Commit f5b60d6a authored by Paolo Abeni's avatar Paolo Abeni
Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following batch contains Netfilter updates for net-next,
specifically 26 patches: 5 patches adding/updating selftests,
4 fixes, 3 PREEMPT_RT fixes, and 14 patches to enhance nf_tables:

1) Improve selftest coverage for pipapo 4 bit group format, from
   Florian Westphal.

2) Fix incorrect dependencies when compiling a kernel without
   legacy ip{6}tables support, also from Florian.

3) Two patches to fix nft_fib vrf issues, including selftest updates
   to improve coverage, also from Florian Westphal.

4) Fix incorrect nesting in nft_tunnel's GENEVE support, from
   Fernando F. Mancera.

5) Three patches to fix PREEMPT_RT issues with nf_dup infrastructure
   and nft_inner to match in inner headers, from Sebastian Andrzej Siewior.

6) Integrate conntrack information into nft trace infrastructure,
   from Florian Westphal.

7) A series of 13 patches to allow to specify wildcard netdevice in
   netdev basechain and flowtables, eg.

   table netdev filter {
       chain ingress {
           type filter hook ingress devices = { eth0, eth1, vlan* } priority 0; policy accept;
       }
   }

   This also allows for runtime hook registration on NETDEV_{UN}REGISTER
   event, from Phil Sutter.

netfilter pull request 25-05-23

* tag 'nf-next-25-05-23' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next: (26 commits)
  selftests: netfilter: Torture nftables netdev hooks
  netfilter: nf_tables: Add notifications for hook changes
  netfilter: nf_tables: Support wildcard netdev hook specs
  netfilter: nf_tables: Sort labels in nft_netdev_hook_alloc()
  netfilter: nf_tables: Handle NETDEV_CHANGENAME events
  netfilter: nf_tables: Wrap netdev notifiers
  netfilter: nf_tables: Respect NETDEV_REGISTER events
  netfilter: nf_tables: Prepare for handling NETDEV_REGISTER events
  netfilter: nf_tables: Have a list of nf_hook_ops in nft_hook
  netfilter: nf_tables: Pass nf_hook_ops to nft_unregister_flowtable_hook()
  netfilter: nf_tables: Introduce nft_register_flowtable_ops()
  netfilter: nf_tables: Introduce nft_hook_find_ops{,_rcu}()
  netfilter: nf_tables: Introduce functions freeing nft_hook objects
  netfilter: nf_tables: add packets conntrack state to debug trace info
  netfilter: conntrack: make nf_conntrack_id callable without a module dependency
  netfilter: nf_dup_netdev: Move the recursion counter struct netdev_xmit
  netfilter: nft_inner: Use nested-BH locking for nft_pcpu_tun_ctx
  netfilter: nf_dup{4, 6}: Move duplication check to task_struct
  netfilter: nft_tunnel: fix geneve_opt dump
  selftests: netfilter: nft_fib.sh: add type and oif tests with and without VRFs
  ...
====================

Link: https://patch.msgid.link/20250523132712.458507-1-pablo@netfilter.org


Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
parents fdb06119 73db1b5d
+3 −0
@@ -11,6 +11,9 @@ struct netdev_xmit {
#if IS_ENABLED(CONFIG_NET_ACT_MIRRED)
	u8 sched_mirred_nest;
#endif
#if IS_ENABLED(CONFIG_NF_DUP_NETDEV)
	u8 nf_dup_skb_recursion;
#endif
};

#endif
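Review bot: The new `nf_dup_skb_recursion` counter at the CONFIG_NF_DUP_NETDEV block has no comment saying what it counts or who bounds it, while the whole struct is otherwise undocumented too, so a reader of this header cannot tell it from an unrelated flag. The increment/decrement and the limit check live outside this hunk (presumably in nf_dup_netdev.c, moved from a per-cpu variable per the commit list), so a one-line comment here is the only place the contract is visible: `u8 nf_dup_skb_recursion; /* nesting depth of nf_dup_netdev re-injection; bounded by the caller */`. If the counter is not bounded on every increment path, a u8 wraps silently, which would be worth confirming against the user in nf_dup_netdev.c.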
+4 −11
@@ -95,6 +95,9 @@ enum nf_hook_ops_type {
};

struct nf_hook_ops {
	struct list_head	list;
	struct rcu_head		rcu;

	/* User fills in from here down. */
	nf_hookfn		*hook;
	struct net_device	*dev;
@@ -470,6 +473,7 @@ struct nf_ct_hook {
	void (*attach)(struct sk_buff *nskb, const struct sk_buff *skb);
	void (*set_closing)(struct nf_conntrack *nfct);
	int (*confirm)(struct sk_buff *skb);
	u32 (*get_id)(const struct nf_conntrack *nfct);
};
extern const struct nf_ct_hook __rcu *nf_ct_hook;

@@ -497,17 +501,6 @@ struct nf_defrag_hook {
extern const struct nf_defrag_hook __rcu *nf_defrag_v4_hook;
extern const struct nf_defrag_hook __rcu *nf_defrag_v6_hook;

/*
 * nf_skb_duplicated - TEE target has sent a packet
 *
 * When a xtables target sends a packet, the OUTPUT and POSTROUTING
 * hooks are traversed again, i.e. nft and xtables are invoked recursively.
 *
 * This is used by xtables TEE target to prevent the duplicated skb from
 * being duplicated again.
 */
DECLARE_PER_CPU(bool, nf_skb_duplicated);

/*
 * Contains bitmask of ctnetlink event subscribers, if any.
 * Can't be pernet due to NETLINK_LISTEN_ALL_NSID setsockopt flag.
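Review bot: The new `get_id` callback in `struct nf_ct_hook` (hunk @@ -470) is added without a comment, and unlike the sibling members its return type gives no hint that it may not be reachable: `nf_ct_hook` is a `__rcu` pointer that is NULL while conntrack is not loaded, so every caller has to `rcu_dereference()` it and test for NULL before using `get_id`, which is worth stating next to the member, e.g. `/* returns the conntrack id; only valid on a non-NULL rcu_dereference()'d hook */`. In the first hunk, the `struct list_head list;` inserted above the `/* User fills in from here down. */` marker would likewise benefit from naming its owner, e.g. `/* nf_tables: linked into nft_hook::ops_list, not for hook users */`, since the marker now implicitly documents it as internal but not who manages it (the nft_hook definition is in a different file section). The removal of `nf_skb_duplicated` and its comment in the last hunk is the intent of the series; only note that the explanatory text about recursive OUTPUT/POSTROUTING traversal should move with the replacement flag rather than be dropped.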
+1 −0
@@ -1044,6 +1044,7 @@ struct task_struct {
	/* delay due to memory thrashing */
	unsigned                        in_thrashing:1;
#endif
	unsigned			in_nf_duplicate:1;
#ifdef CONFIG_PREEMPT_RT
	struct netdev_xmit		net_xmit;
#endif
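Review bot: The new `in_nf_duplicate:1` bit is the only member in this run without a comment, while the neighbouring bit carries `/* delay due to memory thrashing */`, and the per-cpu `nf_skb_duplicated` it replaces came with a comment explaining why the flag exists (a TEE/nf_dup duplicate re-traverses the OUTPUT and POSTROUTING hooks and must not be duplicated again); that rationale is deleted in the netfilter.h section and not restored here. Suggest `/* netfilter: skb being sent is a TEE/nf_dup duplicate, don't duplicate again */` above the field so the next reader does not have to dig through git history. The field is unconditional rather than under CONFIG_NETFILTER, which matches the old unconditional per-cpu variable and, as a bit in an existing bitfield, presumably costs nothing; a comment would also make that choice look deliberate.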
+11 −1
@@ -1142,6 +1142,11 @@ int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set);
int nf_tables_bind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);
void nf_tables_unbind_chain(const struct nft_ctx *ctx, struct nft_chain *chain);

struct nft_hook;
void nf_tables_chain_device_notify(const struct nft_chain *chain,
				   const struct nft_hook *hook,
				   const struct net_device *dev, int event);

enum nft_chain_types {
	NFT_CHAIN_T_DEFAULT = 0,
	NFT_CHAIN_T_ROUTE,
@@ -1199,12 +1204,17 @@ struct nft_stats {

struct nft_hook {
	struct list_head	list;
	struct nf_hook_ops	ops;
	struct list_head	ops_list;
	struct rcu_head		rcu;
	char			ifname[IFNAMSIZ];
	u8			ifnamelen;
};

struct nf_hook_ops *nft_hook_find_ops(const struct nft_hook *hook,
				      const struct net_device *dev);
struct nf_hook_ops *nft_hook_find_ops_rcu(const struct nft_hook *hook,
					  const struct net_device *dev);

/**
 *	struct nft_base_chain - nf_tables base chain
 *
+9 −0
@@ -2,6 +2,7 @@
#ifndef _NFT_FIB_H_
#define _NFT_FIB_H_

#include <net/l3mdev.h>
#include <net/netfilter/nf_tables.h>

struct nft_fib {
@@ -39,6 +40,14 @@ static inline bool nft_fib_can_skip(const struct nft_pktinfo *pkt)
	return nft_fib_is_loopback(pkt->skb, indev);
}

static inline int nft_fib_l3mdev_master_ifindex_rcu(const struct nft_pktinfo *pkt,
						    const struct net_device *iif)
{
	const struct net_device *dev = iif ? iif : pkt->skb->dev;

	return l3mdev_master_ifindex_rcu(dev);
}

int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr, bool reset);
int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
		 const struct nlattr * const tb[]);
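Review bot: `nft_fib_l3mdev_master_ifindex_rcu()` in the second hunk has no comment on its calling context even though the `_rcu` suffix and the `l3mdev_master_ifindex_rcu()` call both require `rcu_read_lock()` (or a softirq/hook context that already provides it), and it silently falls back to `pkt->skb->dev` when `iif` is NULL. Whether `skb->dev` can itself be NULL on every hook this helper is reached from (local-out before the route is attached, say) is not visible here; as far as I recall `l3mdev_master_ifindex_rcu()` returns 0 for a NULL dev, but that should be confirmed and stated rather than relied on implicitly. Suggest a kernel-doc comment along the lines of `/* Master (VRF) ifindex of @iif, or of skb->dev when @iif is NULL; caller must hold rcu_read_lock(). Returns 0 when there is no l3 master. */`.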