* [PATCH 01/12] netfilter: nfnetlink_queue: add security context information
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 02/12] netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag Pablo Neira Ayuso
` (11 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Roman Kubiak <r.kubiak@samsung.com>
This patch adds an additional attribute when sending
packet information via netlink in netfilter_queue module.
It will send additional security context data, so that
userspace applications can verify this context against
their own security databases.
Signed-off-by: Roman Kubiak <r.kubiak@samsung.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nfnetlink_queue.h | 4 ++-
net/netfilter/nfnetlink_queue_core.c | 35 +++++++++++++++++++++++-
2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index 8dd819e..b67a853 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -49,6 +49,7 @@ enum nfqnl_attr_type {
NFQA_EXP, /* nf_conntrack_netlink.h */
NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */
+ NFQA_SECCTX, /* security context string */
__NFQA_MAX
};
@@ -102,7 +103,8 @@ enum nfqnl_attr_config {
#define NFQA_CFG_F_CONNTRACK (1 << 1)
#define NFQA_CFG_F_GSO (1 << 2)
#define NFQA_CFG_F_UID_GID (1 << 3)
-#define NFQA_CFG_F_MAX (1 << 4)
+#define NFQA_CFG_F_SECCTX (1 << 4)
+#define NFQA_CFG_F_MAX (1 << 5)
/* flags for NFQA_SKB_INFO */
/* packet appears to have wrong checksums, but they are ok */
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 22a5ac7..6eccf0f 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -278,6 +278,23 @@ nla_put_failure:
return -1;
}
+static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
+{
+ u32 seclen = 0;
+#if IS_ENABLED(CONFIG_NETWORK_SECMARK)
+ if (!skb || !sk_fullsock(skb->sk))
+ return 0;
+
+ read_lock_bh(&skb->sk->sk_callback_lock);
+
+ if (skb->secmark)
+ security_secid_to_secctx(skb->secmark, secdata, &seclen);
+
+ read_unlock_bh(&skb->sk->sk_callback_lock);
+#endif
+ return seclen;
+}
+
static struct sk_buff *
nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
struct nf_queue_entry *entry,
@@ -297,6 +314,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
struct nf_conn *ct = NULL;
enum ip_conntrack_info uninitialized_var(ctinfo);
bool csum_verify;
+ char *secdata = NULL;
+ u32 seclen = 0;
size = nlmsg_total_size(sizeof(struct nfgenmsg))
+ nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
@@ -352,6 +371,12 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
+ nla_total_size(sizeof(u_int32_t))); /* gid */
}
+ if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
+ seclen = nfqnl_get_sk_secctx(entskb, &secdata);
+ if (seclen)
+ size += nla_total_size(seclen);
+ }
+
skb = nfnetlink_alloc_skb(net, size, queue->peer_portid,
GFP_ATOMIC);
if (!skb) {
@@ -479,6 +504,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
goto nla_put_failure;
+ if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
+ goto nla_put_failure;
+
if (ct && nfqnl_ct_put(skb, ct, ctinfo) < 0)
goto nla_put_failure;
@@ -1142,7 +1170,12 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
ret = -EOPNOTSUPP;
goto err_out_unlock;
}
-
+#if !IS_ENABLED(CONFIG_NETWORK_SECMARK)
+ if (flags & mask & NFQA_CFG_F_SECCTX) {
+ ret = -EOPNOTSUPP;
+ goto err_out_unlock;
+ }
+#endif
spin_lock_bh(&queue->lock);
queue->flags &= ~mask;
queue->flags |= flags & mask;
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 02/12] netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 01/12] netfilter: nfnetlink_queue: add security context information Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 03/12] netfilter: x_tables: align per cpu xt_counter Pablo Neira Ayuso
` (10 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Harout Hedeshian <harouth@codeaurora.org>
xt_socket is useful for matching sockets with IP_TRANSPARENT and
taking some action on the matching packets. However, it lacks the
ability to match only a small subset of transparent sockets.
Suppose there are 2 applications, each with its own set of transparent
sockets. The first application wants all matching packets dropped,
while the second application wants them forwarded somewhere else.
Add the ability to retore the skb->mark from the sk_mark. The mark
is only restored if a matching socket is found and the transparent /
nowildcard conditions are satisfied.
Now the 2 hypothetical applications can differentiate their sockets
based on a mark value set with SO_MARK.
iptables -t mangle -I PREROUTING -m socket --transparent \
--restore-skmark -j action
iptables -t mangle -A action -m mark --mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3
Signed-off-by: Harout Hedeshian <harouth@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/xt_socket.h | 8 ++++
net/netfilter/xt_socket.c | 59 +++++++++++++++++++++++++++---
2 files changed, 61 insertions(+), 6 deletions(-)
diff --git a/include/uapi/linux/netfilter/xt_socket.h b/include/uapi/linux/netfilter/xt_socket.h
index 6315e2a..87644f8 100644
--- a/include/uapi/linux/netfilter/xt_socket.h
+++ b/include/uapi/linux/netfilter/xt_socket.h
@@ -6,6 +6,7 @@
enum {
XT_SOCKET_TRANSPARENT = 1 << 0,
XT_SOCKET_NOWILDCARD = 1 << 1,
+ XT_SOCKET_RESTORESKMARK = 1 << 2,
};
struct xt_socket_mtinfo1 {
@@ -18,4 +19,11 @@ struct xt_socket_mtinfo2 {
};
#define XT_SOCKET_FLAGS_V2 (XT_SOCKET_TRANSPARENT | XT_SOCKET_NOWILDCARD)
+struct xt_socket_mtinfo3 {
+ __u8 flags;
+};
+#define XT_SOCKET_FLAGS_V3 (XT_SOCKET_TRANSPARENT \
+ | XT_SOCKET_NOWILDCARD \
+ | XT_SOCKET_RESTORESKMARK)
+
#endif /* _XT_SOCKET_H */
diff --git a/net/netfilter/xt_socket.c b/net/netfilter/xt_socket.c
index e092cb0..43e26c8 100644
--- a/net/netfilter/xt_socket.c
+++ b/net/netfilter/xt_socket.c
@@ -205,6 +205,7 @@ static bool
socket_match(const struct sk_buff *skb, struct xt_action_param *par,
const struct xt_socket_mtinfo1 *info)
{
+ struct sk_buff *pskb = (struct sk_buff *)skb;
struct sock *sk = skb->sk;
if (!sk)
@@ -226,6 +227,10 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
if (info->flags & XT_SOCKET_TRANSPARENT)
transparent = xt_socket_sk_is_transparent(sk);
+ if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
+ transparent)
+ pskb->mark = sk->sk_mark;
+
if (sk != skb->sk)
sock_gen_put(sk);
@@ -247,7 +252,7 @@ socket_mt4_v0(const struct sk_buff *skb, struct xt_action_param *par)
}
static bool
-socket_mt4_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
+socket_mt4_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
{
return socket_match(skb, par, par->matchinfo);
}
@@ -371,9 +376,10 @@ static struct sock *xt_socket_lookup_slow_v6(const struct sk_buff *skb,
}
static bool
-socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
+socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
+ struct sk_buff *pskb = (struct sk_buff *)skb;
struct sock *sk = skb->sk;
if (!sk)
@@ -395,6 +401,10 @@ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
if (info->flags & XT_SOCKET_TRANSPARENT)
transparent = xt_socket_sk_is_transparent(sk);
+ if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
+ transparent)
+ pskb->mark = sk->sk_mark;
+
if (sk != skb->sk)
sock_gen_put(sk);
@@ -428,6 +438,19 @@ static int socket_mt_v2_check(const struct xt_mtchk_param *par)
return 0;
}
+static int socket_mt_v3_check(const struct xt_mtchk_param *par)
+{
+ const struct xt_socket_mtinfo3 *info =
+ (struct xt_socket_mtinfo3 *)par->matchinfo;
+
+ if (info->flags & ~XT_SOCKET_FLAGS_V3) {
+ pr_info("unknown flags 0x%x\n",
+ info->flags & ~XT_SOCKET_FLAGS_V3);
+ return -EINVAL;
+ }
+ return 0;
+}
+
static struct xt_match socket_mt_reg[] __read_mostly = {
{
.name = "socket",
@@ -442,7 +465,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.name = "socket",
.revision = 1,
.family = NFPROTO_IPV4,
- .match = socket_mt4_v1_v2,
+ .match = socket_mt4_v1_v2_v3,
.checkentry = socket_mt_v1_check,
.matchsize = sizeof(struct xt_socket_mtinfo1),
.hooks = (1 << NF_INET_PRE_ROUTING) |
@@ -454,7 +477,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.name = "socket",
.revision = 1,
.family = NFPROTO_IPV6,
- .match = socket_mt6_v1_v2,
+ .match = socket_mt6_v1_v2_v3,
.checkentry = socket_mt_v1_check,
.matchsize = sizeof(struct xt_socket_mtinfo1),
.hooks = (1 << NF_INET_PRE_ROUTING) |
@@ -466,7 +489,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.name = "socket",
.revision = 2,
.family = NFPROTO_IPV4,
- .match = socket_mt4_v1_v2,
+ .match = socket_mt4_v1_v2_v3,
.checkentry = socket_mt_v2_check,
.matchsize = sizeof(struct xt_socket_mtinfo1),
.hooks = (1 << NF_INET_PRE_ROUTING) |
@@ -478,7 +501,7 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.name = "socket",
.revision = 2,
.family = NFPROTO_IPV6,
- .match = socket_mt6_v1_v2,
+ .match = socket_mt6_v1_v2_v3,
.checkentry = socket_mt_v2_check,
.matchsize = sizeof(struct xt_socket_mtinfo1),
.hooks = (1 << NF_INET_PRE_ROUTING) |
@@ -486,6 +509,30 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.me = THIS_MODULE,
},
#endif
+ {
+ .name = "socket",
+ .revision = 3,
+ .family = NFPROTO_IPV4,
+ .match = socket_mt4_v1_v2_v3,
+ .checkentry = socket_mt_v3_check,
+ .matchsize = sizeof(struct xt_socket_mtinfo1),
+ .hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN),
+ .me = THIS_MODULE,
+ },
+#ifdef XT_SOCKET_HAVE_IPV6
+ {
+ .name = "socket",
+ .revision = 3,
+ .family = NFPROTO_IPV6,
+ .match = socket_mt6_v1_v2_v3,
+ .checkentry = socket_mt_v3_check,
+ .matchsize = sizeof(struct xt_socket_mtinfo1),
+ .hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN),
+ .me = THIS_MODULE,
+ },
+#endif
};
static int __init socket_mt_init(void)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 03/12] netfilter: x_tables: align per cpu xt_counter
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 01/12] netfilter: nfnetlink_queue: add security context information Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 02/12] netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-22 11:49 ` David Laight
2015-06-19 17:17 ` [PATCH 04/12] netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c Pablo Neira Ayuso
` (9 subsequent siblings)
12 siblings, 1 reply; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Eric Dumazet <edumazet@google.com>
Let's force a 16 bytes alignment on xt_counter percpu allocations,
so that bytes and packets sit in same cache line.
xt_counter being exported to user space, we cannot add __align(16) on
the structure itself.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/x_tables.h | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 95693c4..1c97a22 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -356,7 +356,8 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
* so nothing needs to be done there.
*
* xt_percpu_counter_alloc returns the address of the percpu
- * counter, or 0 on !SMP.
+ * counter, or 0 on !SMP. We force an alignment of 16 bytes
+ * so that bytes/packets share a common cache line.
*
* Hence caller must use IS_ERR_VALUE to check for error, this
* allows us to return 0 for single core systems without forcing
@@ -365,7 +366,8 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
static inline u64 xt_percpu_counter_alloc(void)
{
if (nr_cpu_ids > 1) {
- void __percpu *res = alloc_percpu(struct xt_counters);
+ void __percpu *res = __alloc_percpu(sizeof(struct xt_counters),
+ sizeof(struct xt_counters));
if (res == NULL)
return (u64) -ENOMEM;
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
^ permalink raw reply related [flat|nested] 29+ messages in thread
* RE: [PATCH 03/12] netfilter: x_tables: align per cpu xt_counter
2015-06-19 17:17 ` [PATCH 03/12] netfilter: x_tables: align per cpu xt_counter Pablo Neira Ayuso
@ 2015-06-22 11:49 ` David Laight
2015-06-22 13:27 ` Eric Dumazet
0 siblings, 1 reply; 29+ messages in thread
From: David Laight @ 2015-06-22 11:49 UTC (permalink / raw)
To: 'Pablo Neira Ayuso', netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso
> Sent: 19 June 2015 18:18
> From: Eric Dumazet <edumazet@google.com>
>
> Let's force a 16 bytes alignment on xt_counter percpu allocations,
> so that bytes and packets sit in same cache line.
>
> xt_counter being exported to user space, we cannot add __align(16) on
> the structure itself.
You could allocate a wrapper structure that contains xt_counter
and is itself marked __align(16).
David
^ permalink raw reply [flat|nested] 29+ messages in thread
* Re: [PATCH 03/12] netfilter: x_tables: align per cpu xt_counter
2015-06-22 11:49 ` David Laight
@ 2015-06-22 13:27 ` Eric Dumazet
0 siblings, 0 replies; 29+ messages in thread
From: Eric Dumazet @ 2015-06-22 13:27 UTC (permalink / raw)
To: David Laight; +Cc: 'Pablo Neira Ayuso', netfilter-devel, davem, netdev
On Mon, 2015-06-22 at 11:49 +0000, David Laight wrote:
> From: Pablo Neira Ayuso
> > Sent: 19 June 2015 18:18
> > From: Eric Dumazet <edumazet@google.com>
> >
> > Let's force a 16 bytes alignment on xt_counter percpu allocations,
> > so that bytes and packets sit in same cache line.
> >
> > xt_counter being exported to user space, we cannot add __align(16) on
> > the structure itself.
>
> You could allocate a wrapper structure that contains xt_counter
> and is itself marked __align(16).
Sure. I took one solution, out of multiple ones.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
^ permalink raw reply [flat|nested] 29+ messages in thread
* [PATCH 04/12] netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (2 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 03/12] netfilter: x_tables: align per cpu xt_counter Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 05/12] netfilter: bridge: split ipv6 code into separated file Pablo Neira Ayuso
` (8 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
To prepare separation of the IPv6 code into different file.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/bridge/Makefile | 1 +
net/bridge/{br_netfilter.c => br_netfilter_hooks.c} | 0
2 files changed, 1 insertion(+)
rename net/bridge/{br_netfilter.c => br_netfilter_hooks.c} (100%)
diff --git a/net/bridge/Makefile b/net/bridge/Makefile
index fd7ee03..c52577a 100644
--- a/net/bridge/Makefile
+++ b/net/bridge/Makefile
@@ -12,6 +12,7 @@ bridge-$(CONFIG_SYSFS) += br_sysfs_if.o br_sysfs_br.o
bridge-$(subst m,y,$(CONFIG_BRIDGE_NETFILTER)) += br_nf_core.o
+br_netfilter-y := br_netfilter_hooks.o
obj-$(CONFIG_BRIDGE_NETFILTER) += br_netfilter.o
bridge-$(CONFIG_BRIDGE_IGMP_SNOOPING) += br_multicast.o br_mdb.o
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter_hooks.c
similarity index 100%
rename from net/bridge/br_netfilter.c
rename to net/bridge/br_netfilter_hooks.c
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 05/12] netfilter: bridge: split ipv6 code into separated file
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (3 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 04/12] netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 06/12] netfilter: Kill unused copies of RCV_SKB_FAIL Pablo Neira Ayuso
` (7 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Resolve compilation breakage when CONFIG_IPV6 is not set by moving the IPv6
code into a separated br_netfilter_ipv6.c file.
Fixes: efb6de9b4ba0 ("netfilter: bridge: forward IPv6 fragmented packets")
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/br_netfilter.h | 60 ++++++++
net/bridge/Makefile | 1 +
net/bridge/br_netfilter_hooks.c | 248 ++--------------------------------
net/bridge/br_netfilter_ipv6.c | 245 +++++++++++++++++++++++++++++++++
4 files changed, 315 insertions(+), 239 deletions(-)
create mode 100644 net/bridge/br_netfilter_ipv6.c
diff --git a/include/net/netfilter/br_netfilter.h b/include/net/netfilter/br_netfilter.h
index 2aa6048..bab824b 100644
--- a/include/net/netfilter/br_netfilter.h
+++ b/include/net/netfilter/br_netfilter.h
@@ -1,6 +1,66 @@
#ifndef _BR_NETFILTER_H_
#define _BR_NETFILTER_H_
+#include "../../../net/bridge/br_private.h"
+
+static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
+{
+ skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
+
+ if (likely(skb->nf_bridge))
+ atomic_set(&(skb->nf_bridge->use), 1);
+
+ return skb->nf_bridge;
+}
+
+void nf_bridge_update_protocol(struct sk_buff *skb);
+
+static inline struct nf_bridge_info *
+nf_bridge_info_get(const struct sk_buff *skb)
+{
+ return skb->nf_bridge;
+}
+
+unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb);
+
+static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
+{
+ unsigned int len = nf_bridge_encap_header_len(skb);
+
+ skb_push(skb, len);
+ skb->network_header -= len;
+}
+
+int br_nf_pre_routing_finish_bridge(struct sock *sk, struct sk_buff *skb);
+
+static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
+{
+ struct net_bridge_port *port;
+
+ port = br_port_get_rcu(dev);
+ return port ? &port->br->fake_rtable : NULL;
+}
+
+struct net_device *setup_pre_routing(struct sk_buff *skb);
void br_netfilter_enable(void);
+#if IS_ENABLED(CONFIG_IPV6)
+int br_validate_ipv6(struct sk_buff *skb);
+unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state);
+#else
+static inline int br_validate_ipv6(struct sk_buff *skb)
+{
+ return -1;
+}
+
+static inline unsigned int
+br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops, struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ return NF_DROP;
+}
+#endif
+
#endif /* _BR_NETFILTER_H_ */
diff --git a/net/bridge/Makefile b/net/bridge/Makefile
index c52577a..a1cda5d 100644
--- a/net/bridge/Makefile
+++ b/net/bridge/Makefile
@@ -13,6 +13,7 @@ bridge-$(CONFIG_SYSFS) += br_sysfs_if.o br_sysfs_br.o
bridge-$(subst m,y,$(CONFIG_BRIDGE_NETFILTER)) += br_nf_core.o
br_netfilter-y := br_netfilter_hooks.o
+br_netfilter-$(subst m,y,$(CONFIG_IPV6)) += br_netfilter_ipv6.o
obj-$(CONFIG_BRIDGE_NETFILTER) += br_netfilter.o
bridge-$(CONFIG_BRIDGE_IGMP_SNOOPING) += br_multicast.o br_mdb.o
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index e4e5f2f..d89f4fa 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -123,11 +123,6 @@ struct brnf_frag_data {
static DEFINE_PER_CPU(struct brnf_frag_data, brnf_frag_data_storage);
#endif
-static struct nf_bridge_info *nf_bridge_info_get(const struct sk_buff *skb)
-{
- return skb->nf_bridge;
-}
-
static void nf_bridge_info_free(struct sk_buff *skb)
{
if (skb->nf_bridge) {
@@ -136,14 +131,6 @@ static void nf_bridge_info_free(struct sk_buff *skb)
}
}
-static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
-{
- struct net_bridge_port *port;
-
- port = br_port_get_rcu(dev);
- return port ? &port->br->fake_rtable : NULL;
-}
-
static inline struct net_device *bridge_parent(const struct net_device *dev)
{
struct net_bridge_port *port;
@@ -152,15 +139,6 @@ static inline struct net_device *bridge_parent(const struct net_device *dev)
return port ? port->br->dev : NULL;
}
-static inline struct nf_bridge_info *nf_bridge_alloc(struct sk_buff *skb)
-{
- skb->nf_bridge = kzalloc(sizeof(struct nf_bridge_info), GFP_ATOMIC);
- if (likely(skb->nf_bridge))
- atomic_set(&(skb->nf_bridge->use), 1);
-
- return skb->nf_bridge;
-}
-
static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
{
struct nf_bridge_info *nf_bridge = skb->nf_bridge;
@@ -178,7 +156,7 @@ static inline struct nf_bridge_info *nf_bridge_unshare(struct sk_buff *skb)
return nf_bridge;
}
-static unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
+unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
{
switch (skb->protocol) {
case __cpu_to_be16(ETH_P_8021Q):
@@ -190,14 +168,6 @@ static unsigned int nf_bridge_encap_header_len(const struct sk_buff *skb)
}
}
-static inline void nf_bridge_push_encap_header(struct sk_buff *skb)
-{
- unsigned int len = nf_bridge_encap_header_len(skb);
-
- skb_push(skb, len);
- skb->network_header -= len;
-}
-
static inline void nf_bridge_pull_encap_header(struct sk_buff *skb)
{
unsigned int len = nf_bridge_encap_header_len(skb);
@@ -267,112 +237,7 @@ drop:
return -1;
}
-/* We only check the length. A bridge shouldn't do any hop-by-hop stuff
- * anyway
- */
-static int check_hbh_len(struct sk_buff *skb)
-{
- unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
- u32 pkt_len;
- const unsigned char *nh = skb_network_header(skb);
- int off = raw - nh;
- int len = (raw[1] + 1) << 3;
-
- if ((raw + len) - skb->data > skb_headlen(skb))
- goto bad;
-
- off += 2;
- len -= 2;
-
- while (len > 0) {
- int optlen = nh[off + 1] + 2;
-
- switch (nh[off]) {
- case IPV6_TLV_PAD1:
- optlen = 1;
- break;
-
- case IPV6_TLV_PADN:
- break;
-
- case IPV6_TLV_JUMBO:
- if (nh[off + 1] != 4 || (off & 3) != 2)
- goto bad;
- pkt_len = ntohl(*(__be32 *)(nh + off + 2));
- if (pkt_len <= IPV6_MAXPLEN ||
- ipv6_hdr(skb)->payload_len)
- goto bad;
- if (pkt_len > skb->len - sizeof(struct ipv6hdr))
- goto bad;
- if (pskb_trim_rcsum(skb,
- pkt_len + sizeof(struct ipv6hdr)))
- goto bad;
- nh = skb_network_header(skb);
- break;
- default:
- if (optlen > len)
- goto bad;
- break;
- }
- off += optlen;
- len -= optlen;
- }
- if (len == 0)
- return 0;
-bad:
- return -1;
-}
-
-/* Equivalent to br_validate_ipv4 for IPv6 */
-static int br_validate_ipv6(struct sk_buff *skb)
-{
- const struct ipv6hdr *hdr;
- struct net_device *dev = skb->dev;
- struct inet6_dev *idev = in6_dev_get(skb->dev);
- u32 pkt_len;
- u8 ip6h_len = sizeof(struct ipv6hdr);
-
- if (!pskb_may_pull(skb, ip6h_len))
- goto inhdr_error;
-
- if (skb->len < ip6h_len)
- goto drop;
-
- hdr = ipv6_hdr(skb);
-
- if (hdr->version != 6)
- goto inhdr_error;
-
- pkt_len = ntohs(hdr->payload_len);
-
- if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
- if (pkt_len + ip6h_len > skb->len) {
- IP6_INC_STATS_BH(dev_net(dev), idev,
- IPSTATS_MIB_INTRUNCATEDPKTS);
- goto drop;
- }
- if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
- IP6_INC_STATS_BH(dev_net(dev), idev,
- IPSTATS_MIB_INDISCARDS);
- goto drop;
- }
- }
- if (hdr->nexthdr == NEXTHDR_HOP && check_hbh_len(skb))
- goto drop;
-
- memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
- /* No IP options in IPv6 header; however it should be
- * checked if some next headers need special treatment
- */
- return 0;
-
-inhdr_error:
- IP6_INC_STATS_BH(dev_net(dev), idev, IPSTATS_MIB_INHDRERRORS);
-drop:
- return -1;
-}
-
-static void nf_bridge_update_protocol(struct sk_buff *skb)
+void nf_bridge_update_protocol(struct sk_buff *skb)
{
switch (skb->nf_bridge->orig_proto) {
case BRNF_PROTO_8021Q:
@@ -391,7 +256,7 @@ static void nf_bridge_update_protocol(struct sk_buff *skb)
* don't, we use the neighbour framework to find out. In both cases, we make
* sure that br_handle_frame_finish() is called afterwards.
*/
-static int br_nf_pre_routing_finish_bridge(struct sock *sk, struct sk_buff *skb)
+int br_nf_pre_routing_finish_bridge(struct sock *sk, struct sk_buff *skb)
{
struct neighbour *neigh;
struct dst_entry *dst;
@@ -431,77 +296,11 @@ free_skb:
return 0;
}
-static bool daddr_was_changed(const struct sk_buff *skb,
- const struct nf_bridge_info *nf_bridge)
+static inline bool
+br_nf_ipv4_daddr_was_changed(const struct sk_buff *skb,
+ const struct nf_bridge_info *nf_bridge)
{
- switch (skb->protocol) {
- case htons(ETH_P_IP):
- return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
- case htons(ETH_P_IPV6):
- return memcmp(&nf_bridge->ipv6_daddr, &ipv6_hdr(skb)->daddr,
- sizeof(ipv6_hdr(skb)->daddr)) != 0;
- default:
- return false;
- }
-}
-
-/* PF_BRIDGE/PRE_ROUTING: Undo the changes made for ip6tables
- * PREROUTING and continue the bridge PRE_ROUTING hook. See comment
- * for br_nf_pre_routing_finish(), same logic is used here but
- * equivalent IPv6 function ip6_route_input() called indirectly.
- */
-static int br_nf_pre_routing_finish_ipv6(struct sock *sk, struct sk_buff *skb)
-{
- struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
- struct rtable *rt;
- struct net_device *dev = skb->dev;
- const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
-
- nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
-
- if (nf_bridge->pkt_otherhost) {
- skb->pkt_type = PACKET_OTHERHOST;
- nf_bridge->pkt_otherhost = false;
- }
- nf_bridge->mask &= ~BRNF_NF_BRIDGE_PREROUTING;
- if (daddr_was_changed(skb, nf_bridge)) {
- skb_dst_drop(skb);
- v6ops->route_input(skb);
-
- if (skb_dst(skb)->error) {
- kfree_skb(skb);
- return 0;
- }
-
- if (skb_dst(skb)->dev == dev) {
- skb->dev = nf_bridge->physindev;
- nf_bridge_update_protocol(skb);
- nf_bridge_push_encap_header(skb);
- NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
- sk, skb, skb->dev, NULL,
- br_nf_pre_routing_finish_bridge,
- 1);
- return 0;
- }
- ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
- skb->pkt_type = PACKET_HOST;
- } else {
- rt = bridge_parent_rtable(nf_bridge->physindev);
- if (!rt) {
- kfree_skb(skb);
- return 0;
- }
- skb_dst_set_noref(skb, &rt->dst);
- }
-
- skb->dev = nf_bridge->physindev;
- nf_bridge_update_protocol(skb);
- nf_bridge_push_encap_header(skb);
- NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, sk, skb,
- skb->dev, NULL,
- br_handle_frame_finish, 1);
-
- return 0;
+ return ip_hdr(skb)->daddr != nf_bridge->ipv4_daddr;
}
/* This requires some explaining. If DNAT has taken place,
@@ -558,7 +357,7 @@ static int br_nf_pre_routing_finish(struct sock *sk, struct sk_buff *skb)
nf_bridge->pkt_otherhost = false;
}
nf_bridge->mask &= ~BRNF_NF_BRIDGE_PREROUTING;
- if (daddr_was_changed(skb, nf_bridge)) {
+ if (br_nf_ipv4_daddr_was_changed(skb, nf_bridge)) {
if ((err = ip_route_input(skb, iph->daddr, iph->saddr, iph->tos, dev))) {
struct in_device *in_dev = __in_dev_get_rcu(dev);
@@ -636,7 +435,7 @@ static struct net_device *brnf_get_logical_dev(struct sk_buff *skb, const struct
}
/* Some common code for IPv4/IPv6 */
-static struct net_device *setup_pre_routing(struct sk_buff *skb)
+struct net_device *setup_pre_routing(struct sk_buff *skb)
{
struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
@@ -659,35 +458,6 @@ static struct net_device *setup_pre_routing(struct sk_buff *skb)
return skb->dev;
}
-/* Replicate the checks that IPv6 does on packet reception and pass the packet
- * to ip6tables.
- */
-static unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
- struct sk_buff *skb,
- const struct nf_hook_state *state)
-{
- struct nf_bridge_info *nf_bridge;
-
- if (br_validate_ipv6(skb))
- return NF_DROP;
-
- nf_bridge_put(skb->nf_bridge);
- if (!nf_bridge_alloc(skb))
- return NF_DROP;
- if (!setup_pre_routing(skb))
- return NF_DROP;
-
- nf_bridge = nf_bridge_info_get(skb);
- nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;
-
- skb->protocol = htons(ETH_P_IPV6);
- NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->sk, skb,
- skb->dev, NULL,
- br_nf_pre_routing_finish_ipv6);
-
- return NF_STOLEN;
-}
-
/* Direct IPv6 traffic to br_nf_pre_routing_ipv6.
* Replicate the checks that IPv4 does on packet reception.
* Set skb->dev to the bridge device (i.e. parent of the
diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
new file mode 100644
index 0000000..6d12d26
--- /dev/null
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -0,0 +1,245 @@
+/*
+ * Handle firewalling
+ * Linux ethernet bridge
+ *
+ * Authors:
+ * Lennert Buytenhek <buytenh@gnu.org>
+ * Bart De Schuymer <bdschuym@pandora.be>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ * Lennert dedicates this file to Kerstin Wurdinger.
+ */
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/slab.h>
+#include <linux/ip.h>
+#include <linux/netdevice.h>
+#include <linux/skbuff.h>
+#include <linux/if_arp.h>
+#include <linux/if_ether.h>
+#include <linux/if_vlan.h>
+#include <linux/if_pppox.h>
+#include <linux/ppp_defs.h>
+#include <linux/netfilter_bridge.h>
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv6.h>
+#include <linux/netfilter_arp.h>
+#include <linux/in_route.h>
+#include <linux/inetdevice.h>
+
+#include <net/ip.h>
+#include <net/ipv6.h>
+#include <net/addrconf.h>
+#include <net/route.h>
+#include <net/netfilter/br_netfilter.h>
+
+#include <asm/uaccess.h>
+#include "br_private.h"
+#ifdef CONFIG_SYSCTL
+#include <linux/sysctl.h>
+#endif
+
+/* We only check the length. A bridge shouldn't do any hop-by-hop stuff
+ * anyway
+ */
+static int br_nf_check_hbh_len(struct sk_buff *skb)
+{
+ unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
+ u32 pkt_len;
+ const unsigned char *nh = skb_network_header(skb);
+ int off = raw - nh;
+ int len = (raw[1] + 1) << 3;
+
+ if ((raw + len) - skb->data > skb_headlen(skb))
+ goto bad;
+
+ off += 2;
+ len -= 2;
+
+ while (len > 0) {
+ int optlen = nh[off + 1] + 2;
+
+ switch (nh[off]) {
+ case IPV6_TLV_PAD1:
+ optlen = 1;
+ break;
+
+ case IPV6_TLV_PADN:
+ break;
+
+ case IPV6_TLV_JUMBO:
+ if (nh[off + 1] != 4 || (off & 3) != 2)
+ goto bad;
+ pkt_len = ntohl(*(__be32 *)(nh + off + 2));
+ if (pkt_len <= IPV6_MAXPLEN ||
+ ipv6_hdr(skb)->payload_len)
+ goto bad;
+ if (pkt_len > skb->len - sizeof(struct ipv6hdr))
+ goto bad;
+ if (pskb_trim_rcsum(skb,
+ pkt_len + sizeof(struct ipv6hdr)))
+ goto bad;
+ nh = skb_network_header(skb);
+ break;
+ default:
+ if (optlen > len)
+ goto bad;
+ break;
+ }
+ off += optlen;
+ len -= optlen;
+ }
+ if (len == 0)
+ return 0;
+bad:
+ return -1;
+}
+
+int br_validate_ipv6(struct sk_buff *skb)
+{
+ const struct ipv6hdr *hdr;
+ struct net_device *dev = skb->dev;
+ struct inet6_dev *idev = in6_dev_get(skb->dev);
+ u32 pkt_len;
+ u8 ip6h_len = sizeof(struct ipv6hdr);
+
+ if (!pskb_may_pull(skb, ip6h_len))
+ goto inhdr_error;
+
+ if (skb->len < ip6h_len)
+ goto drop;
+
+ hdr = ipv6_hdr(skb);
+
+ if (hdr->version != 6)
+ goto inhdr_error;
+
+ pkt_len = ntohs(hdr->payload_len);
+
+ if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
+ if (pkt_len + ip6h_len > skb->len) {
+ IP6_INC_STATS_BH(dev_net(dev), idev,
+ IPSTATS_MIB_INTRUNCATEDPKTS);
+ goto drop;
+ }
+ if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
+ IP6_INC_STATS_BH(dev_net(dev), idev,
+ IPSTATS_MIB_INDISCARDS);
+ goto drop;
+ }
+ }
+ if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb))
+ goto drop;
+
+ memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
+ /* No IP options in IPv6 header; however it should be
+ * checked if some next headers need special treatment
+ */
+ return 0;
+
+inhdr_error:
+ IP6_INC_STATS_BH(dev_net(dev), idev, IPSTATS_MIB_INHDRERRORS);
+drop:
+ return -1;
+}
+
+static inline bool
+br_nf_ipv6_daddr_was_changed(const struct sk_buff *skb,
+ const struct nf_bridge_info *nf_bridge)
+{
+ return memcmp(&nf_bridge->ipv6_daddr, &ipv6_hdr(skb)->daddr,
+ sizeof(ipv6_hdr(skb)->daddr)) != 0;
+}
+
+/* PF_BRIDGE/PRE_ROUTING: Undo the changes made for ip6tables
+ * PREROUTING and continue the bridge PRE_ROUTING hook. See comment
+ * for br_nf_pre_routing_finish(), same logic is used here but
+ * equivalent IPv6 function ip6_route_input() called indirectly.
+ */
+static int br_nf_pre_routing_finish_ipv6(struct sock *sk, struct sk_buff *skb)
+{
+ struct nf_bridge_info *nf_bridge = nf_bridge_info_get(skb);
+ struct rtable *rt;
+ struct net_device *dev = skb->dev;
+ const struct nf_ipv6_ops *v6ops = nf_get_ipv6_ops();
+
+ nf_bridge->frag_max_size = IP6CB(skb)->frag_max_size;
+
+ if (nf_bridge->pkt_otherhost) {
+ skb->pkt_type = PACKET_OTHERHOST;
+ nf_bridge->pkt_otherhost = false;
+ }
+ nf_bridge->mask &= ~BRNF_NF_BRIDGE_PREROUTING;
+ if (br_nf_ipv6_daddr_was_changed(skb, nf_bridge)) {
+ skb_dst_drop(skb);
+ v6ops->route_input(skb);
+
+ if (skb_dst(skb)->error) {
+ kfree_skb(skb);
+ return 0;
+ }
+
+ if (skb_dst(skb)->dev == dev) {
+ skb->dev = nf_bridge->physindev;
+ nf_bridge_update_protocol(skb);
+ nf_bridge_push_encap_header(skb);
+ NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING,
+ sk, skb, skb->dev, NULL,
+ br_nf_pre_routing_finish_bridge,
+ 1);
+ return 0;
+ }
+ ether_addr_copy(eth_hdr(skb)->h_dest, dev->dev_addr);
+ skb->pkt_type = PACKET_HOST;
+ } else {
+ rt = bridge_parent_rtable(nf_bridge->physindev);
+ if (!rt) {
+ kfree_skb(skb);
+ return 0;
+ }
+ skb_dst_set_noref(skb, &rt->dst);
+ }
+
+ skb->dev = nf_bridge->physindev;
+ nf_bridge_update_protocol(skb);
+ nf_bridge_push_encap_header(skb);
+ NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, sk, skb,
+ skb->dev, NULL,
+ br_handle_frame_finish, 1);
+
+ return 0;
+}
+
+/* Replicate the checks that IPv6 does on packet reception and pass the packet
+ * to ip6tables.
+ */
+unsigned int br_nf_pre_routing_ipv6(const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ struct nf_bridge_info *nf_bridge;
+
+ if (br_validate_ipv6(skb))
+ return NF_DROP;
+
+ nf_bridge_put(skb->nf_bridge);
+ if (!nf_bridge_alloc(skb))
+ return NF_DROP;
+ if (!setup_pre_routing(skb))
+ return NF_DROP;
+
+ nf_bridge = nf_bridge_info_get(skb);
+ nf_bridge->ipv6_daddr = ipv6_hdr(skb)->daddr;
+
+ skb->protocol = htons(ETH_P_IPV6);
+ NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, state->sk, skb,
+ skb->dev, NULL,
+ br_nf_pre_routing_finish_ipv6);
+
+ return NF_STOLEN;
+}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 06/12] netfilter: Kill unused copies of RCV_SKB_FAIL
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (4 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 05/12] netfilter: bridge: split ipv6 code into separated file Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 07/12] net: sched: Simplify em_ipset_match Pablo Neira Ayuso
` (6 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: "Eric W. Biederman" <ebiederm@xmission.com>
This appears to have been a dead macro in both nfnetlink_log.c and
nfnetlink_queue_core.c since these pieces of code were added in 2005.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_log.c | 2 --
net/netfilter/nfnetlink_queue_core.c | 2 --
2 files changed, 4 deletions(-)
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 4ef1fae..4670821 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -598,8 +598,6 @@ nla_put_failure:
return -1;
}
-#define RCV_SKB_FAIL(err) do { netlink_ack(skb, nlh, (err)); return; } while (0)
-
static struct nf_loginfo default_loginfo = {
.type = NF_LOG_TYPE_ULOG,
.u = {
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 6eccf0f..e26a46e 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -834,8 +834,6 @@ nfqnl_dev_drop(struct net *net, int ifindex)
rcu_read_unlock();
}
-#define RCV_SKB_FAIL(err) do { netlink_ack(skb, nlh, (err)); return; } while (0)
-
static int
nfqnl_rcv_dev_event(struct notifier_block *this,
unsigned long event, void *ptr)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 07/12] net: sched: Simplify em_ipset_match
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (5 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 06/12] netfilter: Kill unused copies of RCV_SKB_FAIL Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 08/12] net: include missing headers in net/net_namespace.h Pablo Neira Ayuso
` (5 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: "Eric W. Biederman" <ebiederm@xmission.com>
em->net is always set and always available, use it in preference
to dev_net(skb->dev).
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/sched/em_ipset.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sched/em_ipset.c b/net/sched/em_ipset.c
index a3d79c8..df0328b 100644
--- a/net/sched/em_ipset.c
+++ b/net/sched/em_ipset.c
@@ -92,8 +92,8 @@ static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em,
rcu_read_lock();
- if (dev && skb->skb_iif)
- indev = dev_get_by_index_rcu(dev_net(dev), skb->skb_iif);
+ if (skb->skb_iif)
+ indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
acpar.in = indev ? indev : dev;
acpar.out = dev;
--
1.7.10.4
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 08/12] net: include missing headers in net/net_namespace.h
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (6 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 07/12] net: sched: Simplify em_ipset_match Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 09/12] netfilter: use forward declaration instead of including linux/proc_fs.h Pablo Neira Ayuso
` (4 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Include linux/idr.h and linux/skbuff.h since they are required by objects that
are declared in the net structure.
struct net {
...
struct idr netns_ids;
...
struct sk_buff_head wext_nlevents;
...
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
include/net/net_namespace.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/net/net_namespace.h b/include/net/net_namespace.h
index 72eb237..e951453 100644
--- a/include/net/net_namespace.h
+++ b/include/net/net_namespace.h
@@ -28,6 +28,8 @@
#include <net/netns/xfrm.h>
#include <net/netns/mpls.h>
#include <linux/ns_common.h>
+#include <linux/idr.h>
+#include <linux/skbuff.h>
struct user_namespace;
struct proc_dir_entry;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 09/12] netfilter: use forward declaration instead of including linux/proc_fs.h
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (7 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 08/12] net: include missing headers in net/net_namespace.h Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 10/12] netfilter: don't pull include/linux/netfilter.h from netns headers Pablo Neira Ayuso
` (3 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
We don't need to pull the full definitions in that file, a simple forward
declaration is enough.
Moreover, include linux/procfs.h from nf_synproxy_core, otherwise this hits a
compilation error due to missing declarations, ie.
net/netfilter/nf_synproxy_core.c: In function ‘synproxy_proc_init’:
net/netfilter/nf_synproxy_core.c:326:2: error: implicit declaration of function ‘proc_create’ [-Werror=implicit-function-declaration]
if (!proc_create("synproxy", S_IRUGO, net->proc_net_stat,
^
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
include/net/netns/netfilter.h | 2 +-
net/netfilter/nf_synproxy_core.c | 1 +
2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index 8874002..cf25b5e 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -1,9 +1,9 @@
#ifndef __NETNS_NETFILTER_H
#define __NETNS_NETFILTER_H
-#include <linux/proc_fs.h>
#include <linux/netfilter.h>
+struct proc_dir_entry;
struct nf_logger;
struct netns_nf {
diff --git a/net/netfilter/nf_synproxy_core.c b/net/netfilter/nf_synproxy_core.c
index 52e20c9..789feea 100644
--- a/net/netfilter/nf_synproxy_core.c
+++ b/net/netfilter/nf_synproxy_core.c
@@ -11,6 +11,7 @@
#include <asm/unaligned.h>
#include <net/tcp.h>
#include <net/netns/generic.h>
+#include <linux/proc_fs.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/x_tables.h>
--
1.7.10.4
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 10/12] netfilter: don't pull include/linux/netfilter.h from netns headers
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (8 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 09/12] netfilter: use forward declaration instead of including linux/proc_fs.h Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 11/12] netfilter: Remove spurios included of netfilter.h Pablo Neira Ayuso
` (2 subsequent siblings)
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
This pulls the full hook netfilter definitions from all those that include
net_namespace.h.
Instead let's just include the bare minimum required in the new
linux/netfilter_defs.h file, and use it from the netfilter netns header files.
I also needed to include in.h and in6.h from linux/netfilter.h otherwise we hit
this compilation error:
In file included from include/linux/netfilter_defs.h:4:0,
from include/net/netns/netfilter.h:4,
from include/net/net_namespace.h:22,
from include/linux/netdevice.h:43,
from net/netfilter/nfnetlink_queue_core.c:23:
include/uapi/linux/netfilter.h:76:17: error: field ‘in’ has incomplete type struct in_addr in;
And also explicit include linux/netfilter.h in several spots.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
---
include/linux/netfilter.h | 6 ++----
include/linux/netfilter_defs.h | 9 +++++++++
include/net/netns/netfilter.h | 2 +-
include/net/netns/x_tables.h | 2 +-
include/uapi/linux/netfilter.h | 3 ++-
net/ipv6/output_core.c | 1 +
6 files changed, 16 insertions(+), 7 deletions(-)
create mode 100644 include/linux/netfilter_defs.h
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index f5ff5d1..00050df 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -10,7 +10,8 @@
#include <linux/wait.h>
#include <linux/list.h>
#include <linux/static_key.h>
-#include <uapi/linux/netfilter.h>
+#include <linux/netfilter_defs.h>
+
#ifdef CONFIG_NETFILTER
static inline int NF_DROP_GETERR(int verdict)
{
@@ -38,9 +39,6 @@ static inline void nf_inet_addr_mask(const union nf_inet_addr *a1,
int netfilter_init(void);
-/* Largest hook number + 1 */
-#define NF_MAX_HOOKS 8
-
struct sk_buff;
struct nf_hook_ops;
diff --git a/include/linux/netfilter_defs.h b/include/linux/netfilter_defs.h
new file mode 100644
index 0000000..d3a7f85
--- /dev/null
+++ b/include/linux/netfilter_defs.h
@@ -0,0 +1,9 @@
+#ifndef __LINUX_NETFILTER_CORE_H_
+#define __LINUX_NETFILTER_CORE_H_
+
+#include <uapi/linux/netfilter.h>
+
+/* Largest hook number + 1, see uapi/linux/netfilter_decnet.h */
+#define NF_MAX_HOOKS 8
+
+#endif
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index cf25b5e..532e4ba 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -1,7 +1,7 @@
#ifndef __NETNS_NETFILTER_H
#define __NETNS_NETFILTER_H
-#include <linux/netfilter.h>
+#include <linux/netfilter_defs.h>
struct proc_dir_entry;
struct nf_logger;
diff --git a/include/net/netns/x_tables.h b/include/net/netns/x_tables.h
index 4d6597a..c8a7681 100644
--- a/include/net/netns/x_tables.h
+++ b/include/net/netns/x_tables.h
@@ -2,7 +2,7 @@
#define __NETNS_X_TABLES_H
#include <linux/list.h>
-#include <linux/netfilter.h>
+#include <linux/netfilter_defs.h>
struct ebt_table;
diff --git a/include/uapi/linux/netfilter.h b/include/uapi/linux/netfilter.h
index 177027c..d93f949 100644
--- a/include/uapi/linux/netfilter.h
+++ b/include/uapi/linux/netfilter.h
@@ -4,7 +4,8 @@
#include <linux/types.h>
#include <linux/compiler.h>
#include <linux/sysctl.h>
-
+#include <linux/in.h>
+#include <linux/in6.h>
/* Responses from hook functions. */
#define NF_DROP 0
diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 21678ac..928a0fb 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -8,6 +8,7 @@
#include <net/ip6_fib.h>
#include <net/addrconf.h>
#include <net/secure_seq.h>
+#include <linux/netfilter.h>
static u32 __ipv6_select_ident(struct net *net, u32 hashrnd,
const struct in6_addr *dst,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 11/12] netfilter: Remove spurios included of netfilter.h
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (9 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 10/12] netfilter: don't pull include/linux/netfilter.h from netns headers Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-19 17:17 ` [PATCH 12/12] netfilter: xtables: fix warnings on 32bit platforms Pablo Neira Ayuso
2015-06-20 22:40 ` [PATCH 00/12] Netfilter updates for net-next David Miller
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Eric W Biederman <ebiederm@xmission.com>
While testing my netfilter changes I noticed several files where
recompiling unncessarily because they unncessarily included
netfilter.h.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
drivers/net/hamradio/bpqether.c | 1 -
drivers/net/ppp/pptp.c | 2 --
drivers/net/wan/lapbether.c | 1 -
net/ax25/af_ax25.c | 1 -
net/ax25/ax25_in.c | 1 -
net/ax25/ax25_ip.c | 1 -
net/ax25/ax25_out.c | 1 -
net/ax25/ax25_uid.c | 1 -
net/netrom/nr_route.c | 1 -
net/rose/rose_link.c | 1 -
net/rose/rose_route.c | 1 -
security/selinux/xfrm.c | 3 ---
12 files changed, 15 deletions(-)
diff --git a/drivers/net/hamradio/bpqether.c b/drivers/net/hamradio/bpqether.c
index 63ff08a..7856b6c 100644
--- a/drivers/net/hamradio/bpqether.c
+++ b/drivers/net/hamradio/bpqether.c
@@ -76,7 +76,6 @@
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/stat.h>
-#include <linux/netfilter.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/rtnetlink.h>
diff --git a/drivers/net/ppp/pptp.c b/drivers/net/ppp/pptp.c
index 14839bc..686f37d 100644
--- a/drivers/net/ppp/pptp.c
+++ b/drivers/net/ppp/pptp.c
@@ -28,8 +28,6 @@
#include <linux/file.h>
#include <linux/in.h>
#include <linux/ip.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4.h>
#include <linux/rcupdate.h>
#include <linux/spinlock.h>
diff --git a/drivers/net/wan/lapbether.c b/drivers/net/wan/lapbether.c
index 2f5eda8..6676607 100644
--- a/drivers/net/wan/lapbether.c
+++ b/drivers/net/wan/lapbether.c
@@ -40,7 +40,6 @@
#include <linux/interrupt.h>
#include <linux/notifier.h>
#include <linux/stat.h>
-#include <linux/netfilter.h>
#include <linux/module.h>
#include <linux/lapb.h>
#include <linux/init.h>
diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c
index 4273533..9c891d0 100644
--- a/net/ax25/af_ax25.c
+++ b/net/ax25/af_ax25.c
@@ -40,7 +40,6 @@
#include <linux/notifier.h>
#include <linux/proc_fs.h>
#include <linux/stat.h>
-#include <linux/netfilter.h>
#include <linux/sysctl.h>
#include <linux/init.h>
#include <linux/spinlock.h>
diff --git a/net/ax25/ax25_in.c b/net/ax25/ax25_in.c
index 7ed8ab7..29a3687 100644
--- a/net/ax25/ax25_in.c
+++ b/net/ax25/ax25_in.c
@@ -23,7 +23,6 @@
#include <linux/inet.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
-#include <linux/netfilter.h>
#include <net/sock.h>
#include <net/tcp_states.h>
#include <asm/uaccess.h>
diff --git a/net/ax25/ax25_ip.c b/net/ax25/ax25_ip.c
index 7c646bb..b563a3f 100644
--- a/net/ax25/ax25_ip.c
+++ b/net/ax25/ax25_ip.c
@@ -31,7 +31,6 @@
#include <linux/notifier.h>
#include <linux/proc_fs.h>
#include <linux/stat.h>
-#include <linux/netfilter.h>
#include <linux/sysctl.h>
#include <net/ip.h>
#include <net/arp.h>
diff --git a/net/ax25/ax25_out.c b/net/ax25/ax25_out.c
index be2acab..8ddd41b 100644
--- a/net/ax25/ax25_out.c
+++ b/net/ax25/ax25_out.c
@@ -24,7 +24,6 @@
#include <linux/inet.h>
#include <linux/netdevice.h>
#include <linux/skbuff.h>
-#include <linux/netfilter.h>
#include <net/sock.h>
#include <asm/uaccess.h>
#include <linux/fcntl.h>
diff --git a/net/ax25/ax25_uid.c b/net/ax25/ax25_uid.c
index 71c4bad..4ad2fb7 100644
--- a/net/ax25/ax25_uid.c
+++ b/net/ax25/ax25_uid.c
@@ -34,7 +34,6 @@
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/stat.h>
-#include <linux/netfilter.h>
#include <linux/sysctl.h>
#include <linux/export.h>
#include <net/ip.h>
diff --git a/net/netrom/nr_route.c b/net/netrom/nr_route.c
index 96b64d2..d72a4f1 100644
--- a/net/netrom/nr_route.c
+++ b/net/netrom/nr_route.c
@@ -31,7 +31,6 @@
#include <linux/mm.h>
#include <linux/interrupt.h>
#include <linux/notifier.h>
-#include <linux/netfilter.h>
#include <linux/init.h>
#include <linux/spinlock.h>
#include <net/netrom.h>
diff --git a/net/rose/rose_link.c b/net/rose/rose_link.c
index e873d7d..c76638c 100644
--- a/net/rose/rose_link.c
+++ b/net/rose/rose_link.c
@@ -25,7 +25,6 @@
#include <linux/fcntl.h>
#include <linux/mm.h>
#include <linux/interrupt.h>
-#include <linux/netfilter.h>
#include <net/rose.h>
static void rose_ftimer_expiry(unsigned long);
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c
index 40148932..0fc76d8 100644
--- a/net/rose/rose_route.c
+++ b/net/rose/rose_route.c
@@ -31,7 +31,6 @@
#include <linux/mm.h>
#include <linux/interrupt.h>
#include <linux/notifier.h>
-#include <linux/netfilter.h>
#include <linux/init.h>
#include <net/rose.h>
#include <linux/seq_file.h>
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index 98b0426..56e354f 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -35,9 +35,6 @@
#include <linux/init.h>
#include <linux/security.h>
#include <linux/types.h>
-#include <linux/netfilter.h>
-#include <linux/netfilter_ipv4.h>
-#include <linux/netfilter_ipv6.h>
#include <linux/slab.h>
#include <linux/ip.h>
#include <linux/tcp.h>
--
1.7.10.4
^ permalink raw reply related [flat|nested] 29+ messages in thread
* [PATCH 12/12] netfilter: xtables: fix warnings on 32bit platforms
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (10 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 11/12] netfilter: Remove spurios included of netfilter.h Pablo Neira Ayuso
@ 2015-06-19 17:17 ` Pablo Neira Ayuso
2015-06-20 22:40 ` [PATCH 00/12] Netfilter updates for net-next David Miller
12 siblings, 0 replies; 29+ messages in thread
From: Pablo Neira Ayuso @ 2015-06-19 17:17 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
On 32bit archs gcc complains due to cast from void* to u64.
Add intermediate casts to long to silence these warnings.
include/linux/netfilter/x_tables.h:376:10: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
include/linux/netfilter/x_tables.h:384:15: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
include/linux/netfilter/x_tables.h:391:23: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
include/linux/netfilter/x_tables.h:400:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
Fixes: 71ae0dff02d756e ("netfilter: xtables: use percpu rule counters")
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/x_tables.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 1c97a22..286098a 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -372,7 +372,7 @@ static inline u64 xt_percpu_counter_alloc(void)
if (res == NULL)
return (u64) -ENOMEM;
- return (__force u64) res;
+ return (u64) (__force unsigned long) res;
}
return 0;
@@ -380,14 +380,14 @@ static inline u64 xt_percpu_counter_alloc(void)
static inline void xt_percpu_counter_free(u64 pcnt)
{
if (nr_cpu_ids > 1)
- free_percpu((void __percpu *) pcnt);
+ free_percpu((void __percpu *) (unsigned long) pcnt);
}
static inline struct xt_counters *
xt_get_this_cpu_counter(struct xt_counters *cnt)
{
if (nr_cpu_ids > 1)
- return this_cpu_ptr((void __percpu *) cnt->pcnt);
+ return this_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt);
return cnt;
}
@@ -396,7 +396,7 @@ static inline struct xt_counters *
xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
{
if (nr_cpu_ids > 1)
- return per_cpu_ptr((void __percpu *) cnt->pcnt, cpu);
+ return per_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt, cpu);
return cnt;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 29+ messages in thread
* Re: [PATCH 00/12] Netfilter updates for net-next
2015-06-19 17:17 [PATCH 00/12] Netfilter updates for net-next Pablo Neira Ayuso
` (11 preceding siblings ...)
2015-06-19 17:17 ` [PATCH 12/12] netfilter: xtables: fix warnings on 32bit platforms Pablo Neira Ayuso
@ 2015-06-20 22:40 ` David Miller
12 siblings, 0 replies; 29+ messages in thread
From: David Miller @ 2015-06-20 22:40 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 19 Jun 2015 19:17:37 +0200
> The following patchset contains a final Netfilter pull request for net-next
> 4.2. This mostly addresses some fallout from the previous pull request, small
> netns updates and a couple of new features for nfnetlink_log and the socket
> match that didn't get in time for the previous pull request. More specifically
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled, thanks a lot Pablo.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
^ permalink raw reply [flat|nested] 29+ messages in thread