linux/include/net/netfilter, branch v5.14 Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.14 2021-07-02T00:07:01Z netfilter: conntrack: nf_ct_gre_keymap_flush() removal 2021-07-02T00:07:01Z Vasily Averin vvs@virtuozzo.com 2021-07-01T05:02:24Z urn:sha1:a23f89a9990684a0ca0cac4a2857c15d338ebe2d nf_ct_gre_keymap_flush() is useless. It is called from nf_conntrack_cleanup_net_list() only and tries to remove nf_ct_gre_keymap entries from pernet gre keymap list. Though: a) at this point the list should already be empty, all its entries were deleted during the conntracks cleanup, because nf_conntrack_cleanup_net_list() executes nf_ct_iterate_cleanup(kill_all) before nf_conntrack_proto_pernet_fini(): nf_conntrack_cleanup_net_list +- nf_ct_iterate_cleanup | nf_ct_put | nf_conntrack_put | nf_conntrack_destroy | destroy_conntrack | destroy_gre_conntrack | nf_ct_gre_keymap_destroy `- nf_conntrack_proto_pernet_fini nf_ct_gre_keymap_flush b) Let's say we find that the keymap list is not empty. This means netns still has a conntrack associated with gre, in which case we should not free its memory, because this will lead to a double free and related crashes. However I doubt it could have gone unnoticed for years, obviously this does not happen in real life. So I think we can remove both nf_ct_gre_keymap_flush() and nf_conntrack_proto_pernet_fini(). Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: pass hook state to log functions 2021-06-18T12:47:43Z Florian Westphal fw@strlen.de 2021-06-16T20:06:19Z urn:sha1:62eec0d73393a136b4523952cecbda1438f1f1b9 The packet logger backend is unable to provide the incoming (or outgoing) interface name because that information isn't available. Pass the hook state, it contains the network namespace, the protocol family, the network interfaces and other things. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: add last expression 2021-06-17T01:23:00Z Pablo Neira Ayuso pablo@netfilter.org 2021-06-16T20:25:05Z urn:sha1:836382dc24717af203ce06703530528827086955 Add a new optional expression that tells you when last matching on a given rule / set element element has happened. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2021-06-09T21:50:35Z David S. Miller davem@davemloft.net 2021-06-09T21:50:35Z urn:sha1:7f3579e1893f66edef95a0436a4e10073d085fda Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains Netfilter updates for net-next: 1) Add nfgenmsg field to nfnetlink's struct nfnl_info and use it. 2) Remove nft_ctx_init_from_elemattr() and nft_ctx_init_from_setattr() helper functions. 3) Add the nf_ct_pernet() helper function to fetch the conntrack pernetns data area. 4) Expose TCP and UDP flowtable offload timeouts through sysctl, from Oz Shlomo. 5) Add nfnetlink_hook subsystem to fetch the netfilter hook pipeline configuration, from Florian Westphal. This also includes a new field to annotate the hook type as metadata. 6) Fix unsafe memory access to non-linear skbuff in the new SCTP chunk support for nft_exthdr, from Phil Sutter. ==================== Signed-off-by: David S. Miller <davem@davemloft.net> Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net 2021-06-07T20:01:52Z David S. Miller davem@davemloft.net 2021-06-07T20:01:52Z urn:sha1:126285651b7f95282a0afe3a1b0221419b31d989 Bug fixes overlapping feature additions and refactoring, mostly. Signed-off-by: David S. Miller <davem@davemloft.net> netfilter: flowtable: Set offload timeouts according to proto values 2021-06-07T10:23:38Z Oz Shlomo ozsh@nvidia.com 2021-06-03T12:12:35Z urn:sha1:1d91d2e1a7f767aa8c11d8507ecf268f787734ec Currently the aging period for tcp/udp connections is hard coded to 30 seconds. Aged tcp/udp connections configure a hard coded 120/30 seconds pickup timeout for conntrack. This configuration may be too aggressive or permissive for some users. Dynamically configure the nf flow table GC timeout intervals according to the user defined values. Signed-off-by: Oz Shlomo <ozsh@nvidia.com> Reviewed-by: Paul Blakey <paulb@nvidia.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nftables: add nf_ct_pernet() helper function 2021-06-07T10:23:37Z Pablo Neira Ayuso pablo@netfilter.org 2021-06-02T10:39:07Z urn:sha1:0418b989a467885292c294923dec66951c1c1398 Consolidate call to net_generic(net, nf_conntrack_net_id) in this wrapper function. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: remove xt_action_param from nft_pktinfo 2021-05-29T20:15:59Z Florian Westphal fw@strlen.de 2021-05-28T10:30:08Z urn:sha1:897389de48283d413728dae7520973872cef8eb2 Init it on demand in the nft_compat expression. This reduces size of nft_pktinfo from 48 to 24 bytes on x86_64. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: remove unused arg in nft_set_pktinfo_unspec() 2021-05-28T23:04:54Z Florian Westphal fw@strlen.de 2021-05-28T10:30:07Z urn:sha1:f06ad944b6a92dd9ce95f2e5f4164a8e70d32af5 The functions pass extra skb arg, but either its not used or the helpers can already access it via pkt->skb. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: add and use nft_thoff helper 2021-05-28T23:04:54Z Florian Westphal fw@strlen.de 2021-05-28T10:30:06Z urn:sha1:2d7b4ace0754ebaaf71c6824880178d46aa0ab33 This allows to change storage placement later on without changing readers. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>