Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.20.5 2019-01-22T20:09:47+00:00 2019-01-22T20:09:47+00:00 Pablo Neira Ayuso pablo@netfilter.org 2018-12-28T00:24:48+00:00 urn:sha1:385c1e4b7788a88bed1f7d1315f851ada1260643 commit c80f10bc973af2ace6b1414724eeff61eaa71837 upstream. Instead of removing a empty list node that might be reintroduced soon thereafter, tentatively place the empty list node on the list passed to tree_nodes_free(), then re-check if the list is empty again before erasing it from the tree. [ Florian: rebase on top of pending nf_conncount fixes ] Fixes: 5c789e131cbb9 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search") Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-01-22T20:09:46+00:00 Florian Westphal fw@strlen.de 2018-12-28T00:24:46+00:00 urn:sha1:3409dd1ddb38211e461de1a34951e635fc6bcbfa commit df4a902509766897f7371fdfa4c3bf8bc321b55d upstream. 'lookup' is always followed by 'add'. Merge both and make the list-walk part of nf_conncount_add(). This also avoids one unneeded unlock/re-lock pair. Extra care needs to be taken in count_tree, as we only hold rcu read lock, i.e. we can only insert to an existing tree node after acquiring its lock and making sure it has a nonzero count. As a zero count should be rare, just fall back to insert_tree() (which acquires tree lock). This issue and its solution were pointed out by Shawn Bohrer during patch review. Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-11-26T23:35:19+00:00 Taehee Yoo ap420073@gmail.com 2018-11-22T10:59:46+00:00 urn:sha1:584eab291c67894cb17cc87544b9d086228ea70f register_{netdevice/inetaddr/inet6addr}_notifier may return an error value, this patch adds the code to handle these error paths. Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-11-03T12:28:02+00:00 Pablo Neira Ayuso pablo@netfilter.org 2018-11-01T23:11:34+00:00 urn:sha1:a95a7774d51e13f9cf4b7285666829b68852f07a Expose these functions to access conntrack protocol tracker netns area, nfnetlink_cttimeout needs this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-10-19T12:00:33+00:00 Taehee Yoo ap420073@gmail.com 2018-10-18T13:29:59+00:00 urn:sha1:468c041cff57e87f18e1022cacf9f5c98bf00b58 /include/net/netfilter/nfnetlink_log.h file is empty. so that it can be removed. Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-10-19T11:25:22+00:00 Taehee Yoo ap420073@gmail.com 2018-10-11T18:01:54+00:00 urn:sha1:5f1be84aad4b520a36246d0c289ad73641277630 parameter net of nf_flow_table_cleanup() is not used. So that it can be removed. Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-09-28T12:28:29+00:00 Christian Göttsche cgzones@googlemail.com 2018-09-23T18:26:15+00:00 urn:sha1:fb961945457f5177072c968aa38fee910ab893b9 Add the ability to set the security context of packets within the nf_tables framework. Add a nft_object for holding security contexts in the kernel and manipulating packets on the wire. Convert the security context strings at rule addition time to security identifiers. This is the same behavior like in xt_SECMARK and offers better performance than computing it per packet. Set the maximum security context length to 256. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-09-20T16:08:14+00:00 Florian Westphal fw@strlen.de 2018-09-12T13:19:14+00:00 urn:sha1:93185c80a5f748620f5652e492f2a1c8d89db593 All higher l4proto numbers are handled by the generic tracker; the l4proto lookup function already returns generic one in case the l4proto number exceeds max size. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-09-20T16:07:35+00:00 Florian Westphal fw@strlen.de 2018-09-17T10:02:54+00:00 urn:sha1:dd2934a95701576203b2f61e8ded4e4a2f9183ea l4 protocols are demuxed by l3num, l4num pair. However, almost all l4 trackers are l3 agnostic. Only exceptions are: - gre, icmp (ipv4 only) - icmpv6 (ipv6 only) This commit gets rid of the l3 mapping, l4 trackers can now be looked up by their IPPROTO_XXX value alone, which gets rid of the additional l3 indirection. For icmp, ipcmp6 and gre, add a check on state->pf and return -NF_ACCEPT in case we're asked to track e.g. icmpv6-in-ipv4, this seems more fitting than using the generic tracker. Additionally we can kill the 2nd l4proto definitions that were needed for v4/v6 split -- they are now the same so we can use single l4proto struct for each protocol, rather than two. The EXPORT_SYMBOLs can be removed as all these object files are part of nf_conntrack with no external references. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-09-20T16:03:50+00:00 Florian Westphal fw@strlen.de 2018-09-12T13:19:12+00:00 urn:sha1:ca2ca6e1c04e64413f5fb9a5d54fb8b0bdd86467 Its unused, next patch will remove l4proto->l3proto number to simplify l4 protocol demuxer lookup. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>