linux.git/include/linux/netfilter, branch v5.13 Linux kernel source tree netfilter: allow to turn off xtables compat layer 2021-04-26T16:16:56+00:00 Florian Westphal fw@strlen.de 2021-04-26T10:14:40+00:00 47a6959fa331fe892a4fc3b48ca08e92045c6bda The compat layer needs to parse untrusted input (the ruleset) to translate it to a 64bit compatible format. We had a number of bugs in this department in the past, so allow users to turn this feature off. Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y to keep existing behaviour. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The compat layer needs to parse untrusted input (the ruleset)
to translate it to a 64bit compatible format.

We had a number of bugs in this department in the past, so allow users
to turn this feature off.

Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y
to keep existing behaviour.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nfnetlink: consolidate callback types 2021-04-26T16:16:56+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-04-22T22:17:12+00:00 50f2db9e368f73ecbbaa92da365183fa953aaba7 Add enum nfnl_callback_type to identify the callback type to provide one single callback. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Add enum nfnl_callback_type to identify the callback type to provide one
single callback.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nfnetlink: pass struct nfnl_info to batch callbacks 2021-04-26T16:16:56+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-04-22T22:17:11+00:00 7dab8ee3b6e7ec856a616d07ebb9ebd736c92520 Update batch callbacks to use the nfnl_info structure. Rename one clashing info variable to expr_info. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Update batch callbacks to use the nfnl_info structure. Rename one
clashing info variable to expr_info.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nfnetlink: pass struct nfnl_info to rcu callbacks 2021-04-26T16:16:52+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-04-22T22:17:10+00:00 797d49805ddc6595b2fafe3e9ceff7f562be1f2c Update rcu callbacks to use the nfnl_info structure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Update rcu callbacks to use the nfnl_info structure.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks 2021-04-26T01:58:17+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-04-22T22:17:09+00:00 a655536571747575fcaac3c93252b0032d878545 Add a new structure to reduce callback footprint and to facilite extensions of the nfnetlink callback interface in the future. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Add a new structure to reduce callback footprint and to facilite
extensions of the nfnetlink callback interface in the future.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ip_tables: pass table pointer via nf_hook_ops 2021-04-26T01:20:46+00:00 Florian Westphal fw@strlen.de 2021-04-21T07:51:07+00:00 ae689334225ff0e4ef112459ecd24aea932c2b00 iptable_x modules rely on 'struct net' to contain a pointer to the table that should be evaluated. In order to remove these pointers from struct net, pass them via the 'priv' pointer in a similar fashion as nf_tables passes the rule data. To do that, duplicate the nf_hook_info array passed in from the iptable_x modules, update the ops->priv pointers of the copy to refer to the table and then change the hookfn implementations to just pass the 'priv' argument to the traverser. After this patch, the xt_table pointers can already be removed from struct net. However, changes to struct net result in re-compile of the entire network stack, so do the removal after arptables and ip6tables have been converted as well. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
iptable_x modules rely on 'struct net' to contain a pointer to the
table that should be evaluated.

In order to remove these pointers from struct net, pass them via
the 'priv' pointer in a similar fashion as nf_tables passes the
rule data.

To do that, duplicate the nf_hook_info array passed in from the
iptable_x modules, update the ops->priv pointers of the copy to
refer to the table and then change the hookfn implementations to
just pass the 'priv' argument to the traverser.

After this patch, the xt_table pointers can already be removed
from struct net.

However, changes to struct net result in re-compile of the entire
network stack, so do the removal after arptables and ip6tables
have been converted as well.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: x_tables: add xt_find_table 2021-04-26T01:20:39+00:00 Florian Westphal fw@strlen.de 2021-04-21T07:51:01+00:00 1ef4d6d1af2d0c0c7c9b391365a3894bea291e34 This will be used to obtain the xt_table struct given address family and table name. Followup patches will reduce the number of direct accesses to the xt_table structures via net->ipv{4,6}.ip(6)table_{nat,mangle,...} pointers, then remove them. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This will be used to obtain the xt_table struct given address family and
table name.

Followup patches will reduce the number of direct accesses to the xt_table
structures via net->ipv{4,6}.ip(6)table_{nat,mangle,...} pointers, then
remove them.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nfnetlink: add and use nfnetlink_broadcast 2021-04-05T22:34:51+00:00 Florian Westphal fw@strlen.de 2021-04-01T14:11:04+00:00 237c609f8744a8d5415f40a7ee731957934b0eef This removes the only reference of net->nfnl outside of the nfnetlink module. This allows to move net->nfnl to net_generic infra. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This removes the only reference of net->nfnl outside of the nfnetlink
module.  This allows to move net->nfnl to net_generic infra.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: add helper function to set up the nfnetlink header and use it 2021-03-31T20:34:11+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-03-30T14:58:37+00:00 19c28b1374fb1073a9ec873a6c10bf5f16b10b9d This patch adds a helper function to set up the netlink and nfnetlink headers. Update existing codebase to use it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This patch adds a helper function to set up the netlink and nfnetlink headers.
Update existing codebase to use it.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ipset: Remove duplicate declaration 2021-03-31T20:34:11+00:00 Wan Jiabing wanjiabing@vivo.com 2021-03-27T02:54:47+00:00 5c701e71961af0ec8227ea615f1646dbe98aea1a struct ip_set is declared twice. One is declared at 79th line, so remove the duplicate. Signed-off-by: Wan Jiabing <wanjiabing@vivo.com> Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
struct ip_set is declared twice. One is declared at 79th line,
so remove the duplicate.

Signed-off-by: Wan Jiabing <wanjiabing@vivo.com>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>