From: Wang Hai wanghai38@huawei.com
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue CVE: NA
--------
Reserve some fields beforehand for net netfilter framework related structures prone to change.
---------
Signed-off-by: Wang Hai wanghai38@huawei.com Reviewed-by: Wei Yongjun weiyongjun1@huawei.com Reviewed-by: Yue Haibing yuehaibing@huawei.com Signed-off-by: Zheng Zengkai zhengzengkai@huawei.com --- include/linux/netfilter.h | 9 +++++++++ include/linux/netfilter/ipset/ip_set.h | 7 +++++++ include/linux/netfilter/nfnetlink.h | 5 +++++ include/linux/netfilter_ipv6.h | 3 +++ include/net/netfilter/nf_conntrack.h | 4 ++++ include/net/netns/netfilter.h | 3 +++ 6 files changed, 31 insertions(+)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h index 0101747de549..a1a7ab244fdb 100644 --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h @@ -15,6 +15,7 @@ #include <linux/netdevice.h> #include <linux/sockptr.h> #include <net/net_namespace.h> +#include <linux/kabi.h>
static inline int NF_DROP_GETERR(int verdict) { @@ -171,6 +172,8 @@ struct nf_sockopt_ops { int (*get)(struct sock *sk, int optval, void __user *user, int *len); /* Use the module struct to lock set/get code in place */ struct module *owner; + + KABI_RESERVE(1) };
/* Function to register/unregister hook points. */ @@ -373,6 +376,8 @@ struct nf_nat_hook { unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct, enum nf_nat_manip_type mtype, enum ip_conntrack_dir dir); + + KABI_RESERVE(1) };
extern struct nf_nat_hook __rcu *nf_nat_hook; @@ -457,6 +462,8 @@ struct nf_ct_hook { void (*destroy)(struct nf_conntrack *); bool (*get_tuple_skb)(struct nf_conntrack_tuple *, const struct sk_buff *); + + KABI_RESERVE(1) }; extern struct nf_ct_hook __rcu *nf_ct_hook;
@@ -474,6 +481,8 @@ struct nfnl_ct_hook { u32 portid, u32 report); void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info ctinfo, s32 off); + + KABI_RESERVE(1) }; extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h index ab192720e2d6..8123503c4ac4 100644 --- a/include/linux/netfilter/ipset/ip_set.h +++ b/include/linux/netfilter/ipset/ip_set.h @@ -16,6 +16,7 @@ #include <linux/vmalloc.h> #include <net/netlink.h> #include <uapi/linux/netfilter/ipset/ip_set.h> +#include <linux/kabi.h>
#define _IP_SET_MODULE_DESC(a, b, c) \ MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c) @@ -190,6 +191,8 @@ struct ip_set_type_variant { bool (*same_set)(const struct ip_set *a, const struct ip_set *b); /* Region-locking is used */ bool region_lock; + + KABI_RESERVE(1) };
struct ip_set_region { @@ -228,6 +231,8 @@ struct ip_set_type {
/* Set this to THIS_MODULE if you are a module, otherwise NULL */ struct module *me; + + KABI_RESERVE(1) };
/* register and unregister set type */ @@ -270,6 +275,8 @@ struct ip_set { size_t offset[IPSET_EXT_ID_MAX]; /* The type specific data */ void *data; + + KABI_RESERVE(1) };
static inline void diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index f6267e2883f2..90853fdaa971 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h @@ -6,6 +6,7 @@ #include <linux/capability.h> #include <net/netlink.h> #include <uapi/linux/netfilter/nfnetlink.h> +#include <linux/kabi.h>
struct nfnl_callback { int (*call)(struct net *net, struct sock *nl, struct sk_buff *skb, @@ -22,6 +23,8 @@ struct nfnl_callback { struct netlink_ext_ack *extack); const struct nla_policy *policy; /* netlink attribute policy */ const u_int16_t attr_count; /* number of nlattr's */ + + KABI_RESERVE(1) };
enum nfnl_abort_action { @@ -41,6 +44,8 @@ struct nfnetlink_subsystem { enum nfnl_abort_action action); void (*cleanup)(struct net *net); bool (*valid_genid)(struct net *net, u32 genid); + + KABI_RESERVE(1) };
int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n); diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h index 48314ade1506..b1d0b6dee583 100644 --- a/include/linux/netfilter_ipv6.h +++ b/include/linux/netfilter_ipv6.h @@ -9,6 +9,7 @@
#include <uapi/linux/netfilter_ipv6.h> #include <net/tcp.h> +#include <linux/kabi.h>
/* Check for an extension */ static inline int @@ -65,6 +66,8 @@ struct nf_ipv6_ops { const struct nf_bridge_frag_data *data, struct sk_buff *)); #endif + + KABI_RESERVE(1) };
#ifdef CONFIG_NETFILTER diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 439379ca9ffa..e37204d784cb 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -23,6 +23,7 @@ #include <linux/netfilter/nf_conntrack_proto_gre.h>
#include <net/netfilter/nf_conntrack_tuple.h> +#include <linux/kabi.h>
struct nf_ct_udp { unsigned long stream_ts; @@ -105,6 +106,9 @@ struct nf_conn {
/* Storage reserved for other modules, must be the last member */ union nf_conntrack_proto proto; + + KABI_RESERVE(1) + KABI_RESERVE(2) };
static inline struct nf_conn * diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h index ca043342c0eb..1b01427a0d4a 100644 --- a/include/net/netns/netfilter.h +++ b/include/net/netns/netfilter.h @@ -3,6 +3,7 @@ #define __NETNS_NETFILTER_H
#include <linux/netfilter_defs.h> +#include <linux/kabi.h>
struct proc_dir_entry; struct nf_logger; @@ -34,5 +35,7 @@ struct netns_nf { #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6) bool defrag_ipv6; #endif + + KABI_RESERVE(1) }; #endif