
Merge tag 'nf-next-26-04-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Florian Westphal says:

====================
netfilter: updates for net-next

1) Fix ancient sparse warnings in nf conntrack nat modules, from
Sun Jian.

2) Fix typo in enum description, from Jelle van der Waa.

3) remove redundant refetch of netns pointer in nf_conntrack_sip.

4) add a deprecation warning for dccp match.
We can extend the deadline later if needed, but plan atm is to
remove the feature.

5) remove nf_conntrack_h323 debug code that can read out-of-bounds
with malformed messages. This code was commented out, but better
remove this.

6+7) add more netlink policy validations in netfilter.
This could theoretically cause issues when a client sends e.g.
unsupported feature flags that were previously ignored, so we
may have to relax some changes. For now, try to be stricter and
reject upfront.

8+9) minor code cleanup in nft_set_pipapo (an nftables set backend).

10) Add nftables matching support for double-tagged vlan and pppoe
frames, from Pablo Neira Ayuso.

11) Fix up indentation of debug messages in nf_conntrack_h323 conntrack
helper, from David Laight.

12) Add a helper to iterate to next flow action and bail out if the
maximum number of actions is reached, also from Pablo.

* tag 'nf-next-26-04-08' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: nf_tables_offload: add nft_flow_action_entry_next() and use it
netfilter: nf_conntrack_h323: Correct indentation when H323_TRACE defined
netfilter: nft_meta: add double-tagged vlan and pppoe support
netfilter: nft_set_pipapo_avx2: remove redundant loop in lookup_slow
netfilter: nft_set_pipapo: increment data in one step
netfilter: nf_tables: add netlink policy based cap on registers
netfilter: add more netlink-based policy range checks
netfilter: nf_conntrack_h323: remove unreliable debug code in decode_octstr
netfilter: add deprecation warning for dccp support
netfilter: nf_conntrack_sip: remove net variable shadowing
netfilter: nf_tables: Fix typo in enum description
netfilter: use function typedefs for __rcu NAT helper hook pointers
====================

Link: https://patch.msgid.link/20260408060419.25258-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+262 -191
+9 -6
include/linux/netfilter/nf_conntrack_amanda.h
··· 7 7 #include <linux/skbuff.h> 8 8 #include <net/netfilter/nf_conntrack_expect.h> 9 9 10 - extern unsigned int (__rcu *nf_nat_amanda_hook)(struct sk_buff *skb, 11 - enum ip_conntrack_info ctinfo, 12 - unsigned int protoff, 13 - unsigned int matchoff, 14 - unsigned int matchlen, 15 - struct nf_conntrack_expect *exp); 10 + typedef unsigned int 11 + nf_nat_amanda_hook_fn(struct sk_buff *skb, 12 + enum ip_conntrack_info ctinfo, 13 + unsigned int protoff, 14 + unsigned int matchoff, 15 + unsigned int matchlen, 16 + struct nf_conntrack_expect *exp); 17 + 18 + extern nf_nat_amanda_hook_fn __rcu *nf_nat_amanda_hook; 16 19 #endif /* _NF_CONNTRACK_AMANDA_H */
+10 -7
include/linux/netfilter/nf_conntrack_ftp.h
··· 26 26 27 27 /* For NAT to hook in when we find a packet which describes what other 28 28 * connection we should expect. */ 29 - extern unsigned int (__rcu *nf_nat_ftp_hook)(struct sk_buff *skb, 30 - enum ip_conntrack_info ctinfo, 31 - enum nf_ct_ftp_type type, 32 - unsigned int protoff, 33 - unsigned int matchoff, 34 - unsigned int matchlen, 35 - struct nf_conntrack_expect *exp); 29 + typedef unsigned int 30 + nf_nat_ftp_hook_fn(struct sk_buff *skb, 31 + enum ip_conntrack_info ctinfo, 32 + enum nf_ct_ftp_type type, 33 + unsigned int protoff, 34 + unsigned int matchoff, 35 + unsigned int matchlen, 36 + struct nf_conntrack_expect *exp); 37 + 38 + extern nf_nat_ftp_hook_fn __rcu *nf_nat_ftp_hook; 36 39 #endif /* _NF_CONNTRACK_FTP_H */
+9 -6
include/linux/netfilter/nf_conntrack_irc.h
··· 8 8 9 9 #define IRC_PORT 6667 10 10 11 - extern unsigned int (__rcu *nf_nat_irc_hook)(struct sk_buff *skb, 12 - enum ip_conntrack_info ctinfo, 13 - unsigned int protoff, 14 - unsigned int matchoff, 15 - unsigned int matchlen, 16 - struct nf_conntrack_expect *exp); 11 + typedef unsigned int 12 + nf_nat_irc_hook_fn(struct sk_buff *skb, 13 + enum ip_conntrack_info ctinfo, 14 + unsigned int protoff, 15 + unsigned int matchoff, 16 + unsigned int matchlen, 17 + struct nf_conntrack_expect *exp); 18 + 19 + extern nf_nat_irc_hook_fn __rcu *nf_nat_irc_hook; 17 20 18 21 #endif /* _NF_CONNTRACK_IRC_H */
+7 -4
include/linux/netfilter/nf_conntrack_snmp.h
··· 5 5 #include <linux/netfilter.h> 6 6 #include <linux/skbuff.h> 7 7 8 - extern int (__rcu *nf_nat_snmp_hook)(struct sk_buff *skb, 9 - unsigned int protoff, 10 - struct nf_conn *ct, 11 - enum ip_conntrack_info ctinfo); 8 + typedef int 9 + nf_nat_snmp_hook_fn(struct sk_buff *skb, 10 + unsigned int protoff, 11 + struct nf_conn *ct, 12 + enum ip_conntrack_info ctinfo); 13 + 14 + extern nf_nat_snmp_hook_fn __rcu *nf_nat_snmp_hook; 12 15 13 16 #endif /* _NF_CONNTRACK_SNMP_H */
+6 -3
include/linux/netfilter/nf_conntrack_tftp.h
··· 19 19 #define TFTP_OPCODE_ACK 4 20 20 #define TFTP_OPCODE_ERROR 5 21 21 22 - extern unsigned int (__rcu *nf_nat_tftp_hook)(struct sk_buff *skb, 23 - enum ip_conntrack_info ctinfo, 24 - struct nf_conntrack_expect *exp); 22 + typedef unsigned int 23 + nf_nat_tftp_hook_fn(struct sk_buff *skb, 24 + enum ip_conntrack_info ctinfo, 25 + struct nf_conntrack_expect *exp); 26 + 27 + extern nf_nat_tftp_hook_fn __rcu *nf_nat_tftp_hook; 25 28 26 29 #endif /* _NF_CONNTRACK_TFTP_H */
+4
include/net/netfilter/nf_tables.h
··· 31 31 const struct nf_hook_state *state; 32 32 u8 flags; 33 33 u8 tprot; 34 + __be16 ethertype; 34 35 u16 fragoff; 36 + u16 nhoff; 35 37 u16 thoff; 36 38 u16 inneroff; 37 39 }; ··· 85 83 { 86 84 pkt->flags = 0; 87 85 pkt->tprot = 0; 86 + pkt->ethertype = pkt->skb->protocol; 87 + pkt->nhoff = 0; 88 88 pkt->thoff = 0; 89 89 pkt->fragoff = 0; 90 90 }
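Review bot: The two fields added to struct nft_pktinfo, `__be16 ethertype;` and `u16 nhoff;`, carry no comment, and nhoff's reference point is not obvious from this hunk: nft_set_pktinfo_unspec() zeroes it while the ipv4/ipv6 validators in this series add it on top of skb_network_offset(). If that is the intended contract, a comment on the field such as `u16 nhoff; /* offset of the IP header from skb_network_header(); non-zero only for encapsulated (vlan/pppoe) IP */` and `__be16 ethertype; /* L3 protocol actually parsed, may differ from skb->protocol */` would make the reads in nf_tables_core.c and nft_meta.c self-explanatory; please confirm the wording against the callers, which I only partly see here.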
+12 -5
include/net/netfilter/nf_tables_ipv4.h
··· 12 12 ip = ip_hdr(pkt->skb); 13 13 pkt->flags = NFT_PKTINFO_L4PROTO; 14 14 pkt->tprot = ip->protocol; 15 + pkt->ethertype = pkt->skb->protocol; 16 + pkt->nhoff = 0; 15 17 pkt->thoff = ip_hdrlen(pkt->skb); 16 18 pkt->fragoff = ntohs(ip->frag_off) & IP_OFFSET; 17 19 } 18 20 19 - static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt) 21 + static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt, 22 + int nhoff) 20 23 { 21 24 struct iphdr *iph, _iph; 22 25 u32 len, thoff, skb_len; 23 26 24 - iph = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb), 27 + iph = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb) + nhoff, 25 28 sizeof(*iph), &_iph); 26 29 if (!iph) 27 30 return -1; ··· 34 31 35 32 len = iph_totlen(pkt->skb, iph); 36 33 thoff = iph->ihl * 4; 37 - skb_len = pkt->skb->len - skb_network_offset(pkt->skb); 34 + skb_len = pkt->skb->len - skb_network_offset(pkt->skb) - nhoff; 38 35 39 36 if (skb_len < len) 40 37 return -1; ··· 45 42 46 43 pkt->flags = NFT_PKTINFO_L4PROTO; 47 44 pkt->tprot = iph->protocol; 48 - pkt->thoff = skb_network_offset(pkt->skb) + thoff; 45 + pkt->ethertype = pkt->skb->protocol; 46 + pkt->nhoff = nhoff; 47 + pkt->thoff = skb_network_offset(pkt->skb) + nhoff + thoff; 49 48 pkt->fragoff = ntohs(iph->frag_off) & IP_OFFSET; 50 49 51 50 return 0; ··· 55 50 56 51 static inline void nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt) 57 52 { 58 - if (__nft_set_pktinfo_ipv4_validate(pkt) < 0) 53 + if (__nft_set_pktinfo_ipv4_validate(pkt, 0) < 0) 59 54 nft_set_pktinfo_unspec(pkt); 60 55 } 61 56 ··· 83 78 } 84 79 85 80 pkt->flags = NFT_PKTINFO_L4PROTO; 81 + pkt->ethertype = pkt->skb->protocol; 82 + pkt->nhoff = 0; 86 83 pkt->tprot = iph->protocol; 87 84 pkt->thoff = thoff; 88 85 pkt->fragoff = ntohs(iph->frag_off) & IP_OFFSET;
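Review bot: The meaning of the new `nhoff` parameter is ambiguous at `iph = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb) + nhoff, ...)`: inside __nft_set_pktinfo_ipv4_validate() it is added on top of skb_network_offset(), yet the only new caller in nft_meta.c does `nhoff += skb_network_offset(skb);` before calling `__nft_set_pktinfo_ipv4_validate(pkt, nhoff)`, so the network offset is folded in twice. Unless skb_network_offset() is zero at every hook where nft_meta can run, the IP header is parsed from the wrong position and `pkt->thoff`/`pkt->nhoff` are off by that amount; I cannot confirm the hook context from here. Worth pinning the contract in a comment on the signature, e.g. `/* @nhoff: byte offset of the IP header relative to skb_network_header() */`, and making the caller match it. The same question applies to __nft_set_pktinfo_ipv6_validate() in nf_tables_ipv6.h, which uses nhoff the same way.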
+11 -5
include/net/netfilter/nf_tables_ipv6.h
··· 20 20 21 21 pkt->flags = NFT_PKTINFO_L4PROTO; 22 22 pkt->tprot = protohdr; 23 + pkt->ethertype = pkt->skb->protocol; 24 + pkt->nhoff = 0; 23 25 pkt->thoff = thoff; 24 26 pkt->fragoff = frag_off; 25 27 } 26 28 27 - static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt) 29 + static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt, int nhoff) 28 30 { 29 31 #if IS_ENABLED(CONFIG_IPV6) 30 32 unsigned int flags = IP6_FH_F_AUTH; 31 33 struct ipv6hdr *ip6h, _ip6h; 32 - unsigned int thoff = 0; 34 + unsigned int thoff = nhoff; 33 35 unsigned short frag_off; 34 36 u32 pkt_len, skb_len; 35 37 int protohdr; 36 38 37 - ip6h = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb), 39 + ip6h = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb) + nhoff, 38 40 sizeof(*ip6h), &_ip6h); 39 41 if (!ip6h) 40 42 return -1; ··· 45 43 return -1; 46 44 47 45 pkt_len = ipv6_payload_len(pkt->skb, ip6h); 48 - skb_len = pkt->skb->len - skb_network_offset(pkt->skb); 46 + skb_len = pkt->skb->len - skb_network_offset(pkt->skb) - nhoff; 49 47 if (pkt_len + sizeof(*ip6h) > skb_len) 50 48 return -1; 51 49 ··· 55 53 56 54 pkt->flags = NFT_PKTINFO_L4PROTO; 57 55 pkt->tprot = protohdr; 56 + pkt->ethertype = pkt->skb->protocol; 57 + pkt->nhoff = nhoff; 58 58 pkt->thoff = thoff; 59 59 pkt->fragoff = frag_off; 60 60 ··· 68 64 69 65 static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt) 70 66 { 71 - if (__nft_set_pktinfo_ipv6_validate(pkt) < 0) 67 + if (__nft_set_pktinfo_ipv6_validate(pkt, 0) < 0) 72 68 nft_set_pktinfo_unspec(pkt); 73 69 } 74 70 ··· 103 99 104 100 pkt->flags = NFT_PKTINFO_L4PROTO; 105 101 pkt->tprot = protohdr; 102 + pkt->ethertype = pkt->skb->protocol; 103 + pkt->nhoff = 0; 106 104 pkt->thoff = thoff; 107 105 pkt->fragoff = frag_off; 108 106
+10
include/net/netfilter/nf_tables_offload.h
··· 67 67 struct flow_rule *rule; 68 68 }; 69 69 70 + static inline struct flow_action_entry * 71 + nft_flow_action_entry_next(struct nft_offload_ctx *ctx, 72 + struct nft_flow_rule *flow) 73 + { 74 + if (unlikely(ctx->num_actions >= flow->rule->action.num_entries)) 75 + return NULL; 76 + 77 + return &flow->rule->action.entries[ctx->num_actions++]; 78 + } 79 + 70 80 void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow, 71 81 enum flow_dissector_key_id addr_type); 72 82
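Review bot: nft_flow_action_entry_next() is a new static inline in a shared header with no kernel-doc, and its two properties that callers must know are only implicit: a NULL return means `flow->rule->action` has no free entry, and `ctx->num_actions` is advanced only on success. Suggest a kernel-doc block above it describing @ctx, @flow and the NULL-on-full return, so that nf_dup_netdev.c and nft_immediate.c (converted in this series) and any later user handle it the same way. Any remaining direct `entries[ctx->num_actions++]` users elsewhere in the tree are not visible here; if there are any, converting them keeps the cap enforced uniformly.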
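--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -46,6 +46,10 @@
 };
 #define NFT_REG_MAX (__NFT_REG_MAX - 1)
 
+#ifdef __KERNEL__
+#define NFT_REG32_MAX NFT_REG32_15
+#endif
+
 #define NFT_REG_SIZE 16
 #define NFT_REG32_SIZE 4
 #define NFT_REG32_COUNT (NFT_REG32_15 - NFT_REG32_00 + 1)
@@ -884,7 +888,7 @@
  * @NFT_EXTHDR_OP_TCPOPT: match against tcp options
  * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
  * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
- * @NFT_EXTHDR_OP_DCCP: match against dccp otions
+ * @NFT_EXTHDR_OP_DCCP: match against dccp options
  */
 enum nft_exthdr_op {
 	NFT_EXTHDR_OP_IPV6,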
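Review bot: `#define NFT_REG32_MAX NFT_REG32_15` is kernel-only (it sits under `#ifdef __KERNEL__`) but is placed in a uapi header; the usual home for such a definition is the in-kernel include/net/netfilter/nf_tables.h next to the other register helpers, which keeps the exported header free of kernel-internal symbols. Wherever it lands, a one-line comment would help readers of the many new `NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX)` entries, e.g. `/* largest register number accepted by the *REG netlink policies */`. My reading of the enum above the hunk is that the legacy NFT_REG_1..NFT_REG_4 values are numerically below NFT_REG32_15 and therefore still pass the cap; that is worth confirming and stating in the same comment.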
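--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -985,7 +985,7 @@
 		.len = IPSET_MAXNAMELEN - 1 },
 	[IPSET_ATTR_TYPENAME] = { .type = NLA_NUL_STRING,
 		.len = IPSET_MAXNAMELEN - 1},
-	[IPSET_ATTR_REVISION] = { .type = NLA_U8 },
+	[IPSET_ATTR_REVISION] = NLA_POLICY_MAX(NLA_U8, IPSET_REVISION_MAX),
 	[IPSET_ATTR_FAMILY] = { .type = NLA_U8 },
 	[IPSET_ATTR_DATA] = { .type = NLA_NESTED },
 };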
+2 -8
net/netfilter/nf_conntrack_amanda.c
··· 37 37 module_param(ts_algo, charp, 0400); 38 38 MODULE_PARM_DESC(ts_algo, "textsearch algorithm to use (default kmp)"); 39 39 40 - unsigned int (__rcu *nf_nat_amanda_hook)(struct sk_buff *skb, 41 - enum ip_conntrack_info ctinfo, 42 - unsigned int protoff, 43 - unsigned int matchoff, 44 - unsigned int matchlen, 45 - struct nf_conntrack_expect *exp) 46 - __read_mostly; 40 + nf_nat_amanda_hook_fn __rcu *nf_nat_amanda_hook __read_mostly; 47 41 EXPORT_SYMBOL_GPL(nf_nat_amanda_hook); 48 42 49 43 enum amanda_strings { ··· 92 98 u_int16_t len; 93 99 __be16 port; 94 100 int ret = NF_ACCEPT; 95 - typeof(nf_nat_amanda_hook) nf_nat_amanda; 101 + nf_nat_amanda_hook_fn *nf_nat_amanda; 96 102 97 103 /* Only look at packets from the Amanda server */ 98 104 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
+2 -8
net/netfilter/nf_conntrack_ftp.c
··· 43 43 static bool loose; 44 44 module_param(loose, bool, 0600); 45 45 46 - unsigned int (__rcu *nf_nat_ftp_hook)(struct sk_buff *skb, 47 - enum ip_conntrack_info ctinfo, 48 - enum nf_ct_ftp_type type, 49 - unsigned int protoff, 50 - unsigned int matchoff, 51 - unsigned int matchlen, 52 - struct nf_conntrack_expect *exp); 46 + nf_nat_ftp_hook_fn __rcu *nf_nat_ftp_hook; 53 47 EXPORT_SYMBOL_GPL(nf_nat_ftp_hook); 54 48 55 49 static int try_rfc959(const char *, size_t, struct nf_conntrack_man *, ··· 379 385 struct nf_conntrack_man cmd = {}; 380 386 unsigned int i; 381 387 int found = 0, ends_in_nl; 382 - typeof(nf_nat_ftp_hook) nf_nat_ftp; 388 + nf_nat_ftp_hook_fn *nf_nat_ftp; 383 389 384 390 /* Until there's been traffic both ways, don't look in packets. */ 385 391 if (ctinfo != IP_CT_ESTABLISHED &&
+19 -26
net/netfilter/nf_conntrack_h323_asn1.c
··· 21 21 22 22 #if H323_TRACE 23 23 #define TAB_SIZE 4 24 - #define IFTHEN(cond, act) if(cond){act;} 25 24 #ifdef __KERNEL__ 26 25 #define PRINT printk 27 26 #else ··· 28 29 #endif 29 30 #define FNAME(name) name, 30 31 #else 31 - #define IFTHEN(cond, act) 32 32 #define PRINT(fmt, args...) 33 33 #define FNAME(name) 34 34 #endif ··· 274 276 static int decode_nul(struct bitstr *bs, const struct field_t *f, 275 277 char *base, int level) 276 278 { 277 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 279 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 278 280 279 281 return H323_ERROR_NONE; 280 282 } ··· 282 284 static int decode_bool(struct bitstr *bs, const struct field_t *f, 283 285 char *base, int level) 284 286 { 285 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 287 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 286 288 287 289 INC_BIT(bs); 288 290 if (nf_h323_error_boundary(bs, 0, 0)) ··· 295 297 { 296 298 int len; 297 299 298 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 300 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 299 301 300 302 BYTE_ALIGN(bs); 301 303 if (nf_h323_error_boundary(bs, 1, 0)) ··· 314 316 { 315 317 unsigned int len; 316 318 317 - PRINT("%*.s%s", level * TAB_SIZE, " ", f->name); 319 + PRINT("%*s%s", level * TAB_SIZE, " ", f->name); 318 320 319 321 switch (f->sz) { 320 322 case BYTE: /* Range == 256 */ ··· 361 363 static int decode_enum(struct bitstr *bs, const struct field_t *f, 362 364 char *base, int level) 363 365 { 364 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 366 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 365 367 366 368 if ((f->attr & EXT) && get_bit(bs)) { 367 369 INC_BITS(bs, 7); ··· 379 381 { 380 382 unsigned int len; 381 383 382 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 384 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 383 385 384 386 BYTE_ALIGN(bs); 385 387 switch (f->sz) { ··· 415 417 { 416 418 unsigned int len; 417 419 418 - PRINT("%*.s%s\n", level * TAB_SIZE, " 
", f->name); 420 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 419 421 420 422 /* 2 <= Range <= 255 */ 421 423 if (nf_h323_error_boundary(bs, 0, f->sz)) ··· 435 437 { 436 438 unsigned int len; 437 439 438 - PRINT("%*.s%s", level * TAB_SIZE, " ", f->name); 440 + PRINT("%*s%s", level * TAB_SIZE, " ", f->name); 439 441 440 442 switch (f->sz) { 441 443 case FIXD: /* Range == 1 */ ··· 443 445 BYTE_ALIGN(bs); 444 446 if (base && (f->attr & DECODE)) { 445 447 /* The IP Address */ 446 - IFTHEN(f->lb == 4, 447 - PRINT(" = %d.%d.%d.%d:%d", 448 - bs->cur[0], bs->cur[1], 449 - bs->cur[2], bs->cur[3], 450 - bs->cur[4] * 256 + bs->cur[5])); 451 448 *((unsigned int *)(base + f->offset)) = 452 449 bs->cur - bs->buf; 453 450 } ··· 483 490 { 484 491 unsigned int len; 485 492 486 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 493 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 487 494 488 495 switch (f->sz) { 489 496 case BYTE: /* Range == 256 */ ··· 515 522 const struct field_t *son; 516 523 unsigned char *beg = NULL; 517 524 518 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 525 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 519 526 520 527 /* Decode? */ 521 528 base = (base && (f->attr & DECODE)) ? 
base + f->offset : NULL; ··· 537 544 /* Decode the root components */ 538 545 for (i = opt = 0, son = f->fields; i < f->lb; i++, son++) { 539 546 if (son->attr & STOP) { 540 - PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", 547 + PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ", 541 548 son->name); 542 549 return H323_ERROR_STOP; 543 550 } ··· 555 562 if (nf_h323_error_boundary(bs, len, 0)) 556 563 return H323_ERROR_BOUND; 557 564 if (!base || !(son->attr & DECODE)) { 558 - PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, 565 + PRINT("%*s%s\n", (level + 1) * TAB_SIZE, 559 566 " ", son->name); 560 567 bs->cur += len; 561 568 continue; ··· 608 615 } 609 616 610 617 if (son->attr & STOP) { 611 - PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", 618 + PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ", 612 619 son->name); 613 620 return H323_ERROR_STOP; 614 621 } ··· 622 629 if (nf_h323_error_boundary(bs, len, 0)) 623 630 return H323_ERROR_BOUND; 624 631 if (!base || !(son->attr & DECODE)) { 625 - PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", 632 + PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ", 626 633 son->name); 627 634 bs->cur += len; 628 635 continue; ··· 648 655 const struct field_t *son; 649 656 unsigned char *beg = NULL; 650 657 651 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 658 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 652 659 653 660 /* Decode? */ 654 661 base = (base && (f->attr & DECODE)) ? base + f->offset : NULL; ··· 703 710 if (nf_h323_error_boundary(bs, len, 0)) 704 711 return H323_ERROR_BOUND; 705 712 if (!base || !(son->attr & DECODE)) { 706 - PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, 713 + PRINT("%*s%s\n", (level + 1) * TAB_SIZE, 707 714 " ", son->name); 708 715 bs->cur += len; 709 716 continue; ··· 744 751 const struct field_t *son; 745 752 unsigned char *beg = NULL; 746 753 747 - PRINT("%*.s%s\n", level * TAB_SIZE, " ", f->name); 754 + PRINT("%*s%s\n", level * TAB_SIZE, " ", f->name); 748 755 749 756 /* Decode? 
*/ 750 757 base = (base && (f->attr & DECODE)) ? base + f->offset : NULL; ··· 785 792 /* Transfer to son level */ 786 793 son = &f->fields[type]; 787 794 if (son->attr & STOP) { 788 - PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", son->name); 795 + PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ", son->name); 789 796 return H323_ERROR_STOP; 790 797 } 791 798 ··· 797 804 if (nf_h323_error_boundary(bs, len, 0)) 798 805 return H323_ERROR_BOUND; 799 806 if (!base || !(son->attr & DECODE)) { 800 - PRINT("%*.s%s\n", (level + 1) * TAB_SIZE, " ", 807 + PRINT("%*s%s\n", (level + 1) * TAB_SIZE, " ", 801 808 son->name); 802 809 bs->cur += len; 803 810 return H323_ERROR_NONE;
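Review bot: With H323_TRACE off, `#define PRINT(fmt, args...)` still expands to nothing, so the format strings and arguments of every PRINT() call this hunk touches are only type-checked when tracing is compiled in — which is how the `%*.s` mistakes corrected here could survive for so long. Defining the no-trace variant as `#define PRINT(fmt, args...) no_printk(fmt, ##args)` keeps -Wformat coverage in every build at no runtime cost. The removal of the IFTHEN() address dump in decode_octstr is the right call given it read past the checked bounds; nothing else in this hunk changes behaviour.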
+2 -8
net/netfilter/nf_conntrack_irc.c
··· 30 30 static char *irc_buffer; 31 31 static DEFINE_SPINLOCK(irc_buffer_lock); 32 32 33 - unsigned int (__rcu *nf_nat_irc_hook)(struct sk_buff *skb, 34 - enum ip_conntrack_info ctinfo, 35 - unsigned int protoff, 36 - unsigned int matchoff, 37 - unsigned int matchlen, 38 - struct nf_conntrack_expect *exp) 39 - __read_mostly; 33 + nf_nat_irc_hook_fn __rcu *nf_nat_irc_hook __read_mostly; 40 34 EXPORT_SYMBOL_GPL(nf_nat_irc_hook); 41 35 42 36 #define HELPER_NAME "irc" ··· 116 122 __be16 port; 117 123 int i, ret = NF_ACCEPT; 118 124 char *addr_beg_p, *addr_end_p; 119 - typeof(nf_nat_irc_hook) nf_nat_irc; 125 + nf_nat_irc_hook_fn *nf_nat_irc; 120 126 unsigned int datalen; 121 127 122 128 /* If packet is coming from IRC server */
+1 -2
net/netfilter/nf_conntrack_sip.c
··· 869 869 saddr = &ct->tuplehash[!dir].tuple.src.u3; 870 870 } else if (sip_external_media) { 871 871 struct net_device *dev = skb_dst(skb)->dev; 872 - struct net *net = dev_net(dev); 873 - struct flowi fl; 874 872 struct dst_entry *dst = NULL; 873 + struct flowi fl; 875 874 876 875 memset(&fl, 0, sizeof(fl)); 877 876
+2 -5
net/netfilter/nf_conntrack_snmp.c
··· 25 25 module_param(timeout, uint, 0400); 26 26 MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds"); 27 27 28 - int (__rcu *nf_nat_snmp_hook)(struct sk_buff *skb, 29 - unsigned int protoff, 30 - struct nf_conn *ct, 31 - enum ip_conntrack_info ctinfo); 28 + nf_nat_snmp_hook_fn __rcu *nf_nat_snmp_hook; 32 29 EXPORT_SYMBOL_GPL(nf_nat_snmp_hook); 33 30 34 31 static int snmp_conntrack_help(struct sk_buff *skb, unsigned int protoff, 35 32 struct nf_conn *ct, 36 33 enum ip_conntrack_info ctinfo) 37 34 { 38 - typeof(nf_nat_snmp_hook) nf_nat_snmp; 35 + nf_nat_snmp_hook_fn *nf_nat_snmp; 39 36 40 37 nf_conntrack_broadcast_help(skb, ct, ctinfo, timeout); 41 38
+2 -5
net/netfilter/nf_conntrack_tftp.c
··· 32 32 module_param_array(ports, ushort, &ports_c, 0400); 33 33 MODULE_PARM_DESC(ports, "Port numbers of TFTP servers"); 34 34 35 - unsigned int (__rcu *nf_nat_tftp_hook)(struct sk_buff *skb, 36 - enum ip_conntrack_info ctinfo, 37 - struct nf_conntrack_expect *exp) 38 - __read_mostly; 35 + nf_nat_tftp_hook_fn __rcu *nf_nat_tftp_hook __read_mostly; 39 36 EXPORT_SYMBOL_GPL(nf_nat_tftp_hook); 40 37 41 38 static int tftp_help(struct sk_buff *skb, ··· 45 48 struct nf_conntrack_expect *exp; 46 49 struct nf_conntrack_tuple *tuple; 47 50 unsigned int ret = NF_ACCEPT; 48 - typeof(nf_nat_tftp_hook) nf_nat_tftp; 51 + nf_nat_tftp_hook_fn *nf_nat_tftp; 49 52 50 53 tfh = skb_header_pointer(skb, protoff + sizeof(struct udphdr), 51 54 sizeof(_tftph), &_tftph);
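--- a/net/netfilter/nf_dup_netdev.c
+++ b/net/netfilter/nf_dup_netdev.c
@@ -95,7 +95,10 @@
 	if (!dev)
 		return -EOPNOTSUPP;
 
-	entry = &flow->rule->action.entries[ctx->num_actions++];
+	entry = nft_flow_action_entry_next(ctx, flow);
+	if (!entry)
+		return -E2BIG;
+
 	entry->id = id;
 	entry->dev = dev;
 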
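Review bot: The new `return -E2BIG;` sits after `dev` has already been obtained but before `entry->dev = dev;` hands it to the flow rule; if the lookup above the hunk takes a reference (for instance via dev_get_by_index()), that reference is leaked on this path because the entry that would own it is never filled. Either put the device on the error path or move the nft_flow_action_entry_next() call ahead of the device lookup so nothing is acquired when the action array is full. How `dev` is obtained is outside this hunk, so please confirm against those lines. The same pattern in nft_immediate.c holds no device and is fine as is.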
+15 -5
net/netfilter/nf_tables_api.c
··· 1112 1112 static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { 1113 1113 [NFTA_TABLE_NAME] = { .type = NLA_STRING, 1114 1114 .len = NFT_TABLE_MAXNAMELEN - 1 }, 1115 - [NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, 1115 + [NFTA_TABLE_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_TABLE_F_MASK), 1116 1116 [NFTA_TABLE_HANDLE] = { .type = NLA_U64 }, 1117 1117 [NFTA_TABLE_USERDATA] = { .type = NLA_BINARY, 1118 1118 .len = NFT_USERDATA_MAXLEN } ··· 1878 1878 [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, 1879 1879 .len = NFT_MODULE_AUTOLOAD_LIMIT }, 1880 1880 [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, 1881 - [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, 1881 + [NFTA_CHAIN_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_CHAIN_FLAGS), 1882 1882 [NFTA_CHAIN_ID] = { .type = NLA_U32 }, 1883 1883 [NFTA_CHAIN_USERDATA] = { .type = NLA_BINARY, 1884 1884 .len = NFT_USERDATA_MAXLEN }, ··· 4597 4597 .len = NFT_TABLE_MAXNAMELEN - 1 }, 4598 4598 [NFTA_SET_NAME] = { .type = NLA_STRING, 4599 4599 .len = NFT_SET_MAXNAMELEN - 1 }, 4600 - [NFTA_SET_FLAGS] = { .type = NLA_U32 }, 4600 + [NFTA_SET_FLAGS] = NLA_POLICY_MASK(NLA_BE32, 4601 + NFT_SET_ANONYMOUS | 4602 + NFT_SET_CONSTANT | 4603 + NFT_SET_INTERVAL | 4604 + NFT_SET_MAP | 4605 + NFT_SET_TIMEOUT | 4606 + NFT_SET_EVAL | 4607 + NFT_SET_OBJECT | 4608 + NFT_SET_CONCAT | 4609 + NFT_SET_EXPR), 4601 4610 [NFTA_SET_KEY_TYPE] = { .type = NLA_U32 }, 4602 4611 [NFTA_SET_KEY_LEN] = { .type = NLA_U32 }, 4603 4612 [NFTA_SET_DATA_TYPE] = { .type = NLA_U32 }, ··· 5938 5929 static const struct nla_policy nft_set_elem_policy[NFTA_SET_ELEM_MAX + 1] = { 5939 5930 [NFTA_SET_ELEM_KEY] = { .type = NLA_NESTED }, 5940 5931 [NFTA_SET_ELEM_DATA] = { .type = NLA_NESTED }, 5941 - [NFTA_SET_ELEM_FLAGS] = { .type = NLA_U32 }, 5932 + [NFTA_SET_ELEM_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_SET_ELEM_INTERVAL_END | 5933 + NFT_SET_ELEM_CATCHALL), 5942 5934 [NFTA_SET_ELEM_TIMEOUT] = { .type = NLA_U64 }, 5943 5935 [NFTA_SET_ELEM_EXPIRATION] = { .type = NLA_U64 }, 5944 5936 
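Review bot: The NFTA_SET_FLAGS policy spells out nine NFT_SET_* flags inline, whereas the other entries in the same change use a named mask (NFT_TABLE_F_MASK, NFT_CHAIN_FLAGS, NFT_FLOWTABLE_MASK); when the next set flag is added, this list and the set-creation code can silently drift and the new flag is rejected at the policy layer. Consider defining one mask next to the flag definitions and using it here, `[NFTA_SET_FLAGS] = NLA_POLICY_MASK(NLA_BE32, <named set-flags mask>),`, and likewise for the two-flag NFTA_SET_ELEM_FLAGS entry. As the commit message itself notes, bits that were previously ignored are now refused with an error from nla_parse, so these policy lines are where a relaxation would go if existing userspace turns out to set unknown bits.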
[NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, ··· 8659 8649 .len = NFT_NAME_MAXLEN - 1 }, 8660 8650 [NFTA_FLOWTABLE_HOOK] = { .type = NLA_NESTED }, 8661 8651 [NFTA_FLOWTABLE_HANDLE] = { .type = NLA_U64 }, 8662 - [NFTA_FLOWTABLE_FLAGS] = { .type = NLA_U32 }, 8652 + [NFTA_FLOWTABLE_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_FLOWTABLE_MASK), 8663 8653 }; 8664 8654 8665 8655 struct nft_flowtable *nft_flowtable_lookup(const struct net *net,
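--- a/net/netfilter/nf_tables_core.c
+++ b/net/netfilter/nf_tables_core.c
@@ -151,7 +151,7 @@
 	unsigned char *ptr;
 
 	if (priv->base == NFT_PAYLOAD_NETWORK_HEADER)
-		ptr = skb_network_header(skb);
+		ptr = skb_network_header(skb) + pkt->nhoff;
 	else {
 		if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
 			return false;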
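Review bot: `ptr = skb_network_header(skb) + pkt->nhoff;` moves the fast-path payload base past the encapsulation, but the bounds check that follows (outside this hunk) has to be relative to the same base: if it compares `priv->offset + priv->len` against a length measured from the network header without nhoff, a read can run past the packet tail; if it checks against skb_tail_pointer() the added offset is already covered. I cannot see which form it takes from here. A short comment on the new line, e.g. `/* nhoff is non-zero only for vlan/pppoe-encapsulated IP, see nft_meta_pktinfo_may_update() */`, would tell the reader why the network header is no longer the base.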
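--- a/net/netfilter/nft_bitwise.c
+++ b/net/netfilter/nft_bitwise.c
@@ -125,9 +125,9 @@
 }
 
 static const struct nla_policy nft_bitwise_policy[NFTA_BITWISE_MAX + 1] = {
-	[NFTA_BITWISE_SREG] = { .type = NLA_U32 },
-	[NFTA_BITWISE_SREG2] = { .type = NLA_U32 },
-	[NFTA_BITWISE_DREG] = { .type = NLA_U32 },
+	[NFTA_BITWISE_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
+	[NFTA_BITWISE_SREG2] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
+	[NFTA_BITWISE_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_BITWISE_LEN] = { .type = NLA_U32 },
 	[NFTA_BITWISE_MASK] = { .type = NLA_NESTED },
 	[NFTA_BITWISE_XOR] = { .type = NLA_NESTED },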
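--- a/net/netfilter/nft_byteorder.c
+++ b/net/netfilter/nft_byteorder.c
@@ -87,8 +87,8 @@
 }
 
 static const struct nla_policy nft_byteorder_policy[NFTA_BYTEORDER_MAX + 1] = {
-	[NFTA_BYTEORDER_SREG] = { .type = NLA_U32 },
-	[NFTA_BYTEORDER_DREG] = { .type = NLA_U32 },
+	[NFTA_BYTEORDER_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
+	[NFTA_BYTEORDER_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_BYTEORDER_OP] = NLA_POLICY_MAX(NLA_BE32, 255),
 	[NFTA_BYTEORDER_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
 	[NFTA_BYTEORDER_SIZE] = NLA_POLICY_MAX(NLA_BE32, 255),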
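--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -64,7 +64,7 @@
 }
 
 static const struct nla_policy nft_cmp_policy[NFTA_CMP_MAX + 1] = {
-	[NFTA_CMP_SREG] = { .type = NLA_U32 },
+	[NFTA_CMP_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_CMP_OP] = { .type = NLA_U32 },
 	[NFTA_CMP_DATA] = { .type = NLA_NESTED },
 };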
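--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -195,7 +195,7 @@
 
 static const struct nla_policy nft_rule_compat_policy[NFTA_RULE_COMPAT_MAX + 1] = {
 	[NFTA_RULE_COMPAT_PROTO] = { .type = NLA_U32 },
-	[NFTA_RULE_COMPAT_FLAGS] = { .type = NLA_U32 },
+	[NFTA_RULE_COMPAT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_RULE_COMPAT_F_MASK),
 };
 
 static int nft_parse_compat(const struct nlattr *attr, u16 *proto, bool *inv)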
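--- a/net/netfilter/nft_connlimit.c
+++ b/net/netfilter/nft_connlimit.c
@@ -159,7 +159,7 @@
 
 static const struct nla_policy nft_connlimit_policy[NFTA_CONNLIMIT_MAX + 1] = {
 	[NFTA_CONNLIMIT_COUNT] = { .type = NLA_U32 },
-	[NFTA_CONNLIMIT_FLAGS] = { .type = NLA_U32 },
+	[NFTA_CONNLIMIT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_CONNLIMIT_F_INV),
 };
 
 static struct nft_object_type nft_connlimit_obj_type;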
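--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -336,10 +336,10 @@
 }
 
 static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
-	[NFTA_CT_DREG] = { .type = NLA_U32 },
+	[NFTA_CT_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_CT_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
-	[NFTA_CT_DIRECTION] = { .type = NLA_U8 },
-	[NFTA_CT_SREG] = { .type = NLA_U32 },
+	[NFTA_CT_DIRECTION] = NLA_POLICY_MAX(NLA_U8, IP_CT_DIR_REPLY),
+	[NFTA_CT_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 };
 
 #ifdef CONFIG_NF_CONNTRACK_ZONES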
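--- a/net/netfilter/nft_dynset.c
+++ b/net/netfilter/nft_dynset.c
@@ -163,7 +163,8 @@
 	[NFTA_DYNSET_SREG_DATA] = { .type = NLA_U32 },
 	[NFTA_DYNSET_TIMEOUT] = { .type = NLA_U64 },
 	[NFTA_DYNSET_EXPR] = { .type = NLA_NESTED },
-	[NFTA_DYNSET_FLAGS] = { .type = NLA_U32 },
+	[NFTA_DYNSET_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_DYNSET_F_INV |
+					      NFT_DYNSET_F_EXPR),
 	[NFTA_DYNSET_EXPRESSIONS] = { .type = NLA_NESTED },
 };
 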
+6 -3
net/netfilter/nft_exthdr.c
··· 486 486 #endif 487 487 488 488 static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = { 489 - [NFTA_EXTHDR_DREG] = { .type = NLA_U32 }, 489 + [NFTA_EXTHDR_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX), 490 490 [NFTA_EXTHDR_TYPE] = { .type = NLA_U8 }, 491 491 [NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 }, 492 492 [NFTA_EXTHDR_LEN] = NLA_POLICY_MAX(NLA_BE32, 255), 493 - [NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 }, 493 + [NFTA_EXTHDR_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_EXTHDR_F_PRESENT), 494 494 [NFTA_EXTHDR_OP] = NLA_POLICY_MAX(NLA_BE32, 255), 495 - [NFTA_EXTHDR_SREG] = { .type = NLA_U32 }, 495 + [NFTA_EXTHDR_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX), 496 496 }; 497 497 498 498 static int nft_exthdr_init(const struct nft_ctx *ctx, ··· 796 796 break; 797 797 #ifdef CONFIG_NFT_EXTHDR_DCCP 798 798 case NFT_EXTHDR_OP_DCCP: 799 + pr_warn_once("The dccp option matching is deprecated and scheduled to be removed in 2027.\n" 800 + "Please contact the netfilter-devel mailing list or update your nftables rules.\n"); 801 + 799 802 if (tb[NFTA_EXTHDR_DREG]) 800 803 return &nft_exthdr_dccp_ops; 801 804 break;
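--- a/net/netfilter/nft_fib.c
+++ b/net/netfilter/nft_fib.c
@@ -19,7 +19,7 @@
 	NFTA_FIB_F_PRESENT)
 
 const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = {
-	[NFTA_FIB_DREG] = { .type = NLA_U32 },
+	[NFTA_FIB_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_FIB_RESULT] = { .type = NLA_U32 },
 	[NFTA_FIB_FLAGS] =
 		NLA_POLICY_MASK(NLA_BE32, NFTA_FIB_F_ALL),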
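--- a/net/netfilter/nft_hash.c
+++ b/net/netfilter/nft_hash.c
@@ -58,8 +58,8 @@
 }
 
 static const struct nla_policy nft_hash_policy[NFTA_HASH_MAX + 1] = {
-	[NFTA_HASH_SREG] = { .type = NLA_U32 },
-	[NFTA_HASH_DREG] = { .type = NLA_U32 },
+	[NFTA_HASH_SREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
+	[NFTA_HASH_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_HASH_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
 	[NFTA_HASH_MODULUS] = { .type = NLA_U32 },
 	[NFTA_HASH_SEED] = { .type = NLA_U32 },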
+4 -2
net/netfilter/nft_immediate.c
··· 25 25 } 26 26 27 27 static const struct nla_policy nft_immediate_policy[NFTA_IMMEDIATE_MAX + 1] = { 28 - [NFTA_IMMEDIATE_DREG] = { .type = NLA_U32 }, 28 + [NFTA_IMMEDIATE_DREG] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX), 29 29 [NFTA_IMMEDIATE_DATA] = { .type = NLA_NESTED }, 30 30 }; 31 31 ··· 279 279 struct flow_action_entry *entry; 280 280 const struct nft_data *data; 281 281 282 - entry = &flow->rule->action.entries[ctx->num_actions++]; 282 + entry = nft_flow_action_entry_next(ctx, flow); 283 + if (!entry) 284 + return -E2BIG; 283 285 284 286 data = &priv->data; 285 287 switch (data->verdict.code) {
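--- a/net/netfilter/nft_inner.c
+++ b/net/netfilter/nft_inner.c
@@ -321,7 +321,7 @@
 
 static const struct nla_policy nft_inner_policy[NFTA_INNER_MAX + 1] = {
 	[NFTA_INNER_NUM] = { .type = NLA_U32 },
-	[NFTA_INNER_FLAGS] = { .type = NLA_U32 },
+	[NFTA_INNER_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_INNER_MASK),
 	[NFTA_INNER_HDRSIZE] = { .type = NLA_U32 },
 	[NFTA_INNER_TYPE] = { .type = NLA_U32 },
 	[NFTA_INNER_EXPR] = { .type = NLA_NESTED },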
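--- a/net/netfilter/nft_limit.c
+++ b/net/netfilter/nft_limit.c
@@ -189,7 +189,7 @@
 	[NFTA_LIMIT_UNIT] = { .type = NLA_U64 },
 	[NFTA_LIMIT_BURST] = { .type = NLA_U32 },
 	[NFTA_LIMIT_TYPE] = { .type = NLA_U32 },
-	[NFTA_LIMIT_FLAGS] = { .type = NLA_U32 },
+	[NFTA_LIMIT_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NFT_LIMIT_F_INV),
 };
 
 static int nft_limit_pkts_init(const struct nft_ctx *ctx,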
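--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -69,7 +69,7 @@
 	[NFTA_LOG_SNAPLEN] = { .type = NLA_U32 },
 	[NFTA_LOG_QTHRESHOLD] = { .type = NLA_U16 },
 	[NFTA_LOG_LEVEL] = { .type = NLA_U32 },
-	[NFTA_LOG_FLAGS] = { .type = NLA_U32 },
+	[NFTA_LOG_FLAGS] = NLA_POLICY_MASK(NLA_BE32, NF_LOG_MASK),
 };
 
 static int nft_log_modprobe(struct net *net, enum nf_log_type t)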
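--- a/net/netfilter/nft_lookup.c
+++ b/net/netfilter/nft_lookup.c
@@ -125,8 +125,8 @@
 	[NFTA_LOOKUP_SET]	= { .type = NLA_STRING,
 				    .len = NFT_SET_MAXNAMELEN - 1 },
 	[NFTA_LOOKUP_SET_ID]	= { .type = NLA_U32 },
-	[NFTA_LOOKUP_SREG]	= { .type = NLA_U32 },
-	[NFTA_LOOKUP_DREG]	= { .type = NLA_U32 },
+	[NFTA_LOOKUP_SREG]	= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
+	[NFTA_LOOKUP_DREG]	= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_LOOKUP_FLAGS]	=
 		NLA_POLICY_MASK(NLA_BE32, NFT_LOOKUP_F_INV),
 };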
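--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -23,6 +23,8 @@
 #include <net/tcp_states.h> /* for TCP_TIME_WAIT */
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_core.h>
+#include <net/netfilter/nf_tables_ipv4.h>
+#include <net/netfilter/nf_tables_ipv6.h>
 #include <net/netfilter/nft_meta.h>
 #include <net/netfilter/nf_tables_offload.h>
 
@@ -311,6 +309,54 @@
 	nft_meta_store_ifname(dest, dev);
 }
 
+static void nft_meta_pktinfo_may_update(struct nft_pktinfo *pkt)
+{
+	struct sk_buff *skb = pkt->skb;
+	struct vlan_ethhdr *veth;
+	__be16 ethertype;
+	int nhoff;
+
+	/* Is this an IP packet? Then, skip. */
+	if (pkt->flags)
+		return;
+
+	/* ... else maybe an IP packet over PPPoE or Q-in-Q? */
+	switch (skb->protocol) {
+	case htons(ETH_P_8021Q):
+		if (!pskb_may_pull(skb, skb_mac_offset(skb) + sizeof(*veth)))
+			return;
+
+		veth = (struct vlan_ethhdr *)skb_mac_header(skb);
+		nhoff = VLAN_HLEN;
+		ethertype = veth->h_vlan_encapsulated_proto;
+		break;
+	case htons(ETH_P_PPP_SES):
+		if (!nf_flow_pppoe_proto(skb, &ethertype))
+			return;
+
+		nhoff = PPPOE_SES_HLEN;
+		break;
+	default:
+		return;
+	}
+
+	nhoff += skb_network_offset(skb);
+	switch (ethertype) {
+	case htons(ETH_P_IP):
+		if (__nft_set_pktinfo_ipv4_validate(pkt, nhoff))
+			nft_set_pktinfo_unspec(pkt);
+		break;
+	case htons(ETH_P_IPV6):
+		if (__nft_set_pktinfo_ipv6_validate(pkt, nhoff))
+			nft_set_pktinfo_unspec(pkt);
+		break;
+	default:
+		break;
+	}
+
+	pkt->ethertype = ethertype;
+}
+
 void nft_meta_get_eval(const struct nft_expr *expr,
 		       struct nft_regs *regs,
 		       const struct nft_pktinfo *pkt)
@@ -372,12 +322,14 @@
 		*dest = skb->len;
 		break;
 	case NFT_META_PROTOCOL:
-		nft_reg_store16(dest, (__force u16)skb->protocol);
+		nft_meta_pktinfo_may_update((struct nft_pktinfo *)pkt);
+
+		nft_reg_store16(dest, (__force u16)pkt->ethertype);
 		break;
 	case NFT_META_NFPROTO:
 		nft_reg_store8(dest, nft_pf(pkt));
 		break;
 	case NFT_META_L4PROTO:
+		nft_meta_pktinfo_may_update((struct nft_pktinfo *)pkt);
 		if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
 			goto err;
 		nft_reg_store8(dest, pkt->tprot);
@@ -512,9 +460,9 @@
 EXPORT_SYMBOL_GPL(nft_meta_set_eval);
 
 const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
-	[NFTA_META_DREG]	= { .type = NLA_U32 },
+	[NFTA_META_DREG]	= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_META_KEY]		= NLA_POLICY_MAX(NLA_BE32, 255),
-	[NFTA_META_SREG]	= { .type = NLA_U32 },
+	[NFTA_META_SREG]	= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 };
 EXPORT_SYMBOL_GPL(nft_meta_policy);
 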
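Review bot: Both new call sites in nft_meta_get_eval() cast away the const of the `pkt` parameter (`nft_meta_pktinfo_may_update((struct nft_pktinfo *)pkt)`) so the helper can rewrite flags, nhoff and ethertype on the pktinfo that every later expression in the rule observes; that appears intentional, since nft_payload now adds pkt->nhoff, but the helper carries no comment saying so. I would add above its definition `/* Rewrites the shared pktinfo in place (flags/nhoff/ethertype); later expressions such as payload depend on it. */`. In the ETH_P_8021Q branch the inner tag is read through skb_mac_header() after a pskb_may_pull() whose length is derived from skb_mac_offset(); whether every hook this evaluates in guarantees a set mac header, and whether an inner ETH_P_8021AD ethertype needs the same treatment, is not visible from the hunk. pkt->ethertype is also stored when __nft_set_pktinfo_ipv4_validate()/ipv6 fail and the pktinfo is reset to unspec, which looks deliberate (the protocol match still reports the inner ethertype) and would benefit from a one-line comment at the assignment.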
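--- a/net/netfilter/nft_numgen.c
+++ b/net/netfilter/nft_numgen.c
@@ -43,7 +43,7 @@
 }
 
 static const struct nla_policy nft_ng_policy[NFTA_NG_MAX + 1] = {
-	[NFTA_NG_DREG]		= { .type = NLA_U32 },
+	[NFTA_NG_DREG]		= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_NG_MODULUS]	= { .type = NLA_U32 },
 	[NFTA_NG_TYPE]		= { .type = NLA_U32 },
 	[NFTA_NG_OFFSET]	= { .type = NLA_U32 },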
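--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -265,7 +265,7 @@
 	[NFTA_OBJREF_IMM_NAME]	= { .type = NLA_STRING,
 				    .len = NFT_OBJ_MAXNAMELEN - 1 },
 	[NFTA_OBJREF_IMM_TYPE]	= { .type = NLA_U32 },
-	[NFTA_OBJREF_SET_SREG]	= { .type = NLA_U32 },
+	[NFTA_OBJREF_SET_SREG]	= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_OBJREF_SET_NAME]	= { .type = NLA_STRING,
 				    .len = NFT_SET_MAXNAMELEN - 1 },
 	[NFTA_OBJREF_SET_ID]	= { .type = NLA_U32 },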
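--- a/net/netfilter/nft_osf.c
+++ b/net/netfilter/nft_osf.c
@@ -12,9 +12,9 @@
 };
 
 static const struct nla_policy nft_osf_policy[NFTA_OSF_MAX + 1] = {
-	[NFTA_OSF_DREG]		= { .type = NLA_U32 },
+	[NFTA_OSF_DREG]		= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_OSF_TTL]		= { .type = NLA_U8 },
-	[NFTA_OSF_FLAGS]	= { .type = NLA_U32 },
+	[NFTA_OSF_FLAGS]	= NLA_POLICY_MASK(NLA_BE32, NFT_OSF_F_VERSION),
 };
 
 static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,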
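--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -183,7 +183,7 @@
 		offset = skb_mac_header(skb) - skb->data;
 		break;
 	case NFT_PAYLOAD_NETWORK_HEADER:
-		offset = skb_network_offset(skb);
+		offset = skb_network_offset(skb) + pkt->nhoff;
 		break;
 	case NFT_PAYLOAD_TRANSPORT_HEADER:
 		if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)
@@ -209,14 +209,14 @@
 }
 
 static const struct nla_policy nft_payload_policy[NFTA_PAYLOAD_MAX + 1] = {
-	[NFTA_PAYLOAD_SREG]		= { .type = NLA_U32 },
-	[NFTA_PAYLOAD_DREG]		= { .type = NLA_U32 },
+	[NFTA_PAYLOAD_SREG]		= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
+	[NFTA_PAYLOAD_DREG]		= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_PAYLOAD_BASE]		= { .type = NLA_U32 },
 	[NFTA_PAYLOAD_OFFSET]		= { .type = NLA_BE32 },
 	[NFTA_PAYLOAD_LEN]		= NLA_POLICY_MAX(NLA_BE32, 255),
 	[NFTA_PAYLOAD_CSUM_TYPE]	= { .type = NLA_U32 },
 	[NFTA_PAYLOAD_CSUM_OFFSET]	= NLA_POLICY_MAX(NLA_BE32, 255),
-	[NFTA_PAYLOAD_CSUM_FLAGS]	= { .type = NLA_U32 },
+	[NFTA_PAYLOAD_CSUM_FLAGS]	= NLA_POLICY_MASK(NLA_BE32, NFT_PAYLOAD_L4CSUM_PSEUDOHDR),
 };
 
 static int nft_payload_init(const struct nft_ctx *ctx,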
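Review bot: NFT_PAYLOAD_NETWORK_HEADER now adds pkt->nhoff to skb_network_offset(), so every payload match on the plain (non-encapsulated) path relies on nhoff being zero whenever the pktinfo is initialised; that initialisation is outside this diff and worth confirming, because a stale or uninitialised nhoff would silently shift the match window. A short comment at the changed line would make the dependency visible: `/* nhoff is non-zero only for IP carried over a VLAN tag or PPPoE, see nft_meta */`. The enclosing function's signature is outside the hunk.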
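--- a/net/netfilter/nft_queue.c
+++ b/net/netfilter/nft_queue.c
@@ -95,7 +95,7 @@
 static const struct nla_policy nft_queue_policy[NFTA_QUEUE_MAX + 1] = {
 	[NFTA_QUEUE_NUM]	= { .type = NLA_U16 },
 	[NFTA_QUEUE_TOTAL]	= { .type = NLA_U16 },
-	[NFTA_QUEUE_FLAGS]	= { .type = NLA_U16 },
+	[NFTA_QUEUE_FLAGS]	= NLA_POLICY_MASK(NLA_BE16, NFT_QUEUE_FLAG_MASK),
 	[NFTA_QUEUE_SREG_QNUM]	= { .type = NLA_U32 },
 };
 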
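Review bot: NFTA_QUEUE_SREG_QNUM keeps `{ .type = NLA_U32 }` although every other register attribute touched by this series (NFTA_LOOKUP_SREG/DREG, NFTA_PAYLOAD_SREG/DREG, NFTA_META_SREG, NFTA_OBJREF_SET_SREG, …) is now capped with `NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX)`. Unless the register is range-checked elsewhere before use, `[NFTA_QUEUE_SREG_QNUM] = NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),` would keep the policy in line with the rest and reject an out-of-range register at the netlink layer rather than later.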
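--- a/net/netfilter/nft_quota.c
+++ b/net/netfilter/nft_quota.c
@@ -46,7 +46,7 @@
 
 static const struct nla_policy nft_quota_policy[NFTA_QUOTA_MAX + 1] = {
 	[NFTA_QUOTA_BYTES]	= { .type = NLA_U64 },
-	[NFTA_QUOTA_FLAGS]	= { .type = NLA_U32 },
+	[NFTA_QUOTA_FLAGS]	= NLA_POLICY_MASK(NLA_BE32, NFT_QUOTA_F_INV),
 	[NFTA_QUOTA_CONSUMED]	= { .type = NLA_U64 },
 };
 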
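--- a/net/netfilter/nft_range.c
+++ b/net/netfilter/nft_range.c
@@ -41,7 +41,7 @@
 }
 
 static const struct nla_policy nft_range_policy[NFTA_RANGE_MAX + 1] = {
-	[NFTA_RANGE_SREG]		= { .type = NLA_U32 },
+	[NFTA_RANGE_SREG]		= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_RANGE_OP]			= NLA_POLICY_MAX(NLA_BE32, 255),
 	[NFTA_RANGE_FROM_DATA]		= { .type = NLA_NESTED },
 	[NFTA_RANGE_TO_DATA]		= { .type = NLA_NESTED },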
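--- a/net/netfilter/nft_rt.c
+++ b/net/netfilter/nft_rt.c
@@ -103,7 +103,7 @@
 }
 
 static const struct nla_policy nft_rt_policy[NFTA_RT_MAX + 1] = {
-	[NFTA_RT_DREG]		= { .type = NLA_U32 },
+	[NFTA_RT_DREG]		= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_RT_KEY]		= NLA_POLICY_MAX(NLA_BE32, 255),
 };
 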
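--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -452,8 +452,6 @@
 		pipapo_and_field_buckets_4bit(f, res_map, data);
 	NFT_PIPAPO_GROUP_BITS_ARE_8_OR_4;
 
-	data += f->groups / NFT_PIPAPO_GROUPS_PER_BYTE(f);
-
 	/* Now populate the bitmap for the next field, unless this is
 	 * the last field, in which case return the matched 'ext'
 	 * pointer if any.
@@ -496,7 +498,7 @@
 		map_index = !map_index;
 		swap(res_map, fill_map);
 
-		data += NFT_PIPAPO_GROUPS_PADDING(f);
+		data += NFT_PIPAPO_GROUPS_PADDED_SIZE(f);
 	}
 
 	__local_unlock_nested_bh(&scratch->bh_lock);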
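--- a/net/netfilter/nft_set_pipapo.h
+++ b/net/netfilter/nft_set_pipapo.h
@@ -42,9 +42,6 @@
 /* Fields are padded to 32 bits in input registers */
 #define NFT_PIPAPO_GROUPS_PADDED_SIZE(f) \
 	(round_up((f)->groups / NFT_PIPAPO_GROUPS_PER_BYTE(f), sizeof(u32)))
-#define NFT_PIPAPO_GROUPS_PADDING(f) \
-	(NFT_PIPAPO_GROUPS_PADDED_SIZE(f) - (f)->groups / \
-	 NFT_PIPAPO_GROUPS_PER_BYTE(f))
 
 /* Number of buckets given by 2 ^ n, with n bucket bits */
 #define NFT_PIPAPO_BUCKETS(bb) (1 << (bb))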
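--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1041,7 +1041,6 @@
  * @map: Previous match result, used as initial bitmap
  * @fill: Destination bitmap to be filled with current match result
  * @f: Field, containing lookup and mapping tables
- * @offset: Ignore buckets before the given index, no bits are filled there
  * @pkt: Packet data, pointer to input nftables register
  * @first: If this is the first field, don't source previous result
  * @last: Last field: stop at the first match and return bit index
@@ -1055,32 +1056,19 @@
 static int nft_pipapo_avx2_lookup_slow(const struct nft_pipapo_match *mdata,
 				       unsigned long *map, unsigned long *fill,
 				       const struct nft_pipapo_field *f,
-				       int offset, const u8 *pkt,
+				       const u8 *pkt,
 				       bool first, bool last)
 {
-	unsigned long bsize = f->bsize;
-	int i, ret = -1, b;
-
 	if (first)
 		pipapo_resmap_init(mdata, map);
 
-	for (i = offset; i < bsize; i++) {
-		if (f->bb == 8)
-			pipapo_and_field_buckets_8bit(f, map, pkt);
-		else
-			pipapo_and_field_buckets_4bit(f, map, pkt);
-		NFT_PIPAPO_GROUP_BITS_ARE_8_OR_4;
+	if (f->bb == 8)
+		pipapo_and_field_buckets_8bit(f, map, pkt);
+	else
+		pipapo_and_field_buckets_4bit(f, map, pkt);
+	NFT_PIPAPO_GROUP_BITS_ARE_8_OR_4;
 
-		b = pipapo_refill(map, bsize, f->rules, fill, f->mt, last);
-
-		if (last)
-			return b;
-
-		if (ret == -1)
-			ret = b / XSAVE_YMM_SIZE;
-	}
-
-	return ret;
+	return pipapo_refill(map, f->bsize, f->rules, fill, f->mt, last);
 }
 
 /**
@@ -1187,7 +1201,7 @@
 				NFT_SET_PIPAPO_AVX2_LOOKUP(8, 16);
 			} else {
 				ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f,
-								  ret, data,
+								  data,
 								  first, last);
 			}
 		} else {
@@ -1203,7 +1217,7 @@
 				NFT_SET_PIPAPO_AVX2_LOOKUP(4, 32);
 			} else {
 				ret = nft_pipapo_avx2_lookup_slow(m, res, fill, f,
-								  ret, data,
+								  data,
 								  first, last);
 			}
 		}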
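Review bot: nft_pipapo_avx2_lookup_slow() now returns pipapo_refill()'s value directly for every field, whereas the removed loop returned `b / XSAVE_YMM_SIZE` for non-last fields, and both callers still store that value in `ret`; whether anything downstream interprets `ret` as a bucket index rather than just testing its sign is not visible in these hunks and is worth a check. The kernel-doc block above the function loses its @offset line, but its Return: description (outside the hunk) may still describe the old offset-style value and should be updated with it. The simplification itself is consistent with the non-AVX2 lookup in nft_set_pipapo.c, which also processes each field once.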
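--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -163,7 +163,7 @@
 
 static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
 	[NFTA_SOCKET_KEY]		= NLA_POLICY_MAX(NLA_BE32, 255),
-	[NFTA_SOCKET_DREG]		= { .type = NLA_U32 },
+	[NFTA_SOCKET_DREG]		= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 	[NFTA_SOCKET_LEVEL]		= NLA_POLICY_MAX(NLA_BE32, 255),
 };
 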
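--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -17,8 +17,8 @@
 
 static const struct nla_policy nft_synproxy_policy[NFTA_SYNPROXY_MAX + 1] = {
 	[NFTA_SYNPROXY_MSS]		= { .type = NLA_U16 },
-	[NFTA_SYNPROXY_WSCALE]		= { .type = NLA_U8 },
-	[NFTA_SYNPROXY_FLAGS]		= { .type = NLA_U32 },
+	[NFTA_SYNPROXY_WSCALE]		= NLA_POLICY_MAX(NLA_U8, TCP_MAX_WSCALE),
+	[NFTA_SYNPROXY_FLAGS]		= NLA_POLICY_MASK(NLA_BE32, NF_SYNPROXY_OPT_MASK),
 };
 
 static void nft_synproxy_tcp_options(struct synproxy_options *opts,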
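--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -67,8 +67,8 @@
 
 static const struct nla_policy nft_tunnel_policy[NFTA_TUNNEL_MAX + 1] = {
 	[NFTA_TUNNEL_KEY]	= NLA_POLICY_MAX(NLA_BE32, 255),
-	[NFTA_TUNNEL_DREG]	= { .type = NLA_U32 },
-	[NFTA_TUNNEL_MODE]	= NLA_POLICY_MAX(NLA_BE32, 255),
+	[NFTA_TUNNEL_DREG]	= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
+	[NFTA_TUNNEL_MODE]	= NLA_POLICY_MAX(NLA_BE32, NFT_TUNNEL_MODE_MAX),
 };
 
 static int nft_tunnel_get_init(const struct nft_ctx *ctx,
@@ -408,7 +408,7 @@
 	[NFTA_TUNNEL_KEY_IP]	= { .type = NLA_NESTED, },
 	[NFTA_TUNNEL_KEY_IP6]	= { .type = NLA_NESTED, },
 	[NFTA_TUNNEL_KEY_ID]	= { .type = NLA_U32, },
-	[NFTA_TUNNEL_KEY_FLAGS]	= { .type = NLA_U32, },
+	[NFTA_TUNNEL_KEY_FLAGS]	= NLA_POLICY_MASK(NLA_BE32, NFT_TUNNEL_F_MASK),
 	[NFTA_TUNNEL_KEY_TOS]	= { .type = NLA_U8, },
 	[NFTA_TUNNEL_KEY_TTL]	= { .type = NLA_U8, },
 	[NFTA_TUNNEL_KEY_SPORT]	= { .type = NLA_U16, },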
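--- a/net/netfilter/nft_xfrm.c
+++ b/net/netfilter/nft_xfrm.c
@@ -17,9 +17,9 @@
 
 static const struct nla_policy nft_xfrm_policy[NFTA_XFRM_MAX + 1] = {
 	[NFTA_XFRM_KEY]		= NLA_POLICY_MAX(NLA_BE32, 255),
-	[NFTA_XFRM_DIR]		= { .type = NLA_U8 },
-	[NFTA_XFRM_SPNUM]	= NLA_POLICY_MAX(NLA_BE32, 255),
-	[NFTA_XFRM_DREG]	= { .type = NLA_U32 },
+	[NFTA_XFRM_DIR]		= NLA_POLICY_MAX(NLA_U8, XFRM_POLICY_OUT),
+	[NFTA_XFRM_SPNUM]	= NLA_POLICY_MAX(NLA_BE32, XFRM_MAX_DEPTH - 1),
+	[NFTA_XFRM_DREG]	= NLA_POLICY_MAX(NLA_BE32, NFT_REG32_MAX),
 };
 
 struct nft_xfrm {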
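Review bot: Capping NFTA_XFRM_DIR at XFRM_POLICY_OUT encodes the assumption that only inbound and outbound policies are matchable and now rejects XFRM_POLICY_FWD at the netlink layer; whether the expression's init function (outside the hunk) ever accepted the forward direction is not visible here, so it is worth confirming that no existing ruleset loses a previously accepted value. A comment on that entry would record the reason for the limit, e.g. `/* only XFRM_POLICY_IN/OUT are matchable by this expression */`, and the same applies to the `XFRM_MAX_DEPTH - 1` bound on NFTA_XFRM_SPNUM, which silently ties the policy to the xfrm stack depth.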
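--- a/net/netfilter/xt_dccp.c
+++ b/net/netfilter/xt_dccp.c
@@ -159,6 +159,9 @@
 {
 	int ret;
 
+	pr_warn_once("The DCCP match is deprecated and scheduled to be removed in 2027.\n"
+		     "Please contact the netfilter-devel mailing list or update your iptables rules\n");
+
 	/* doff is 8 bits, so the maximum option size is (4*256). Don't put
 	 * this in BSS since DaveM is worried about locked TLB's for kernel
 	 * BSS. */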