[linux] 01/02: netfilter: nft_ct: add notrack support (Closes: #845500)
debian-kernel at lists.debian.org
debian-kernel at lists.debian.org
Thu Mar 30 00:53:21 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch sid
in repository linux.
commit f294506bfa43d290568c9f56ed00296f28782036
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Thu Mar 30 01:40:57 2017 +0100
netfilter: nft_ct: add notrack support (Closes: #845500)
---
debian/changelog | 1 +
.../all/netfilter-nft_ct-add-notrack-support.patch | 100 +++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 102 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 64ade01..ad6357f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -147,6 +147,7 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
* [arm64] rtc: tegra: Implement clock handling (Closes: #858514)
* [armhf] sound/soc: Enable SND_SUN4I_SPDIF as module (Closes: #857410)
* [arm64,x86] Enable CROS_KBD_LED_BACKLIGHT as module (Closes: #856906)
+ * netfilter: nft_ct: add notrack support (Closes: #845500)
[ James Clarke ]
* [sparc64] udeb: Re-add ufs-modules (Closes: #858049)
diff --git a/debian/patches/features/all/netfilter-nft_ct-add-notrack-support.patch b/debian/patches/features/all/netfilter-nft_ct-add-notrack-support.patch
new file mode 100644
index 0000000..fc8e922
--- /dev/null
+++ b/debian/patches/features/all/netfilter-nft_ct-add-notrack-support.patch
@@ -0,0 +1,100 @@
+From: Pablo Neira Ayuso <pablo at netfilter.org>
+Date: Thu, 20 Oct 2016 18:07:14 +0200
+Subject: netfilter: nft_ct: add notrack support
+Origin: https://git.kernel.org/linus/254432613c588640f8b8b5c3641a3c27bbe14688
+Bug-Debian: https://bugs.debian.org/845500
+
+This patch adds notrack support.
+
+I decided to add a new expression, given that this doesn't fit into the
+existing set operation. Notrack doesn't need a source register, and an
+hypothetical NFT_CT_NOTRACK key makes no sense since matching the
+untracked state is done through NFT_CT_STATE.
+
+I'm placing this new notrack expression into nft_ct.c, I think a single
+module is too much.
+
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/nft_ct.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index d7b0d171172a..6837348c8993 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1,5 +1,6 @@
+ /*
+ * Copyright (c) 2008-2009 Patrick McHardy <kaber at trash.net>
++ * Copyright (c) 2016 Pablo Neira Ayuso <pablo at netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+@@ -518,15 +519,61 @@ static struct nft_expr_type nft_ct_type __read_mostly = {
+ .owner = THIS_MODULE,
+ };
+
++static void nft_notrack_eval(const struct nft_expr *expr,
++ struct nft_regs *regs,
++ const struct nft_pktinfo *pkt)
++{
++ struct sk_buff *skb = pkt->skb;
++ enum ip_conntrack_info ctinfo;
++ struct nf_conn *ct;
++
++ ct = nf_ct_get(pkt->skb, &ctinfo);
++ /* Previously seen (loopback or untracked)? Ignore. */
++ if (ct)
++ return;
++
++ ct = nf_ct_untracked_get();
++ atomic_inc(&ct->ct_general.use);
++ skb->nfct = &ct->ct_general;
++ skb->nfctinfo = IP_CT_NEW;
++}
++
++static struct nft_expr_type nft_notrack_type;
++static const struct nft_expr_ops nft_notrack_ops = {
++ .type = &nft_notrack_type,
++ .size = NFT_EXPR_SIZE(0),
++ .eval = nft_notrack_eval,
++};
++
++static struct nft_expr_type nft_notrack_type __read_mostly = {
++ .name = "notrack",
++ .ops = &nft_notrack_ops,
++ .owner = THIS_MODULE,
++};
++
+ static int __init nft_ct_module_init(void)
+ {
++ int err;
++
+ BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);
+
+- return nft_register_expr(&nft_ct_type);
++ err = nft_register_expr(&nft_ct_type);
++ if (err < 0)
++ return err;
++
++ err = nft_register_expr(&nft_notrack_type);
++ if (err < 0)
++ goto err1;
++
++ return 0;
++err1:
++ nft_unregister_expr(&nft_ct_type);
++ return err;
+ }
+
+ static void __exit nft_ct_module_exit(void)
+ {
++ nft_unregister_expr(&nft_notrack_type);
+ nft_unregister_expr(&nft_ct_type);
+ }
+
+@@ -536,3 +583,4 @@ module_exit(nft_ct_module_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Patrick McHardy <kaber at trash.net>");
+ MODULE_ALIAS_NFT_EXPR("ct");
++MODULE_ALIAS_NFT_EXPR("notrack");
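Review bot: In `nft_notrack_eval`, the `if (ct) return;` guard means a `notrack` rule evaluated after conntrack has already attached an entry is a silent no-op, and nothing in the expression (no `.init`/`.validate` callback) restricts which hook or chain priority it can be used from; that precondition should at least be documented, e.g. `/* Already tracked (conntrack ran before this chain), loopback or untracked: nothing to do. */` on the early return, and a note on `nft_notrack_type` that the expression is presumably only meaningful in chains that run before conntrack. This is inferred from the guard itself; the hunk contains no validation either way. A small consistency nit: `skb` is taken from `pkt->skb` but `nf_ct_get()` is then called with `pkt->skb` again, so `ct = nf_ct_get(skb, &ctinfo);` would read more uniformly. The `err1:` unwind in `nft_ct_module_init` correctly unregisters `nft_ct_type` when the second registration fails.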
diff --git a/debian/patches/series b/debian/patches/series
index be4c517..15dbe46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -90,6 +90,7 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
bugfix/all/ACPI-EC-Use-busy-polling-mode-when-GPE-is-not-enable.patch
# Miscellaneous features
+features/all/netfilter-nft_ct-add-notrack-support.patch
# Securelevel patchset from mjg59
features/all/securelevel/add-bsd-style-securelevel-support.patch