github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-30 01:53:29 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

netfilter pull request nf-next-26-04-08

Browse Source 
-----BEGIN PGP SIGNATURE-----
 
 iQJdBAABCABHFiEEgKkgxbID4Gn1hq6fcJGo2a1f9gAFAmnV7OUbFIAAAAAABAAO
 bWFudTIsMi41KzEuMTEsMiwyDRxmd0BzdHJsZW4uZGUACgkQcJGo2a1f9gAyNRAA
 o6N4+o7gtMXGllbJnfONv/iuteS1h2u9aP0aXDGWYXnDu4xvMX4gcvZDSXqd8CLp
 XfHCYqOl18rqqMDvFk7xkR3kuS1w/rVwx7ApkofgkL3r0v2eRyTukhX/zpW/qsOk
 39i92odhHLnFea2RSTGrthrIkdjG7Q1JXpC69ZR1Ogomarabe7KTWIdBWrquqGOk
 mJxRXEvfLhI7onOt6VCswbpDt3QsKqIkzC/xygQHzdDXC2EnlsK964chN5umUq6I
 5prDzZOWxxI3IJmWS3EfKy+2jHZrBCzZ4fQ1x6tnnWpdoeBXQYuJKPkmAC/KR3a9
 OkFP0NNTewJeVd3wDe8yOoS+mVsAWtcIREoNQeTsPRk7L1Sw470sN4eAfdeHen3c
 icJcYkrTsW5s9cwvwyavJYSiAK+wwaZ8MOGzd4W+vrNb35b8qlHSCopDgMQZGOyp
 +H72J/703R3a1bUZbN8dYbx4XzzXLRQIEnbF81Vy9jJDIt0hYoivy1js6mv/uqal
 //nLIfhSQD5dCw4Dotsy+iKjpkMue4hMadMqBckyv0bUrQ63t3JV3tjp5WTRXp8N
 cqY3K2U6OvKJK9ov1+4HSmWRnF4b24kS0pQwzyXYjxBALN31gNa2ZirgSgCgtLWG
 RrH4c3LHPNwWWjFXhYobuA0BriQgBsVDnO2uQYxyyKY=
 =T6NA
 -----END PGP SIGNATURE-----

Merge tag 'nf-next-26-04-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Florian Westphal says:

====================
netfilter: updates for net-next

1) Fix ancient sparse warnings in nf conntrack nat modules, from
   Sun Jian.

2) Fix typo in enum description, from Jelle van der Waa.

3) remove redundant refetch of netns pointer in nf_conntrack_sip.

4) add a deprecation warning for dccp match.
   We can extend the deadline later if needed, but plan atm is to
   remove the feature.

5) remove nf_conntrack_h323 debug code that can read out-of-bounds
   with malformed messages. This code was commented out, but better
   remove this.

6+7) add more netlink policy validations in netfilter.
   This could theoretically cause issues when a client sends e.g.
   unsupported feature flags that were previously ignored, so we
   may have to relax some changes. For now, try to be stricter and
   reject upfront.

8+9) minor code cleanup in nft_set_pipapo (an nftables set backend).

10) Add nftables matching support fro double-tagged vlan and pppoe
    frames, from Pablo Neira Ayuso.

11) Fix up indentation of debug messages in nf_conntrack_h323 conntrack
    helper, from David Laight.

12) Add a helper to iterate to next flow action and bail out if the
    maximum number of actions is reached, also from Pablo.

* tag 'nf-next-26-04-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
  netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it
  netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE defined
  netfilter: nft_meta: add double-tagged vlan and pppoe support
  netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow
  netfilter: nft_set_pipapo: increment data in one step
  netfilter: nf_tables: add netlink policy based cap on registers
  netfilter: add more netlink-based policy range checks
  netfilter: nf_conntrack_h323: remove unreliable debug code in decode_octstr
  netfilter: add deprecation warning for dccp support
  netfilter: nf_conntrack_sip: remove net variable shadowing
  netfilter: nf_tables: Fix typo in enum description
  netfilter: use function typedefs for __rcu NAT helper hook pointers
====================

Link: https://patch.msgid.link/20260408060419.25258-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
This commit is contained in:
Jakub Kicinski 2026-04-08 18:58:08 -07:00
commit 1795654f00
59 changed files with 262 additions and 191 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
include/linux/netfilter/nf_conntrack_amanda.h
View File

@ -7,10 +7,13 @@
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack_expect.h>
extern unsigned int (__rcu *nf_nat_amanda_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
typedef unsigned int
nf_nat_amanda_hook_fn(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
extern nf_nat_amanda_hook_fn __rcu *nf_nat_amanda_hook;
#endif /* _NF_CONNTRACK_AMANDA_H */

17
include/linux/netfilter/nf_conntrack_ftp.h
View File

@ -26,11 +26,14 @@ struct nf_ct_ftp_master {
/* For NAT to hook in when we find a packet which describes what other
* connection we should expect. */
extern unsigned int (__rcu *nf_nat_ftp_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
enum nf_ct_ftp_type type,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
typedef unsigned int
nf_nat_ftp_hook_fn(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
enum nf_ct_ftp_type type,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
extern nf_nat_ftp_hook_fn __rcu *nf_nat_ftp_hook;
#endif /* _NF_CONNTRACK_FTP_H */

15
include/linux/netfilter/nf_conntrack_irc.h
View File

@ -8,11 +8,14 @@
#define IRC_PORT 6667
extern unsigned int (__rcu *nf_nat_irc_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
typedef unsigned int
nf_nat_irc_hook_fn(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
extern nf_nat_irc_hook_fn __rcu *nf_nat_irc_hook;
#endif /* _NF_CONNTRACK_IRC_H */

11
include/linux/netfilter/nf_conntrack_snmp.h
View File

@ -5,9 +5,12 @@
#include <linux/netfilter.h>
#include <linux/skbuff.h>
extern int (__rcu *nf_nat_snmp_hook)(struct sk_buff *skb,
unsigned int protoff,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo);
typedef int
nf_nat_snmp_hook_fn(struct sk_buff *skb,
unsigned int protoff,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo);
extern nf_nat_snmp_hook_fn __rcu *nf_nat_snmp_hook;
#endif /* _NF_CONNTRACK_SNMP_H */

9
include/linux/netfilter/nf_conntrack_tftp.h
View File

@ -19,8 +19,11 @@ struct tftphdr {
#define TFTP_OPCODE_ACK 4
#define TFTP_OPCODE_ERROR 5
extern unsigned int (__rcu *nf_nat_tftp_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
struct nf_conntrack_expect *exp);
typedef unsigned int
nf_nat_tftp_hook_fn(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
struct nf_conntrack_expect *exp);
extern nf_nat_tftp_hook_fn __rcu *nf_nat_tftp_hook;
#endif /* _NF_CONNTRACK_TFTP_H */

4
include/net/netfilter/nf_tables.h
View File

@ -31,7 +31,9 @@ struct nft_pktinfo {
const struct nf_hook_state *state;
u8 flags;
u8 tprot;
__be16 ethertype;
u16 fragoff;
u16 nhoff;
u16 thoff;
u16 inneroff;
};
@ -83,6 +85,8 @@ static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt)
{
pkt->flags = 0;
pkt->tprot = 0;
pkt->ethertype = pkt->skb->protocol;
pkt->nhoff = 0;
pkt->thoff = 0;
pkt->fragoff = 0;
}

17
include/net/netfilter/nf_tables_ipv4.h
View File

@ -12,16 +12,19 @@ static inline void nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt)
ip = ip_hdr(pkt->skb);
pkt->flags = NFT_PKTINFO_L4PROTO;
pkt->tprot = ip->protocol;
pkt->ethertype = pkt->skb->protocol;
pkt->nhoff = 0;
pkt->thoff = ip_hdrlen(pkt->skb);
pkt->fragoff = ntohs(ip->frag_off) & IP_OFFSET;
}
static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
int nhoff)
{
struct iphdr *iph, _iph;
u32 len, thoff, skb_len;
iph = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb),
iph = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb) + nhoff,
sizeof(*iph), &_iph);
if (!iph)
return -1;
@ -31,7 +34,7 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
len = iph_totlen(pkt->skb, iph);
thoff = iph->ihl * 4;
skb_len = pkt->skb->len - skb_network_offset(pkt->skb);
skb_len = pkt->skb->len - skb_network_offset(pkt->skb) - nhoff;
if (skb_len < len)
return -1;
@ -42,7 +45,9 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
pkt->flags = NFT_PKTINFO_L4PROTO;
pkt->tprot = iph->protocol;
pkt->thoff = skb_network_offset(pkt->skb) + thoff;
pkt->ethertype = pkt->skb->protocol;
pkt->nhoff = nhoff;
pkt->thoff = skb_network_offset(pkt->skb) + nhoff + thoff;
pkt->fragoff = ntohs(iph->frag_off) & IP_OFFSET;
return 0;
@ -50,7 +55,7 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
static inline void nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
{
if (__nft_set_pktinfo_ipv4_validate(pkt) < 0)
if (__nft_set_pktinfo_ipv4_validate(pkt, 0) < 0)
nft_set_pktinfo_unspec(pkt);
}
@ -78,6 +83,8 @@ static inline int nft_set_pktinfo_ipv4_ingress(struct nft_pktinfo *pkt)
}
pkt->flags = NFT_PKTINFO_L4PROTO;
pkt->ethertype = pkt->skb->protocol;
pkt->nhoff = 0;
pkt->tprot = iph->protocol;
pkt->thoff = thoff;
pkt->fragoff = ntohs(iph->frag_off) & IP_OFFSET;

16
include/net/netfilter/nf_tables_ipv6.h
View File

@ -20,21 +20,23 @@ static inline void nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt)
pkt->flags = NFT_PKTINFO_L4PROTO;
pkt->tprot = protohdr;
pkt->ethertype = pkt->skb->protocol;
pkt->nhoff = 0;
pkt->thoff = thoff;
pkt->fragoff = frag_off;
}
static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt, int nhoff)
{
#if IS_ENABLED(CONFIG_IPV6)
unsigned int flags = IP6_FH_F_AUTH;
struct ipv6hdr *ip6h, _ip6h;
unsigned int thoff = 0;
unsigned int thoff = nhoff;
unsigned short frag_off;
u32 pkt_len, skb_len;
int protohdr;
ip6h = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb),
ip6h = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb) + nhoff,
sizeof(*ip6h), &_ip6h);
if (!ip6h)
return -1;
@ -43,7 +45,7 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
return -1;
pkt_len = ipv6_payload_len(pkt->skb, ip6h);
skb_len = pkt->skb->len - skb_network_offset(pkt->skb);
skb_len = pkt->skb->len - skb_network_offset(pkt->skb) - nhoff;
if (pkt_len + sizeof(*ip6h) > skb_len)
return -1;
@ -53,6 +55,8 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
pkt->flags = NFT_PKTINFO_L4PROTO;
pkt->tprot = protohdr;
pkt->ethertype = pkt->skb->protocol;
pkt->nhoff = nhoff;
pkt->thoff = thoff;
pkt->fragoff = frag_off;
@ -64,7 +68,7 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
{
if (__nft_set_pktinfo_ipv6_validate(pkt) < 0)
if (__nft_set_pktinfo_ipv6_validate(pkt, 0) < 0)
nft_set_pktinfo_unspec(pkt);
}
@ -99,6 +103,8 @@ static inline int nft_set_pktinfo_ipv6_ingress(struct nft_pktinfo *pkt)
pkt->flags = NFT_PKTINFO_L4PROTO;
pkt->tprot = protohdr;
pkt->ethertype = pkt->skb->protocol;
pkt->nhoff = 0;
pkt->thoff = thoff;
pkt->fragoff = frag_off;

10
include/net/netfilter/nf_tables_offload.h
View File

@ -67,6 +67,16 @@ struct nft_flow_rule {
struct flow_rule *rule;
};
static inline struct flow_action_entry *
nft_flow_action_entry_next(struct nft_offload_ctx *ctx,
struct nft_flow_rule *flow)
{
if (unlikely(ctx->num_actions >= flow->rule->action.num_entries))
return NULL;
return &flow->rule->action.entries[ctx->num_actions++];
}
void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
enum flow_dissector_key_id addr_type);

6
include/uapi/linux/netfilter/nf_tables.h
View File

@ -46,6 +46,10 @@ enum nft_registers {
};
#define NFT_REG_MAX (__NFT_REG_MAX - 1)
#ifdef __KERNEL__
#define NFT_REG32_MAX NFT_REG32_15
#endif
#define NFT_REG_SIZE 16
#define NFT_REG32_SIZE 4
#define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1)
@ -884,7 +888,7 @@ enum nft_exthdr_flags {
* @NFT_EXTHDR_OP_TCPOPT: match against tcp options
* @NFT_EXTHDR_OP_IPV4: match against ipv4 options
* @NFT_EXTHDR_OP_SCTP: match against sctp chunks
* @NFT_EXTHDR_OP_DCCP: match against dccp otions
* @NFT_EXTHDR_OP_DCCP: match against dccp options
*/
enum nft_exthdr_op {
NFT_EXTHDR_OP_IPV6,

2
net/netfilter/ipset/ip_set_core.c
View File

@ -985,7 +985,7 @@ static const struct nla_policy ip_set_create_policy[IPSET_ATTR_CMD_MAX + 1] = {
.len = IPSET_MAXNAMELEN - 1 },
[IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
.len = IPSET_MAXNAMELEN - 1},
[IPSET_ATTR_REVISION] = { .type = NLA_U8 },
[IPSET_ATTR_REVISION] = NLA_POLICY_MAX(NLA_U8, IPSET_REVISION_MAX),
[IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
[IPSET_ATTR_DATA] = { .type = NLA_NESTED },
};

10
net/netfilter/nf_conntrack_amanda.c
View File

@ -37,13 +37,7 @@ MODULE_PARM_DESC(master_timeout, "timeout for the master connection");
module_param(ts_algo, charp, 0400);
MODULE_PARM_DESC(ts_algo, "textsearch algorithm to use (default kmp)");
unsigned int (__rcu *nf_nat_amanda_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp)
__read_mostly;
nf_nat_amanda_hook_fn __rcu *nf_nat_amanda_hook __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_amanda_hook);
enum amanda_strings {
@ -98,7 +92,7 @@ static int amanda_help(struct sk_buff *skb,
u_int16_t len;
__be16 port;
int ret = NF_ACCEPT;
typeof(nf_nat_amanda_hook) nf_nat_amanda;
nf_nat_amanda_hook_fn *nf_nat_amanda;
/* Only look at packets from the Amanda server */
if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)

10
net/netfilter/nf_conntrack_ftp.c
View File

@ -43,13 +43,7 @@ module_param_array(ports, ushort, &ports_c, 0400);
static bool loose;
module_param(loose, bool, 0600);
unsigned int (__rcu *nf_nat_ftp_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
enum nf_ct_ftp_type type,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp);
nf_nat_ftp_hook_fn __rcu *nf_nat_ftp_hook;
EXPORT_SYMBOL_GPL(nf_nat_ftp_hook);
static int try_rfc959(const char *, size_t, struct nf_conntrack_man *,
@ -385,7 +379,7 @@ static int help(struct sk_buff *skb,
struct nf_conntrack_man cmd = {};
unsigned int i;
int found = 0, ends_in_nl;
typeof(nf_nat_ftp_hook) nf_nat_ftp;
nf_nat_ftp_hook_fn *nf_nat_ftp;
/* Until there's been traffic both ways, don't look in packets. */
if (ctinfo != IP_CT_ESTABLISHED &&

45
net/netfilter/nf_conntrack_h323_asn1.c
View File

@ -21,7 +21,6 @@
#if H323_TRACE
#define TAB_SIZE 4
#define IFTHEN(cond, act) if(cond){act;}
#ifdef __KERNEL__
#define PRINT printk
#else
@ -29,7 +28,6 @@
#endif
#define FNAME(name) name,
#else
#define IFTHEN(cond, act)
#define PRINT(fmt, args...)
#define FNAME(name)
#endif
@ -276,7 +274,7 @@ static unsigned int get_uint(struct bitstr *bs, int b)
static int decode_nul(struct bitstr *bs, const struct field_t *f,
char *base, int level)
{
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
return H323_ERROR_NONE;
}
@ -284,7 +282,7 @@ static int decode_nul(struct bitstr *bs, const struct field_t *f,
static int decode_bool(struct bitstr *bs, const struct field_t *f,
char *base, int level)
{
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
INC_BIT(bs);
if (nf_h323_error_boundary(bs, 0, 0))
@ -297,7 +295,7 @@ static int decode_oid(struct bitstr *bs, const struct field_t *f,
{
int len;
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
BYTE_ALIGN(bs);
if (nf_h323_error_boundary(bs, 1, 0))
@ -316,7 +314,7 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
{
unsigned int len;
PRINT("%*.s%s", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s", level * TAB_SIZE, " ", f->name);
switch (f->sz) {
case BYTE: /* Range == 256 */
@ -363,7 +361,7 @@ static int decode_int(struct bitstr *bs, const struct field_t *f,
static int decode_enum(struct bitstr *bs, const struct field_t *f,
char *base, int level)
{
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
if ((f->attr & EXT) && get_bit(bs)) {
INC_BITS(bs, 7);
@ -381,7 +379,7 @@ static int decode_bitstr(struct bitstr *bs, const struct field_t *f,
{
unsigned int len;
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
BYTE_ALIGN(bs);
switch (f->sz) {
@ -417,7 +415,7 @@ static int decode_numstr(struct bitstr *bs, const struct field_t *f,
{
unsigned int len;
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
/* 2 <= Range <= 255 */
if (nf_h323_error_boundary(bs, 0, f->sz))
@ -437,7 +435,7 @@ static int decode_octstr(struct bitstr *bs, const struct field_t *f,
{
unsigned int len;
PRINT("%*.s%s", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s", level * TAB_SIZE, " ", f->name);
switch (f->sz) {
case FIXD: /* Range == 1 */
@ -445,11 +443,6 @@ static int decode_octstr(struct bitstr *bs, const struct field_t *f,
BYTE_ALIGN(bs);
if (base && (f->attr & DECODE)) {
/* The IP Address */
IFTHEN(f->lb == 4,
PRINT(" = %d.%d.%d.%d:%d",
bs->cur[0], bs->cur[1],
bs->cur[2], bs->cur[3],
bs->cur[4] * 256 + bs->cur[5]));
*((unsigned int *)(base + f->offset)) =
bs->cur - bs->buf;
}
@ -490,7 +483,7 @@ static int decode_bmpstr(struct bitstr *bs, const struct field_t *f,
{
unsigned int len;
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
switch (f->sz) {
case BYTE: /* Range == 256 */
@ -522,7 +515,7 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
const struct field_t *son;
unsigned char *beg = NULL;
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
/* Decode? */
base = (base && (f->attr & DECODE)) ? base + f->offset : NULL;
@ -544,7 +537,7 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
/* Decode the root components */
for (i = opt = 0, son = f->fields; i < f->lb; i++, son++) {
if (son->attr & STOP) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ",
son->name);
return H323_ERROR_STOP;
}
@ -562,7 +555,7 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
if (nf_h323_error_boundary(bs, len, 0))
return H323_ERROR_BOUND;
if (!base || !(son->attr & DECODE)) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
PRINT("%*s%s\n", (level + 1) * TAB_SIZE,
" ", son->name);
bs->cur += len;
continue;
@ -615,7 +608,7 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
}
if (son->attr & STOP) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ",
son->name);
return H323_ERROR_STOP;
}
@ -629,7 +622,7 @@ static int decode_seq(struct bitstr *bs, const struct field_t *f,
if (nf_h323_error_boundary(bs, len, 0))
return H323_ERROR_BOUND;
if (!base || !(son->attr & DECODE)) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ",
son->name);
bs->cur += len;
continue;
@ -655,7 +648,7 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f,
const struct field_t *son;
unsigned char *beg = NULL;
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
/* Decode? */
base = (base && (f->attr & DECODE)) ? base + f->offset : NULL;
@ -710,7 +703,7 @@ static int decode_seqof(struct bitstr *bs, const struct field_t *f,
if (nf_h323_error_boundary(bs, len, 0))
return H323_ERROR_BOUND;
if (!base || !(son->attr & DECODE)) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE,
PRINT("%*s%s\n", (level + 1) * TAB_SIZE,
" ", son->name);
bs->cur += len;
continue;
@ -751,7 +744,7 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f,
const struct field_t *son;
unsigned char *beg = NULL;
PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name);
PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name);
/* Decode? */
base = (base && (f->attr & DECODE)) ? base + f->offset : NULL;
@ -792,7 +785,7 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f,
/* Transfer to son level */
son = &f->fields[type];
if (son->attr & STOP) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", son->name);
PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ", son->name);
return H323_ERROR_STOP;
}
@ -804,7 +797,7 @@ static int decode_choice(struct bitstr *bs, const struct field_t *f,
if (nf_h323_error_boundary(bs, len, 0))
return H323_ERROR_BOUND;
if (!base || !(son->attr & DECODE)) {
PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ",
PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ",
son->name);
bs->cur += len;
return H323_ERROR_NONE;

10
net/netfilter/nf_conntrack_irc.c
View File

@ -30,13 +30,7 @@ static unsigned int dcc_timeout __read_mostly = 300;
static char *irc_buffer;
static DEFINE_SPINLOCK(irc_buffer_lock);
unsigned int (__rcu *nf_nat_irc_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
unsigned int protoff,
unsigned int matchoff,
unsigned int matchlen,
struct nf_conntrack_expect *exp)
__read_mostly;
nf_nat_irc_hook_fn __rcu *nf_nat_irc_hook __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_irc_hook);
#define HELPER_NAME "irc"
@ -122,7 +116,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
__be16 port;
int i, ret = NF_ACCEPT;
char *addr_beg_p, *addr_end_p;
typeof(nf_nat_irc_hook) nf_nat_irc;
nf_nat_irc_hook_fn *nf_nat_irc;
unsigned int datalen;
/* If packet is coming from IRC server */

3
net/netfilter/nf_conntrack_sip.c
View File

@ -869,9 +869,8 @@ static int set_expected_rtp_rtcp(struct sk_buff *skb, unsigned int protoff,
saddr = &ct->tuplehash[!dir].tuple.src.u3;
} else if (sip_external_media) {
struct net_device *dev = skb_dst(skb)->dev;
struct net *net = dev_net(dev);
struct flowi fl;
struct dst_entry *dst = NULL;
struct flowi fl;
memset(&fl, 0, sizeof(fl));

7
net/netfilter/nf_conntrack_snmp.c
View File

@ -25,17 +25,14 @@ static unsigned int timeout __read_mostly = 30;
module_param(timeout, uint, 0400);
MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
int (__rcu *nf_nat_snmp_hook)(struct sk_buff *skb,
unsigned int protoff,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo);
nf_nat_snmp_hook_fn __rcu *nf_nat_snmp_hook;
EXPORT_SYMBOL_GPL(nf_nat_snmp_hook);
static int snmp_conntrack_help(struct sk_buff *skb, unsigned int protoff,
struct nf_conn *ct,
enum ip_conntrack_info ctinfo)
{
typeof(nf_nat_snmp_hook) nf_nat_snmp;
nf_nat_snmp_hook_fn *nf_nat_snmp;
nf_conntrack_broadcast_help(skb, ct, ctinfo, timeout);

7
net/netfilter/nf_conntrack_tftp.c
View File

@ -32,10 +32,7 @@ static unsigned int ports_c;
module_param_array(ports, ushort, &ports_c, 0400);
MODULE_PARM_DESC(ports, "Port numbers of TFTP servers");
unsigned int (__rcu *nf_nat_tftp_hook)(struct sk_buff *skb,
enum ip_conntrack_info ctinfo,
struct nf_conntrack_expect *exp)
__read_mostly;
nf_nat_tftp_hook_fn __rcu *nf_nat_tftp_hook __read_mostly;
EXPORT_SYMBOL_GPL(nf_nat_tftp_hook);
static int tftp_help(struct sk_buff *skb,
@ -48,7 +45,7 @@ static int tftp_help(struct sk_buff *skb,
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple *tuple;
unsigned int ret = NF_ACCEPT;
typeof(nf_nat_tftp_hook) nf_nat_tftp;
nf_nat_tftp_hook_fn *nf_nat_tftp;
tfh = skb_header_pointer(skb, protoff + sizeof(struct udphdr),
sizeof(_tftph), &_tftph);

5
net/netfilter/nf_dup_netdev.c
View File

@ -95,7 +95,10 @@ int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx,
if (!dev)
return -EOPNOTSUPP;
entry = &flow->rule->action.entries[ctx->num_actions++];
entry = nft_flow_action_entry_next(ctx, flow);
if (!entry)
return -E2BIG;
entry->id = id;
entry->dev = dev;

20
net/netfilter/nf_tables_api.c
View File

@ -1112,7 +1112,7 @@ static __be16 nft_base_seq_be16(const struct net *net)
static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
[NFTA_TABLE_NAME] = { .type = NLA_STRING,
.len = NFT_TABLE_MAXNAMELEN - 1 },
[NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
[NFTA_TABLE_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_TABLE_F_MASK),
[NFTA_TABLE_HANDLE] = { .type = NLA_U64 },
[NFTA_TABLE_USERDATA] = { .type = NLA_BINARY,
.len = NFT_USERDATA_MAXLEN }
@ -1878,7 +1878,7 @@ static const struct nla_policy nft_chain_policy[NFTA_CHAIN_MAX + 1] = {
[NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
.len = NFT_MODULE_AUTOLOAD_LIMIT },
[NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
[NFTA_CHAIN_FLAGS] = { .type = NLA_U32 },
[NFTA_CHAIN_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_CHAIN_FLAGS),
[NFTA_CHAIN_ID] = { .type = NLA_U32 },
[NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY,
.len = NFT_USERDATA_MAXLEN },
@ -4597,7 +4597,16 @@ static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
.len = NFT_TABLE_MAXNAMELEN - 1 },
[NFTA_SET_NAME] = { .type = NLA_STRING,
.len = NFT_SET_MAXNAMELEN - 1 },
[NFTA_SET_FLAGS] = { .type = NLA_U32 },
[NFTA_SET_FLAGS] = NLA_POLICY_MASK(NLA_BE32,
NFT_SET_ANONYMOUS |
NFT_SET_CONSTANT |
NFT_SET_INTERVAL |
NFT_SET_MAP |
NFT_SET_TIMEOUT |
NFT_SET_EVAL |
NFT_SET_OBJECT |
NFT_SET_CONCAT |
NFT_SET_EXPR),
[NFTA_SET_KEY_TYPE] = { .type = NLA_U32 },
[NFTA_SET_KEY_LEN] = { .type = NLA_U32 },
[NFTA_SET_DATA_TYPE] = { .type = NLA_U32 },
@ -5929,7 +5938,8 @@ const struct nft_set_ext_type nft_set_ext_types[] = {
static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = {
[NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED },
[NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED },
[NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 },
[NFTA_SET_ELEM_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_SET_ELEM_INTERVAL_END |
NFT_SET_ELEM_CATCHALL),
[NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 },
[NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 },
[NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
@ -8649,7 +8659,7 @@ static const struct nla_policy nft_flowtable_policy[NFTA_FLOWTABLE_MAX + 1] = {
.len = NFT_NAME_MAXLEN - 1 },
[NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED },
[NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 },
[NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 },
[NFTA_FLOWTABLE_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_FLOWTABLE_MASK),
};
struct nft_flowtable *nft_flowtable_lookup(const struct net *net,

2
net/netfilter/nf_tables_core.c
View File

@ -151,7 +151,7 @@ static bool nft_payload_fast_eval(const struct nft_expr *expr,
unsigned char *ptr;
if (priv->base == NFT_PAYLOAD_NETWORK_HEADER)
ptr = skb_network_header(skb);
ptr = skb_network_header(skb) + pkt->nhoff;
else {
if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
return false;

2
net/netfilter/nfnetlink_acct.c
View File

@ -373,7 +373,7 @@ static const struct nla_policy nfnl_acct_policy[NFACCT_MAX+1] = {
[NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 },
[NFACCT_BYTES] = { .type = NLA_U64 },
[NFACCT_PKTS] = { .type = NLA_U64 },
[NFACCT_FLAGS] = { .type = NLA_U32 },
[NFACCT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFACCT_F_QUOTA),
[NFACCT_QUOTA] = { .type = NLA_U64 },
[NFACCT_FILTER] = {.type = NLA_NESTED },
};

2
net/netfilter/nfnetlink_cthelper.c
View File

@ -165,7 +165,7 @@ nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy,
static const struct nla_policy
nfnl_cthelper_expect_policy_set[NFCTH_POLICY_SET_MAX+1] = {
[NFCTH_POLICY_SET_NUM] = { .type = NLA_U32, },
[NFCTH_POLICY_SET_NUM] = NLA_POLICY_MAX(NLA_BE32, NF_CT_MAX_EXPECT_CLASSES),
};
static int

2
net/netfilter/nfnetlink_hook.c
View File

@ -24,7 +24,7 @@
#include <net/sock.h>
static const struct nla_policy nfnl_hook_nla_policy[NFNLA_HOOK_MAX + 1] = {
[NFNLA_HOOK_HOOKNUM] = { .type = NLA_U32 },
[NFNLA_HOOK_HOOKNUM] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFNLA_HOOK_PRIORITY] = { .type = NLA_U32 },
[NFNLA_HOOK_DEV] = { .type = NLA_STRING,
.len = IFNAMSIZ - 1 },

4
net/netfilter/nfnetlink_log.c
View File

@ -879,7 +879,9 @@ static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = {
[NFULA_CFG_TIMEOUT] = { .type = NLA_U32 },
[NFULA_CFG_QTHRESH] = { .type = NLA_U32 },
[NFULA_CFG_NLBUFSIZ] = { .type = NLA_U32 },
[NFULA_CFG_FLAGS] = { .type = NLA_U16 },
[NFULA_CFG_FLAGS] = NLA_POLICY_MASK(NLA_BE16, NFULNL_CFG_F_SEQ |
NFULNL_CFG_F_SEQ_GLOBAL |
NFULNL_CFG_F_CONNTRACK),
};
static int nfulnl_recv_config(struct sk_buff *skb, const struct nfnl_info *info,

2
net/netfilter/nfnetlink_osf.c
View File

@ -293,7 +293,7 @@ bool nf_osf_find(const struct sk_buff *skb,
EXPORT_SYMBOL_GPL(nf_osf_find);
static const struct nla_policy nfnl_osf_policy[OSF_ATTR_MAX + 1] = {
[OSF_ATTR_FINGER] = { .len = sizeof(struct nf_osf_user_finger) },
[OSF_ATTR_FINGER] = NLA_POLICY_EXACT_LEN(sizeof(struct nf_osf_user_finger)),
};
static int nfnl_osf_add_callback(struct sk_buff *skb,

2
net/netfilter/nfnetlink_queue.c
View File

@ -1599,7 +1599,7 @@ static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = {
[NFQA_CFG_PARAMS] = { .len = sizeof(struct nfqnl_msg_config_params) },
[NFQA_CFG_QUEUE_MAXLEN] = { .type = NLA_U32 },
[NFQA_CFG_MASK] = { .type = NLA_U32 },
[NFQA_CFG_FLAGS] = { .type = NLA_U32 },
[NFQA_CFG_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFQA_CFG_F_MAX - 1),
};
static const struct nf_queue_handler nfqh = {

6
net/netfilter/nft_bitwise.c
View File

@ -125,9 +125,9 @@ void nft_bitwise_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_bitwise_policy[NFTA_BITWISE_MAX + 1] = {
[NFTA_BITWISE_SREG] = { .type = NLA_U32 },
[NFTA_BITWISE_SREG2] = { .type = NLA_U32 },
[NFTA_BITWISE_DREG] = { .type = NLA_U32 },
[NFTA_BITWISE_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_BITWISE_SREG2] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_BITWISE_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_BITWISE_LEN] = { .type = NLA_U32 },
[NFTA_BITWISE_MASK] = { .type = NLA_NESTED },
[NFTA_BITWISE_XOR] = { .type = NLA_NESTED },

4
net/netfilter/nft_byteorder.c
View File

@ -87,8 +87,8 @@ void nft_byteorder_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_byteorder_policy[NFTA_BYTEORDER_MAX + 1] = {
[NFTA_BYTEORDER_SREG] = { .type = NLA_U32 },
[NFTA_BYTEORDER_DREG] = { .type = NLA_U32 },
[NFTA_BYTEORDER_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_BYTEORDER_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_BYTEORDER_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_BYTEORDER_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_BYTEORDER_SIZE] = NLA_POLICY_MAX(NLA_BE32, 255),

2
net/netfilter/nft_cmp.c
View File

@ -64,7 +64,7 @@ void nft_cmp_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_cmp_policy[NFTA_CMP_MAX + 1] = {
[NFTA_CMP_SREG] = { .type = NLA_U32 },
[NFTA_CMP_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_CMP_OP] = { .type = NLA_U32 },
[NFTA_CMP_DATA] = { .type = NLA_NESTED },
};

2
net/netfilter/nft_compat.c
View File

@ -195,7 +195,7 @@ static void target_compat_from_user(struct xt_target *t, void *in, void *out)
static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1] = {
[NFTA_RULE_COMPAT_PROTO] = { .type = NLA_U32 },
[NFTA_RULE_COMPAT_FLAGS] = { .type = NLA_U32 },
[NFTA_RULE_COMPAT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_RULE_COMPAT_F_MASK),
};
static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)

2
net/netfilter/nft_connlimit.c
View File

@ -159,7 +159,7 @@ static int nft_connlimit_obj_dump(struct sk_buff *skb,
static const struct nla_policy nft_connlimit_policy[NFTA_CONNLIMIT_MAX + 1] = {
[NFTA_CONNLIMIT_COUNT] = { .type = NLA_U32 },
[NFTA_CONNLIMIT_FLAGS] = { .type = NLA_U32 },
[NFTA_CONNLIMIT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_CONNLIMIT_F_INV),
};
static struct nft_object_type nft_connlimit_obj_type;

6
net/netfilter/nft_ct.c
View File

@ -336,10 +336,10 @@ static void nft_ct_set_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
[NFTA_CT_DREG] = { .type = NLA_U32 },
[NFTA_CT_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_CT_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_CT_DIRECTION] = { .type = NLA_U8 },
[NFTA_CT_SREG] = { .type = NLA_U32 },
[NFTA_CT_DIRECTION] = NLA_POLICY_MAX(NLA_U8, IP_CT_DIR_REPLY),
[NFTA_CT_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
};
#ifdef CONFIG_NF_CONNTRACK_ZONES

3
net/netfilter/nft_dynset.c
View File

@ -163,7 +163,8 @@ static const struct nla_policy nft_dynset_policy[NFTA_DYNSET_MAX + 1] = {
[NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
[NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },
[NFTA_DYNSET_EXPR] = { .type = NLA_NESTED },
[NFTA_DYNSET_FLAGS] = { .type = NLA_U32 },
[NFTA_DYNSET_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_DYNSET_F_INV |
NFT_DYNSET_F_EXPR),
[NFTA_DYNSET_EXPRESSIONS] = { .type = NLA_NESTED },
};

9
net/netfilter/nft_exthdr.c
View File

@ -486,13 +486,13 @@ static void nft_exthdr_dccp_eval(const struct nft_expr *expr,
#endif
static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
[NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
[NFTA_EXTHDR_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
[NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 },
[NFTA_EXTHDR_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 },
[NFTA_EXTHDR_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_EXTHDR_F_PRESENT),
[NFTA_EXTHDR_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_EXTHDR_SREG] = { .type = NLA_U32 },
[NFTA_EXTHDR_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
};
static int nft_exthdr_init(const struct nft_ctx *ctx,
@ -796,6 +796,9 @@ nft_exthdr_select_ops(const struct nft_ctx *ctx,
break;
#ifdef CONFIG_NFT_EXTHDR_DCCP
case NFT_EXTHDR_OP_DCCP:
pr_warn_once("The dccp option matching is deprecated and scheduled to be removed in 2027.\n"
"Please contact the netfilter-devel mailing list or update your nftables rules.\n");
if (tb[NFTA_EXTHDR_DREG])
return &nft_exthdr_dccp_ops;
break;

2
net/netfilter/nft_fib.c
View File

@ -19,7 +19,7 @@
NFTA_FIB_F_PRESENT)
const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = {
[NFTA_FIB_DREG] = { .type = NLA_U32 },
[NFTA_FIB_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_FIB_RESULT] = { .type = NLA_U32 },
[NFTA_FIB_FLAGS] =
NLA_POLICY_MASK(NLA_BE32, NFTA_FIB_F_ALL),

4
net/netfilter/nft_hash.c
View File

@ -58,8 +58,8 @@ static void nft_symhash_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
[NFTA_HASH_SREG] = { .type = NLA_U32 },
[NFTA_HASH_DREG] = { .type = NLA_U32 },
[NFTA_HASH_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_HASH_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_HASH_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_HASH_MODULUS] = { .type = NLA_U32 },
[NFTA_HASH_SEED] = { .type = NLA_U32 },

6
net/netfilter/nft_immediate.c
View File

@ -25,7 +25,7 @@ void nft_immediate_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_immediate_policy[NFTA_IMMEDIATE_MAX + 1] = {
[NFTA_IMMEDIATE_DREG] = { .type = NLA_U32 },
[NFTA_IMMEDIATE_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_IMMEDIATE_DATA] = { .type = NLA_NESTED },
};
@ -279,7 +279,9 @@ static int nft_immediate_offload_verdict(struct nft_offload_ctx *ctx,
struct flow_action_entry *entry;
const struct nft_data *data;
entry = &flow->rule->action.entries[ctx->num_actions++];
entry = nft_flow_action_entry_next(ctx, flow);
if (!entry)
return -E2BIG;
data = &priv->data;
switch (data->verdict.code) {

2
net/netfilter/nft_inner.c
View File

@ -321,7 +321,7 @@ static void nft_inner_eval(const struct nft_expr *expr, struct nft_regs *regs,
static const struct nla_policy nft_inner_policy[NFTA_INNER_MAX + 1] = {
[NFTA_INNER_NUM] = { .type = NLA_U32 },
[NFTA_INNER_FLAGS] = { .type = NLA_U32 },
[NFTA_INNER_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_INNER_MASK),
[NFTA_INNER_HDRSIZE] = { .type = NLA_U32 },
[NFTA_INNER_TYPE] = { .type = NLA_U32 },
[NFTA_INNER_EXPR] = { .type = NLA_NESTED },

2
net/netfilter/nft_limit.c
View File

@ -189,7 +189,7 @@ static const struct nla_policy nft_limit_policy[NFTA_LIMIT_MAX + 1] = {
[NFTA_LIMIT_UNIT] = { .type = NLA_U64 },
[NFTA_LIMIT_BURST] = { .type = NLA_U32 },
[NFTA_LIMIT_TYPE] = { .type = NLA_U32 },
[NFTA_LIMIT_FLAGS] = { .type = NLA_U32 },
[NFTA_LIMIT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_LIMIT_F_INV),
};
static int nft_limit_pkts_init(const struct nft_ctx *ctx,

2
net/netfilter/nft_log.c
View File

@ -69,7 +69,7 @@ static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = {
[NFTA_LOG_SNAPLEN] = { .type = NLA_U32 },
[NFTA_LOG_QTHRESHOLD] = { .type = NLA_U16 },
[NFTA_LOG_LEVEL] = { .type = NLA_U32 },
[NFTA_LOG_FLAGS] = { .type = NLA_U32 },
[NFTA_LOG_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NF_LOG_MASK),
};
static int nft_log_modprobe(struct net *net, enum nf_log_type t)

4
net/netfilter/nft_lookup.c
View File

@ -125,8 +125,8 @@ static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
[NFTA_LOOKUP_SET] = { .type = NLA_STRING,
.len = NFT_SET_MAXNAMELEN - 1 },
[NFTA_LOOKUP_SET_ID] = { .type = NLA_U32 },
[NFTA_LOOKUP_SREG] = { .type = NLA_U32 },
[NFTA_LOOKUP_DREG] = { .type = NLA_U32 },
[NFTA_LOOKUP_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_LOOKUP_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_LOOKUP_FLAGS] =
NLA_POLICY_MASK(NLA_BE32, NFT_LOOKUP_F_INV),
};

58
net/netfilter/nft_meta.c
View File

@ -23,6 +23,8 @@
#include <net/tcp_states.h> /* for TCP_TIME_WAIT */
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables_ipv4.h>
#include <net/netfilter/nf_tables_ipv6.h>
#include <net/netfilter/nft_meta.h>
#include <net/netfilter/nf_tables_offload.h>
@ -309,6 +311,54 @@ nft_meta_get_eval_sdifname(u32 *dest, const struct nft_pktinfo *pkt)
nft_meta_store_ifname(dest, dev);
}
static void nft_meta_pktinfo_may_update(struct nft_pktinfo *pkt)
{
struct sk_buff *skb = pkt->skb;
struct vlan_ethhdr *veth;
__be16 ethertype;
int nhoff;
/* Is this an IP packet? Then, skip. */
if (pkt->flags)
return;
/* ... else maybe an IP packet over PPPoE or Q-in-Q? */
switch (skb->protocol) {
case htons(ETH_P_8021Q):
if (!pskb_may_pull(skb, skb_mac_offset(skb) + sizeof(*veth)))
return;
veth = (struct vlan_ethhdr *)skb_mac_header(skb);
nhoff = VLAN_HLEN;
ethertype = veth->h_vlan_encapsulated_proto;
break;
case htons(ETH_P_PPP_SES):
if (!nf_flow_pppoe_proto(skb, &ethertype))
return;
nhoff = PPPOE_SES_HLEN;
break;
default:
return;
}
nhoff += skb_network_offset(skb);
switch (ethertype) {
case htons(ETH_P_IP):
if (__nft_set_pktinfo_ipv4_validate(pkt, nhoff))
nft_set_pktinfo_unspec(pkt);
break;
case htons(ETH_P_IPV6):
if (__nft_set_pktinfo_ipv6_validate(pkt, nhoff))
nft_set_pktinfo_unspec(pkt);
break;
default:
break;
}
pkt->ethertype = ethertype;
}
void nft_meta_get_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
@ -322,12 +372,14 @@ void nft_meta_get_eval(const struct nft_expr *expr,
*dest = skb->len;
break;
case NFT_META_PROTOCOL:
nft_reg_store16(dest, (__force u16)skb->protocol);
nft_meta_pktinfo_may_update((struct nft_pktinfo *)pkt);
nft_reg_store16(dest, (__force u16)pkt->ethertype);
break;
case NFT_META_NFPROTO:
nft_reg_store8(dest, nft_pf(pkt));
break;
case NFT_META_L4PROTO:
nft_meta_pktinfo_may_update((struct nft_pktinfo *)pkt);
if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
goto err;
nft_reg_store8(dest, pkt->tprot);
@ -460,9 +512,9 @@ void nft_meta_set_eval(const struct nft_expr *expr,
EXPORT_SYMBOL_GPL(nft_meta_set_eval);
const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
[NFTA_META_DREG] = { .type = NLA_U32 },
[NFTA_META_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_META_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_META_SREG] = { .type = NLA_U32 },
[NFTA_META_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
};
EXPORT_SYMBOL_GPL(nft_meta_policy);

2
net/netfilter/nft_numgen.c
View File

@ -43,7 +43,7 @@ static void nft_ng_inc_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_ng_policy[NFTA_NG_MAX + 1] = {
[NFTA_NG_DREG] = { .type = NLA_U32 },
[NFTA_NG_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_NG_MODULUS] = { .type = NLA_U32 },
[NFTA_NG_TYPE] = { .type = NLA_U32 },
[NFTA_NG_OFFSET] = { .type = NLA_U32 },

2
net/netfilter/nft_objref.c
View File

@ -265,7 +265,7 @@ static const struct nla_policy nft_objref_policy[NFTA_OBJREF_MAX + 1] = {
[NFTA_OBJREF_IMM_NAME] = { .type = NLA_STRING,
.len = NFT_OBJ_MAXNAMELEN - 1 },
[NFTA_OBJREF_IMM_TYPE] = { .type = NLA_U32 },
[NFTA_OBJREF_SET_SREG] = { .type = NLA_U32 },
[NFTA_OBJREF_SET_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_OBJREF_SET_NAME] = { .type = NLA_STRING,
.len = NFT_SET_MAXNAMELEN - 1 },
[NFTA_OBJREF_SET_ID] = { .type = NLA_U32 },

4
net/netfilter/nft_osf.c
View File

@ -12,9 +12,9 @@ struct nft_osf {
};
static const struct nla_policy nft_osf_policy[NFTA_OSF_MAX + 1] = {
[NFTA_OSF_DREG] = { .type = NLA_U32 },
[NFTA_OSF_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_OSF_TTL] = { .type = NLA_U8 },
[NFTA_OSF_FLAGS] = { .type = NLA_U32 },
[NFTA_OSF_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_OSF_F_VERSION),
};
static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,

8
net/netfilter/nft_payload.c
View File

@ -183,7 +183,7 @@ void nft_payload_eval(const struct nft_expr *expr,
offset = skb_mac_header(skb) - skb->data;
break;
case NFT_PAYLOAD_NETWORK_HEADER:
offset = skb_network_offset(skb);
offset = skb_network_offset(skb) + pkt->nhoff;
break;
case NFT_PAYLOAD_TRANSPORT_HEADER:
if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)
@ -209,14 +209,14 @@ void nft_payload_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_payload_policy[NFTA_PAYLOAD_MAX + 1] = {
[NFTA_PAYLOAD_SREG] = { .type = NLA_U32 },
[NFTA_PAYLOAD_DREG] = { .type = NLA_U32 },
[NFTA_PAYLOAD_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_PAYLOAD_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_PAYLOAD_BASE] = { .type = NLA_U32 },
[NFTA_PAYLOAD_OFFSET] = { .type = NLA_BE32 },
[NFTA_PAYLOAD_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_PAYLOAD_CSUM_TYPE] = { .type = NLA_U32 },
[NFTA_PAYLOAD_CSUM_OFFSET] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_PAYLOAD_CSUM_FLAGS] = { .type = NLA_U32 },
[NFTA_PAYLOAD_CSUM_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_PAYLOAD_L4CSUM_PSEUDOHDR),
};
static int nft_payload_init(const struct nft_ctx *ctx,

2
net/netfilter/nft_queue.c
View File

@ -95,7 +95,7 @@ static int nft_queue_validate(const struct nft_ctx *ctx,
static const struct nla_policy nft_queue_policy[NFTA_QUEUE_MAX + 1] = {
[NFTA_QUEUE_NUM] = { .type = NLA_U16 },
[NFTA_QUEUE_TOTAL] = { .type = NLA_U16 },
[NFTA_QUEUE_FLAGS] = { .type = NLA_U16 },
[NFTA_QUEUE_FLAGS] = NLA_POLICY_MASK(NLA_BE16, NFT_QUEUE_FLAG_MASK),
[NFTA_QUEUE_SREG_QNUM] = { .type = NLA_U32 },
};

2
net/netfilter/nft_quota.c
View File

@ -46,7 +46,7 @@ static inline void nft_quota_do_eval(struct nft_quota *priv,
static const struct nla_policy nft_quota_policy[NFTA_QUOTA_MAX + 1] = {
[NFTA_QUOTA_BYTES] = { .type = NLA_U64 },
[NFTA_QUOTA_FLAGS] = { .type = NLA_U32 },
[NFTA_QUOTA_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_QUOTA_F_INV),
[NFTA_QUOTA_CONSUMED] = { .type = NLA_U64 },
};

2
net/netfilter/nft_range.c
View File

@ -41,7 +41,7 @@ void nft_range_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_range_policy[NFTA_RANGE_MAX + 1] = {
[NFTA_RANGE_SREG] = { .type = NLA_U32 },
[NFTA_RANGE_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_RANGE_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_RANGE_FROM_DATA] = { .type = NLA_NESTED },
[NFTA_RANGE_TO_DATA] = { .type = NLA_NESTED },

2
net/netfilter/nft_rt.c
View File

@ -103,7 +103,7 @@ void nft_rt_get_eval(const struct nft_expr *expr,
}
static const struct nla_policy nft_rt_policy[NFTA_RT_MAX + 1] = {
[NFTA_RT_DREG] = { .type = NLA_U32 },
[NFTA_RT_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_RT_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
};

4
net/netfilter/nft_set_pipapo.c
View File

@ -452,8 +452,6 @@ static struct nft_pipapo_elem *pipapo_get_slow(const struct nft_pipapo_match *m,
pipapo_and_field_buckets_4bit(f, res_map, data);
NFT_PIPAPO_GROUP_BITS_ARE_8_OR_4;
data += f->groups / NFT_PIPAPO_GROUPS_PER_BYTE(f);
/* Now populate the bitmap for the next field, unless this is
* the last field, in which case return the matched 'ext'
* pointer if any.
@ -498,7 +496,7 @@ static struct nft_pipapo_elem *pipapo_get_slow(const struct nft_pipapo_match *m,
map_index = !map_index;
swap(res_map, fill_map);
data += NFT_PIPAPO_GROUPS_PADDING(f);
data += NFT_PIPAPO_GROUPS_PADDED_SIZE(f);
}
__local_unlock_nested_bh(&scratch->bh_lock);

3
net/netfilter/nft_set_pipapo.h
View File

@ -42,9 +42,6 @@
/* Fields are padded to 32 bits in input registers */
#define NFT_PIPAPO_GROUPS_PADDED_SIZE(f) \
(round_up((f)->groups / NFT_PIPAPO_GROUPS_PER_BYTE(f), sizeof(u32)))
#define NFT_PIPAPO_GROUPS_PADDING(f) \
(NFT_PIPAPO_GROUPS_PADDED_SIZE(f) - (f)->groups / \
NFT_PIPAPO_GROUPS_PER_BYTE(f))
/* Number of buckets given by 2 ^ n, with n bucket bits */
#define NFT_PIPAPO_BUCKETS(bb) (1 << (bb))

32
net/netfilter/nft_set_pipapo_avx2.c
View File

@ -1041,7 +1041,6 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
* @map: Previous match result, used as initial bitmap
* @fill: Destination bitmap to be filled with current match result
* @f: Field, containing lookup and mapping tables
* @offset: Ignore buckets before the given index, no bits are filled there
* @pkt: Packet data, pointer to input nftables register
* @first: If this is the first field, don't source previous result
* @last: Last field: stop at the first match and return bit index
@ -1056,32 +1055,19 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
static int nft_pipapo_avx2_lookup_slow(const struct nft_pipapo_match *mdata,
unsigned long *map, unsigned long *fill,
const struct nft_pipapo_field *f,
int offset, const u8 *pkt,
const u8 *pkt,
bool first, bool last)
{
unsigned long bsize = f->bsize;
int i, ret = -1, b;
if (first)
pipapo_resmap_init(mdata, map);
for (i = offset; i < bsize; i++) {
if (f->bb == 8)
pipapo_and_field_buckets_8bit(f, map, pkt);
else
pipapo_and_field_buckets_4bit(f, map, pkt);
NFT_PIPAPO_GROUP_BITS_ARE_8_OR_4;
if (f->bb == 8)
pipapo_and_field_buckets_8bit(f, map, pkt);
else
pipapo_and_field_buckets_4bit(f, map, pkt);
NFT_PIPAPO_GROUP_BITS_ARE_8_OR_4;
b = pipapo_refill(map, bsize, f->rules, fill, f->mt, last);
if (last)
return b;
if (ret == -1)
ret = b / XSAVE_YMM_SIZE;
}
return ret;
return pipapo_refill(map, f->bsize, f->rules, fill, f->mt, last);
}
/**
@ -1201,7 +1187,7 @@ struct nft_pipapo_elem *pipapo_get_avx2(const struct nft_pipapo_match *m,
NFT_SET_PIPAPO_AVX2_LOOKUP(8, 16);
} else {
ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f,
ret, data,
data,
first, last);
}
} else {
@ -1217,7 +1203,7 @@ struct nft_pipapo_elem *pipapo_get_avx2(const struct nft_pipapo_match *m,
NFT_SET_PIPAPO_AVX2_LOOKUP(4, 32);
} else {
ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f,
ret, data,
data,
first, last);
}
}

2
net/netfilter/nft_socket.c
View File

@ -163,7 +163,7 @@ static void nft_socket_eval(const struct nft_expr *expr,
static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
[NFTA_SOCKET_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_SOCKET_DREG] = { .type = NLA_U32 },
[NFTA_SOCKET_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_SOCKET_LEVEL] = NLA_POLICY_MAX(NLA_BE32, 255),
};

4
net/netfilter/nft_synproxy.c
View File

@ -17,8 +17,8 @@ struct nft_synproxy {
static const struct nla_policy nft_synproxy_policy[NFTA_SYNPROXY_MAX + 1] = {
[NFTA_SYNPROXY_MSS] = { .type = NLA_U16 },
[NFTA_SYNPROXY_WSCALE] = { .type = NLA_U8 },
[NFTA_SYNPROXY_FLAGS] = { .type = NLA_U32 },
[NFTA_SYNPROXY_WSCALE] = NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE),
[NFTA_SYNPROXY_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NF_SYNPROXY_OPT_MASK),
};
static void nft_synproxy_tcp_options(struct synproxy_options *opts,

6
net/netfilter/nft_tunnel.c
View File

@ -67,8 +67,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
static const struct nla_policy nft_tunnel_policy[NFTA_TUNNEL_MAX + 1] = {
[NFTA_TUNNEL_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_TUNNEL_DREG] = { .type = NLA_U32 },
[NFTA_TUNNEL_MODE] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_TUNNEL_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
[NFTA_TUNNEL_MODE] = NLA_POLICY_MAX(NLA_BE32, NFT_TUNNEL_MODE_MAX),
};
static int nft_tunnel_get_init(const struct nft_ctx *ctx,
@ -408,7 +408,7 @@ static const struct nla_policy nft_tunnel_key_policy[NFTA_TUNNEL_KEY_MAX + 1] =
[NFTA_TUNNEL_KEY_IP] = { .type = NLA_NESTED, },
[NFTA_TUNNEL_KEY_IP6] = { .type = NLA_NESTED, },
[NFTA_TUNNEL_KEY_ID] = { .type = NLA_U32, },
[NFTA_TUNNEL_KEY_FLAGS] = { .type = NLA_U32, },
[NFTA_TUNNEL_KEY_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_TUNNEL_F_MASK),
[NFTA_TUNNEL_KEY_TOS] = { .type = NLA_U8, },
[NFTA_TUNNEL_KEY_TTL] = { .type = NLA_U8, },
[NFTA_TUNNEL_KEY_SPORT] = { .type = NLA_U16, },

6
net/netfilter/nft_xfrm.c
View File

@ -17,9 +17,9 @@
static const struct nla_policy nft_xfrm_policy[NFTA_XFRM_MAX + 1] = {
[NFTA_XFRM_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_XFRM_DIR] = { .type = NLA_U8 },
[NFTA_XFRM_SPNUM] = NLA_POLICY_MAX(NLA_BE32, 255),
[NFTA_XFRM_DREG] = { .type = NLA_U32 },
[NFTA_XFRM_DIR] = NLA_POLICY_MAX(NLA_U8, XFRM_POLICY_OUT),
[NFTA_XFRM_SPNUM] = NLA_POLICY_MAX(NLA_BE32, XFRM_MAX_DEPTH - 1),
[NFTA_XFRM_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
};
struct nft_xfrm {

3
net/netfilter/xt_dccp.c
View File

@ -159,6 +159,9 @@ static int __init dccp_mt_init(void)
{
int ret;
pr_warn_once("The DCCP match is deprecated and scheduled to be removed in 2027.\n"
"Please contact the netfilter-devel mailing list or update your iptables rules\n");
/* doff is 8 bits, so the maximum option size is (4*256). Don't put
* this in BSS since DaveM is worried about locked TLB's for kernel
* BSS. */