Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains Netfilter updates for net-next, mostly rather small housekeeping patches: 1) Remove unused variable in IPVS, from GuoYong Zheng. 2) Use memset_after in conntrack, from Kees Cook. 3) Remove leftover function in nfnetlink_queue, from Florian Westphal. 4) Remove redundant test on bool in conntrack, from Bernard Zhao. 5) egress support for nft_fwd, from Lukas Wunner. 6) Make pppoe work for br_netfilter, from Florian Westphal. 7) Remove unused variable in conntrack resize routine, from luo penghao. * git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next: netfilter: conntrack: Remove useless assignment statements netfilter: bridge: add support for pppoe filtering netfilter: nft_fwd_netdev: Support egress hook netfilter: ctnetlink: remove useless type conversion to bool netfilter: nf_queue: remove leftover synchronize_rcu netfilter: conntrack: Use memset_startat() to zero struct nf_conn ipvs: remove unused variable for ip_vs_new_dest ==================== Link: https://lore.kernel.org/r/20211215234911.170741-1-pablo@netfilter.orgSigned-off-by: Jakub Kicinski <kuba@kernel.org>

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains Netfilter updates for net-next, mostly rather small housekeeping patches: 1) Remove unused variable in IPVS, from GuoYong Zheng. 2) Use memset_after in conntrack, from Kees Cook. 3) Remove leftover function in nfnetlink_queue, from Florian Westphal. 4) Remove redundant test on bool in conntrack, from Bernard Zhao. 5) egress support for nft_fwd, from Lukas Wunner. 6) Make pppoe work for br_netfilter, from Florian Westphal. 7) Remove unused variable in conntrack resize routine, from luo penghao. * git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next: netfilter: conntrack: Remove useless assignment statements netfilter: bridge: add support for pppoe filtering netfilter: nft_fwd_netdev: Support egress hook netfilter: ctnetlink: remove useless type conversion to bool netfilter: nf_queue: remove leftover synchronize_rcu netfilter: conntrack: Use memset_startat() to zero struct nf_conn ipvs: remove unused variable for ip_vs_new_dest ==================== Link: https://lore.kernel.org/r/20211215234911.170741-1-pablo@netfilter.orgSigned-off-by: Jakub Kicinski <kuba@kernel.org>
bd1d97d8 · Jakub Kicinski · 3bc14ea0 · 284ca764 · bd1d97d8 · bd1d97d8
Commit bd1d97d8 authored Dec 15, 2021 by Jakub Kicinski
6 changed files
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -743,6 +743,9 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
 	if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu)
 		mtu = nf_bridge->frag_max_size;
+	nf_bridge_update_protocol(skb);
+	nf_bridge_push_encap_header(skb);
 	if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) {
 		nf_bridge_info_free(skb);
 		return br_dev_queue_push_xmit(net, sk, skb);
@@ -760,8 +763,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
 		IPCB(skb)->frag_max_size = nf_bridge->frag_max_size;
-		nf_bridge_update_protocol(skb);
 		data = this_cpu_ptr(&brnf_frag_data_storage);
 		if (skb_vlan_tag_present(skb)) {
@@ -789,8 +790,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff
 		IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size;
-		nf_bridge_update_protocol(skb);
 		data = this_cpu_ptr(&brnf_frag_data_storage);
 		data->encap_size = nf_bridge_encap_header_len(skb);
 		data->size = ETH_HLEN + data->encap_size;

--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -960,8 +960,7 @@ __ip_vs_update_dest(struct ip_vs_service *svc, struct ip_vs_dest *dest,
 *	Create a destination for the given service
 */
 static int
-ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
+ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
-	       struct ip_vs_dest **dest_p)
 {
 	struct ip_vs_dest *dest;
 	unsigned int atype, i;
@@ -1021,8 +1020,6 @@ ip_vs_new_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest,
 	spin_lock_init(&dest->stats.lock);
 	__ip_vs_update_dest(svc, dest, udest, 1);
-	*dest_p = dest;
 	LeaveFunction(2);
 	return 0;
@@ -1096,7 +1093,7 @@ ip_vs_add_dest(struct ip_vs_service *svc, struct ip_vs_dest_user_kern *udest)
 		/*
 		 * Allocate and initialize the dest structure
 		 */
-		ret = ip_vs_new_dest(svc, udest, &dest);
+		ret = ip_vs_new_dest(svc, udest);
 	}
 	LeaveFunction(2);

--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1562,9 +1562,7 @@ __nf_conntrack_alloc(struct net *net,
 	ct->status = 0;
 	WRITE_ONCE(ct->timeout, 0);
 	write_pnet(&ct->ct_net, net);
-	memset(&ct->__nfct_init_offset, 0,
+	memset_after(ct, 0, __nfct_init_offset);
-	       offsetof(struct nf_conn, proto) -
-	       offsetof(struct nf_conn, __nfct_init_offset));
 	nf_ct_zone_add(ct, zone);
@@ -2590,7 +2588,6 @@ int nf_conntrack_hash_resize(unsigned int hashsize)
 			hlist_nulls_add_head_rcu(&h->hnnode, &hash[bucket]);
 		}
 	}
-	old_size = nf_conntrack_htable_size;
 	old_hash = nf_conntrack_hash;
 	nf_conntrack_hash = hash;

--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1746,7 +1746,7 @@ ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying
 			res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
 						  cb->nlh->nlmsg_seq,
 						  NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
-						  ct, dying ? true : false, 0);
+						  ct, dying, 0);
 			if (res < 0) {
 				if (!atomic_inc_not_zero(&ct->ct_general.use))
 					continue;

--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -1527,15 +1527,9 @@ static void __net_exit nfnl_queue_net_exit(struct net *net)
 		WARN_ON_ONCE(!hlist_empty(&q->instance_table[i]));
 }
-static void nfnl_queue_net_exit_batch(struct list_head *net_exit_list)
-{
-	synchronize_rcu();
-}
 static struct pernet_operations nfnl_queue_net_ops = {
 	.init		= nfnl_queue_net_init,
 	.exit		= nfnl_queue_net_exit,
-	.exit_batch	= nfnl_queue_net_exit_batch,
 	.id		= &nfnl_queue_net_id,
 	.size		= sizeof(struct nfnl_queue_net),
 };

--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -27,9 +27,11 @@ static void nft_fwd_netdev_eval(const struct nft_expr *expr,
 {
 	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
 	int oif = regs->data[priv->sreg_dev];
+	struct sk_buff *skb = pkt->skb;
 	/* This is used by ifb only. */
-	skb_set_redirected(pkt->skb, true);
+	skb->skb_iif = skb->dev->ifindex;
+	skb_set_redirected(skb, nft_hook(pkt) == NF_NETDEV_INGRESS);
 	nf_fwd_netdev_egress(pkt, oif);
 	regs->verdict.code = NF_STOLEN;
@@ -198,7 +200,8 @@ static int nft_fwd_validate(const struct nft_ctx *ctx,
 			    const struct nft_expr *expr,
 			    const struct nft_data **data)
 {
-	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS));
+	return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS) |
+						    (1 << NF_NETDEV_EGRESS));
 }
 static struct nft_expr_type nft_fwd_netdev_type;