pm24.git/include/net/netfilter, branch v4.16

netfilter: nf_tables: cache device name in flowtable object

2018-03-22T11:57:07Z

Devices going away have to grab the nfnl_lock from the netdev event path to avoid races with control plane updates. However, netlink dumps in netfilter do not hold nfnl_lock mutex. Cache the device name into the objects to avoid an use-after-free situation for a device that is going away. Signed-off-by: Pablo Neira Ayuso

netfilter: nf_flow_offload: fix use-after-free and a resource leak

2018-02-07T10:55:52Z

flow_offload_del frees the flow, so all associated resource must be freed before. Since the ct entry in struct flow_offload_entry was allocated by flow_offload_alloc, it should be freed by flow_offload_free to take care of the error handling path when flow_offload_add fails. While at it, make flow_offload_del static, since it should never be called directly, only from the gc step Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso

netfilter: remove useless prototype

2018-02-07T10:54:52Z

prototype nf_ct_nat_offset is not used anymore. Signed-off-by: Taehee Yoo

netfilter: nf_tables: fix flowtable free

2018-02-06T23:58:57Z

Every flow_offload entry is added into the table twice. Because of this, rhashtable_free_and_destroy can't be used, since it would call kfree for each flow_offload object twice. This patch cleans up the flowtable via nf_flow_table_iterate() to schedule removal of entries by setting on the dying bit, then there is an explicitly invocation of the garbage collector to release resources. Based on patch from Felix Fietkau. Signed-off-by: Pablo Neira Ayuso

netfilter: nft_flow_offload: move flowtable cleanup routines to nf_flow_table

2018-02-06T23:58:57Z

Move the flowtable cleanup routines to nf_flow_table and expose the nf_flow_table_cleanup() helper function. Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: allocate handle and delete objects via handle

2018-01-19T13:00:46Z

This patch allows deletion of objects via unique handle which can be listed via '-a' option. Signed-off-by: Harsha Sharma Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: get rid of struct nft_af_info abstraction

2018-01-10T14:32:11Z

Remove the infrastructure to register/unregister nft_af_info structure, this structure stores no useful information anymore. Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: get rid of pernet families

2018-01-10T14:32:10Z

Now that we have a single table list for each netns, we can get rid of one pointer per family and the global afinfo list, thus, shrinking struct netns for nftables that now becomes 64 bytes smaller. And call __nft_release_afinfo() from __net_exit path accordingly to release netnamespace objects on removal. Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: add single table list for all families

2018-01-10T14:32:08Z

Place all existing user defined tables in struct net *, instead of having one list per family. This saves us from one level of indentation in netlink dump functions. Place pointer to struct nft_af_info in struct nft_table temporarily, as we still need this to put back reference module reference counter on table removal. This patch comes in preparation for the removal of struct nft_af_info. Signed-off-by: Pablo Neira Ayuso

netfilter: nf_tables: remove flag field from struct nft_af_info

2018-01-10T14:32:05Z

Replace it by a direct check for the netdev protocol family. Signed-off-by: Pablo Neira Ayuso