Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
- include/net/netns/netfilter.h | 3 ++
- net/netfilter/core.c | 13 ++++-
- net/netfilter/nf_conntrack_standalone.c | 15 ------
- net/netfilter/nf_hooks_lwtunnel.c | 67 +++++++++++++++++++++++++
- net/netfilter/nf_internals.h | 6 +++
+ include/net/netns/netfilter.h | 3 +
+ net/netfilter/core.c | 13 +++++-
+ net/netfilter/nf_conntrack_standalone.c | 15 -------
+ net/netfilter/nf_hooks_lwtunnel.c | 67 ++++++++++++++++++++++++++++++++
+ net/netfilter/nf_internals.h | 6 ++
5 files changed, 87 insertions(+), 17 deletions(-)
-diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
-index 02bbdc577f8e2..a6a0bf4a247e5 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -15,6 +15,9 @@ struct netns_nf {
#endif
struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS];
struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS];
-diff --git a/net/netfilter/core.c b/net/netfilter/core.c
-index ef4e76e5aef9f..7bae43b00ebbe 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -815,12 +815,21 @@ int __init netfilter_init(void)
unregister_pernet_subsys(&netfilter_net_ops);
err:
return ret;
-diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
-index 2f226cfb32d04..f713df823daaf 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -22,9 +22,6 @@
- NF_SYSCTL_CT_LWTUNNEL,
-#endif
- NF_SYSCTL_CT_LAST_SYSCTL,
+ __NF_SYSCTL_CT_LAST_SYSCTL,
};
-@@ -946,15 +940,6 @@ static struct ctl_table nf_ct_sysctl_table[] = {
+@@ -948,15 +942,6 @@ static struct ctl_table nf_ct_sysctl_tab
.proc_handler = proc_dointvec_jiffies,
},
#endif
- .proc_handler = nf_hooks_lwtunnel_sysctl_handler,
- },
-#endif
+ {}
};
- static struct ctl_table nf_ct_netfilter_table[] = {
-diff --git a/net/netfilter/nf_hooks_lwtunnel.c b/net/netfilter/nf_hooks_lwtunnel.c
-index 00e89ffd78f69..7cdb59bb4459f 100644
--- a/net/netfilter/nf_hooks_lwtunnel.c
+++ b/net/netfilter/nf_hooks_lwtunnel.c
@@ -3,6 +3,9 @@
static inline int nf_hooks_lwtunnel_get(void)
{
-@@ -50,4 +53,68 @@ int nf_hooks_lwtunnel_sysctl_handler(struct ctl_table *table, int write,
+@@ -50,4 +53,68 @@ int nf_hooks_lwtunnel_sysctl_handler(str
return ret;
}
EXPORT_SYMBOL_GPL(nf_hooks_lwtunnel_sysctl_handler);
+ unregister_pernet_subsys(&nf_lwtunnel_net_ops);
+}
#endif /* CONFIG_SYSCTL */
-diff --git a/net/netfilter/nf_internals.h b/net/netfilter/nf_internals.h
-index 832ae64179f0f..25403023060b6 100644
--- a/net/netfilter/nf_internals.h
+++ b/net/netfilter/nf_internals.h
-@@ -29,6 +29,12 @@ void nf_queue_nf_hook_drop(struct net *net);
+@@ -29,6 +29,12 @@ void nf_queue_nf_hook_drop(struct net *n
/* nf_log.c */
int __init netfilter_log_init(void);
/* core.c */
void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp,
const struct nf_hook_ops *reg);
---
-2.43.0
-
+++ /dev/null
-From acebfc7a8b83df4199a3a8c7c5c109a844754f97 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 1 May 2024 11:29:30 +0200
-Subject: netfilter: Remove the now superfluous sentinel elements from
- ctl_table array
-
-From: Joel Granados <j.granados@samsung.com>
-
-[ Upstream commit 635470eb0aa71ba41c47593c66f65ac1e5d59dd7 ]
-
-This commit comes at the tail end of a greater effort to remove the
-empty elements at the end of the ctl_table arrays (sentinels) which will
-reduce the overall build time size of the kernel and run time memory
-bloat by ~64 bytes per sentinel (further information Link :
-https://lore.kernel.org/all/ZO5Yx5JFogGi%2FcBo@bombadil.infradead.org/)
-
-* Remove sentinel elements from ctl_table structs
-* Remove instances where an array element is zeroed out to make it look
- like a sentinel. This is not longer needed and is safe after commit
- c899710fe7f9 ("networking: Update to register_net_sysctl_sz") added
- the array size to the ctl_table registration
-* Remove the need for having __NF_SYSCTL_CT_LAST_SYSCTL as the
- sysctl array size is now in NF_SYSCTL_CT_LAST_SYSCTL
-* Remove extra element in ctl_table arrays declarations
-
-Acked-by: Kees Cook <keescook@chromium.org> # loadpin & yama
-Signed-off-by: Joel Granados <j.granados@samsung.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Stable-dep-of: a2225e0250c5 ("netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core")
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- net/bridge/br_netfilter_hooks.c | 1 -
- net/ipv6/netfilter/nf_conntrack_reasm.c | 1 -
- net/netfilter/ipvs/ip_vs_ctl.c | 5 +----
- net/netfilter/ipvs/ip_vs_lblc.c | 5 +----
- net/netfilter/ipvs/ip_vs_lblcr.c | 5 +----
- net/netfilter/nf_conntrack_standalone.c | 6 +-----
- net/netfilter/nf_log.c | 3 +--
- 7 files changed, 5 insertions(+), 21 deletions(-)
-
-diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
-index d848c84ed030d..9a875329d4193 100644
---- a/net/bridge/br_netfilter_hooks.c
-+++ b/net/bridge/br_netfilter_hooks.c
-@@ -1229,7 +1229,6 @@ static struct ctl_table brnf_table[] = {
- .mode = 0644,
- .proc_handler = brnf_sysctl_call_tables,
- },
-- { }
- };
-
- static inline void br_netfilter_sysctl_default(struct brnf_net *brnf)
-diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
-index efbec7ee27d0a..2379d8edbb175 100644
---- a/net/ipv6/netfilter/nf_conntrack_reasm.c
-+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
-@@ -62,7 +62,6 @@ static struct ctl_table nf_ct_frag6_sysctl_table[] = {
- .mode = 0644,
- .proc_handler = proc_doulongvec_minmax,
- },
-- { }
- };
-
- static int nf_ct_frag6_sysctl_register(struct net *net)
-diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
-index 143a341bbc0a4..50b5dbe40eb85 100644
---- a/net/netfilter/ipvs/ip_vs_ctl.c
-+++ b/net/netfilter/ipvs/ip_vs_ctl.c
-@@ -2263,7 +2263,6 @@ static struct ctl_table vs_vars[] = {
- .proc_handler = proc_dointvec,
- },
- #endif
-- { }
- };
-
- #endif
-@@ -4286,10 +4285,8 @@ static int __net_init ip_vs_control_net_init_sysctl(struct netns_ipvs *ipvs)
- return -ENOMEM;
-
- /* Don't export sysctls to unprivileged users */
-- if (net->user_ns != &init_user_ns) {
-- tbl[0].procname = NULL;
-+ if (net->user_ns != &init_user_ns)
- ctl_table_size = 0;
-- }
- } else
- tbl = vs_vars;
- /* Initialize sysctl defaults */
-diff --git a/net/netfilter/ipvs/ip_vs_lblc.c b/net/netfilter/ipvs/ip_vs_lblc.c
-index cf78ba4ce5ffd..86c50234241fb 100644
---- a/net/netfilter/ipvs/ip_vs_lblc.c
-+++ b/net/netfilter/ipvs/ip_vs_lblc.c
-@@ -123,7 +123,6 @@ static struct ctl_table vs_vars_table[] = {
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
-- { }
- };
- #endif
-
-@@ -563,10 +562,8 @@ static int __net_init __ip_vs_lblc_init(struct net *net)
- return -ENOMEM;
-
- /* Don't export sysctls to unprivileged users */
-- if (net->user_ns != &init_user_ns) {
-- ipvs->lblc_ctl_table[0].procname = NULL;
-+ if (net->user_ns != &init_user_ns)
- vars_table_size = 0;
-- }
-
- } else
- ipvs->lblc_ctl_table = vs_vars_table;
-diff --git a/net/netfilter/ipvs/ip_vs_lblcr.c b/net/netfilter/ipvs/ip_vs_lblcr.c
-index 9eddf118b40ec..150849f1fb351 100644
---- a/net/netfilter/ipvs/ip_vs_lblcr.c
-+++ b/net/netfilter/ipvs/ip_vs_lblcr.c
-@@ -294,7 +294,6 @@ static struct ctl_table vs_vars_table[] = {
- .mode = 0644,
- .proc_handler = proc_dointvec_jiffies,
- },
-- { }
- };
- #endif
-
-@@ -749,10 +748,8 @@ static int __net_init __ip_vs_lblcr_init(struct net *net)
- return -ENOMEM;
-
- /* Don't export sysctls to unprivileged users */
-- if (net->user_ns != &init_user_ns) {
-- ipvs->lblcr_ctl_table[0].procname = NULL;
-+ if (net->user_ns != &init_user_ns)
- vars_table_size = 0;
-- }
- } else
- ipvs->lblcr_ctl_table = vs_vars_table;
- ipvs->sysctl_lblcr_expiration = DEFAULT_EXPIRATION;
-diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
-index 0ee98ce5b8165..2f226cfb32d04 100644
---- a/net/netfilter/nf_conntrack_standalone.c
-+++ b/net/netfilter/nf_conntrack_standalone.c
-@@ -616,11 +616,9 @@ enum nf_ct_sysctl_index {
- NF_SYSCTL_CT_LWTUNNEL,
- #endif
-
-- __NF_SYSCTL_CT_LAST_SYSCTL,
-+ NF_SYSCTL_CT_LAST_SYSCTL,
- };
-
--#define NF_SYSCTL_CT_LAST_SYSCTL (__NF_SYSCTL_CT_LAST_SYSCTL + 1)
--
- static struct ctl_table nf_ct_sysctl_table[] = {
- [NF_SYSCTL_CT_MAX] = {
- .procname = "nf_conntrack_max",
-@@ -957,7 +955,6 @@ static struct ctl_table nf_ct_sysctl_table[] = {
- .proc_handler = nf_hooks_lwtunnel_sysctl_handler,
- },
- #endif
-- {}
- };
-
- static struct ctl_table nf_ct_netfilter_table[] = {
-@@ -968,7 +965,6 @@ static struct ctl_table nf_ct_netfilter_table[] = {
- .mode = 0644,
- .proc_handler = proc_dointvec,
- },
-- { }
- };
-
- static void nf_conntrack_standalone_init_tcp_sysctl(struct net *net,
-diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
-index e16f158388bbe..0870a0e067a84 100644
---- a/net/netfilter/nf_log.c
-+++ b/net/netfilter/nf_log.c
-@@ -390,7 +390,7 @@ static const struct seq_operations nflog_seq_ops = {
-
- #ifdef CONFIG_SYSCTL
- static char nf_log_sysctl_fnames[NFPROTO_NUMPROTO-NFPROTO_UNSPEC][3];
--static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO+1];
-+static struct ctl_table nf_log_sysctl_table[NFPROTO_NUMPROTO];
- static struct ctl_table_header *nf_log_sysctl_fhdr;
-
- static struct ctl_table nf_log_sysctl_ftable[] = {
-@@ -401,7 +401,6 @@ static struct ctl_table nf_log_sysctl_ftable[] = {
- .mode = 0644,
- .proc_handler = proc_dointvec,
- },
-- { }
- };
-
- static int nf_log_proc_dostring(struct ctl_table *table, int write,
---
-2.43.0
-
projects / thirdparty / kernel / stable-queue.git / commitdiff
