From f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
Date: Tue, 8 May 2018 09:40:43 +0200
Subject: kernel: mark source kernel for netfilter backports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This helps keeping track on patches & adding new kernels in the future.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
---
 ...f_tables_inet-don-t-use-multihook-infrast.patch | 161 +++++++++++++++++++++
 1 file changed, 161 insertions(+)
 create mode 100644 target/linux/generic/backport-4.14/302-v4.16-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch

(limited to 'target/linux/generic/backport-4.14/302-v4.16-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch')

diff --git a/target/linux/generic/backport-4.14/302-v4.16-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch b/target/linux/generic/backport-4.14/302-v4.16-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch
new file mode 100644
index 0000000000..17d8b21a0f
--- /dev/null
+++ b/target/linux/generic/backport-4.14/302-v4.16-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch
@@ -0,0 +1,161 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 9 Dec 2017 15:36:24 +0100
+Subject: [PATCH] netfilter: nf_tables_inet: don't use multihook infrastructure
+ anymore
+
+Use new native NFPROTO_INET support in netfilter core, this gets rid of
+ad-hoc code in the nf_tables API codebase.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/include/net/netfilter/nf_tables_ipv4.h
++++ b/include/net/netfilter/nf_tables_ipv4.h
+@@ -53,6 +53,4 @@ static inline void nft_set_pktinfo_ipv4_
+ 		nft_set_pktinfo_unspec(pkt, skb);
+ }
+ 
+-extern struct nft_af_info nft_af_ipv4;
+-
+ #endif
+--- a/include/net/netfilter/nf_tables_ipv6.h
++++ b/include/net/netfilter/nf_tables_ipv6.h
+@@ -69,6 +69,4 @@ static inline void nft_set_pktinfo_ipv6_
+ 		nft_set_pktinfo_unspec(pkt, skb);
+ }
+ 
+-extern struct nft_af_info nft_af_ipv6;
+-
+ #endif
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -45,7 +45,7 @@ static unsigned int nft_ipv4_output(void
+ 	return nft_do_chain_ipv4(priv, skb, state);
+ }
+ 
+-struct nft_af_info nft_af_ipv4 __read_mostly = {
++static struct nft_af_info nft_af_ipv4 __read_mostly = {
+ 	.family		= NFPROTO_IPV4,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+@@ -58,7 +58,6 @@ struct nft_af_info nft_af_ipv4 __read_mo
+ 		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
+ 	},
+ };
+-EXPORT_SYMBOL_GPL(nft_af_ipv4);
+ 
+ static int nf_tables_ipv4_init_net(struct net *net)
+ {
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -42,7 +42,7 @@ static unsigned int nft_ipv6_output(void
+ 	return nft_do_chain_ipv6(priv, skb, state);
+ }
+ 
+-struct nft_af_info nft_af_ipv6 __read_mostly = {
++static struct nft_af_info nft_af_ipv6 __read_mostly = {
+ 	.family		= NFPROTO_IPV6,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+@@ -55,7 +55,6 @@ struct nft_af_info nft_af_ipv6 __read_mo
+ 		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
+ 	},
+ };
+-EXPORT_SYMBOL_GPL(nft_af_ipv6);
+ 
+ static int nf_tables_ipv6_init_net(struct net *net)
+ {
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -9,6 +9,7 @@
+ #include <linux/init.h>
+ #include <linux/module.h>
+ #include <linux/ip.h>
++#include <linux/ipv6.h>
+ #include <linux/netfilter_ipv4.h>
+ #include <linux/netfilter_ipv6.h>
+ #include <net/netfilter/nf_tables.h>
+@@ -16,26 +17,71 @@
+ #include <net/netfilter/nf_tables_ipv6.h>
+ #include <net/ip.h>
+ 
+-static void nft_inet_hook_ops_init(struct nf_hook_ops *ops, unsigned int n)
++static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb,
++				      const struct nf_hook_state *state)
+ {
+-	struct nft_af_info *afi;
++	struct nft_pktinfo pkt;
+ 
+-	if (n == 1)
+-		afi = &nft_af_ipv4;
+-	else
+-		afi = &nft_af_ipv6;
+-
+-	ops->pf = afi->family;
+-	if (afi->hooks[ops->hooknum])
+-		ops->hook = afi->hooks[ops->hooknum];
++	nft_set_pktinfo(&pkt, skb, state);
++
++	switch (state->pf) {
++	case NFPROTO_IPV4:
++		nft_set_pktinfo_ipv4(&pkt, skb);
++		break;
++	case NFPROTO_IPV6:
++		nft_set_pktinfo_ipv6(&pkt, skb);
++		break;
++	default:
++		break;
++	}
++
++	return nft_do_chain(&pkt, priv);
++}
++
++static unsigned int nft_inet_output(void *priv, struct sk_buff *skb,
++				    const struct nf_hook_state *state)
++{
++	struct nft_pktinfo pkt;
++
++	nft_set_pktinfo(&pkt, skb, state);
++
++	switch (state->pf) {
++	case NFPROTO_IPV4:
++		if (unlikely(skb->len < sizeof(struct iphdr) ||
++			     ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
++			if (net_ratelimit())
++				pr_info("ignoring short SOCK_RAW packet\n");
++			return NF_ACCEPT;
++		}
++		nft_set_pktinfo_ipv4(&pkt, skb);
++		break;
++	case NFPROTO_IPV6:
++	        if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
++			if (net_ratelimit())
++				pr_info("ignoring short SOCK_RAW packet\n");
++			return NF_ACCEPT;
++		}
++		nft_set_pktinfo_ipv6(&pkt, skb);
++		break;
++	default:
++		break;
++	}
++
++	return nft_do_chain(&pkt, priv);
+ }
+ 
+ static struct nft_af_info nft_af_inet __read_mostly = {
+ 	.family		= NFPROTO_INET,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.nops		= 2,
+-	.hook_ops_init	= nft_inet_hook_ops_init,
++	.nops		= 1,
++	.hooks		= {
++		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
++		[NF_INET_LOCAL_OUT]	= nft_inet_output,
++		[NF_INET_FORWARD]	= nft_do_chain_inet,
++		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
++		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,
++        },
+ };
+ 
+ static int __net_init nf_tables_inet_init_net(struct net *net)
-- 
cgit v1.2.3