kernel/linux.git/include/linux/netfilter, branch v5.14.8

netfilter: ipset: Limit the maximal range of consecutive elements to add/delete

2021-08-04T08:41:03+00:00

The range size of consecutive elements were not limited. Thus one could define a huge range which may result soft lockup errors due to the long execution time. Now the range size is limited to 2^20 entries. Reported-by: Brad Spengler Signed-off-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: add struct nfgenmsg to struct nfnl_info and use it

2021-06-07T10:23:36+00:00

Update the nfnl_info structure to add a pointer to the nfnetlink header. This simplifies the existing codebase since this header is usually accessed. Update existing clients to use this new field. Signed-off-by: Pablo Neira Ayuso

netfilter: x_tables: reduce xt_action_param by 8 byte

2021-05-28T23:04:53+00:00

The fragment offset in ipv4/ipv6 is a 16bit field, so use u16 instead of unsigned int. On 64bit: 40 bytes to 32 bytes. By extension this also reduces nft_pktinfo (56 to 48 byte). Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: allow to turn off xtables compat layer

2021-04-26T16:16:56+00:00

The compat layer needs to parse untrusted input (the ruleset) to translate it to a 64bit compatible format. We had a number of bugs in this department in the past, so allow users to turn this feature off. Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y to keep existing behaviour. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: consolidate callback types

2021-04-26T16:16:56+00:00

Add enum nfnl_callback_type to identify the callback type to provide one single callback. Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: pass struct nfnl_info to batch callbacks

2021-04-26T16:16:56+00:00

Update batch callbacks to use the nfnl_info structure. Rename one clashing info variable to expr_info. Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: pass struct nfnl_info to rcu callbacks

2021-04-26T16:16:52+00:00

Update rcu callbacks to use the nfnl_info structure. Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks

2021-04-26T01:58:17+00:00

Add a new structure to reduce callback footprint and to facilite extensions of the nfnetlink callback interface in the future. Signed-off-by: Pablo Neira Ayuso

netfilter: ip_tables: pass table pointer via nf_hook_ops

2021-04-26T01:20:46+00:00

iptable_x modules rely on 'struct net' to contain a pointer to the table that should be evaluated. In order to remove these pointers from struct net, pass them via the 'priv' pointer in a similar fashion as nf_tables passes the rule data. To do that, duplicate the nf_hook_info array passed in from the iptable_x modules, update the ops->priv pointers of the copy to refer to the table and then change the hookfn implementations to just pass the 'priv' argument to the traverser. After this patch, the xt_table pointers can already be removed from struct net. However, changes to struct net result in re-compile of the entire network stack, so do the removal after arptables and ip6tables have been converted as well. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: x_tables: add xt_find_table

2021-04-26T01:20:39+00:00

This will be used to obtain the xt_table struct given address family and table name. Followup patches will reduce the number of direct accesses to the xt_table structures via net->ipv{4,6}.ip(6)table_{nat,mangle,...} pointers, then remove them. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso