diff options
author | David S. Miller <davem@davemloft.net> | 2016-08-30 22:02:09 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2016-08-30 22:02:09 -0700 |
commit | 2df5d103a646998c672a34db74d15613cf7a716d (patch) | |
tree | d4aab51b02b7b93a046e9df3ae8cd3f72add4692 /include | |
parent | 15543692a010192b4264ade0d45390e8bb3dc639 (diff) | |
parent | c73c2484901139c28383b58eabcbf4d613e91518 (diff) | |
download | linux-stable-2df5d103a646998c672a34db74d15613cf7a716d.tar.gz linux-stable-2df5d103a646998c672a34db74d15613cf7a716d.tar.bz2 linux-stable-2df5d103a646998c672a34db74d15613cf7a716d.zip |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Allow nf_tables reject expression from input, forward and output hooks,
since only there the routing information is available, otherwise we crash.
2) Fix unsafe list iteration when flushing timeout and accouting objects.
3) Fix refcount leak on timeout policy parsing failure.
4) Unlink timeout object for unconfirmed conntracks too
5) Missing validation of pkttype mangling from bridge family.
6) Fix refcount leak on ebtables on second lookup for the specific
bridge match extension, this patch from Sabrina Dubroca.
7) Remove unnecessary ip_hdr() in nf_tables_netdev family.
Patches from 1-5 and 7 from Liping Zhang.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/net/netfilter/nft_meta.h | 4 | ||||
-rw-r--r-- | include/net/netfilter/nft_reject.h | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/include/net/netfilter/nft_meta.h b/include/net/netfilter/nft_meta.h index d27588c8dbd9..1139cde0fdc5 100644 --- a/include/net/netfilter/nft_meta.h +++ b/include/net/netfilter/nft_meta.h @@ -36,4 +36,8 @@ void nft_meta_set_eval(const struct nft_expr *expr, void nft_meta_set_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr); +int nft_meta_set_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data); + #endif diff --git a/include/net/netfilter/nft_reject.h b/include/net/netfilter/nft_reject.h index 60fa1530006b..02e28c529b29 100644 --- a/include/net/netfilter/nft_reject.h +++ b/include/net/netfilter/nft_reject.h @@ -8,6 +8,10 @@ struct nft_reject { extern const struct nla_policy nft_reject_policy[]; +int nft_reject_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data); + int nft_reject_init(const struct nft_ctx *ctx, const struct nft_expr *expr, const struct nlattr * const tb[]); |