nf-next pr 2024-01-29
-----BEGIN PGP SIGNATURE----- iQJBBAABCAArFiEEgKkgxbID4Gn1hq6fcJGo2a1f9gAFAmW3ugcNHGZ3QHN0cmxl bi5kZQAKCRBwkajZrV/2AP+IEADdlinxL+a5Rqx0W3I0gR4LiOrnHdl2SQesCjEE iBm8Fgx7pQh6jQpjsEl+dg85CFbqI4iVxgLV/uAVCOvRFELH5aR/WHjAdoXQjrTS 55bexDCG9q9KBYCm721h2mSUTdmmx+aKfndFYMhEULzQPfDy+cS2lIh4epQPnlFH Idc1zXuMNWM/QY0vvwkAxsZ6TMG61GIYDAH4PtEtfCUVksdkLRPG8qWs5tJJgKFp SIyqKSB3Ab4LqY9e/HG0FwcrMwrSmNhcbO4CwpDfIrHEuIUtMKCqOp6X4lU1ekeb xVTuQ7fU64KmO+a/sS4QH8rPfDgT31GnxaVfeL7AM9pQsiLhJGMTlfFqgItJjZrS uch7Jtx0iWMDfuP7OgIYnS46FYD2wXShuz4wIbHI8RSEkln7GBJ2KGpnvyoF07Tf V6ZrGQk0TnAr7MAEXHe8rd0WEVvbZuBiVHo1xpSxKI9rGJYDdgSRz16wMdBowhIW Q++nacicTs8ak64vlAsigI4bnDYTNXsHQO2S84tXTikaq88m1/f9EqIVr/V2uMoR xTQcAaob2TqaGirS/bx/9twEuiwB/gg/nbqmVHni285SO2JbdNQ/iglopc/+EMYS ES3wibdQzfPL9h61KyHMGUbZke3w72Gn5X5Fp3lnoi7+ZSLMMRTBoMFv4T+DLzqJ dyouYw== =iDKQ -----END PGP SIGNATURE----- Merge tag 'nf-next-24-01-29' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next Florian Westphal says: ==================== nf-next pr 2024-01-29 This batch contains updates for your *next* tree. First three changes, from Phil Sutter, allow userspace to define a table that is exclusively owned by a daemon (via netlink socket aliveness) without auto-removing this table when the userspace program exits. Such a table gets marked as orphaned and a restarting management daemon may re-attach/reassume ownership. Next patch, from Pablo, passes the already-validated flags variable around rather than having called code re-fetch it from the netlink message. Patches 5 and 6 update ipvs and nf_conncount to use the recently introduced KMEM_CACHE() macro. Last three patches, from myself, tweak kconfig logic a little to permit a kernel configuration that can run iptables-over-nftables but not classic (setsockopt) iptables. Such builds lack the builtin filter/mangle/raw/nat/security tables, the set/getsockopt interface and the "old blob format" interpreter/traverser. 
For now, this is 'oldconfig friendly'; users need to manually deselect existing config options for this. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
84fc2408cf
@ -1271,6 +1271,12 @@ static inline bool nft_table_has_owner(const struct nft_table *table)
|
|||||||
return table->flags & NFT_TABLE_F_OWNER;
|
return table->flags & NFT_TABLE_F_OWNER;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline bool nft_table_is_orphan(const struct nft_table *table)
|
||||||
|
{
|
||||||
|
return (table->flags & (NFT_TABLE_F_OWNER | NFT_TABLE_F_PERSIST)) ==
|
||||||
|
NFT_TABLE_F_PERSIST;
|
||||||
|
}
|
||||||
|
|
||||||
static inline bool nft_base_chain_netdev(int family, u32 hooknum)
|
static inline bool nft_base_chain_netdev(int family, u32 hooknum)
|
||||||
{
|
{
|
||||||
return family == NFPROTO_NETDEV ||
|
return family == NFPROTO_NETDEV ||
|
||||||
|
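Review bot: nft_table_is_orphan() encodes a two-flag state (NFT_TABLE_F_PERSIST set, NFT_TABLE_F_OWNER clear) that a reader will not decode from the masked comparison alone, and the helper lands without a comment. A one-liner above it would carry the intent the cover letter gives, e.g. `/* Persistent table whose owning socket went away: still present, no owner, may be re-claimed by a new owner. */`. Keep it to describing the test; which other flag combinations are accepted or rejected is decided in nf_tables_updtable, not here.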
@ -179,13 +179,17 @@ enum nft_hook_attributes {
|
|||||||
* enum nft_table_flags - nf_tables table flags
|
* enum nft_table_flags - nf_tables table flags
|
||||||
*
|
*
|
||||||
* @NFT_TABLE_F_DORMANT: this table is not active
|
* @NFT_TABLE_F_DORMANT: this table is not active
|
||||||
|
* @NFT_TABLE_F_OWNER: this table is owned by a process
|
||||||
|
* @NFT_TABLE_F_PERSIST: this table shall outlive its owner
|
||||||
*/
|
*/
|
||||||
enum nft_table_flags {
|
enum nft_table_flags {
|
||||||
NFT_TABLE_F_DORMANT = 0x1,
|
NFT_TABLE_F_DORMANT = 0x1,
|
||||||
NFT_TABLE_F_OWNER = 0x2,
|
NFT_TABLE_F_OWNER = 0x2,
|
||||||
|
NFT_TABLE_F_PERSIST = 0x4,
|
||||||
};
|
};
|
||||||
#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \
|
#define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \
|
||||||
NFT_TABLE_F_OWNER)
|
NFT_TABLE_F_OWNER | \
|
||||||
|
NFT_TABLE_F_PERSIST)
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* enum nft_table_attributes - nf_tables table netlink attributes
|
* enum nft_table_attributes - nf_tables table netlink attributes
|
||||||
|
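Review bot: The new @NFT_TABLE_F_PERSIST kerneldoc says what the flag means but not how it can be used: the nf_tables_api.c hunk at -1215 rejects any update that flips this bit on an existing table with -EOPNOTSUPP, so userspace has to set it when the table is created. Suggest `* @NFT_TABLE_F_PERSIST: this table shall outlive its owner (fixed at table creation, cannot be toggled later)`. Whether the bit is accepted without NFT_TABLE_F_OWNER is not visible in this diff, so the comment should not claim either way.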
@ -39,6 +39,10 @@ config NF_CONNTRACK_BRIDGE
|
|||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
|
# old sockopt interface and eval loop
|
||||||
|
config BRIDGE_NF_EBTABLES_LEGACY
|
||||||
|
tristate
|
||||||
|
|
||||||
menuconfig BRIDGE_NF_EBTABLES
|
menuconfig BRIDGE_NF_EBTABLES
|
||||||
tristate "Ethernet Bridge tables (ebtables) support"
|
tristate "Ethernet Bridge tables (ebtables) support"
|
||||||
depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
|
depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
|
||||||
@ -55,6 +59,7 @@ if BRIDGE_NF_EBTABLES
|
|||||||
#
|
#
|
||||||
config BRIDGE_EBT_BROUTE
|
config BRIDGE_EBT_BROUTE
|
||||||
tristate "ebt: broute table support"
|
tristate "ebt: broute table support"
|
||||||
|
select BRIDGE_NF_EBTABLES_LEGACY
|
||||||
help
|
help
|
||||||
The ebtables broute table is used to define rules that decide between
|
The ebtables broute table is used to define rules that decide between
|
||||||
bridging and routing frames, giving Linux the functionality of a
|
bridging and routing frames, giving Linux the functionality of a
|
||||||
@ -65,6 +70,7 @@ config BRIDGE_EBT_BROUTE
|
|||||||
|
|
||||||
config BRIDGE_EBT_T_FILTER
|
config BRIDGE_EBT_T_FILTER
|
||||||
tristate "ebt: filter table support"
|
tristate "ebt: filter table support"
|
||||||
|
select BRIDGE_NF_EBTABLES_LEGACY
|
||||||
help
|
help
|
||||||
The ebtables filter table is used to define frame filtering rules at
|
The ebtables filter table is used to define frame filtering rules at
|
||||||
local input, forwarding and local output. See the man page for
|
local input, forwarding and local output. See the man page for
|
||||||
@ -74,6 +80,7 @@ config BRIDGE_EBT_T_FILTER
|
|||||||
|
|
||||||
config BRIDGE_EBT_T_NAT
|
config BRIDGE_EBT_T_NAT
|
||||||
tristate "ebt: nat table support"
|
tristate "ebt: nat table support"
|
||||||
|
select BRIDGE_NF_EBTABLES_LEGACY
|
||||||
help
|
help
|
||||||
The ebtables nat table is used to define rules that alter the MAC
|
The ebtables nat table is used to define rules that alter the MAC
|
||||||
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
|
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
|
||||||
|
@ -9,7 +9,7 @@ obj-$(CONFIG_NFT_BRIDGE_REJECT) += nft_reject_bridge.o
|
|||||||
# connection tracking
|
# connection tracking
|
||||||
obj-$(CONFIG_NF_CONNTRACK_BRIDGE) += nf_conntrack_bridge.o
|
obj-$(CONFIG_NF_CONNTRACK_BRIDGE) += nf_conntrack_bridge.o
|
||||||
|
|
||||||
obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
|
obj-$(CONFIG_BRIDGE_NF_EBTABLES_LEGACY) += ebtables.o
|
||||||
|
|
||||||
# tables
|
# tables
|
||||||
obj-$(CONFIG_BRIDGE_EBT_BROUTE) += ebtable_broute.o
|
obj-$(CONFIG_BRIDGE_EBT_BROUTE) += ebtable_broute.o
|
||||||
|
@ -10,6 +10,10 @@ config NF_DEFRAG_IPV4
|
|||||||
tristate
|
tristate
|
||||||
default n
|
default n
|
||||||
|
|
||||||
|
# old sockopt interface and eval loop
|
||||||
|
config IP_NF_IPTABLES_LEGACY
|
||||||
|
tristate
|
||||||
|
|
||||||
config NF_SOCKET_IPV4
|
config NF_SOCKET_IPV4
|
||||||
tristate "IPv4 socket lookup support"
|
tristate "IPv4 socket lookup support"
|
||||||
help
|
help
|
||||||
@ -152,7 +156,7 @@ config IP_NF_MATCH_ECN
|
|||||||
config IP_NF_MATCH_RPFILTER
|
config IP_NF_MATCH_RPFILTER
|
||||||
tristate '"rpfilter" reverse path filter match support'
|
tristate '"rpfilter" reverse path filter match support'
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
depends on IP_NF_MANGLE || IP_NF_RAW
|
depends on IP_NF_MANGLE || IP_NF_RAW || NFT_COMPAT
|
||||||
help
|
help
|
||||||
This option allows you to match packets whose replies would
|
This option allows you to match packets whose replies would
|
||||||
go out via the interface the packet came in.
|
go out via the interface the packet came in.
|
||||||
@ -173,6 +177,7 @@ config IP_NF_MATCH_TTL
|
|||||||
config IP_NF_FILTER
|
config IP_NF_FILTER
|
||||||
tristate "Packet filtering"
|
tristate "Packet filtering"
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
|
select IP_NF_IPTABLES_LEGACY
|
||||||
help
|
help
|
||||||
Packet filtering defines a table `filter', which has a series of
|
Packet filtering defines a table `filter', which has a series of
|
||||||
rules for simple packet filtering at local input, forwarding and
|
rules for simple packet filtering at local input, forwarding and
|
||||||
@ -182,7 +187,7 @@ config IP_NF_FILTER
|
|||||||
|
|
||||||
config IP_NF_TARGET_REJECT
|
config IP_NF_TARGET_REJECT
|
||||||
tristate "REJECT target support"
|
tristate "REJECT target support"
|
||||||
depends on IP_NF_FILTER
|
depends on IP_NF_FILTER || NFT_COMPAT
|
||||||
select NF_REJECT_IPV4
|
select NF_REJECT_IPV4
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
help
|
help
|
||||||
@ -212,6 +217,7 @@ config IP_NF_NAT
|
|||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
select NF_NAT
|
select NF_NAT
|
||||||
select NETFILTER_XT_NAT
|
select NETFILTER_XT_NAT
|
||||||
|
select IP6_NF_IPTABLES_LEGACY
|
||||||
help
|
help
|
||||||
This enables the `nat' table in iptables. This allows masquerading,
|
This enables the `nat' table in iptables. This allows masquerading,
|
||||||
port forwarding and other forms of full Network Address Port
|
port forwarding and other forms of full Network Address Port
|
||||||
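Review bot: The `select` added under `config IP_NF_NAT` names the IPv6 symbol, `select IP6_NF_IPTABLES_LEGACY`, while every sibling entry in this file (IP_NF_FILTER, IP_NF_MANGLE, IP_NF_RAW, IP_NF_SECURITY) selects `IP_NF_IPTABLES_LEGACY`, and the IPv4 Makefile hunk at -25 now builds ip_tables.o only from CONFIG_IP_NF_IPTABLES_LEGACY. As written, an IPv4-NAT-only configuration would pull in the IPv6 legacy core and could presumably leave iptable_nat without ip_tables.o, which reads like a copy-paste slip rather than intent. The line should be `select IP_NF_IPTABLES_LEGACY`.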
@ -252,6 +258,7 @@ endif # IP_NF_NAT
|
|||||||
config IP_NF_MANGLE
|
config IP_NF_MANGLE
|
||||||
tristate "Packet mangling"
|
tristate "Packet mangling"
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
|
select IP_NF_IPTABLES_LEGACY
|
||||||
help
|
help
|
||||||
This option adds a `mangle' table to iptables: see the man page for
|
This option adds a `mangle' table to iptables: see the man page for
|
||||||
iptables(8). This table is used for various packet alterations
|
iptables(8). This table is used for various packet alterations
|
||||||
@ -261,7 +268,7 @@ config IP_NF_MANGLE
|
|||||||
|
|
||||||
config IP_NF_TARGET_ECN
|
config IP_NF_TARGET_ECN
|
||||||
tristate "ECN target support"
|
tristate "ECN target support"
|
||||||
depends on IP_NF_MANGLE
|
depends on IP_NF_MANGLE || NFT_COMPAT
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
help
|
help
|
||||||
This option adds a `ECN' target, which can be used in the iptables mangle
|
This option adds a `ECN' target, which can be used in the iptables mangle
|
||||||
@ -286,6 +293,7 @@ config IP_NF_TARGET_TTL
|
|||||||
# raw + specific targets
|
# raw + specific targets
|
||||||
config IP_NF_RAW
|
config IP_NF_RAW
|
||||||
tristate 'raw table support (required for NOTRACK/TRACE)'
|
tristate 'raw table support (required for NOTRACK/TRACE)'
|
||||||
|
select IP_NF_IPTABLES_LEGACY
|
||||||
help
|
help
|
||||||
This option adds a `raw' table to iptables. This table is the very
|
This option adds a `raw' table to iptables. This table is the very
|
||||||
first in the netfilter framework and hooks in at the PREROUTING
|
first in the netfilter framework and hooks in at the PREROUTING
|
||||||
@ -299,6 +307,7 @@ config IP_NF_SECURITY
|
|||||||
tristate "Security table"
|
tristate "Security table"
|
||||||
depends on SECURITY
|
depends on SECURITY
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
|
select IP_NF_IPTABLES_LEGACY
|
||||||
help
|
help
|
||||||
This option adds a `security' table to iptables, for use
|
This option adds a `security' table to iptables, for use
|
||||||
with Mandatory Access Control (MAC) policy.
|
with Mandatory Access Control (MAC) policy.
|
||||||
@ -309,36 +318,34 @@ endif # IP_NF_IPTABLES
|
|||||||
|
|
||||||
# ARP tables
|
# ARP tables
|
||||||
config IP_NF_ARPTABLES
|
config IP_NF_ARPTABLES
|
||||||
tristate "ARP tables support"
|
tristate
|
||||||
select NETFILTER_XTABLES
|
|
||||||
select NETFILTER_FAMILY_ARP
|
|
||||||
depends on NETFILTER_ADVANCED
|
|
||||||
help
|
|
||||||
arptables is a general, extensible packet identification framework.
|
|
||||||
The ARP packet filtering and mangling (manipulation)subsystems
|
|
||||||
use this: say Y or M here if you want to use either of those.
|
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
config NFT_COMPAT_ARP
|
||||||
|
tristate
|
||||||
if IP_NF_ARPTABLES
|
depends on NF_TABLES_ARP && NFT_COMPAT
|
||||||
|
default m if NFT_COMPAT=m
|
||||||
|
default y if NFT_COMPAT=y
|
||||||
|
|
||||||
config IP_NF_ARPFILTER
|
config IP_NF_ARPFILTER
|
||||||
tristate "ARP packet filtering"
|
tristate "arptables-legacy packet filtering support"
|
||||||
|
select IP_NF_ARPTABLES
|
||||||
help
|
help
|
||||||
ARP packet filtering defines a table `filter', which has a series of
|
ARP packet filtering defines a table `filter', which has a series of
|
||||||
rules for simple ARP packet filtering at local input and
|
rules for simple ARP packet filtering at local input and
|
||||||
local output. On a bridge, you can also specify filtering rules
|
local output. This is only needed for arptables-legacy(8).
|
||||||
for forwarded ARP packets. See the man page for arptables(8).
|
Neither arptables-nft nor nftables need this to work.
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
config IP_NF_ARP_MANGLE
|
config IP_NF_ARP_MANGLE
|
||||||
tristate "ARP payload mangling"
|
tristate "ARP payload mangling"
|
||||||
|
depends on IP_NF_ARPTABLES || NFT_COMPAT_ARP
|
||||||
help
|
help
|
||||||
Allows altering the ARP packet payload: source and destination
|
Allows altering the ARP packet payload: source and destination
|
||||||
hardware and network addresses.
|
hardware and network addresses.
|
||||||
|
|
||||||
endif # IP_NF_ARPTABLES
|
This option is needed by both arptables-legacy and arptables-nft.
|
||||||
|
It is not used by nftables.
|
||||||
|
|
||||||
endmenu
|
endmenu
|
||||||
|
|
||||||
|
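Review bot: IP_NF_ARPTABLES loses its `select NETFILTER_XTABLES` and `select NETFILTER_FAMILY_ARP` lines when it becomes a hidden tristate, and nothing on the new side of the hunk re-adds them: IP_NF_ARPFILTER only gains `select IP_NF_ARPTABLES`, and IP_NF_ARP_MANGLE only gains a `depends on`. Unless the family and xtables requirements are satisfied elsewhere in the file (not visible here), a configuration with IP_NF_ARPFILTER enabled could build the arptables code without the ARP hook family it registers against, which would presumably surface at hook registration rather than at build time. Consider carrying `select NETFILTER_FAMILY_ARP` plus `select NETFILTER_XTABLES` (or `depends on NETFILTER_XTABLES`) over to IP_NF_ARPFILTER; NFT_COMPAT_ARP already constrains itself via `depends on NF_TABLES_ARP && NFT_COMPAT` and needs nothing further.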
@ -25,7 +25,7 @@ obj-$(CONFIG_NFT_FIB_IPV4) += nft_fib_ipv4.o
|
|||||||
obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
|
obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
|
||||||
|
|
||||||
# generic IP tables
|
# generic IP tables
|
||||||
obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
|
obj-$(CONFIG_IP_NF_IPTABLES_LEGACY) += ip_tables.o
|
||||||
|
|
||||||
# the three instances of ip_tables
|
# the three instances of ip_tables
|
||||||
obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
|
obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
|
||||||
|
@ -6,6 +6,10 @@
|
|||||||
menu "IPv6: Netfilter Configuration"
|
menu "IPv6: Netfilter Configuration"
|
||||||
depends on INET && IPV6 && NETFILTER
|
depends on INET && IPV6 && NETFILTER
|
||||||
|
|
||||||
|
# old sockopt interface and eval loop
|
||||||
|
config IP6_NF_IPTABLES_LEGACY
|
||||||
|
tristate
|
||||||
|
|
||||||
config NF_SOCKET_IPV6
|
config NF_SOCKET_IPV6
|
||||||
tristate "IPv6 socket lookup support"
|
tristate "IPv6 socket lookup support"
|
||||||
help
|
help
|
||||||
@ -147,7 +151,7 @@ config IP6_NF_MATCH_MH
|
|||||||
config IP6_NF_MATCH_RPFILTER
|
config IP6_NF_MATCH_RPFILTER
|
||||||
tristate '"rpfilter" reverse path filter match support'
|
tristate '"rpfilter" reverse path filter match support'
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
depends on IP6_NF_MANGLE || IP6_NF_RAW
|
depends on IP6_NF_MANGLE || IP6_NF_RAW || NFT_COMPAT
|
||||||
help
|
help
|
||||||
This option allows you to match packets whose replies would
|
This option allows you to match packets whose replies would
|
||||||
go out via the interface the packet came in.
|
go out via the interface the packet came in.
|
||||||
@ -186,6 +190,8 @@ config IP6_NF_TARGET_HL
|
|||||||
config IP6_NF_FILTER
|
config IP6_NF_FILTER
|
||||||
tristate "Packet filtering"
|
tristate "Packet filtering"
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
|
select IP6_NF_IPTABLES_LEGACY
|
||||||
|
tristate
|
||||||
help
|
help
|
||||||
Packet filtering defines a table `filter', which has a series of
|
Packet filtering defines a table `filter', which has a series of
|
||||||
rules for simple packet filtering at local input, forwarding and
|
rules for simple packet filtering at local input, forwarding and
|
||||||
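Review bot: The IP6_NF_FILTER entry now carries two type lines: the existing `tristate "Packet filtering"` and a second bare `tristate` added right after the new `select IP6_NF_IPTABLES_LEGACY`. The duplicate looks like a stray line from the hidden-symbol template used for IP6_NF_IPTABLES_LEGACY a few lines up; kconfig should accept a repeated identical type silently, but it reads as though the prompt were being dropped. Remove the bare `tristate` so the entry matches its IPv4 counterpart IP_NF_FILTER, which only gained the `select`.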
@ -195,7 +201,7 @@ config IP6_NF_FILTER
|
|||||||
|
|
||||||
config IP6_NF_TARGET_REJECT
|
config IP6_NF_TARGET_REJECT
|
||||||
tristate "REJECT target support"
|
tristate "REJECT target support"
|
||||||
depends on IP6_NF_FILTER
|
depends on IP6_NF_FILTER || NFT_COMPAT
|
||||||
select NF_REJECT_IPV6
|
select NF_REJECT_IPV6
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
help
|
help
|
||||||
@ -221,6 +227,7 @@ config IP6_NF_TARGET_SYNPROXY
|
|||||||
config IP6_NF_MANGLE
|
config IP6_NF_MANGLE
|
||||||
tristate "Packet mangling"
|
tristate "Packet mangling"
|
||||||
default m if NETFILTER_ADVANCED=n
|
default m if NETFILTER_ADVANCED=n
|
||||||
|
select IP6_NF_IPTABLES_LEGACY
|
||||||
help
|
help
|
||||||
This option adds a `mangle' table to iptables: see the man page for
|
This option adds a `mangle' table to iptables: see the man page for
|
||||||
iptables(8). This table is used for various packet alterations
|
iptables(8). This table is used for various packet alterations
|
||||||
@ -230,6 +237,7 @@ config IP6_NF_MANGLE
|
|||||||
|
|
||||||
config IP6_NF_RAW
|
config IP6_NF_RAW
|
||||||
tristate 'raw table support (required for TRACE)'
|
tristate 'raw table support (required for TRACE)'
|
||||||
|
select IP6_NF_IPTABLES_LEGACY
|
||||||
help
|
help
|
||||||
This option adds a `raw' table to ip6tables. This table is the very
|
This option adds a `raw' table to ip6tables. This table is the very
|
||||||
first in the netfilter framework and hooks in at the PREROUTING
|
first in the netfilter framework and hooks in at the PREROUTING
|
||||||
@ -243,6 +251,7 @@ config IP6_NF_SECURITY
|
|||||||
tristate "Security table"
|
tristate "Security table"
|
||||||
depends on SECURITY
|
depends on SECURITY
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
|
select IP6_NF_IPTABLES_LEGACY
|
||||||
help
|
help
|
||||||
This option adds a `security' table to iptables, for use
|
This option adds a `security' table to iptables, for use
|
||||||
with Mandatory Access Control (MAC) policy.
|
with Mandatory Access Control (MAC) policy.
|
||||||
@ -254,6 +263,7 @@ config IP6_NF_NAT
|
|||||||
depends on NF_CONNTRACK
|
depends on NF_CONNTRACK
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
select NF_NAT
|
select NF_NAT
|
||||||
|
select IP6_NF_IPTABLES_LEGACY
|
||||||
select NETFILTER_XT_NAT
|
select NETFILTER_XT_NAT
|
||||||
help
|
help
|
||||||
This enables the `nat' table in ip6tables. This allows masquerading,
|
This enables the `nat' table in ip6tables. This allows masquerading,
|
||||||
@ -262,25 +272,23 @@ config IP6_NF_NAT
|
|||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
if IP6_NF_NAT
|
|
||||||
|
|
||||||
config IP6_NF_TARGET_MASQUERADE
|
config IP6_NF_TARGET_MASQUERADE
|
||||||
tristate "MASQUERADE target support"
|
tristate "MASQUERADE target support"
|
||||||
select NETFILTER_XT_TARGET_MASQUERADE
|
select NETFILTER_XT_TARGET_MASQUERADE
|
||||||
|
depends on IP6_NF_NAT
|
||||||
help
|
help
|
||||||
This is a backwards-compat option for the user's convenience
|
This is a backwards-compat option for the user's convenience
|
||||||
(e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
|
(e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
|
||||||
|
|
||||||
config IP6_NF_TARGET_NPT
|
config IP6_NF_TARGET_NPT
|
||||||
tristate "NPT (Network Prefix translation) target support"
|
tristate "NPT (Network Prefix translation) target support"
|
||||||
|
depends on IP6_NF_NAT || NFT_COMPAT
|
||||||
help
|
help
|
||||||
This option adds the `SNPT' and `DNPT' target, which perform
|
This option adds the `SNPT' and `DNPT' target, which perform
|
||||||
stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
|
stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
|
||||||
|
|
||||||
To compile it as a module, choose M here. If unsure, say N.
|
To compile it as a module, choose M here. If unsure, say N.
|
||||||
|
|
||||||
endif # IP6_NF_NAT
|
|
||||||
|
|
||||||
endif # IP6_NF_IPTABLES
|
endif # IP6_NF_IPTABLES
|
||||||
endmenu
|
endmenu
|
||||||
|
|
||||||
|
@ -4,7 +4,7 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
# Link order matters here.
|
# Link order matters here.
|
||||||
obj-$(CONFIG_IP6_NF_IPTABLES) += ip6_tables.o
|
obj-$(CONFIG_IP6_NF_IPTABLES_LEGACY) += ip6_tables.o
|
||||||
obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
|
obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
|
||||||
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
|
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
|
||||||
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
|
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
|
||||||
|
@ -818,7 +818,7 @@ config NETFILTER_XT_TARGET_AUDIT
|
|||||||
|
|
||||||
config NETFILTER_XT_TARGET_CHECKSUM
|
config NETFILTER_XT_TARGET_CHECKSUM
|
||||||
tristate "CHECKSUM target support"
|
tristate "CHECKSUM target support"
|
||||||
depends on IP_NF_MANGLE || IP6_NF_MANGLE
|
depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
help
|
help
|
||||||
This option adds a `CHECKSUM' target, which can be used in the iptables mangle
|
This option adds a `CHECKSUM' target, which can be used in the iptables mangle
|
||||||
@ -869,7 +869,7 @@ config NETFILTER_XT_TARGET_CONNSECMARK
|
|||||||
config NETFILTER_XT_TARGET_CT
|
config NETFILTER_XT_TARGET_CT
|
||||||
tristate '"CT" target support'
|
tristate '"CT" target support'
|
||||||
depends on NF_CONNTRACK
|
depends on NF_CONNTRACK
|
||||||
depends on IP_NF_RAW || IP6_NF_RAW
|
depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
help
|
help
|
||||||
This options adds a `CT' target, which allows to specify initial
|
This options adds a `CT' target, which allows to specify initial
|
||||||
@ -880,7 +880,7 @@ config NETFILTER_XT_TARGET_CT
|
|||||||
|
|
||||||
config NETFILTER_XT_TARGET_DSCP
|
config NETFILTER_XT_TARGET_DSCP
|
||||||
tristate '"DSCP" and "TOS" target support'
|
tristate '"DSCP" and "TOS" target support'
|
||||||
depends on IP_NF_MANGLE || IP6_NF_MANGLE
|
depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
help
|
help
|
||||||
This option adds a `DSCP' target, which allows you to manipulate
|
This option adds a `DSCP' target, which allows you to manipulate
|
||||||
@ -896,7 +896,7 @@ config NETFILTER_XT_TARGET_DSCP
|
|||||||
|
|
||||||
config NETFILTER_XT_TARGET_HL
|
config NETFILTER_XT_TARGET_HL
|
||||||
tristate '"HL" hoplimit target support'
|
tristate '"HL" hoplimit target support'
|
||||||
depends on IP_NF_MANGLE || IP6_NF_MANGLE
|
depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
help
|
help
|
||||||
This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
|
This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
|
||||||
@ -1080,7 +1080,7 @@ config NETFILTER_XT_TARGET_TPROXY
|
|||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
depends on IPV6 || IPV6=n
|
depends on IPV6 || IPV6=n
|
||||||
depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
|
depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
|
||||||
depends on IP_NF_MANGLE
|
depends on IP_NF_MANGLE || NFT_COMPAT
|
||||||
select NF_DEFRAG_IPV4
|
select NF_DEFRAG_IPV4
|
||||||
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
|
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
|
||||||
select NF_TPROXY_IPV4
|
select NF_TPROXY_IPV4
|
||||||
@ -1147,7 +1147,7 @@ config NETFILTER_XT_TARGET_TCPMSS
|
|||||||
|
|
||||||
config NETFILTER_XT_TARGET_TCPOPTSTRIP
|
config NETFILTER_XT_TARGET_TCPOPTSTRIP
|
||||||
tristate '"TCPOPTSTRIP" target support'
|
tristate '"TCPOPTSTRIP" target support'
|
||||||
depends on IP_NF_MANGLE || IP6_NF_MANGLE
|
depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
|
||||||
depends on NETFILTER_ADVANCED
|
depends on NETFILTER_ADVANCED
|
||||||
help
|
help
|
||||||
This option adds a "TCPOPTSTRIP" target, which allows you to strip
|
This option adds a "TCPOPTSTRIP" target, which allows you to strip
|
||||||
|
@ -1511,9 +1511,7 @@ int __init ip_vs_conn_init(void)
|
|||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
/* Allocate ip_vs_conn slab cache */
|
/* Allocate ip_vs_conn slab cache */
|
||||||
ip_vs_conn_cachep = kmem_cache_create("ip_vs_conn",
|
ip_vs_conn_cachep = KMEM_CACHE(ip_vs_conn, SLAB_HWCACHE_ALIGN);
|
||||||
sizeof(struct ip_vs_conn), 0,
|
|
||||||
SLAB_HWCACHE_ALIGN, NULL);
|
|
||||||
if (!ip_vs_conn_cachep) {
|
if (!ip_vs_conn_cachep) {
|
||||||
kvfree(ip_vs_conn_tab);
|
kvfree(ip_vs_conn_tab);
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
@ -605,15 +605,11 @@ static int __init nf_conncount_modinit(void)
|
|||||||
for (i = 0; i < CONNCOUNT_SLOTS; ++i)
|
for (i = 0; i < CONNCOUNT_SLOTS; ++i)
|
||||||
spin_lock_init(&nf_conncount_locks[i]);
|
spin_lock_init(&nf_conncount_locks[i]);
|
||||||
|
|
||||||
conncount_conn_cachep = kmem_cache_create("nf_conncount_tuple",
|
conncount_conn_cachep = KMEM_CACHE(nf_conncount_tuple, 0);
|
||||||
sizeof(struct nf_conncount_tuple),
|
|
||||||
0, 0, NULL);
|
|
||||||
if (!conncount_conn_cachep)
|
if (!conncount_conn_cachep)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
conncount_rb_cachep = kmem_cache_create("nf_conncount_rb",
|
conncount_rb_cachep = KMEM_CACHE(nf_conncount_rb, 0);
|
||||||
sizeof(struct nf_conncount_rb),
|
|
||||||
0, 0, NULL);
|
|
||||||
if (!conncount_rb_cachep) {
|
if (!conncount_rb_cachep) {
|
||||||
kmem_cache_destroy(conncount_conn_cachep);
|
kmem_cache_destroy(conncount_conn_cachep);
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
@ -1194,8 +1194,10 @@ static void nf_tables_table_disable(struct net *net, struct nft_table *table)
|
|||||||
#define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
|
#define __NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)
|
||||||
#define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
|
#define __NFT_TABLE_F_WAS_DORMANT (__NFT_TABLE_F_INTERNAL << 0)
|
||||||
#define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
|
#define __NFT_TABLE_F_WAS_AWAKEN (__NFT_TABLE_F_INTERNAL << 1)
|
||||||
|
#define __NFT_TABLE_F_WAS_ORPHAN (__NFT_TABLE_F_INTERNAL << 2)
|
||||||
#define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
|
#define __NFT_TABLE_F_UPDATE (__NFT_TABLE_F_WAS_DORMANT | \
|
||||||
__NFT_TABLE_F_WAS_AWAKEN)
|
__NFT_TABLE_F_WAS_AWAKEN | \
|
||||||
|
__NFT_TABLE_F_WAS_ORPHAN)
|
||||||
|
|
||||||
static int nf_tables_updtable(struct nft_ctx *ctx)
|
static int nf_tables_updtable(struct nft_ctx *ctx)
|
||||||
{
|
{
|
||||||
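Review bot: `__NFT_TABLE_F_WAS_ORPHAN` joins the internal transaction-state flags without a comment, and its meaning is only recoverable from two later hunks (set when an update adopts an orphaned table at -1245, undone in __nf_tables_abort at -10420). A short comment next to the define would spare that hunt, e.g. `/* an owner was attached to an orphaned table in this transaction; abort must detach it again */`. The `__NFT_TABLE_F_INTERNAL (NFT_TABLE_F_MASK + 1)` base keeps working here only because NFT_TABLE_F_PERSIST (0x4) keeps the uapi mask contiguous, which is worth stating in the same comment.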
@ -1215,8 +1217,11 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
|
|||||||
|
|
||||||
if ((nft_table_has_owner(ctx->table) &&
|
if ((nft_table_has_owner(ctx->table) &&
|
||||||
!(flags & NFT_TABLE_F_OWNER)) ||
|
!(flags & NFT_TABLE_F_OWNER)) ||
|
||||||
(!nft_table_has_owner(ctx->table) &&
|
(flags & NFT_TABLE_F_OWNER &&
|
||||||
flags & NFT_TABLE_F_OWNER))
|
!nft_table_is_orphan(ctx->table)))
|
||||||
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
|
if ((flags ^ ctx->table->flags) & NFT_TABLE_F_PERSIST)
|
||||||
return -EOPNOTSUPP;
|
return -EOPNOTSUPP;
|
||||||
|
|
||||||
/* No dormant off/on/off/on games in single transaction */
|
/* No dormant off/on/off/on games in single transaction */
|
||||||
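Review bot: The rewritten owner condition rejects more than the old one: `flags & NFT_TABLE_F_OWNER && !nft_table_is_orphan(ctx->table)` is also true for a table that already has an owner, because nft_table_is_orphan() requires NFT_TABLE_F_OWNER to be clear, so an update that keeps the owner flag and only toggles NFT_TABLE_F_DORMANT now returns -EOPNOTSUPP, whereas the removed `!nft_table_has_owner(ctx->table) && flags & NFT_TABLE_F_OWNER` only refused owner acquisition on unowned tables. Unless an earlier check outside the hunk short-circuits that case (the start of nf_tables_updtable is not in this hunk), this looks like an unintended regression for the owning socket; `(flags & NFT_TABLE_F_OWNER && !nft_table_has_owner(ctx->table) && !nft_table_is_orphan(ctx->table))` would preserve the old behaviour while still allowing adoption of orphans. The added NFT_TABLE_F_PERSIST xor check below is independent of this and fine.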
@ -1245,6 +1250,13 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ((flags & NFT_TABLE_F_OWNER) &&
|
||||||
|
!nft_table_has_owner(ctx->table)) {
|
||||||
|
ctx->table->nlpid = ctx->portid;
|
||||||
|
ctx->table->flags |= NFT_TABLE_F_OWNER |
|
||||||
|
__NFT_TABLE_F_WAS_ORPHAN;
|
||||||
|
}
|
||||||
|
|
||||||
nft_trans_table_update(trans) = true;
|
nft_trans_table_update(trans) = true;
|
||||||
nft_trans_commit_list_add_tail(ctx->net, trans);
|
nft_trans_commit_list_add_tail(ctx->net, trans);
|
||||||
|
|
||||||
@ -4235,23 +4247,18 @@ static bool nft_set_ops_candidate(const struct nft_set_type *type, u32 flags)
|
|||||||
* given, in that case the amount of memory per element is used.
|
* given, in that case the amount of memory per element is used.
|
||||||
*/
|
*/
|
||||||
static const struct nft_set_ops *
|
static const struct nft_set_ops *
|
||||||
nft_select_set_ops(const struct nft_ctx *ctx,
|
nft_select_set_ops(const struct nft_ctx *ctx, u32 flags,
|
||||||
const struct nlattr * const nla[],
|
|
||||||
const struct nft_set_desc *desc)
|
const struct nft_set_desc *desc)
|
||||||
{
|
{
|
||||||
struct nftables_pernet *nft_net = nft_pernet(ctx->net);
|
struct nftables_pernet *nft_net = nft_pernet(ctx->net);
|
||||||
const struct nft_set_ops *ops, *bops;
|
const struct nft_set_ops *ops, *bops;
|
||||||
struct nft_set_estimate est, best;
|
struct nft_set_estimate est, best;
|
||||||
const struct nft_set_type *type;
|
const struct nft_set_type *type;
|
||||||
u32 flags = 0;
|
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
lockdep_assert_held(&nft_net->commit_mutex);
|
lockdep_assert_held(&nft_net->commit_mutex);
|
||||||
lockdep_nfnl_nft_mutex_not_held();
|
lockdep_nfnl_nft_mutex_not_held();
|
||||||
|
|
||||||
if (nla[NFTA_SET_FLAGS] != NULL)
|
|
||||||
flags = ntohl(nla_get_be32(nla[NFTA_SET_FLAGS]));
|
|
||||||
|
|
||||||
bops = NULL;
|
bops = NULL;
|
||||||
best.size = ~0;
|
best.size = ~0;
|
||||||
best.lookup = ~0;
|
best.lookup = ~0;
|
||||||
@ -5137,7 +5144,7 @@ static int nf_tables_newset(struct sk_buff *skb, const struct nfnl_info *info,
|
|||||||
if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
|
if (!(info->nlh->nlmsg_flags & NLM_F_CREATE))
|
||||||
return -ENOENT;
|
return -ENOENT;
|
||||||
|
|
||||||
ops = nft_select_set_ops(&ctx, nla, &desc);
|
ops = nft_select_set_ops(&ctx, flags, &desc);
|
||||||
if (IS_ERR(ops))
|
if (IS_ERR(ops))
|
||||||
return PTR_ERR(ops);
|
return PTR_ERR(ops);
|
||||||
|
|
||||||
@ -10420,6 +10427,10 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
|
|||||||
} else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
|
} else if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_AWAKEN) {
|
||||||
trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
|
trans->ctx.table->flags &= ~NFT_TABLE_F_DORMANT;
|
||||||
}
|
}
|
||||||
|
if (trans->ctx.table->flags & __NFT_TABLE_F_WAS_ORPHAN) {
|
||||||
|
trans->ctx.table->flags &= ~NFT_TABLE_F_OWNER;
|
||||||
|
trans->ctx.table->nlpid = 0;
|
||||||
|
}
|
||||||
trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
|
trans->ctx.table->flags &= ~__NFT_TABLE_F_UPDATE;
|
||||||
nft_trans_destroy(trans);
|
nft_trans_destroy(trans);
|
||||||
} else {
|
} else {
|
||||||
@ -11345,6 +11356,10 @@ again:
|
|||||||
list_for_each_entry(table, &nft_net->tables, list) {
|
list_for_each_entry(table, &nft_net->tables, list) {
|
||||||
if (nft_table_has_owner(table) &&
|
if (nft_table_has_owner(table) &&
|
||||||
n->portid == table->nlpid) {
|
n->portid == table->nlpid) {
|
||||||
|
if (table->flags & NFT_TABLE_F_PERSIST) {
|
||||||
|
table->flags &= ~NFT_TABLE_F_OWNER;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
__nft_release_hook(net, table);
|
__nft_release_hook(net, table);
|
||||||
list_del_rcu(&table->list);
|
list_del_rcu(&table->list);
|
||||||
to_delete[deleted++] = table;
|
to_delete[deleted++] = table;
|
||||||
|
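Review bot: When the owning socket goes away and the table carries NFT_TABLE_F_PERSIST, the new branch clears NFT_TABLE_F_OWNER but leaves `table->nlpid` holding the dead socket's portid, whereas the abort path in the hunk at -10420 clears both (`flags &= ~NFT_TABLE_F_OWNER;` then `nlpid = 0;`). The only reader visible here gates nlpid on nft_table_has_owner(), and the adoption path at -1245 overwrites nlpid unconditionally, so nothing needs the stale value; a leftover portid on an orphan is a trap for any later check that reads nlpid without that guard. Suggest adding `table->nlpid = 0;` before the `continue`, or a comment stating why it is intentionally kept. The enclosing function starts outside the hunk.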