Hi David,

The following patchset contains Netfilter updates for net-next:

1) Remove the broute pseudo hook, implement this from the bridge
   prerouting hook instead. Now broute becomes a real table in ebtables,
   from Florian Westphal. This also includes a size reduction patch for
   the bridge control buffer area via squashing boolean into bitfields
   and a selftest.

2) Add OS passive fingerprint version matching, from Fernando Fernandez.

3) Support for gue encapsulation for IPVS, from Jacky Hu.

4) Add support for NAT to the inet family, from Florian Westphal.
   This includes support for masquerade, redirect and nat extensions.

5) Skip interface lookup in flowtable, use device in the dst object.

6) Add jiffies64_to_msecs() and use it, from Li RongQing.

7) Remove unused parameter in nf_tables_set_desc_parse(), from Colin Ian King.

8) Statify several functions, patches from YueHaibing and Florian Westphal.

9) Add an optimized version of nf_inet_addr_cmp(), from Li RongQing.

10) Merge route extension to core, also from Florian.

11) Use IS_ENABLED(CONFIG_NF_NAT) instead of NF_NAT_NEEDED, from Florian.

12) Merge ip/ip6 masquerade extensions, from Florian. This includes
    netdevice notifier unification.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!

----------------------------------------------------------------

The following changes since commit ed514fc5615d7688b7c227a76863e98a92fb0d54:

  cxgb4: Don't return EAGAIN when TCAM is full. (2019-04-08 10:01:50 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to dc2f4189dcd2c87e211d30d9524ae8ebe19af577:

  bridge: only include nf_queue.h if needed (2019-04-15 18:47:36 +0200)

----------------------------------------------------------------
Colin Ian King (1):
      netfilter: nf_tables: remove unused parameter ctx

Fernando Fernandez Mancera (1):
      netfilter: nft_osf: Add version option support

Florian Westphal (14):
      netfilter: nat: add inet family nat support
      netfilter: nf_tables: merge route type into core
      netfilter: replace NF_NAT_NEEDED with IS_ENABLED(CONFIG_NF_NAT)
      netfilter: nft_masq: add inet support
      netfilter: nft_redir: add inet support
      kselftests: extend nft_nat with inet family based nat hooks
      netfilter: make two functions static
      netfilter: nf_nat: merge ip/ip6 masquerade headers
      netfilter: x_tables: merge ip and ipv6 masquerade modules
      netfilter: nf_nat_masquerade: unify ipv4/6 notifier registration
      selftests: netfilter: add ebtables broute test case
      bridge: reduce size of input cb to 16 bytes
      bridge: netfilter: unroll NF_HOOK helper in bridge input path
      bridge: broute: make broute a real ebtables table

Jacky Hu (1):
      ipvs: allow tunneling with gue encapsulation

Li RongQing (2):
      time: Introduce jiffies64_to_msecs()
      netfilter: optimize nf_inet_addr_cmp

Pablo Neira Ayuso (1):
      netfilter: nf_flowtable: skip device lookup from interface index

Stephen Rothwell (1):
      bridge: only include nf_queue.h if needed

YueHaibing (1):
      netfilter: nft_redir: Make nft_redir_dump static

 include/linux/if_bridge.h                          |   3 -
 include/linux/jiffies.h                            |   1 +
 include/linux/netfilter.h                          |   9 +-
 include/linux/netfilter/nfnetlink_osf.h            |  11 +-
 include/linux/netfilter/x_tables.h                 |   1 -
 include/linux/netfilter_ipv6.h                     |  15 ++
 include/net/ip_vs.h                                |   5 +
 include/net/netfilter/ipv4/nf_nat_masquerade.h     |  15 --
 include/net/netfilter/ipv6/nf_nat_masquerade.h     |  11 --
 include/net/netfilter/nf_conntrack_expect.h        |   2 +-
 include/net/netfilter/nf_nat.h                     |   7 +-
 include/net/netfilter/nf_nat_masquerade.h          |  19 +++
 include/net/netfilter/nf_queue.h                   |   3 +
 include/net/netfilter/nf_tables.h                  |   4 +-
 include/uapi/linux/ip_vs.h                         |  11 ++
 include/uapi/linux/netfilter/nf_tables.h           |   6 +
 kernel/time/time.c                                 |  10 ++
 net/bridge/br_arp_nd_proxy.c                       |  18 +--
 net/bridge/br_input.c                              |  77 +++++++---
 net/bridge/br_private.h                            |  15 +-
 net/bridge/netfilter/ebtable_broute.c              |  63 +++++---
 net/bridge/netfilter/ebtables.c                    |   7 +-
 net/ipv4/netfilter/Kconfig                         |  20 +--
 net/ipv4/netfilter/Makefile                        |   2 -
 net/ipv4/netfilter/nft_chain_route_ipv4.c          |  89 -----------
 net/ipv6/netfilter/Kconfig                         |  19 +--
 net/ipv6/netfilter/Makefile                        |   2 -
 net/ipv6/netfilter/ip6t_MASQUERADE.c               |  81 ----------
 net/ipv6/netfilter/nft_chain_route_ipv6.c          |  91 -----------
 net/netfilter/Kconfig                              |  19 ++-
 net/netfilter/Makefile                             |   4 +-
 net/netfilter/core.c                               |   1 +
 net/netfilter/ipvs/ip_vs_ctl.c                     |  35 ++++-
 net/netfilter/ipvs/ip_vs_xmit.c                    |  84 +++++++++-
 net/netfilter/nf_conntrack_expect.c                |   2 +-
 net/netfilter/nf_conntrack_netlink.c               |  16 +-
 net/netfilter/nf_conntrack_sip.c                   |   2 +-
 net/netfilter/nf_flow_table_ip.c                   |  10 +-
 net/netfilter/nf_internals.h                       |   3 -
 net/netfilter/nf_nat_core.c                        |  16 +-
 net/netfilter/nf_nat_masquerade.c                  | 104 +++++--------
 net/netfilter/nf_nat_proto.c                       |  59 ++++---
 net/netfilter/nf_queue.c                           |   1 +
 net/netfilter/nf_tables_api.c                      |  16 +-
 net/netfilter/nfnetlink_osf.c                      |  14 +-
 net/netfilter/nft_chain_nat.c                      |  36 +++++
 net/netfilter/nft_chain_route.c                    | 169 +++++++++++++++++++++
 net/netfilter/nft_masq.c                           |  83 ++++++++--
 net/netfilter/nft_nat.c                            |  58 ++++++-
 net/netfilter/nft_osf.c                            |  30 +++-
 net/netfilter/nft_redir.c                          |  63 +++++++-
 net/netfilter/x_tables.c                           |   3 +-
 .../ipt_MASQUERADE.c => netfilter/xt_MASQUERADE.c} |  84 ++++++----
 net/openvswitch/conntrack.c                        |  18 +--
 tools/testing/selftests/netfilter/Makefile         |   2 +-
 .../testing/selftests/netfilter/bridge_brouter.sh  | 146 ++++++++++++++++++
 tools/testing/selftests/netfilter/nft_nat.sh       | 130 +++++++++++-----
 57 files changed, 1187 insertions(+), 638 deletions(-)
 delete mode 100644 include/net/netfilter/ipv4/nf_nat_masquerade.h
 delete mode 100644 include/net/netfilter/ipv6/nf_nat_masquerade.h
 create mode 100644 include/net/netfilter/nf_nat_masquerade.h
 delete mode 100644 net/ipv4/netfilter/nft_chain_route_ipv4.c
 delete mode 100644 net/ipv6/netfilter/ip6t_MASQUERADE.c
 delete mode 100644 net/ipv6/netfilter/nft_chain_route_ipv6.c
 create mode 100644 net/netfilter/nft_chain_route.c
 rename net/{ipv4/netfilter/ipt_MASQUERADE.c => netfilter/xt_MASQUERADE.c} (52%)
 create mode 100755 tools/testing/selftests/netfilter/bridge_brouter.sh