
From: Wang Hai <wanghai38@huawei.com>
hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I8OWRC
CVE: NA
--------
Reserve some fields beforehand for net netfilter framework related structures prone to change.
---------
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
---
include/linux/netfilter.h | 9 +++++++++
include/linux/netfilter/ipset/ip_set.h | 7 +++++++
include/linux/netfilter/nfnetlink.h | 5 +++++
include/linux/netfilter_ipv6.h | 3 +++
include/net/netfilter/nf_conntrack.h | 4 ++++
include/net/netns/netfilter.h | 3 +++
6 files changed, 31 insertions(+)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index d68644b7c299..8be96020e32f 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -16,6 +16,7 @@
 #include <linux/netdevice.h>
 #include <linux/sockptr.h>
 #include <net/net_namespace.h>
+#include <linux/kabi.h>
 static inline int NF_DROP_GETERR(int verdict)
 {
@@ -179,6 +180,8 @@ struct nf_sockopt_ops {
 int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 /* Use the module struct to lock set/get code in place */
 struct module *owner;
+
+ KABI_RESERVE(1)
 };
 /* Function to register/unregister hook points. */
@@ -377,6 +380,8 @@ struct nf_nat_hook {
 enum nf_nat_manip_type mtype, enum ip_conntrack_dir dir);
 void (*remove_nat_bysrc)(struct nf_conn *ct);
+
+ KABI_RESERVE(1)
 };
 extern const struct nf_nat_hook __rcu *nf_nat_hook;
@@ -464,6 +469,8 @@ struct nf_ct_hook {
 const struct sk_buff *);
 void (*attach)(struct sk_buff *nskb, const struct sk_buff *skb);
 void (*set_closing)(struct nf_conntrack *nfct);
+
+ KABI_RESERVE(1)
 };
 extern const struct nf_ct_hook __rcu *nf_ct_hook;
@@ -479,6 +486,8 @@ struct nfnl_ct_hook {
 u32 portid, u32 report);
 void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, s32 off);
+
+ KABI_RESERVE(1)
 };
 extern const struct nfnl_ct_hook __rcu *nfnl_ct_hook;
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index e8c350a3ade1..23395a4393f2 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -16,6 +16,7 @@
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
 #include <uapi/linux/netfilter/ipset/ip_set.h>
+#include <linux/kabi.h>
 #define _IP_SET_MODULE_DESC(a, b, c) \
 MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
@@ -188,6 +189,8 @@ struct ip_set_type_variant {
 bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
 /* Region-locking is used */
 bool region_lock;
+
+ KABI_RESERVE(1)
 };
 struct ip_set_region {
@@ -234,6 +237,8 @@ struct ip_set_type {
 /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 struct module *me;
+
+ KABI_RESERVE(1)
 };
 /* register and unregister set type */
@@ -276,6 +281,8 @@ struct ip_set {
 size_t offset[IPSET_EXT_ID_MAX];
 /* The type specific data */
 void *data;
+
+ KABI_RESERVE(1)
 };
 static inline void
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index e9a9ab34a7cc..fe320c791949 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -6,6 +6,7 @@
 #include <linux/capability.h>
 #include <net/netlink.h>
 #include <uapi/linux/netfilter/nfnetlink.h>
+#include <linux/kabi.h>
 struct nfnl_info {
 struct net *net;
@@ -28,6 +29,8 @@ struct nfnl_callback {
 const struct nla_policy *policy;
 enum nfnl_callback_type type;
 __u16 attr_count;
+
+ KABI_RESERVE(1)
 };
 enum nfnl_abort_action {
@@ -46,6 +49,8 @@ struct nfnetlink_subsystem {
 int (*abort)(struct net *net, struct sk_buff *skb, enum nfnl_abort_action action);
 bool (*valid_genid)(struct net *net, u32 genid);
+
+ KABI_RESERVE(1)
 };
 int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 7834c0be2831..cbb47065664d 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -9,6 +9,7 @@
 #include <uapi/linux/netfilter_ipv6.h>
 #include <net/tcp.h>
+#include <linux/kabi.h>
 /* Check for an extension */
 static inline int
@@ -65,6 +66,8 @@ struct nf_ipv6_ops {
 const struct nf_bridge_frag_data *data, struct sk_buff *));
 #endif
+
+ KABI_RESERVE(1)
 };
 #ifdef CONFIG_NETFILTER
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 4085765c3370..607e930d5b33 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,6 +23,7 @@
 #include <linux/netfilter/nf_conntrack_proto_gre.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
+#include <linux/kabi.h>
 struct nf_ct_udp {
 unsigned long stream_ts;
@@ -123,6 +124,9 @@ struct nf_conn {
 /* Storage reserved for other modules, must be the last member */
 union nf_conntrack_proto proto;
+
+ KABI_RESERVE(1)
+ KABI_RESERVE(2)
 };
 static inline struct nf_conn *
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index 02bbdc577f8e..ca829559e7ec 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -3,6 +3,7 @@
 #define __NETNS_NETFILTER_H
 #include <linux/netfilter_defs.h>
+#include <linux/kabi.h>
 struct proc_dir_entry;
 struct nf_logger;
@@ -30,5 +31,7 @@ struct netns_nf {
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 unsigned int defrag_ipv6_users;
 #endif
+
+ KABI_RESERVE(1)
 };
 #endif
-- 
2.34.1
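Review bot: In the nf_conn hunk the two `KABI_RESERVE` slots are placed after `union nf_conntrack_proto proto;`, while the unchanged comment directly above that member still says it `must be the last member`, so the header now contradicts itself. If nothing in the conntrack allocation or extension code still relies on `proto` being the trailing member, the comment should be corrected in the same change, e.g. `/* Storage reserved for other modules; KABI padding follows */`; if something does rely on it (not visible here, since the body of `struct nf_conn` starts outside the hunk), the two reserve lines belong before `proto` instead. None of the other structs in this patch carry such a last-member constraint, so the question is specific to this hunk.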