolidate callback types

2021-04-26T16:16:56+00:00

Add enum nfnl_callback_type to identify the callback type to provide one single callback. Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: pass struct nfnl_info to batch callbacks

2021-04-26T16:16:56+00:00

Update batch callbacks to use the nfnl_info structure. Rename one clashing info variable to expr_info. Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: pass struct nfnl_info to rcu callbacks

2021-04-26T16:16:52+00:00

Update rcu callbacks to use the nfnl_info structure. Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks

2021-04-26T01:58:17+00:00

Add a new structure to reduce callback footprint and to facilite extensions of the nfnetlink callback interface in the future. Signed-off-by: Pablo Neira Ayuso

netfilter: ip_tables: pass table pointer via nf_hook_ops

2021-04-26T01:20:46+00:00

iptable_x modules rely on 'struct net' to contain a pointer to the table that should be evaluated. In order to remove these pointers from struct net, pass them via the 'priv' pointer in a similar fashion as nf_tables passes the rule data. To do that, duplicate the nf_hook_info array passed in from the iptable_x modules, update the ops->priv pointers of the copy to refer to the table and then change the hookfn implementations to just pass the 'priv' argument to the traverser. After this patch, the xt_table pointers can already be removed from struct net. However, changes to struct net result in re-compile of the entire network stack, so do the removal after arptables and ip6tables have been converted as well. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: x_tables: add xt_find_table

2021-04-26T01:20:39+00:00

This will be used to obtain the xt_table struct given address family and table name. Followup patches will reduce the number of direct accesses to the xt_table structures via net->ipv{4,6}.ip(6)table_{nat,mangle,...} pointers, then remove them. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: add and use nfnetlink_broadcast

2021-04-05T22:34:51+00:00

This removes the only reference of net->nfnl outside of the nfnetlink module. This allows to move net->nfnl to net_generic infra. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: add helper function to set up the nfnetlink header and use it

2021-03-31T20:34:11+00:00

This patch adds a helper function to set up the netlink and nfnetlink headers. Update existing codebase to use it. Signed-off-by: Pablo Neira Ayuso