kernel/linux.git/include/net/netfilter, branch v5.4.50

netfilter: conntrack: avoid gcc-10 zero-length-bounds warning

2020-05-20T06:20:23+00:00

[ Upstream commit 2c407aca64977ede9b9f35158e919773cae2082f ] gcc-10 warns around a suspicious access to an empty struct member: net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc': net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds] 1522 | memset(&ct->__nfct_init_offset[0], 0, | ^~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from net/netfilter/nf_conntrack_core.c:37: include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset' 90 | u8 __nfct_init_offset[0]; | ^~~~~~~~~~~~~~~~~~ The code is correct but a bit unusual. Rework it slightly in a way that does not trigger the warning, using an empty struct instead of an empty array. There are probably more elegant ways to do this, but this is the smallest change. Fixes: c41884ce0562 ("netfilter: conntrack: avoid zeroing timer") Signed-off-by: Arnd Bergmann Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin

netfilter: nf_tables: Align nft_expr private data to 64-bit

2019-11-04T19:58:32+00:00

Invoking the following commands on a 32-bit architecture with strict alignment requirements (such as an ARMv7-based Raspberry Pi) results in an alignment exception: # nft add table ip test-ip4 # nft add chain ip test-ip4 output { type filter hook output priority 0; } # nft add rule ip test-ip4 output quota 1025 bytes Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>] Unhandled fault: alignment exception (0x001) at 0xb832e824 Internal error: : 1 [#1] PREEMPT SMP ARM Hardware name: BCM2835 [<7f4473fc>] (nft_quota_do_init [nft_quota]) [<7f447448>] (nft_quota_init [nft_quota]) [<7f4260d0>] (nf_tables_newrule [nf_tables]) [<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink]) [<7f416bd0>] (nfnetlink_rcv [nfnetlink]) [<8078b334>] (netlink_unicast) [<8078b664>] (netlink_sendmsg) [<8071b47c>] (sock_sendmsg) [<8071bd18>] (___sys_sendmsg) [<8071ce3c>] (__sys_sendmsg) [<8071ce94>] (sys_sendmsg) The reason is that nft_quota_do_init() calls atomic64_set() on an atomic64_t which is only aligned to 32-bit, not 64-bit, because it succeeds struct nft_expr in memory which only contains a 32-bit pointer. Fix by aligning the nft_expr private data to 64-bit. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Lukas Wunner Cc: stable@vger.kernel.org # v3.13+ Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush

2019-09-25T09:01:19+00:00

The deletion of a flowtable after a flush in the same transaction results in EBUSY. This patch adds an activation and deactivation of flowtables in order to update the _use_ counter. Signed-off-by: Laura Garcia Liebana Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: add NFT_CHAIN_POLICY_UNSET and use it

2019-09-20T08:20:02+00:00

Default policy is defined as a unsigned 8-bit field, do not use a negative value to leave it unset, use this new NFT_CHAIN_POLICY_UNSET instead. Signed-off-by: Pablo Neira Ayuso

netfilter: conntrack: remove two unused functions from nf_conntrack_timestamp.h.

2019-09-13T10:48:09+00:00

Two inline functions defined in nf_conntrack_timestamp.h, `nf_ct_tstamp_enabled` and `nf_ct_set_tstamp`, are not called anywhere. Remove them. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso

netfilter: conntrack: remove CONFIG_NF_CONNTRACK checks from nf_conntrack_zones.h.

2019-09-13T10:47:41+00:00

nf_conntrack_zones.h was wrapped in a CONFIG_NF_CONNTRACK check in order to fix compilation failures: 37ee3d5b3e97 ("netfilter: nf_defrag_ipv4: fix compilation error with NF_CONNTRACK=n") Subsequent changes mean that these failures will no longer occur and the check is unnecessary. Remove it. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso

netfilter: remove CONFIG_NETFILTER checks from headers.

2019-09-13T10:47:36+00:00

`struct nf_hook_ops`, `struct nf_hook_state` and the `nf_hookfn` function typedef appear in function and struct declarations and definitions in a number of netfilter headers. The structs and typedef themselves are defined by linux/netfilter.h but only when CONFIG_NETFILTER is enabled. Define them unconditionally and add forward declarations in order to remove CONFIG_NETFILTER conditionals from the other headers. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso

netfilter: conntrack: remove CONFIG_NF_CONNTRACK check from nf_conntrack_acct.h.

2019-09-13T10:47:18+00:00

There is a superfluous `#if IS_ENABLED(CONFIG_NF_CONNTRACK)` check wrapping some function declarations. Remove it. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso

netfilter: conntrack: move code to linux/nf_conntrack_common.h.

2019-09-13T10:47:11+00:00

Move some `struct nf_conntrack` code from linux/skbuff.h to linux/nf_conntrack_common.h. Together with a couple of helpers for getting and setting skb->_nfct, it allows us to remove CONFIG_NF_CONNTRACK checks from net/netfilter/nf_conntrack.h. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso

netfilter: br_netfilter: update stub br_nf_pre_routing_ipv6 parameter to `void *priv`.

2019-09-13T10:47:11+00:00

The real br_nf_pre_routing_ipv6 function, defined when CONFIG_IPV6 is enabled, expects `void *priv`, not `const struct nf_hook_ops *ops`. Update the stub br_nf_pre_routing_ipv6, defined when CONFIG_IPV6 is disabled, to match. Fixes: 06198b34a3e0 ("netfilter: Pass priv instead of nf_hook_ops to netfilter hooks") Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso