linux/include/net/netfilter, branch v4.20 Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.20 2018-11-26T23:35:19Z netfilter: add missing error handling code for register functions 2018-11-26T23:35:19Z Taehee Yoo ap420073@gmail.com 2018-11-22T10:59:46Z urn:sha1:584eab291c67894cb17cc87544b9d086228ea70f register_{netdevice/inetaddr/inet6addr}_notifier may return an error value, this patch adds the code to handle these error paths. Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: add nf_{tcp,udp,sctp,icmp,dccp,icmpv6,generic}_pernet() 2018-11-03T12:28:02Z Pablo Neira Ayuso pablo@netfilter.org 2018-11-01T23:11:34Z urn:sha1:a95a7774d51e13f9cf4b7285666829b68852f07a Expose these functions to access conntrack protocol tracker netns area, nfnetlink_cttimeout needs this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nfnetlink_log: remove empty nfnetlink_log.h header file 2018-10-19T12:00:33Z Taehee Yoo ap420073@gmail.com 2018-10-18T13:29:59Z urn:sha1:468c041cff57e87f18e1022cacf9f5c98bf00b58 /include/net/netfilter/nfnetlink_log.h file is empty. so that it can be removed. Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_flow_table: remove unnecessary parameter of nf_flow_table_cleanup() 2018-10-19T11:25:22Z Taehee Yoo ap420073@gmail.com 2018-10-11T18:01:54Z urn:sha1:5f1be84aad4b520a36246d0c289ad73641277630 parameter net of nf_flow_table_cleanup() is not used. So that it can be removed. Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: add SECMARK support 2018-09-28T12:28:29Z Christian Göttsche cgzones@googlemail.com 2018-09-23T18:26:15Z urn:sha1:fb961945457f5177072c968aa38fee910ab893b9 Add the ability to set the security context of packets within the nf_tables framework. Add a nft_object for holding security contexts in the kernel and manipulating packets on the wire. Convert the security context strings at rule addition time to security identifiers. This is the same behavior like in xt_SECMARK and offers better performance than computing it per packet. Set the maximum security context length to 256. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: clamp l4proto array size at largers supported protocol 2018-09-20T16:08:14Z Florian Westphal fw@strlen.de 2018-09-12T13:19:14Z urn:sha1:93185c80a5f748620f5652e492f2a1c8d89db593 All higher l4proto numbers are handled by the generic tracker; the l4proto lookup function already returns generic one in case the l4proto number exceeds max size. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: remove l3->l4 mapping information 2018-09-20T16:07:35Z Florian Westphal fw@strlen.de 2018-09-17T10:02:54Z urn:sha1:dd2934a95701576203b2f61e8ded4e4a2f9183ea l4 protocols are demuxed by l3num, l4num pair. However, almost all l4 trackers are l3 agnostic. Only exceptions are: - gre, icmp (ipv4 only) - icmpv6 (ipv6 only) This commit gets rid of the l3 mapping, l4 trackers can now be looked up by their IPPROTO_XXX value alone, which gets rid of the additional l3 indirection. For icmp, ipcmp6 and gre, add a check on state->pf and return -NF_ACCEPT in case we're asked to track e.g. icmpv6-in-ipv4, this seems more fitting than using the generic tracker. Additionally we can kill the 2nd l4proto definitions that were needed for v4/v6 split -- they are now the same so we can use single l4proto struct for each protocol, rather than two. The EXPORT_SYMBOLs can be removed as all these object files are part of nf_conntrack with no external references. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: remove unused proto arg from netns init functions 2018-09-20T16:03:50Z Florian Westphal fw@strlen.de 2018-09-12T13:19:12Z urn:sha1:ca2ca6e1c04e64413f5fb9a5d54fb8b0bdd86467 Its unused, next patch will remove l4proto->l3proto number to simplify l4 protocol demuxer lookup. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: remove error callback and handle icmp from core 2018-09-20T16:02:57Z Florian Westphal fw@strlen.de 2018-09-12T13:19:11Z urn:sha1:6fe78fa484a5dad030b24e33e0cedc5d5bbd0fde icmp(v6) are the only two layer four protocols that need the error() callback (to handle icmp errors that are related to an established connections, e.g. packet too big, port unreachable and the like). Remove the error callback and handle these two special cases from the core. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: deconstify packet callback skb pointer 2018-09-20T16:02:22Z Florian Westphal fw@strlen.de 2018-09-12T13:19:09Z urn:sha1:83d213fd9d1a56108584cd812333462caa39a747 Only two protocols need the ->error() function: icmp and icmpv6. This is because icmp error mssages might be RELATED to an existing connection (e.g. PMTUD, port unreachable and the like), and their ->error() handlers do this. The error callback is already optional, so remove it for udp and call them from ->packet() instead. As the error() callback can call checksum functions that write to skb->csum*, the const qualifier has to be removed as well. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>