Hi Pablo, Sorry for late review - found this email in my spam folder. On Thu, Oct 10, 2024 at 02:58:58PM +0200, Pablo Neira Ayuso wrote:
> Fetch what we have in the kernel tree.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> include/linux/netfilter/nf_tables.h | 46 +++++++++++++++++++++++------
> 1 file changed, 37 insertions(+), 9 deletions(-)
>
> diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
> index c48b19333630..9e9079321380 100644
> --- a/include/linux/netfilter/nf_tables.h
> +++ b/include/linux/netfilter/nf_tables.h
> @@ -97,6 +97,15 @@ enum nft_verdicts {
> * @NFT_MSG_NEWFLOWTABLE: add new flow table (enum nft_flowtable_attributes)
> * @NFT_MSG_GETFLOWTABLE: get flow table (enum nft_flowtable_attributes)
> * @NFT_MSG_DELFLOWTABLE: delete flow table (enum nft_flowtable_attributes)
> + * @NFT_MSG_GETRULE_RESET: get rules and reset stateful expressions (enum nft_obj_attributes)
> + * @NFT_MSG_DESTROYTABLE: destroy a table (enum nft_table_attributes)
> + * @NFT_MSG_DESTROYCHAIN: destroy a chain (enum nft_chain_attributes)
> + * @NFT_MSG_DESTROYRULE: destroy a rule (enum nft_rule_attributes)
> + * @NFT_MSG_DESTROYSET: destroy a set (enum nft_set_attributes)
> + * @NFT_MSG_DESTROYSETELEM: destroy a set element (enum nft_set_elem_attributes)
> + * @NFT_MSG_DESTROYOBJ: destroy a stateful object (enum nft_object_attributes)
> + * @NFT_MSG_DESTROYFLOWTABLE: destroy flow table (enum nft_flowtable_attributes)
> + * @NFT_MSG_GETSETELEM_RESET: get set elements and reset attached stateful expressions (enum nft_set_elem_attributes)
> */
> enum nf_tables_msg_types {
> NFT_MSG_NEWTABLE,
> @@ -124,6 +133,15 @@ enum nf_tables_msg_types {
> NFT_MSG_NEWFLOWTABLE,
> NFT_MSG_GETFLOWTABLE,
> NFT_MSG_DELFLOWTABLE,
> + NFT_MSG_GETRULE_RESET,
> + NFT_MSG_DESTROYTABLE,
> + NFT_MSG_DESTROYCHAIN,
> + NFT_MSG_DESTROYRULE,
> + NFT_MSG_DESTROYSET,
> + NFT_MSG_DESTROYSETELEM,
> + NFT_MSG_DESTROYOBJ,
> + NFT_MSG_DESTROYFLOWTABLE,
> + NFT_MSG_GETSETELEM_RESET,
> NFT_MSG_MAX,
> };
>
> @@ -161,13 +179,17 @@ enum nft_hook_attributes {
> * enum nft_table_flags - nf_tables table flags
> *
> * @NFT_TABLE_F_DORMANT: this table is not active
> + * @NFT_TABLE_F_OWNER: this table is owned by a process
> + * @NFT_TABLE_F_PERSIST: this table shall outlive its owner
> */
> enum nft_table_flags {
> NFT_TABLE_F_DORMANT = 0x1,
> NFT_TABLE_F_OWNER = 0x2,
> + NFT_TABLE_F_PERSIST = 0x4,
> };
> #define NFT_TABLE_F_MASK (NFT_TABLE_F_DORMANT | \
> - NFT_TABLE_F_OWNER)
> + NFT_TABLE_F_OWNER | \
> + NFT_TABLE_F_PERSIST)
>
> /**
> * enum nft_table_attributes - nf_tables table netlink attributes
> @@ -245,6 +267,7 @@ enum nft_chain_attributes {
> * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
> * @NFTA_RULE_ID: uniquely identifies a rule in a transaction (NLA_U32)
> * @NFTA_RULE_POSITION_ID: transaction unique identifier of the previous rule (NLA_U32)
> + * @NFTA_RULE_CHAIN_ID: add the rule to chain by ID, alternative to @NFTA_RULE_CHAIN (NLA_U32)
> */
> enum nft_rule_attributes {
> NFTA_RULE_UNSPEC,
> @@ -266,9 +289,11 @@ enum nft_rule_attributes {
> /**
> * enum nft_rule_compat_flags - nf_tables rule compat flags
> *
> + * @NFT_RULE_COMPAT_F_UNUSED: unused
> * @NFT_RULE_COMPAT_F_INV: invert the check result
> */
> enum nft_rule_compat_flags {
> + NFT_RULE_COMPAT_F_UNUSED = (1 << 0),
> NFT_RULE_COMPAT_F_INV = (1 << 1),
> NFT_RULE_COMPAT_F_MASK = NFT_RULE_COMPAT_F_INV,
> };
> @@ -411,7 +436,7 @@ enum nft_set_elem_flags {
> * @NFTA_SET_ELEM_KEY: key value (NLA_NESTED: nft_data)
> * @NFTA_SET_ELEM_DATA: data value of mapping (NLA_NESTED: nft_data_attributes)
> * @NFTA_SET_ELEM_FLAGS: bitmask of nft_set_elem_flags (NLA_U32)
> - * @NFTA_SET_ELEM_TIMEOUT: timeout value (NLA_U64)
> + * @NFTA_SET_ELEM_TIMEOUT: timeout value, zero means never times out (NLA_U64)
> * @NFTA_SET_ELEM_EXPIRATION: expiration time (NLA_U64)
> * @NFTA_SET_ELEM_USERDATA: user data (NLA_BINARY)
> * @NFTA_SET_ELEM_EXPR: expression (NLA_NESTED: nft_expr_attributes)
> @@ -669,7 +694,7 @@ enum nft_range_ops {
> * enum nft_range_attributes - nf_tables range expression netlink attributes
> *
> * @NFTA_RANGE_SREG: source register of data to compare (NLA_U32: nft_registers)
> - * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_cmp_ops)
> + * @NFTA_RANGE_OP: cmp operation (NLA_U32: nft_range_ops)
> * @NFTA_RANGE_FROM_DATA: data range from (NLA_NESTED: nft_data_attributes)
> * @NFTA_RANGE_TO_DATA: data range to (NLA_NESTED: nft_data_attributes)
> */
> @@ -783,6 +808,7 @@ enum nft_payload_csum_flags {
> enum nft_inner_type {
> NFT_INNER_UNSPEC = 0,
> NFT_INNER_VXLAN,
> + NFT_INNER_GENEVE,
> };
>
> enum nft_inner_flags {
> @@ -792,7 +818,7 @@ enum nft_inner_flags {
> NFT_INNER_TH = (1 << 3),
> };
> #define NFT_INNER_MASK (NFT_INNER_HDRSIZE | NFT_INNER_LL | \
> - NFT_INNER_NH | NFT_INNER_TH)
> + NFT_INNER_NH | NFT_INNER_TH)
>
> enum nft_inner_attributes {
> NFTA_INNER_UNSPEC,
> @@ -842,12 +868,14 @@ enum nft_exthdr_flags {
> * @NFT_EXTHDR_OP_TCP: match against tcp options
> * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
> * @NFT_EXTHDR_OP_SCTP: match against sctp chunks
> + * @NFT_EXTHDR_OP_DCCP: match against dccp otions
> */
> enum nft_exthdr_op {
> NFT_EXTHDR_OP_IPV6,
> NFT_EXTHDR_OP_TCPOPT,
> NFT_EXTHDR_OP_IPV4,
> NFT_EXTHDR_OP_SCTP,
> + NFT_EXTHDR_OP_DCCP,
> __NFT_EXTHDR_OP_MAX
> };
> #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1)
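Review bot: The added kernel-doc line `+ * @NFT_EXTHDR_OP_DCCP: match against dccp otions` in the nft_exthdr_op hunk carries a typo ("otions" for "options") into the cached copy of the header. Because this file is a verbatim mirror of the kernel's UAPI header, the wording is best corrected in the kernel tree first, so that the next sync does not reintroduce it; patching it only locally would make the cached copy diverge from its source. The kernel-doc comment block for enum nft_exthdr_op begins outside the hunk.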
> @@ -861,7 +889,7 @@ enum nft_exthdr_op {
> * @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
> * @NFTA_EXTHDR_FLAGS: extension header flags (NLA_U32)
> * @NFTA_EXTHDR_OP: option match type (NLA_U32)
> - * @NFTA_EXTHDR_SREG: option match type (NLA_U32)
> + * @NFTA_EXTHDR_SREG: source register (NLA_U32: nft_registers)
> */
> enum nft_exthdr_attributes {
> NFTA_EXTHDR_UNSPEC,
> @@ -1245,10 +1273,10 @@ enum nft_last_attributes {
> /**
> * enum nft_log_attributes - nf_tables log expression netlink attributes
> *
> - * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U32)
> + * @NFTA_LOG_GROUP: netlink group to send messages to (NLA_U16)
> * @NFTA_LOG_PREFIX: prefix to prepend to log messages (NLA_STRING)
> * @NFTA_LOG_SNAPLEN: length of payload to include in netlink message (NLA_U32)
> - * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U32)
> + * @NFTA_LOG_QTHRESHOLD: queue threshold (NLA_U16)
> * @NFTA_LOG_LEVEL: log level (NLA_U32)
> * @NFTA_LOG_FLAGS: logging flags (NLA_U32)
> */
> @@ -1348,7 +1376,7 @@ enum nft_secmark_attributes {
> #define NFTA_SECMARK_MAX (__NFTA_SECMARK_MAX - 1)
>
> /* Max security context length */
> -#define NFT_SECMARK_CTX_MAXLEN 256
> +#define NFT_SECMARK_CTX_MAXLEN 4096
>
> /**
> * enum nft_reject_types - nf_tables reject expression reject types
> @@ -1666,7 +1694,7 @@ enum nft_flowtable_flags {
> *
> * @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
> * @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
> - * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
> + * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
> * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
> * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
> * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
> --
> 2.30.2
>
Suggest a better patch would be to delete this file. linux/netfilter/nf_tables.h is generated by kernel `make headers_install`, as is linux/errno.h (required by errno.h) and asm/socket.h (required by sys/socket.h). We don't cache linux/errno.h or asm/socket.h, so why cache linux/netfilter/nf_tables.h? Cheers ... Duncan.