[linux] 01/02: netfilter: nft_ct: add notrack support (Closes: #845500)

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Thu Mar 30 00:53:21 UTC 2017


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch sid
in repository linux.

commit f294506bfa43d290568c9f56ed00296f28782036
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Thu Mar 30 01:40:57 2017 +0100

    netfilter: nft_ct: add notrack support (Closes: #845500)
---
 debian/changelog                                   |   1 +
 .../all/netfilter-nft_ct-add-notrack-support.patch | 100 +++++++++++++++++++++
 debian/patches/series                              |   1 +
 3 files changed, 102 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 64ade01..ad6357f 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -147,6 +147,7 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
   * [arm64] rtc: tegra: Implement clock handling (Closes: #858514)
   * [armhf] sound/soc: Enable SND_SUN4I_SPDIF as module (Closes: #857410)
   * [arm64,x86] Enable CROS_KBD_LED_BACKLIGHT as module (Closes: #856906)
+  * netfilter: nft_ct: add notrack support (Closes: #845500)
 
   [ James Clarke ]
   * [sparc64] udeb: Re-add ufs-modules (Closes: #858049)
diff --git a/debian/patches/features/all/netfilter-nft_ct-add-notrack-support.patch b/debian/patches/features/all/netfilter-nft_ct-add-notrack-support.patch
new file mode 100644
index 0000000..fc8e922
--- /dev/null
+++ b/debian/patches/features/all/netfilter-nft_ct-add-notrack-support.patch
@@ -0,0 +1,100 @@
+From: Pablo Neira Ayuso <pablo at netfilter.org>
+Date: Thu, 20 Oct 2016 18:07:14 +0200
+Subject: netfilter: nft_ct: add notrack support
+Origin: https://git.kernel.org/linus/254432613c588640f8b8b5c3641a3c27bbe14688
+Bug-Debian: https://bugs.debian.org/845500
+
+This patch adds notrack support.
+
+I decided to add a new expression, given that this doesn't fit into the
+existing set operation. Notrack doesn't need a source register, and an
+hypothetical NFT_CT_NOTRACK key makes no sense since matching the
+untracked state is done through NFT_CT_STATE.
+
+I'm placing this new notrack expression into nft_ct.c, I think a single
+module is too much.
+
+Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
+---
+ net/netfilter/nft_ct.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index d7b0d171172a..6837348c8993 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1,5 +1,6 @@
+ /*
+  * Copyright (c) 2008-2009 Patrick McHardy <kaber at trash.net>
++ * Copyright (c) 2016 Pablo Neira Ayuso <pablo at netfilter.org>
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -518,15 +519,61 @@ static struct nft_expr_type nft_ct_type __read_mostly = {
+ 	.owner		= THIS_MODULE,
+ };
+ 
++static void nft_notrack_eval(const struct nft_expr *expr,
++			     struct nft_regs *regs,
++			     const struct nft_pktinfo *pkt)
++{
++	struct sk_buff *skb = pkt->skb;
++	enum ip_conntrack_info ctinfo;
++	struct nf_conn *ct;
++
++	ct = nf_ct_get(pkt->skb, &ctinfo);
++	/* Previously seen (loopback or untracked)?  Ignore. */
++	if (ct)
++		return;
++
++	ct = nf_ct_untracked_get();
++	atomic_inc(&ct->ct_general.use);
++	skb->nfct = &ct->ct_general;
++	skb->nfctinfo = IP_CT_NEW;
++}
++
++static struct nft_expr_type nft_notrack_type;
++static const struct nft_expr_ops nft_notrack_ops = {
++	.type		= &nft_notrack_type,
++	.size		= NFT_EXPR_SIZE(0),
++	.eval		= nft_notrack_eval,
++};
++
++static struct nft_expr_type nft_notrack_type __read_mostly = {
++	.name		= "notrack",
++	.ops		= &nft_notrack_ops,
++	.owner		= THIS_MODULE,
++};
++
+ static int __init nft_ct_module_init(void)
+ {
++	int err;
++
+ 	BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);
+ 
+-	return nft_register_expr(&nft_ct_type);
++	err = nft_register_expr(&nft_ct_type);
++	if (err < 0)
++		return err;
++
++	err = nft_register_expr(&nft_notrack_type);
++	if (err < 0)
++		goto err1;
++
++	return 0;
++err1:
++	nft_unregister_expr(&nft_ct_type);
++	return err;
+ }
+ 
+ static void __exit nft_ct_module_exit(void)
+ {
++	nft_unregister_expr(&nft_notrack_type);
+ 	nft_unregister_expr(&nft_ct_type);
+ }
+ 
+@@ -536,3 +583,4 @@ module_exit(nft_ct_module_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Patrick McHardy <kaber at trash.net>");
+ MODULE_ALIAS_NFT_EXPR("ct");
++MODULE_ALIAS_NFT_EXPR("notrack");
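Review bot: In `nft_notrack_eval` the conntrack lookup re-reads `pkt->skb` one line after that pointer has already been copied into the local `skb`; use the local consistently, `ct = nf_ct_get(skb, &ctinfo);`, so the two accesses cannot silently diverge if the function is later changed. The `atomic_inc(&ct->ct_general.use)` followed by `skb->nfct = &ct->ct_general;` deserves a one-line why-comment, since the reference taken on the untracked template is not released in this function; presumably it is owned by the skb and dropped when the skb's nfct is released, which matches how the pre-existing notrack path is written elsewhere in the tree, but that should be confirmed rather than assumed by the reader, e.g. `/* reference is handed to the skb; released with skb->nfct */`. The early `if (ct) return;` also means a packet that already carries a conntrack entry is left tracked rather than forcibly untracked, which is reasonable but worth stating in the comment above it. Note this is a patch file being added to the Debian tree, so any change would need to be made against the upstream commit referenced in its `Origin:` line rather than edited in place here.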
diff --git a/debian/patches/series b/debian/patches/series
index be4c517..15dbe46 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -90,6 +90,7 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 bugfix/all/ACPI-EC-Use-busy-polling-mode-when-GPE-is-not-enable.patch
 
 # Miscellaneous features
+features/all/netfilter-nft_ct-add-notrack-support.patch
 
 # Securelevel patchset from mjg59
 features/all/securelevel/add-bsd-style-securelevel-support.patch
