netfilter: nft_ct: add notrack support (Closes: #845500)

debian/changelog

@@ -147,6 +147,7 @@ linux (4.9.18-1) UNRELEASED; urgency=medium
   * [arm64] rtc: tegra: Implement clock handling (Closes: #858514)
   * [armhf] sound/soc: Enable SND_SUN4I_SPDIF as module (Closes: #857410)
   * [arm64,x86] Enable CROS_KBD_LED_BACKLIGHT as module (Closes: #856906)
+  * netfilter: nft_ct: add notrack support (Closes: #845500)
 
   [ James Clarke ]
   * [sparc64] udeb: Re-add ufs-modules (Closes: #858049)

debian/patches/features/all/netfilter-nft_ct-add-notrack-support.patch

@@ -0,0 +1,100 @@
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 20 Oct 2016 18:07:14 +0200
+Subject: netfilter: nft_ct: add notrack support
+Origin: https://git.kernel.org/linus/254432613c588640f8b8b5c3641a3c27bbe14688
+Bug-Debian: https://bugs.debian.org/845500
+
+This patch adds notrack support.
+
+I decided to add a new expression, given that this doesn't fit into the
+existing set operation. Notrack doesn't need a source register, and an
+hypothetical NFT_CT_NOTRACK key makes no sense since matching the
+untracked state is done through NFT_CT_STATE.
+
+I'm placing this new notrack expression into nft_ct.c, I think a single
+module is too much.
+
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+---
+ net/netfilter/nft_ct.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 49 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
+index d7b0d171172a..6837348c8993 100644
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -1,5 +1,6 @@
+ /*
+  * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
++ * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
+  *
+  * This program is free software; you can redistribute it and/or modify
+  * it under the terms of the GNU General Public License version 2 as
+@@ -518,15 +519,61 @@ static struct nft_expr_type nft_ct_type __read_mostly = {
+ 	.owner		= THIS_MODULE,
+ };
+ 
++static void nft_notrack_eval(const struct nft_expr *expr,
++			     struct nft_regs *regs,
++			     const struct nft_pktinfo *pkt)
++{
++	struct sk_buff *skb = pkt->skb;
++	enum ip_conntrack_info ctinfo;
++	struct nf_conn *ct;
++
++	ct = nf_ct_get(pkt->skb, &ctinfo);
++	/* Previously seen (loopback or untracked)?  Ignore. */
++	if (ct)
++		return;
++
++	ct = nf_ct_untracked_get();
++	atomic_inc(&ct->ct_general.use);
++	skb->nfct = &ct->ct_general;
++	skb->nfctinfo = IP_CT_NEW;
++}
++
++static struct nft_expr_type nft_notrack_type;
++static const struct nft_expr_ops nft_notrack_ops = {
++	.type		= &nft_notrack_type,
++	.size		= NFT_EXPR_SIZE(0),
++	.eval		= nft_notrack_eval,
++};
++
++static struct nft_expr_type nft_notrack_type __read_mostly = {
++	.name		= "notrack",
++	.ops		= &nft_notrack_ops,
++	.owner		= THIS_MODULE,
++};
++
+ static int __init nft_ct_module_init(void)
+ {
++	int err;
++
+ 	BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);
+ 
+-	return nft_register_expr(&nft_ct_type);
++	err = nft_register_expr(&nft_ct_type);
++	if (err < 0)
++		return err;
++
++	err = nft_register_expr(&nft_notrack_type);
++	if (err < 0)
++		goto err1;
++
++	return 0;
++err1:
++	nft_unregister_expr(&nft_ct_type);
++	return err;
+ }
+ 
+ static void __exit nft_ct_module_exit(void)
+ {
++	nft_unregister_expr(&nft_notrack_type);
+ 	nft_unregister_expr(&nft_ct_type);
+ }
+ 
+@@ -536,3 +583,4 @@ module_exit(nft_ct_module_exit);
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+ MODULE_ALIAS_NFT_EXPR("ct");
++MODULE_ALIAS_NFT_EXPR("notrack");

debian/patches/series

@@ -90,6 +90,7 @@ bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch
 bugfix/all/ACPI-EC-Use-busy-polling-mode-when-GPE-is-not-enable.patch
 
 # Miscellaneous features
+features/all/netfilter-nft_ct-add-notrack-support.patch
 
 # Securelevel patchset from mjg59
 features/all/securelevel/add-bsd-style-securelevel-support.patch