Commit b2ede25b authored by Jakub Kicinski's avatar Jakub Kicinski
Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following batch contains Netfilter updates for net-next:

Patch #1 fix checksum calculation in nfnetlink_queue with SCTP,
	 segment GSO packet since skb_zerocopy() does not support
	 GSO_BY_FRAGS, from Antonio Ojea.

Patch #2 extend nfnetlink_queue coverage to handle SCTP packets,
	 from Antonio Ojea.

Patch #3 uses consume_skb() instead of kfree_skb() in nfnetlink,
         from Donald Hunter.

Patch #4 adds a dedicated commit list for sets to speed up
	 intra-transaction lookups, from Florian Westphal.

Patch #5 skips removal of element from abort path for the pipapo
         backend, ditching the shadow copy of this datastructure
	 is sufficient.

Patch #6 moves nf_ct_netns_get() out of nf_conncount_init() to
	 let users of conncount decide when to enable conntrack,
	 this is needed by openvswitch, from Xin Long.

Patch #7 pass context to all nft_parse_register_load() in
	 preparation for the next patch.

Patches #8 and #9 reject loads from uninitialized registers from
	 control plane to remove register initialization from
	 datapath. From Florian Westphal.

* tag 'nf-next-24-08-23' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nf_tables: don't initialize registers in nft_do_chain()
  netfilter: nf_tables: allow loads only when register is initialized
  netfilter: nf_tables: pass context structure to nft_parse_register_load
  netfilter: move nf_ct_netns_get out of nf_conncount_init
  netfilter: nf_tables: do not remove elements if set backend implements .abort
  netfilter: nf_tables: store new sets in dedicated list
  netfilter: nfnetlink: convert kfree_skb to consume_skb
  selftests: netfilter: nft_queue.sh: sctp coverage
  netfilter: nfnetlink_queue: unbreak SCTP traffic
====================

Link: https://patch.msgid.link/20240822221939.157858-1-pablo@netfilter.org


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parents 18aaa82b c88baabf
+2 −4
@@ -15,10 +15,8 @@ struct nf_conncount_list {
	unsigned int count;	/* length of list */
};

struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int family,
					    unsigned int keylen);
void nf_conncount_destroy(struct net *net, unsigned int family,
			  struct nf_conncount_data *data);
struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen);
void nf_conncount_destroy(struct net *net, struct nf_conncount_data *data);

unsigned int nf_conncount_count(struct net *net,
				struct nf_conncount_data *data,
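Review bot: The new `nf_conncount_init()`/`nf_conncount_destroy()` prototypes drop the `family` argument without stating who now enables conntrack for the namespace; per the merge description that responsibility moved to the callers, so a comment on the declaration would spare every user from rediscovering it, e.g. `/* Caller is responsible for nf_ct_netns_get()/put() on the families it counts. */`. A caller that forgets the reference would count connections while conntrack may not be hooked, a silent regression that a header comment helps prevent. The declaration of nf_conncount_count() continues past the end of this section.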
+5 −1
@@ -221,6 +221,7 @@ struct nft_ctx {
	u8				family;
	u8				level;
	bool				report;
	DECLARE_BITMAP(reg_inited, NFT_REG32_NUM);
};

enum nft_data_desc_flags {
@@ -254,7 +255,8 @@ static inline enum nft_registers nft_type_to_reg(enum nft_data_types type)
int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest);
int nft_dump_register(struct sk_buff *skb, unsigned int attr, unsigned int reg);

int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len);
int nft_parse_register_load(const struct nft_ctx *ctx,
			    const struct nlattr *attr, u8 *sreg, u32 len);
int nft_parse_register_store(const struct nft_ctx *ctx,
			     const struct nlattr *attr, u8 *dreg,
			     const struct nft_data *data,
@@ -1674,6 +1676,7 @@ struct nft_trans_rule {

struct nft_trans_set {
	struct nft_trans_binding	nft_trans_binding;
	struct list_head		list_trans_newset;
	struct nft_set			*set;
	u32				set_id;
	u32				gc_int;
@@ -1875,6 +1878,7 @@ static inline int nft_request_module(struct net *net, const char *fmt, ...) { re
struct nftables_pernet {
	struct list_head	tables;
	struct list_head	commit_list;
	struct list_head	commit_set_list;
	struct list_head	binding_list;
	struct list_head	module_list;
	struct list_head	notify_list;
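Review bot: `DECLARE_BITMAP(reg_inited, NFT_REG32_NUM);` is added to `struct nft_ctx` with no comment, and nothing in this header says what sets a bit or that the bitmap must start cleared; since the description says loads from uninitialized registers are now rejected on the control plane, a stale or uninitialised bitmap would either reject valid rules or let the datapath read a register that `nft_do_chain()` no longer zeroes. Suggest `/* registers already written by an earlier expression; must be zeroed whenever a ctx is set up */` on that line, with the exact scope of "earlier" (per rule or per chain) confirmed against the implementing commit. The `nft_parse_register_load()` prototype change and the new `list_trans_newset`/`commit_set_list` members in the later hunks of this section are plain declarations and raise nothing on their own.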
+1 −1
@@ -142,7 +142,7 @@ static int nft_meta_bridge_set_init(const struct nft_ctx *ctx,
	}

	priv->len = len;
	err = nft_parse_register_load(tb[NFTA_META_SREG], &priv->sreg, len);
	err = nft_parse_register_load(ctx, tb[NFTA_META_SREG], &priv->sreg, len);
	if (err < 0)
		return err;

+1 −0
@@ -3387,6 +3387,7 @@ int skb_crc32c_csum_help(struct sk_buff *skb)
out:
	return ret;
}
EXPORT_SYMBOL(skb_crc32c_csum_help);

__be16 skb_network_protocol(struct sk_buff *skb, int *depth)
{
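Review bot: `EXPORT_SYMBOL(skb_crc32c_csum_help);` widens the module-facing API of skbuff.c; if the only consumer is the nfnetlink_queue SCTP fix named in the description, `EXPORT_SYMBOL_GPL(skb_crc32c_csum_help);` is the more conservative export and keeps the new surface limited to in-tree-style users. Whichever export is kept, the function's kernel-doc should spell out the skb state it expects on entry, because external callers can no longer be audited at the call site. The body of skb_crc32c_csum_help() starts outside this hunk.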
+2 −2
@@ -40,13 +40,13 @@ static int nft_dup_ipv4_init(const struct nft_ctx *ctx,
	if (tb[NFTA_DUP_SREG_ADDR] == NULL)
		return -EINVAL;

	err = nft_parse_register_load(tb[NFTA_DUP_SREG_ADDR], &priv->sreg_addr,
	err = nft_parse_register_load(ctx, tb[NFTA_DUP_SREG_ADDR], &priv->sreg_addr,
				      sizeof(struct in_addr));
	if (err < 0)
		return err;

	if (tb[NFTA_DUP_SREG_DEV])
		err = nft_parse_register_load(tb[NFTA_DUP_SREG_DEV],
		err = nft_parse_register_load(ctx, tb[NFTA_DUP_SREG_DEV],
					      &priv->sreg_dev, sizeof(int));

	return err;
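Review bot: The first call, `err = nft_parse_register_load(ctx, tb[NFTA_DUP_SREG_ADDR], &priv->sreg_addr,`, now runs past 80 columns with the added `ctx`, while the second call to the same function a few lines below already fits; moving `&priv->sreg_addr,` onto the continuation line next to `sizeof(struct in_addr)` keeps the two call sites consistent and within the kernel's preferred line length. Behaviour is unchanged either way. nft_dup_ipv4_init() starts outside this hunk.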