diff options
| author | Jakub Kicinski <kuba@kernel.org> | 2023-05-19 00:05:48 +0300 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2023-05-19 00:05:49 +0300 |
| commit | 1ecaf17d097c91a7bd2979c57f7c81c5eeaf526b (patch) | |
| tree | 379efe7cfe3b5acbb01658200c423c15aa6d7d3f /include | |
| parent | 02f8fc1a67c160b2faab2c9e9439026deb076971 (diff) | |
| parent | e05b5362166b18a224c30502e81416e4d622d3e4 (diff) | |
| download | linux-1ecaf17d097c91a7bd2979c57f7c81c5eeaf526b.tar.xz | |
Merge tag 'nf-next-2023-05-18' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next
Florian Westphal says:
====================
Netfilter updates for net-next
nftables updates:
1. Allow key existence checks with maps.
At the moment the kernel requires userspace to pass a destination
register for the associated value, make this optional so userspace
can query if the key exists, just like with normal sets.
2. nftables maintains a counter per set that holds the number of
elements. This counter gets decremented on element removal,
but its only incremented if the set has a upper maximum value.
Increment unconditionally, this will allow us to update the
maximum value later on.
3. At DCCP option maching, from Jeremy Sowden.
4. use struct_size macro, from Christophe JAILLET.
Conntrack:
5. Squash holes in struct nf_conntrack_expect, also Christophe JAILLET.
6. Allow clash resolution for GRE Protocol to avoid a packet drop,
from Faicker Mo.
Flowtable:
Simplify route logic and split large functions into smaller
chunks, from Pablo Neira Ayuso.
* tag 'nf-next-2023-05-18' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: flowtable: split IPv6 datapath in helper functions
netfilter: flowtable: split IPv4 datapath in helper functions
netfilter: flowtable: simplify route logic
netfilter: conntrack: allow insertion clash of gre protocol
netfilter: nft_set_pipapo: Use struct_size()
netfilter: Reorder fields in 'struct nf_conntrack_expect'
netfilter: nft_exthdr: add boolean DCCP option matching
netfilter: nf_tables: always increment set element count
netfilter: nf_tables: relax set/map validation checks
====================
Link: https://lore.kernel.org/r/20230518100759.84858-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 18 | ||||
| -rw-r--r-- | include/net/netfilter/nf_flow_table.h | 4 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 2 |
3 files changed, 13 insertions, 11 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 0855b60fba17..cf0d81be5a96 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h @@ -26,6 +26,15 @@ struct nf_conntrack_expect { struct nf_conntrack_tuple tuple; struct nf_conntrack_tuple_mask mask; + /* Usage count. */ + refcount_t use; + + /* Flags */ + unsigned int flags; + + /* Expectation class */ + unsigned int class; + /* Function to call after setup and insertion */ void (*expectfn)(struct nf_conn *new, struct nf_conntrack_expect *this); @@ -39,15 +48,6 @@ struct nf_conntrack_expect { /* Timer function; deletes the expectation. */ struct timer_list timeout; - /* Usage count. */ - refcount_t use; - - /* Flags */ - unsigned int flags; - - /* Expectation class */ - unsigned int class; - #if IS_ENABLED(CONFIG_NF_NAT) union nf_inet_addr saved_addr; /* This is the original per-proto part, used to map the diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h index ebb28ec5b6fa..546fc4a9b939 100644 --- a/include/net/netfilter/nf_flow_table.h +++ b/include/net/netfilter/nf_flow_table.h @@ -263,8 +263,8 @@ nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table, up_write(&flow_table->flow_block_lock); } -int flow_offload_route_init(struct flow_offload *flow, - const struct nf_flow_route *route); +void flow_offload_route_init(struct flow_offload *flow, + const struct nf_flow_route *route); int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow); void flow_offload_refresh(struct nf_flowtable *flow_table, diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index c4d4d8e42dc8..e059dc2644df 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -859,12 +859,14 @@ enum nft_exthdr_flags { * @NFT_EXTHDR_OP_TCP: match against tcp options * @NFT_EXTHDR_OP_IPV4: match against ipv4 options * @NFT_EXTHDR_OP_SCTP: match against sctp chunks + * @NFT_EXTHDR_OP_DCCP: match against dccp otions */ enum nft_exthdr_op { NFT_EXTHDR_OP_IPV6, NFT_EXTHDR_OP_TCPOPT, NFT_EXTHDR_OP_IPV4, NFT_EXTHDR_OP_SCTP, + NFT_EXTHDR_OP_DCCP, __NFT_EXTHDR_OP_MAX }; #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) |