linux/include/net/netfilter, branch v4.4

netfilter: nf_tables: add clone interface to expression operations

2015-11-10T22:47:32Z

With the conversion of the counter expressions to make it percpu, we need to clone the percpu memory area, otherwise we crash when using counters from flow tables. Signed-off-by: Pablo Neira Ayuso

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

2015-10-17T12:28:03Z

This merge resolves conflicts with 75aec9df3a78 ("bridge: Remove br_nf_push_frag_xmit_sk") as part of Eric Biederman's effort to improve netns support in the network stack that reached upstream via David's net-next tree. Signed-off-by: Pablo Neira Ayuso Conflicts: net/bridge/br_netfilter_hooks.c

netfilter: make nf_queue_entry_get_refs return void

2015-10-16T16:22:23Z

We don't care if module is being unloaded anymore since hook unregister handling will destroy queue entries using that hook. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

ipv6: Pass struct net into nf_ct_frag6_gather

2015-10-13T02:44:17Z

The function nf_ct_frag6_gather is called on both the input and the output paths of the networking stack. In particular ipv6_defrag which calls nf_ct_frag6_gather is called from both the the PRE_ROUTING chain on input and the LOCAL_OUT chain on output. The addition of a net parameter makes it explicit which network namespace the packets are being reassembled in, and removes the need for nf_ct_frag6_gather to guess. Signed-off-by: "Eric W. Biederman" Acked-by: Pablo Neira Ayuso Signed-off-by: David S. Miller

netfilter: conntrack: fix crash on timeout object removal

2015-10-12T15:04:34Z

The object and module refcounts are updated for each conntrack template, however, if we delete the iptables rules and we flush the timeout database, we may end up with invalid references to timeout object that are just gone. Resolve this problem by setting the timeout reference to NULL when the custom timeout entry is removed from our base. This patch requires some RCU trickery to ensure safe pointer handling. This handling is similar to what we already do with conntrack helpers, the idea is to avoid bumping the timeout object reference counter from the packet path to avoid the cost of atomic ops. Reported-by: Stephen Hemminger Signed-off-by: Pablo Neira Ayuso

netfilter: remove dead code

2015-10-05T15:32:01Z

Remove __nf_conntrack_find() from headers. Fixes: dcd93ed4cd1 ("netfilter: nf_conntrack: remove dead code") Signed-off-by: Flavio Leitner Signed-off-by: Pablo Neira Ayuso

netfilter: nfnetlink_queue: get rid of nfnetlink_queue_ct.c

2015-10-04T19:45:44Z

The original intention was to avoid dependencies between nfnetlink_queue and conntrack without ifdef pollution. However, we can achieve this by moving the conntrack dependent code into ctnetlink and keep some glue code to access the nfq_ct indirection from nfqueue. After this patch, the nfq_ct indirection is always compiled in the netfilter core to avoid polluting nfqueue with ifdefs. Thus, if nf_conntrack is not compiled this results in only 8-bytes of memory waste in x86_64. This patch also adds ctnetlink_nfqueue_seqadj() to avoid that the nf_conn structure layout if exposed to nf_queue, which creates another dependency with nf_conntrack at compilation time. Signed-off-by: Pablo Neira Ayuso

bridge: Pass net into br_validate_ipv4 and br_validate_ipv6

2015-09-29T18:21:32Z

The network namespace is easiliy available in state->net so use it. Signed-off-by: "Eric W. Biederman" Signed-off-by: Pablo Neira Ayuso

ipv4: Push struct net down into nf_send_reset

2015-09-29T18:21:31Z

This is needed so struct net can be pushed down into ip_route_me_harder. Signed-off-by: "Eric W. Biederman" Signed-off-by: Pablo Neira Ayuso

netfilter: Pass net into nf_xfrm_me_harder

2015-09-18T20:00:22Z

Instead of calling dev_net on a likley looking network device pass state->net into nf_xfrm_me_harder. Signed-off-by: "Eric W. Biederman" Signed-off-by: Pablo Neira Ayuso