From f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
Date: Tue, 8 May 2018 09:40:43 +0200
Subject: kernel: mark source kernel for netfilter backports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This helps keeping track on patches & adding new kernels in the future.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
---
 ...f_tables-explicit-nft_set_pktinfo-call-fr.patch | 291 +++++++++++++++++++++
 1 file changed, 291 insertions(+)
 create mode 100644 target/linux/generic/backport-4.14/300-v4.16-netfilter-nf_tables-explicit-nft_set_pktinfo-call-fr.patch

(limited to 'target/linux/generic/backport-4.14/300-v4.16-netfilter-nf_tables-explicit-nft_set_pktinfo-call-fr.patch')

diff --git a/target/linux/generic/backport-4.14/300-v4.16-netfilter-nf_tables-explicit-nft_set_pktinfo-call-fr.patch b/target/linux/generic/backport-4.14/300-v4.16-netfilter-nf_tables-explicit-nft_set_pktinfo-call-fr.patch
new file mode 100644
index 0000000000..c0cb5bbeba
--- /dev/null
+++ b/target/linux/generic/backport-4.14/300-v4.16-netfilter-nf_tables-explicit-nft_set_pktinfo-call-fr.patch
@@ -0,0 +1,291 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sun, 10 Dec 2017 01:43:14 +0100
+Subject: [PATCH] netfilter: nf_tables: explicit nft_set_pktinfo() call from
+ hook path
+
+Instead of calling this function from the family specific variant, this
+reduces the code size in the fast path for the netdev, bridge and inet
+families. After this change, we must call nft_set_pktinfo() upfront from
+the chain hook indirection.
+
+Before:
+
+   text    data     bss     dec     hex filename
+   2145     208       0    2353     931 net/netfilter/nf_tables_netdev.o
+
+After:
+
+   text    data     bss     dec     hex filename
+   2125     208       0    2333     91d net/netfilter/nf_tables_netdev.o
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -54,8 +54,8 @@ static inline void nft_set_pktinfo(struc
+ 	pkt->xt.state = state;
+ }
+ 
+-static inline void nft_set_pktinfo_proto_unspec(struct nft_pktinfo *pkt,
+-						struct sk_buff *skb)
++static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
++					  struct sk_buff *skb)
+ {
+ 	pkt->tprot_set = false;
+ 	pkt->tprot = 0;
+@@ -63,14 +63,6 @@ static inline void nft_set_pktinfo_proto
+ 	pkt->xt.fragoff = 0;
+ }
+ 
+-static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
+-					  struct sk_buff *skb,
+-					  const struct nf_hook_state *state)
+-{
+-	nft_set_pktinfo(pkt, skb, state);
+-	nft_set_pktinfo_proto_unspec(pkt, skb);
+-}
+-
+ /**
+  * 	struct nft_verdict - nf_tables verdict
+  *
+--- a/include/net/netfilter/nf_tables_ipv4.h
++++ b/include/net/netfilter/nf_tables_ipv4.h
+@@ -5,15 +5,11 @@
+ #include <net/netfilter/nf_tables.h>
+ #include <net/ip.h>
+ 
+-static inline void
+-nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
+-		     struct sk_buff *skb,
+-		     const struct nf_hook_state *state)
++static inline void nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
++					struct sk_buff *skb)
+ {
+ 	struct iphdr *ip;
+ 
+-	nft_set_pktinfo(pkt, skb, state);
+-
+ 	ip = ip_hdr(pkt->skb);
+ 	pkt->tprot_set = true;
+ 	pkt->tprot = ip->protocol;
+@@ -21,10 +17,8 @@ nft_set_pktinfo_ipv4(struct nft_pktinfo
+ 	pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
+ }
+ 
+-static inline int
+-__nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
+-				struct sk_buff *skb,
+-				const struct nf_hook_state *state)
++static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
++						  struct sk_buff *skb)
+ {
+ 	struct iphdr *iph, _iph;
+ 	u32 len, thoff;
+@@ -52,14 +46,11 @@ __nft_set_pktinfo_ipv4_validate(struct n
+ 	return 0;
+ }
+ 
+-static inline void
+-nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
+-			      struct sk_buff *skb,
+-			      const struct nf_hook_state *state)
++static inline void nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
++						 struct sk_buff *skb)
+ {
+-	nft_set_pktinfo(pkt, skb, state);
+-	if (__nft_set_pktinfo_ipv4_validate(pkt, skb, state) < 0)
+-		nft_set_pktinfo_proto_unspec(pkt, skb);
++	if (__nft_set_pktinfo_ipv4_validate(pkt, skb) < 0)
++		nft_set_pktinfo_unspec(pkt, skb);
+ }
+ 
+ extern struct nft_af_info nft_af_ipv4;
+--- a/include/net/netfilter/nf_tables_ipv6.h
++++ b/include/net/netfilter/nf_tables_ipv6.h
+@@ -5,20 +5,16 @@
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <net/ipv6.h>
+ 
+-static inline void
+-nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
+-		     struct sk_buff *skb,
+-		     const struct nf_hook_state *state)
++static inline void nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
++					struct sk_buff *skb)
+ {
+ 	unsigned int flags = IP6_FH_F_AUTH;
+ 	int protohdr, thoff = 0;
+ 	unsigned short frag_off;
+ 
+-	nft_set_pktinfo(pkt, skb, state);
+-
+ 	protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, &flags);
+ 	if (protohdr < 0) {
+-		nft_set_pktinfo_proto_unspec(pkt, skb);
++		nft_set_pktinfo_unspec(pkt, skb);
+ 		return;
+ 	}
+ 
+@@ -28,10 +24,8 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo
+ 	pkt->xt.fragoff = frag_off;
+ }
+ 
+-static inline int
+-__nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
+-				struct sk_buff *skb,
+-				const struct nf_hook_state *state)
++static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
++						  struct sk_buff *skb)
+ {
+ #if IS_ENABLED(CONFIG_IPV6)
+ 	unsigned int flags = IP6_FH_F_AUTH;
+@@ -68,14 +62,11 @@ __nft_set_pktinfo_ipv6_validate(struct n
+ #endif
+ }
+ 
+-static inline void
+-nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
+-			      struct sk_buff *skb,
+-			      const struct nf_hook_state *state)
++static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
++						 struct sk_buff *skb)
+ {
+-	nft_set_pktinfo(pkt, skb, state);
+-	if (__nft_set_pktinfo_ipv6_validate(pkt, skb, state) < 0)
+-		nft_set_pktinfo_proto_unspec(pkt, skb);
++	if (__nft_set_pktinfo_ipv6_validate(pkt, skb) < 0)
++		nft_set_pktinfo_unspec(pkt, skb);
+ }
+ 
+ extern struct nft_af_info nft_af_ipv6;
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -25,15 +25,17 @@ nft_do_chain_bridge(void *priv,
+ {
+ 	struct nft_pktinfo pkt;
+ 
++	nft_set_pktinfo(&pkt, skb, state);
++
+ 	switch (eth_hdr(skb)->h_proto) {
+ 	case htons(ETH_P_IP):
+-		nft_set_pktinfo_ipv4_validate(&pkt, skb, state);
++		nft_set_pktinfo_ipv4_validate(&pkt, skb);
+ 		break;
+ 	case htons(ETH_P_IPV6):
+-		nft_set_pktinfo_ipv6_validate(&pkt, skb, state);
++		nft_set_pktinfo_ipv6_validate(&pkt, skb);
+ 		break;
+ 	default:
+-		nft_set_pktinfo_unspec(&pkt, skb, state);
++		nft_set_pktinfo_unspec(&pkt, skb);
+ 		break;
+ 	}
+ 
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -21,7 +21,8 @@ nft_do_chain_arp(void *priv,
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_unspec(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_unspec(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -24,7 +24,8 @@ static unsigned int nft_do_chain_ipv4(vo
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_ipv4(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv4(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv4/netfilter/nft_chain_nat_ipv4.c
++++ b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
+@@ -33,7 +33,8 @@ static unsigned int nft_nat_do_chain(voi
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_ipv4(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv4(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv4/netfilter/nft_chain_route_ipv4.c
++++ b/net/ipv4/netfilter/nft_chain_route_ipv4.c
+@@ -38,7 +38,8 @@ static unsigned int nf_route_table_hook(
+ 	    ip_hdrlen(skb) < sizeof(struct iphdr))
+ 		return NF_ACCEPT;
+ 
+-	nft_set_pktinfo_ipv4(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv4(&pkt, skb);
+ 
+ 	mark = skb->mark;
+ 	iph = ip_hdr(skb);
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -22,7 +22,8 @@ static unsigned int nft_do_chain_ipv6(vo
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_ipv6(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv6(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
++++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+@@ -31,7 +31,8 @@ static unsigned int nft_nat_do_chain(voi
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_ipv6(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv6(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv6/netfilter/nft_chain_route_ipv6.c
++++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c
+@@ -33,7 +33,8 @@ static unsigned int nf_route_table_hook(
+ 	u32 mark, flowlabel;
+ 	int err;
+ 
+-	nft_set_pktinfo_ipv6(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv6(&pkt, skb);
+ 
+ 	/* save source/dest address, mark, hoplimit, flowlabel, priority */
+ 	memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -21,15 +21,17 @@ nft_do_chain_netdev(void *priv, struct s
+ {
+ 	struct nft_pktinfo pkt;
+ 
++	nft_set_pktinfo(&pkt, skb, state);
++
+ 	switch (skb->protocol) {
+ 	case htons(ETH_P_IP):
+-		nft_set_pktinfo_ipv4_validate(&pkt, skb, state);
++		nft_set_pktinfo_ipv4_validate(&pkt, skb);
+ 		break;
+ 	case htons(ETH_P_IPV6):
+-		nft_set_pktinfo_ipv6_validate(&pkt, skb, state);
++		nft_set_pktinfo_ipv6_validate(&pkt, skb);
+ 		break;
+ 	default:
+-		nft_set_pktinfo_unspec(&pkt, skb, state);
++		nft_set_pktinfo_unspec(&pkt, skb);
+ 		break;
+ 	}
+ 
-- 
cgit v1.2.3