* [PATCH 00/21] Netfilter updates for net-next
@ 2015-05-18 16:25 Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 01/21] netfilter: ipset: Fix sparse warning Pablo Neira Ayuso
` (21 more replies)
0 siblings, 22 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter updates for net-next. Briefly
speaking, cleanups and minor fixes for ipset from Jozsef Kadlecsik and
Serget Popovich, more incremental updates to make br_netfilter a better
place from Florian Westphal, ARP support to the x_tables mark match /
target from and context Zhang Chunyu and the addition of context to know
that the x_tables runs through nft_compat. More specifically, they are:
1) Fix sparse warning in ipset/ip_set_hash_ipmark.c when fetching the
IPSET_ATTR_MARK netlink attribute, from Jozsef Kadlecsik.
2) Rename STREQ macro to STRNCMP in ipset, also from Jozsef.
3) Use skb->network_header to calculate the transport offset in
ip_set_get_ip{4,6}_port(). From Alexander Drozdov.
4) Reduce memory consumption per element due to size miscalculation,
this patch and follow up patches from Sergey Popovich.
5) Expand nomatch field from 1 bit to 8 bits to allow to simplify
mtype_data_reset_flags(), also from Sergey.
6) Small clean for ipset macro trickery.
7) Fix error reporting when both ip_set_get_hostipaddr4() and
ip_set_get_extensions() from per-set uadt functions.
8) Simplify IPSET_ATTR_PORT netlink attribute validation.
9) Introduce HOST_MASK instead of hardcoded 32 in ipset.
10) Return true/false instead of 0/1 in functions that return boolean
in the ipset code.
11) Validate maximum length of the IPSET_ATTR_COMMENT netlink attribute.
12) Allow to dereference from ext_*() ipset macros.
13) Get rid of incorrect definitions of HKEY_DATALEN.
14) Include linux/netfilter/ipset/ip_set.h in the x_tables set match.
15) Reduce nf_bridge_info size in br_netfilter, from Florian Westphal.
16) Release nf_bridge_info after POSTROUTING since this is only needed
from the physdev match, also from Florian.
17) Reduce size of ipset code by deinlining ip_set_put_extensions(),
from Denys Vlasenko.
18) Oneliner to add ARP support to the x_tables mark match/target, from
Zhang Chunyu.
19) Add context to know if the x_tables extension runs from nft_compat,
to address minor problems with three existing extensions.
20) Correct return value in several seqfile *_show() functions in the
netfilter tree, from Joe Perches.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit 9449c3cd90472141cf081af88181a56163ff7132:
net: make skb_dst_pop routine static (2015-05-12 23:19:49 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
for you to fetch changes up to 861fb1078fd4ea09b442987b3e20fced0f15eb92:
netfilter: Use correct return for seq_show functions (2015-05-17 17:25:35 +0200)
----------------------------------------------------------------
Alexander Drozdov (1):
netfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset
Denys Vlasenko (1):
netfilter: ipset: deinline ip_set_put_extensions()
Florian Westphal (2):
netfilter: bridge: neigh_head and physoutdev can't be used at same time
netfilter: bridge: free nf_bridge info on xmit
Joe Perches (1):
netfilter: Use correct return for seq_show functions
Jozsef Kadlecsik (3):
netfilter: ipset: Fix sparse warning
netfilter: ipset: Give a better name to a macro in ip_set_core.c
netfilter: ipset: Use better include files in xt_set.c
Pablo Neira Ayuso (1):
netfilter: x_tables: add context to know if extension runs from nft_compat
Sergey Popovich (11):
netfilter: ipset: Properly calculate extensions offsets and total length
netfilter: ipset: No need to make nomatch bitfield
netfilter: ipset: Preprocessor directices cleanup
netfilter: ipset: Return ipset error instead of bool
netfilter: ipset: Check IPSET_ATTR_PORT only once
netfilter: ipset: Use HOST_MASK literal to represent host address CIDR len
netfilter: ipset: Return bool values instead of int
netfilter: ipset: Check for comment netlink attribute length
netfilter: ipset: Fix ext_*() macros
netfilter: ipset: Fix hashing for ipv6 sets
netfilter: ipset: Improve preprocessor macros checks
Zhang Chunyu (1):
netfilter: xt_MARK: Add ARP support
include/linux/netfilter/ipset/ip_set.h | 32 +++-------------
include/linux/netfilter/x_tables.h | 2 +
include/linux/skbuff.h | 8 ++--
net/bridge/br_netfilter.c | 19 +++++++++-
net/bridge/netfilter/ebt_stp.c | 6 ++-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 +++
net/netfilter/ipset/ip_set_bitmap_ip.c | 17 ++++++---
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 13 +++++--
net/netfilter/ipset/ip_set_bitmap_port.c | 3 +-
net/netfilter/ipset/ip_set_core.c | 49 ++++++++++++++++++------
net/netfilter/ipset/ip_set_getport.c | 6 ++-
net/netfilter/ipset/ip_set_hash_gen.h | 22 +++++++++--
net/netfilter/ipset/ip_set_hash_ip.c | 33 ++++++++--------
net/netfilter/ipset/ip_set_hash_ipmark.c | 43 ++++++++++-----------
net/netfilter/ipset/ip_set_hash_ipport.c | 49 +++++++++++-------------
net/netfilter/ipset/ip_set_hash_ipportip.c | 40 ++++++++++----------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 40 ++++++++++----------
net/netfilter/ipset/ip_set_hash_mac.c | 11 ++++--
net/netfilter/ipset/ip_set_hash_net.c | 28 ++++++++------
net/netfilter/ipset/ip_set_hash_netiface.c | 29 +++++++-------
net/netfilter/ipset/ip_set_hash_netnet.c | 30 ++++++++++-----
net/netfilter/ipset/ip_set_hash_netport.c | 38 +++++++++----------
net/netfilter/ipset/ip_set_hash_netportnet.c | 52 ++++++++++++++------------
net/netfilter/ipset/ip_set_list_set.c | 3 +-
net/netfilter/nfnetlink_queue_core.c | 2 +-
net/netfilter/nft_compat.c | 2 +
net/netfilter/x_tables.c | 18 +++------
net/netfilter/xt_TCPMSS.c | 6 +++
net/netfilter/xt_mark.c | 1 +
net/netfilter/xt_set.c | 3 +-
30 files changed, 346 insertions(+), 264 deletions(-)
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 01/21] netfilter: ipset: Fix sparse warning
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 02/21] netfilter: ipset: Give a better name to a macro in ip_set_core.c Pablo Neira Ayuso
` (20 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
"warning: cast to restricted __be32" warnings are fixed
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_ipmark.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index 7abf978..2ec4ac5 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -128,7 +128,7 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret)
return ret;
- e.mark = ntohl(nla_get_u32(tb[IPSET_ATTR_MARK]));
+ e.mark = ntohl(nla_get_be32(tb[IPSET_ATTR_MARK]));
e.mark &= h->markmask;
if (adt == IPSET_TEST ||
@@ -263,7 +263,7 @@ hash_ipmark6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret)
return ret;
- e.mark = ntohl(nla_get_u32(tb[IPSET_ATTR_MARK]));
+ e.mark = ntohl(nla_get_be32(tb[IPSET_ATTR_MARK]));
e.mark &= h->markmask;
if (adt == IPSET_TEST) {
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 02/21] netfilter: ipset: Give a better name to a macro in ip_set_core.c
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 01/21] netfilter: ipset: Fix sparse warning Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 03/21] netfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset Pablo Neira Ayuso
` (19 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index d259da3..ed05f1e 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -42,7 +42,7 @@ static inline struct ip_set_net *ip_set_pernet(struct net *net)
}
#define IP_SET_INC 64
-#define STREQ(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
+#define STRNCMP(a, b) (strncmp(a, b, IPSET_MAXNAMELEN) == 0)
static unsigned int max_sets;
@@ -85,7 +85,7 @@ find_set_type(const char *name, u8 family, u8 revision)
struct ip_set_type *type;
list_for_each_entry_rcu(type, &ip_set_type_list, list)
- if (STREQ(type->name, name) &&
+ if (STRNCMP(type->name, name) &&
(type->family == family ||
type->family == NFPROTO_UNSPEC) &&
revision >= type->revision_min &&
@@ -132,7 +132,7 @@ __find_set_type_get(const char *name, u8 family, u8 revision,
/* Make sure the type is already loaded
* but we don't support the revision */
list_for_each_entry_rcu(type, &ip_set_type_list, list)
- if (STREQ(type->name, name)) {
+ if (STRNCMP(type->name, name)) {
err = -IPSET_ERR_FIND_TYPE;
goto unlock;
}
@@ -166,7 +166,7 @@ __find_set_type_minmax(const char *name, u8 family, u8 *min, u8 *max,
*min = 255; *max = 0;
rcu_read_lock();
list_for_each_entry_rcu(type, &ip_set_type_list, list)
- if (STREQ(type->name, name) &&
+ if (STRNCMP(type->name, name) &&
(type->family == family ||
type->family == NFPROTO_UNSPEC)) {
found = true;
@@ -581,7 +581,7 @@ ip_set_get_byname(struct net *net, const char *name, struct ip_set **set)
rcu_read_lock();
for (i = 0; i < inst->ip_set_max; i++) {
s = rcu_dereference(inst->ip_set_list)[i];
- if (s != NULL && STREQ(s->name, name)) {
+ if (s != NULL && STRNCMP(s->name, name)) {
__ip_set_get(s);
index = i;
*set = s;
@@ -758,7 +758,7 @@ find_set_and_id(struct ip_set_net *inst, const char *name, ip_set_id_t *id)
*id = IPSET_INVALID_ID;
for (i = 0; i < inst->ip_set_max; i++) {
set = ip_set(inst, i);
- if (set != NULL && STREQ(set->name, name)) {
+ if (set != NULL && STRNCMP(set->name, name)) {
*id = i;
break;
}
@@ -787,7 +787,7 @@ find_free_id(struct ip_set_net *inst, const char *name, ip_set_id_t *index,
if (s == NULL) {
if (*index == IPSET_INVALID_ID)
*index = i;
- } else if (STREQ(name, s->name)) {
+ } else if (STRNCMP(name, s->name)) {
/* Name clash */
*set = s;
return -EEXIST;
@@ -887,7 +887,7 @@ ip_set_create(struct sock *ctnl, struct sk_buff *skb,
if (ret == -EEXIST) {
/* If this is the same set and requested, ignore error */
if ((flags & IPSET_FLAG_EXIST) &&
- STREQ(set->type->name, clash->type->name) &&
+ STRNCMP(set->type->name, clash->type->name) &&
set->type->family == clash->type->family &&
set->type->revision_min == clash->type->revision_min &&
set->type->revision_max == clash->type->revision_max &&
@@ -1098,7 +1098,7 @@ ip_set_rename(struct sock *ctnl, struct sk_buff *skb,
name2 = nla_data(attr[IPSET_ATTR_SETNAME2]);
for (i = 0; i < inst->ip_set_max; i++) {
s = ip_set(inst, i);
- if (s != NULL && STREQ(s->name, name2)) {
+ if (s != NULL && STRNCMP(s->name, name2)) {
ret = -IPSET_ERR_EXIST_SETNAME2;
goto out;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 03/21] netfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 01/21] netfilter: ipset: Fix sparse warning Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 02/21] netfilter: ipset: Give a better name to a macro in ip_set_core.c Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 04/21] netfilter: ipset: Properly calculate extensions offsets and total length Pablo Neira Ayuso
` (18 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Alexander Drozdov <al.drozdov@gmail.com>
All the ipset functions respect skb->network_header value,
except for ip_set_get_ip4_port() & ip_set_get_ip6_port(). The
functions should use skb_network_offset() to get the transport
header offset.
Signed-off-by: Alexander Drozdov <al.drozdov@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_getport.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_getport.c b/net/netfilter/ipset/ip_set_getport.c
index 29fb01d..1981f02 100644
--- a/net/netfilter/ipset/ip_set_getport.c
+++ b/net/netfilter/ipset/ip_set_getport.c
@@ -98,7 +98,7 @@ ip_set_get_ip4_port(const struct sk_buff *skb, bool src,
__be16 *port, u8 *proto)
{
const struct iphdr *iph = ip_hdr(skb);
- unsigned int protooff = ip_hdrlen(skb);
+ unsigned int protooff = skb_network_offset(skb) + ip_hdrlen(skb);
int protocol = iph->protocol;
/* See comments at tcp_match in ip_tables.c */
@@ -135,7 +135,9 @@ ip_set_get_ip6_port(const struct sk_buff *skb, bool src,
__be16 frag_off = 0;
nexthdr = ipv6_hdr(skb)->nexthdr;
- protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
+ protoff = ipv6_skip_exthdr(skb,
+ skb_network_offset(skb) +
+ sizeof(struct ipv6hdr), &nexthdr,
&frag_off);
if (protoff < 0 || (frag_off & htons(~0x7)) != 0)
return false;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 04/21] netfilter: ipset: Properly calculate extensions offsets and total length
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (2 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 03/21] netfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 05/21] netfilter: ipset: No need to make nomatch bitfield Pablo Neira Ayuso
` (17 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
Offsets and total length returned by the ip_set_elem_len()
calculated incorrectly as initial set element length (i.e.
len parameter) is used multiple times in offset calculations,
also affecting set element total length.
Use initial set element length as start offset, do not add aligned
extension offset to the offset. Return offset as total length of
the set element.
This reduces memory requirements on per element basic for the
hash:* type of sets.
For example output from 'ipset -terse list test-1' on 64-bit PC,
where test-1 is generated via following script:
#!/bin/bash
set_name='test-1'
ipset create "$set_name" hash:net family inet \
timeout 10800 counters comment \
hashsize 65536 maxelem 65536
declare -i o3 o4
fmt="add $set_name 192.168.%u.%u\n"
for ((o3 = 0; o3 < 256; o3++)); do
for ((o4 = 0; o4 < 256; o4++)); do
printf "$fmt" $o3 $o4
done
done |ipset -exist restore
BEFORE this patch is applied
# ipset -terse list test-1
Name: test-1
Type: hash:net
Revision: 6
Header: family inet hashsize 65536 maxelem 65536
timeout 10800 counters comment
Size in memory: 26348440
and AFTER applying patch
# ipset -terse list test-1
Name: test-1
Type: hash:net
Revision: 6
Header: family inet hashsize 65536 maxelem 65536
timeout 10800 counters comment
Size in memory: 7706392
References: 0
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_core.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index ed05f1e..7f9c056 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -365,7 +365,7 @@ size_t
ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len)
{
enum ip_set_ext_id id;
- size_t offset = 0;
+ size_t offset = len;
u32 cadt_flags = 0;
if (tb[IPSET_ATTR_CADT_FLAGS])
@@ -375,12 +375,12 @@ ip_set_elem_len(struct ip_set *set, struct nlattr *tb[], size_t len)
for (id = 0; id < IPSET_EXT_ID_MAX; id++) {
if (!add_extension(id, cadt_flags, tb))
continue;
- offset += ALIGN(len + offset, ip_set_extensions[id].align);
+ offset = ALIGN(offset, ip_set_extensions[id].align);
set->offset[id] = offset;
set->extensions |= ip_set_extensions[id].type;
offset += ip_set_extensions[id].len;
}
- return len + offset;
+ return offset;
}
EXPORT_SYMBOL_GPL(ip_set_elem_len);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 05/21] netfilter: ipset: No need to make nomatch bitfield
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (3 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 04/21] netfilter: ipset: Properly calculate extensions offsets and total length Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 06/21] netfilter: ipset: Preprocessor directices cleanup Pablo Neira Ayuso
` (16 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
We do not store cidr packed with no match, so there is no
need to make nomatch bitfield.
This simplifies mtype_data_reset_flags() a bit.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_netportnet.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index bfaa94c..7cfd2df 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -54,7 +54,7 @@ struct hash_netportnet4_elem {
u16 ccmp;
};
u16 padding;
- u8 nomatch:1;
+ u8 nomatch;
u8 proto;
};
@@ -326,7 +326,7 @@ struct hash_netportnet6_elem {
u16 ccmp;
};
u16 padding;
- u8 nomatch:1;
+ u8 nomatch;
u8 proto;
};
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 06/21] netfilter: ipset: Preprocessor directices cleanup
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (4 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 05/21] netfilter: ipset: No need to make nomatch bitfield Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 07/21] netfilter: ipset: Return ipset error instead of bool Pablo Neira Ayuso
` (15 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
* Undefine mtype_data_reset_elem before defining.
* Remove duplicated mtype_gc_init undefine, move
mtype_gc_init define closer to mtype_gc define.
* Use htype instead of HTYPE in IPSET_TOKEN(HTYPE, _create)().
* Remove PF definition from sets: no more used.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_gen.h | 7 ++++---
net/netfilter/ipset/ip_set_hash_ip.c | 3 ---
net/netfilter/ipset/ip_set_hash_ipmark.c | 3 ---
net/netfilter/ipset/ip_set_hash_ipport.c | 3 ---
net/netfilter/ipset/ip_set_hash_ipportip.c | 3 ---
net/netfilter/ipset/ip_set_hash_ipportnet.c | 3 ---
net/netfilter/ipset/ip_set_hash_mac.c | 1 -
net/netfilter/ipset/ip_set_hash_net.c | 3 ---
net/netfilter/ipset/ip_set_hash_netiface.c | 3 ---
net/netfilter/ipset/ip_set_hash_netnet.c | 3 ---
net/netfilter/ipset/ip_set_hash_netport.c | 3 ---
net/netfilter/ipset/ip_set_hash_netportnet.c | 3 ---
12 files changed, 4 insertions(+), 34 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 974ff38..a043065 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -180,6 +180,7 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
#undef mtype_data_equal
#undef mtype_do_data_match
#undef mtype_data_set_flags
+#undef mtype_data_reset_elem
#undef mtype_data_reset_flags
#undef mtype_data_netmask
#undef mtype_data_list
@@ -193,7 +194,6 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
#undef mtype_ahash_memsize
#undef mtype_flush
#undef mtype_destroy
-#undef mtype_gc_init
#undef mtype_same_set
#undef mtype_kadt
#undef mtype_uadt
@@ -227,6 +227,7 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
#define mtype_data_list IPSET_TOKEN(MTYPE, _data_list)
#define mtype_data_next IPSET_TOKEN(MTYPE, _data_next)
#define mtype_elem IPSET_TOKEN(MTYPE, _elem)
+
#define mtype_ahash_destroy IPSET_TOKEN(MTYPE, _ahash_destroy)
#define mtype_ext_cleanup IPSET_TOKEN(MTYPE, _ext_cleanup)
#define mtype_add_cidr IPSET_TOKEN(MTYPE, _add_cidr)
@@ -234,7 +235,6 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
#define mtype_ahash_memsize IPSET_TOKEN(MTYPE, _ahash_memsize)
#define mtype_flush IPSET_TOKEN(MTYPE, _flush)
#define mtype_destroy IPSET_TOKEN(MTYPE, _destroy)
-#define mtype_gc_init IPSET_TOKEN(MTYPE, _gc_init)
#define mtype_same_set IPSET_TOKEN(MTYPE, _same_set)
#define mtype_kadt IPSET_TOKEN(MTYPE, _kadt)
#define mtype_uadt IPSET_TOKEN(MTYPE, _uadt)
@@ -249,6 +249,7 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
#define mtype_head IPSET_TOKEN(MTYPE, _head)
#define mtype_list IPSET_TOKEN(MTYPE, _list)
#define mtype_gc IPSET_TOKEN(MTYPE, _gc)
+#define mtype_gc_init IPSET_TOKEN(MTYPE, _gc_init)
#define mtype_variant IPSET_TOKEN(MTYPE, _variant)
#define mtype_data_match IPSET_TOKEN(MTYPE, _data_match)
@@ -1045,7 +1046,7 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
u8 netmask;
#endif
size_t hsize;
- struct HTYPE *h;
+ struct htype *h;
struct htable *t;
#ifndef IP_SET_PROTO_UNDEF
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index 76959d7..d21d1e6 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -74,7 +74,6 @@ hash_ip4_data_next(struct hash_ip4_elem *next, const struct hash_ip4_elem *e)
}
#define MTYPE hash_ip4
-#define PF 4
#define HOST_MASK 32
#include "ip_set_hash_gen.h"
@@ -208,12 +207,10 @@ hash_ip6_data_next(struct hash_ip4_elem *next, const struct hash_ip6_elem *e)
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#undef HKEY_DATALEN
#define MTYPE hash_ip6
-#define PF 6
#define HOST_MASK 128
#define IP_SET_EMIT_CREATE
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index 2ec4ac5..e408bcf 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -77,7 +77,6 @@ hash_ipmark4_data_next(struct hash_ipmark4_elem *next,
}
#define MTYPE hash_ipmark4
-#define PF 4
#define HOST_MASK 32
#define HKEY_DATALEN sizeof(struct hash_ipmark4_elem)
#include "ip_set_hash_gen.h"
@@ -204,12 +203,10 @@ hash_ipmark6_data_next(struct hash_ipmark4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#undef HKEY_DATALEN
#define MTYPE hash_ipmark6
-#define PF 6
#define HOST_MASK 128
#define HKEY_DATALEN sizeof(struct hash_ipmark6_elem)
#define IP_SET_EMIT_CREATE
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index dcbcceb..c4383ad 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -84,7 +84,6 @@ hash_ipport4_data_next(struct hash_ipport4_elem *next,
}
#define MTYPE hash_ipport4
-#define PF 4
#define HOST_MASK 32
#define HKEY_DATALEN sizeof(struct hash_ipport4_elem)
#include "ip_set_hash_gen.h"
@@ -245,12 +244,10 @@ hash_ipport6_data_next(struct hash_ipport4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#undef HKEY_DATALEN
#define MTYPE hash_ipport6
-#define PF 6
#define HOST_MASK 128
#define HKEY_DATALEN sizeof(struct hash_ipport6_elem)
#define IP_SET_EMIT_CREATE
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 7ef93fc..c48ff45 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -86,7 +86,6 @@ hash_ipportip4_data_next(struct hash_ipportip4_elem *next,
/* Common functions */
#define MTYPE hash_ipportip4
-#define PF 4
#define HOST_MASK 32
#include "ip_set_hash_gen.h"
@@ -254,11 +253,9 @@ hash_ipportip6_data_next(struct hash_ipportip4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#define MTYPE hash_ipportip6
-#define PF 6
#define HOST_MASK 128
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index b6012ad..adc3f76 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -130,7 +130,6 @@ hash_ipportnet4_data_next(struct hash_ipportnet4_elem *next,
}
#define MTYPE hash_ipportnet4
-#define PF 4
#define HOST_MASK 32
#include "ip_set_hash_gen.h"
@@ -381,11 +380,9 @@ hash_ipportnet6_data_next(struct hash_ipportnet4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#define MTYPE hash_ipportnet6
-#define PF 6
#define HOST_MASK 128
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
diff --git a/net/netfilter/ipset/ip_set_hash_mac.c b/net/netfilter/ipset/ip_set_hash_mac.c
index 65690b5..2b96234 100644
--- a/net/netfilter/ipset/ip_set_hash_mac.c
+++ b/net/netfilter/ipset/ip_set_hash_mac.c
@@ -62,7 +62,6 @@ hash_mac4_data_next(struct hash_mac4_elem *next,
}
#define MTYPE hash_mac4
-#define PF 4
#define HOST_MASK 32
#define IP_SET_EMIT_CREATE
#define IP_SET_PROTO_UNDEF
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 6b3ac10..1abfe74 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -109,7 +109,6 @@ hash_net4_data_next(struct hash_net4_elem *next,
}
#define MTYPE hash_net4
-#define PF 4
#define HOST_MASK 32
#include "ip_set_hash_gen.h"
@@ -277,11 +276,9 @@ hash_net6_data_next(struct hash_net4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#define MTYPE hash_net6
-#define PF 6
#define HOST_MASK 128
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 380ef51..0ba6c58 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -207,7 +207,6 @@ hash_netiface4_data_next(struct hash_netiface4_elem *next,
}
#define MTYPE hash_netiface4
-#define PF 4
#define HOST_MASK 32
#define HKEY_DATALEN sizeof(struct hash_netiface4_elem_hashed)
#include "ip_set_hash_gen.h"
@@ -457,12 +456,10 @@ hash_netiface6_data_next(struct hash_netiface4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#undef HKEY_DATALEN
#define MTYPE hash_netiface6
-#define PF 6
#define HOST_MASK 128
#define HKEY_DATALEN sizeof(struct hash_netiface6_elem_hashed)
#define IP_SET_EMIT_CREATE
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
index ea8772a..9c6da0c 100644
--- a/net/netfilter/ipset/ip_set_hash_netnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
@@ -128,7 +128,6 @@ hash_netnet4_data_next(struct hash_netnet4_elem *next,
}
#define MTYPE hash_netnet4
-#define PF 4
#define HOST_MASK 32
#include "ip_set_hash_gen.h"
@@ -354,11 +353,9 @@ hash_netnet6_data_next(struct hash_netnet4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#define MTYPE hash_netnet6
-#define PF 6
#define HOST_MASK 128
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index c0ddb58..f77afd4 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -125,7 +125,6 @@ hash_netport4_data_next(struct hash_netport4_elem *next,
}
#define MTYPE hash_netport4
-#define PF 4
#define HOST_MASK 32
#include "ip_set_hash_gen.h"
@@ -340,11 +339,9 @@ hash_netport6_data_next(struct hash_netport4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#define MTYPE hash_netport6
-#define PF 6
#define HOST_MASK 128
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index 7cfd2df..69e544f 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -139,7 +139,6 @@ hash_netportnet4_data_next(struct hash_netportnet4_elem *next,
}
#define MTYPE hash_netportnet4
-#define PF 4
#define HOST_MASK 32
#include "ip_set_hash_gen.h"
@@ -411,11 +410,9 @@ hash_netportnet6_data_next(struct hash_netportnet4_elem *next,
}
#undef MTYPE
-#undef PF
#undef HOST_MASK
#define MTYPE hash_netportnet6
-#define PF 6
#define HOST_MASK 128
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 07/21] netfilter: ipset: Return ipset error instead of bool
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (5 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 06/21] netfilter: ipset: Preprocessor directices cleanup Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 08/21] netfilter: ipset: Check IPSET_ATTR_PORT only once Pablo Neira Ayuso
` (14 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
Statement ret = func1() || func2() returns 0 when both func1()
and func2() return 0, or 1 if func1() or func2() returns non-zero.
However in our case func1() and func2() returns error code on
failure, so it seems good to propagate such error codes, rather
than returning 1 in case of failure.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_bitmap_ip.c | 7 +++++--
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 7 +++++--
net/netfilter/ipset/ip_set_hash_ip.c | 14 ++++++++++----
net/netfilter/ipset/ip_set_hash_ipmark.c | 14 ++++++++++----
net/netfilter/ipset/ip_set_hash_ipport.c | 14 ++++++++++----
net/netfilter/ipset/ip_set_hash_ipportip.c | 14 ++++++++++----
net/netfilter/ipset/ip_set_hash_ipportnet.c | 14 ++++++++++----
net/netfilter/ipset/ip_set_hash_net.c | 14 ++++++++++----
net/netfilter/ipset/ip_set_hash_netiface.c | 14 ++++++++++----
net/netfilter/ipset/ip_set_hash_netnet.c | 24 ++++++++++++++++++------
net/netfilter/ipset/ip_set_hash_netport.c | 14 ++++++++++----
net/netfilter/ipset/ip_set_hash_netportnet.c | 24 ++++++++++++++++++------
12 files changed, 126 insertions(+), 48 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index 55b083e..306a1bf 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -149,8 +149,11 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 8610474..c5f6a06 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -250,8 +250,11 @@ bitmap_ipmac_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index d21d1e6..1c469df 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -120,8 +120,11 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -258,8 +261,11 @@ hash_ip6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index e408bcf..82ef5b3 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -122,8 +122,11 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -255,8 +258,11 @@ hash_ipmark6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index c4383ad..5b36a4e 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -131,8 +131,11 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -298,8 +301,11 @@ hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index c48ff45..6a580e5 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -133,8 +133,11 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr4(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -306,8 +309,11 @@ hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index adc3f76..2b90a1d 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -188,8 +188,11 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -445,8 +448,11 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 1abfe74..15382e2 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -159,8 +159,11 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -330,8 +333,11 @@ hash_net6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 0ba6c58..66ac8dd 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -307,8 +307,11 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -543,8 +546,11 @@ hash_netiface6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
index 9c6da0c..f065024 100644
--- a/net/netfilter/ipset/ip_set_hash_netnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
@@ -181,9 +181,15 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -408,9 +414,15 @@ hash_netnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]) ||
- ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index f77afd4..624eb5b 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -181,8 +181,11 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -401,8 +404,11 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index 69e544f..7eed11b 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -199,9 +199,15 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip) ||
- ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP], &ip);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_hostipaddr4(tb[IPSET_ATTR_IP2], &ip2_from);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
@@ -474,9 +480,15 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_LINENO])
*lineno = nla_get_u32(tb[IPSET_ATTR_LINENO]);
- ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]) ||
- ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]) ||
- ip_set_get_extensions(set, tb, &ext);
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP], &e.ip[0]);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_ipaddr6(tb[IPSET_ATTR_IP2], &e.ip[1]);
+ if (ret)
+ return ret;
+
+ ret = ip_set_get_extensions(set, tb, &ext);
if (ret)
return ret;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 08/21] netfilter: ipset: Check IPSET_ATTR_PORT only once
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (6 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 07/21] netfilter: ipset: Return ipset error instead of bool Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 09/21] netfilter: ipset: Use HOST_MASK literal to represent host address CIDR len Pablo Neira Ayuso
` (13 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
We do not need to check tb[IPSET_ATTR_PORT] != NULL before
retrieving port, as this attribute is known to exist due to
ip_set_attr_netorder() returning true only when attribute
exists and it is in network byte order.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_ipport.c | 10 ++--------
net/netfilter/ipset/ip_set_hash_ipportip.c | 10 ++--------
net/netfilter/ipset/ip_set_hash_ipportnet.c | 10 ++--------
net/netfilter/ipset/ip_set_hash_netport.c | 10 ++--------
net/netfilter/ipset/ip_set_hash_netportnet.c | 10 ++--------
5 files changed, 10 insertions(+), 40 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 5b36a4e..299fab6 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -139,10 +139,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret)
return ret;
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
@@ -309,10 +306,7 @@ hash_ipport6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret)
return ret;
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 6a580e5..cb79466 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -145,10 +145,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret)
return ret;
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
@@ -321,10 +318,7 @@ hash_ipportip6_uadt(struct ip_set *set, struct nlattr *tb[],
if (ret)
return ret;
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 2b90a1d..2c39cae 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -207,10 +207,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
e.cidr = cidr - 1;
}
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
@@ -469,10 +466,7 @@ hash_ipportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
ip6_netmask(&e.ip2, e.cidr + 1);
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index 624eb5b..91c901c 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -196,10 +196,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
e.cidr = cidr - 1;
}
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
@@ -420,10 +417,7 @@ hash_netport6_uadt(struct ip_set *set, struct nlattr *tb[],
}
ip6_netmask(&e.ip, e.cidr + 1);
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index 7eed11b..1233442 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -225,10 +225,7 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
e.cidr[1] = cidr;
}
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
@@ -505,10 +502,7 @@ hash_netportnet6_uadt(struct ip_set *set, struct nlattr *tb[],
ip6_netmask(&e.ip[0], e.cidr[0]);
ip6_netmask(&e.ip[1], e.cidr[1]);
- if (tb[IPSET_ATTR_PORT])
- e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
- else
- return -IPSET_ERR_PROTOCOL;
+ e.port = nla_get_be16(tb[IPSET_ATTR_PORT]);
if (tb[IPSET_ATTR_PROTO]) {
e.proto = nla_get_u8(tb[IPSET_ATTR_PROTO]);
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 09/21] netfilter: ipset: Use HOST_MASK literal to represent host address CIDR len
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (7 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 08/21] netfilter: ipset: Check IPSET_ATTR_PORT only once Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 10/21] netfilter: ipset: Return bool values instead of int Pablo Neira Ayuso
` (12 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_bitmap_ip.c | 7 ++++---
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 3 ++-
net/netfilter/ipset/ip_set_hash_ip.c | 2 +-
net/netfilter/ipset/ip_set_hash_ipmark.c | 2 +-
net/netfilter/ipset/ip_set_hash_ipport.c | 2 +-
net/netfilter/ipset/ip_set_hash_ipportip.c | 2 +-
net/netfilter/ipset/ip_set_hash_ipportnet.c | 2 +-
7 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index 306a1bf..01b88ba 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -36,6 +36,7 @@ IP_SET_MODULE_DESC("bitmap:ip", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX);
MODULE_ALIAS("ip_set_bitmap:ip");
#define MTYPE bitmap_ip
+#define HOST_MASK 32
/* Type structure */
struct bitmap_ip {
@@ -177,7 +178,7 @@ bitmap_ip_uadt(struct ip_set *set, struct nlattr *tb[],
} else if (tb[IPSET_ATTR_CIDR]) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!cidr || cidr > 32)
+ if (!cidr || cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
} else
@@ -280,7 +281,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
} else if (tb[IPSET_ATTR_CIDR]) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (cidr >= 32)
+ if (cidr >= HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(first_ip, last_ip, cidr);
} else
@@ -289,7 +290,7 @@ bitmap_ip_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
if (tb[IPSET_ATTR_NETMASK]) {
netmask = nla_get_u8(tb[IPSET_ATTR_NETMASK]);
- if (netmask > 32)
+ if (netmask > HOST_MASK)
return -IPSET_ERR_INVALID_NETMASK;
first_ip &= ip_set_hostmask(netmask);
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index c5f6a06..46868b3 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -36,6 +36,7 @@ IP_SET_MODULE_DESC("bitmap:ip,mac", IPSET_TYPE_REV_MIN, IPSET_TYPE_REV_MAX);
MODULE_ALIAS("ip_set_bitmap:ip,mac");
#define MTYPE bitmap_ipmac
+#define HOST_MASK 32
#define IP_SET_BITMAP_STORED_TIMEOUT
enum {
@@ -346,7 +347,7 @@ bitmap_ipmac_create(struct net *net, struct ip_set *set, struct nlattr *tb[],
} else if (tb[IPSET_ATTR_CIDR]) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (cidr >= 32)
+ if (cidr >= HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(first_ip, last_ip, cidr);
} else
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index 1c469df..1a9ef0c 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -147,7 +147,7 @@ hash_ip4_uadt(struct ip_set *set, struct nlattr *tb[],
} else if (tb[IPSET_ATTR_CIDR]) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!cidr || cidr > 32)
+ if (!cidr || cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
}
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index 82ef5b3..4499373 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -149,7 +149,7 @@ hash_ipmark4_uadt(struct ip_set *set, struct nlattr *tb[],
} else if (tb[IPSET_ATTR_CIDR]) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!cidr || cidr > 32)
+ if (!cidr || cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
}
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 299fab6..4ae423c 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -170,7 +170,7 @@ hash_ipport4_uadt(struct ip_set *set, struct nlattr *tb[],
} else if (tb[IPSET_ATTR_CIDR]) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!cidr || cidr > 32)
+ if (!cidr || cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
}
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index cb79466..fb921a5 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -176,7 +176,7 @@ hash_ipportip4_uadt(struct ip_set *set, struct nlattr *tb[],
} else if (tb[IPSET_ATTR_CIDR]) {
u8 cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!cidr || cidr > 32)
+ if (!cidr || cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
}
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 2c39cae..4ae9804 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -248,7 +248,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
} else if (tb[IPSET_ATTR_CIDR]) {
cidr = nla_get_u8(tb[IPSET_ATTR_CIDR]);
- if (!cidr || cidr > 32)
+ if (!cidr || cidr > HOST_MASK)
return -IPSET_ERR_INVALID_CIDR;
ip_set_mask_from_to(ip, ip_to, cidr);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 10/21] netfilter: ipset: Return bool values instead of int
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (8 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 09/21] netfilter: ipset: Use HOST_MASK literal to represent host address CIDR len Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:31 ` Joe Perches
2015-05-18 16:25 ` [PATCH 11/21] netfilter: ipset: Check for comment netlink attribute length Pablo Neira Ayuso
` (11 subsequent siblings)
21 siblings, 1 reply; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_ip.c | 10 +++++-----
net/netfilter/ipset/ip_set_hash_ipmark.c | 8 ++++----
net/netfilter/ipset/ip_set_hash_ipport.c | 8 ++++----
net/netfilter/ipset/ip_set_hash_ipportip.c | 8 ++++----
net/netfilter/ipset/ip_set_hash_ipportnet.c | 8 ++++----
net/netfilter/ipset/ip_set_hash_mac.c | 7 ++++++-
net/netfilter/ipset/ip_set_hash_net.c | 8 ++++----
net/netfilter/ipset/ip_set_hash_netiface.c | 8 ++++----
net/netfilter/ipset/ip_set_hash_netport.c | 8 ++++----
net/netfilter/ipset/ip_set_hash_netportnet.c | 8 ++++----
10 files changed, 43 insertions(+), 38 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index 1a9ef0c..e90a82a 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -56,15 +56,15 @@ hash_ip4_data_equal(const struct hash_ip4_elem *e1,
return e1->ip == e2->ip;
}
-static inline bool
+static bool
hash_ip4_data_list(struct sk_buff *skb, const struct hash_ip4_elem *e)
{
if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, e->ip))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -198,10 +198,10 @@ hash_ip6_data_list(struct sk_buff *skb, const struct hash_ip6_elem *e)
{
if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &e->ip.in6))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index 4499373..8584284 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -63,10 +63,10 @@ hash_ipmark4_data_list(struct sk_buff *skb,
if (nla_put_ipaddr4(skb, IPSET_ATTR_IP, data->ip) ||
nla_put_net32(skb, IPSET_ATTR_MARK, htonl(data->mark)))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -193,10 +193,10 @@ hash_ipmark6_data_list(struct sk_buff *skb,
if (nla_put_ipaddr6(skb, IPSET_ATTR_IP, &data->ip.in6) ||
nla_put_net32(skb, IPSET_ATTR_MARK, htonl(data->mark)))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 4ae423c..73e4d86 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -69,10 +69,10 @@ hash_ipport4_data_list(struct sk_buff *skb,
nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -230,10 +230,10 @@ hash_ipport6_data_list(struct sk_buff *skb,
nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index fb921a5..4f8e584 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -70,10 +70,10 @@ hash_ipportip4_data_list(struct sk_buff *skb,
nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -239,10 +239,10 @@ hash_ipportip6_data_list(struct sk_buff *skb,
nla_put_net16(skb, IPSET_ATTR_PORT, data->port) ||
nla_put_u8(skb, IPSET_ATTR_PROTO, data->proto))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 4ae9804..4363a18 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -114,10 +114,10 @@ hash_ipportnet4_data_list(struct sk_buff *skb,
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -366,10 +366,10 @@ hash_ipportnet6_data_list(struct sk_buff *skb,
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_mac.c b/net/netfilter/ipset/ip_set_hash_mac.c
index 2b96234..3614683 100644
--- a/net/netfilter/ipset/ip_set_hash_mac.c
+++ b/net/netfilter/ipset/ip_set_hash_mac.c
@@ -52,7 +52,12 @@ hash_mac4_data_equal(const struct hash_mac4_elem *e1,
static inline bool
hash_mac4_data_list(struct sk_buff *skb, const struct hash_mac4_elem *e)
{
- return nla_put(skb, IPSET_ATTR_ETHER, ETH_ALEN, e->ether);
+ if (nla_put(skb, IPSET_ATTR_ETHER, ETH_ALEN, e->ether))
+ goto nla_put_failure;
+ return false;
+
+nla_put_failure:
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 15382e2..2feaed3 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -95,10 +95,10 @@ hash_net4_data_list(struct sk_buff *skb, const struct hash_net4_elem *data)
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -266,10 +266,10 @@ hash_net6_data_list(struct sk_buff *skb, const struct hash_net6_elem *data)
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 66ac8dd..322b773 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -193,10 +193,10 @@ hash_netiface4_data_list(struct sk_buff *skb,
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -446,10 +446,10 @@ hash_netiface6_data_list(struct sk_buff *skb,
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index 91c901c..bd45465 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -110,10 +110,10 @@ hash_netport4_data_list(struct sk_buff *skb,
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -325,10 +325,10 @@ hash_netport6_data_list(struct sk_buff *skb,
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index 1233442..dd64ba9 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -124,10 +124,10 @@ hash_netportnet4_data_list(struct sk_buff *skb,
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
@@ -399,10 +399,10 @@ hash_netportnet6_data_list(struct sk_buff *skb,
(flags &&
nla_put_net32(skb, IPSET_ATTR_CADT_FLAGS, htonl(flags))))
goto nla_put_failure;
- return 0;
+ return false;
nla_put_failure:
- return 1;
+ return true;
}
static inline void
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 11/21] netfilter: ipset: Check for comment netlink attribute length
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (9 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 10/21] netfilter: ipset: Return bool values instead of int Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 12/21] netfilter: ipset: Fix ext_*() macros Pablo Neira Ayuso
` (10 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
Ensure userspace supplies string not longer than
IPSET_MAX_COMMENT_SIZE.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_bitmap_ip.c | 3 ++-
net/netfilter/ipset/ip_set_bitmap_ipmac.c | 3 ++-
net/netfilter/ipset/ip_set_bitmap_port.c | 3 ++-
net/netfilter/ipset/ip_set_hash_ip.c | 3 ++-
net/netfilter/ipset/ip_set_hash_ipmark.c | 3 ++-
net/netfilter/ipset/ip_set_hash_ipport.c | 3 ++-
net/netfilter/ipset/ip_set_hash_ipportip.c | 3 ++-
net/netfilter/ipset/ip_set_hash_ipportnet.c | 3 ++-
net/netfilter/ipset/ip_set_hash_mac.c | 3 ++-
net/netfilter/ipset/ip_set_hash_net.c | 3 ++-
net/netfilter/ipset/ip_set_hash_netiface.c | 3 ++-
net/netfilter/ipset/ip_set_hash_netnet.c | 3 ++-
net/netfilter/ipset/ip_set_hash_netport.c | 3 ++-
net/netfilter/ipset/ip_set_hash_netportnet.c | 3 ++-
net/netfilter/ipset/ip_set_list_set.c | 3 ++-
15 files changed, 30 insertions(+), 15 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_bitmap_ip.c b/net/netfilter/ipset/ip_set_bitmap_ip.c
index 01b88ba..2fe6de4 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -364,7 +364,8 @@ static struct ip_set_type bitmap_ip_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
index 46868b3..eb18856 100644
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -401,7 +401,8 @@ static struct ip_set_type bitmap_ipmac_type = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_bitmap_port.c b/net/netfilter/ipset/ip_set_bitmap_port.c
index 005dd36..898edb6 100644
--- a/net/netfilter/ipset/ip_set_bitmap_port.c
+++ b/net/netfilter/ipset/ip_set_bitmap_port.c
@@ -294,7 +294,8 @@ static struct ip_set_type bitmap_port_type = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index e90a82a..ee7a72b 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -304,7 +304,8 @@ static struct ip_set_type hash_ip_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index 8584284..6ac7073 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -310,7 +310,8 @@ static struct ip_set_type hash_ipmark_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index 73e4d86..a3117d4e 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -373,7 +373,8 @@ static struct ip_set_type hash_ipport_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_ipportip.c b/net/netfilter/ipset/ip_set_hash_ipportip.c
index 4f8e584..89615f1 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportip.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportip.c
@@ -385,7 +385,8 @@ static struct ip_set_type hash_ipportip_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 4363a18..6ba7a7e 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -544,7 +544,8 @@ static struct ip_set_type hash_ipportnet_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_mac.c b/net/netfilter/ipset/ip_set_hash_mac.c
index 3614683..1f8668d 100644
--- a/net/netfilter/ipset/ip_set_hash_mac.c
+++ b/net/netfilter/ipset/ip_set_hash_mac.c
@@ -153,7 +153,8 @@ static struct ip_set_type hash_mac_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 2feaed3..2e63dad 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -386,7 +386,8 @@ static struct ip_set_type hash_net_type __read_mostly = {
[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 322b773..07920b6 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -616,7 +616,8 @@ static struct ip_set_type hash_netiface_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
index f065024..8470474 100644
--- a/net/netfilter/ipset/ip_set_hash_netnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
@@ -479,7 +479,8 @@ static struct ip_set_type hash_netnet_type __read_mostly = {
[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index bd45465..8273819 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -492,7 +492,8 @@ static struct ip_set_type hash_netport_type __read_mostly = {
[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index dd64ba9..1451a8a 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -580,7 +580,8 @@ static struct ip_set_type hash_netportnet_type __read_mostly = {
[IPSET_ATTR_LINENO] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index f8f6828..5bd3b1e 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -678,7 +678,8 @@ static struct ip_set_type list_set_type __read_mostly = {
[IPSET_ATTR_CADT_FLAGS] = { .type = NLA_U32 },
[IPSET_ATTR_BYTES] = { .type = NLA_U64 },
[IPSET_ATTR_PACKETS] = { .type = NLA_U64 },
- [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING },
+ [IPSET_ATTR_COMMENT] = { .type = NLA_NUL_STRING,
+ .len = IPSET_MAX_COMMENT_SIZE },
[IPSET_ATTR_SKBMARK] = { .type = NLA_U64 },
[IPSET_ATTR_SKBPRIO] = { .type = NLA_U32 },
[IPSET_ATTR_SKBQUEUE] = { .type = NLA_U16 },
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 12/21] netfilter: ipset: Fix ext_*() macros
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (10 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 11/21] netfilter: ipset: Check for comment netlink attribute length Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 13/21] netfilter: ipset: Fix hashing for ipv6 sets Pablo Neira Ayuso
` (9 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
So pointers returned by these macros could be
referenced with -> directly.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/ipset/ip_set.h | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 34b1723..f88be72 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -122,13 +122,13 @@ struct ip_set_skbinfo {
struct ip_set;
#define ext_timeout(e, s) \
-(unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT])
+((unsigned long *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_TIMEOUT]))
#define ext_counter(e, s) \
-(struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER])
+((struct ip_set_counter *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COUNTER]))
#define ext_comment(e, s) \
-(struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT])
+((struct ip_set_comment *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_COMMENT]))
#define ext_skbinfo(e, s) \
-(struct ip_set_skbinfo *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_SKBINFO])
+((struct ip_set_skbinfo *)(((void *)(e)) + (s)->offset[IPSET_EXT_ID_SKBINFO]))
typedef int (*ipset_adtfn)(struct ip_set *set, void *value,
const struct ip_set_ext *ext,
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 13/21] netfilter: ipset: Fix hashing for ipv6 sets
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (11 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 12/21] netfilter: ipset: Fix ext_*() macros Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 14/21] netfilter: ipset: Improve preprocessor macros checks Pablo Neira Ayuso
` (8 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
HKEY_DATALEN remains defined after first inclusion
of ip_set_hash_gen.h, so it is incorrectly reused
for IPv6 code.
Undefine HKEY_DATALEN in ip_set_hash_gen.h at the end.
Also remove some useless defines of HKEY_DATALEN in
ip_set_hash_{ip{,mark,port},netiface}.c as ip_set_hash_gen.h
defines it correctly for such set types anyway.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_gen.h | 2 ++
net/netfilter/ipset/ip_set_hash_ip.c | 1 -
net/netfilter/ipset/ip_set_hash_ipmark.c | 3 ---
net/netfilter/ipset/ip_set_hash_ipport.c | 3 ---
net/netfilter/ipset/ip_set_hash_netiface.c | 1 -
5 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index a043065..7b72209 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -1166,3 +1166,5 @@ IPSET_TOKEN(HTYPE, _create)(struct net *net, struct ip_set *set,
return 0;
}
#endif /* IP_SET_EMIT_CREATE */
+
+#undef HKEY_DATALEN
diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
index ee7a72b..54df48b 100644
--- a/net/netfilter/ipset/ip_set_hash_ip.c
+++ b/net/netfilter/ipset/ip_set_hash_ip.c
@@ -211,7 +211,6 @@ hash_ip6_data_next(struct hash_ip4_elem *next, const struct hash_ip6_elem *e)
#undef MTYPE
#undef HOST_MASK
-#undef HKEY_DATALEN
#define MTYPE hash_ip6
#define HOST_MASK 128
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index 6ac7073..061e7e8 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -78,7 +78,6 @@ hash_ipmark4_data_next(struct hash_ipmark4_elem *next,
#define MTYPE hash_ipmark4
#define HOST_MASK 32
-#define HKEY_DATALEN sizeof(struct hash_ipmark4_elem)
#include "ip_set_hash_gen.h"
static int
@@ -207,11 +206,9 @@ hash_ipmark6_data_next(struct hash_ipmark4_elem *next,
#undef MTYPE
#undef HOST_MASK
-#undef HKEY_DATALEN
#define MTYPE hash_ipmark6
#define HOST_MASK 128
-#define HKEY_DATALEN sizeof(struct hash_ipmark6_elem)
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index a3117d4e..e58704e 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -85,7 +85,6 @@ hash_ipport4_data_next(struct hash_ipport4_elem *next,
#define MTYPE hash_ipport4
#define HOST_MASK 32
-#define HKEY_DATALEN sizeof(struct hash_ipport4_elem)
#include "ip_set_hash_gen.h"
static int
@@ -245,11 +244,9 @@ hash_ipport6_data_next(struct hash_ipport4_elem *next,
#undef MTYPE
#undef HOST_MASK
-#undef HKEY_DATALEN
#define MTYPE hash_ipport6
#define HOST_MASK 128
-#define HKEY_DATALEN sizeof(struct hash_ipport6_elem)
#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index 07920b6..fe481f6 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -460,7 +460,6 @@ hash_netiface6_data_next(struct hash_netiface4_elem *next,
#undef MTYPE
#undef HOST_MASK
-#undef HKEY_DATALEN
#define MTYPE hash_netiface6
#define HOST_MASK 128
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 14/21] netfilter: ipset: Improve preprocessor macros checks
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (12 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 13/21] netfilter: ipset: Fix hashing for ipv6 sets Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 15/21] netfilter: ipset: Use better include files in xt_set.c Pablo Neira Ayuso
` (7 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Sergey Popovich <popovich_sergei@mail.ua>
Check if mandatory MTYPE, HTYPE and HOST_MASK macros
defined.
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_gen.h | 13 ++++++++++++-
net/netfilter/ipset/ip_set_hash_ipmark.c | 6 +++---
net/netfilter/ipset/ip_set_hash_ipport.c | 6 +++---
3 files changed, 18 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 7b72209..7952869 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -253,6 +253,14 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
#define mtype_variant IPSET_TOKEN(MTYPE, _variant)
#define mtype_data_match IPSET_TOKEN(MTYPE, _data_match)
+#ifndef MTYPE
+#error "MTYPE is not defined!"
+#endif
+
+#ifndef HOST_MASK
+#error "HOST_MASK is not defined!"
+#endif
+
#ifndef HKEY_DATALEN
#define HKEY_DATALEN sizeof(struct mtype_elem)
#endif
@@ -262,6 +270,9 @@ hbucket_elem_add(struct hbucket *n, u8 ahash_max, size_t dsize)
& jhash_mask(htable_bits))
#ifndef htype
+#ifndef HTYPE
+#error "HTYPE is not defined!"
+#endif /* HTYPE */
#define htype HTYPE
/* The generic hash structure */
@@ -288,7 +299,7 @@ struct htype {
struct net_prefixes nets[0]; /* book-keeping of prefixes */
#endif
};
-#endif
+#endif /* htype */
#ifdef IP_SET_HASH_WITH_NETS
/* Network cidr size book keeping when the hash stores different
diff --git a/net/netfilter/ipset/ip_set_hash_ipmark.c b/net/netfilter/ipset/ip_set_hash_ipmark.c
index 061e7e8..d231248 100644
--- a/net/netfilter/ipset/ip_set_hash_ipmark.c
+++ b/net/netfilter/ipset/ip_set_hash_ipmark.c
@@ -76,8 +76,8 @@ hash_ipmark4_data_next(struct hash_ipmark4_elem *next,
next->ip = d->ip;
}
-#define MTYPE hash_ipmark4
-#define HOST_MASK 32
+#define MTYPE hash_ipmark4
+#define HOST_MASK 32
#include "ip_set_hash_gen.h"
static int
@@ -209,7 +209,7 @@ hash_ipmark6_data_next(struct hash_ipmark4_elem *next,
#define MTYPE hash_ipmark6
#define HOST_MASK 128
-#define IP_SET_EMIT_CREATE
+#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
diff --git a/net/netfilter/ipset/ip_set_hash_ipport.c b/net/netfilter/ipset/ip_set_hash_ipport.c
index e58704e..a47c29f 100644
--- a/net/netfilter/ipset/ip_set_hash_ipport.c
+++ b/net/netfilter/ipset/ip_set_hash_ipport.c
@@ -83,8 +83,8 @@ hash_ipport4_data_next(struct hash_ipport4_elem *next,
next->port = d->port;
}
-#define MTYPE hash_ipport4
-#define HOST_MASK 32
+#define MTYPE hash_ipport4
+#define HOST_MASK 32
#include "ip_set_hash_gen.h"
static int
@@ -247,7 +247,7 @@ hash_ipport6_data_next(struct hash_ipport4_elem *next,
#define MTYPE hash_ipport6
#define HOST_MASK 128
-#define IP_SET_EMIT_CREATE
+#define IP_SET_EMIT_CREATE
#include "ip_set_hash_gen.h"
static int
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 15/21] netfilter: ipset: Use better include files in xt_set.c
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (13 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 14/21] netfilter: ipset: Improve preprocessor macros checks Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 16/21] netfilter: bridge: neigh_head and physoutdev can't be used at same time Pablo Neira Ayuso
` (6 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_set.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 8904598..b103e96 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -15,8 +15,9 @@
#include <linux/skbuff.h>
#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set.h>
#include <linux/netfilter/ipset/ip_set_timeout.h>
+#include <uapi/linux/netfilter/xt_set.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 16/21] netfilter: bridge: neigh_head and physoutdev can't be used at same time
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (14 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 15/21] netfilter: ipset: Use better include files in xt_set.c Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 17/21] netfilter: bridge: free nf_bridge info on xmit Pablo Neira Ayuso
` (5 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
The neigh_header is only needed when we detect DNAT after prerouting
and neigh cache didn't have a mac address for us.
The output port has not been chosen yet so we can re-use the storage
area, bringing struct size down to 32 bytes on x86_64.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/skbuff.h | 8 +++++---
net/bridge/br_netfilter.c | 2 ++
2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index c0b574a..3d932e6 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -170,12 +170,14 @@ struct nf_bridge_info {
BRNF_PROTO_UNCHANGED,
BRNF_PROTO_8021Q,
BRNF_PROTO_PPPOE
- } orig_proto;
+ } orig_proto:8;
bool pkt_otherhost;
unsigned int mask;
struct net_device *physindev;
- struct net_device *physoutdev;
- char neigh_header[8];
+ union {
+ struct net_device *physoutdev;
+ char neigh_header[8];
+ };
};
#endif
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index ab55e24..13973da 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -973,6 +973,8 @@ static void br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
nf_bridge->neigh_header,
ETH_HLEN - ETH_ALEN);
skb->dev = nf_bridge->physindev;
+
+ nf_bridge->physoutdev = NULL;
br_handle_frame_finish(NULL, skb);
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 17/21] netfilter: bridge: free nf_bridge info on xmit
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (15 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 16/21] netfilter: bridge: neigh_head and physoutdev can't be used at same time Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 18/21] netfilter: ipset: deinline ip_set_put_extensions() Pablo Neira Ayuso
` (4 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Florian Westphal <fw@strlen.de>
nf_bridge information is only needed for -m physdev, so we can always free
it after POST_ROUTING. This has the advantage that allocation and free will
typically happen on the same cpu.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/bridge/br_netfilter.c | 17 +++++++++++++++--
1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 13973da..2b0e8bb 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -129,6 +129,14 @@ static struct nf_bridge_info *nf_bridge_info_get(const struct sk_buff *skb)
return skb->nf_bridge;
}
+static void nf_bridge_info_free(struct sk_buff *skb)
+{
+ if (skb->nf_bridge) {
+ nf_bridge_put(skb->nf_bridge);
+ skb->nf_bridge = NULL;
+ }
+}
+
static inline struct rtable *bridge_parent_rtable(const struct net_device *dev)
{
struct net_bridge_port *port;
@@ -841,6 +849,7 @@ static int br_nf_push_frag_xmit(struct sock *sk, struct sk_buff *skb)
skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size);
__skb_push(skb, data->encap_size);
+ nf_bridge_info_free(skb);
return br_dev_queue_push_xmit(sk, skb);
}
@@ -850,8 +859,10 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
int frag_max_size;
unsigned int mtu_reserved;
- if (skb_is_gso(skb) || skb->protocol != htons(ETH_P_IP))
+ if (skb_is_gso(skb) || skb->protocol != htons(ETH_P_IP)) {
+ nf_bridge_info_free(skb);
return br_dev_queue_push_xmit(sk, skb);
+ }
mtu_reserved = nf_bridge_mtu_reduction(skb);
/* This is wrong! We should preserve the original fragment
@@ -877,6 +888,7 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
ret = ip_fragment(sk, skb, br_nf_push_frag_xmit);
} else {
+ nf_bridge_info_free(skb);
ret = br_dev_queue_push_xmit(sk, skb);
}
@@ -885,7 +897,8 @@ static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
#else
static int br_nf_dev_queue_xmit(struct sock *sk, struct sk_buff *skb)
{
- return br_dev_queue_push_xmit(sk, skb);
+ nf_bridge_info_free(skb);
+ return br_dev_queue_push_xmit(sk, skb);
}
#endif
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 18/21] netfilter: ipset: deinline ip_set_put_extensions()
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (16 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 17/21] netfilter: bridge: free nf_bridge info on xmit Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 19/21] netfilter: xt_MARK: Add ARP support Pablo Neira Ayuso
` (3 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Denys Vlasenko <dvlasenk@redhat.com>
On x86 allyesconfig build:
The function compiles to 489 bytes of machine code.
It has 25 callsites.
text data bss dec hex filename
82441375 22255384 20627456 125324215 7784bb7 vmlinux.before
82434909 22255384 20627456 125317749 7783275 vmlinux
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
CC: Eric W. Biederman <ebiederm@xmission.com>
CC: David S. Miller <davem@davemloft.net>
CC: Jan Engelhardt <jengelh@medozas.de>
CC: Jiri Pirko <jpirko@redhat.com>
CC: linux-kernel@vger.kernel.org
CC: netdev@vger.kernel.org
CC: netfilter-devel@vger.kernel.org
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/netfilter/ipset/ip_set.h | 24 ++----------------------
net/netfilter/ipset/ip_set_core.c | 25 +++++++++++++++++++++++++
2 files changed, 27 insertions(+), 22 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index f88be72..ffdfdc2 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -533,29 +533,9 @@ bitmap_bytes(u32 a, u32 b)
#include <linux/netfilter/ipset/ip_set_timeout.h>
#include <linux/netfilter/ipset/ip_set_comment.h>
-static inline int
+int
ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
- const void *e, bool active)
-{
- if (SET_WITH_TIMEOUT(set)) {
- unsigned long *timeout = ext_timeout(e, set);
-
- if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
- htonl(active ? ip_set_timeout_get(timeout)
- : *timeout)))
- return -EMSGSIZE;
- }
- if (SET_WITH_COUNTER(set) &&
- ip_set_put_counter(skb, ext_counter(e, set)))
- return -EMSGSIZE;
- if (SET_WITH_COMMENT(set) &&
- ip_set_put_comment(skb, ext_comment(e, set)))
- return -EMSGSIZE;
- if (SET_WITH_SKBINFO(set) &&
- ip_set_put_skbinfo(skb, ext_skbinfo(e, set)))
- return -EMSGSIZE;
- return 0;
-}
+ const void *e, bool active);
#define IP_SET_INIT_KEXT(skb, opt, set) \
{ .bytes = (skb)->len, .packets = 1, \
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index 7f9c056..475e496 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -432,6 +432,31 @@ ip_set_get_extensions(struct ip_set *set, struct nlattr *tb[],
}
EXPORT_SYMBOL_GPL(ip_set_get_extensions);
+int
+ip_set_put_extensions(struct sk_buff *skb, const struct ip_set *set,
+ const void *e, bool active)
+{
+ if (SET_WITH_TIMEOUT(set)) {
+ unsigned long *timeout = ext_timeout(e, set);
+
+ if (nla_put_net32(skb, IPSET_ATTR_TIMEOUT,
+ htonl(active ? ip_set_timeout_get(timeout)
+ : *timeout)))
+ return -EMSGSIZE;
+ }
+ if (SET_WITH_COUNTER(set) &&
+ ip_set_put_counter(skb, ext_counter(e, set)))
+ return -EMSGSIZE;
+ if (SET_WITH_COMMENT(set) &&
+ ip_set_put_comment(skb, ext_comment(e, set)))
+ return -EMSGSIZE;
+ if (SET_WITH_SKBINFO(set) &&
+ ip_set_put_skbinfo(skb, ext_skbinfo(e, set)))
+ return -EMSGSIZE;
+ return 0;
+}
+EXPORT_SYMBOL_GPL(ip_set_put_extensions);
+
/*
* Creating/destroying/renaming/swapping affect the existence and
* the properties of a set. All of these can be executed from userspace
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 19/21] netfilter: xt_MARK: Add ARP support
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (17 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 18/21] netfilter: ipset: deinline ip_set_put_extensions() Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 20/21] netfilter: x_tables: add context to know if extension runs from nft_compat Pablo Neira Ayuso
` (2 subsequent siblings)
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Zhang Chunyu <zhangcy@cn.fujitsu.com>
Add arpt_MARK to xt_mark.
The corresponding userspace update is available at:
http://git.netfilter.org/arptables/commit/?id=4bb2f8340783fd3a3f70aa6f8807428a280f8474
Signed-off-by: Zhang Chunyu <zhangcy@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_mark.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 2334523..ebd41dc 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -23,6 +23,7 @@ MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
+MODULE_ALIAS("arpt_MARK");
static unsigned int
mark_tg(struct sk_buff *skb, const struct xt_action_param *par)
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 20/21] netfilter: x_tables: add context to know if extension runs from nft_compat
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (18 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 19/21] netfilter: xt_MARK: Add ARP support Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 21/21] netfilter: Use correct return for seq_show functions Pablo Neira Ayuso
2015-05-18 18:48 ` [PATCH 00/21] Netfilter updates for net-next David Miller
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Currently, we have four xtables extensions that cannot be used from the
xt over nft compat layer. The problem is that they need real access to
the full blown xt_entry to validate that the rule comes with the right
dependencies. This check was introduced to overcome the lack of
sufficient userspace dependency validation in iptables.
To resolve this problem, this patch introduces a new field to the
xt_tgchk_param structure that tell us if the extension is run from
nft_compat context.
The three affected extensions are:
1) CLUSTERIP, this target has been superseded by xt_cluster. So just
bail out by returning -EINVAL.
2) TCPMSS. Relax the checking when used from nft_compat. If used with
the wrong configuration, it will corrupt !syn packets by adding TCP
MSS option.
3) ebt_stp. Relax the check to make sure it uses the reserved
destination MAC address for STP.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
---
include/linux/netfilter/x_tables.h | 2 ++
net/bridge/netfilter/ebt_stp.c | 6 ++++--
net/ipv4/netfilter/ipt_CLUSTERIP.c | 5 +++++
net/netfilter/nft_compat.c | 2 ++
net/netfilter/xt_TCPMSS.c | 6 ++++++
5 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index a3e215b..09f3820 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -62,6 +62,7 @@ struct xt_mtchk_param {
void *matchinfo;
unsigned int hook_mask;
u_int8_t family;
+ bool nft_compat;
};
/**
@@ -92,6 +93,7 @@ struct xt_tgchk_param {
void *targinfo;
unsigned int hook_mask;
u_int8_t family;
+ bool nft_compat;
};
/* Target destructor parameters */
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c
index 071d872..0c40570 100644
--- a/net/bridge/netfilter/ebt_stp.c
+++ b/net/bridge/netfilter/ebt_stp.c
@@ -164,8 +164,10 @@ static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
!(info->bitmask & EBT_STP_MASK))
return -EINVAL;
/* Make sure the match only receives stp frames */
- if (!ether_addr_equal(e->destmac, bridge_ula) ||
- !ether_addr_equal(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
+ if (!par->nft_compat &&
+ (!ether_addr_equal(e->destmac, bridge_ula) ||
+ !ether_addr_equal(e->destmsk, msk) ||
+ !(e->bitmask & EBT_DESTMAC)))
return -EINVAL;
return 0;
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 771ab3d..45cb16a 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -367,6 +367,11 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
struct clusterip_config *config;
int ret;
+ if (par->nft_compat) {
+ pr_err("cannot use CLUSTERIP target from nftables compat\n");
+ return -EOPNOTSUPP;
+ }
+
if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 7f29cfc..66def31 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -161,6 +161,7 @@ nft_target_set_tgchk_param(struct xt_tgchk_param *par,
par->hook_mask = 0;
}
par->family = ctx->afi->family;
+ par->nft_compat = true;
}
static void target_compat_from_user(struct xt_target *t, void *in, void *out)
@@ -377,6 +378,7 @@ nft_match_set_mtchk_param(struct xt_mtchk_param *par, const struct nft_ctx *ctx,
par->hook_mask = 0;
}
par->family = ctx->afi->family;
+ par->nft_compat = true;
}
static void match_compat_from_user(struct xt_match *m, void *in, void *out)
diff --git a/net/netfilter/xt_TCPMSS.c b/net/netfilter/xt_TCPMSS.c
index e762de5..8c3190e 100644
--- a/net/netfilter/xt_TCPMSS.c
+++ b/net/netfilter/xt_TCPMSS.c
@@ -277,6 +277,9 @@ static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
"FORWARD, OUTPUT and POSTROUTING hooks\n");
return -EINVAL;
}
+ if (par->nft_compat)
+ return 0;
+
xt_ematch_foreach(ematch, e)
if (find_syn_match(ematch))
return 0;
@@ -299,6 +302,9 @@ static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
"FORWARD, OUTPUT and POSTROUTING hooks\n");
return -EINVAL;
}
+ if (par->nft_compat)
+ return 0;
+
xt_ematch_foreach(ematch, e)
if (find_syn_match(ematch))
return 0;
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* [PATCH 21/21] netfilter: Use correct return for seq_show functions
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (19 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 20/21] netfilter: x_tables: add context to know if extension runs from nft_compat Pablo Neira Ayuso
@ 2015-05-18 16:25 ` Pablo Neira Ayuso
2015-05-18 18:48 ` [PATCH 00/21] Netfilter updates for net-next David Miller
21 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Joe Perches <joe@perches.com>
Using seq_has_overflowed doesn't produce the right return value.
Either 0 or -1 is, but 0 is much more common and works well when
seq allocation retries.
I believe this doesn't matter as the initial allocation is always
sufficient, this is just a correctness patch.
Miscellanea:
o Don't use strlen, use *ptr to determine if a string
should be emitted like all the other tests here
o Delete unnecessary return statements
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_queue_core.c | 2 +-
net/netfilter/x_tables.c | 18 ++++++------------
2 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nfnetlink_queue_core.c b/net/netfilter/nfnetlink_queue_core.c
index 0b98c74..bec7c60 100644
--- a/net/netfilter/nfnetlink_queue_core.c
+++ b/net/netfilter/nfnetlink_queue_core.c
@@ -1257,7 +1257,7 @@ static int seq_show(struct seq_file *s, void *v)
inst->copy_mode, inst->copy_range,
inst->queue_dropped, inst->queue_user_dropped,
inst->id_sequence, 1);
- return seq_has_overflowed(s);
+ return 0;
}
static const struct seq_operations nfqnl_seq_ops = {
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 51a459c..8303246 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -947,11 +947,9 @@ static int xt_table_seq_show(struct seq_file *seq, void *v)
{
struct xt_table *table = list_entry(v, struct xt_table, list);
- if (strlen(table->name)) {
+ if (*table->name)
seq_printf(seq, "%s\n", table->name);
- return seq_has_overflowed(seq);
- } else
- return 0;
+ return 0;
}
static const struct seq_operations xt_table_seq_ops = {
@@ -1087,10 +1085,8 @@ static int xt_match_seq_show(struct seq_file *seq, void *v)
if (trav->curr == trav->head)
return 0;
match = list_entry(trav->curr, struct xt_match, list);
- if (*match->name == '\0')
- return 0;
- seq_printf(seq, "%s\n", match->name);
- return seq_has_overflowed(seq);
+ if (*match->name)
+ seq_printf(seq, "%s\n", match->name);
}
return 0;
}
@@ -1142,10 +1138,8 @@ static int xt_target_seq_show(struct seq_file *seq, void *v)
if (trav->curr == trav->head)
return 0;
target = list_entry(trav->curr, struct xt_target, list);
- if (*target->name == '\0')
- return 0;
- seq_printf(seq, "%s\n", target->name);
- return seq_has_overflowed(seq);
+ if (*target->name)
+ seq_printf(seq, "%s\n", target->name);
}
return 0;
}
--
1.7.10.4
^ permalink raw reply related [flat|nested] 35+ messages in thread
* Re: [PATCH 10/21] netfilter: ipset: Return bool values instead of int
2015-05-18 16:25 ` [PATCH 10/21] netfilter: ipset: Return bool values instead of int Pablo Neira Ayuso
@ 2015-05-18 16:31 ` Joe Perches
2015-05-18 16:52 ` Pablo Neira Ayuso
0 siblings, 1 reply; 35+ messages in thread
From: Joe Perches @ 2015-05-18 16:31 UTC (permalink / raw)
To: Pablo Neira Ayuso, Sergey Popovich; +Cc: netfilter-devel, davem, netdev
On Mon, 2015-05-18 at 18:25 +0200, Pablo Neira Ayuso wrote:
> From: Sergey Popovich <popovich_sergei@mail.ua>
[]
> diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
[]
> @@ -56,15 +56,15 @@ hash_ip4_data_equal(const struct hash_ip4_elem *e1,
> return e1->ip == e2->ip;
> }
>
> -static inline bool
> +static bool
It's nicer when a change like this, which doesn't fit the
subject description, is explained or described in the commit log.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 10/21] netfilter: ipset: Return bool values instead of int
2015-05-18 16:31 ` Joe Perches
@ 2015-05-18 16:52 ` Pablo Neira Ayuso
0 siblings, 0 replies; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-05-18 16:52 UTC (permalink / raw)
To: Joe Perches; +Cc: Sergey Popovich, netfilter-devel, davem, netdev
On Mon, May 18, 2015 at 09:31:30AM -0700, Joe Perches wrote:
> On Mon, 2015-05-18 at 18:25 +0200, Pablo Neira Ayuso wrote:
> > From: Sergey Popovich <popovich_sergei@mail.ua>
> []
> > diff --git a/net/netfilter/ipset/ip_set_hash_ip.c b/net/netfilter/ipset/ip_set_hash_ip.c
> []
> > @@ -56,15 +56,15 @@ hash_ip4_data_equal(const struct hash_ip4_elem *e1,
> > return e1->ip == e2->ip;
> > }
> >
> > -static inline bool
> > +static bool
>
> It's nicer when a change like this, which doesn't fit the
> subject description, is explained or described in the commit log.
I indicated this in the patchset description:
"10) Return true/false instead of 0/1 in functions that return boolean
in the ipset code."
but I agree that this should show in the description as well to make
this self-contained.
I'll put a closer look on this next time, sorry.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 00/21] Netfilter updates for net-next
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
` (20 preceding siblings ...)
2015-05-18 16:25 ` [PATCH 21/21] netfilter: Use correct return for seq_show functions Pablo Neira Ayuso
@ 2015-05-18 18:48 ` David Miller
21 siblings, 0 replies; 35+ messages in thread
From: David Miller @ 2015-05-18 18:48 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 18 May 2015 18:25:03 +0200
> The following patchset contains Netfilter updates for net-next. Briefly
> speaking, cleanups and minor fixes for ipset from Jozsef Kadlecsik and
> Serget Popovich, more incremental updates to make br_netfilter a better
> place from Florian Westphal, ARP support to the x_tables mark match /
> target from and context Zhang Chunyu and the addition of context to know
> that the x_tables runs through nft_compat. More specifically, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 00/21] Netfilter updates for net-next
2020-01-18 20:13 Pablo Neira Ayuso
@ 2020-01-19 9:33 ` David Miller
0 siblings, 0 replies; 35+ messages in thread
From: David Miller @ 2020-01-19 9:33 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sat, 18 Jan 2020 21:13:56 +0100
> The following patchset contains Netfilter updates for net-next, they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 00/21] Netfilter updates for net-next
@ 2020-01-18 20:13 Pablo Neira Ayuso
2020-01-19 9:33 ` David Miller
0 siblings, 1 reply; 35+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-18 20:13 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter updates for net-next, they are:
1) Incorrect uapi header comment in bitwise, from Jeremy Sowden.
2) Fetch flow statistics if flow is still active.
3) Restrict flow matching on hardware based on input device.
4) Add nf_flow_offload_work_alloc() helper function.
5) Remove the last client of the FLOW_OFFLOAD_DYING flag, use teardown
instead.
6) Use atomic bitwise operation to operate with flow flags.
7) Add nf_flowtable_hw_offload() helper function to check for the
NF_FLOWTABLE_HW_OFFLOAD flag.
8) Add NF_FLOW_HW_REFRESH to retry hardware offload from the flowtable
software datapath.
9) Remove indirect calls in xt_hashlimit, from Florian Westphal.
10) Add nf_flow_offload_tuple() helper to consolidate code.
11) Add nf_flow_table_offload_cmd() helper function.
12) A few whitespace cleanups in nf_tables in bitwise and the bitmap/hash
set types, from Jeremy Sowden.
13) Cleanup netlink attribute checks in bitwise, from Jeremy Sowden.
14) Replace goto by return in error path of nft_bitwise_dump(), from
Jeremy Sowden.
15) Add bitwise operation netlink attribute, also from Jeremy.
16) Add nft_bitwise_init_bool(), from Jeremy Sowden.
17) Add nft_bitwise_eval_bool(), also from Jeremy.
18) Add nft_bitwise_dump_bool(), from Jeremy Sowden.
19) Disallow hardware offload for other that NFT_BITWISE_BOOL,
from Jeremy Sowden.
20) Add NFTA_BITWISE_DATA netlink attribute, again from Jeremy.
21) Add support for bitwise shift operation, from Jeremy Sowden.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thank you.
----------------------------------------------------------------
The following changes since commit 6bc8038035267d12df2bf78a8e1a5f07069fabb8:
sfc: remove duplicated include from efx.c (2020-01-16 10:06:18 +0100)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to 567d746b55bc66d3800c9ae91d50f0c5deb2fd93:
netfilter: bitwise: add support for shifts. (2020-01-16 15:52:02 +0100)
----------------------------------------------------------------
Florian Westphal (1):
netfilter: hashlimit: do not use indirect calls during gc
Jeremy Sowden (11):
netfilter: nft_bitwise: correct uapi header comment.
netfilter: nf_tables: white-space fixes.
netfilter: bitwise: remove NULL comparisons from attribute checks.
netfilter: bitwise: replace gotos with returns.
netfilter: bitwise: add NFTA_BITWISE_OP netlink attribute.
netfilter: bitwise: add helper for initializing boolean operations.
netfilter: bitwise: add helper for evaluating boolean operations.
netfilter: bitwise: add helper for dumping boolean operations.
netfilter: bitwise: only offload boolean operations.
netfilter: bitwise: add NFTA_BITWISE_DATA attribute.
netfilter: bitwise: add support for shifts.
Pablo Neira Ayuso (9):
netfilter: flowtable: fetch stats only if flow is still alive
netfilter: flowtable: restrict flow dissector match on meta ingress device
netfilter: flowtable: add nf_flow_offload_work_alloc()
netfilter: flowtable: remove dying bit, use teardown bit instead
netfilter: flowtable: use atomic bitwise operations for flow flags
netfilter: flowtable: add nf_flowtable_hw_offload() helper function
netfilter: flowtable: refresh flow if hardware offload fails
netfilter: flowtable: add nf_flow_offload_tuple() helper
netfilter: flowtable: add nf_flow_table_offload_cmd()
include/net/netfilter/nf_flow_table.h | 27 ++--
include/uapi/linux/netfilter/nf_tables.h | 26 +++-
net/netfilter/nf_flow_table_core.c | 31 +++--
net/netfilter/nf_flow_table_ip.c | 21 ++-
net/netfilter/nf_flow_table_offload.c | 164 ++++++++++++----------
net/netfilter/nft_bitwise.c | 224 +++++++++++++++++++++++++------
net/netfilter/nft_set_bitmap.c | 4 +-
net/netfilter/nft_set_hash.c | 2 +-
net/netfilter/xt_hashlimit.c | 22 +--
9 files changed, 352 insertions(+), 169 deletions(-)
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 00/21] Netfilter updates for net-next
2018-08-05 21:21 Pablo Neira Ayuso
@ 2018-08-06 0:06 ` David Miller
0 siblings, 0 replies; 35+ messages in thread
From: David Miller @ 2018-08-06 0:06 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 5 Aug 2018 23:21:20 +0200
> The following patchset contains Netfilter updates for your net-next tree:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 00/21] Netfilter updates for net-next
@ 2018-08-05 21:21 Pablo Neira Ayuso
2018-08-06 0:06 ` David Miller
0 siblings, 1 reply; 35+ messages in thread
From: Pablo Neira Ayuso @ 2018-08-05 21:21 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter updates for your net-next tree:
1) Support for transparent proxying for nf_tables, from Mate Eckl.
2) Patchset to add OS passive fingerprint recognition for nf_tables,
from Fernando Fernandez. This takes common code from xt_osf and
place it into the new nfnetlink_osf module for codebase sharing.
3) Lightweight tunneling support for nf_tables.
4) meta and lookup are likely going to be used in rulesets, make them
direct calls. From Florian Westphal.
A bunch of incremental updates:
5) use PTR_ERR_OR_ZERO() from nft_numgen, from YueHaibing.
6) Use kvmalloc_array() to allocate hashtables, from Li RongQing.
7) Explicit dependencies between nfnetlink_cttimeout and conntrack
timeout extensions, from Harsha Sharma.
8) Simplify NLM_F_CREATE handling in nf_tables.
9) Removed unused variable in the get element command, from
YueHaibing.
10) Expose bridge hook priorities through uapi, from Mate Eckl.
And a few fixes for previous Netfilter batch for net-next:
11) Use per-netns mutex from flowtable event, from Florian Westphal.
12) Remove explicit dependency on iptables CT target from conntrack
zones, from Florian.
13) Fix use-after-free in rmmod nf_conntrack path, also from Florian.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks.
----------------------------------------------------------------
The following changes since commit ecbcd689d74a394b711d2360aef7e5d007ec9d98:
Merge tag 'mlx5e-updates-2018-07-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux (2018-07-26 21:33:24 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to 483f3fdcc70b3c3a1f314235ab0066f3dbd4cfbe:
netfilter: nft_tunnel: fix sparse errors (2018-08-04 00:53:29 +0200)
----------------------------------------------------------------
Fernando Fernandez Mancera (5):
netfilter: nf_osf: rename nf_osf.c to nfnetlink_osf.c
netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c
netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf
netfilter: nf_osf: move nf_osf_fingers to non-uapi header file
netfilter: nfnetlink_osf: rename nf_osf header file to nfnetlink_osf
Florian Westphal (4):
netfilter: nf_tables: handle meta/lookup with direct call
netfilter: nf_tables: flow event notifier must use transaction mutex
netfilter: kconfig: remove ct zone/label dependencies
netfilter: conntrack: avoid use-after free on rmmod
Harsha Sharma (1):
netfilter: cttimeout: Make NF_CT_NETLINK_TIMEOUT depend on NF_CONNTRACK_TIMEOUT
Li RongQing (1):
netfilter: use kvmalloc_array to allocate memory for hashtable
Máté Eckl (3):
netfilter: nf_tables: Add native tproxy support
netfilter: nft_tproxy: Add missing config check
netfilter: bridge: Expose nf_tables bridge hook priorities through uapi
Pablo Neira Ayuso (5):
netfilter: nf_osf: add nf_osf_find()
netfilter: nf_tables: add tunnel support
netfilter: nf_tables: match on tunnel metadata
netfilter: nf_tables: simplify NLM_F_CREATE handling
netfilter: nft_tunnel: fix sparse errors
YueHaibing (2):
netfilter: use PTR_ERR_OR_ZERO()
netfilter: nf_tables: remove unused variable
.../linux/netfilter/{nf_osf.h => nfnetlink_osf.h} | 13 +-
include/linux/netfilter_bridge.h | 11 -
include/net/netfilter/nf_conntrack.h | 2 -
include/net/netfilter/nf_tables_core.h | 7 +
include/uapi/linux/netfilter/nf_tables.h | 107 +++-
.../linux/netfilter/{nf_osf.h => nfnetlink_osf.h} | 9 +
include/uapi/linux/netfilter/xt_osf.h | 11 +-
include/uapi/linux/netfilter_bridge.h | 11 +
net/bridge/br_netfilter_hooks.c | 1 +
net/bridge/netfilter/ebtable_filter.c | 1 +
net/bridge/netfilter/ebtable_nat.c | 1 +
net/core/dst.c | 1 +
net/netfilter/Kconfig | 45 +-
net/netfilter/Makefile | 5 +-
net/netfilter/nf_conntrack_core.c | 29 +-
net/netfilter/nf_conntrack_expect.c | 2 +-
net/netfilter/nf_conntrack_helper.c | 4 +-
net/netfilter/nf_conntrack_proto.c | 7 +-
net/netfilter/nf_nat_core.c | 4 +-
net/netfilter/nf_tables_api.c | 35 +-
net/netfilter/nf_tables_core.c | 16 +-
net/netfilter/nfnetlink_cttimeout.c | 6 -
net/netfilter/{nf_osf.c => nfnetlink_osf.c} | 186 ++++++-
net/netfilter/nft_lookup.c | 6 +-
net/netfilter/nft_meta.c | 6 +-
net/netfilter/nft_numgen.c | 4 +-
net/netfilter/nft_osf.c | 106 ++++
net/netfilter/nft_tproxy.c | 316 ++++++++++++
net/netfilter/nft_tunnel.c | 566 +++++++++++++++++++++
net/netfilter/xt_connlimit.c | 4 +-
net/netfilter/xt_osf.c | 149 +-----
31 files changed, 1417 insertions(+), 254 deletions(-)
rename include/linux/netfilter/{nf_osf.h => nfnetlink_osf.h} (74%)
rename include/uapi/linux/netfilter/{nf_osf.h => nfnetlink_osf.h} (94%)
rename net/netfilter/{nf_osf.c => nfnetlink_osf.c} (58%)
create mode 100644 net/netfilter/nft_osf.c
create mode 100644 net/netfilter/nft_tproxy.c
create mode 100644 net/netfilter/nft_tunnel.c
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 00/21] Netfilter updates for net-next
2017-02-12 19:42 Pablo Neira Ayuso
@ 2017-02-13 3:12 ` David Miller
0 siblings, 0 replies; 35+ messages in thread
From: David Miller @ 2017-02-13 3:12 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 12 Feb 2017 20:42:32 +0100
> The following patchset contains Netfilter updates for your net-next
> tree, most relevantly they are:
..
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled, I really like the RULE_ID generation count stuff for
userspace.
Thanks.
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 00/21] Netfilter updates for net-next
@ 2017-02-12 19:42 Pablo Neira Ayuso
2017-02-13 3:12 ` David Miller
0 siblings, 1 reply; 35+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-12 19:42 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter updates for your net-next
tree, most relevantly they are:
1) Extend nft_exthdr to allow to match TCP options bitfields, from
Manuel Messner.
2) Allow to check if IPv6 extension header is present in nf_tables,
from Phil Sutter.
3) Allow to set and match conntrack zone in nf_tables, patches from
Florian Westphal.
4) Several patches for the nf_tables set infrastructure, this includes
cleanup and preparatory patches to add the new bitmap set type.
5) Add optional ruleset generation ID check to nf_tables and allow to
delete rules that got no public handle yet via NFTA_RULE_ID. These
patches add the missing kernel infrastructure to support rule
deletion by description from userspace.
6) Missing NFT_SET_OBJECT flag to select the right backend when sets
stores an object map.
7) A couple of cleanups for the expectation and SIP helper, from Gao
feng.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit 6e7bc478c9a006c701c14476ec9d389a484b4864:
net: skb_needs_check() accepts CHECKSUM_NONE for tx (2017-02-03 17:33:01 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to 7286ff7fde9f963736c7e575572899d8e16b06b7:
netfilter: nf_tables: honor NFT_SET_OBJECT in set backend selection (2017-02-12 14:45:14 +0100)
----------------------------------------------------------------
Florian Westphal (3):
netfilter: nft_ct: add zone id get support
netfilter: nft_ct: prepare for key-dependent error unwind
netfilter: nft_ct: add zone id set support
Gao Feng (2):
netfilter: nf_ct_sip: Use mod_timer_pending()
netfilter: nf_ct_expect: nf_ct_expect_insert() returns void
Manuel Messner (1):
netfilter: nft_exthdr: add TCP option matching
Pablo Neira Ayuso (14):
netfilter: nf_tables: pass netns to set->ops->remove()
netfilter: nf_tables: use struct nft_set_iter in set element flush
netfilter: nf_tables: rename deactivate_one() to flush()
netfilter: nf_tables: add flush field to struct nft_set_iter
netfilter: nf_tables: rename struct nft_set_estimate class field
netfilter: nf_tables: add space notation to sets
netfilter: nf_tables: add bitmap set type
netfilter: nfnetlink: get rid of u_intX_t types
netfilter: nfnetlink: add nfnetlink_rcv_skb_batch()
netfilter: nfnetlink: allow to check for generation ID
netfilter: nf_tables: add check_genid to the nfnetlink subsystem
netfilter: nf_tables: add NFTA_RULE_ID attribute
netfilter: update MAINTAINERS
netfilter: nf_tables: honor NFT_SET_OBJECT in set backend selection
Phil Sutter (1):
netfilter: nft_exthdr: Add support for existence check
MAINTAINERS | 3 +-
include/linux/netfilter/nfnetlink.h | 1 +
include/net/netfilter/nf_tables.h | 21 ++-
include/uapi/linux/netfilter/nf_tables.h | 27 ++-
include/uapi/linux/netfilter/nfnetlink.h | 12 ++
net/netfilter/Kconfig | 10 +-
net/netfilter/Makefile | 1 +
net/netfilter/nf_conntrack_expect.c | 8 +-
net/netfilter/nf_conntrack_sip.c | 12 +-
net/netfilter/nf_tables_api.c | 89 ++++++---
net/netfilter/nfnetlink.c | 90 ++++++---
net/netfilter/nft_ct.c | 195 +++++++++++++++++--
net/netfilter/nft_exthdr.c | 139 ++++++++++++--
net/netfilter/nft_set_bitmap.c | 314 +++++++++++++++++++++++++++++++
net/netfilter/nft_set_hash.c | 16 +-
net/netfilter/nft_set_rbtree.c | 16 +-
16 files changed, 832 insertions(+), 122 deletions(-)
create mode 100644 net/netfilter/nft_set_bitmap.c
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 00/21] Netfilter updates for net-next
2015-04-13 19:29 Pablo Neira Ayuso
@ 2015-04-14 2:18 ` David Miller
0 siblings, 0 replies; 35+ messages in thread
From: David Miller @ 2015-04-14 2:18 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 13 Apr 2015 21:29:39 +0200
> A final pull request, I know it's very late but this time I think
> it's worth a bit of rush.
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 00/21] Netfilter updates for net-next
@ 2015-04-13 19:29 Pablo Neira Ayuso
2015-04-14 2:18 ` David Miller
0 siblings, 1 reply; 35+ messages in thread
From: Pablo Neira Ayuso @ 2015-04-13 19:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
A final pull request, I know it's very late but this time I think it's worth a
bit of rush.
The following patchset contains Netfilter/nf_tables updates for net-next, more
specifically concatenation support and dynamic stateful expression
instantiation.
This also comes with a couple of small patches. One to fix the ebtables.h
userspace header and another to get rid of an obsolete example file in tree
that describes a nf_tables expression.
This time, I decided to paste the original descriptions. This will result in a
rather large commit description, but I think these bytes to keep.
Patrick McHardy says:
====================
netfilter: nf_tables: concatenation support
The following patches add support for concatenations, which allow multi
dimensional exact matches in O(1).
The basic idea is to split the data registers, currently consisting of
4 registers of 16 bytes each, into smaller units, 16 registers of 4
bytes each, and making sure each register store always leaves the
full 32 bit in a well defined state, meaning smaller stores will
zero the remaining bits.
Based on that, we can load multiple adjacent registers with different
values, thereby building a concatenated bigger value, and use that
value for set lookups.
Sets are changed to use variable sized extensions for their key and
data values, removing the fixed limit of 16 bytes while saving memory
if less space is needed.
As a side effect, these patches will allow some nice optimizations in
the future, like using jhash2 in nft_hash, removing the masking in
nft_cmp_fast, optimized data comparison using 32 bit word size etc.
These are not done so far however.
The patches are split up as follows:
* the first five patches add length validation to register loads and
stores to make sure we stay within bounds and prepare the validation
functions for the new addressing mode
* the next patches prepare for changing to 32 bit addressing by
introducing a struct nft_regs, which holds the verdict register as
well as the data registers. The verdict members are moved to a new
struct nft_verdict to allow to pull struct nft_data out of the stack.
* the next patches contain preparatory conversions of expressions and
sets to use 32 bit addressing
* the next patch introduces so far unused register conversion helpers
for parsing and dumping register numbers over netlink
* following is the real conversion to 32 bit addressing, consisting of
replacing struct nft_data in struct nft_regs by an array of u32s and
actually translating and validating the new register numbers.
* the final two patches add support for variable sized data items and
variable sized keys / data in set elements
The patches have been verified to work correctly with nft binaries using
both old and new addressing.
====================
Patrick McHardy says:
====================
netfilter: nf_tables: dynamic stateful expression instantiation
The following patches are the grand finale of my nf_tables set work,
using all the building blocks put in place by the previous patches
to support something like iptables hashlimit, but a lot more powerful.
Sets are extended to allow attaching expressions to set elements.
The dynset expression dynamically instantiates these expressions
based on a template when creating new set elements and evaluates
them for all new or updated set members.
In combination with concatenations this effectively creates state
tables for arbitrary combinations of keys, using the existing
expression types to maintain that state. Regular set GC takes care
of purging expired states.
We currently support two different stateful expressions, counter
and limit. Using limit as a template we can express the functionality
of hashlimit, but completely unrestricted in the combination of keys.
Using counter we can perform accounting for arbitrary flows.
The following examples from patch 5/5 show some possibilities.
Userspace syntax is still WIP, especially the listing of state
tables will most likely be seperated from normal set listings
and use a more structured format:
1. Limit the rate of new SSH connections per host, similar to iptables
hashlimit:
# nft filter input tcp dport ssh ct state new \
flow ip saddr timeout 60s \
limit 10/second \
accept
2. Account network traffic between each set of /24 networks:
# nft filter forward \
flow ip saddr & 255.255.255.0 . ip daddr & 255.255.255.0 \
counter
3. Account traffic to each host per user:
# nft filter output \
flow skuid . ip daddr \
counter
4. Account traffic for each combination of source address and TCP flags:
# nft filter input \
flow ip saddr . tcp flags \
counter
The resulting set content after a Xmas-scan look like this:
{
192.168.122.1 . fin | psh | urg : counter packets 1001 bytes 40040,
192.168.122.1 . ack : counter packets 74 bytes 3848,
192.168.122.1 . psh | ack : counter packets 35 bytes 3144
}
In the future the "expressions attached to elements" will be extended
to also support user created non-stateful expressions to allow to
efficiently select beween a set of parameter sets, f.i. a set of log
statements with different prefixes based on the interface, which currently
require one rule each. This will most likely have to wait until the next
kernel version though.
====================
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
Thanks!
----------------------------------------------------------------
The following changes since commit e60a9de49c3744aa44128eaaed3aca965911ca2e:
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue (2015-04-12 21:36:57 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
for you to fetch changes up to 97bb43c3e06e9bfdc9e3140a312004df462685b9:
netfilter: nf_tables: get rid of the expression example code (2015-04-13 20:20:09 +0200)
----------------------------------------------------------------
Pablo Neira Ayuso (2):
uapi: ebtables: don't include linux/if.h
netfilter: nf_tables: get rid of the expression example code
Patrick McHardy (19):
netfilter: nf_tables: validate len in nft_validate_data_load()
netfilter: nf_tables: rename nft_validate_data_load()
netfilter: nft_lookup: use nft_validate_register_store() to validate types
netfilter: nf_tables: kill nft_validate_output_register()
netfilter: nf_tables: introduce nft_validate_register_load()
netfilter: nf_tables: get rid of NFT_REG_VERDICT usage
netfilter: nf_tables: use struct nft_verdict within struct nft_data
netfilter: nf_tables: convert expressions to u32 register pointers
netfilter: nf_tables: kill nft_data_cmp()
netfilter: nf_tables: convert sets to u32 data pointers
netfilter: nf_tables: add register parsing/dumping helpers
netfilter: nf_tables: switch registers to 32 bit addressing
netfilter: nf_tables: support variable sized data in nft_data_init()
netfilter: nf_tables: variable sized set element keys / data
netfilter: nf_tables: add helper functions for expression handling
netfilter: nf_tables: prepare for expressions associated to set elements
netfilter: nf_tables: mark stateful expressions
netfilter: nf_tables: add flag to indicate set contains expressions
netfilter: nft_dynset: dynamic stateful expression instantiation
include/linux/netfilter_bridge/ebtables.h | 3 +-
include/net/netfilter/nf_tables.h | 103 ++++++---
include/net/netfilter/nft_meta.h | 4 +-
include/uapi/linux/netfilter/nf_tables.h | 40 +++-
include/uapi/linux/netfilter_bridge/ebtables.h | 2 -
net/bridge/netfilter/nft_meta_bridge.c | 26 +--
net/bridge/netfilter/nft_reject_bridge.c | 6 +-
net/ipv4/netfilter/nft_masq_ipv4.c | 9 +-
net/ipv4/netfilter/nft_redir_ipv4.c | 11 +-
net/ipv4/netfilter/nft_reject_ipv4.c | 4 +-
net/ipv6/netfilter/nft_masq_ipv6.c | 7 +-
net/ipv6/netfilter/nft_redir_ipv6.c | 11 +-
net/ipv6/netfilter/nft_reject_ipv6.c | 4 +-
net/netfilter/nf_tables_api.c | 271 +++++++++++++++++-------
net/netfilter/nf_tables_core.c | 41 ++--
net/netfilter/nft_bitwise.c | 37 ++--
net/netfilter/nft_byteorder.c | 40 ++--
net/netfilter/nft_cmp.c | 44 ++--
net/netfilter/nft_compat.c | 26 +--
net/netfilter/nft_counter.c | 3 +-
net/netfilter/nft_ct.c | 110 ++++++----
net/netfilter/nft_dynset.c | 79 +++++--
net/netfilter/nft_expr_template.c | 94 --------
net/netfilter/nft_exthdr.c | 23 +-
net/netfilter/nft_hash.c | 19 +-
net/netfilter/nft_immediate.c | 18 +-
net/netfilter/nft_limit.c | 5 +-
net/netfilter/nft_log.c | 2 +-
net/netfilter/nft_lookup.c | 31 ++-
net/netfilter/nft_meta.c | 107 +++++-----
net/netfilter/nft_nat.c | 71 ++++---
net/netfilter/nft_payload.c | 24 +--
net/netfilter/nft_queue.c | 4 +-
net/netfilter/nft_rbtree.c | 15 +-
net/netfilter/nft_redir.c | 19 +-
net/netfilter/nft_reject_inet.c | 5 +-
36 files changed, 739 insertions(+), 579 deletions(-)
delete mode 100644 net/netfilter/nft_expr_template.c
^ permalink raw reply [flat|nested] 35+ messages in thread
* Re: [PATCH 00/21] netfilter updates for net-next
2013-01-25 13:54 [PATCH 00/21] netfilter " pablo
@ 2013-01-27 5:56 ` David Miller
0 siblings, 0 replies; 35+ messages in thread
From: David Miller @ 2013-01-27 5:56 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: pablo@netfilter.org
Date: Fri, 25 Jan 2013 14:54:32 +0100
> * The new connlabel extension for x_tables, that allows us to attach
> labels to each conntrack flow. The kernel implementation uses a
> bitmask and there's a file in user-space that maps the bits with the
> corresponding string for each existing label. By now, you can attach
> up to 128 overlapping labels. From Florian Westphal.
>
> * A new round of improvements for the netns support for conntrack.
> Gao feng has moved many of the initialization code of each module
> of the netns init path. He also made several code refactoring, that
> code looks cleaner to me now.
>
> * Added documentation for all possible tweaks for nf_conntrack via
> sysctl, from Jiri Pirko.
>
> * Cisco 7941/7945 IP phone support for our SIP conntrack helper,
> from Kevin Cernekee.
>
> * Missing header file in the snmp helper, from Stephen Hemminger.
>
> * Finally, a couple of fixes to resolve minor issues with these
> changes, from myself.
>
> You can pull these changes from:
>
> git://1984.lsi.us.es/nf-next master
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 35+ messages in thread
* [PATCH 00/21] netfilter updates for net-next
@ 2013-01-25 13:54 pablo
2013-01-27 5:56 ` David Miller
0 siblings, 1 reply; 35+ messages in thread
From: pablo @ 2013-01-25 13:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Hi David,
This batch contains netfilter updates for you net-next tree, they are:
* The new connlabel extension for x_tables, that allows us to attach
labels to each conntrack flow. The kernel implementation uses a
bitmask and there's a file in user-space that maps the bits with the
corresponding string for each existing label. By now, you can attach
up to 128 overlapping labels. From Florian Westphal.
* A new round of improvements for the netns support for conntrack.
Gao feng has moved many of the initialization code of each module
of the netns init path. He also made several code refactoring, that
code looks cleaner to me now.
* Added documentation for all possible tweaks for nf_conntrack via
sysctl, from Jiri Pirko.
* Cisco 7941/7945 IP phone support for our SIP conntrack helper,
from Kevin Cernekee.
* Missing header file in the snmp helper, from Stephen Hemminger.
* Finally, a couple of fixes to resolve minor issues with these
changes, from myself.
You can pull these changes from:
git://1984.lsi.us.es/nf-next master
Thanks!
Florian Westphal (3):
netfilter: add connlabel conntrack extension
netfilter: ctnetlink: deliver labels to userspace
netfilter: ctnetlink: allow userspace to modify labels
Gao feng (11):
netfilter: nf_conntrack: move initialization out of pernet operations
netfilter: nf_ct_expect: move initialization out of pernet_operations
netfilter: nf_ct_acct: move initialization out of pernet_operations
netfilter: nf_ct_tstamp: move initialization out of pernet_operations
netfilter: nf_ct_ecache: move initialization out of pernet_operations
netfilter: nf_ct_timeout: move initialization out of pernet_operations
netfilter: nf_ct_helper: move initialization out of pernet_operations
netfilter: nf_ct_labels: move initialization out of pernet_operations
netfilter: nf_ct_proto: move initialization out of pernet_operations
netfilter: nf_conntrack: refactor l3proto support for netns
netfilter: nf_conntrack: refactor l4proto support for netns
Jiri Pirko (1):
netfilter: doc: add nf_conntrack sysctl api documentation
Kevin Cernekee (1):
netfilter: nf_ct_sip: support Cisco 7941/7945 IP phones
Pablo Neira Ayuso (3):
netfilter: add missing xt_bpf.h header in installation
netfilter: add missing xt_connlabel.h header in installation
netfilter: nf_conntrack: fix compilation if sysctl are disabled
Willem de Bruijn (1):
netfilter: x_tables: add xt_bpf match
stephen hemminger (1):
netfilter: nf_ct_snmp: add include file
Documentation/networking/nf_conntrack-sysctl.txt | 176 ++++++++++++++++++
include/linux/netfilter/nf_conntrack_sip.h | 3 +
include/net/netfilter/nf_conntrack_acct.h | 6 +-
include/net/netfilter/nf_conntrack_core.h | 15 +-
include/net/netfilter/nf_conntrack_ecache.h | 19 +-
include/net/netfilter/nf_conntrack_expect.h | 7 +-
include/net/netfilter/nf_conntrack_extend.h | 4 +
include/net/netfilter/nf_conntrack_helper.h | 7 +-
include/net/netfilter/nf_conntrack_l3proto.h | 11 +-
include/net/netfilter/nf_conntrack_l4proto.h | 10 +-
include/net/netfilter/nf_conntrack_labels.h | 58 ++++++
include/net/netfilter/nf_conntrack_timeout.h | 8 +-
include/net/netfilter/nf_conntrack_timestamp.h | 21 ++-
include/net/netns/conntrack.h | 4 +
include/uapi/linux/netfilter/Kbuild | 2 +
include/uapi/linux/netfilter/nf_conntrack_common.h | 1 +
include/uapi/linux/netfilter/nfnetlink_conntrack.h | 2 +
include/uapi/linux/netfilter/xt_bpf.h | 17 ++
include/uapi/linux/netfilter/xt_connlabel.h | 12 ++
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 82 ++++++---
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 86 ++++++---
net/netfilter/Kconfig | 27 +++
net/netfilter/Makefile | 3 +
net/netfilter/nf_conntrack_acct.c | 36 ++--
net/netfilter/nf_conntrack_core.c | 191 ++++++++++++--------
net/netfilter/nf_conntrack_ecache.c | 37 ++--
net/netfilter/nf_conntrack_expect.c | 53 +++---
net/netfilter/nf_conntrack_helper.c | 53 +++---
net/netfilter/nf_conntrack_labels.c | 112 ++++++++++++
net/netfilter/nf_conntrack_netlink.c | 88 +++++++++
net/netfilter/nf_conntrack_proto.c | 92 ++++------
net/netfilter/nf_conntrack_proto_dccp.c | 43 +++--
net/netfilter/nf_conntrack_proto_gre.c | 23 ++-
net/netfilter/nf_conntrack_proto_sctp.c | 43 +++--
net/netfilter/nf_conntrack_proto_udplite.c | 40 +++-
net/netfilter/nf_conntrack_sip.c | 17 ++
net/netfilter/nf_conntrack_snmp.c | 1 +
net/netfilter/nf_conntrack_standalone.c | 63 ++++---
net/netfilter/nf_conntrack_timeout.c | 23 +--
net/netfilter/nf_conntrack_timestamp.c | 39 ++--
net/netfilter/nf_nat_sip.c | 27 ++-
net/netfilter/xt_bpf.c | 73 ++++++++
net/netfilter/xt_connlabel.c | 99 ++++++++++
43 files changed, 1305 insertions(+), 429 deletions(-)
create mode 100644 Documentation/networking/nf_conntrack-sysctl.txt
create mode 100644 include/net/netfilter/nf_conntrack_labels.h
create mode 100644 include/uapi/linux/netfilter/xt_bpf.h
create mode 100644 include/uapi/linux/netfilter/xt_connlabel.h
create mode 100644 net/netfilter/nf_conntrack_labels.c
create mode 100644 net/netfilter/xt_bpf.c
create mode 100644 net/netfilter/xt_connlabel.c
--
1.7.10.4
^ permalink raw reply [flat|nested] 35+ messages in thread
end of thread, other threads:[~2020-01-19 9:35 UTC | newest]
Thread overview: 35+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-05-18 16:25 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 01/21] netfilter: ipset: Fix sparse warning Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 02/21] netfilter: ipset: Give a better name to a macro in ip_set_core.c Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 03/21] netfilter: ipset: make ip_set_get_ip*_port to use skb_network_offset Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 04/21] netfilter: ipset: Properly calculate extensions offsets and total length Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 05/21] netfilter: ipset: No need to make nomatch bitfield Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 06/21] netfilter: ipset: Preprocessor directices cleanup Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 07/21] netfilter: ipset: Return ipset error instead of bool Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 08/21] netfilter: ipset: Check IPSET_ATTR_PORT only once Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 09/21] netfilter: ipset: Use HOST_MASK literal to represent host address CIDR len Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 10/21] netfilter: ipset: Return bool values instead of int Pablo Neira Ayuso
2015-05-18 16:31 ` Joe Perches
2015-05-18 16:52 ` Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 11/21] netfilter: ipset: Check for comment netlink attribute length Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 12/21] netfilter: ipset: Fix ext_*() macros Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 13/21] netfilter: ipset: Fix hashing for ipv6 sets Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 14/21] netfilter: ipset: Improve preprocessor macros checks Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 15/21] netfilter: ipset: Use better include files in xt_set.c Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 16/21] netfilter: bridge: neigh_head and physoutdev can't be used at same time Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 17/21] netfilter: bridge: free nf_bridge info on xmit Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 18/21] netfilter: ipset: deinline ip_set_put_extensions() Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 19/21] netfilter: xt_MARK: Add ARP support Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 20/21] netfilter: x_tables: add context to know if extension runs from nft_compat Pablo Neira Ayuso
2015-05-18 16:25 ` [PATCH 21/21] netfilter: Use correct return for seq_show functions Pablo Neira Ayuso
2015-05-18 18:48 ` [PATCH 00/21] Netfilter updates for net-next David Miller
-- strict thread matches above, loose matches on Subject: below --
2020-01-18 20:13 Pablo Neira Ayuso
2020-01-19 9:33 ` David Miller
2018-08-05 21:21 Pablo Neira Ayuso
2018-08-06 0:06 ` David Miller
2017-02-12 19:42 Pablo Neira Ayuso
2017-02-13 3:12 ` David Miller
2015-04-13 19:29 Pablo Neira Ayuso
2015-04-14 2:18 ` David Miller
2013-01-25 13:54 [PATCH 00/21] netfilter " pablo
2013-01-27 5:56 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.