Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.11 2021-01-16T17:57:26Z 2021-01-16T17:57:26Z Pablo Neira Ayuso pablo@netfilter.org 2021-01-16T11:26:46Z urn:sha1:fca05d4d61e65fa573a3768f9019a42143c03349 If the set definition contains stateful expressions, allocate them for the newly added entries from the packet path. Fixes: 65038428b2c6 ("netfilter: nf_tables: allow to specify stateful expression in set definition") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2020-12-14T23:43:21Z Jakub Kicinski kuba@kernel.org 2020-12-14T23:43:20Z urn:sha1:7bca5021a4e653a323492cb500cfc387331481b9 Pablo Neira Ayuso says: ==================== Netfilter/IPVS updates for net-next 1) Missing dependencies in NFT_BRIDGE_REJECT, from Randy Dunlap. 2) Use atomic_inc_return() instead of atomic_add_return() in IPVS, from Yejune Deng. 3) Simplify check for overquota in xt_nfacct, from Kaixu Xia. 4) Move nfnl_acct_list away from struct net, from Miao Wang. 5) Pass actual sk in reject actions, from Jan Engelhardt. 6) Add timeout and protoinfo to ctnetlink destroy events, from Florian Westphal. 7) Four patches to generalize set infrastructure to support for multiple expressions per set element. * git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next: netfilter: nftables: netlink support for several set element expressions netfilter: nftables: generalize set extension to support for several expressions netfilter: nftables: move nft_expr before nft_set netfilter: nftables: generalize set expressions support netfilter: ctnetlink: add timeout and protoinfo to destroy events netfilter: use actual socket sk for REJECT action netfilter: nfnl_acct: remove data from struct net netfilter: Remove unnecessary conversion to bool ipvs: replace atomic_add_return() netfilter: nft_reject_bridge: fix build errors due to code movement ==================== Link: https://lore.kernel.org/r/20201212230513.3465-1-pablo@netfilter.org Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2020-12-12T18:20:24Z Pablo Neira Ayuso pablo@netfilter.org 2020-12-09T19:10:27Z urn:sha1:563125a73ac30d7036ae69ca35c40500562c1de4 This patch replaces NFT_SET_EXPR by NFT_SET_EXT_EXPRESSIONS. This new extension allows to attach several expressions to one set element (not only one single expression as NFT_SET_EXPR provides). This patch prepares for support for several expressions per set element in the netlink userspace API. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2020-12-12T10:44:42Z Pablo Neira Ayuso pablo@netfilter.org 2020-12-07T16:37:05Z urn:sha1:92b211a28992b82a693547e3fe5ff97646961785 Move the nft_expr structure definition before nft_set. Expressions are used by rules and sets, remove unnecessary forward declarations. This comes as preparation to support for multiple expressions per set element. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2020-12-12T10:44:42Z Pablo Neira Ayuso pablo@netfilter.org 2020-12-07T16:37:01Z urn:sha1:8cfd9b0f8515e7c361bba27e2a2684cbd427fe01 Currently, the set infrastucture allows for one single expressions per element. This patch extends the existing infrastructure to allow for up to two expressions. This is not updating the netlink API yet, this is coming as an initial preparation patch. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2020-12-12T10:44:42Z Florian Westphal fw@strlen.de 2020-12-10T13:43:23Z urn:sha1:86d21fc7474563cb5d054ff001d8ad7b69206717 DESTROY events do not include the remaining timeout. Add the timeout if the entry was removed explicitly. This can happen when a conntrack gets deleted prematurely, e.g. due to a tcp reset, module removal, netdev notifier (nat/masquerade device went down), ctnetlink and so on. Add the protocol state too for the destroy message to check for abnormal state on connection termination. Joint work with Pablo. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2020-12-12T06:29:38Z Jakub Kicinski kuba@kernel.org 2020-12-12T04:12:36Z urn:sha1:46d5e62dd3c34770f3bfd0642daa9a7772a00362 xdp_return_frame_bulk() needs to pass a xdp_buff to __xdp_return(). strlcpy got converted to strscpy but here it makes no functional difference, so just keep the right code. Conflicts: net/netfilter/nf_tables_api.c Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2020-12-08T19:42:11Z Pablo Neira Ayuso pablo@netfilter.org 2020-12-08T17:25:53Z urn:sha1:917d80d376ffbaa9725fde9e3c0282f63643f278 Use nf_msecs_to_jiffies64 and nf_jiffies64_to_msecs as provided by 8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23 days"), otherwise ruleset listing breaks. Fixes: a8b1e36d0d1d ("netfilter: nft_dynset: fix element timeout for HZ != 1000") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2020-12-03T23:44:09Z Jakub Kicinski kuba@kernel.org 2020-12-03T23:42:13Z urn:sha1:55fd59b003f6e8fd88cf16590e79823d7ccf3026 Conflicts: drivers/net/ethernet/ibm/ibmvnic.c Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2020-12-01T13:33:55Z Jan Engelhardt jengelh@inai.de 2020-11-21T11:11:51Z urn:sha1:04295878beac396dae47ba93141cae0d9386e7ef True to the message of commit v5.10-rc1-105-g46d6c5ae953c, _do_ actually make use of state->sk when possible, such as in the REJECT modules. Reported-by: Minqiang Chen <ptpt52@gmail.com> Cc: Jason A. Donenfeld <Jason@zx2c4.com> Signed-off-by: Jan Engelhardt <jengelh@inai.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>