Commit 21b2e262 authored by Jakub Kicinski
Florian Westphal says:

====================
netfilter updates for next

First 5 patches, from Phil Sutter, clean up nftables dumpers to
use the context buffer in the netlink_callback structure rather
than a kmalloc'd buffer.

Patch 6, from myself, zaps dead code and replaces the helper function
with a small inlined helper.

Patch 7, also from myself, removes another pr_debug and replaces it
with the existing nf_log-based debug helpers.

Last patch, from George Guo, gets nft_table comments back in
sync with the structure members.

* tag 'nf-next-23-10-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: cleanup struct nft_table
  netfilter: conntrack: prefer tcp_error_log to pr_debug
  netfilter: conntrack: simplify nf_conntrack_alter_reply
  netfilter: nf_tables: Don't allocate nft_rule_dump_ctx
  netfilter: nf_tables: Carry s_idx in nft_rule_dump_ctx
  netfilter: nf_tables: Carry reset flag in nft_rule_dump_ctx
  netfilter: nf_tables: Drop pointless memset when dumping rules
  netfilter: nf_tables: Always allocate nft_rule_dump_ctx
====================

Link: https://lore.kernel.org/r/20231010145343.12551-1-fw@strlen.de


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents d1fea38f 94ecde83
+10 −4
@@ -160,10 +160,6 @@ static inline struct net *nf_ct_net(const struct nf_conn *ct)
	return read_pnet(&ct->ct_net);
}

/* Alter reply tuple (maybe alter helper). */
void nf_conntrack_alter_reply(struct nf_conn *ct,
			      const struct nf_conntrack_tuple *newreply);

/* Is this tuple taken? (ignoring any belonging to the given
   conntrack). */
int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
@@ -284,6 +280,16 @@ static inline bool nf_is_loopback_packet(const struct sk_buff *skb)
	return skb->dev && skb->skb_iif && skb->dev->flags & IFF_LOOPBACK;
}

static inline void nf_conntrack_alter_reply(struct nf_conn *ct,
					    const struct nf_conntrack_tuple *newreply)
{
	/* Must be unconfirmed, so not in hash table yet */
	if (WARN_ON(nf_ct_is_confirmed(ct)))
		return;

	ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
}

#define nfct_time_stamp ((u32)(jiffies))

/* jiffies until ct expires, 0 if already expired */
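Review bot: The new inline `nf_conntrack_alter_reply` changes behaviour on the confirmed path: the removed core.c version only warned and still overwrote the reply tuple, whereas the new one returns after the WARN_ON without writing, and since the function is void the caller cannot tell the tuple was left untouched. Refusing to rewrite the tuple of a conntrack that is already in the hash table is the safer outcome, so the early return looks right, but the function should say so and should keep the race caveat that disappeared with the old definition's comment. Suggested comment above the function: `/* Alter the reply tuple of an unconfirmed conntrack (used by NAT); implicitly racy, see __nf_conntrack_confirm. After a WARN_ON it is a silent no-op if ct is already confirmed. */`.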
+4 −1
@@ -1198,10 +1198,13 @@ static inline void nft_use_inc_restore(u32 *use)
 *	@hgenerator: handle generator state
 *	@handle: table handle
 *	@use: number of chain references to this table
 *	@family:address family
 *	@flags: table flag (see enum nft_table_flags)
 *	@genmask: generation mask
 *	@afinfo: address family info
 *	@nlpid: netlink port ID
 *	@name: name of the table
 *	@udlen: length of the user data
 *	@udata: user data
 *	@validate_state: internal, set when transaction adds jumps
 */
struct nft_table {
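Review bot: `@family:address family` is missing the space after the colon that every other entry in this kernel-doc block has; whether that line is new or context cannot be told from the rendered page, but since the patch's purpose is to bring this block back in sync it is worth fixing in the same change: ` *	@family: address family`. The struct body begins at the end of the hunk, so the member list is not visible here to check the remaining entries against.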
+0 −18
@@ -2042,24 +2042,6 @@ nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state)
}
EXPORT_SYMBOL_GPL(nf_conntrack_in);

/* Alter reply tuple (maybe alter helper).  This is for NAT, and is
   implicitly racy: see __nf_conntrack_confirm */
void nf_conntrack_alter_reply(struct nf_conn *ct,
			      const struct nf_conntrack_tuple *newreply)
{
	struct nf_conn_help *help = nfct_help(ct);

	/* Should be unconfirmed, so not in hash table yet */
	WARN_ON(nf_ct_is_confirmed(ct));

	nf_ct_dump_tuple(newreply);

	ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
	if (ct->master || (help && !hlist_empty(&help->expectations)))
		return;
}
EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply);

/* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */
void __nf_ct_refresh_acct(struct nf_conn *ct,
			  enum ip_conntrack_info ctinfo,
+1 −6
@@ -194,12 +194,7 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
	struct nf_conntrack_helper *helper = NULL;
	struct nf_conn_help *help;

	/* We already got a helper explicitly attached. The function
	 * nf_conntrack_alter_reply - in case NAT is in use - asks for looking
	 * the helper up again. Since now the user is in full control of
	 * making consistent helper configurations, skip this automatic
	 * re-lookup, otherwise we'll lose the helper.
	 */
	/* We already got a helper explicitly attached (e.g. nft_ct) */
	if (test_bit(IPS_HELPER_BIT, &ct->status))
		return 0;

+4 −3
@@ -835,7 +835,8 @@ static bool tcp_error(const struct tcphdr *th,

static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
			     unsigned int dataoff,
			     const struct tcphdr *th)
			     const struct tcphdr *th,
			     const struct nf_hook_state *state)
{
	enum tcp_conntrack new_state;
	struct net *net = nf_ct_net(ct);
@@ -846,7 +847,7 @@ static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,

	/* Invalid: delete conntrack */
	if (new_state >= TCP_CONNTRACK_MAX) {
		pr_debug("nf_ct_tcp: invalid new deleting.\n");
		tcp_error_log(skb, state, "invalid new");
		return false;
	}

@@ -980,7 +981,7 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct,
	if (tcp_error(th, skb, dataoff, state))
		return -NF_ACCEPT;

	if (!nf_ct_is_confirmed(ct) && !tcp_new(ct, skb, dataoff, th))
	if (!nf_ct_is_confirmed(ct) && !tcp_new(ct, skb, dataoff, th, state))
		return -NF_ACCEPT;

	spin_lock_bh(&ct->lock);
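Review bot: Switching the "invalid new" message from `pr_debug` to `tcp_error_log` changes who sees it: the nf_log-based invalid-packet helpers in this file are, as far as can be inferred from the hunk, gated by the conntrack log_invalid sysctl rather than by dynamic debug, so the event becomes visible to operators enabling that sysctl and invisible to anyone relying on dynamic-debug output. That matches the other `tcp_error_log` call sites, but it is an observable change worth a sentence in the commit message. The new `state` parameter of `tcp_new` is consumed only on the error path and deserves a short note on the signature, e.g. `/* state: hook state, needed only by tcp_error_log() */`. Both `tcp_new` and `nf_conntrack_tcp_packet` extend beyond the visible hunks.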