linux/include/net
David S. Miller bae97d8410 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

A final pull request, I know it's very late but this time I think it's worth a
bit of rush.

The following patchset contains Netfilter/nf_tables updates for net-next, more
specifically concatenation support and dynamic stateful expression
instantiation.

This also comes with a couple of small patches. One to fix the ebtables.h
userspace header and another to get rid of an obsolete example file in tree
that describes a nf_tables expression.

This time, I decided to paste the original descriptions. This will result in a
rather large commit description, but I think these bytes to keep.

Patrick McHardy says:

====================
netfilter: nf_tables: concatenation support

The following patches add support for concatenations, which allow multi
dimensional exact matches in O(1).

The basic idea is to split the data registers, currently consisting of
4 registers of 16 bytes each, into smaller units, 16 registers of 4
bytes each, and making sure each register store always leaves the
full 32 bit in a well defined state, meaning smaller stores will
zero the remaining bits.

Based on that, we can load multiple adjacent registers with different
values, thereby building a concatenated bigger value, and use that
value for set lookups.

Sets are changed to use variable sized extensions for their key and
data values, removing the fixed limit of 16 bytes while saving memory
if less space is needed.

As a side effect, these patches will allow some nice optimizations in
the future, like using jhash2 in nft_hash, removing the masking in
nft_cmp_fast, optimized data comparison using 32 bit word size etc.
These are not done so far however.

The patches are split up as follows:

 * the first five patches add length validation to register loads and
   stores to make sure we stay within bounds and prepare the validation
   functions for the new addressing mode

 * the next patches prepare for changing to 32 bit addressing by
   introducing a struct nft_regs, which holds the verdict register as
   well as the data registers. The verdict members are moved to a new
   struct nft_verdict to allow to pull struct nft_data out of the stack.

 * the next patches contain preparatory conversions of expressions and
   sets to use 32 bit addressing

 * the next patch introduces so far unused register conversion helpers
   for parsing and dumping register numbers over netlink

 * following is the real conversion to 32 bit addressing, consisting of
   replacing struct nft_data in struct nft_regs by an array of u32s and
   actually translating and validating the new register numbers.

 * the final two patches add support for variable sized data items and
   variable sized keys / data in set elements

The patches have been verified to work correctly with nft binaries using
both old and new addressing.
====================

Patrick McHardy says:

====================
netfilter: nf_tables: dynamic stateful expression instantiation

The following patches are the grand finale of my nf_tables set work,
using all the building blocks put in place by the previous patches
to support something like iptables hashlimit, but a lot more powerful.

Sets are extended to allow attaching expressions to set elements.
The dynset expression dynamically instantiates these expressions
based on a template when creating new set elements and evaluates
them for all new or updated set members.

In combination with concatenations this effectively creates state
tables for arbitrary combinations of keys, using the existing
expression types to maintain that state. Regular set GC takes care
of purging expired states.

We currently support two different stateful expressions, counter
and limit. Using limit as a template we can express the functionality
of hashlimit, but completely unrestricted in the combination of keys.
Using counter we can perform accounting for arbitrary flows.

The following examples from patch 5/5 show some possibilities.
Userspace syntax is still WIP, especially the listing of state
tables will most likely be seperated from normal set listings
and use a more structured format:

1. Limit the rate of new SSH connections per host, similar to iptables
   hashlimit:

        flow ip saddr timeout 60s \
        limit 10/second \
        accept

2. Account network traffic between each set of /24 networks:

        flow ip saddr & 255.255.255.0 . ip daddr & 255.255.255.0 \
        counter

3. Account traffic to each host per user:

        flow skuid . ip daddr \
        counter

4. Account traffic for each combination of source address and TCP flags:

        flow ip saddr . tcp flags \
        counter

The resulting set content after a Xmas-scan look like this:

{
        192.168.122.1 . fin | psh | urg : counter packets 1001 bytes 40040,
        192.168.122.1 . ack : counter packets 74 bytes 3848,
        192.168.122.1 . psh | ack : counter packets 35 bytes 3144
}

In the future the "expressions attached to elements" will be extended
to also support user created non-stateful expressions to allow to
efficiently select beween a set of parameter sets, f.i. a set of log
statements with different prefixes based on the interface, which currently
require one rule each. This will most likely have to wait until the next
kernel version though.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-04-14 18:51:19 -04:00
..
9p net/9p: remove a comment about pref member which doesn't exist 2014-11-06 14:59:19 -05:00
bluetooth Bluetooth: Read LE remote features during connection establishment 2015-04-09 08:36:54 +03:00
caif caif: fix a signedness bug in cfpkt_iterate() 2015-02-20 17:35:14 -05:00
irda irda: Convert function pointer arrays and uses to const 2014-12-10 15:33:16 -05:00
iucv af_iucv: fix recvmsg by replacing skb_pull() function 2013-04-08 17:16:57 -04:00
netfilter netfilter: nf_tables: mark stateful expressions 2015-04-13 20:12:31 +02:00
netns ipv6: introduce idgen_delay and idgen_retries knobs 2015-03-23 22:12:09 -04:00
nfc nfc: nci: Add comment to explain NCI_HCI_MAX_PIPES 2015-04-06 00:19:05 +02:00
phonet net: remove my future former mail address 2012-06-17 16:29:38 -07:00
sctp sctp: avoid to repeatedly declare external variables 2015-03-25 11:40:16 -04:00
tc_act act_bpf: add initial eBPF support for actions 2015-03-20 19:10:44 -04:00
6lowpan.h ieee802154: 6lowpan: rename process_data and lowpan_process_data 2014-10-27 15:51:16 +01:00
Space.h drivers: net: Include new header file in sbni.c 2013-12-19 18:51:20 -05:00
act_api.h net_sched: act: refuse to remove bound action outside 2014-02-12 19:23:32 -05:00
addrconf.h net: ipv6: allow explicitly choosing optimistic addresses 2015-02-05 15:37:41 -08:00
af_ieee802154.h ieee802154: mac802154: remove FSF address 2014-10-25 08:07:30 +02:00
af_rxrpc.h af_rxrpc.h: Remove extern from function prototypes 2013-07-31 17:50:01 -07:00
af_unix.h af_unix: improve STREAM behavior with fragmented memory 2013-08-10 01:16:44 -07:00
af_vsock.h net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
ah.h ipsec: Remove obsolete MAX_AH_AUTH_LEN 2014-09-18 10:54:36 +02:00
arp.h neigh: Factor out ___neigh_lookup_noref 2015-03-04 00:23:23 -05:00
atmclip.h
ax25.h ax25: Stop using magic neighbour cache operations. 2015-03-03 14:44:41 -05:00
ax88796.h
bond_3ad.h bonding: Implement port churn-machine (AD standard 43.4.17). 2015-02-24 16:05:48 -05:00
bond_alb.h net: Move bonding headers under include/net 2014-11-10 13:27:49 -05:00
bond_options.h net: Move bonding headers under include/net 2014-11-10 13:27:49 -05:00
bonding.h net/bonding: Fix potential bad memory access during bonding events 2015-02-09 14:03:53 -08:00
busy_poll.h sched, net: Fixup busy_loop_us_clock() 2014-01-13 17:39:11 +01:00
cfg80211-wext.h
cfg80211.h cfg80211: move IE split utilities here from mac80211 2015-04-07 13:56:41 +02:00
cfg802154.h nl802154: introduce support for cca settings 2014-12-19 00:19:23 +01:00
checksum.h net: Fix remcsum in GRO path to not change packet 2015-02-11 15:12:09 -08:00
cipso_ipv4.h cipso: don't use IPCB() to locate the CIPSO IP option 2015-02-11 14:46:37 -05:00
cls_cgroup.h cgroup: clean up cgroup_subsys names and initialization 2014-02-08 10:36:58 -05:00
codel.h net: use ktime_get_ns() and ktime_get_real_ns() helpers 2014-08-22 19:57:23 -07:00
compat.h net: switch importing msghdr from userland to {compat_,}import_iovec() 2015-04-09 00:02:26 -04:00
datalink.h net: Move prototype declaration to header file include/net/datalink.h from net/ipx/af_ipx.c 2014-02-09 17:32:50 -08:00
dcbevent.h include/net/: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
dcbnl.h net/dcb: Add IEEE QCN attribute 2015-03-06 21:50:02 -05:00
dn.h net: Move prototype declaration to header file include/net/dn.h from net/decnet/af_decnet.c 2014-02-09 17:32:49 -08:00
dn_dev.h dn_dev: add support for IFA_FLAGS nl attribute 2013-12-10 21:50:00 -05:00
dn_fib.h decnet (dn*.h): Remove extern from function prototypes 2013-09-20 14:49:32 -04:00
dn_neigh.h netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
dn_nsp.h decnet (dn*.h): Remove extern from function prototypes 2013-09-20 14:49:32 -04:00
dn_route.h net: Move prototype declaration to appropriate header file from decnet/af_decnet.c 2014-02-09 17:32:49 -08:00
dsa.h net: dsa: Add basic framework to support ndo_fdb functions 2015-03-29 13:23:54 -07:00
dsfield.h ipv6: Optimize ipv6_change_dsfield(). 2013-01-09 23:59:53 -08:00
dst.h xfrm: release dst_orig in case of error in xfrm_lookup() 2015-02-12 07:10:56 +01:00
dst_ops.h net: Remove protocol from struct dst_ops 2015-03-09 16:06:10 -04:00
esp.h net: move pskb_put() to core code 2013-11-07 19:28:58 -05:00
ethoc.h net: ethoc: set up MII management bus clock 2014-02-04 20:19:51 -08:00
fib_rules.h net: Kill hold_net release_net 2015-03-12 14:39:40 -04:00
firewire.h firewire net, ipv4 arp: Extend hardware address and remove driver-level packet inspection. 2013-03-26 12:32:13 -04:00
flow.h ipv4, fib: pass LOOPBACK_IFINDEX instead of 0 to flowi4_iif 2014-04-16 15:05:11 -04:00
flow_keys.h flow_keys: n_proto type should be __be16 2015-02-05 00:40:22 -08:00
flowcache.h flowcache: Make flow cache name space aware 2014-02-12 07:02:11 +01:00
fou.h ip_tunnel: Ops registration for secondary encap (fou, gue) 2014-11-12 15:01:35 -05:00
garp.h garp.h: Remove extern from function prototypes 2013-09-20 14:49:33 -04:00
gen_stats.h net: sched: enable per cpu qstats 2014-09-30 01:02:26 -04:00
genetlink.h net: Introduce possible_net_t 2015-03-12 14:39:40 -04:00
geneve.h openvswitch: Add support for checksums on UDP tunnels. 2015-01-28 23:04:15 -08:00
gre.h gre: Call gso_make_checksum 2014-06-04 22:46:38 -07:00
gro_cells.h ip_tunnel: Create percpu gro_cell 2015-01-18 01:56:32 -05:00
gue.h gue: Protocol constants for remote checksum offload 2014-11-05 16:30:03 -05:00
icmp.h icmp.h: Remove extern from function prototypes 2013-09-20 14:49:33 -04:00
ieee80211_radiotap.h mac80211: propagate STBC / LDPC flags to radiotap 2014-02-06 09:34:58 +01:00
ieee802154_netdev.h ieee802154: rework cca setting 2014-12-19 00:19:23 +01:00
if_inet6.h ipv6: do retries on stable privacy addresses 2015-03-23 22:12:09 -04:00
inet6_connection_sock.h inet: get rid of central tcp/dccp listener timer 2015-03-20 12:40:25 -04:00
inet6_hashtables.h ipv6: get rid of __inet6_hash() 2015-03-18 22:00:35 -04:00
inet_common.h net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
inet_connection_sock.h inet: get rid of central tcp/dccp listener timer 2015-03-20 12:40:25 -04:00
inet_ecn.h tunnel: fix RFC number in comment for INET_ECN_decapsulate() 2014-05-07 15:30:52 -04:00
inet_frag.h percpu_counter: add @gfp to percpu_counter_init() 2014-09-08 09:51:29 +09:00
inet_hashtables.h inet: get rid of last __inet_hash_connect() argument 2015-03-18 22:00:35 -04:00
inet_sock.h inet: fix request sock refcounting 2015-03-17 22:02:29 -04:00
inet_timewait_sock.h tcp/dccp: get rid of central timewait timer 2015-04-13 16:40:05 -04:00
inetpeer.h tcp: simplify inetpeer_addr_base use 2015-03-31 13:58:35 -04:00
ip.h netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
ip6_checksum.h net: add gro_compute_pseudo functions 2014-08-24 18:09:23 -07:00
ip6_fib.h net: fib6: convert cfg metric to u32 outside of table write lock 2015-01-05 22:55:24 -05:00
ip6_route.h netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00
ip6_tunnel.h udp_tunnel: Pass UDP socket down through udp_tunnel{, 6}_xmit_skb(). 2015-04-07 15:29:08 -04:00
ip_fib.h ipv4: FIB Local/MAIN table collapse 2015-03-11 16:22:14 -04:00
ip_tunnels.h ipip,gre,vti,sit: implement ndo_get_iflink 2015-04-02 14:05:00 -04:00
ip_vs.h net: Introduce possible_net_t 2015-03-12 14:39:40 -04:00
ipcomp.h
ipconfig.h
ipv6.h net: remove extra newlines 2015-04-07 22:24:37 -04:00
ipx.h switch ipxrtr_route_packet() from iovec to msghdr 2014-11-24 04:28:49 -05:00
iw_handler.h wext: add checked wrappers for adding events/points to streams 2015-02-28 21:31:12 +01:00
lapb.h lapb.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
lib80211.h lib80211: remove unused print_ssid() 2014-10-14 02:18:27 +02:00
llc.h llc: make lock static 2014-01-03 20:56:48 -05:00
llc_c_ac.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_c_ev.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_c_st.h llc: Make llc_conn_ev_qfyr_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_conn.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_if.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_pdu.h net: llc: fix order of evaluation in llc_conn_ac_inc_vr_by_1 2014-01-01 22:22:43 -05:00
llc_s_ac.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_s_ev.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
llc_s_st.h llc: Make llc_sap_action_t function pointer arrays const 2014-12-10 15:21:24 -05:00
llc_sap.h llc*.h: Remove extern from function prototypes 2013-09-21 14:01:38 -04:00
mac80211.h cfg80211: move IE split utilities here from mac80211 2015-04-07 13:56:41 +02:00
mac802154.h mac802154: fix transmission power datatype 2015-04-09 19:56:15 +02:00
mip6.h include/net/: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
mld.h ipv6: mld: answer mldv2 queries with mldv1 reports in mldv1 fallback 2014-09-22 16:23:15 -04:00
mpls.h openvswitch: Add basic MPLS support to kernel 2014-11-05 23:52:33 -08:00
mrp.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-10-01 17:06:14 -04:00
ndisc.h neigh: Factor out ___neigh_lookup_noref 2015-03-04 00:23:23 -05:00
neighbour.h net: neighbour: Add mcast_resolicit to configure the number of multicast resolicitations in PROBE state. 2015-03-20 21:47:40 -04:00
net_namespace.h net: Introduce possible_net_t 2015-03-12 14:39:40 -04:00
net_ratelimit.h
netevent.h netevent/netlink.h: Remove extern from function prototypes 2013-09-21 14:01:39 -04:00
netlabel.h netlabel: fix the netlbl_catmap_setlong() dummy function 2014-08-07 20:55:21 -04:00
netlink.h netlink: implement nla_get_in_addr and nla_get_in6_addr 2015-03-31 13:58:35 -04:00
netprio_cgroup.h cgroup: clean up cgroup_subsys names and initialization 2014-02-08 10:36:58 -05:00
netrom.h netrom.h: Remove extern from function prototypes 2013-09-21 14:01:39 -04:00
nexthop.h
nl802154.h nl802154: introduce support for cca settings 2014-12-19 00:19:23 +01:00
p8022.h p8022.h: Remove extern from function prototypes 2013-09-21 14:01:39 -04:00
ping.h net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
pkt_cls.h net: sched: remove tcf_proto from ematch calls 2014-10-06 18:02:32 -04:00
pkt_sched.h net: rename vlan_tx_* helpers since "tx" is misleading there 2015-01-13 17:51:08 -05:00
protocol.h net: Eliminate no_check from protosw 2014-05-23 16:28:53 -04:00
psnap.h psnap.h: Remove extern from function prototypes 2013-09-23 01:51:08 -04:00
raw.h raw/rawv6.h: Remove extern from function prototypes 2013-09-23 01:51:08 -04:00
rawv6.h raw/rawv6.h: Remove extern from function prototypes 2013-09-23 01:51:08 -04:00
red.h reciprocal_divide: update/correction of the algorithm 2014-01-21 23:17:20 -08:00
regulatory.h cfg80211: allow wiphy specific regdomain management 2014-12-17 11:49:55 +01:00
request_sock.h net: convert syn_wait_lock to a spinlock 2015-03-23 16:52:26 -04:00
rose.h rose.h: Remove extern from function prototypes 2013-09-23 01:51:08 -04:00
route.h ipv4: per cpu uncached list 2015-01-15 18:26:16 -05:00
rtnetlink.h rtnetlink: Mark name argument of rtnl_create_link() const 2015-04-10 12:42:40 -07:00
sch_generic.h net_sched: destroy proto tp when all filters are gone 2015-03-09 15:35:55 -04:00
scm.h scm.h: Remove extern from function prototypes 2013-09-23 01:51:09 -04:00
secure_seq.h inetpeer: get rid of ip_id_count 2014-06-02 11:00:41 -07:00
slhc_vj.h
snmp.h Merge branch 'for-3.18-consistent-ops' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu 2014-10-15 07:48:18 +02:00
sock.h Merge branch 'iocb' into for-davem 2015-04-09 00:01:38 -04:00
stp.h stp.h: Remove extern from function prototypes 2013-09-23 01:51:09 -04:00
switchdev.h switchdev: kernel-doc cleanup on swithdev ops 2015-03-20 21:36:53 -04:00
tcp.h tcp: RFC7413 option support for Fast Open client 2015-04-07 18:36:39 -04:00
tcp_memcontrol.h tcp_memcontrol: Kill struct tcp_memcontrol 2013-10-21 18:43:02 -04:00
tcp_states.h inet: add TCP_NEW_SYN_RECV state 2015-03-12 22:58:12 -04:00
timewait_sock.h [PATCH] tcp: Cache inetpeer in timewait socket, and only when necessary. 2012-06-09 14:56:12 -07:00
transp_v6.h ipv6: make IPV6_RECVPKTINFO work for ipv4 datagrams 2014-01-19 19:53:18 -08:00
tso.h net: Add a software TSO helper API 2014-05-22 14:57:15 -04:00
udp.h net: Remove iocb argument from sendmsg and recvmsg 2015-03-02 13:06:31 -05:00
udp_tunnel.h udp_tunnel: Pass UDP socket down through udp_tunnel{, 6}_xmit_skb(). 2015-04-07 15:29:08 -04:00
udplite.h net: switch memcpy_fromiovec()/memcpy_fromiovecend() users to copy_from_iter() 2015-02-04 01:34:15 -05:00
vsock_addr.h VSOCK: Move af_vsock.h and vsock_addr.h to include/net 2013-07-27 22:14:06 -07:00
vxlan.h udp_tunnel: Pass UDP socket down through udp_tunnel{, 6}_xmit_skb(). 2015-04-07 15:29:08 -04:00
wext.h wext.h: Remove extern from function prototypes 2013-09-23 16:29:40 -04:00
wimax.h net: treewide: Fix typo found in DocBook/networking.xml 2014-09-05 17:35:28 -07:00
x25.h x25.h: Remove extern from function prototypes 2013-09-23 16:29:41 -04:00
x25device.h
xfrm.h netfilter: Pass socket pointer down through okfn(). 2015-04-07 15:25:55 -04:00