kabi: net: reserve space for net netfilter subsystem related structure

hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue CVE: NA -------- Reserve some fields beforehand for net netfilter framework related structures prone to change. --------- Signed-off-by: N Wang Hai <wanghai38@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

kabi: net: reserve space for net netfilter subsystem related structure
hulk inclusion category: feature bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue CVE: NA -------- Reserve some fields beforehand for net netfilter framework related structures prone to change. --------- Signed-off-by: N Wang Hai <wanghai38@huawei.com> Reviewed-by: N Wei Yongjun <weiyongjun1@huawei.com> Reviewed-by: N Yue Haibing <yuehaibing@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
25374f86 · Wang Hai · Zheng Zengkai · 8b48fcfc · 25374f86 · 25374f86
6 changed file
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/sockptr.h>
 #include <net/net_namespace.h>
+#include <linux/kabi.h>

 static inline int NF_DROP_GETERR(int verdict)
 {
@@ -171,6 +172,8 @@ struct nf_sockopt_ops {
 	int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 	/* Use the module struct to lock set/get code in place */
 	struct module *owner;
+
+	KABI_RESERVE(1)
 };

 /* Function to register/unregister hook points. */
@@ -373,6 +376,8 @@ struct nf_nat_hook {
 	unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct,
 				  enum nf_nat_manip_type mtype,
 				  enum ip_conntrack_dir dir);
+
+	KABI_RESERVE(1)
 };

 extern struct nf_nat_hook __rcu *nf_nat_hook;
@@ -457,6 +462,8 @@ struct nf_ct_hook {
 	void (*destroy)(struct nf_conntrack *);
 	bool (*get_tuple_skb)(struct nf_conntrack_tuple *,
 			      const struct sk_buff *);
+
+	KABI_RESERVE(1)
 };
 extern struct nf_ct_hook __rcu *nf_ct_hook;

@@ -474,6 +481,8 @@ struct nfnl_ct_hook {
 			     u32 portid, u32 report);
 	void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
 			   enum ip_conntrack_info ctinfo, s32 off);
+
+	KABI_RESERVE(1)
 };
 extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;


--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -16,6 +16,7 @@
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
 #include <uapi/linux/netfilter/ipset/ip_set.h>
+#include <linux/kabi.h>

 #define _IP_SET_MODULE_DESC(a, b, c)		\
 	MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
@@ -190,6 +191,8 @@ struct ip_set_type_variant {
 	bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
 	/* Region-locking is used */
 	bool region_lock;
+
+	KABI_RESERVE(1)
 };

 struct ip_set_region {
@@ -228,6 +231,8 @@ struct ip_set_type {

 	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
 	struct module *me;
+
+	KABI_RESERVE(1)
 };

 /* register and unregister set type */
@@ -270,6 +275,8 @@ struct ip_set {
 	size_t offset[IPSET_EXT_ID_MAX];
 	/* The type specific data */
 	void *data;
+
+	KABI_RESERVE(1)
 };

 static inline void

--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -6,6 +6,7 @@
 #include <linux/capability.h>
 #include <net/netlink.h>
 #include <uapi/linux/netfilter/nfnetlink.h>
+#include <linux/kabi.h>

 struct nfnl_callback {
 	int (*call)(struct net *net, struct sock *nl, struct sk_buff *skb,
@@ -22,6 +23,8 @@ struct nfnl_callback {
 			  struct netlink_ext_ack *extack);
 	const struct nla_policy *policy;	/* netlink attribute policy */
 	const u_int16_t attr_count;		/* number of nlattr's */
+
+	KABI_RESERVE(1)
 };

 enum nfnl_abort_action {
@@ -41,6 +44,8 @@ struct nfnetlink_subsystem {
 		     enum nfnl_abort_action action);
 	void (*cleanup)(struct net *net);
 	bool (*valid_genid)(struct net *net, u32 genid);
+
+	KABI_RESERVE(1)
 };

 int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);

--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -9,6 +9,7 @@

 #include <uapi/linux/netfilter_ipv6.h>
 #include <net/tcp.h>
+#include <linux/kabi.h>

 /* Check for an extension */
 static inline int
@@ -65,6 +66,8 @@ struct nf_ipv6_ops {
 					 const struct nf_bridge_frag_data *data,
 					 struct sk_buff *));
 #endif
+
+	KABI_RESERVE(1)
 };

 #ifdef CONFIG_NETFILTER

--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,6 +23,7 @@
 #include <linux/netfilter/nf_conntrack_proto_gre.h>

 #include <net/netfilter/nf_conntrack_tuple.h>
+#include <linux/kabi.h>

 struct nf_ct_udp {
 	unsigned long	stream_ts;
@@ -105,6 +106,9 @@ struct nf_conn {

 	/* Storage reserved for other modules, must be the last member */
 	union nf_conntrack_proto proto;
+
+	KABI_RESERVE(1)
+	KABI_RESERVE(2)
 };

 static inline struct nf_conn *

--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -3,6 +3,7 @@
 #define __NETNS_NETFILTER_H

 #include <linux/netfilter_defs.h>
+#include <linux/kabi.h>

 struct proc_dir_entry;
 struct nf_logger;
@@ -34,5 +35,7 @@ struct netns_nf {
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 	bool			defrag_ipv6;
 #endif
+
+	KABI_RESERVE(1)
 };
 #endif