
[00/27] Netfilter updates for net-next

Message ID 20190913113102.15776-1-pablo@netfilter.org
State Accepted
Delegated to: David Miller

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

Message

Pablo Neira Ayuso Sept. 13, 2019, 11:30 a.m. UTC
Hi,

The following patchset contains Netfilter updates for net-next:

1) Fix error path of nf_tables_updobj(), from Dan Carpenter.

2) Move large structure away from stack in the nf_tables offload
   infrastructure, from Arnd Bergmann.

3) Move indirect flow_block logic to nf_tables_offload.

4) Support for synproxy objects, from Fernando Fernandez Mancera.

5) Support for fwd and dup offload.

6) Add __nft_offload_get_chain() helper, this implicitly fixes missing
   mutex and check for offload flags in the indirect block support,
   patch from wenxu.

7) Remove rules on device unregistration, from wenxu. This includes
   two preparation patches to reuse nft_flow_offload_chain() and
   nft_flow_offload_rule().

Large batch from Jeremy Sowden to make a second pass to the
CONFIG_HEADER_TEST support and a bit of housekeeping:

8) Missing include guard in conntrack label header, from Jeremy Sowden.

9) A few coding style errors: trailing whitespace, incorrect indent in
   Kconfig, and semicolons at the end of function definitions.

10) Remove unused ipt_init() and ip6t_init() declarations.

11) Inline xt_hashlimit, ebt_802_3 and xt_physdev headers. They are
    only used once.

12) Update include directive in several netfilter files.

13) Remove unused include/net/netfilter/ipv6/nf_conntrack_icmpv6.h.

14) Move nf_ip6_ext_hdr() to include/linux/netfilter_ipv6.h

15) Move several synproxy structure definitions to nf_synproxy.h

16) Move nf_bridge_frag_data structure to include/linux/netfilter_bridge.h

17) Clean up static inline definitions in nf_conntrack_ecache.h.

18) Replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...).

19) Missing inline function conditional definitions based on Kconfig
    preferences in synproxy and nf_conntrack_timeout.

20) Update br_nf_pre_routing_ipv6() definition.

21) Move conntrack code in linux/skbuff.h to nf_conntrack headers.

22) Several patches to remove superfluous CONFIG_NETFILTER and
    CONFIG_NF_CONNTRACK checks in headers, coming from the initial batch
    support for CONFIG_HEADER_TEST for netfilter.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks.

----------------------------------------------------------------

The following changes since commit 6703a605b5ab33502d7a327de880188013d7c377:

  Merge branch 'net-tls-small-TX-offload-optimizations' (2019-09-07 18:10:34 +0200)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to 0d32e7048d927418300b9f5415ca546e44621ef1:

  netfilter: conntrack: remove two unused functions from nf_conntrack_timestamp.h. (2019-09-13 12:48:09 +0200)

----------------------------------------------------------------
Arnd Bergmann (1):
      netfilter: nf_tables_offload: avoid excessive stack usage

Dan Carpenter (1):
      netfilter: nf_tables: Fix an Oops in nf_tables_updobj() error handling

Fernando Fernandez Mancera (1):
      netfilter: nft_synproxy: add synproxy stateful object support

Jeremy Sowden (18):
      netfilter: fix include guards.
      netfilter: fix coding-style errors.
      netfilter: ip_tables: remove unused function declarations.
      netfilter: inline xt_hashlimit, ebt_802_3 and xt_physdev headers
      netfilter: update include directives.
      netfilter: remove nf_conntrack_icmpv6.h header.
      netfilter: move inline nf_ip6_ext_hdr() function to a more appropriate header.
      netfilter: synproxy: move code between headers.
      netfilter: move nf_bridge_frag_data struct definition to a more appropriate header.
      netfilter: conntrack: use consistent style when defining inline functions
      netfilter: replace defined(CONFIG...) || defined(CONFIG...MODULE) with IS_ENABLED(CONFIG...).
      netfilter: conntrack: wrap two inline functions in config checks.
      netfilter: br_netfilter: update stub br_nf_pre_routing_ipv6 parameter to `void *priv`.
      netfilter: conntrack: move code to linux/nf_conntrack_common.h.
      netfilter: conntrack: remove CONFIG_NF_CONNTRACK check from nf_conntrack_acct.h.
      netfilter: remove CONFIG_NETFILTER checks from headers.
      netfilter: conntrack: remove CONFIG_NF_CONNTRACK checks from nf_conntrack_zones.h.
      netfilter: conntrack: remove two unused functions from nf_conntrack_timestamp.h.

Pablo Neira Ayuso (2):
      netfilter: nf_tables_offload: move indirect flow_block callback logic to core
      netfilter: nft_{fwd,dup}_netdev: add offload support

wenxu (4):
      netfilter: nf_tables_offload: add __nft_offload_get_chain function
      netfilter: nf_tables_offload: refactor the nft_flow_offload_chain function
      netfilter: nf_tables_offload: refactor the nft_flow_offload_rule function
      netfilter: nf_tables_offload: remove rules when the device unregisters

 include/linux/netfilter.h                        |   4 +-
 include/linux/netfilter/ipset/ip_set_getport.h   |   2 +-
 include/linux/netfilter/nf_conntrack_common.h    |  20 +++
 include/linux/netfilter/x_tables.h               |   8 +-
 include/linux/netfilter/xt_hashlimit.h           |  11 --
 include/linux/netfilter/xt_physdev.h             |   8 -
 include/linux/netfilter_arp/arp_tables.h         |   2 -
 include/linux/netfilter_bridge.h                 |   7 +
 include/linux/netfilter_bridge/ebt_802_3.h       |  12 --
 include/linux/netfilter_bridge/ebtables.h        |   3 +-
 include/linux/netfilter_ipv4/ip_tables.h         |   9 +-
 include/linux/netfilter_ipv6.h                   |  28 +++-
 include/linux/netfilter_ipv6/ip6_tables.h        |  20 +--
 include/linux/skbuff.h                           |  32 ++--
 include/net/netfilter/br_netfilter.h             |   4 +-
 include/net/netfilter/ipv6/nf_conntrack_icmpv6.h |  21 ---
 include/net/netfilter/nf_conntrack.h             |  25 +--
 include/net/netfilter/nf_conntrack_acct.h        |   4 +-
 include/net/netfilter/nf_conntrack_bridge.h      |  11 +-
 include/net/netfilter/nf_conntrack_core.h        |   8 +-
 include/net/netfilter/nf_conntrack_ecache.h      |  84 ++++++----
 include/net/netfilter/nf_conntrack_expect.h      |   2 +-
 include/net/netfilter/nf_conntrack_extend.h      |   2 +-
 include/net/netfilter/nf_conntrack_l4proto.h     |  16 +-
 include/net/netfilter/nf_conntrack_labels.h      |  11 +-
 include/net/netfilter/nf_conntrack_synproxy.h    |  41 +----
 include/net/netfilter/nf_conntrack_timeout.h     |   4 +
 include/net/netfilter/nf_conntrack_timestamp.h   |  16 --
 include/net/netfilter/nf_conntrack_tuple.h       |   4 +-
 include/net/netfilter/nf_conntrack_zones.h       |   6 +-
 include/net/netfilter/nf_dup_netdev.h            |   6 +
 include/net/netfilter/nf_flow_table.h            |   6 +-
 include/net/netfilter/nf_nat.h                   |  21 +--
 include/net/netfilter/nf_nat_masquerade.h        |   1 +
 include/net/netfilter/nf_queue.h                 |   4 -
 include/net/netfilter/nf_synproxy.h              |  44 +++++-
 include/net/netfilter/nf_tables.h                |   8 -
 include/net/netfilter/nf_tables_offload.h        |  10 +-
 include/uapi/linux/netfilter/nf_tables.h         |   3 +-
 net/bridge/netfilter/ebt_802_3.c                 |   8 +-
 net/bridge/netfilter/nf_conntrack_bridge.c       |  15 +-
 net/ipv4/netfilter/Kconfig                       |   8 +-
 net/ipv4/netfilter/Makefile                      |   2 +-
 net/ipv6/netfilter.c                             |   4 +-
 net/ipv6/netfilter/ip6t_ipv6header.c             |   4 +-
 net/ipv6/netfilter/nf_log_ipv6.c                 |   4 +-
 net/ipv6/netfilter/nf_socket_ipv6.c              |   1 -
 net/netfilter/Kconfig                            |   8 +-
 net/netfilter/Makefile                           |   2 +-
 net/netfilter/nf_conntrack_ecache.c              |   1 +
 net/netfilter/nf_conntrack_expect.c              |   2 +
 net/netfilter/nf_conntrack_helper.c              |   5 +-
 net/netfilter/nf_conntrack_proto_icmpv6.c        |   1 -
 net/netfilter/nf_conntrack_standalone.c          |   1 -
 net/netfilter/nf_conntrack_timeout.c             |   1 +
 net/netfilter/nf_dup_netdev.c                    |  21 +++
 net/netfilter/nf_flow_table_core.c               |   1 +
 net/netfilter/nf_nat_core.c                      |   6 +-
 net/netfilter/nf_tables_api.c                    |  25 +--
 net/netfilter/nf_tables_offload.c                | 186 ++++++++++++++++++-----
 net/netfilter/nft_dup_netdev.c                   |  12 ++
 net/netfilter/nft_flow_offload.c                 |   3 +-
 net/netfilter/nft_fwd_netdev.c                   |  12 ++
 net/netfilter/nft_synproxy.c                     | 143 ++++++++++++++---
 net/netfilter/xt_connlimit.c                     |   2 +
 net/netfilter/xt_hashlimit.c                     |   7 +-
 net/netfilter/xt_physdev.c                       |   5 +-
 net/sched/act_ct.c                               |   2 +-
 68 files changed, 603 insertions(+), 417 deletions(-)
 delete mode 100644 include/linux/netfilter/xt_hashlimit.h
 delete mode 100644 include/linux/netfilter/xt_physdev.h
 delete mode 100644 include/linux/netfilter_bridge/ebt_802_3.h
 delete mode 100644 include/net/netfilter/ipv6/nf_conntrack_icmpv6.h
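As an added example (not code from this pull request or from the kernel tree as submitted), the following stand-alone re-creation of the kconfig.h macro trick shows why the IS_ENABLED() form introduced in item 18 is equivalent to defined(CONFIG_X) || defined(CONFIG_X_MODULE) and why it can also gate ordinary C code; the CONFIG_DEMO_* symbols are constructed for the demonstration.

```c
/* Added example: re-creation of IS_BUILTIN()/IS_MODULE()/IS_ENABLED() as found
 * in the kernel's include/linux/kconfig.h, with constructed CONFIG_DEMO_*
 * symbols standing in for real Kconfig output. */
#include <stdio.h>

/* Simulated Kconfig result: one =y option, one =m option, one not set. */
#define CONFIG_DEMO_BUILTIN 1
#define CONFIG_DEMO_MOD_MODULE 1
/* CONFIG_DEMO_OFF is intentionally left undefined. */

/* If an option expands to 1, pasting gives __ARG_PLACEHOLDER_1, which becomes
 * "0," and shifts the literal 1 into the second-argument slot. If the option
 * is unset, the pasted token stays junk and the default (0 or y) is taken. */
#define __ARG_PLACEHOLDER_1 0,
#define __take_second_arg(__ignored, val, ...) val

#define __is_defined(x)              ___is_defined(x)
#define ___is_defined(val)           ____is_defined(__ARG_PLACEHOLDER_##val)
#define ____is_defined(arg1_or_junk) __take_second_arg(arg1_or_junk 1, 0)

#define __or(x, y)                   ___or(x, y)
#define ___or(x, y)                  ____or(__ARG_PLACEHOLDER_##x, y)
#define ____or(arg1_or_junk, y)      __take_second_arg(arg1_or_junk 1, y)

#define IS_BUILTIN(option) __is_defined(option)
#define IS_MODULE(option)  __is_defined(option##_MODULE)
#define IS_ENABLED(option) __or(IS_BUILTIN(option), IS_MODULE(option))

/* Each helper returns the macro's compile-time result as a runtime value. */
int demo_builtin_enabled(void)   { return IS_ENABLED(CONFIG_DEMO_BUILTIN); }
int demo_builtin_is_module(void) { return IS_MODULE(CONFIG_DEMO_BUILTIN); }
int demo_mod_enabled(void)       { return IS_ENABLED(CONFIG_DEMO_MOD); }
int demo_mod_is_builtin(void)    { return IS_BUILTIN(CONFIG_DEMO_MOD); }
int demo_off_enabled(void)       { return IS_ENABLED(CONFIG_DEMO_OFF); }

/* Unlike defined(), which only works inside #if, IS_ENABLED() is an integer
 * constant expression: the disabled branch is still type-checked by the
 * compiler and then removed as dead code. */
int demo_off_path(void)
{
	if (IS_ENABLED(CONFIG_DEMO_OFF))
		return 42;  /* compiled, never reached */
	return 0;
}

int main(void)
{
	printf("BUILTIN=%d MOD=%d OFF=%d\n", demo_builtin_enabled(),
	       demo_mod_enabled(), demo_off_enabled());
	return 0;
}
```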

Comments

David Miller Sept. 13, 2019, 1:40 p.m. UTC | #1
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 13 Sep 2019 13:30:35 +0200

> The following patchset contains Netfilter updates for net-next:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Looks good, pulled.