* [PATCH 00/12] Netfilter updates for net-next
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi David,

The following patchset contains Netfilter/IPVS updates for
your net-next tree; they are:

* Better performance in nfnetlink_queue by avoiding copy from the
  packet to netlink message, from Eric Dumazet.

* Remove unnecessary locking in the exit path of ebt_ulog, from Gao Feng.

* Use new function ipv6_iface_scope_id in nf_ct_ipv6, from Hannes Frederic Sowa.

* A couple of sparse fixes for IPVS, from Julian Anastasov.

* Use xor hashing in nfnetlink_queue, as suggested by Eric Dumazet, from
  myself.

* Allow to dump expectations per master conntrack via ctnetlink, from myself.

* A couple of cleanups to use PTR_RET in module init path, from Silviu-Mihai
  Popescu.

* Remove nf_conntrack module a bit faster if netns are in use, from
  Vladimir Davydov.

* Use checksum_partial in ip6t_NPT, from YOSHIFUJI Hideaki.

* Sparse fix for nf_conntrack, from Stephen Hemminger.

You can pull these changes from:

git://1984.lsi.us.es/nf-next master

Thanks!

Eric Dumazet (1):
  netfilter: nfnetlink_queue: zero copy support

Gao feng (1):
  netfilter: ebt_ulog: remove unnecessary spin lock protection

Hannes Frederic Sowa (1):
  netfilter: nf_ct_ipv6: use ipv6_iface_scope_id in conntrack to return scope id

Julian Anastasov (2):
  ipvs: fix hashing in ip_vs_svc_hashkey
  ipvs: fix some sparse warnings

Pablo Neira Ayuso (2):
  netfilter: nfnetlink_queue: use xor hash function to distribute instances
  netfilter: ctnetlink: allow to dump expectation per master conntrack

Silviu-Mihai Popescu (2):
  ipv4: netfilter: use PTR_RET instead of IS_ERR + PTR_ERR
  bridge: netfilter: use PTR_RET instead of IS_ERR + PTR_ERR

Vladimir Davydov (1):
  netfilter: nf_conntrack: speed up module removal path if netns in use

YOSHIFUJI Hideaki (1):
  netfilter: ip6t_NPT: Use csum_partial()

stephen hemminger (1):
  netfilter: nf_conntrack: add include to fix sparse warning

 include/net/ip_vs.h                            |    2 +-
 include/net/netfilter/nf_conntrack_core.h      |    1 +
 net/bridge/netfilter/ebt_ulog.c                |    3 +-
 net/bridge/netfilter/ebtable_broute.c          |    4 +-
 net/ipv4/netfilter/arptable_filter.c           |    4 +-
 net/ipv6/netfilter/ip6t_NPT.c                  |   11 +--
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    8 +-
 net/netfilter/ipvs/ip_vs_core.c                |    8 +-
 net/netfilter/ipvs/ip_vs_ctl.c                 |    8 +-
 net/netfilter/ipvs/ip_vs_est.c                 |    2 +-
 net/netfilter/nf_conntrack_core.c              |   47 +++++++----
 net/netfilter/nf_conntrack_netlink.c           |  100 ++++++++++++++++++++++--
 net/netfilter/nf_conntrack_standalone.c        |   16 ++--
 net/netfilter/nfnetlink_queue_core.c           |   96 +++++++++++++++++------
 14 files changed, 228 insertions(+), 82 deletions(-)

-- 
1.7.10.4



* [PATCH 01/12] netfilter: ip6t_NPT: Use csum_partial()
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

[ Some fixes went into mainstream before this patch, so I needed
  to rebase it upon the current tree; that's why it's different from
  the original one posted on the list --pablo ]

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/ip6t_NPT.c |   11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/net/ipv6/netfilter/ip6t_NPT.c b/net/ipv6/netfilter/ip6t_NPT.c
index 83acc14..59286a1 100644
--- a/net/ipv6/netfilter/ip6t_NPT.c
+++ b/net/ipv6/netfilter/ip6t_NPT.c
@@ -18,9 +18,8 @@
 static int ip6t_npt_checkentry(const struct xt_tgchk_param *par)
 {
 	struct ip6t_npt_tginfo *npt = par->targinfo;
-	__wsum src_sum = 0, dst_sum = 0;
 	struct in6_addr pfx;
-	unsigned int i;
+	__wsum src_sum, dst_sum;
 
 	if (npt->src_pfx_len > 64 || npt->dst_pfx_len > 64)
 		return -EINVAL;
@@ -33,12 +32,8 @@ static int ip6t_npt_checkentry(const struct xt_tgchk_param *par)
 	if (!ipv6_addr_equal(&pfx, &npt->dst_pfx.in6))
 		return -EINVAL;
 
-	for (i = 0; i < ARRAY_SIZE(npt->src_pfx.in6.s6_addr16); i++) {
-		src_sum = csum_add(src_sum,
-				(__force __wsum)npt->src_pfx.in6.s6_addr16[i]);
-		dst_sum = csum_add(dst_sum,
-				(__force __wsum)npt->dst_pfx.in6.s6_addr16[i]);
-	}
+	src_sum = csum_partial(&npt->src_pfx.in6, sizeof(npt->src_pfx.in6), 0);
+	dst_sum = csum_partial(&npt->dst_pfx.in6, sizeof(npt->dst_pfx.in6), 0);
 
 	npt->adjustment = ~csum_fold(csum_sub(src_sum, dst_sum));
 	return 0;
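Review bot: the two csum_partial() calls at the end of the hunk sum all 16 bytes of src_pfx.in6 and dst_pfx.in6, so they reproduce the removed s6_addr16 loop only when the bits beyond the prefix length are zero. The ipv6_addr_equal() check against the masked pfx, visible at the top of the hunk, guarantees that for dst_pfx; please confirm the matching check for src_pfx in the context that is not shown, otherwise the adjustment would include non-prefix bits. Dropping the `= 0` initialisers from src_sum and dst_sum is fine, since both are now assigned before use.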
-- 
1.7.10.4



* [PATCH 02/12] ipv4: netfilter: use PTR_RET instead of IS_ERR + PTR_ERR
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Silviu-Mihai Popescu <silviupopescu1990@gmail.com>

This uses PTR_RET instead of IS_ERR and PTR_ERR in order to increase
readability.

Signed-off-by: Silviu-Mihai Popescu <silviupopescu1990@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv4/netfilter/arptable_filter.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/ipv4/netfilter/arptable_filter.c b/net/ipv4/netfilter/arptable_filter.c
index 79ca5e7..eadab1e 100644
--- a/net/ipv4/netfilter/arptable_filter.c
+++ b/net/ipv4/netfilter/arptable_filter.c
@@ -48,9 +48,7 @@ static int __net_init arptable_filter_net_init(struct net *net)
 	net->ipv4.arptable_filter =
 		arpt_register_table(net, &packet_filter, repl);
 	kfree(repl);
-	if (IS_ERR(net->ipv4.arptable_filter))
-		return PTR_ERR(net->ipv4.arptable_filter);
-	return 0;
+	return PTR_RET(net->ipv4.arptable_filter);
 }
 
 static void __net_exit arptable_filter_net_exit(struct net *net)
-- 
1.7.10.4



* [PATCH 03/12] bridge: netfilter: use PTR_RET instead of IS_ERR + PTR_ERR
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Silviu-Mihai Popescu <silviupopescu1990@gmail.com>

This uses PTR_RET instead of IS_ERR and PTR_ERR in order to increase
readability.

Signed-off-by: Silviu-Mihai Popescu <silviupopescu1990@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/bridge/netfilter/ebtable_broute.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/net/bridge/netfilter/ebtable_broute.c b/net/bridge/netfilter/ebtable_broute.c
index 40d8258..70f656c 100644
--- a/net/bridge/netfilter/ebtable_broute.c
+++ b/net/bridge/netfilter/ebtable_broute.c
@@ -64,9 +64,7 @@ static int ebt_broute(struct sk_buff *skb)
 static int __net_init broute_net_init(struct net *net)
 {
 	net->xt.broute_table = ebt_register_table(net, &broute_table);
-	if (IS_ERR(net->xt.broute_table))
-		return PTR_ERR(net->xt.broute_table);
-	return 0;
+	return PTR_RET(net->xt.broute_table);
 }
 
 static void __net_exit broute_net_exit(struct net *net)
-- 
1.7.10.4


* [PATCH 04/12] netfilter: nf_ct_ipv6: use ipv6_iface_scope_id in conntrack to return scope id
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Hannes Frederic Sowa <hannes@stressinduktion.org>

As in (842df07 ipv6: use newly introduced __ipv6_addr_needs_scope_id and
ipv6_iface_scope_id).

Cc: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c |    8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 2b6c226..97bcf2b 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -330,12 +330,8 @@ ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
 					sizeof(sin6.sin6_addr));
 
 	nf_ct_put(ct);
-
-	if (ipv6_addr_type(&sin6.sin6_addr) & IPV6_ADDR_LINKLOCAL)
-		sin6.sin6_scope_id = sk->sk_bound_dev_if;
-	else
-		sin6.sin6_scope_id = 0;
-
+	sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr,
+						 sk->sk_bound_dev_if);
 	return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0;
 }
 
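Review bot: the commit message should state whether ipv6_iface_scope_id() is a strict replacement for the removed IPV6_ADDR_LINKLOCAL test. If the helper introduced in 842df07 (its definition is not in this hunk) also reports a scope for multicast addresses of link-local scope, then callers of the original-destination getsockopt now receive a non-zero sin6_scope_id for those destinations, which is a small user-visible change rather than a pure cleanup and is worth a sentence.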
-- 
1.7.10.4


* [PATCH 05/12] netfilter: ebt_ulog: remove unnecessary spin lock protection
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Gao feng <gaofeng@cn.fujitsu.com>

No need for a spinlock to protect the netlink skb in the
ebt_ulog_fini path. We are sure there is no one using it
at that stage.

Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/bridge/netfilter/ebt_ulog.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index 3bf43f7..442b032 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -319,12 +319,11 @@ static void __exit ebt_ulog_fini(void)
 	for (i = 0; i < EBT_ULOG_MAXNLGROUPS; i++) {
 		ub = &ulog_buffers[i];
 		del_timer(&ub->timer);
-		spin_lock_bh(&ub->lock);
+
 		if (ub->skb) {
 			kfree_skb(ub->skb);
 			ub->skb = NULL;
 		}
-		spin_unlock_bh(&ub->lock);
 	}
 	netlink_kernel_release(ebtulognl);
 }
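Review bot: with the spinlock gone, the del_timer() call at the top of the hunk is the only thing standing between the timer callback and the kfree_skb(ub->skb) that follows, and del_timer() does not wait for a handler that is already running on another CPU. Either keep the lock or use del_timer_sync() here, so the callback cannot still be touching ub->skb when it is freed; the commit message's claim that nobody uses the skb at this stage depends on that. Also, the `+` line that replaced spin_lock_bh() leaves a stray blank line inside the loop body; it should be dropped rather than left empty.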
-- 
1.7.10.4


* [PATCH 06/12] netfilter: nfnetlink_queue: use xor hash function to distribute instances
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>

Thanks to Eric Dumazet for suggesting this during the NFWS.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_queue_core.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 858fd52..350c50f 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -73,7 +73,7 @@ static struct hlist_head instance_table[INSTANCE_BUCKETS] __read_mostly;
 
 static inline u_int8_t instance_hashfn(u_int16_t queue_num)
 {
-	return ((queue_num >> 8) | queue_num) % INSTANCE_BUCKETS;
+	return ((queue_num >> 8) ^ queue_num) % INSTANCE_BUCKETS;
 }
 
 static struct nfqnl_instance *
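Review bot: the change from `|` to `^` in instance_hashfn() is more than cosmetic and deserves a sentence in the commit message. With OR, a bit of the result is set whenever it is set in either byte of queue_num, so for queue numbers spread across both bytes the low bits kept by `% INSTANCE_BUCKETS` are biased toward 1 and instances pile up in the high-numbered buckets; XOR clears bits as often as it sets them and spreads them evenly. For queue numbers below 256 both expressions reduce to `queue_num % INSTANCE_BUCKETS`, so existing small setups see no change.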
-- 
1.7.10.4


* [PATCH 07/12] ipvs: fix hashing in ip_vs_svc_hashkey
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Julian Anastasov <ja@ssi.bg>

net is a pointer in host order; mix it properly
with the other keys in network order. Fixes a sparse warning.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 net/netfilter/ipvs/ip_vs_ctl.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index c68198b..a528178 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -271,16 +271,18 @@ ip_vs_svc_hashkey(struct net *net, int af, unsigned int proto,
 {
 	register unsigned int porth = ntohs(port);
 	__be32 addr_fold = addr->ip;
+	__u32 ahash;
 
 #ifdef CONFIG_IP_VS_IPV6
 	if (af == AF_INET6)
 		addr_fold = addr->ip6[0]^addr->ip6[1]^
 			    addr->ip6[2]^addr->ip6[3];
 #endif
-	addr_fold ^= ((size_t)net>>8);
+	ahash = ntohl(addr_fold);
+	ahash ^= ((size_t) net >> 8);
 
-	return (proto^ntohl(addr_fold)^(porth>>IP_VS_SVC_TAB_BITS)^porth)
-		& IP_VS_SVC_TAB_MASK;
+	return (proto ^ ahash ^ (porth >> IP_VS_SVC_TAB_BITS) ^ porth) &
+	       IP_VS_SVC_TAB_MASK;
 }
 
 /*
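Review bot: `ahash ^= ((size_t) net >> 8);` truncates the pointer-derived value to 32 bits on 64-bit builds; the old line did the same, but an explicit (u32) cast would document the intent. Converting addr_fold with ntohl() before mixing is the right fix: the removed `addr_fold ^= ((size_t)net>>8)` XORed host-order bits into a __be32 and then byte-swapped the pointer bits together with the address in the return expression, which is what sparse was objecting to. The bucket value is the same kind of hash either way, so no behaviour change beyond bit order is expected; saying so in the commit message would save the next reader from checking.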
-- 
1.7.10.4



* [PATCH 08/12] ipvs: fix some sparse warnings
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Julian Anastasov <ja@ssi.bg>

Add missing __percpu annotations and make ip_vs_net_id static.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
---
 include/net/ip_vs.h             |    2 +-
 net/netfilter/ipvs/ip_vs_core.c |    8 +-------
 net/netfilter/ipvs/ip_vs_est.c  |    2 +-
 3 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index 68c69d5..29bc055 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -459,7 +459,7 @@ struct ip_vs_estimator {
 struct ip_vs_stats {
 	struct ip_vs_stats_user	ustats;		/* statistics */
 	struct ip_vs_estimator	est;		/* estimator */
-	struct ip_vs_cpu_stats	*cpustats;	/* per cpu counters */
+	struct ip_vs_cpu_stats __percpu	*cpustats;	/* per cpu counters */
 	spinlock_t		lock;		/* spin lock */
 	struct ip_vs_stats_user	ustats0;	/* reset values */
 };
diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c
index 47edf5a..3e5e80b 100644
--- a/net/netfilter/ipvs/ip_vs_core.c
+++ b/net/netfilter/ipvs/ip_vs_core.c
@@ -69,10 +69,7 @@ EXPORT_SYMBOL(ip_vs_conn_put);
 EXPORT_SYMBOL(ip_vs_get_debug_level);
 #endif
 
-int ip_vs_net_id __read_mostly;
-#ifdef IP_VS_GENERIC_NETNS
-EXPORT_SYMBOL(ip_vs_net_id);
-#endif
+static int ip_vs_net_id __read_mostly;
 /* netns cnt used for uniqueness */
 static atomic_t ipvs_netns_cnt = ATOMIC_INIT(0);
 
@@ -1181,9 +1178,6 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af)
 						iph.len)))) {
 #ifdef CONFIG_IP_VS_IPV6
 				if (af == AF_INET6) {
-					struct net *net =
-						dev_net(skb_dst(skb)->dev);
-
 					if (!skb->dev)
 						skb->dev = net->loopback_dev;
 					icmpv6_send(skb,
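Review bot: dropping the local `struct net *net = dev_net(skb_dst(skb)->dev);` makes `net->loopback_dev` two lines down refer to a `net` declared outside this hunk. The commit message says only "sparse warnings"; it should state that the inner variable was shadowing an outer one holding the same namespace, because if the outer `net` were derived differently (from skb->dev rather than the dst device, say) the loopback fallback would change behaviour rather than just silence a warning.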
diff --git a/net/netfilter/ipvs/ip_vs_est.c b/net/netfilter/ipvs/ip_vs_est.c
index 0fac601..6bee6d0 100644
--- a/net/netfilter/ipvs/ip_vs_est.c
+++ b/net/netfilter/ipvs/ip_vs_est.c
@@ -56,7 +56,7 @@
  * Make a summary from each cpu
  */
 static void ip_vs_read_cpu_stats(struct ip_vs_stats_user *sum,
-				 struct ip_vs_cpu_stats *stats)
+				 struct ip_vs_cpu_stats __percpu *stats)
 {
 	int i;
 
-- 
1.7.10.4


* [PATCH 09/12] netfilter: ctnetlink: allow to dump expectation per master conntrack
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>

This patch adds the ability to dump all existing expectations
per master conntrack.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_netlink.c |  100 ++++++++++++++++++++++++++++++++--
 1 file changed, 95 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 9904b15..6d0f8a1 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2409,6 +2409,92 @@ out:
 	return skb->len;
 }
 
+static int
+ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
+{
+	struct nf_conntrack_expect *exp, *last;
+	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
+	struct nf_conn *ct = cb->data;
+	struct nf_conn_help *help = nfct_help(ct);
+	u_int8_t l3proto = nfmsg->nfgen_family;
+
+	if (cb->args[0])
+		return 0;
+
+	rcu_read_lock();
+	last = (struct nf_conntrack_expect *)cb->args[1];
+restart:
+	hlist_for_each_entry(exp, &help->expectations, lnode) {
+		if (l3proto && exp->tuple.src.l3num != l3proto)
+			continue;
+		if (cb->args[1]) {
+			if (exp != last)
+				continue;
+			cb->args[1] = 0;
+		}
+		if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
+					    cb->nlh->nlmsg_seq,
+					    IPCTNL_MSG_EXP_NEW,
+					    exp) < 0) {
+			if (!atomic_inc_not_zero(&exp->use))
+				continue;
+			cb->args[1] = (unsigned long)exp;
+			goto out;
+		}
+	}
+	if (cb->args[1]) {
+		cb->args[1] = 0;
+		goto restart;
+	}
+	cb->args[0] = 1;
+out:
+	rcu_read_unlock();
+	if (last)
+		nf_ct_expect_put(last);
+
+	return skb->len;
+}
+
+static int ctnetlink_dump_exp_ct(struct sock *ctnl, struct sk_buff *skb,
+				 const struct nlmsghdr *nlh,
+				 const struct nlattr * const cda[])
+{
+	int err;
+	struct net *net = sock_net(ctnl);
+	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
+	u_int8_t u3 = nfmsg->nfgen_family;
+	struct nf_conntrack_tuple tuple;
+	struct nf_conntrack_tuple_hash *h;
+	struct nf_conn *ct;
+	u16 zone = 0;
+	struct netlink_dump_control c = {
+		.dump = ctnetlink_exp_ct_dump_table,
+		.done = ctnetlink_exp_done,
+	};
+
+	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
+	if (err < 0)
+		return err;
+
+	if (cda[CTA_EXPECT_ZONE]) {
+		err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
+		if (err < 0)
+			return err;
+	}
+
+	h = nf_conntrack_find_get(net, zone, &tuple);
+	if (!h)
+		return -ENOENT;
+
+	ct = nf_ct_tuplehash_to_ctrack(h);
+	c.data = ct;
+
+	err = netlink_dump_start(ctnl, skb, nlh, &c);
+	nf_ct_put(ct);
+
+	return err;
+}
+
 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
 	[CTA_EXPECT_MASTER]	= { .type = NLA_NESTED },
 	[CTA_EXPECT_TUPLE]	= { .type = NLA_NESTED },
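Review bot: ctnetlink_exp_ct_dump_table() dereferences `help` (`&help->expectations`) without checking the result of nfct_help(ct), but a conntrack looked up by an arbitrary CTA_EXPECT_MASTER tuple in ctnetlink_dump_exp_ct() need not carry a helper extension, in which case nfct_help() returns NULL and the dump would oops on a user-supplied tuple. Rejecting a master without a helper in ctnetlink_dump_exp_ct() (nf_ct_put() followed by `return 0` or -ENOENT, before `c.data = ct`) is enough, since such a conntrack cannot own expectations. Separately, `c.data = ct` is kept for later dump callbacks while the reference is dropped with nf_ct_put(ct) right after netlink_dump_start(); if the first pass does not fit into one skb, the next recvmsg() runs the callback with cb->data pointing at a conntrack that may have been freed in between. Either hold the reference until .done runs, or document why the per-master dump is expected to complete in the first pass.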
@@ -2439,11 +2525,15 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
 	int err;
 
 	if (nlh->nlmsg_flags & NLM_F_DUMP) {
-		struct netlink_dump_control c = {
-			.dump = ctnetlink_exp_dump_table,
-			.done = ctnetlink_exp_done,
-		};
-		return netlink_dump_start(ctnl, skb, nlh, &c);
+		if (cda[CTA_EXPECT_MASTER])
+			return ctnetlink_dump_exp_ct(ctnl, skb, nlh, cda);
+		else {
+			struct netlink_dump_control c = {
+				.dump = ctnetlink_exp_dump_table,
+				.done = ctnetlink_exp_done,
+			};
+			return netlink_dump_start(ctnl, skb, nlh, &c);
+		}
 	}
 
 	err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
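Review bot: style point on the NLM_F_DUMP branch: the `else {` after `return ctnetlink_dump_exp_ct(...)` is unnecessary (checkpatch warns that else is not useful after a return) and forces the unchanged netlink_dump_control block to be re-indented. Dropping the else and leaving the original block where it was keeps the diff down to the two-line CTA_EXPECT_MASTER check.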
-- 
1.7.10.4



* [PATCH 10/12] netfilter: nfnetlink_queue: zero copy support
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Eric Dumazet <edumazet@google.com>

nfqnl_build_packet_message() actually copies the packet
inside the netlink message, while it can instead use
zero copy.

Make sure the skb 'copy' is the last component of the
cooked netlink message, as we can't add anything after it.

Patch cooked in Copenhagen at Netfilter Workshop ;)

Still to be addressed in separate patches:

- GRO/GSO packets are segmented in nf_queue()
  and checksummed in nfqnl_build_packet_message().

Proper support for GSO/GRO packets (no segmentation,
and no checksumming) needs application cooperation, if we
want no regressions.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_queue_core.c |   94 ++++++++++++++++++++++++++--------
 1 file changed, 72 insertions(+), 22 deletions(-)

diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 350c50f..da91b86 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -217,14 +217,59 @@ nfqnl_flush(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, unsigned long data)
 	spin_unlock_bh(&queue->lock);
 }
 
+static void
+nfqnl_zcopy(struct sk_buff *to, const struct sk_buff *from, int len, int hlen)
+{
+	int i, j = 0;
+	int plen = 0; /* length of skb->head fragment */
+	struct page *page;
+	unsigned int offset;
+
+	/* dont bother with small payloads */
+	if (len <= skb_tailroom(to)) {
+		skb_copy_bits(from, 0, skb_put(to, len), len);
+		return;
+	}
+
+	if (hlen) {
+		skb_copy_bits(from, 0, skb_put(to, hlen), hlen);
+		len -= hlen;
+	} else {
+		plen = min_t(int, skb_headlen(from), len);
+		if (plen) {
+			page = virt_to_head_page(from->head);
+			offset = from->data - (unsigned char *)page_address(page);
+			__skb_fill_page_desc(to, 0, page, offset, plen);
+			get_page(page);
+			j = 1;
+			len -= plen;
+		}
+	}
+
+	to->truesize += len + plen;
+	to->len += len + plen;
+	to->data_len += len + plen;
+
+	for (i = 0; i < skb_shinfo(from)->nr_frags; i++) {
+		if (!len)
+			break;
+		skb_shinfo(to)->frags[j] = skb_shinfo(from)->frags[i];
+		skb_shinfo(to)->frags[j].size = min_t(int, skb_shinfo(to)->frags[j].size, len);
+		len -= skb_shinfo(to)->frags[j].size;
+		skb_frag_ref(to, j);
+		j++;
+	}
+	skb_shinfo(to)->nr_frags = j;
+}
+
 static struct sk_buff *
 nfqnl_build_packet_message(struct nfqnl_instance *queue,
 			   struct nf_queue_entry *entry,
 			   __be32 **packet_id_ptr)
 {
-	sk_buff_data_t old_tail;
 	size_t size;
 	size_t data_len = 0, cap_len = 0;
+	int hlen = 0;
 	struct sk_buff *skb;
 	struct nlattr *nla;
 	struct nfqnl_msg_packet_hdr *pmsg;
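Review bot: nfqnl_zcopy() writes up to 1 + nr_frags entries into skb_shinfo(to)->frags[] (j starts at 1 when the head is attached as a page fragment), and nothing in the function itself bounds j by MAX_SKB_FRAGS. It stays in range only because the caller forces the copy path (hlen set) whenever skb_shinfo(entskb)->nr_frags >= MAX_SKB_FRAGS; that non-local invariant deserves a comment above the loop, or a WARN_ON_ONCE(j > MAX_SKB_FRAGS) so a future caller cannot overrun the array. Two smaller points: the direct `skb_shinfo(to)->frags[j].size` accesses should go through skb_frag_size()/skb_frag_size_set() like the rest of the networking code, and `to->truesize += len + plen` understates the memory pinned, since each referenced page is held whole regardless of how many of its bytes are used.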
@@ -246,8 +291,10 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 #endif
 		+ nla_total_size(sizeof(u_int32_t))	/* mark */
 		+ nla_total_size(sizeof(struct nfqnl_msg_packet_hw))
-		+ nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp)
-		+ nla_total_size(sizeof(u_int32_t)));	/* cap_len */
+		+ nla_total_size(sizeof(u_int32_t));	/* cap_len */
+
+	if (entskb->tstamp.tv64)
+		size += nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp));
 
 	outdev = entry->outdev;
 
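Review bot: besides making the timestamp attribute conditional, this hunk quietly fixes a misplaced parenthesis: the old `nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp) + nla_total_size(sizeof(u_int32_t)))` nested the cap_len term inside the timestamp term. It happened to evaluate to the same 28 bytes as the intended sum only because of NLA alignment, so the cleanup is worth a line in the commit message. The new `if (entskb->tstamp.tv64)` test must also match the condition that later decides whether NFQA_TIMESTAMP is emitted (not visible in this hunk); if the two ever diverge, the size estimate and the message disagree again.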
@@ -265,7 +312,16 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 		if (data_len == 0 || data_len > entskb->len)
 			data_len = entskb->len;
 
-		size += nla_total_size(data_len);
+
+		if (!entskb->head_frag ||
+		    skb_headlen(entskb) < L1_CACHE_BYTES ||
+		    skb_shinfo(entskb)->nr_frags >= MAX_SKB_FRAGS)
+			hlen = skb_headlen(entskb);
+
+		if (skb_has_frag_list(entskb))
+			hlen = entskb->len;
+		hlen = min_t(int, data_len, hlen);
+		size += sizeof(struct nlattr) + hlen;
 		cap_len = entskb->len;
 		break;
 	}
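Review bot: the empty `+` line that replaces `size += nla_total_size(data_len);` sits next to the existing blank context line, leaving two blank lines before the head_frag test; drop it. The hlen logic is correct but dense enough to merit a comment: hlen is the number of bytes copied by hand into the netlink skb, forced to the whole linear part when the head is not page-backed, is shorter than a cache line, or the frags array is already full, and to the whole packet when a frag_list is present, because nfqnl_zcopy() does not walk frag lists.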
@@ -277,7 +333,6 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 	if (!skb)
 		return NULL;
 
-	old_tail = skb->tail;
 	nlh = nlmsg_put(skb, 0, 0,
 			NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
 			sizeof(struct nfgenmsg), 0);
@@ -382,31 +437,26 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
 			goto nla_put_failure;
 	}
 
+	if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0)
+		goto nla_put_failure;
+
+	if (cap_len > 0 && nla_put_be32(skb, NFQA_CAP_LEN, htonl(cap_len)))
+		goto nla_put_failure;
+
 	if (data_len) {
 		struct nlattr *nla;
-		int sz = nla_attr_size(data_len);
 
-		if (skb_tailroom(skb) < nla_total_size(data_len)) {
-			printk(KERN_WARNING "nf_queue: no tailroom!\n");
-			kfree_skb(skb);
-			return NULL;
-		}
+		if (skb_tailroom(skb) < sizeof(*nla) + hlen)
+			goto nla_put_failure;
 
-		nla = (struct nlattr *)skb_put(skb, nla_total_size(data_len));
+		nla = (struct nlattr *)skb_put(skb, sizeof(*nla));
 		nla->nla_type = NFQA_PAYLOAD;
-		nla->nla_len = sz;
+		nla->nla_len = nla_attr_size(data_len);
 
-		if (skb_copy_bits(entskb, 0, nla_data(nla), data_len))
-			BUG();
+		nfqnl_zcopy(skb, entskb, data_len, hlen);
 	}
 
-	if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0)
-		goto nla_put_failure;
-
-	if (cap_len > 0 && nla_put_be32(skb, NFQA_CAP_LEN, htonl(cap_len)))
-		goto nla_put_failure;
-
-	nlh->nlmsg_len = skb->tail - old_tail;
+	nlh->nlmsg_len = skb->len;
 	return skb;
 
 nla_put_failure:
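Review bot: NFQA_PAYLOAD now has to be the last attribute in the message, because nfqnl_zcopy() appends the payload as page fragments with no NLA padding after it and `nlh->nlmsg_len = skb->len` counts whatever follows; moving the NFQA_CT and NFQA_CAP_LEN puts above the payload in this hunk is what makes that hold. Please add a comment at the `if (data_len)` block saying so, so that a future attribute is not appended after it. Also note that `nla->nla_len = nla_attr_size(data_len)` describes the full payload while only sizeof(*nla) bytes are put into the linear area; that is intentional here but surprising to readers used to nla_put(), and a comment would help. The old printk/BUG() path becoming `goto nla_put_failure` is the right call, since running out of room is an ordinary error, not a kernel bug.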
-- 
1.7.10.4



* [PATCH 11/12] netfilter: nf_conntrack: add include to fix sparse warning
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: stephen hemminger <stephen@networkplumber.org>

Include the header file to pick up the prototype of nf_nat_seq_adjust_hook.

Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_core.c |    1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index c8e001a..1068deb 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -48,6 +48,7 @@
 #include <net/netfilter/nf_conntrack_labels.h>
 #include <net/netfilter/nf_nat.h>
 #include <net/netfilter/nf_nat_core.h>
+#include <net/netfilter/nf_nat_helper.h>
 
 #define NF_CONNTRACK_VERSION	"0.5.0"
 
-- 
1.7.10.4


* [PATCH 12/12] netfilter: nf_conntrack: speed up module removal path if netns in use
From: pablo @ 2013-03-25 12:15 UTC
  To: netfilter-devel; +Cc: davem, netdev

From: Vladimir Davydov <VDavydov@parallels.com>

The patch introduces nf_conntrack_cleanup_net_list(), which cleans up
nf_conntrack for a list of netns and calls synchronize_net() only once
for them all. This should reduce netns destruction time.

I've measured cleanup time for 1k dummy net ns. Here are the results:

 <without the patch>
 # modprobe nf_conntrack
 # time modprobe -r nf_conntrack

 real	0m10.337s
 user	0m0.000s
 sys	0m0.376s

 <with the patch>
 # modprobe nf_conntrack
 # time modprobe -r nf_conntrack

 real    0m5.661s
 user    0m0.000s
 sys     0m0.216s

Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
Cc: Patrick McHardy <kaber@trash.net>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Acked-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_conntrack_core.h |    1 +
 net/netfilter/nf_conntrack_core.c         |   46 ++++++++++++++++++++---------
 net/netfilter/nf_conntrack_standalone.c   |   16 ++++++----
 3 files changed, 43 insertions(+), 20 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 930275fa..fb2b623 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -27,6 +27,7 @@ extern unsigned int nf_conntrack_in(struct net *net,
 
 extern int nf_conntrack_init_net(struct net *net);
 extern void nf_conntrack_cleanup_net(struct net *net);
+extern void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list);
 
 extern int nf_conntrack_proto_pernet_init(struct net *net);
 extern void nf_conntrack_proto_pernet_fini(struct net *net);
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 1068deb..007e8c4 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1365,30 +1365,48 @@ void nf_conntrack_cleanup_end(void)
  */
 void nf_conntrack_cleanup_net(struct net *net)
 {
+	LIST_HEAD(single);
+
+	list_add(&net->exit_list, &single);
+	nf_conntrack_cleanup_net_list(&single);
+}
+
+void nf_conntrack_cleanup_net_list(struct list_head *net_exit_list)
+{
+	int busy;
+	struct net *net;
+
 	/*
 	 * This makes sure all current packets have passed through
 	 *  netfilter framework.  Roll on, two-stage module
 	 *  delete...
 	 */
 	synchronize_net();
- i_see_dead_people:
-	nf_ct_iterate_cleanup(net, kill_all, NULL);
-	nf_ct_release_dying_list(net);
-	if (atomic_read(&net->ct.count) != 0) {
+i_see_dead_people:
+	busy = 0;
+	list_for_each_entry(net, net_exit_list, exit_list) {
+		nf_ct_iterate_cleanup(net, kill_all, NULL);
+		nf_ct_release_dying_list(net);
+		if (atomic_read(&net->ct.count) != 0)
+			busy = 1;
+	}
+	if (busy) {
 		schedule();
 		goto i_see_dead_people;
 	}
 
-	nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
-	nf_conntrack_proto_pernet_fini(net);
-	nf_conntrack_helper_pernet_fini(net);
-	nf_conntrack_ecache_pernet_fini(net);
-	nf_conntrack_tstamp_pernet_fini(net);
-	nf_conntrack_acct_pernet_fini(net);
-	nf_conntrack_expect_pernet_fini(net);
-	kmem_cache_destroy(net->ct.nf_conntrack_cachep);
-	kfree(net->ct.slabname);
-	free_percpu(net->ct.stat);
+	list_for_each_entry(net, net_exit_list, exit_list) {
+		nf_ct_free_hashtable(net->ct.hash, net->ct.htable_size);
+		nf_conntrack_proto_pernet_fini(net);
+		nf_conntrack_helper_pernet_fini(net);
+		nf_conntrack_ecache_pernet_fini(net);
+		nf_conntrack_tstamp_pernet_fini(net);
+		nf_conntrack_acct_pernet_fini(net);
+		nf_conntrack_expect_pernet_fini(net);
+		kmem_cache_destroy(net->ct.nf_conntrack_cachep);
+		kfree(net->ct.slabname);
+		free_percpu(net->ct.stat);
+	}
 }
 
 void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls)
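Review bot: `nf_conntrack_cleanup_net()` now builds its one-element list with `list_add(&net->exit_list, &single)`, borrowing a field that belongs to the netns core's batched exit path; that is only safe if no caller of the single-net variant can run while the namespace is already queued on a batched exit list, and the assumption should be spelled out in a comment next to `LIST_HEAD(single);`. Second, each trip through `i_see_dead_people` reruns `nf_ct_iterate_cleanup(net, kill_all, NULL)` and `nf_ct_release_dying_list(net)` for every namespace in the list, including those whose `net->ct.count` already reached zero on an earlier pass; with a long list and a single straggler that repeats a full hash-table walk per namespace per retry. Skipping entries whose count is already zero would keep the retry cost proportional to the namespaces that are actually still busy.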
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 6bcce40..6c69fbd 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -545,16 +545,20 @@ out_init:
 	return ret;
 }
 
-static void nf_conntrack_pernet_exit(struct net *net)
+static void nf_conntrack_pernet_exit(struct list_head *net_exit_list)
 {
-	nf_conntrack_standalone_fini_sysctl(net);
-	nf_conntrack_standalone_fini_proc(net);
-	nf_conntrack_cleanup_net(net);
+	struct net *net;
+
+	list_for_each_entry(net, net_exit_list, exit_list) {
+		nf_conntrack_standalone_fini_sysctl(net);
+		nf_conntrack_standalone_fini_proc(net);
+	}
+	nf_conntrack_cleanup_net_list(net_exit_list);
 }
 
 static struct pernet_operations nf_conntrack_net_ops = {
-	.init = nf_conntrack_pernet_init,
-	.exit = nf_conntrack_pernet_exit,
+	.init		= nf_conntrack_pernet_init,
+	.exit_batch	= nf_conntrack_pernet_exit,
 };
 
 static int __init nf_conntrack_standalone_init(void)
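Review bot: moving from `.exit = nf_conntrack_pernet_exit` to `.exit_batch` changes what the posted numbers measure: `time modprobe -r nf_conntrack` exercises the unregister path, where every live namespace is handed to the batch callback at once, whereas the "netns destruction time" the description promises to reduce is the teardown of namespaces being deleted, which the netns core runs from its cleanup work. A timing for that path, or a note that only module removal was measured, would support the claim. Minor: the callback keeps the name `nf_conntrack_pernet_exit` although it now takes a `struct list_head *`; a name ending in `_exit_batch` would match its new signature and the field it is assigned to.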
-- 
1.7.10.4
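
The measurement above is worth repeating on one's own kernel, since slow namespace teardown matters on hosts that create and destroy many namespaces. The script below is an added example, not part of the patch or of the kernel tree: it creates N empty namespaces, loads nf_conntrack and times its removal in the same way the commit message does, and converts figures in the `time` builtin's format into milliseconds so posted numbers can be compared with local ones. Running the benchmark assumes root, iproute2 (`ip netns`), a Linux `/proc/uptime` and nf_conntrack built as a module; the namespace name prefix `ctbench` is a made-up choice. The helpers run without any of that.

```shell
#!/bin/sh
# Added example (not part of the patch or of the kernel tree): reproduce the
# measurement from the commit message on your own kernel. It creates N empty
# network namespaces, loads nf_conntrack and times its removal, which walks
# every live namespace through the module's pernet exit path. Running the
# benchmark itself assumes root, iproute2 (`ip netns`) and nf_conntrack built
# as a module; the parsing and arithmetic helpers run anywhere.

# Strip leading zeros so that "080" is not read as octal by $(( )).
dec() {
    v=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s\n' "${v:-0}"
}

# Convert a duration in the format printed by the shell's `time` builtin
# ("0m10.337s", "1m2.5s", "0m5s") into integer milliseconds, so figures
# copied from a mail can be compared with our own.
time_to_ms() {
    mins=${1%%m*}
    secs=${1#*m}
    secs=${secs%s}
    whole=${secs%%.*}
    frac=${secs#*.}
    if [ "$frac" = "$secs" ]; then
        frac=0                                  # no fractional part given
    fi
    frac=$(printf '%s000' "$frac" | cut -c1-3)  # normalise to 3 digits
    m=$(dec "$mins"); s=$(dec "$whole"); f=$(dec "$frac")
    echo $(( m * 60000 + s * 1000 + f ))
}

# Integer percentage by which $2 is smaller than $1.
reduction_pct() {
    echo $(( ($1 - $2) * 100 / $1 ))
}

# Milliseconds since boot, from /proc/uptime (two decimals), so the
# measurement does not depend on the shell providing a `time` builtin.
now_ms() {
    read up _ < /proc/uptime
    echo $(( ${up%.*} * 1000 + $(dec "${up#*.}") * 10 ))
}

# Create N empty namespaces, then time the module removal. This is the
# synchronous path: unregistering the pernet ops hands every live namespace
# to the exit callback before modprobe returns. Deleting the namespaces with
# `ip netns del` is NOT timed here, because the kernel frees them later from
# a work item, so a timed loop would only measure the unmounts.
run_benchmark() {
    n=${1:-1000}
    if [ "$(id -u)" -ne 0 ]; then
        echo "run_benchmark: needs root" >&2
        return 1
    fi
    i=0
    while [ "$i" -lt "$n" ]; do
        ip netns add "ctbench$i" || return 1   # "ctbench" prefix is our choice
        i=$((i + 1))
    done
    modprobe nf_conntrack || return 1
    t0=$(now_ms)
    modprobe -r nf_conntrack || return 1
    t1=$(now_ms)
    echo "modprobe -r nf_conntrack with $n namespaces: $((t1 - t0)) ms"
    i=0
    while [ "$i" -lt "$n" ]; do
        ip netns del "ctbench$i"
        i=$((i + 1))
    done
}

# The two figures posted in the commit message, for comparison.
before=$(time_to_ms 0m10.337s)
after=$(time_to_ms 0m5.661s)
echo "posted: $before ms -> $after ms, $(reduction_pct "$before" "$after")% less"
# run_benchmark 1000    # as root, to reproduce on the running kernel
```

Compare the number printed by `run_benchmark` with and without the patch applied; the namespaces are recreated from scratch on each run, so the only thing that changes between runs is the kernel.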


* Re: [PATCH 00/12] Netfilter updates for net-next
  2013-03-25 12:15 [PATCH 00/12] Netfilter updates for net-next pablo
  2013-03-25 12:15 ` [PATCH 12/12] netfilter: nf_conntrack: speed up module removal path if netns in use pablo
@ 2013-03-25 16:13 ` David Miller
From: David Miller @ 2013-03-25 16:13 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: pablo@netfilter.org
Date: Mon, 25 Mar 2013 13:15:40 +0100

> The following patchset contains Netfilter/IPVS updates for
> your net-next tree, they are:
 ...
> You can pull these changes from:
> 
> git://1984.lsi.us.es/nf-next master

Pulled, thanks a lot Pablo.


* Re: [PATCH 00/12] Netfilter updates for net-next
  2019-05-05 23:32 Pablo Neira Ayuso
@ 2019-05-06  4:35 ` David Miller
From: David Miller @ 2019-05-06  4:35 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon,  6 May 2019 01:32:53 +0200

> The following batch contains Netfilter updates for net-next, they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Pulled, thanks.


* [PATCH 00/12] Netfilter updates for net-next
@ 2019-05-05 23:32 Pablo Neira Ayuso
  2019-05-06  4:35 ` David Miller
From: Pablo Neira Ayuso @ 2019-05-05 23:32 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following batch contains Netfilter updates for net-next, they are:

1) Move nft_expr_clone() to nft_dynset, from Paul Gortmaker.

2) Do not include module.h from net/netfilter/nf_tables.h,
   also from Paul.

3) Restrict conntrack sysctl entries to boolean, from Tonghao Zhang.

4) Several patches to add infrastructure to autoload NAT helper
   modules from their respective conntrack helper, this also includes
   the first client of this code in OVS, patches from Flavio Leitner.

5) Add support to match for conntrack ID, from Brett Mastbergen.

6) Spelling fix in connlabel, from Colin Ian King.

7) Use struct_size() from hashlimit, from Gustavo A. R. Silva.

8) Add optimized version of nf_inet_addr_mask(), from Li RongQing.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!

----------------------------------------------------------------

The following changes since commit 7a1d8390d015a13c42b1effa1f22fda0858fe6f9:

  net: phy: micrel: make sure the factory test bit is cleared (2019-04-29 23:17:21 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to 522e4077e8dcdfc5b8e96469d3bc2324bc5d6466:

  netfilter: slightly optimize nf_inet_addr_mask (2019-05-06 01:18:58 +0200)

----------------------------------------------------------------
Brett Mastbergen (1):
      netfilter: nft_ct: Add ct id support

Colin Ian King (1):
      netfilter: connlabels: fix spelling mistake "trackling" -> "tracking"

Flavio Leitner (4):
      netfilter: use macros to create module aliases.
      netfilter: add API to manage NAT helpers.
      netfilter: nf_nat: register NAT helpers.
      openvswitch: load and reference the NAT helper.

Gustavo A. R. Silva (1):
      netfilter: xt_hashlimit: use struct_size() helper

Li RongQing (1):
      netfilter: slightly optimize nf_inet_addr_mask

Paul Gortmaker (3):
      netfilter: nf_tables: relocate header content to consumer
      netfilter: nf_tables: fix implicit include of module.h
      netfilter: nf_tables: drop include of module.h from nf_tables.h

Tonghao Zhang (1):
      netfilter: conntrack: limit sysctl setting for boolean options

 include/linux/netfilter.h                   |  9 +++
 include/net/netfilter/nf_conntrack_helper.h | 24 ++++++++
 include/net/netfilter/nf_tables.h           | 20 +------
 include/net/netns/conntrack.h               |  6 +-
 include/uapi/linux/netfilter/nf_tables.h    |  2 +
 net/ipv4/netfilter/nf_nat_h323.c            |  2 +-
 net/ipv4/netfilter/nf_nat_pptp.c            |  2 +-
 net/netfilter/nf_conntrack_amanda.c         |  8 ++-
 net/netfilter/nf_conntrack_ftp.c            | 18 +++---
 net/netfilter/nf_conntrack_helper.c         | 86 +++++++++++++++++++++++++++++
 net/netfilter/nf_conntrack_irc.c            |  6 +-
 net/netfilter/nf_conntrack_sane.c           | 12 ++--
 net/netfilter/nf_conntrack_sip.c            | 28 +++++-----
 net/netfilter/nf_conntrack_standalone.c     | 48 +++++++++++-----
 net/netfilter/nf_conntrack_tftp.c           | 18 +++---
 net/netfilter/nf_nat_amanda.c               |  9 ++-
 net/netfilter/nf_nat_ftp.c                  |  9 ++-
 net/netfilter/nf_nat_irc.c                  |  9 ++-
 net/netfilter/nf_nat_sip.c                  |  9 ++-
 net/netfilter/nf_nat_tftp.c                 |  9 ++-
 net/netfilter/nf_tables_set_core.c          |  1 +
 net/netfilter/nft_ct.c                      |  8 +++
 net/netfilter/nft_dynset.c                  | 17 ++++++
 net/netfilter/xt_connlabel.c                |  2 +-
 net/netfilter/xt_hashlimit.c                |  3 +-
 net/openvswitch/conntrack.c                 | 26 +++++++--
 26 files changed, 302 insertions(+), 89 deletions(-)


* Re: [PATCH 00/12] Netfilter updates for net-next
  2016-11-01 21:26 Pablo Neira Ayuso
@ 2016-11-02 18:59 ` David Miller
From: David Miller @ 2016-11-02 18:59 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue,  1 Nov 2016 22:26:21 +0100

> The following patchset contains Netfilter updates for your net-next
> tree. This includes better integration with the routing subsystem for
> nf_tables, explicit notrack support and smaller updates. More
> specifically, they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

The nft fib module looks really cool.

Pulled, thanks Pablo.


* [PATCH 00/12] Netfilter updates for net-next
@ 2016-11-01 21:26 Pablo Neira Ayuso
  2016-11-02 18:59 ` David Miller
From: Pablo Neira Ayuso @ 2016-11-01 21:26 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter updates for your net-next
tree. This includes better integration with the routing subsystem for
nf_tables, explicit notrack support and smaller updates. More
specifically, they are:

1) Add fib lookup expression for nf_tables, from Florian Westphal. This
   new expression provides a native replacement for iptables addrtype
   and rp_filter matches. This is more flexible though, since we can
   populate the kernel flowi representation to inquire fib to
   accommodate new use cases, such as RTBH through skb mark.

2) Introduce rt expression for nf_tables, from Anders K. Pedersen. This
   new expression allows you to access skbuff route metadata, more
   specifically nexthop and classid fields.

3) Add notrack support for nf_tables, to skip conntracking, requested by
   many users already.

4) Add boilerplate code to allow to use nf_log infrastructure from
   nf_tables ingress.

5) Allow to mangle pkttype from nf_tables prerouting chain, to emulate
   the xtables cluster match, from Liping Zhang.

6) Move socket lookup code into generic nf_socket_* infrastructure so
   we can provide a native replacement for the xtables socket match.

7) Make sure nfnetlink_queue data that is updated on every packet is
   placed in a different cache from read-only data, from Florian Westphal.

8) Handle NF_STOLEN from nf_tables core, also from Florian Westphal.

9) Start round robin number generation in nft_numgen from zero,
   instead of n-1, for consistency with xtables statistics match,
   patch from Liping Zhang.

10) Set GFP_NOWARN flag in skbuff netlink allocations in nfnetlink_log,
    given we retry with a smaller allocation on failure, from Calvin Owens.

11) Cleanup xt_multiport to use switch(), from Gao feng.

12) Remove superfluous check in nft_immediate and nft_cmp, from
    Liping Zhang.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!

----------------------------------------------------------------

The following changes since commit 432490f9d455fb842d70219f22d9d2c812371676:

  net: ip, diag -- Add diag interface for raw sockets (2016-10-23 19:35:24 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to 886bc50348fd69972baa4616ce95b7dc9ff8afe7:

  netfilter: nf_queue: place volatile data in own cacheline (2016-11-01 20:50:33 +0100)

----------------------------------------------------------------
Anders K. Pedersen (1):
      netfilter: nf_tables: introduce routing expression

Calvin Owens (1):
      netfilter: nfnetlink_log: Use GFP_NOWARN for skb allocation

Florian Westphal (3):
      netfilter: nf_tables: allow expressions to return STOLEN
      netfilter: nf_tables: add fib expression
      netfilter: nf_queue: place volatile data in own cacheline

Gao Feng (1):
      netfilter: xt_multiport: Use switch case instead of multiple condition checks

Liping Zhang (3):
      netfilter: nft_numgen: start round robin from zero
      netfilter: nft_meta: permit pkttype mangling in ip/ip6 prerouting
      netfilter: nf_tables: remove useless U8_MAX validation

Pablo Neira Ayuso (3):
      netfilter: nft_ct: add notrack support
      netfilter: nf_log: add packet logging for netdev family
      netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c

 include/net/netfilter/nf_log.h           |   5 +
 include/net/netfilter/nf_socket.h        |  27 +++
 include/net/netfilter/nft_fib.h          |  31 ++++
 include/uapi/linux/netfilter/nf_tables.h |  63 +++++++
 net/bridge/netfilter/Kconfig             |   1 +
 net/bridge/netfilter/nf_log_bridge.c     |  16 +-
 net/ipv4/netfilter/Kconfig               |  14 ++
 net/ipv4/netfilter/Makefile              |   3 +
 net/ipv4/netfilter/nf_socket_ipv4.c      | 163 +++++++++++++++++
 net/ipv4/netfilter/nft_fib_ipv4.c        | 238 ++++++++++++++++++++++++
 net/ipv6/netfilter/Kconfig               |  14 ++
 net/ipv6/netfilter/Makefile              |   3 +
 net/ipv6/netfilter/nf_socket_ipv6.c      | 151 +++++++++++++++
 net/ipv6/netfilter/nft_fib_ipv6.c        | 275 ++++++++++++++++++++++++++++
 net/netfilter/Kconfig                    |  26 ++-
 net/netfilter/Makefile                   |   6 +
 net/netfilter/nf_log_common.c            |  27 +++
 net/netfilter/nf_log_netdev.c            |  80 ++++++++
 net/netfilter/nf_tables_core.c           |   1 +
 net/netfilter/nfnetlink_log.c            |   2 +-
 net/netfilter/nfnetlink_queue.c          |   2 +-
 net/netfilter/nft_cmp.c                  |   3 -
 net/netfilter/nft_ct.c                   |  50 ++++-
 net/netfilter/nft_fib.c                  | 159 ++++++++++++++++
 net/netfilter/nft_fib_inet.c             |  82 +++++++++
 net/netfilter/nft_immediate.c            |   3 -
 net/netfilter/nft_meta.c                 |   5 +
 net/netfilter/nft_numgen.c               |   2 +-
 net/netfilter/nft_rt.c                   | 153 ++++++++++++++++
 net/netfilter/xt_multiport.c             |  40 ++--
 net/netfilter/xt_socket.c                | 305 +------------------------------
 31 files changed, 1610 insertions(+), 340 deletions(-)
 create mode 100644 include/net/netfilter/nf_socket.h
 create mode 100644 include/net/netfilter/nft_fib.h
 create mode 100644 net/ipv4/netfilter/nf_socket_ipv4.c
 create mode 100644 net/ipv4/netfilter/nft_fib_ipv4.c
 create mode 100644 net/ipv6/netfilter/nf_socket_ipv6.c
 create mode 100644 net/ipv6/netfilter/nft_fib_ipv6.c
 create mode 100644 net/netfilter/nf_log_netdev.c
 create mode 100644 net/netfilter/nft_fib.c
 create mode 100644 net/netfilter/nft_fib_inet.c
 create mode 100644 net/netfilter/nft_rt.c


* Re: [PATCH 00/12] Netfilter updates for net-next
  2015-06-19 17:17 Pablo Neira Ayuso
@ 2015-06-20 22:40 ` David Miller
From: David Miller @ 2015-06-20 22:40 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 19 Jun 2015 19:17:37 +0200

> The following patchset contains a final Netfilter pull request for net-next
> 4.2. This mostly addresses some fallout from the previous pull request, small
> netns updates and a couple of new features for nfnetlink_log and the socket
> match that didn't get in time for the previous pull request. More specifically
> they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Pulled, thanks a lot Pablo.


* [PATCH 00/12] Netfilter updates for net-next
@ 2015-06-19 17:17 Pablo Neira Ayuso
  2015-06-20 22:40 ` David Miller
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains a final Netfilter pull request for net-next
4.2. This mostly addresses some fallout from the previous pull request, small
netns updates and a couple of new features for nfnetlink_log and the socket
match that didn't get in time for the previous pull request. More specifically
they are:

1) Add security context information to nfnetlink_queue, from Roman Kubiak.

2) Add support to restore the sk_mark into skb->mark through xt_socket,
   from Harout Hedeshian.

3) Force alignment of 16 bytes of per cpu xt_counters, from Eric Dumazet.

4) Rename br_netfilter.c to br_netfilter_hooks.c to prepare split of IPv6 code
   into a separated file.

5) Move the IPv6 code in br_netfilter into a separated file.

6) Remove unused RCV_SKB_FAIL() in nfnetlink_queue and nfnetlink_log, from Eric
   Biederman.

7) Two liner to simplify netns logic in em_ipset_match().

8) Add missing includes to net/net_namespace.h to avoid compilation problems
   that result from not including linux/netfilter.h in netns headers.

9) Use a forward declaration instead of including linux/proc_fs.h from
   netns/netfilter.h

10) Add a new linux/netfilter_defs.h to replace the linux/netfilter.h inclusion
    in netns headers.

11) Remove spurious netfilter.h file included in the net tree, also from Eric
    Biederman.

12) Fix x_tables compilation warnings on 32 bits platforms that resulted from
    recent changes in x_tables counters, from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!

----------------------------------------------------------------

The following changes since commit 89d256bb69f2596c3a31ac51466eac9e1791c388:

  bpf: disallow bpf tc programs access current->pid,uid (2015-06-15 20:51:20 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to dcb8f5c8139ef945cdfd55900fae265c4dbefc02:

  netfilter: xtables: fix warnings on 32bit platforms (2015-06-18 21:14:33 +0200)

----------------------------------------------------------------
Eric Dumazet (1):
      netfilter: x_tables: align per cpu xt_counter

Eric W Biederman (1):
      netfilter: Remove spurios included of netfilter.h

Eric W. Biederman (2):
      netfilter: Kill unused copies of RCV_SKB_FAIL
      net: sched: Simplify em_ipset_match

Florian Westphal (1):
      netfilter: xtables: fix warnings on 32bit platforms

Harout Hedeshian (1):
      netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag

Pablo Neira Ayuso (5):
      netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c
      netfilter: bridge: split ipv6 code into separated file
      net: include missing headers in net/net_namespace.h
      netfilter: use forward declaration instead of including linux/proc_fs.h
      netfilter: don't pull include/linux/netfilter.h from netns headers

Roman Kubiak (1):
      netfilter: nfnetlink_queue: add security context information

 drivers/net/hamradio/bpqether.c                    |    1 -
 drivers/net/ppp/pptp.c                             |    2 -
 drivers/net/wan/lapbether.c                        |    1 -
 include/linux/netfilter.h                          |    6 +-
 include/linux/netfilter/x_tables.h                 |   14 +-
 include/linux/netfilter_defs.h                     |    9 +
 include/net/net_namespace.h                        |    2 +
 include/net/netfilter/br_netfilter.h               |   60 +++++
 include/net/netns/netfilter.h                      |    4 +-
 include/net/netns/x_tables.h                       |    2 +-
 include/uapi/linux/netfilter.h                     |    3 +-
 include/uapi/linux/netfilter/nfnetlink_queue.h     |    4 +-
 include/uapi/linux/netfilter/xt_socket.h           |    8 +
 net/ax25/af_ax25.c                                 |    1 -
 net/ax25/ax25_in.c                                 |    1 -
 net/ax25/ax25_ip.c                                 |    1 -
 net/ax25/ax25_out.c                                |    1 -
 net/ax25/ax25_uid.c                                |    1 -
 net/bridge/Makefile                                |    2 +
 .../{br_netfilter.c => br_netfilter_hooks.c}       |  248 +-------------------
 net/bridge/br_netfilter_ipv6.c                     |  245 +++++++++++++++++++
 net/ipv6/output_core.c                             |    1 +
 net/netfilter/nf_synproxy_core.c                   |    1 +
 net/netfilter/nfnetlink_log.c                      |    2 -
 net/netfilter/nfnetlink_queue_core.c               |   37 ++-
 net/netfilter/xt_socket.c                          |   59 ++++-
 net/netrom/nr_route.c                              |    1 -
 net/rose/rose_link.c                               |    1 -
 net/rose/rose_route.c                              |    1 -
 net/sched/em_ipset.c                               |    4 +-
 security/selinux/xfrm.c                            |    3 -
 31 files changed, 444 insertions(+), 282 deletions(-)
 create mode 100644 include/linux/netfilter_defs.h
 rename net/bridge/{br_netfilter.c => br_netfilter_hooks.c} (82%)
 create mode 100644 net/bridge/br_netfilter_ipv6.c


* Re: [PATCH 00/12] Netfilter updates for net-next
  2015-03-09 17:14 Pablo Neira Ayuso
@ 2015-03-09 19:59 ` David Miller
From: David Miller @ 2015-03-09 19:59 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon,  9 Mar 2015 18:14:23 +0100

> The following patchset contains Netfilter updates for your net-next
> tree. Basically, improvements for the packet rejection infrastructure,
> deprecation of CLUSTERIP, cleanups for nf_tables and some untangling for
> br_netfilter. More specifically they are:

Pulled, thanks.

> And I'd appreciate if you can pull net into net-next, Patrick has some
> pending changes that require patches already in your net tree.

I anticipate this happening after takes a 'net' pull request from me
this evening.


* [PATCH 00/12] Netfilter updates for net-next
@ 2015-03-09 17:14 Pablo Neira Ayuso
  2015-03-09 19:59 ` David Miller
From: Pablo Neira Ayuso @ 2015-03-09 17:14 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following patchset contains Netfilter updates for your net-next
tree. Basically, improvements for the packet rejection infrastructure,
deprecation of CLUSTERIP, cleanups for nf_tables and some untangling for
br_netfilter. More specifically they are:

1) Send packet to reset flow if checksum is valid, from Florian Westphal.

2) Fix nf_tables reject bridge from the input chain, also from Florian.

3) Deprecate the CLUSTERIP target; the cluster match supersedes it in
   functionality and it's known to have problems.

4) A couple of cleanups for nf_tables rule tracing infrastructure, from
   Patrick McHardy.

5) Another cleanup to place transaction declarations at the bottom of
   nf_tables.h, also from Patrick.

6) Consolidate Kconfig dependencies wrt. NF_TABLES.

7) Limit table names to 32 bytes in nf_tables.

8) mac header copying in bridge netfilter is already required when
   calling ip_fragment(), from Florian Westphal.

9) move nf_bridge_update_protocol() to br_netfilter.c, also from
   Florian.

10) Small refactor in br_netfilter in the transmission path, again from
    Florian.

11) Move br_nf_pre_routing_finish_bridge_slow() to br_netfilter.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

And I'd appreciate if you can pull net into net-next, Patrick has some
pending changes that require patches already in your net tree.

Thanks a lot!

----------------------------------------------------------------

The following changes since commit b898441f4ece44933af90b116b467f7864dd1ae7:

  Merge branch 'neigh_cleanups' (2015-03-02 16:43:46 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to e5de75bf88858f5b3ab11e2504b86ec059f03102:

  netfilter: bridge: move DNAT helper to br_netfilter (2015-03-09 17:56:07 +0100)

----------------------------------------------------------------
Florian Westphal (5):
      netfilter: reject: don't send icmp error if csum is invalid
      netfilter: bridge: rework reject handling
      bridge: move mac header copying into br_netfilter
      netfilter: bridge: move nf_bridge_update_protocol to where its used
      netfilter: bridge: refactor conditional in br_nf_dev_queue_xmit

Pablo Neira Ayuso (4):
      netfilter: ipt_CLUSTERIP: deprecate it in favour of xt_cluster
      netfilter: nf_tables: consolidate Kconfig options
      netfilter: nf_tables: limit maximum table name length to 32 bytes
      netfilter: bridge: move DNAT helper to br_netfilter

Patrick McHardy (3):
      netfilter: nf_tables: minor tracing cleanups
      netfilter: nf_tables: consolidate tracing invocations
      netfilter: nf_tables: cleanup nf_tables.h

 include/linux/netfilter_bridge.h         |   51 ---------
 include/net/netfilter/ipv4/nf_reject.h   |    6 +-
 include/net/netfilter/ipv6/nf_reject.h   |   11 +-
 include/net/netfilter/nf_tables.h        |  176 +++++++++++++++---------------
 include/net/netns/x_tables.h             |    1 +
 include/uapi/linux/netfilter/nf_tables.h |    1 +
 net/bridge/br_device.c                   |    5 +-
 net/bridge/br_forward.c                  |    4 +-
 net/bridge/br_netfilter.c                |   78 ++++++++++++-
 net/bridge/br_private.h                  |    5 +
 net/bridge/netfilter/nft_reject_bridge.c |   84 +++++++++++---
 net/ipv4/netfilter/Kconfig               |   38 ++++---
 net/ipv4/netfilter/ipt_CLUSTERIP.c       |    7 ++
 net/ipv4/netfilter/ipt_REJECT.c          |   17 +--
 net/ipv4/netfilter/nf_reject_ipv4.c      |   23 ++++
 net/ipv4/netfilter/nft_reject_ipv4.c     |    3 +-
 net/ipv6/netfilter/Kconfig               |   18 +--
 net/ipv6/netfilter/nf_reject_ipv6.c      |   35 ++++++
 net/netfilter/Kconfig                    |   20 +---
 net/netfilter/nf_tables_api.c            |    7 +-
 net/netfilter/nf_tables_core.c           |  105 +++++++++---------
 net/netfilter/nft_reject_inet.c          |    6 +-
 22 files changed, 412 insertions(+), 289 deletions(-)


* Re: [PATCH 00/12] Netfilter updates for net-next
  2014-12-03 12:55 [PATCH 00/12] Netfilter " Pablo Neira Ayuso
@ 2014-12-06  4:58 ` David Miller
From: David Miller @ 2014-12-06  4:58 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed,  3 Dec 2014 13:55:30 +0100

> The following batch contains netfilter updates for net-next. Basically,
> enhancements for xt_recent, skip zeroing of timer in conntrack, fix
> linking problem with recent redirect support for nf_tables, ipset
> updates and a couple of cleanups. More specifically, they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
> 
> Thanks!

Pulled, thanks a lot Pablo.


* [PATCH 00/12] Netfilter updates for net-next
@ 2014-12-03 12:55 Pablo Neira Ayuso
  2014-12-06  4:58 ` David Miller
From: Pablo Neira Ayuso @ 2014-12-03 12:55 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following batch contains netfilter updates for net-next. Basically,
enhancements for xt_recent, skip zeroing of timer in conntrack, fix
linking problem with recent redirect support for nf_tables, ipset
updates and a couple of cleanups. More specifically, they are:

1) Raise the maximum number per IP address to be remembered in xt_recent
   while retaining backward compatibility, from Florian Westphal.

2) Skip zeroing timer area in nf_conn objects, also from Florian.

3) Inspect IPv4 and IPv6 traffic from the bridge to allow filtering using
   meta l4proto and transport layer header, from Alvaro Neira.

4) Fix linking problems in the new redirect support when CONFIG_IPV6=n
   and IP6_NF_IPTABLES=n.

And ipset updates from Jozsef Kadlecsik:

5) Support updating element extensions when the set is full (fixes
   netfilter bugzilla id 880).

6) Fix set match with 32-bits userspace / 64-bits kernel.

7) Indicate explicitly when /0 networks are supported in ipset.

8) Simplify cidr handling for hash:*net* types.

9) Allocate the proper size of memory when /0 networks are supported.

10) Explicitly add padding elements to hash:net,net and hash:net,port,
    because the elements must be u32 sized for the used hash function.

Jozsef is also cooking the ipset RCU conversion, which should land soon if
it reaches the merge window in time.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!

----------------------------------------------------------------

The following changes since commit 3a611e26e958b0372d2e7600b87bbb4a84c7704b:

  net/smsc911x: Add minimal runtime PM support (2014-11-24 16:41:50 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to cac3763967362ace7996532ad3933f493a928a1b:

  netfilter: ipset: Explicitly add padding elements to hash:net, net and hash:net, port, net (2014-12-03 12:43:36 +0100)

----------------------------------------------------------------
Alvaro Neira (2):
      netfilter: nf_tables_bridge: export nft_reject_ip*hdr_validate functions
      netfilter: nf_tables_bridge: set the pktinfo for IPv4/IPv6 traffic

Florian Westphal (2):
      netfilter: xt_recent: relax ip_pkt_list_tot restrictions
      netfilter: conntrack: avoid zeroing timer

Jozsef Kadlecsik (6):
      netfilter: ipset: Support updating extensions when the set is full
      netfilter: ipset: Alignment problem between 64bit kernel 32bit userspace
      netfilter: ipset: Indicate when /0 networks are supported
      netfilter: ipset: Simplify cidr handling for hash:*net* types
      netfilter: ipset: Allocate the proper size of memory when /0 networks are supported
      netfilter: ipset: Explicitly add padding elements to hash:net, net and hash:net, port, net

Pablo Neira Ayuso (1):
      netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module

Steven Noonan (1):
      netfilter: nf_log_ipv6: correct typo in module description

 include/net/netfilter/ipv4/nf_nat_redirect.h       |    9 --
 include/net/netfilter/ipv6/nf_nat_redirect.h       |    8 --
 include/net/netfilter/nf_conntrack.h               |   15 +--
 include/net/netfilter/nf_nat_redirect.h            |   12 +++
 include/net/netfilter/nf_tables_bridge.h           |    7 ++
 include/uapi/linux/netfilter/ipset/ip_set.h        |    8 +-
 include/uapi/linux/netfilter/xt_set.h              |   13 ++-
 net/bridge/netfilter/nf_tables_bridge.c            |   88 ++++++++++++++++-
 net/bridge/netfilter/nft_reject_bridge.c           |   52 +---------
 net/ipv4/netfilter/Kconfig                         |    8 +-
 net/ipv4/netfilter/Makefile                        |    1 -
 net/ipv4/netfilter/nft_redir_ipv4.c                |    2 +-
 net/ipv6/netfilter/Kconfig                         |    8 +-
 net/ipv6/netfilter/Makefile                        |    1 -
 net/ipv6/netfilter/nf_log_ipv6.c                   |    2 +-
 net/ipv6/netfilter/nf_nat_redirect_ipv6.c          |   75 ---------------
 net/ipv6/netfilter/nft_redir_ipv6.c                |    2 +-
 net/netfilter/Kconfig                              |   10 +-
 net/netfilter/Makefile                             |    1 +
 net/netfilter/ipset/ip_set_hash_gen.h              |  101 +++++++++-----------
 net/netfilter/ipset/ip_set_hash_netiface.c         |    1 +
 net/netfilter/ipset/ip_set_hash_netnet.c           |    2 +
 net/netfilter/ipset/ip_set_hash_netportnet.c       |    2 +
 net/netfilter/nf_conntrack_core.c                  |   11 +--
 .../nf_nat_redirect.c}                             |   47 ++++++++-
 net/netfilter/xt_REDIRECT.c                        |    3 +-
 net/netfilter/xt_recent.c                          |   64 +++++++++----
 net/netfilter/xt_set.c                             |   73 +++++++++++++-
 28 files changed, 372 insertions(+), 254 deletions(-)
 delete mode 100644 include/net/netfilter/ipv4/nf_nat_redirect.h
 delete mode 100644 include/net/netfilter/ipv6/nf_nat_redirect.h
 create mode 100644 include/net/netfilter/nf_nat_redirect.h
 create mode 100644 include/net/netfilter/nf_tables_bridge.h
 delete mode 100644 net/ipv6/netfilter/nf_nat_redirect_ipv6.c
 rename net/{ipv4/netfilter/nf_nat_redirect_ipv4.c => netfilter/nf_nat_redirect.c} (67%)


* [PATCH 00/12] netfilter updates for net-next
@ 2014-01-05 23:12 Pablo Neira Ayuso
  0 siblings, 0 replies; 27+ messages in thread
From: Pablo Neira Ayuso @ 2014-01-05 23:12 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

[ forgot to attach the pull request to this email and cc netdev, resending ]

Hi David,

The following patchset contains Netfilter updates for your net-next tree,
they are:

* Add full port randomization support. Some crazy researchers found a way
  to reconstruct the secure ephemeral ports that are allocated in random mode
  by sending off-path bursts of UDP packets to overrun the socket buffer of
  the DNS resolver to trigger retransmissions; if the timing for the
  DNS resolution done by a client is then larger than usual, they conclude
  that the port that received the burst of UDP packets is the one that was
  opened. It seems a bit of an aggressive method to me, but it seems to work for
  them. As a result, Daniel Borkmann and Hannes Frederic Sowa came up with a
  new NAT mode to fully randomize ports using prandom.

* Add a new classifier to x_tables based on the socket net_cls set via
  cgroups. This includes two patches to prepare the field, as requested by
  Zefan Li. Also from Daniel Borkmann.

* Use prandom instead of get_random_bytes in several locations of the
  netfilter code, from Florian Westphal.

* Allow use of the CTA_MARK_MASK in ctnetlink when mangling the conntrack
  mark, also from Florian Westphal.

* Fix compilation warning due to unused variable in IPVS, from Geert
  Uytterhoeven.

* Add support for UID/GID via nfnetlink_queue, from Valentina Giusti.

* Add IPComp extension to x_tables, from Fan Du.

* Several patches to remove dead code, by Stephen Hemminger.

* Reorder netns structure for conntrack, based on original patch from Eric
  Dumazet, from Jesper D. Brouer.

You can pull these changes from:

 git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

Thanks!

----------------------------------------------------------------

The following changes since commit 68536053600425c24aba031c45f053d447eedd9c:

  ipv6: fix incorrect type in declaration (2013-12-12 16:14:09 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to 82a37132f300ea53bdcd812917af5a6329ec80c3:

  netfilter: x_tables: lightweight process control group matching (2014-01-03 23:41:44 +0100)

----------------------------------------------------------------
Daniel Borkmann (4):
      netfilter: nf_nat: add full port randomization support
      net: net_cls: move cgroupfs classid handling into core
      net: netprio: rename config to be more consistent with cgroup configs
      netfilter: x_tables: lightweight process control group matching

Eric Leblond (1):
      netfilter: xt_CT: fix error value in xt_ct_tg_check()

Florian Westphal (2):
      netfilter: avoid get_random_bytes calls
      netfilter: ctnetlink: honor CTA_MARK_MASK when setting ctmark

Geert Uytterhoeven (1):
      ipvs: Remove unused variable ret from sync_thread_master()

Jesper Dangaard Brouer (1):
      net: reorder struct netns_ct for better cache-line usage

Valentina Giusti (1):
      netfilter: nfnetlink_queue: enable UID/GID socket info retrieval

fan.du (1):
      netfilter: add IPv4/6 IPComp extension match support

stephen hemminger (2):
      netfilter: ipset: remove unused code
      netfilter: nf_conntrack: remove dead code

 Documentation/cgroups/net_cls.txt              |    5 +
 include/linux/cgroup_subsys.h                  |    4 +-
 include/linux/netdevice.h                      |    2 +-
 include/linux/netfilter/ipset/ip_set.h         |    1 -
 include/net/cls_cgroup.h                       |   40 +++-----
 include/net/netfilter/ipv4/nf_conntrack_ipv4.h |    2 -
 include/net/netfilter/nf_conntrack_l3proto.h   |    1 -
 include/net/netns/conntrack.h                  |   33 +++----
 include/net/netprio_cgroup.h                   |   18 ++--
 include/net/sock.h                             |    2 +-
 include/uapi/linux/netfilter/Kbuild            |    2 +
 include/uapi/linux/netfilter/nf_nat.h          |   12 ++-
 include/uapi/linux/netfilter/nfnetlink_queue.h |    5 +-
 include/uapi/linux/netfilter/xt_cgroup.h       |   11 +++
 include/uapi/linux/netfilter/xt_ipcomp.h       |   16 ++++
 net/Kconfig                                    |   11 ++-
 net/core/Makefile                              |    3 +-
 net/core/dev.c                                 |    2 +-
 net/core/netclassid_cgroup.c                   |  120 ++++++++++++++++++++++++
 net/core/sock.c                                |   14 +--
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |    6 --
 net/netfilter/Kconfig                          |   19 ++++
 net/netfilter/Makefile                         |    2 +
 net/netfilter/ipset/ip_set_core.c              |   28 ------
 net/netfilter/ipvs/ip_vs_sync.c                |    5 +-
 net/netfilter/nf_conntrack_core.c              |   15 ---
 net/netfilter/nf_conntrack_netlink.c           |   12 ++-
 net/netfilter/nf_conntrack_proto.c             |    6 --
 net/netfilter/nf_nat_core.c                    |    4 +-
 net/netfilter/nf_nat_proto_common.c            |   10 +-
 net/netfilter/nfnetlink_log.c                  |    8 --
 net/netfilter/nfnetlink_queue_core.c           |   34 +++++++
 net/netfilter/nft_hash.c                       |    2 +-
 net/netfilter/xt_CT.c                          |    4 +-
 net/netfilter/xt_RATEEST.c                     |    2 +-
 net/netfilter/xt_cgroup.c                      |   71 ++++++++++++++
 net/netfilter/xt_connlimit.c                   |    2 +-
 net/netfilter/xt_hashlimit.c                   |    2 +-
 net/netfilter/xt_ipcomp.c                      |  111 ++++++++++++++++++++++
 net/netfilter/xt_recent.c                      |    2 +-
 net/sched/Kconfig                              |    1 +
 net/sched/cls_cgroup.c                         |  111 +---------------------
 42 files changed, 487 insertions(+), 274 deletions(-)
 create mode 100644 include/uapi/linux/netfilter/xt_cgroup.h
 create mode 100644 include/uapi/linux/netfilter/xt_ipcomp.h
 create mode 100644 net/core/netclassid_cgroup.c
 create mode 100644 net/netfilter/xt_cgroup.c
 create mode 100644 net/netfilter/xt_ipcomp.c


* Re: [PATCH 00/12] netfilter updates for net-next
  2013-06-30 23:54 [PATCH 00/12] netfilter " Pablo Neira Ayuso
@ 2013-07-01  0:35 ` David Miller
  0 siblings, 0 replies; 27+ messages in thread
From: David Miller @ 2013-07-01  0:35 UTC (permalink / raw)
  To: pablo; +Cc: netfilter-devel, netdev

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon,  1 Jul 2013 01:54:29 +0200

> The following batch contains Netfilter/IPVS updates for net-next,
> they are:
 ...
> Please, consider pulling this batch from:
> 
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

Pulled, thanks Pablo!


* [PATCH 00/12] netfilter updates for net-next
@ 2013-06-30 23:54 Pablo Neira Ayuso
  2013-07-01  0:35 ` David Miller
  0 siblings, 1 reply; 27+ messages in thread
From: Pablo Neira Ayuso @ 2013-06-30 23:54 UTC (permalink / raw)
  To: netfilter-devel; +Cc: davem, netdev

Hi David,

The following batch contains Netfilter/IPVS updates for net-next,
they are:

* Enforce policy in several nfnetlink subsystems, from Daniel
  Borkmann.

* Use xt_socket to match the third packet (to perform simplistic
  socket-based stateful filtering), from Eric Dumazet.

* Avoid a large timeout for TCP flows picked up from the middle,
  from Florian Westphal.

* Exclude IPVS from struct net if IPVS is disabled, and remove an
  unnecessary included header file, from JunweiZhang.

* Release SCTP connection immediately under load, to mimic current
  TCP behaviour, from Julian Anastasov.

* Replace and enhance SCTP state machine, from Julian Anastasov.

* Add tweak to reduce sync traffic in the presence of persistence,
  also from Julian Anastasov.

* Add a tweak for the IPVS SH scheduler not to reject connections
  directed to a server but to choose a new one instead, from Alexander
  Frolkin.

* Add support for sloppy TCP and SCTP modes, which create state
  information on any packet, not only initial handshake packets,
  from Alexander Frolkin.

Please consider pulling this batch from:

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

Thanks!

----------------------------------------------------------------

The following changes since commit fedaf4ffc224a194e2d13a3ec2abe5df0bc94258:

  ndisc: Convert use of typedef ctl_table to struct ctl_table (2013-06-19 23:18:07 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to 496e4ae7dc944faa1721bfda7e9d834d5611a874:

  netfilter: nf_queue: add NFQA_SKB_CSUM_NOTVERIFIED info flag (2013-06-30 18:15:48 +0200)

----------------------------------------------------------------
Alexander Frolkin (2):
      ipvs: sloppy TCP and SCTP
      ipvs: SH fallback and L4 hashing

Daniel Borkmann (1):
      netfilter: check return code from nla_parse_tested

Eric Dumazet (1):
      netfilter: xt_socket: add XT_SOCKET_NOWILDCARD flag

Florian Westphal (2):
      netfilter: nf_conntrack: avoid large timeout for mid-stream pickup
      netfilter: nf_queue: add NFQA_SKB_CSUM_NOTVERIFIED info flag

Julian Anastasov (4):
      ipvs: provide iph to schedulers
      ipvs: replace the SCTP state machine
      ipvs: drop SCTP connections depending on state
      ipvs: add sync_persist_mode flag

JunweiZhang (2):
      kernel: remove unnecessary head file
      netns: exclude ipvs from struct net when IPVS disabled

 Documentation/networking/ipvs-sysctl.txt       |   13 +
 include/net/ip_vs.h                            |   84 ++-
 include/net/net_namespace.h                    |    2 +
 include/uapi/linux/ip_vs.h                     |    6 +
 include/uapi/linux/netfilter/nfnetlink_queue.h |    2 +
 include/uapi/linux/netfilter/xt_socket.h       |    7 +
 kernel/sysctl_binary.c                         |    1 -
 net/netfilter/ipvs/ip_vs_conn.c                |   12 +
 net/netfilter/ipvs/ip_vs_core.c                |    4 +-
 net/netfilter/ipvs/ip_vs_ctl.c                 |   21 +
 net/netfilter/ipvs/ip_vs_dh.c                  |   10 +-
 net/netfilter/ipvs/ip_vs_lblc.c                |   12 +-
 net/netfilter/ipvs/ip_vs_lblcr.c               |   12 +-
 net/netfilter/ipvs/ip_vs_lc.c                  |    3 +-
 net/netfilter/ipvs/ip_vs_nq.c                  |    3 +-
 net/netfilter/ipvs/ip_vs_proto_sctp.c          |  860 +++++-------------------
 net/netfilter/ipvs/ip_vs_proto_tcp.c           |   14 +-
 net/netfilter/ipvs/ip_vs_rr.c                  |    3 +-
 net/netfilter/ipvs/ip_vs_sed.c                 |    3 +-
 net/netfilter/ipvs/ip_vs_sh.c                  |  108 ++-
 net/netfilter/ipvs/ip_vs_sync.c                |   19 +-
 net/netfilter/ipvs/ip_vs_wlc.c                 |    3 +-
 net/netfilter/ipvs/ip_vs_wrr.c                 |    3 +-
 net/netfilter/nf_conntrack_netlink.c           |   30 +-
 net/netfilter/nf_conntrack_proto_tcp.c         |    6 +
 net/netfilter/nfnetlink_cthelper.c             |   16 +-
 net/netfilter/nfnetlink_cttimeout.c            |    6 +-
 net/netfilter/nfnetlink_queue_core.c           |   16 +-
 net/netfilter/xt_socket.c                      |   70 +-
 29 files changed, 529 insertions(+), 820 deletions(-)

