Commit abccc587 authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
pull request: Netfilter/IPVS fixes for net

The following patchset contains seven Netfilter fixes for your net
tree, they are:

1) Make the NAT infrastructure independent of x_tables, some users are
   already starting to test nf_tables with NAT without enabling x_tables.
   Without this patch for Kconfig, there's a superfluous dependency
   between NAT and x_tables.
2) Allow to use 0 in the cgroup match, the kernel rejects with -EINVAL
   with no good reason. From Daniel Borkmann.

3) Select CONFIG_NF_NAT from the nf_tables NAT expression, this also
   resolves another NAT dependency with x_tables.

4) Use HAVE_JUMP_LABEL instead of CONFIG_JUMP_LABEL in the Netfilter hook
   code as elsewhere in the kernel to resolve toolchain problems, from
   Zhouyi Zhou.

5) Use iptunnel_handle_offloads() to set up tunnel encapsulation
   depending on the offload capabilities, reported by Alex Gartrell
   patch from Julian Anastasov.

6) Fix wrong family when registering the ip_vs_local_reply6() hook,
   also from Julian.

7) Select the NF_LOG_* symbols from NETFILTER_XT_TARGET_LOG. Rafał
   Miłecki reported that when jumping from 3.16 to 3.17-rc, his log
   target is not selected anymore due to changes in the previous
   development cycle to accommodate the full logging support for
   nf_tables.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 04860eb7 d79a61d6
...@@ -9,6 +9,7 @@ ...@@ -9,6 +9,7 @@
#include <linux/in6.h> #include <linux/in6.h>
#include <linux/wait.h> #include <linux/wait.h>
#include <linux/list.h> #include <linux/list.h>
#include <linux/static_key.h>
#include <uapi/linux/netfilter.h> #include <uapi/linux/netfilter.h>
#ifdef CONFIG_NETFILTER #ifdef CONFIG_NETFILTER
static inline int NF_DROP_GETERR(int verdict) static inline int NF_DROP_GETERR(int verdict)
...@@ -99,9 +100,9 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg); ...@@ -99,9 +100,9 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
#if defined(CONFIG_JUMP_LABEL) #ifdef HAVE_JUMP_LABEL
#include <linux/static_key.h>
extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook) static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook)
{ {
if (__builtin_constant_p(pf) && if (__builtin_constant_p(pf) &&
......
...@@ -82,6 +82,52 @@ config NF_TABLES_ARP ...@@ -82,6 +82,52 @@ config NF_TABLES_ARP
help help
This option enables the ARP support for nf_tables. This option enables the ARP support for nf_tables.
config NF_NAT_IPV4
tristate "IPv4 NAT"
depends on NF_CONNTRACK_IPV4
default m if NETFILTER_ADVANCED=n
select NF_NAT
help
The IPv4 NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. This can be
controlled by iptables or nft.
if NF_NAT_IPV4
config NF_NAT_SNMP_BASIC
tristate "Basic SNMP-ALG support"
depends on NF_CONNTRACK_SNMP
depends on NETFILTER_ADVANCED
default NF_NAT && NF_CONNTRACK_SNMP
---help---
This module implements an Application Layer Gateway (ALG) for
SNMP payloads. In conjunction with NAT, it allows a network
management system to access multiple private networks with
conflicting addresses. It works by modifying IP addresses
inside SNMP payloads to match IP-layer NAT mapping.
This is the "basic" form of SNMP-ALG, as described in RFC 2962
To compile it as a module, choose M here. If unsure, say N.
config NF_NAT_PROTO_GRE
tristate
depends on NF_CT_PROTO_GRE
config NF_NAT_PPTP
tristate
depends on NF_CONNTRACK
default NF_CONNTRACK_PPTP
select NF_NAT_PROTO_GRE
config NF_NAT_H323
tristate
depends on NF_CONNTRACK
default NF_CONNTRACK_H323
endif # NF_NAT_IPV4
config IP_NF_IPTABLES config IP_NF_IPTABLES
tristate "IP tables support (required for filtering/masq/NAT)" tristate "IP tables support (required for filtering/masq/NAT)"
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
...@@ -170,19 +216,21 @@ config IP_NF_TARGET_SYNPROXY ...@@ -170,19 +216,21 @@ config IP_NF_TARGET_SYNPROXY
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack # NAT + specific targets: nf_conntrack
config NF_NAT_IPV4 config IP_NF_NAT
tristate "IPv4 NAT" tristate "iptables NAT support"
depends on NF_CONNTRACK_IPV4 depends on NF_CONNTRACK_IPV4
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
select NF_NAT select NF_NAT
select NF_NAT_IPV4
select NETFILTER_XT_NAT
help help
The IPv4 NAT option allows masquerading, port forwarding and other This enables the `nat' table in iptables. This allows masquerading,
forms of full Network Address Port Translation. It is controlled by port forwarding and other forms of full Network Address Port
the `nat' table in iptables: see the man page for iptables(8). Translation.
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
if NF_NAT_IPV4 if IP_NF_NAT
config IP_NF_TARGET_MASQUERADE config IP_NF_TARGET_MASQUERADE
tristate "MASQUERADE target support" tristate "MASQUERADE target support"
...@@ -214,47 +262,7 @@ config IP_NF_TARGET_REDIRECT ...@@ -214,47 +262,7 @@ config IP_NF_TARGET_REDIRECT
(e.g. when running oldconfig). It selects (e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_TARGET_REDIRECT. CONFIG_NETFILTER_XT_TARGET_REDIRECT.
endif endif # IP_NF_NAT
config NF_NAT_SNMP_BASIC
tristate "Basic SNMP-ALG support"
depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
depends on NETFILTER_ADVANCED
default NF_NAT && NF_CONNTRACK_SNMP
---help---
This module implements an Application Layer Gateway (ALG) for
SNMP payloads. In conjunction with NAT, it allows a network
management system to access multiple private networks with
conflicting addresses. It works by modifying IP addresses
inside SNMP payloads to match IP-layer NAT mapping.
This is the "basic" form of SNMP-ALG, as described in RFC 2962
To compile it as a module, choose M here. If unsure, say N.
# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
# <expr> '&&' <expr> (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
tristate
depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
config NF_NAT_PPTP
tristate
depends on NF_CONNTRACK && NF_NAT_IPV4
default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
select NF_NAT_PROTO_GRE
config NF_NAT_H323
tristate
depends on NF_CONNTRACK && NF_NAT_IPV4
default NF_NAT_IPV4 && NF_CONNTRACK_H323
# mangle + specific targets # mangle + specific targets
config IP_NF_MANGLE config IP_NF_MANGLE
......
...@@ -43,7 +43,7 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o ...@@ -43,7 +43,7 @@ obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o
# the three instances of ip_tables # the three instances of ip_tables
obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o obj-$(CONFIG_IP_NF_FILTER) += iptable_filter.o
obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o obj-$(CONFIG_IP_NF_MANGLE) += iptable_mangle.o
obj-$(CONFIG_NF_NAT_IPV4) += iptable_nat.o obj-$(CONFIG_IP_NF_NAT) += iptable_nat.o
obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o obj-$(CONFIG_IP_NF_RAW) += iptable_raw.o
obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
......
...@@ -60,6 +60,16 @@ config NF_LOG_IPV6 ...@@ -60,6 +60,16 @@ config NF_LOG_IPV6
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
select NF_LOG_COMMON select NF_LOG_COMMON
config NF_NAT_IPV6
tristate "IPv6 NAT"
depends on NF_CONNTRACK_IPV6
depends on NETFILTER_ADVANCED
select NF_NAT
help
The IPv6 NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. This can be
controlled by iptables or nft.
config IP6_NF_IPTABLES config IP6_NF_IPTABLES
tristate "IP6 tables support (required for filtering)" tristate "IP6 tables support (required for filtering)"
depends on INET && IPV6 depends on INET && IPV6
...@@ -232,19 +242,21 @@ config IP6_NF_SECURITY ...@@ -232,19 +242,21 @@ config IP6_NF_SECURITY
If unsure, say N. If unsure, say N.
config NF_NAT_IPV6 config IP6_NF_NAT
tristate "IPv6 NAT" tristate "ip6tables NAT support"
depends on NF_CONNTRACK_IPV6 depends on NF_CONNTRACK_IPV6
depends on NETFILTER_ADVANCED depends on NETFILTER_ADVANCED
select NF_NAT select NF_NAT
select NF_NAT_IPV6
select NETFILTER_XT_NAT
help help
The IPv6 NAT option allows masquerading, port forwarding and other This enables the `nat' table in ip6tables. This allows masquerading,
forms of full Network Address Port Translation. It is controlled by port forwarding and other forms of full Network Address Port
the `nat' table in ip6tables, see the man page for ip6tables(8). Translation.
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
if NF_NAT_IPV6 if IP6_NF_NAT
config IP6_NF_TARGET_MASQUERADE config IP6_NF_TARGET_MASQUERADE
tristate "MASQUERADE target support" tristate "MASQUERADE target support"
...@@ -265,7 +277,7 @@ config IP6_NF_TARGET_NPT ...@@ -265,7 +277,7 @@ config IP6_NF_TARGET_NPT
To compile it as a module, choose M here. If unsure, say N. To compile it as a module, choose M here. If unsure, say N.
endif # NF_NAT_IPV6 endif # IP6_NF_NAT
endif # IP6_NF_IPTABLES endif # IP6_NF_IPTABLES
......
...@@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o ...@@ -8,7 +8,7 @@ obj-$(CONFIG_IP6_NF_FILTER) += ip6table_filter.o
obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o obj-$(CONFIG_IP6_NF_MANGLE) += ip6table_mangle.o
obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o obj-$(CONFIG_IP6_NF_RAW) += ip6table_raw.o
obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o obj-$(CONFIG_IP6_NF_SECURITY) += ip6table_security.o
obj-$(CONFIG_NF_NAT_IPV6) += ip6table_nat.o obj-$(CONFIG_IP6_NF_NAT) += ip6table_nat.o
# objects for l3 independent conntrack # objects for l3 independent conntrack
nf_conntrack_ipv6-y := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o nf_conntrack_ipv6-y := nf_conntrack_l3proto_ipv6.o nf_conntrack_proto_icmpv6.o
......
...@@ -499,7 +499,7 @@ config NFT_LIMIT ...@@ -499,7 +499,7 @@ config NFT_LIMIT
config NFT_NAT config NFT_NAT
depends on NF_TABLES depends on NF_TABLES
depends on NF_CONNTRACK depends on NF_CONNTRACK
depends on NF_NAT select NF_NAT
tristate "Netfilter nf_tables nat module" tristate "Netfilter nf_tables nat module"
help help
This option adds the "nat" expression that you can use to perform This option adds the "nat" expression that you can use to perform
...@@ -747,7 +747,9 @@ config NETFILTER_XT_TARGET_LED ...@@ -747,7 +747,9 @@ config NETFILTER_XT_TARGET_LED
config NETFILTER_XT_TARGET_LOG config NETFILTER_XT_TARGET_LOG
tristate "LOG target support" tristate "LOG target support"
depends on NF_LOG_IPV4 && NF_LOG_IPV6 select NF_LOG_COMMON
select NF_LOG_IPV4
select NF_LOG_IPV6 if IPV6
default m if NETFILTER_ADVANCED=n default m if NETFILTER_ADVANCED=n
help help
This option adds a `LOG' target, which allows you to create rules in This option adds a `LOG' target, which allows you to create rules in
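Review bot: Replacing `depends on NF_LOG_IPV4 && NF_LOG_IPV6` with `select NF_LOG_IPV4` and `select NF_LOG_IPV6 if IPV6` forces those symbols on without honouring their own dependencies, and the NF_LOG_IPV6 entry visible in the ip6 Kconfig hunk above carries `depends on NETFILTER_ADVANCED` while NETFILTER_XT_TARGET_LOG keeps `default m if NETFILTER_ADVANCED=n`, so a config with NETFILTER_ADVANCED=n and IPV6=y presumably ends up selecting NF_LOG_IPV6 with an unmet direct dependency (Kconfig warns but still builds it) — worth checking with a non-advanced config. If that outcome is intended, say so next to the select: `# selected rather than depended on so the LOG target stays available when NETFILTER_ADVANCED=n`. The added `select NF_LOG_COMMON` looks redundant given NF_LOG_IPV6 already selects it (same hunk above); whether NF_LOG_IPV4 does too is not visible here. The NETFILTER_XT_TARGET_LOG entry continues past the end of the hunk.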
......
...@@ -95,7 +95,7 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o ...@@ -95,7 +95,7 @@ obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o obj-$(CONFIG_NETFILTER_XT_SET) += xt_set.o
obj-$(CONFIG_NF_NAT) += xt_nat.o obj-$(CONFIG_NETFILTER_XT_NAT) += xt_nat.o
# targets # targets
obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o obj-$(CONFIG_NETFILTER_XT_TARGET_AUDIT) += xt_AUDIT.o
......
...@@ -54,7 +54,7 @@ EXPORT_SYMBOL_GPL(nf_unregister_afinfo); ...@@ -54,7 +54,7 @@ EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly; struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly;
EXPORT_SYMBOL(nf_hooks); EXPORT_SYMBOL(nf_hooks);
#if defined(CONFIG_JUMP_LABEL) #ifdef HAVE_JUMP_LABEL
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
EXPORT_SYMBOL(nf_hooks_needed); EXPORT_SYMBOL(nf_hooks_needed);
#endif #endif
...@@ -72,7 +72,7 @@ int nf_register_hook(struct nf_hook_ops *reg) ...@@ -72,7 +72,7 @@ int nf_register_hook(struct nf_hook_ops *reg)
} }
list_add_rcu(&reg->list, elem->list.prev); list_add_rcu(&reg->list, elem->list.prev);
mutex_unlock(&nf_hook_mutex); mutex_unlock(&nf_hook_mutex);
#if defined(CONFIG_JUMP_LABEL) #ifdef HAVE_JUMP_LABEL
static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
#endif #endif
return 0; return 0;
...@@ -84,7 +84,7 @@ void nf_unregister_hook(struct nf_hook_ops *reg) ...@@ -84,7 +84,7 @@ void nf_unregister_hook(struct nf_hook_ops *reg)
mutex_lock(&nf_hook_mutex); mutex_lock(&nf_hook_mutex);
list_del_rcu(&reg->list); list_del_rcu(&reg->list);
mutex_unlock(&nf_hook_mutex); mutex_unlock(&nf_hook_mutex);
#if defined(CONFIG_JUMP_LABEL) #ifdef HAVE_JUMP_LABEL
static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]); static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
#endif #endif
synchronize_net(); synchronize_net();
......
...@@ -1906,7 +1906,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = { ...@@ -1906,7 +1906,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
{ {
.hook = ip_vs_local_reply6, .hook = ip_vs_local_reply6,
.owner = THIS_MODULE, .owner = THIS_MODULE,
.pf = NFPROTO_IPV4, .pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT, .hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_NAT_DST + 1, .priority = NF_IP6_PRI_NAT_DST + 1,
}, },
......
...@@ -38,6 +38,7 @@ ...@@ -38,6 +38,7 @@
#include <net/route.h> /* for ip_route_output */ #include <net/route.h> /* for ip_route_output */
#include <net/ipv6.h> #include <net/ipv6.h>
#include <net/ip6_route.h> #include <net/ip6_route.h>
#include <net/ip_tunnels.h>
#include <net/addrconf.h> #include <net/addrconf.h>
#include <linux/icmpv6.h> #include <linux/icmpv6.h>
#include <linux/netfilter.h> #include <linux/netfilter.h>
...@@ -862,11 +863,15 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, ...@@ -862,11 +863,15 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
old_iph = ip_hdr(skb); old_iph = ip_hdr(skb);
} }
skb->transport_header = skb->network_header;
/* fix old IP header checksum */ /* fix old IP header checksum */
ip_send_check(old_iph); ip_send_check(old_iph);
skb = iptunnel_handle_offloads(skb, false, SKB_GSO_IPIP);
if (IS_ERR(skb))
goto tx_error;
skb->transport_header = skb->network_header;
skb_push(skb, sizeof(struct iphdr)); skb_push(skb, sizeof(struct iphdr));
skb_reset_network_header(skb); skb_reset_network_header(skb);
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt)); memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
...@@ -900,7 +905,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp, ...@@ -900,7 +905,8 @@ ip_vs_tunnel_xmit(struct sk_buff *skb, struct ip_vs_conn *cp,
return NF_STOLEN; return NF_STOLEN;
tx_error: tx_error:
kfree_skb(skb); if (!IS_ERR(skb))
kfree_skb(skb);
rcu_read_unlock(); rcu_read_unlock();
LeaveFunction(10); LeaveFunction(10);
return NF_STOLEN; return NF_STOLEN;
...@@ -953,6 +959,11 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, ...@@ -953,6 +959,11 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
old_iph = ipv6_hdr(skb); old_iph = ipv6_hdr(skb);
} }
/* GSO: we need to provide proper SKB_GSO_ value for IPv6 */
skb = iptunnel_handle_offloads(skb, false, 0); /* SKB_GSO_SIT/IPV6 */
if (IS_ERR(skb))
goto tx_error;
skb->transport_header = skb->network_header; skb->transport_header = skb->network_header;
skb_push(skb, sizeof(struct ipv6hdr)); skb_push(skb, sizeof(struct ipv6hdr));
...@@ -988,7 +999,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp, ...@@ -988,7 +999,8 @@ ip_vs_tunnel_xmit_v6(struct sk_buff *skb, struct ip_vs_conn *cp,
return NF_STOLEN; return NF_STOLEN;
tx_error: tx_error:
kfree_skb(skb); if (!IS_ERR(skb))
kfree_skb(skb);
rcu_read_unlock(); rcu_read_unlock();
LeaveFunction(10); LeaveFunction(10);
return NF_STOLEN; return NF_STOLEN;
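Review bot: The IPv6 tunnel path passes a gso_type_mask of 0 to iptunnel_handle_offloads() (the line added after `old_iph = ipv6_hdr(skb);` in ip_vs_tunnel_xmit_v6) and the comment beside it concedes the proper SKB_GSO_ value is missing, so a GSO skb leaves here with no tunnel gso_type set — presumably the segmentation side then cannot account for the outer IPv6 header; confirm with GSO traffic towards an IPv6 tunnel real server. Make the gap explicit rather than descriptive: `/* TODO: no SKB_GSO_ flag exists yet for IPv6-in-IPv6; 0 leaves GSO skbs without a tunnel gso_type */`. The widened `tx_error` labels in both functions depend on iptunnel_handle_offloads() having already freed the skb whenever it returns an ERR_PTR, which is not visible in this file; a comment at each label, `/* an ERR_PTR means the offload helper already consumed the skb */`, records that ownership rule for whoever adds the next goto. ip_vs_tunnel_xmit and ip_vs_tunnel_xmit_v6 both begin outside their hunks.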
......
...@@ -31,7 +31,7 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par) ...@@ -31,7 +31,7 @@ static int cgroup_mt_check(const struct xt_mtchk_param *par)
if (info->invert & ~1) if (info->invert & ~1)
return -EINVAL; return -EINVAL;
return info->id ? 0 : -EINVAL; return 0;
} }
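Review bot: With the unconditional `return 0;` the check now accepts `info->id == 0`, but nothing in the function says why 0 was previously refused or what matching on it means; a short comment keeps that decision readable: `/* id 0 is a legitimate classid to match on; only a malformed invert flag is rejected */`. Whether 0 denotes sockets that were never assigned a classid is not visible here — confirm against the net_cls code before wording the comment that way. The opening lines of cgroup_mt_check are outside the hunk.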
static bool static bool
......