From 25374f868385ed000e10519f8b5900f5274154de Mon Sep 17 00:00:00 2001
From: Wang Hai <wanghai38@huawei.com>
Date: Fri, 31 Dec 2021 15:59:37 +0800
Subject: [PATCH] kabi: net: reserve space for net netfilter subsystem related
 structure

hulk inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/I4HE7P?from=project-issue
CVE: NA

--------

Reserve some fields beforehand for net netfilter framework related structures prone
to change.

---------

Signed-off-by: Wang Hai <wanghai38@huawei.com>
Reviewed-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Yue Haibing <yuehaibing@huawei.com>
Signed-off-by: Zheng Zengkai <zhengzengkai@huawei.com>
---
 include/linux/netfilter.h              | 9 +++++++++
 include/linux/netfilter/ipset/ip_set.h | 7 +++++++
 include/linux/netfilter/nfnetlink.h    | 5 +++++
 include/linux/netfilter_ipv6.h         | 3 +++
 include/net/netfilter/nf_conntrack.h   | 4 ++++
 include/net/netns/netfilter.h          | 3 +++
 6 files changed, 31 insertions(+)

diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 0101747de549..a1a7ab244fdb 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -15,6 +15,7 @@
 #include <linux/netdevice.h>
 #include <linux/sockptr.h>
 #include <net/net_namespace.h>
+#include <linux/kabi.h>
 
 static inline int NF_DROP_GETERR(int verdict)
 {
@@ -171,6 +172,8 @@ struct nf_sockopt_ops {
 	int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 	/* Use the module struct to lock set/get code in place */
 	struct module *owner;
+
+	KABI_RESERVE(1)
 };
 
 /* Function to register/unregister hook points. */
@@ -373,6 +376,8 @@ struct nf_nat_hook {
 	unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct,
 				  enum nf_nat_manip_type mtype,
 				  enum ip_conntrack_dir dir);
+
+	KABI_RESERVE(1)
 };
 
 extern struct nf_nat_hook __rcu *nf_nat_hook;
@@ -457,6 +462,8 @@ struct nf_ct_hook {
 	void (*destroy)(struct nf_conntrack *);
 	bool (*get_tuple_skb)(struct nf_conntrack_tuple *,
 			      const struct sk_buff *);
+
+	KABI_RESERVE(1)
 };
 extern struct nf_ct_hook __rcu *nf_ct_hook;
 
@@ -474,6 +481,8 @@ struct nfnl_ct_hook {
 			     u32 portid, u32 report);
 	void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
 			   enum ip_conntrack_info ctinfo, s32 off);
+
+	KABI_RESERVE(1)
 };
 extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
 
diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index ab192720e2d6..8123503c4ac4 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -16,6 +16,7 @@
 #include <linux/vmalloc.h>
 #include <net/netlink.h>
 #include <uapi/linux/netfilter/ipset/ip_set.h>
+#include <linux/kabi.h>
 
 #define _IP_SET_MODULE_DESC(a, b, c)		\
 	MODULE_DESCRIPTION(a " type of IP sets, revisions " b "-" c)
@@ -190,6 +191,8 @@ struct ip_set_type_variant {
 	bool (*same_set)(const struct ip_set *a, const struct ip_set *b);
 	/* Region-locking is used */
 	bool region_lock;
+
+	KABI_RESERVE(1)
 };
 
 struct ip_set_region {
@@ -228,6 +231,8 @@ struct ip_set_type {
 
 	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
 	struct module *me;
+
+	KABI_RESERVE(1)
 };
 
 /* register and unregister set type */
@@ -270,6 +275,8 @@ struct ip_set {
 	size_t offset[IPSET_EXT_ID_MAX];
 	/* The type specific data */
 	void *data;
+
+	KABI_RESERVE(1)
 };
 
 static inline void
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index f6267e2883f2..90853fdaa971 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -6,6 +6,7 @@
 #include <linux/capability.h>
 #include <net/netlink.h>
 #include <uapi/linux/netfilter/nfnetlink.h>
+#include <linux/kabi.h>
 
 struct nfnl_callback {
 	int (*call)(struct net *net, struct sock *nl, struct sk_buff *skb,
@@ -22,6 +23,8 @@ struct nfnl_callback {
 			  struct netlink_ext_ack *extack);
 	const struct nla_policy *policy;	/* netlink attribute policy */
 	const u_int16_t attr_count;		/* number of nlattr's */
+
+	KABI_RESERVE(1)
 };
 
 enum nfnl_abort_action {
@@ -41,6 +44,8 @@ struct nfnetlink_subsystem {
 		     enum nfnl_abort_action action);
 	void (*cleanup)(struct net *net);
 	bool (*valid_genid)(struct net *net, u32 genid);
+
+	KABI_RESERVE(1)
 };
 
 int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n);
diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 48314ade1506..b1d0b6dee583 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -9,6 +9,7 @@
 
 #include <uapi/linux/netfilter_ipv6.h>
 #include <net/tcp.h>
+#include <linux/kabi.h>
 
 /* Check for an extension */
 static inline int
@@ -65,6 +66,8 @@ struct nf_ipv6_ops {
 					 const struct nf_bridge_frag_data *data,
 					 struct sk_buff *));
 #endif
+
+	KABI_RESERVE(1)
 };
 
 #ifdef CONFIG_NETFILTER
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 439379ca9ffa..e37204d784cb 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -23,6 +23,7 @@
 #include <linux/netfilter/nf_conntrack_proto_gre.h>
 
 #include <net/netfilter/nf_conntrack_tuple.h>
+#include <linux/kabi.h>
 
 struct nf_ct_udp {
 	unsigned long	stream_ts;
@@ -105,6 +106,9 @@ struct nf_conn {
 
 	/* Storage reserved for other modules, must be the last member */
 	union nf_conntrack_proto proto;
+
+	KABI_RESERVE(1)
+	KABI_RESERVE(2)
 };
 
 static inline struct nf_conn *
diff --git a/include/net/netns/netfilter.h b/include/net/netns/netfilter.h
index ca043342c0eb..1b01427a0d4a 100644
--- a/include/net/netns/netfilter.h
+++ b/include/net/netns/netfilter.h
@@ -3,6 +3,7 @@
 #define __NETNS_NETFILTER_H
 
 #include <linux/netfilter_defs.h>
+#include <linux/kabi.h>
 
 struct proc_dir_entry;
 struct nf_logger;
@@ -34,5 +35,7 @@ struct netns_nf {
 #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
 	bool			defrag_ipv6;
 #endif
+
+	KABI_RESERVE(1)
 };
 #endif
-- 
GitLab