Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== pull request: Netfilter/IPVS fixes for net The following patchset contains seven Netfilter fixes for your net tree, they are: 1) Make the NAT infrastructure independent of x_tables, some users are already starting to test nf_tables with NAT without enabling x_tables. Without this patch for Kconfig, there's a superfluous dependency between NAT and x_tables. 2) Allow to use 0 in the cgroup match, the kernel rejects with -EINVAL with no good reason. From Daniel Borkmann. 3) Select CONFIG_NF_NAT from the nf_tables NAT expression, this also resolves another NAT dependency with x_tables. 4) Use HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL in the Netfilter hook code as elsewhere in the kernel to resolve toolchain problems, from Zhouyi Zhou. 5) Use iptunnel_handle_offloads() to set up tunnel encapsulation depending on the offload capabilities, reported by Alex Gartrell, patch from Julian Anastasov. 6) Fix wrong family when registering the ip_vs_local_reply6() hook, also from Julian. 7) Select the NF_LOG_* symbols from NETFILTER_XT_TARGET_LOG. Rafał Miłecki reported that when jumping from 3.16 to 3.17-rc, his log target is not selected anymore due to changes in the previous development cycle to accommodate the full logging support for nf_tables. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
abccc5878a
11 changed files with 105 additions and 70 deletions
@ -9,6 +9,7 @@
|
|||
#include <linux/in6.h>
|
||||
#include <linux/wait.h>
|
||||
#include <linux/list.h>
|
||||
#include <linux/static_key.h>
|
||||
#include <uapi/linux/netfilter.h>
|
||||
#ifdef CONFIG_NETFILTER
|
||||
static inline int NF_DROP_GETERR(int verdict)
|
||||
|
@ -99,9 +100,9 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
|
|||
|
||||
extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
||||
|
||||
#if defined(CONFIG_JUMP_LABEL)
|
||||
#include <linux/static_key.h>
|
||||
#ifdef HAVE_JUMP_LABEL
|
||||
extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
||||
|
||||
static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook)
|
||||
{
|
||||
if (__builtin_constant_p(pf) &&
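Review bot: The new `#ifdef HAVE_JUMP_LABEL` in front of the `extern struct static_key nf_hooks_needed` declaration only evaluates correctly because `<linux/static_key.h>` is now included unconditionally near the top of the header (HAVE_JUMP_LABEL is, as far as I recall, defined by the jump-label header that static_key.h pulls in, and only when both CONFIG_JUMP_LABEL and toolchain support are present), and nothing in the hunk says so. A one-line comment above the guard would keep a later cleanup from moving that include back under a conditional: `/* HAVE_JUMP_LABEL is provided by <linux/static_key.h> above; it also encodes toolchain support, which CONFIG_JUMP_LABEL alone does not */`. The same CONFIG_JUMP_LABEL → HAVE_JUMP_LABEL rewrite is repeated in three later hunks of this commit (the `nf_hooks_needed` definition, `nf_register_hook` and `nf_unregister_hook`) and this note covers them. The body of `nf_hooks_active` continues outside the hunk.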
|
||||
@ -82,6 +82,52 @@ config NF_TABLES_ARP
|
|||
help
|
||||
This option enables the ARP support for nf_tables.
|
||||
|
||||
config NF_NAT_IPV4
|
||||
tristate "IPv4 NAT"
|
||||
depends on NF_CONNTRACK_IPV4
|
||||
default m if NETFILTER_ADVANCED=n
|
||||
select NF_NAT
|
||||
help
|
||||
The IPv4 NAT option allows masquerading, port forwarding and other
|
||||
forms of full Network Address Port Translation. This can be
|
||||
controlled by iptables or nft.
|
||||
|
||||
if NF_NAT_IPV4
|
||||
|
||||
config NF_NAT_SNMP_BASIC
|
||||
tristate "Basic SNMP-ALG support"
|
||||
depends on NF_CONNTRACK_SNMP
|
||||
depends on NETFILTER_ADVANCED
|
||||
default NF_NAT && NF_CONNTRACK_SNMP
|
||||
---help---
|
||||
|
||||
This module implements an Application Layer Gateway (ALG) for
|
||||
SNMP payloads. In conjunction with NAT, it allows a network
|
||||
management system to access multiple private networks with
|
||||
conflicting addresses. It works by modifying IP addresses
|
||||
inside SNMP payloads to match IP-layer NAT mapping.
|
||||
|
||||
This is the "basic" form of SNMP-ALG, as described in RFC 2962
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
config NF_NAT_PROTO_GRE
|
||||
tristate
|
||||
depends on NF_CT_PROTO_GRE
|
||||
|
||||
config NF_NAT_PPTP
|
||||
tristate
|
||||
depends on NF_CONNTRACK
|
||||
default NF_CONNTRACK_PPTP
|
||||
select NF_NAT_PROTO_GRE
|
||||
|
||||
config NF_NAT_H323
|
||||
tristate
|
||||
depends on NF_CONNTRACK
|
||||
default NF_CONNTRACK_H323
|
||||
|
||||
endif # NF_NAT_IPV4
|
||||
|
||||
config IP_NF_IPTABLES
|
||||
tristate "IP tables support (required for filtering/masq/NAT)"
|
||||
default m if NETFILTER_ADVANCED=n
|
||||
|
@ -170,19 +216,21 @@ config IP_NF_TARGET_SYNPROXY
|
|||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
# NAT + specific targets: nf_conntrack
|
||||
config NF_NAT_IPV4
|
||||
tristate "IPv4 NAT"
|
||||
config IP_NF_NAT
|
||||
tristate "iptables NAT support"
|
||||
depends on NF_CONNTRACK_IPV4
|
||||
default m if NETFILTER_ADVANCED=n
|
||||
select NF_NAT
|
||||
select NF_NAT_IPV4
|
||||
select NETFILTER_XT_NAT
|
||||
help
|
||||
The IPv4 NAT option allows masquerading, port forwarding and other
|
||||
forms of full Network Address Port Translation. It is controlled by
|
||||
the `nat' table in iptables: see the man page for iptables(8).
|
||||
This enables the `nat' table in iptables. This allows masquerading,
|
||||
port forwarding and other forms of full Network Address Port
|
||||
Translation.
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
if NF_NAT_IPV4
|
||||
if IP_NF_NAT
|
||||
|
||||
config IP_NF_TARGET_MASQUERADE
|
||||
tristate "MASQUERADE target support"
|
||||
|
@ -214,47 +262,7 @@ config IP_NF_TARGET_REDIRECT
|
|||
(e.g. when running oldconfig). It selects
|
||||
CONFIG_NETFILTER_XT_TARGET_REDIRECT.
|
||||
|
||||
endif
|
||||
|
||||
config NF_NAT_SNMP_BASIC
|
||||
tristate "Basic SNMP-ALG support"
|
||||
depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
|
||||
depends on NETFILTER_ADVANCED
|
||||
default NF_NAT && NF_CONNTRACK_SNMP
|
||||
---help---
|
||||
|
||||
This module implements an Application Layer Gateway (ALG) for
|
||||
SNMP payloads. In conjunction with NAT, it allows a network
|
||||
management system to access multiple private networks with
|
||||
conflicting addresses. It works by modifying IP addresses
|
||||
inside SNMP payloads to match IP-layer NAT mapping.
|
||||
|
||||
This is the "basic" form of SNMP-ALG, as described in RFC 2962
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
|
||||
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
|
||||
# From kconfig-language.txt:
|
||||
#
|
||||
# <expr> '&&' <expr> (6)
|
||||
#
|
||||
# (6) Returns the result of min(/expr/, /expr/).
|
||||
|
||||
config NF_NAT_PROTO_GRE
|
||||
tristate
|
||||
depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
|
||||
|
||||
config NF_NAT_PPTP
|
||||
tristate
|
||||
depends on NF_CONNTRACK && NF_NAT_IPV4
|
||||
default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
|
||||
select NF_NAT_PROTO_GRE
|
||||
|
||||
config NF_NAT_H323
|
||||
tristate
|
||||
depends on NF_CONNTRACK && NF_NAT_IPV4
|
||||
default NF_NAT_IPV4 && NF_CONNTRACK_H323
|
||||
endif # IP_NF_NAT
|
||||
|
||||
# mangle + specific targets
|
||||
config IP_NF_MANGLE
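Review bot: `select NF_NAT` in the new `config IP_NF_NAT` entry is redundant with the `select NF_NAT_IPV4` directly below it, because the relocated `config NF_NAT_IPV4` in the first hunk already carries `select NF_NAT`; keeping a single path to NF_NAT makes the dependency graph easier to audit, so I would keep only `select NF_NAT_IPV4` and `select NETFILTER_XT_NAT`. The same doubled select appears in the `config IP6_NF_NAT` entry of the IPv6 Kconfig hunk later in this commit. Separately, inside the new `if NF_NAT_IPV4` block the NF_NAT_SNMP_BASIC entry keeps `default NF_NAT && NF_CONNTRACK_SNMP` while the sibling NF_NAT_PPTP and NF_NAT_H323 entries dropped their NAT term from `default`; if the block's implied dependency already bounds the tristate, `default NF_CONNTRACK_SNMP` would be consistent with its neighbours.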
|
||||
@ -43,7 +43,7 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
|
|||
# the three instances of ip_tables
|
||||
obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
|
||||
obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
|
||||
obj-$(CONFIG_NF_NAT_IPV4) += iptable_nat.o
|
||||
obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
|
||||
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
|
||||
obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
|
||||
|
||||
@ -60,6 +60,16 @@ config NF_LOG_IPV6
|
|||
depends on NETFILTER_ADVANCED
|
||||
select NF_LOG_COMMON
|
||||
|
||||
config NF_NAT_IPV6
|
||||
tristate "IPv6 NAT"
|
||||
depends on NF_CONNTRACK_IPV6
|
||||
depends on NETFILTER_ADVANCED
|
||||
select NF_NAT
|
||||
help
|
||||
The IPv6 NAT option allows masquerading, port forwarding and other
|
||||
forms of full Network Address Port Translation. This can be
|
||||
controlled by iptables or nft.
|
||||
|
||||
config IP6_NF_IPTABLES
|
||||
tristate "IP6 tables support (required for filtering)"
|
||||
depends on INET && IPV6
|
||||
|
@ -232,19 +242,21 @@ config IP6_NF_SECURITY
|
|||
|
||||
If unsure, say N.
|
||||
|
||||
config NF_NAT_IPV6
|
||||
tristate "IPv6 NAT"
|
||||
config IP6_NF_NAT
|
||||
tristate "ip6tables NAT support"
|
||||
depends on NF_CONNTRACK_IPV6
|
||||
depends on NETFILTER_ADVANCED
|
||||
select NF_NAT
|
||||
select NF_NAT_IPV6
|
||||
select NETFILTER_XT_NAT
|
||||
help
|
||||
The IPv6 NAT option allows masquerading, port forwarding and other
|
||||
forms of full Network Address Port Translation. It is controlled by
|
||||
the `nat' table in ip6tables, see the man page for ip6tables(8).
|
||||
This enables the `nat' table in ip6tables. This allows masquerading,
|
||||
port forwarding and other forms of full Network Address Port
|
||||
Translation.
|
||||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
if NF_NAT_IPV6
|
||||
if IP6_NF_NAT
|
||||
|
||||
config IP6_NF_TARGET_MASQUERADE
|
||||
tristate "MASQUERADE target support"
|
||||
|
@ -265,7 +277,7 @@ config IP6_NF_TARGET_NPT
|
|||
|
||||
To compile it as a module, choose M here. If unsure, say N.
|
||||
|
||||
endif # NF_NAT_IPV6
|
||||
endif # IP6_NF_NAT
|
||||
|
||||
endif # IP6_NF_IPTABLES
|
||||
|
||||
@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
|
|||
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
|
||||
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
|
||||
obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
|
||||
obj-$(CONFIG_NF_NAT_IPV6) += ip6table_nat.o
|
||||
obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o
|
||||
|
||||
# objects for l3 independent conntrack
|
||||
nf_conntrack_ipv6-y := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o
|
||||
|
@ -499,7 +499,7 @@ config NFT_LIMIT
|
|||
config NFT_NAT
|
||||
depends on NF_TABLES
|
||||
depends on NF_CONNTRACK
|
||||
depends on NF_NAT
|
||||
select NF_NAT
|
||||
tristate "Netfilter nf_tables nat module"
|
||||
help
|
||||
This option adds the "nat" expression that you can use to perform
|
||||
|
@ -747,7 +747,9 @@ config NETFILTER_XT_TARGET_LED
|
|||
|
||||
config NETFILTER_XT_TARGET_LOG
|
||||
tristate "LOG target support"
|
||||
depends on NF_LOG_IPV4 && NF_LOG_IPV6
|
||||
select NF_LOG_COMMON
|
||||
select NF_LOG_IPV4
|
||||
select NF_LOG_IPV6 if IPV6
|
||||
default m if NETFILTER_ADVANCED=n
|
||||
help
|
||||
This option adds a `LOG' target, which allows you to create rules in
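Review bot: `select NF_LOG_IPV6 if IPV6` forces NF_LOG_IPV6 on irrespective of that symbol's own `depends on NETFILTER_ADVANCED`, which is visible as context at the top of the IPv6 Kconfig hunk earlier in this commit, while NETFILTER_XT_TARGET_LOG itself is `default m if NETFILTER_ADVANCED=n`. A non-advanced configuration that enables the LOG target therefore selects a symbol whose direct dependency is unmet and should produce a Kconfig "unmet direct dependencies" warning; NF_LOG_IPV4 may have the same dependency, but its entry is not in view. Either drop the hard dependency on the NF_LOG_* side in favour of `default m if NETFILTER_ADVANCED=n`, or give NETFILTER_XT_TARGET_LOG a `depends on` that matches what it selects. The NFT_NAT hunk above makes the analogous `depends on` → `select` change for NF_NAT and is worth checking against NF_NAT's own prerequisites for the same reason.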
|
||||
|
@ -95,7 +95,7 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
|
|||
obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
|
||||
obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
|
||||
obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o
|
||||
obj-$(CONFIG_NF_NAT) += xt_nat.o
|
||||
obj-$(CONFIG_NETFILTER_XT_NAT) += xt_nat.o
|
||||
|
||||
# targets
|
||||
obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o
|
||||
|
@ -54,7 +54,7 @@ EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
|
|||
struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly;
|
||||
EXPORT_SYMBOL(nf_hooks);
|
||||
|
||||
#if defined(CONFIG_JUMP_LABEL)
|
||||
#ifdef HAVE_JUMP_LABEL
|
||||
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
|
||||
EXPORT_SYMBOL(nf_hooks_needed);
|
||||
#endif
|
||||
|
@ -72,7 +72,7 @@ int nf_register_hook(struct nf_hook_ops *reg)
|
|||
}
|
||||
list_add_rcu(®->list, elem->list.prev);
|
||||
mutex_unlock(&nf_hook_mutex);
|
||||
#if defined(CONFIG_JUMP_LABEL)
|
||||
#ifdef HAVE_JUMP_LABEL
|
||||
static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
|
||||
#endif
|
||||
return 0;
|
||||
|
@ -84,7 +84,7 @@ void nf_unregister_hook(struct nf_hook_ops *reg)
|
|||
mutex_lock(&nf_hook_mutex);
|
||||
list_del_rcu(®->list);
|
||||
mutex_unlock(&nf_hook_mutex);
|
||||
#if defined(CONFIG_JUMP_LABEL)
|
||||
#ifdef HAVE_JUMP_LABEL
|
||||
static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
|
||||
#endif
|
||||
synchronize_net();
|
||||
|
@ -1906,7 +1906,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
|
|||
{
|
||||
.hook = ip_vs_local_reply6,
|
||||
.owner = THIS_MODULE,
|
||||
.pf = NFPROTO_IPV4,
|
||||
.pf = NFPROTO_IPV6,
|
||||
.hooknum = NF_INET_LOCAL_OUT,
|
||||
.priority = NF_IP6_PRI_NAT_DST + 1,
|
||||
},
|
||||
|
@ -38,6 +38,7 @@
|
|||
#include <net/route.h> /* for ip_route_output */
|
||||
#include <net/ipv6.h>
|
||||
#include <net/ip6_route.h>
|
||||
#include <net/ip_tunnels.h>
|
||||
#include <net/addrconf.h>
|
||||
#include <linux/icmpv6.h>
|
||||
#include <linux/netfilter.h>
|
||||
|
@ -862,11 +863,15 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
|
|||
old_iph = ip_hdr(skb);
|
||||
}
|
||||
|
||||
skb->transport_header = skb->network_header;
|
||||
|
||||
/* fix old IP header checksum */
|
||||
ip_send_check(old_iph);
|
||||
|
||||
skb = iptunnel_handle_offloads(skb, false, SKB_GSO_IPIP);
|
||||
if (IS_ERR(skb))
|
||||
goto tx_error;
|
||||
|
||||
skb->transport_header = skb->network_header;
|
||||
|
||||
skb_push(skb, sizeof(struct iphdr));
|
||||
skb_reset_network_header(skb);
|
||||
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
|
||||
|
@ -900,7 +905,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
|
|||
return NF_STOLEN;
|
||||
|
||||
tx_error:
|
||||
kfree_skb(skb);
|
||||
if (!IS_ERR(skb))
|
||||
kfree_skb(skb);
|
||||
rcu_read_unlock();
|
||||
LeaveFunction(10);
|
||||
return NF_STOLEN;
|
||||
|
@ -953,6 +959,11 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
|
|||
old_iph = ipv6_hdr(skb);
|
||||
}
|
||||
|
||||
/* GSO: we need to provide proper SKB_GSO_ value for IPv6 */
|
||||
skb = iptunnel_handle_offloads(skb, false, 0); /* SKB_GSO_SIT/IPV6 */
|
||||
if (IS_ERR(skb))
|
||||
goto tx_error;
|
||||
|
||||
skb->transport_header = skb->network_header;
|
||||
|
||||
skb_push(skb, sizeof(struct ipv6hdr));
|
||||
|
@ -988,7 +999,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
|
|||
return NF_STOLEN;
|
||||
|
||||
tx_error:
|
||||
kfree_skb(skb);
|
||||
if (!IS_ERR(skb))
|
||||
kfree_skb(skb);
|
||||
rcu_read_unlock();
|
||||
LeaveFunction(10);
|
||||
return NF_STOLEN;
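Review bot: The new `if (!IS_ERR(skb))` guard at the `tx_error:` label in both ip_vs_tunnel_xmit and ip_vs_tunnel_xmit_v6 encodes an ownership rule that the code never states: when `iptunnel_handle_offloads()` fails the skb has presumably already been consumed by that helper and only the ERR_PTR reaches the label, so an unconditional `kfree_skb(skb)` would be a double free, whereas every other `goto tx_error` still owns a live skb. A comment on the guard would make that contract explicit for the next person adding an error path: `/* iptunnel_handle_offloads() frees the skb on failure; only ERR_PTR(err) gets here */`. The v6 call passes `0` as the GSO type with only the trailing `SKB_GSO_SIT/IPV6` remark; saying outright that no suitable SKB_GSO_ value exists yet for IPv6-in-IPv6 (if that is the reason) would save the next reader a lookup. Both functions begin and end outside these hunks.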
|
||||
|
@ -31,7 +31,7 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par)
|
|||
if (info->invert & ~1)
|
||||
return -EINVAL;
|
||||
|
||||
return info->id ? 0 : -EINVAL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
static bool
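Review bot: Replacing `return info->id ? 0 : -EINVAL;` with `return 0;` in cgroup_mt_check makes classid 0 a legal match value, but the function gives no hint why 0 used to be rejected or what matching it means; if 0 is the default classid of sockets that were never assigned one, a rule with id 0 now matches all such traffic, which is worth stating where the check used to be. Suggested comment ahead of `return 0;`: `/* id 0 (the default classid) is a valid value to match on */`. The `info->invert & ~1` check above is now the only validation left in this function. The `static bool` line is the start of the next function, which lies outside the hunk.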
|
||||