wireguard-linux/include/linux/netfilter_ipv4, branch stable

netfilter: iptables: allow use of ipt_do_table as hookfn

2021-10-14T21:06:53Z

This is possible now that the xt_table structure is passed in via *priv. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: allow to turn off xtables compat layer

2021-04-26T16:16:56Z

The compat layer needs to parse untrusted input (the ruleset) to translate it to a 64bit compatible format. We had a number of bugs in this department in the past, so allow users to turn this feature off. Add CONFIG_NETFILTER_XTABLES_COMPAT kconfig knob and make it default to y to keep existing behaviour. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: ip_tables: pass table pointer via nf_hook_ops

2021-04-26T01:20:46Z

iptable_x modules rely on 'struct net' to contain a pointer to the table that should be evaluated. In order to remove these pointers from struct net, pass them via the 'priv' pointer in a similar fashion as nf_tables passes the rule data. To do that, duplicate the nf_hook_info array passed in from the iptable_x modules, update the ops->priv pointers of the copy to refer to the table and then change the hookfn implementations to just pass the 'priv' argument to the traverser. After this patch, the xt_table pointers can already be removed from struct net. However, changes to struct net result in re-compile of the entire network stack, so do the removal after arptables and ip6tables have been converted as well. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: iptables: unregister the tables by name

2021-04-26T01:20:46Z

xtables stores the xt_table structs in the struct net. This isn't needed anymore, the structures could be passed via the netfilter hook 'private' pointer to the hook functions, which would allow us to remove those pointers from struct net. As a first step, reduce the number of accesses to the net->ipv4.ip6table_{raw,filter,...} pointers. This allows the tables to get unregistered by name instead of having to pass the raw address. The xt_table structure cane looked up by name+address family instead. This patch is useless as-is (the backends still have the raw pointer address), but it lowers the bar to remove those. It also allows to put the 'was table registered in the first place' check into ip_tables.c rather than have it in each table sub module. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: x_tables: remove ipt_unregister_table

2021-04-26T01:20:08Z

Its the same function as ipt_unregister_table_exit. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers.

2020-06-24T22:50:31Z

The pre_exit will un-register the underlying hook and .exit will do the table freeing. The netns core does an unconditional synchronize_rcu after the pre_exit hooks insuring no packets are in flight that have picked up the pointer before completing the un-register. Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default") Signed-off-by: David Wilder Signed-off-by: Pablo Neira Ayuso

netfilter: Replace zero-length array with flexible-array member

2020-03-15T14:20:16Z

The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] Lastly, fix checkpatch.pl warning WARNING: __aligned(size) is preferred over __attribute__((aligned(size))) in net/bridge/netfilter/ebtables.c This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Pablo Neira Ayuso

netfilter: remove CONFIG_NETFILTER checks from headers.

2019-09-13T10:47:36Z

`struct nf_hook_ops`, `struct nf_hook_state` and the `nf_hookfn` function typedef appear in function and struct declarations and definitions in a number of netfilter headers. The structs and typedef themselves are defined by linux/netfilter.h but only when CONFIG_NETFILTER is enabled. Define them unconditionally and add forward declarations in order to remove CONFIG_NETFILTER conditionals from the other headers. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso

netfilter: ip_tables: remove unused function declarations.

2019-09-13T10:31:24Z

Two headers include declarations of functions which are never defined. Remove them. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso

netfilter: add missing IS_ENABLED(CONFIG_NETFILTER) checks to some header-files.

2019-08-13T10:15:18Z

linux/netfilter.h defines a number of struct and inline function definitions which are only available is CONFIG_NETFILTER is enabled. These structs and functions are used in declarations and definitions in other header-files. Added preprocessor checks to make sure these headers will compile if CONFIG_NETFILTER is disabled. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso