From f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
Date: Tue, 8 May 2018 09:40:43 +0200
Subject: kernel: mark source kernel for netfilter backports
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This helps keeping track on patches & adding new kernels in the future.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
---
 ...f_tables-remove-hooks-from-family-definit.patch | 233 +++++++++++++++++++++
 1 file changed, 233 insertions(+)
 create mode 100644 target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch

(limited to 'target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch')

diff --git a/target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch b/target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch
new file mode 100644
index 0000000000..dd969c12a6
--- /dev/null
+++ b/target/linux/generic/backport-4.14/312-v4.16-netfilter-nf_tables-remove-hooks-from-family-definit.patch
@@ -0,0 +1,233 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Sat, 9 Dec 2017 15:43:17 +0100
+Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
+
+They don't belong to the family definition, move them to the filter
+chain type definition instead.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -870,7 +870,7 @@ enum nft_chain_type {
+  * 	@family: address family
+  * 	@owner: module owner
+  * 	@hook_mask: mask of valid hooks
+- * 	@hooks: hookfn overrides
++ * 	@hooks: array of hook functions
+  */
+ struct nf_chain_type {
+ 	const char			*name;
+@@ -964,7 +964,6 @@ enum nft_af_flags {
+  *	@owner: module owner
+  *	@tables: used internally
+  *	@flags: family flags
+- *	@hooks: hookfn overrides for packet validation
+  */
+ struct nft_af_info {
+ 	struct list_head		list;
+@@ -973,7 +972,6 @@ struct nft_af_info {
+ 	struct module			*owner;
+ 	struct list_head		tables;
+ 	u32				flags;
+-	nf_hookfn			*hooks[NF_MAX_HOOKS];
+ };
+ 
+ int nft_register_afinfo(struct net *, struct nft_af_info *);
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
+ 	.family		= NFPROTO_BRIDGE,
+ 	.nhooks		= NF_BR_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_BR_PRE_ROUTING]	= nft_do_chain_bridge,
+-		[NF_BR_LOCAL_IN]	= nft_do_chain_bridge,
+-		[NF_BR_FORWARD]		= nft_do_chain_bridge,
+-		[NF_BR_LOCAL_OUT]	= nft_do_chain_bridge,
+-		[NF_BR_POST_ROUTING]	= nft_do_chain_bridge,
+-	},
+ };
+ 
+ static int nf_tables_bridge_init_net(struct net *net)
+@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_BR_FORWARD) |
+ 			  (1 << NF_BR_LOCAL_OUT) |
+ 			  (1 << NF_BR_POST_ROUTING),
++	.hooks		= {
++		[NF_BR_PRE_ROUTING]	= nft_do_chain_bridge,
++		[NF_BR_LOCAL_IN]	= nft_do_chain_bridge,
++		[NF_BR_FORWARD]		= nft_do_chain_bridge,
++		[NF_BR_LOCAL_OUT]	= nft_do_chain_bridge,
++		[NF_BR_POST_ROUTING]	= nft_do_chain_bridge,
++	},
+ };
+ 
+ static int __init nf_tables_bridge_init(void)
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
+ 	.family		= NFPROTO_ARP,
+ 	.nhooks		= NF_ARP_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_ARP_IN]		= nft_do_chain_arp,
+-		[NF_ARP_OUT]		= nft_do_chain_arp,
+-	},
+ };
+ 
+ static int nf_tables_arp_init_net(struct net *net)
+@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
+ 	.owner		= THIS_MODULE,
+ 	.hook_mask	= (1 << NF_ARP_IN) |
+ 			  (1 << NF_ARP_OUT),
++	.hooks		= {
++		[NF_ARP_IN]		= nft_do_chain_arp,
++		[NF_ARP_OUT]		= nft_do_chain_arp,
++	},
+ };
+ 
+ static int __init nf_tables_arp_init(void)
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
+ 	.family		= NFPROTO_IPV4,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,
+-		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,
+-		[NF_INET_FORWARD]	= nft_do_chain_ipv4,
+-		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv4,
+-		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
+-	},
+ };
+ 
+ static int nf_tables_ipv4_init_net(struct net *net)
+@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_FORWARD) |
+ 			  (1 << NF_INET_PRE_ROUTING) |
+ 			  (1 << NF_INET_POST_ROUTING),
++	.hooks		= {
++		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,
++		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,
++		[NF_INET_FORWARD]	= nft_do_chain_ipv4,
++		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv4,
++		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
++	},
+ };
+ 
+ static int __init nf_tables_ipv4_init(void)
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
+ 	.family		= NFPROTO_IPV6,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,
+-		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,
+-		[NF_INET_FORWARD]	= nft_do_chain_ipv6,
+-		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv6,
+-		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
+-	},
+ };
+ 
+ static int nf_tables_ipv6_init_net(struct net *net)
+@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_FORWARD) |
+ 			  (1 << NF_INET_PRE_ROUTING) |
+ 			  (1 << NF_INET_POST_ROUTING),
++	.hooks		= {
++		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,
++		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,
++		[NF_INET_FORWARD]	= nft_do_chain_ipv6,
++		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv6,
++		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
++	},
+ };
+ 
+ static int __init nf_tables_ipv6_init(void)
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1352,7 +1352,6 @@ static int nf_tables_addchain(struct nft
+ 	if (nla[NFTA_CHAIN_HOOK]) {
+ 		struct nft_chain_hook hook;
+ 		struct nf_hook_ops *ops;
+-		nf_hookfn *hookfn;
+ 
+ 		err = nft_chain_parse_hook(net, nla, afi, &hook, create);
+ 		if (err < 0)
+@@ -1378,7 +1377,6 @@ static int nf_tables_addchain(struct nft
+ 			static_branch_inc(&nft_counters_enabled);
+ 		}
+ 
+-		hookfn = hook.type->hooks[hook.num];
+ 		basechain->type = hook.type;
+ 		chain = &basechain->chain;
+ 
+@@ -1387,10 +1385,8 @@ static int nf_tables_addchain(struct nft
+ 		ops->hooknum	= hook.num;
+ 		ops->priority	= hook.priority;
+ 		ops->priv	= chain;
+-		ops->hook	= afi->hooks[ops->hooknum];
++		ops->hook	= hook.type->hooks[ops->hooknum];
+ 		ops->dev	= hook.dev;
+-		if (hookfn)
+-			ops->hook = hookfn;
+ 
+ 		if (basechain->type->type == NFT_CHAIN_T_NAT)
+ 			ops->nat_hook = true;
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
+ 	.family		= NFPROTO_INET,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
+-		[NF_INET_LOCAL_OUT]	= nft_inet_output,
+-		[NF_INET_FORWARD]	= nft_do_chain_inet,
+-		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
+-		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,
+-        },
+ };
+ 
+ static int __net_init nf_tables_inet_init_net(struct net *net)
+@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_FORWARD) |
+ 			  (1 << NF_INET_PRE_ROUTING) |
+ 			  (1 << NF_INET_POST_ROUTING),
++	.hooks		= {
++		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
++		[NF_INET_LOCAL_OUT]	= nft_inet_output,
++		[NF_INET_FORWARD]	= nft_do_chain_inet,
++		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
++		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,
++        },
+ };
+ 
+ static int __init nf_tables_inet_init(void)
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
+ 	.nhooks		= NF_NETDEV_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+ 	.flags		= NFT_AF_NEEDS_DEV,
+-	.hooks		= {
+-		[NF_NETDEV_INGRESS]	= nft_do_chain_netdev,
+-	},
+ };
+ 
+ static int nf_tables_netdev_init_net(struct net *net)
+@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
+ 	.family		= NFPROTO_NETDEV,
+ 	.owner		= THIS_MODULE,
+ 	.hook_mask	= (1 << NF_NETDEV_INGRESS),
++	.hooks		= {
++		[NF_NETDEV_INGRESS]	= nft_do_chain_netdev,
++	},
+ };
+ 
+ static void nft_netdev_event(unsigned long event, struct net_device *dev,
-- 
cgit v1.2.3