kernel: backport a series of netfilter cleanup patches to 4.14

Preparation for backporting upstream NAT offload support

Signed-off-by: Felix Fietkau <[email protected]>

target/linux/generic/backport-4.14/300-netfilter-nf_tables-explicit-nft_set_pktinfo-call-fr.patch

@@ -0,0 +1,291 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sun, 10 Dec 2017 01:43:14 +0100
+Subject: [PATCH] netfilter: nf_tables: explicit nft_set_pktinfo() call from
+ hook path
+
+Instead of calling this function from the family specific variant, this
+reduces the code size in the fast path for the netdev, bridge and inet
+families. After this change, we must call nft_set_pktinfo() upfront from
+the chain hook indirection.
+
+Before:
+
+   text    data     bss     dec     hex filename
+   2145     208       0    2353     931 net/netfilter/nf_tables_netdev.o
+
+After:
+
+   text    data     bss     dec     hex filename
+   2125     208       0    2333     91d net/netfilter/nf_tables_netdev.o
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -54,8 +54,8 @@ static inline void nft_set_pktinfo(struc
+ 	pkt->xt.state = state;
+ }
+ 
+-static inline void nft_set_pktinfo_proto_unspec(struct nft_pktinfo *pkt,
+-						struct sk_buff *skb)
++static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
++					  struct sk_buff *skb)
+ {
+ 	pkt->tprot_set = false;
+ 	pkt->tprot = 0;
+@@ -63,14 +63,6 @@ static inline void nft_set_pktinfo_proto
+ 	pkt->xt.fragoff = 0;
+ }
+ 
+-static inline void nft_set_pktinfo_unspec(struct nft_pktinfo *pkt,
+-					  struct sk_buff *skb,
+-					  const struct nf_hook_state *state)
+-{
+-	nft_set_pktinfo(pkt, skb, state);
+-	nft_set_pktinfo_proto_unspec(pkt, skb);
+-}
+-
+ /**
+  * 	struct nft_verdict - nf_tables verdict
+  *
+--- a/include/net/netfilter/nf_tables_ipv4.h
++++ b/include/net/netfilter/nf_tables_ipv4.h
+@@ -5,15 +5,11 @@
+ #include <net/netfilter/nf_tables.h>
+ #include <net/ip.h>
+ 
+-static inline void
+-nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
+-		     struct sk_buff *skb,
+-		     const struct nf_hook_state *state)
++static inline void nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
++					struct sk_buff *skb)
+ {
+ 	struct iphdr *ip;
+ 
+-	nft_set_pktinfo(pkt, skb, state);
+-
+ 	ip = ip_hdr(pkt->skb);
+ 	pkt->tprot_set = true;
+ 	pkt->tprot = ip->protocol;
+@@ -21,10 +17,8 @@ nft_set_pktinfo_ipv4(struct nft_pktinfo
+ 	pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
+ }
+ 
+-static inline int
+-__nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
+-				struct sk_buff *skb,
+-				const struct nf_hook_state *state)
++static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
++						  struct sk_buff *skb)
+ {
+ 	struct iphdr *iph, _iph;
+ 	u32 len, thoff;
+@@ -52,14 +46,11 @@ __nft_set_pktinfo_ipv4_validate(struct n
+ 	return 0;
+ }
+ 
+-static inline void
+-nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
+-			      struct sk_buff *skb,
+-			      const struct nf_hook_state *state)
++static inline void nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
++						 struct sk_buff *skb)
+ {
+-	nft_set_pktinfo(pkt, skb, state);
+-	if (__nft_set_pktinfo_ipv4_validate(pkt, skb, state) < 0)
+-		nft_set_pktinfo_proto_unspec(pkt, skb);
++	if (__nft_set_pktinfo_ipv4_validate(pkt, skb) < 0)
++		nft_set_pktinfo_unspec(pkt, skb);
+ }
+ 
+ extern struct nft_af_info nft_af_ipv4;
+--- a/include/net/netfilter/nf_tables_ipv6.h
++++ b/include/net/netfilter/nf_tables_ipv6.h
+@@ -5,20 +5,16 @@
+ #include <linux/netfilter_ipv6/ip6_tables.h>
+ #include <net/ipv6.h>
+ 
+-static inline void
+-nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
+-		     struct sk_buff *skb,
+-		     const struct nf_hook_state *state)
++static inline void nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
++					struct sk_buff *skb)
+ {
+ 	unsigned int flags = IP6_FH_F_AUTH;
+ 	int protohdr, thoff = 0;
+ 	unsigned short frag_off;
+ 
+-	nft_set_pktinfo(pkt, skb, state);
+-
+ 	protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, &flags);
+ 	if (protohdr < 0) {
+-		nft_set_pktinfo_proto_unspec(pkt, skb);
++		nft_set_pktinfo_unspec(pkt, skb);
+ 		return;
+ 	}
+ 
+@@ -28,10 +24,8 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo
+ 	pkt->xt.fragoff = frag_off;
+ }
+ 
+-static inline int
+-__nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
+-				struct sk_buff *skb,
+-				const struct nf_hook_state *state)
++static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
++						  struct sk_buff *skb)
+ {
+ #if IS_ENABLED(CONFIG_IPV6)
+ 	unsigned int flags = IP6_FH_F_AUTH;
+@@ -68,14 +62,11 @@ __nft_set_pktinfo_ipv6_validate(struct n
+ #endif
+ }
+ 
+-static inline void
+-nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
+-			      struct sk_buff *skb,
+-			      const struct nf_hook_state *state)
++static inline void nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
++						 struct sk_buff *skb)
+ {
+-	nft_set_pktinfo(pkt, skb, state);
+-	if (__nft_set_pktinfo_ipv6_validate(pkt, skb, state) < 0)
+-		nft_set_pktinfo_proto_unspec(pkt, skb);
++	if (__nft_set_pktinfo_ipv6_validate(pkt, skb) < 0)
++		nft_set_pktinfo_unspec(pkt, skb);
+ }
+ 
+ extern struct nft_af_info nft_af_ipv6;
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -25,15 +25,17 @@ nft_do_chain_bridge(void *priv,
+ {
+ 	struct nft_pktinfo pkt;
+ 
++	nft_set_pktinfo(&pkt, skb, state);
++
+ 	switch (eth_hdr(skb)->h_proto) {
+ 	case htons(ETH_P_IP):
+-		nft_set_pktinfo_ipv4_validate(&pkt, skb, state);
++		nft_set_pktinfo_ipv4_validate(&pkt, skb);
+ 		break;
+ 	case htons(ETH_P_IPV6):
+-		nft_set_pktinfo_ipv6_validate(&pkt, skb, state);
++		nft_set_pktinfo_ipv6_validate(&pkt, skb);
+ 		break;
+ 	default:
+-		nft_set_pktinfo_unspec(&pkt, skb, state);
++		nft_set_pktinfo_unspec(&pkt, skb);
+ 		break;
+ 	}
+ 
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -21,7 +21,8 @@ nft_do_chain_arp(void *priv,
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_unspec(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_unspec(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -24,7 +24,8 @@ static unsigned int nft_do_chain_ipv4(vo
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_ipv4(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv4(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv4/netfilter/nft_chain_nat_ipv4.c
++++ b/net/ipv4/netfilter/nft_chain_nat_ipv4.c
+@@ -33,7 +33,8 @@ static unsigned int nft_nat_do_chain(voi
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_ipv4(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv4(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv4/netfilter/nft_chain_route_ipv4.c
++++ b/net/ipv4/netfilter/nft_chain_route_ipv4.c
+@@ -38,7 +38,8 @@ static unsigned int nf_route_table_hook(
+ 	    ip_hdrlen(skb) < sizeof(struct iphdr))
+ 		return NF_ACCEPT;
+ 
+-	nft_set_pktinfo_ipv4(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv4(&pkt, skb);
+ 
+ 	mark = skb->mark;
+ 	iph = ip_hdr(skb);
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -22,7 +22,8 @@ static unsigned int nft_do_chain_ipv6(vo
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_ipv6(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv6(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv6/netfilter/nft_chain_nat_ipv6.c
++++ b/net/ipv6/netfilter/nft_chain_nat_ipv6.c
+@@ -31,7 +31,8 @@ static unsigned int nft_nat_do_chain(voi
+ {
+ 	struct nft_pktinfo pkt;
+ 
+-	nft_set_pktinfo_ipv6(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv6(&pkt, skb);
+ 
+ 	return nft_do_chain(&pkt, priv);
+ }
+--- a/net/ipv6/netfilter/nft_chain_route_ipv6.c
++++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c
+@@ -33,7 +33,8 @@ static unsigned int nf_route_table_hook(
+ 	u32 mark, flowlabel;
+ 	int err;
+ 
+-	nft_set_pktinfo_ipv6(&pkt, skb, state);
++	nft_set_pktinfo(&pkt, skb, state);
++	nft_set_pktinfo_ipv6(&pkt, skb);
+ 
+ 	/* save source/dest address, mark, hoplimit, flowlabel, priority */
+ 	memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -21,15 +21,17 @@ nft_do_chain_netdev(void *priv, struct s
+ {
+ 	struct nft_pktinfo pkt;
+ 
++	nft_set_pktinfo(&pkt, skb, state);
++
+ 	switch (skb->protocol) {
+ 	case htons(ETH_P_IP):
+-		nft_set_pktinfo_ipv4_validate(&pkt, skb, state);
++		nft_set_pktinfo_ipv4_validate(&pkt, skb);
+ 		break;
+ 	case htons(ETH_P_IPV6):
+-		nft_set_pktinfo_ipv6_validate(&pkt, skb, state);
++		nft_set_pktinfo_ipv6_validate(&pkt, skb);
+ 		break;
+ 	default:
+-		nft_set_pktinfo_unspec(&pkt, skb, state);
++		nft_set_pktinfo_unspec(&pkt, skb);
+ 		break;
+ 	}
+ 

target/linux/generic/backport-4.14/301-netfilter-core-only-allow-one-nat-hook-per-hook-poin.patch

@@ -0,0 +1,146 @@
+From: Florian Westphal <[email protected]>
+Date: Fri, 8 Dec 2017 17:01:54 +0100
+Subject: [PATCH] netfilter: core: only allow one nat hook per hook point
+
+The netfilter NAT core cannot deal with more than one NAT hook per hook
+location (prerouting, input ...), because the NAT hooks install a NAT null
+binding in case the iptables nat table (iptable_nat hooks) or the
+corresponding nftables chain (nft nat hooks) doesn't specify a nat
+transformation.
+
+Null bindings are needed to detect port collsisions between NAT-ed and
+non-NAT-ed connections.
+
+This causes nftables NAT rules to not work when iptable_nat module is
+loaded, and vice versa because nat binding has already been attached
+when the second nat hook is consulted.
+
+The netfilter core is not really the correct location to handle this
+(hooks are just hooks, the core has no notion of what kinds of side
+ effects a hook implements), but its the only place where we can check
+for conflicts between both iptables hooks and nftables hooks without
+adding dependencies.
+
+So add nat annotation to hook_ops to describe those hooks that will
+add NAT bindings and then make core reject if such a hook already exists.
+The annotation fills a padding hole, in case further restrictions appar
+we might change this to a 'u8 type' instead of bool.
+
+iptables error if nft nat hook active:
+iptables -t nat -A POSTROUTING -j MASQUERADE
+iptables v1.4.21: can't initialize iptables table `nat': File exists
+Perhaps iptables or your kernel needs to be upgraded.
+
+nftables error if iptables nat table present:
+nft -f /etc/nftables/ipv4-nat
+/usr/etc/nftables/ipv4-nat:3:1-2: Error: Could not process rule: File exists
+table nat {
+^^
+
+Signed-off-by: Florian Westphal <[email protected]>
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -67,6 +67,7 @@ struct nf_hook_ops {
+ 	struct net_device	*dev;
+ 	void			*priv;
+ 	u_int8_t		pf;
++	bool			nat_hook;
+ 	unsigned int		hooknum;
+ 	/* Hooks are ordered in ascending priority. */
+ 	int			priority;
+--- a/net/ipv4/netfilter/iptable_nat.c
++++ b/net/ipv4/netfilter/iptable_nat.c
+@@ -72,6 +72,7 @@ static const struct nf_hook_ops nf_nat_i
+ 	{
+ 		.hook		= iptable_nat_ipv4_in,
+ 		.pf		= NFPROTO_IPV4,
++		.nat_hook	= true,
+ 		.hooknum	= NF_INET_PRE_ROUTING,
+ 		.priority	= NF_IP_PRI_NAT_DST,
+ 	},
+@@ -79,6 +80,7 @@ static const struct nf_hook_ops nf_nat_i
+ 	{
+ 		.hook		= iptable_nat_ipv4_out,
+ 		.pf		= NFPROTO_IPV4,
++		.nat_hook	= true,
+ 		.hooknum	= NF_INET_POST_ROUTING,
+ 		.priority	= NF_IP_PRI_NAT_SRC,
+ 	},
+@@ -86,6 +88,7 @@ static const struct nf_hook_ops nf_nat_i
+ 	{
+ 		.hook		= iptable_nat_ipv4_local_fn,
+ 		.pf		= NFPROTO_IPV4,
++		.nat_hook	= true,
+ 		.hooknum	= NF_INET_LOCAL_OUT,
+ 		.priority	= NF_IP_PRI_NAT_DST,
+ 	},
+@@ -93,6 +96,7 @@ static const struct nf_hook_ops nf_nat_i
+ 	{
+ 		.hook		= iptable_nat_ipv4_fn,
+ 		.pf		= NFPROTO_IPV4,
++		.nat_hook	= true,
+ 		.hooknum	= NF_INET_LOCAL_IN,
+ 		.priority	= NF_IP_PRI_NAT_SRC,
+ 	},
+--- a/net/ipv6/netfilter/ip6table_nat.c
++++ b/net/ipv6/netfilter/ip6table_nat.c
+@@ -74,6 +74,7 @@ static const struct nf_hook_ops nf_nat_i
+ 	{
+ 		.hook		= ip6table_nat_in,
+ 		.pf		= NFPROTO_IPV6,
++		.nat_hook	= true,
+ 		.hooknum	= NF_INET_PRE_ROUTING,
+ 		.priority	= NF_IP6_PRI_NAT_DST,
+ 	},
+@@ -81,6 +82,7 @@ static const struct nf_hook_ops nf_nat_i
+ 	{
+ 		.hook		= ip6table_nat_out,
+ 		.pf		= NFPROTO_IPV6,
++		.nat_hook	= true,
+ 		.hooknum	= NF_INET_POST_ROUTING,
+ 		.priority	= NF_IP6_PRI_NAT_SRC,
+ 	},
+@@ -88,12 +90,14 @@ static const struct nf_hook_ops nf_nat_i
+ 	{
+ 		.hook		= ip6table_nat_local_fn,
+ 		.pf		= NFPROTO_IPV6,
++		.nat_hook	= true,
+ 		.hooknum	= NF_INET_LOCAL_OUT,
+ 		.priority	= NF_IP6_PRI_NAT_DST,
+ 	},
+ 	/* After packet filtering, change source */
+ 	{
+ 		.hook		= ip6table_nat_fn,
++		.nat_hook	= true,
+ 		.pf		= NFPROTO_IPV6,
+ 		.hooknum	= NF_INET_LOCAL_IN,
+ 		.priority	= NF_IP6_PRI_NAT_SRC,
+--- a/net/netfilter/core.c
++++ b/net/netfilter/core.c
+@@ -135,6 +135,12 @@ nf_hook_entries_grow(const struct nf_hoo
+ 			++i;
+ 			continue;
+ 		}
++
++		if (reg->nat_hook && orig_ops[i]->nat_hook) {
++			kvfree(new);
++			return ERR_PTR(-EEXIST);
++		}
++
+ 		if (inserted || reg->priority > orig_ops[i]->priority) {
+ 			new_ops[nhooks] = (void *)orig_ops[i];
+ 			new->hooks[nhooks] = old->hooks[i];
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1400,6 +1400,8 @@ static int nf_tables_addchain(struct nft
+ 				ops->hook = hookfn;
+ 			if (afi->hook_ops_init)
+ 				afi->hook_ops_init(ops, i);
++			if (basechain->type->type == NFT_CHAIN_T_NAT)
++				ops->nat_hook = true;
+ 		}
+ 
+ 		chain->flags |= NFT_BASE_CHAIN;

target/linux/generic/backport-4.14/302-netfilter-nf_tables_inet-don-t-use-multihook-infrast.patch

@@ -0,0 +1,160 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sat, 9 Dec 2017 15:36:24 +0100
+Subject: [PATCH] netfilter: nf_tables_inet: don't use multihook infrastructure
+ anymore
+
+Use new native NFPROTO_INET support in netfilter core, this gets rid of
+ad-hoc code in the nf_tables API codebase.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/net/netfilter/nf_tables_ipv4.h
++++ b/include/net/netfilter/nf_tables_ipv4.h
+@@ -53,6 +53,4 @@ static inline void nft_set_pktinfo_ipv4_
+ 		nft_set_pktinfo_unspec(pkt, skb);
+ }
+ 
+-extern struct nft_af_info nft_af_ipv4;
+-
+ #endif
+--- a/include/net/netfilter/nf_tables_ipv6.h
++++ b/include/net/netfilter/nf_tables_ipv6.h
+@@ -69,6 +69,4 @@ static inline void nft_set_pktinfo_ipv6_
+ 		nft_set_pktinfo_unspec(pkt, skb);
+ }
+ 
+-extern struct nft_af_info nft_af_ipv6;
+-
+ #endif
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -45,7 +45,7 @@ static unsigned int nft_ipv4_output(void
+ 	return nft_do_chain_ipv4(priv, skb, state);
+ }
+ 
+-struct nft_af_info nft_af_ipv4 __read_mostly = {
++static struct nft_af_info nft_af_ipv4 __read_mostly = {
+ 	.family		= NFPROTO_IPV4,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+@@ -58,7 +58,6 @@ struct nft_af_info nft_af_ipv4 __read_mo
+ 		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
+ 	},
+ };
+-EXPORT_SYMBOL_GPL(nft_af_ipv4);
+ 
+ static int nf_tables_ipv4_init_net(struct net *net)
+ {
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -42,7 +42,7 @@ static unsigned int nft_ipv6_output(void
+ 	return nft_do_chain_ipv6(priv, skb, state);
+ }
+ 
+-struct nft_af_info nft_af_ipv6 __read_mostly = {
++static struct nft_af_info nft_af_ipv6 __read_mostly = {
+ 	.family		= NFPROTO_IPV6,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+@@ -55,7 +55,6 @@ struct nft_af_info nft_af_ipv6 __read_mo
+ 		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
+ 	},
+ };
+-EXPORT_SYMBOL_GPL(nft_af_ipv6);
+ 
+ static int nf_tables_ipv6_init_net(struct net *net)
+ {
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -9,6 +9,7 @@
+ #include <linux/init.h>
+ #include <linux/module.h>
+ #include <linux/ip.h>
++#include <linux/ipv6.h>
+ #include <linux/netfilter_ipv4.h>
+ #include <linux/netfilter_ipv6.h>
+ #include <net/netfilter/nf_tables.h>
+@@ -16,26 +17,71 @@
+ #include <net/netfilter/nf_tables_ipv6.h>
+ #include <net/ip.h>
+ 
+-static void nft_inet_hook_ops_init(struct nf_hook_ops *ops, unsigned int n)
++static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb,
++				      const struct nf_hook_state *state)
+ {
+-	struct nft_af_info *afi;
++	struct nft_pktinfo pkt;
+ 
+-	if (n == 1)
+-		afi = &nft_af_ipv4;
+-	else
+-		afi = &nft_af_ipv6;
++	nft_set_pktinfo(&pkt, skb, state);
+ 
+-	ops->pf = afi->family;
+-	if (afi->hooks[ops->hooknum])
+-		ops->hook = afi->hooks[ops->hooknum];
++	switch (state->pf) {
++	case NFPROTO_IPV4:
++		nft_set_pktinfo_ipv4(&pkt, skb);
++		break;
++	case NFPROTO_IPV6:
++		nft_set_pktinfo_ipv6(&pkt, skb);
++		break;
++	default:
++		break;
++	}
++
++	return nft_do_chain(&pkt, priv);
++}
++
++static unsigned int nft_inet_output(void *priv, struct sk_buff *skb,
++				    const struct nf_hook_state *state)
++{
++	struct nft_pktinfo pkt;
++
++	nft_set_pktinfo(&pkt, skb, state);
++
++	switch (state->pf) {
++	case NFPROTO_IPV4:
++		if (unlikely(skb->len < sizeof(struct iphdr) ||
++			     ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
++			if (net_ratelimit())
++				pr_info("ignoring short SOCK_RAW packet\n");
++			return NF_ACCEPT;
++		}
++		nft_set_pktinfo_ipv4(&pkt, skb);
++		break;
++	case NFPROTO_IPV6:
++	        if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
++			if (net_ratelimit())
++				pr_info("ignoring short SOCK_RAW packet\n");
++			return NF_ACCEPT;
++		}
++		nft_set_pktinfo_ipv6(&pkt, skb);
++		break;
++	default:
++		break;
++	}
++
++	return nft_do_chain(&pkt, priv);
+ }
+ 
+ static struct nft_af_info nft_af_inet __read_mostly = {
+ 	.family		= NFPROTO_INET,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.nops		= 2,
+-	.hook_ops_init	= nft_inet_hook_ops_init,
++	.nops		= 1,
++	.hooks		= {
++		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
++		[NF_INET_LOCAL_OUT]	= nft_inet_output,
++		[NF_INET_FORWARD]	= nft_do_chain_inet,
++		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
++		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,
++        },
+ };
+ 
+ static int __net_init nf_tables_inet_init_net(struct net *net)

target/linux/generic/backport-4.14/303-netfilter-nf_tables-remove-multihook-chains-and-fami.patch

@@ -0,0 +1,391 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sat, 9 Dec 2017 15:40:25 +0100
+Subject: [PATCH] netfilter: nf_tables: remove multihook chains and families
+
+Since NFPROTO_INET is handled from the core, we don't need to maintain
+extra infrastructure in nf_tables to handle the double hook
+registration, one for IPv4 and another for IPv6.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -892,8 +892,6 @@ struct nft_stats {
+ 	struct u64_stats_sync	syncp;
+ };
+ 
+-#define NFT_HOOK_OPS_MAX		2
+-
+ /**
+  *	struct nft_base_chain - nf_tables base chain
+  *
+@@ -905,7 +903,7 @@ struct nft_stats {
+  *	@dev_name: device name that this base chain is attached to (if any)
+  */
+ struct nft_base_chain {
+-	struct nf_hook_ops		ops[NFT_HOOK_OPS_MAX];
++	struct nf_hook_ops		ops;
+ 	const struct nf_chain_type	*type;
+ 	u8				policy;
+ 	u8				flags;
+@@ -966,8 +964,6 @@ enum nft_af_flags {
+  *	@owner: module owner
+  *	@tables: used internally
+  *	@flags: family flags
+- *	@nops: number of hook ops in this family
+- *	@hook_ops_init: initialization function for chain hook ops
+  *	@hooks: hookfn overrides for packet validation
+  */
+ struct nft_af_info {
+@@ -977,9 +973,6 @@ struct nft_af_info {
+ 	struct module			*owner;
+ 	struct list_head		tables;
+ 	u32				flags;
+-	unsigned int			nops;
+-	void				(*hook_ops_init)(struct nf_hook_ops *,
+-							 unsigned int);
+ 	nf_hookfn			*hooks[NF_MAX_HOOKS];
+ };
+ 
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -46,7 +46,6 @@ static struct nft_af_info nft_af_bridge
+ 	.family		= NFPROTO_BRIDGE,
+ 	.nhooks		= NF_BR_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.nops		= 1,
+ 	.hooks		= {
+ 		[NF_BR_PRE_ROUTING]	= nft_do_chain_bridge,
+ 		[NF_BR_LOCAL_IN]	= nft_do_chain_bridge,
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -31,7 +31,6 @@ static struct nft_af_info nft_af_arp __r
+ 	.family		= NFPROTO_ARP,
+ 	.nhooks		= NF_ARP_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.nops		= 1,
+ 	.hooks		= {
+ 		[NF_ARP_IN]		= nft_do_chain_arp,
+ 		[NF_ARP_OUT]		= nft_do_chain_arp,
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -49,7 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
+ 	.family		= NFPROTO_IPV4,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.nops		= 1,
+ 	.hooks		= {
+ 		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,
+ 		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -46,7 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
+ 	.family		= NFPROTO_IPV6,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.nops		= 1,
+ 	.hooks		= {
+ 		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,
+ 		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -139,29 +139,26 @@ static void nft_trans_destroy(struct nft
+ 	kfree(trans);
+ }
+ 
+-static int nf_tables_register_hooks(struct net *net,
+-				    const struct nft_table *table,
+-				    struct nft_chain *chain,
+-				    unsigned int hook_nops)
++static int nf_tables_register_hook(struct net *net,
++				   const struct nft_table *table,
++				   struct nft_chain *chain)
+ {
+ 	if (table->flags & NFT_TABLE_F_DORMANT ||
+ 	    !nft_is_base_chain(chain))
+ 		return 0;
+ 
+-	return nf_register_net_hooks(net, nft_base_chain(chain)->ops,
+-				     hook_nops);
++	return nf_register_net_hook(net, &nft_base_chain(chain)->ops);
+ }
+ 
+-static void nf_tables_unregister_hooks(struct net *net,
+-				       const struct nft_table *table,
+-				       struct nft_chain *chain,
+-				       unsigned int hook_nops)
++static void nf_tables_unregister_hook(struct net *net,
++				      const struct nft_table *table,
++				      struct nft_chain *chain)
+ {
+ 	if (table->flags & NFT_TABLE_F_DORMANT ||
+ 	    !nft_is_base_chain(chain))
+ 		return;
+ 
+-	nf_unregister_net_hooks(net, nft_base_chain(chain)->ops, hook_nops);
++	nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
+ }
+ 
+ static int nft_trans_table_add(struct nft_ctx *ctx, int msg_type)
+@@ -595,8 +592,7 @@ static void _nf_tables_table_disable(str
+ 		if (cnt && i++ == cnt)
+ 			break;
+ 
+-		nf_unregister_net_hooks(net, nft_base_chain(chain)->ops,
+-					afi->nops);
++		nf_unregister_net_hook(net, &nft_base_chain(chain)->ops);
+ 	}
+ }
+ 
+@@ -613,8 +609,7 @@ static int nf_tables_table_enable(struct
+ 		if (!nft_is_base_chain(chain))
+ 			continue;
+ 
+-		err = nf_register_net_hooks(net, nft_base_chain(chain)->ops,
+-					    afi->nops);
++		err = nf_register_net_hook(net, &nft_base_chain(chain)->ops);
+ 		if (err < 0)
+ 			goto err;
+ 
+@@ -1026,7 +1021,7 @@ static int nf_tables_fill_chain_info(str
+ 
+ 	if (nft_is_base_chain(chain)) {
+ 		const struct nft_base_chain *basechain = nft_base_chain(chain);
+-		const struct nf_hook_ops *ops = &basechain->ops[0];
++		const struct nf_hook_ops *ops = &basechain->ops;
+ 		struct nlattr *nest;
+ 
+ 		nest = nla_nest_start(skb, NFTA_CHAIN_HOOK);
+@@ -1252,8 +1247,8 @@ static void nf_tables_chain_destroy(stru
+ 		free_percpu(basechain->stats);
+ 		if (basechain->stats)
+ 			static_branch_dec(&nft_counters_enabled);
+-		if (basechain->ops[0].dev != NULL)
+-			dev_put(basechain->ops[0].dev);
++		if (basechain->ops.dev != NULL)
++			dev_put(basechain->ops.dev);
+ 		kfree(chain->name);
+ 		kfree(basechain);
+ 	} else {
+@@ -1349,7 +1344,6 @@ static int nf_tables_addchain(struct nft
+ 	struct nft_stats __percpu *stats;
+ 	struct net *net = ctx->net;
+ 	struct nft_chain *chain;
+-	unsigned int i;
+ 	int err;
+ 
+ 	if (table->use == UINT_MAX)
+@@ -1388,21 +1382,18 @@ static int nf_tables_addchain(struct nft
+ 		basechain->type = hook.type;
+ 		chain = &basechain->chain;
+ 
+-		for (i = 0; i < afi->nops; i++) {
+-			ops = &basechain->ops[i];
+-			ops->pf		= family;
+-			ops->hooknum	= hook.num;
+-			ops->priority	= hook.priority;
+-			ops->priv	= chain;
+-			ops->hook	= afi->hooks[ops->hooknum];
+-			ops->dev	= hook.dev;
+-			if (hookfn)
+-				ops->hook = hookfn;
+-			if (afi->hook_ops_init)
+-				afi->hook_ops_init(ops, i);
+-			if (basechain->type->type == NFT_CHAIN_T_NAT)
+-				ops->nat_hook = true;
+-		}
++		ops		= &basechain->ops;
++		ops->pf		= family;
++		ops->hooknum	= hook.num;
++		ops->priority	= hook.priority;
++		ops->priv	= chain;
++		ops->hook	= afi->hooks[ops->hooknum];
++		ops->dev	= hook.dev;
++		if (hookfn)
++			ops->hook = hookfn;
++
++		if (basechain->type->type == NFT_CHAIN_T_NAT)
++			ops->nat_hook = true;
+ 
+ 		chain->flags |= NFT_BASE_CHAIN;
+ 		basechain->policy = policy;
+@@ -1420,7 +1411,7 @@ static int nf_tables_addchain(struct nft
+ 		goto err1;
+ 	}
+ 
+-	err = nf_tables_register_hooks(net, table, chain, afi->nops);
++	err = nf_tables_register_hook(net, table, chain);
+ 	if (err < 0)
+ 		goto err1;
+ 
+@@ -1434,7 +1425,7 @@ static int nf_tables_addchain(struct nft
+ 
+ 	return 0;
+ err2:
+-	nf_tables_unregister_hooks(net, table, chain, afi->nops);
++	nf_tables_unregister_hook(net, table, chain);
+ err1:
+ 	nf_tables_chain_destroy(chain);
+ 
+@@ -1447,14 +1438,13 @@ static int nf_tables_updchain(struct nft
+ 	const struct nlattr * const *nla = ctx->nla;
+ 	struct nft_table *table = ctx->table;
+ 	struct nft_chain *chain = ctx->chain;
+-	struct nft_af_info *afi = ctx->afi;
+ 	struct nft_base_chain *basechain;
+ 	struct nft_stats *stats = NULL;
+ 	struct nft_chain_hook hook;
+ 	const struct nlattr *name;
+ 	struct nf_hook_ops *ops;
+ 	struct nft_trans *trans;
+-	int err, i;
++	int err;
+ 
+ 	if (nla[NFTA_CHAIN_HOOK]) {
+ 		if (!nft_is_base_chain(chain))
+@@ -1471,14 +1461,12 @@ static int nf_tables_updchain(struct nft
+ 			return -EBUSY;
+ 		}
+ 
+-		for (i = 0; i < afi->nops; i++) {
+-			ops = &basechain->ops[i];
+-			if (ops->hooknum != hook.num ||
+-			    ops->priority != hook.priority ||
+-			    ops->dev != hook.dev) {
+-				nft_chain_release_hook(&hook);
+-				return -EBUSY;
+-			}
++		ops = &basechain->ops;
++		if (ops->hooknum != hook.num ||
++		    ops->priority != hook.priority ||
++		    ops->dev != hook.dev) {
++			nft_chain_release_hook(&hook);
++			return -EBUSY;
+ 		}
+ 		nft_chain_release_hook(&hook);
+ 	}
+@@ -5060,10 +5048,9 @@ static int nf_tables_commit(struct net *
+ 		case NFT_MSG_DELCHAIN:
+ 			list_del_rcu(&trans->ctx.chain->list);
+ 			nf_tables_chain_notify(&trans->ctx, NFT_MSG_DELCHAIN);
+-			nf_tables_unregister_hooks(trans->ctx.net,
+-						   trans->ctx.table,
+-						   trans->ctx.chain,
+-						   trans->ctx.afi->nops);
++			nf_tables_unregister_hook(trans->ctx.net,
++						  trans->ctx.table,
++						  trans->ctx.chain);
+ 			break;
+ 		case NFT_MSG_NEWRULE:
+ 			nft_clear(trans->ctx.net, nft_trans_rule(trans));
+@@ -5200,10 +5187,9 @@ static int nf_tables_abort(struct net *n
+ 			} else {
+ 				trans->ctx.table->use--;
+ 				list_del_rcu(&trans->ctx.chain->list);
+-				nf_tables_unregister_hooks(trans->ctx.net,
+-							   trans->ctx.table,
+-							   trans->ctx.chain,
+-							   trans->ctx.afi->nops);
++				nf_tables_unregister_hook(trans->ctx.net,
++							  trans->ctx.table,
++							  trans->ctx.chain);
+ 			}
+ 			break;
+ 		case NFT_MSG_DELCHAIN:
+@@ -5304,7 +5290,7 @@ int nft_chain_validate_hooks(const struc
+ 	if (nft_is_base_chain(chain)) {
+ 		basechain = nft_base_chain(chain);
+ 
+-		if ((1 << basechain->ops[0].hooknum) & hook_flags)
++		if ((1 << basechain->ops.hooknum) & hook_flags)
+ 			return 0;
+ 
+ 		return -EOPNOTSUPP;
+@@ -5786,8 +5772,7 @@ int __nft_release_basechain(struct nft_c
+ 
+ 	BUG_ON(!nft_is_base_chain(ctx->chain));
+ 
+-	nf_tables_unregister_hooks(ctx->net, ctx->chain->table, ctx->chain,
+-				   ctx->afi->nops);
++	nf_tables_unregister_hook(ctx->net, ctx->chain->table, ctx->chain);
+ 	list_for_each_entry_safe(rule, nr, &ctx->chain->rules, list) {
+ 		list_del(&rule->list);
+ 		ctx->chain->use--;
+@@ -5816,8 +5801,7 @@ static void __nft_release_afinfo(struct
+ 
+ 	list_for_each_entry_safe(table, nt, &afi->tables, list) {
+ 		list_for_each_entry(chain, &table->chains, list)
+-			nf_tables_unregister_hooks(net, table, chain,
+-						   afi->nops);
++			nf_tables_unregister_hook(net, table, chain);
+ 		/* No packets are walking on these chains anymore. */
+ 		ctx.table = table;
+ 		list_for_each_entry(chain, &table->chains, list) {
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -74,7 +74,6 @@ static struct nft_af_info nft_af_inet __
+ 	.family		= NFPROTO_INET,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.nops		= 1,
+ 	.hooks		= {
+ 		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
+ 		[NF_INET_LOCAL_OUT]	= nft_inet_output,
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -43,7 +43,6 @@ static struct nft_af_info nft_af_netdev
+ 	.nhooks		= NF_NETDEV_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+ 	.flags		= NFT_AF_NEEDS_DEV,
+-	.nops		= 1,
+ 	.hooks		= {
+ 		[NF_NETDEV_INGRESS]	= nft_do_chain_netdev,
+ 	},
+@@ -98,7 +97,7 @@ static void nft_netdev_event(unsigned lo
+ 		__nft_release_basechain(ctx);
+ 		break;
+ 	case NETDEV_CHANGENAME:
+-		if (dev->ifindex != basechain->ops[0].dev->ifindex)
++		if (dev->ifindex != basechain->ops.dev->ifindex)
+ 			return;
+ 
+ 		strncpy(basechain->dev_name, dev->name, IFNAMSIZ);
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -169,7 +169,7 @@ nft_target_set_tgchk_param(struct xt_tgc
+ 	if (nft_is_base_chain(ctx->chain)) {
+ 		const struct nft_base_chain *basechain =
+ 						nft_base_chain(ctx->chain);
+-		const struct nf_hook_ops *ops = &basechain->ops[0];
++		const struct nf_hook_ops *ops = &basechain->ops;
+ 
+ 		par->hook_mask = 1 << ops->hooknum;
+ 	} else {
+@@ -302,7 +302,7 @@ static int nft_target_validate(const str
+ 	if (nft_is_base_chain(ctx->chain)) {
+ 		const struct nft_base_chain *basechain =
+ 						nft_base_chain(ctx->chain);
+-		const struct nf_hook_ops *ops = &basechain->ops[0];
++		const struct nf_hook_ops *ops = &basechain->ops;
+ 
+ 		hook_mask = 1 << ops->hooknum;
+ 		if (target->hooks && !(hook_mask & target->hooks))
+@@ -383,7 +383,7 @@ nft_match_set_mtchk_param(struct xt_mtch
+ 	if (nft_is_base_chain(ctx->chain)) {
+ 		const struct nft_base_chain *basechain =
+ 						nft_base_chain(ctx->chain);
+-		const struct nf_hook_ops *ops = &basechain->ops[0];
++		const struct nf_hook_ops *ops = &basechain->ops;
+ 
+ 		par->hook_mask = 1 << ops->hooknum;
+ 	} else {
+@@ -481,7 +481,7 @@ static int nft_match_validate(const stru
+ 	if (nft_is_base_chain(ctx->chain)) {
+ 		const struct nft_base_chain *basechain =
+ 						nft_base_chain(ctx->chain);
+-		const struct nf_hook_ops *ops = &basechain->ops[0];
++		const struct nf_hook_ops *ops = &basechain->ops;
+ 
+ 		hook_mask = 1 << ops->hooknum;
+ 		if (match->hooks && !(hook_mask & match->hooks))

target/linux/generic/backport-4.14/304-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch

@@ -0,0 +1,171 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Mon, 27 Nov 2017 21:55:14 +0100
+Subject: [PATCH] netfilter: move checksum indirection to struct nf_ipv6_ops
+
+We cannot make a direct call to nf_ip6_checksum() because that would
+result in autoloading the 'ipv6' module because of symbol dependencies.
+Therefore, define checksum indirection in nf_ipv6_ops where this really
+belongs to.
+
+For IPv4, we can indeed make a direct function call, which is faster,
+given IPv4 is built-in in the networking code by default. Still,
+CONFIG_INET=n and CONFIG_NETFILTER=y is possible, so define empty inline
+stub for IPv4 in such case.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+ create mode 100644 net/netfilter/utils.c
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -274,8 +274,6 @@ struct nf_queue_entry;
+ 
+ struct nf_afinfo {
+ 	unsigned short	family;
+-	__sum16		(*checksum)(struct sk_buff *skb, unsigned int hook,
+-				    unsigned int dataoff, u_int8_t protocol);
+ 	__sum16		(*checksum_partial)(struct sk_buff *skb,
+ 					    unsigned int hook,
+ 					    unsigned int dataoff,
+@@ -296,20 +294,9 @@ static inline const struct nf_afinfo *nf
+ 	return rcu_dereference(nf_afinfo[family]);
+ }
+ 
+-static inline __sum16
+-nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
+-	    u_int8_t protocol, unsigned short family)
+-{
+-	const struct nf_afinfo *afinfo;
+-	__sum16 csum = 0;
+-
+-	rcu_read_lock();
+-	afinfo = nf_get_afinfo(family);
+-	if (afinfo)
+-		csum = afinfo->checksum(skb, hook, dataoff, protocol);
+-	rcu_read_unlock();
+-	return csum;
+-}
++__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
++		    unsigned int dataoff, u_int8_t protocol,
++		    unsigned short family);
+ 
+ static inline __sum16
+ nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -7,6 +7,16 @@
+ #include <uapi/linux/netfilter_ipv4.h>
+ 
+ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
++
++#ifdef CONFIG_INET
+ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ 		       unsigned int dataoff, u_int8_t protocol);
++#else
++static inline __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
++				     unsigned int dataoff, u_int8_t protocol)
++{
++	return 0;
++}
++#endif /* CONFIG_INET */
++
+ #endif /*__LINUX_IP_NETFILTER_H*/
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -19,6 +19,8 @@ struct nf_ipv6_ops {
+ 	void (*route_input)(struct sk_buff *skb);
+ 	int (*fragment)(struct net *net, struct sock *sk, struct sk_buff *skb,
+ 			int (*output)(struct net *, struct sock *, struct sk_buff *));
++	__sum16 (*checksum)(struct sk_buff *skb, unsigned int hook,
++			    unsigned int dataoff, u_int8_t protocol);
+ };
+ 
+ #ifdef CONFIG_NETFILTER
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -106,12 +106,6 @@ static int nf_br_reroute(struct net *net
+ 	return 0;
+ }
+ 
+-static __sum16 nf_br_checksum(struct sk_buff *skb, unsigned int hook,
+-			      unsigned int dataoff, u_int8_t protocol)
+-{
+-	return 0;
+-}
+-
+ static __sum16 nf_br_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ 				      unsigned int dataoff, unsigned int len,
+ 				      u_int8_t protocol)
+@@ -127,7 +121,6 @@ static int nf_br_route(struct net *net,
+ 
+ static const struct nf_afinfo nf_br_afinfo = {
+ 	.family                 = AF_BRIDGE,
+-	.checksum               = nf_br_checksum,
+ 	.checksum_partial       = nf_br_checksum_partial,
+ 	.route                  = nf_br_route,
+ 	.saveroute              = nf_br_saveroute,
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -188,7 +188,6 @@ static int nf_ip_route(struct net *net,
+ 
+ static const struct nf_afinfo nf_ip_afinfo = {
+ 	.family			= AF_INET,
+-	.checksum		= nf_ip_checksum,
+ 	.checksum_partial	= nf_ip_checksum_partial,
+ 	.route			= nf_ip_route,
+ 	.saveroute		= nf_ip_saveroute,
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -192,12 +192,12 @@ static __sum16 nf_ip6_checksum_partial(s
+ static const struct nf_ipv6_ops ipv6ops = {
+ 	.chk_addr	= ipv6_chk_addr,
+ 	.route_input    = ip6_route_input,
+-	.fragment	= ip6_fragment
++	.fragment	= ip6_fragment,
++	.checksum	= nf_ip6_checksum,
+ };
+ 
+ static const struct nf_afinfo nf_ip6_afinfo = {
+ 	.family			= AF_INET6,
+-	.checksum		= nf_ip6_checksum,
+ 	.checksum_partial	= nf_ip6_checksum_partial,
+ 	.route			= nf_ip6_route,
+ 	.saveroute		= nf_ip6_saveroute,
+--- a/net/netfilter/Makefile
++++ b/net/netfilter/Makefile
+@@ -1,5 +1,5 @@
+ # SPDX-License-Identifier: GPL-2.0
+-netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o
++netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o utils.o
+ 
+ nf_conntrack-y	:= nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_expect.o nf_conntrack_helper.o nf_conntrack_proto.o nf_conntrack_l3proto_generic.o nf_conntrack_proto_generic.o nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o nf_conntrack_extend.o nf_conntrack_acct.o nf_conntrack_seqadj.o
+ nf_conntrack-$(CONFIG_NF_CONNTRACK_TIMEOUT) += nf_conntrack_timeout.o
+--- /dev/null
++++ b/net/netfilter/utils.c
+@@ -0,0 +1,26 @@
++#include <linux/kernel.h>
++#include <linux/netfilter.h>
++#include <linux/netfilter_ipv4.h>
++#include <linux/netfilter_ipv6.h>
++
++__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
++		    unsigned int dataoff, u_int8_t protocol,
++		    unsigned short family)
++{
++	const struct nf_ipv6_ops *v6ops;
++	__sum16 csum = 0;
++
++	switch (family) {
++	case AF_INET:
++		csum = nf_ip_checksum(skb, hook, dataoff, protocol);
++		break;
++	case AF_INET6:
++		v6ops = rcu_dereference(nf_ipv6_ops);
++		if (v6ops)
++			csum = v6ops->checksum(skb, hook, dataoff, protocol);
++		break;
++	}
++
++	return csum;
++}
++EXPORT_SYMBOL_GPL(nf_checksum);

target/linux/generic/backport-4.14/305-netfilter-move-checksum_partial-indirection-to-struc.patch

@@ -0,0 +1,204 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Wed, 20 Dec 2017 16:04:18 +0100
+Subject: [PATCH] netfilter: move checksum_partial indirection to struct
+ nf_ipv6_ops
+
+We cannot make a direct call to nf_ip6_checksum_partial() because that
+would result in autoloading the 'ipv6' module because of symbol
+dependencies.  Therefore, define checksum_partial indirection in
+nf_ipv6_ops where this really belongs to.
+
+For IPv4, we can indeed make a direct function call, which is faster,
+given IPv4 is built-in in the networking code by default. Still,
+CONFIG_INET=n and CONFIG_NETFILTER=y is possible, so define empty inline
+stub for IPv4 in such case.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -274,11 +274,6 @@ struct nf_queue_entry;
+ 
+ struct nf_afinfo {
+ 	unsigned short	family;
+-	__sum16		(*checksum_partial)(struct sk_buff *skb,
+-					    unsigned int hook,
+-					    unsigned int dataoff,
+-					    unsigned int len,
+-					    u_int8_t protocol);
+ 	int		(*route)(struct net *net, struct dst_entry **dst,
+ 				 struct flowi *fl, bool strict);
+ 	void		(*saveroute)(const struct sk_buff *skb,
+@@ -298,22 +293,9 @@ __sum16 nf_checksum(struct sk_buff *skb,
+ 		    unsigned int dataoff, u_int8_t protocol,
+ 		    unsigned short family);
+ 
+-static inline __sum16
+-nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
+-		    unsigned int dataoff, unsigned int len,
+-		    u_int8_t protocol, unsigned short family)
+-{
+-	const struct nf_afinfo *afinfo;
+-	__sum16 csum = 0;
+-
+-	rcu_read_lock();
+-	afinfo = nf_get_afinfo(family);
+-	if (afinfo)
+-		csum = afinfo->checksum_partial(skb, hook, dataoff, len,
+-						protocol);
+-	rcu_read_unlock();
+-	return csum;
+-}
++__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
++			    unsigned int dataoff, unsigned int len,
++			    u_int8_t protocol, unsigned short family);
+ 
+ int nf_register_afinfo(const struct nf_afinfo *afinfo);
+ void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -11,12 +11,23 @@ int ip_route_me_harder(struct net *net,
+ #ifdef CONFIG_INET
+ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ 		       unsigned int dataoff, u_int8_t protocol);
++__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
++			       unsigned int dataoff, unsigned int len,
++			       u_int8_t protocol);
+ #else
+ static inline __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ 				     unsigned int dataoff, u_int8_t protocol)
+ {
+ 	return 0;
+ }
++static inline __sum16 nf_ip_checksum_partial(struct sk_buff *skb,
++					     unsigned int hook,
++					     unsigned int dataoff,
++					     unsigned int len,
++					     u_int8_t protocol)
++{
++	return 0;
++}
+ #endif /* CONFIG_INET */
+ 
+ #endif /*__LINUX_IP_NETFILTER_H*/
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -21,6 +21,9 @@ struct nf_ipv6_ops {
+ 			int (*output)(struct net *, struct sock *, struct sk_buff *));
+ 	__sum16 (*checksum)(struct sk_buff *skb, unsigned int hook,
+ 			    unsigned int dataoff, u_int8_t protocol);
++	__sum16 (*checksum_partial)(struct sk_buff *skb, unsigned int hook,
++				    unsigned int dataoff, unsigned int len,
++				    u_int8_t protocol);
+ };
+ 
+ #ifdef CONFIG_NETFILTER
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -106,13 +106,6 @@ static int nf_br_reroute(struct net *net
+ 	return 0;
+ }
+ 
+-static __sum16 nf_br_checksum_partial(struct sk_buff *skb, unsigned int hook,
+-				      unsigned int dataoff, unsigned int len,
+-				      u_int8_t protocol)
+-{
+-	return 0;
+-}
+-
+ static int nf_br_route(struct net *net, struct dst_entry **dst,
+ 		       struct flowi *fl, bool strict __always_unused)
+ {
+@@ -121,7 +114,6 @@ static int nf_br_route(struct net *net,
+ 
+ static const struct nf_afinfo nf_br_afinfo = {
+ 	.family                 = AF_BRIDGE,
+-	.checksum_partial       = nf_br_checksum_partial,
+ 	.route                  = nf_br_route,
+ 	.saveroute              = nf_br_saveroute,
+ 	.reroute                = nf_br_reroute,
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -155,9 +155,9 @@ __sum16 nf_ip_checksum(struct sk_buff *s
+ }
+ EXPORT_SYMBOL(nf_ip_checksum);
+ 
+-static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
+-				      unsigned int dataoff, unsigned int len,
+-				      u_int8_t protocol)
++__sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
++			       unsigned int dataoff, unsigned int len,
++			       u_int8_t protocol)
+ {
+ 	const struct iphdr *iph = ip_hdr(skb);
+ 	__sum16 csum = 0;
+@@ -175,6 +175,7 @@ static __sum16 nf_ip_checksum_partial(st
+ 	}
+ 	return csum;
+ }
++EXPORT_SYMBOL_GPL(nf_ip_checksum_partial);
+ 
+ static int nf_ip_route(struct net *net, struct dst_entry **dst,
+ 		       struct flowi *fl, bool strict __always_unused)
+@@ -188,7 +189,6 @@ static int nf_ip_route(struct net *net,
+ 
+ static const struct nf_afinfo nf_ip_afinfo = {
+ 	.family			= AF_INET,
+-	.checksum_partial	= nf_ip_checksum_partial,
+ 	.route			= nf_ip_route,
+ 	.saveroute		= nf_ip_saveroute,
+ 	.reroute		= nf_ip_reroute,
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -190,15 +190,15 @@ static __sum16 nf_ip6_checksum_partial(s
+ };
+ 
+ static const struct nf_ipv6_ops ipv6ops = {
+-	.chk_addr	= ipv6_chk_addr,
+-	.route_input    = ip6_route_input,
+-	.fragment	= ip6_fragment,
+-	.checksum	= nf_ip6_checksum,
++	.chk_addr		= ipv6_chk_addr,
++	.route_input    	= ip6_route_input,
++	.fragment		= ip6_fragment,
++	.checksum		= nf_ip6_checksum,
++	.checksum_partial	= nf_ip6_checksum_partial,
+ };
+ 
+ static const struct nf_afinfo nf_ip6_afinfo = {
+ 	.family			= AF_INET6,
+-	.checksum_partial	= nf_ip6_checksum_partial,
+ 	.route			= nf_ip6_route,
+ 	.saveroute		= nf_ip6_saveroute,
+ 	.reroute		= nf_ip6_reroute,
+--- a/net/netfilter/utils.c
++++ b/net/netfilter/utils.c
+@@ -24,3 +24,27 @@ __sum16 nf_checksum(struct sk_buff *skb,
+ 	return csum;
+ }
+ EXPORT_SYMBOL_GPL(nf_checksum);
++
++__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
++			    unsigned int dataoff, unsigned int len,
++			    u_int8_t protocol, unsigned short family)
++{
++	const struct nf_ipv6_ops *v6ops;
++	__sum16 csum = 0;
++
++	switch (family) {
++	case AF_INET:
++		csum = nf_ip_checksum_partial(skb, hook, dataoff, len,
++					      protocol);
++		break;
++	case AF_INET6:
++		v6ops = rcu_dereference(nf_ipv6_ops);
++		if (v6ops)
++			csum = v6ops->checksum_partial(skb, hook, dataoff, len,
++						       protocol);
++		break;
++	}
++
++	return csum;
++}
++EXPORT_SYMBOL_GPL(nf_checksum_partial);

target/linux/generic/backport-4.14/306-netfilter-remove-saveroute-indirection-in-struct-nf_.patch

@@ -0,0 +1,232 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Wed, 20 Dec 2017 16:12:55 +0100
+Subject: [PATCH] netfilter: remove saveroute indirection in struct nf_afinfo
+
+This is only used by nf_queue.c and this function comes with no symbol
+dependencies with IPv6, it just refers to structure layouts. Therefore,
+we can replace it by a direct function call from where it belongs.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -276,8 +276,6 @@ struct nf_afinfo {
+ 	unsigned short	family;
+ 	int		(*route)(struct net *net, struct dst_entry **dst,
+ 				 struct flowi *fl, bool strict);
+-	void		(*saveroute)(const struct sk_buff *skb,
+-				     struct nf_queue_entry *entry);
+ 	int		(*reroute)(struct net *net, struct sk_buff *skb,
+ 				   const struct nf_queue_entry *entry);
+ 	int		route_key_size;
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -6,6 +6,16 @@
+ 
+ #include <uapi/linux/netfilter_ipv4.h>
+ 
++/* Extra routing may needed on local out, as the QUEUE target never returns
++ * control to the table.
++ */
++struct ip_rt_info {
++	__be32 daddr;
++	__be32 saddr;
++	u_int8_t tos;
++	u_int32_t mark;
++};
++
+ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
+ 
+ #ifdef CONFIG_INET
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -9,6 +9,15 @@
+ 
+ #include <uapi/linux/netfilter_ipv6.h>
+ 
++/* Extra routing may needed on local out, as the QUEUE target never returns
++ * control to the table.
++ */
++struct ip6_rt_info {
++	struct in6_addr daddr;
++	struct in6_addr saddr;
++	u_int32_t mark;
++};
++
+ /*
+  * Hook functions for ipv6 to allow xt_* modules to be built-in even
+  * if IPv6 is a module.
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -95,11 +95,6 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_BR_POST_ROUTING),
+ };
+ 
+-static void nf_br_saveroute(const struct sk_buff *skb,
+-			    struct nf_queue_entry *entry)
+-{
+-}
+-
+ static int nf_br_reroute(struct net *net, struct sk_buff *skb,
+ 			 const struct nf_queue_entry *entry)
+ {
+@@ -115,7 +110,6 @@ static int nf_br_route(struct net *net,
+ static const struct nf_afinfo nf_br_afinfo = {
+ 	.family                 = AF_BRIDGE,
+ 	.route                  = nf_br_route,
+-	.saveroute              = nf_br_saveroute,
+ 	.reroute                = nf_br_reroute,
+ 	.route_key_size         = 0,
+ };
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -80,33 +80,6 @@ int ip_route_me_harder(struct net *net,
+ }
+ EXPORT_SYMBOL(ip_route_me_harder);
+ 
+-/*
+- * Extra routing may needed on local out, as the QUEUE target never
+- * returns control to the table.
+- */
+-
+-struct ip_rt_info {
+-	__be32 daddr;
+-	__be32 saddr;
+-	u_int8_t tos;
+-	u_int32_t mark;
+-};
+-
+-static void nf_ip_saveroute(const struct sk_buff *skb,
+-			    struct nf_queue_entry *entry)
+-{
+-	struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
+-
+-	if (entry->state.hook == NF_INET_LOCAL_OUT) {
+-		const struct iphdr *iph = ip_hdr(skb);
+-
+-		rt_info->tos = iph->tos;
+-		rt_info->daddr = iph->daddr;
+-		rt_info->saddr = iph->saddr;
+-		rt_info->mark = skb->mark;
+-	}
+-}
+-
+ static int nf_ip_reroute(struct net *net, struct sk_buff *skb,
+ 			 const struct nf_queue_entry *entry)
+ {
+@@ -190,7 +163,6 @@ static int nf_ip_route(struct net *net,
+ static const struct nf_afinfo nf_ip_afinfo = {
+ 	.family			= AF_INET,
+ 	.route			= nf_ip_route,
+-	.saveroute		= nf_ip_saveroute,
+ 	.reroute		= nf_ip_reroute,
+ 	.route_key_size		= sizeof(struct ip_rt_info),
+ };
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -68,31 +68,6 @@ int ip6_route_me_harder(struct net *net,
+ }
+ EXPORT_SYMBOL(ip6_route_me_harder);
+ 
+-/*
+- * Extra routing may needed on local out, as the QUEUE target never
+- * returns control to the table.
+- */
+-
+-struct ip6_rt_info {
+-	struct in6_addr daddr;
+-	struct in6_addr saddr;
+-	u_int32_t mark;
+-};
+-
+-static void nf_ip6_saveroute(const struct sk_buff *skb,
+-			     struct nf_queue_entry *entry)
+-{
+-	struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
+-
+-	if (entry->state.hook == NF_INET_LOCAL_OUT) {
+-		const struct ipv6hdr *iph = ipv6_hdr(skb);
+-
+-		rt_info->daddr = iph->daddr;
+-		rt_info->saddr = iph->saddr;
+-		rt_info->mark = skb->mark;
+-	}
+-}
+-
+ static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
+ 			  const struct nf_queue_entry *entry)
+ {
+@@ -200,7 +175,6 @@ static const struct nf_ipv6_ops ipv6ops
+ static const struct nf_afinfo nf_ip6_afinfo = {
+ 	.family			= AF_INET6,
+ 	.route			= nf_ip6_route,
+-	.saveroute		= nf_ip6_saveroute,
+ 	.reroute		= nf_ip6_reroute,
+ 	.route_key_size		= sizeof(struct ip6_rt_info),
+ };
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -10,6 +10,8 @@
+ #include <linux/proc_fs.h>
+ #include <linux/skbuff.h>
+ #include <linux/netfilter.h>
++#include <linux/netfilter_ipv4.h>
++#include <linux/netfilter_ipv6.h>
+ #include <linux/netfilter_bridge.h>
+ #include <linux/seq_file.h>
+ #include <linux/rcupdate.h>
+@@ -111,6 +113,35 @@ unsigned int nf_queue_nf_hook_drop(struc
+ }
+ EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop);
+ 
++static void nf_ip_saveroute(const struct sk_buff *skb,
++			    struct nf_queue_entry *entry)
++{
++	struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
++
++	if (entry->state.hook == NF_INET_LOCAL_OUT) {
++		const struct iphdr *iph = ip_hdr(skb);
++
++		rt_info->tos = iph->tos;
++		rt_info->daddr = iph->daddr;
++		rt_info->saddr = iph->saddr;
++		rt_info->mark = skb->mark;
++	}
++}
++
++static void nf_ip6_saveroute(const struct sk_buff *skb,
++			     struct nf_queue_entry *entry)
++{
++	struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
++
++	if (entry->state.hook == NF_INET_LOCAL_OUT) {
++		const struct ipv6hdr *iph = ipv6_hdr(skb);
++
++		rt_info->daddr = iph->daddr;
++		rt_info->saddr = iph->saddr;
++		rt_info->mark = skb->mark;
++	}
++}
++
+ static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
+ 		      const struct nf_hook_entries *entries,
+ 		      unsigned int index, unsigned int queuenum)
+@@ -147,7 +178,16 @@ static int __nf_queue(struct sk_buff *sk
+ 
+ 	nf_queue_entry_get_refs(entry);
+ 	skb_dst_force(skb);
+-	afinfo->saveroute(skb, entry);
++
++	switch (entry->state.pf) {
++	case AF_INET:
++		nf_ip_saveroute(skb, entry);
++		break;
++	case AF_INET6:
++		nf_ip6_saveroute(skb, entry);
++		break;
++	}
++
+ 	status = qh->outfn(entry, queuenum);
+ 
+ 	if (status < 0) {

target/linux/generic/backport-4.14/307-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch

@@ -0,0 +1,349 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Mon, 27 Nov 2017 22:29:52 +0100
+Subject: [PATCH] netfilter: move route indirection to struct nf_ipv6_ops
+
+We cannot make a direct call to nf_ip6_route() because that would result
+in autoloading the 'ipv6' module because of symbol dependencies.
+Therefore, define route indirection in nf_ipv6_ops where this really
+belongs to.
+
+For IPv4, we can indeed make a direct function call, which is faster,
+given IPv4 is built-in in the networking code by default. Still,
+CONFIG_INET=n and CONFIG_NETFILTER=y is possible, so define empty inline
+stub for IPv4 in such case.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -274,8 +274,6 @@ struct nf_queue_entry;
+ 
+ struct nf_afinfo {
+ 	unsigned short	family;
+-	int		(*route)(struct net *net, struct dst_entry **dst,
+-				 struct flowi *fl, bool strict);
+ 	int		(*reroute)(struct net *net, struct sk_buff *skb,
+ 				   const struct nf_queue_entry *entry);
+ 	int		route_key_size;
+@@ -294,6 +292,8 @@ __sum16 nf_checksum(struct sk_buff *skb,
+ __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ 			    unsigned int dataoff, unsigned int len,
+ 			    u_int8_t protocol, unsigned short family);
++int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
++	     bool strict, unsigned short family);
+ 
+ int nf_register_afinfo(const struct nf_afinfo *afinfo);
+ void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -24,6 +24,8 @@ __sum16 nf_ip_checksum(struct sk_buff *s
+ __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
+ 			       unsigned int dataoff, unsigned int len,
+ 			       u_int8_t protocol);
++int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
++		bool strict);
+ #else
+ static inline __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ 				     unsigned int dataoff, u_int8_t protocol)
+@@ -38,6 +40,11 @@ static inline __sum16 nf_ip_checksum_par
+ {
+ 	return 0;
+ }
++static inline int nf_ip_route(struct net *net, struct dst_entry **dst,
++			      struct flowi *fl, bool strict)
++{
++	return -EOPNOTSUPP;
++}
+ #endif /* CONFIG_INET */
+ 
+ #endif /*__LINUX_IP_NETFILTER_H*/
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -33,6 +33,8 @@ struct nf_ipv6_ops {
+ 	__sum16 (*checksum_partial)(struct sk_buff *skb, unsigned int hook,
+ 				    unsigned int dataoff, unsigned int len,
+ 				    u_int8_t protocol);
++	int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
++		     bool strict);
+ };
+ 
+ #ifdef CONFIG_NETFILTER
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -101,15 +101,8 @@ static int nf_br_reroute(struct net *net
+ 	return 0;
+ }
+ 
+-static int nf_br_route(struct net *net, struct dst_entry **dst,
+-		       struct flowi *fl, bool strict __always_unused)
+-{
+-	return 0;
+-}
+-
+ static const struct nf_afinfo nf_br_afinfo = {
+ 	.family                 = AF_BRIDGE,
+-	.route                  = nf_br_route,
+ 	.reroute                = nf_br_reroute,
+ 	.route_key_size         = 0,
+ };
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -150,8 +150,8 @@ __sum16 nf_ip_checksum_partial(struct sk
+ }
+ EXPORT_SYMBOL_GPL(nf_ip_checksum_partial);
+ 
+-static int nf_ip_route(struct net *net, struct dst_entry **dst,
+-		       struct flowi *fl, bool strict __always_unused)
++int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
++		bool strict __always_unused)
+ {
+ 	struct rtable *rt = ip_route_output_key(net, &fl->u.ip4);
+ 	if (IS_ERR(rt))
+@@ -159,10 +159,10 @@ static int nf_ip_route(struct net *net,
+ 	*dst = &rt->dst;
+ 	return 0;
+ }
++EXPORT_SYMBOL_GPL(nf_ip_route);
+ 
+ static const struct nf_afinfo nf_ip_afinfo = {
+ 	.family			= AF_INET,
+-	.route			= nf_ip_route,
+ 	.reroute		= nf_ip_reroute,
+ 	.route_key_size		= sizeof(struct ip_rt_info),
+ };
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -170,11 +170,11 @@ static const struct nf_ipv6_ops ipv6ops
+ 	.fragment		= ip6_fragment,
+ 	.checksum		= nf_ip6_checksum,
+ 	.checksum_partial	= nf_ip6_checksum_partial,
++	.route			= nf_ip6_route,
+ };
+ 
+ static const struct nf_afinfo nf_ip6_afinfo = {
+ 	.family			= AF_INET6,
+-	.route			= nf_ip6_route,
+ 	.reroute		= nf_ip6_reroute,
+ 	.route_key_size		= sizeof(struct ip6_rt_info),
+ };
+--- a/net/ipv6/netfilter/nft_fib_ipv6.c
++++ b/net/ipv6/netfilter/nft_fib_ipv6.c
+@@ -60,7 +60,6 @@ static u32 __nft_fib6_eval_type(const st
+ {
+ 	const struct net_device *dev = NULL;
+ 	const struct nf_ipv6_ops *v6ops;
+-	const struct nf_afinfo *afinfo;
+ 	int route_err, addrtype;
+ 	struct rt6_info *rt;
+ 	struct flowi6 fl6 = {
+@@ -69,8 +68,8 @@ static u32 __nft_fib6_eval_type(const st
+ 	};
+ 	u32 ret = 0;
+ 
+-	afinfo = nf_get_afinfo(NFPROTO_IPV6);
+-	if (!afinfo)
++	v6ops = nf_get_ipv6_ops();
++	if (!v6ops)
+ 		return RTN_UNREACHABLE;
+ 
+ 	if (priv->flags & NFTA_FIB_F_IIF)
+@@ -80,12 +79,11 @@ static u32 __nft_fib6_eval_type(const st
+ 
+ 	nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph);
+ 
+-	v6ops = nf_get_ipv6_ops();
+-	if (dev && v6ops && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
++	if (dev && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
+ 		ret = RTN_LOCAL;
+ 
+-	route_err = afinfo->route(nft_net(pkt), (struct dst_entry **)&rt,
+-				  flowi6_to_flowi(&fl6), false);
++	route_err = v6ops->route(nft_net(pkt), (struct dst_entry **)&rt,
++				 flowi6_to_flowi(&fl6), false);
+ 	if (route_err)
+ 		goto err;
+ 
+--- a/net/netfilter/nf_conntrack_h323_main.c
++++ b/net/netfilter/nf_conntrack_h323_main.c
+@@ -24,6 +24,7 @@
+ #include <linux/skbuff.h>
+ #include <net/route.h>
+ #include <net/ip6_route.h>
++#include <linux/netfilter_ipv6.h>
+ 
+ #include <net/netfilter/nf_conntrack.h>
+ #include <net/netfilter/nf_conntrack_core.h>
+@@ -732,14 +733,8 @@ static int callforward_do_filter(struct
+ 				 const union nf_inet_addr *dst,
+ 				 u_int8_t family)
+ {
+-	const struct nf_afinfo *afinfo;
+ 	int ret = 0;
+ 
+-	/* rcu_read_lock()ed by nf_hook_thresh */
+-	afinfo = nf_get_afinfo(family);
+-	if (!afinfo)
+-		return 0;
+-
+ 	switch (family) {
+ 	case AF_INET: {
+ 		struct flowi4 fl1, fl2;
+@@ -750,10 +745,10 @@ static int callforward_do_filter(struct
+ 
+ 		memset(&fl2, 0, sizeof(fl2));
+ 		fl2.daddr = dst->ip;
+-		if (!afinfo->route(net, (struct dst_entry **)&rt1,
+-				   flowi4_to_flowi(&fl1), false)) {
+-			if (!afinfo->route(net, (struct dst_entry **)&rt2,
+-					   flowi4_to_flowi(&fl2), false)) {
++		if (!nf_ip_route(net, (struct dst_entry **)&rt1,
++				 flowi4_to_flowi(&fl1), false)) {
++			if (!nf_ip_route(net, (struct dst_entry **)&rt2,
++					 flowi4_to_flowi(&fl2), false)) {
+ 				if (rt_nexthop(rt1, fl1.daddr) ==
+ 				    rt_nexthop(rt2, fl2.daddr) &&
+ 				    rt1->dst.dev  == rt2->dst.dev)
+@@ -766,18 +761,23 @@ static int callforward_do_filter(struct
+ 	}
+ #if IS_ENABLED(CONFIG_NF_CONNTRACK_IPV6)
+ 	case AF_INET6: {
+-		struct flowi6 fl1, fl2;
++		const struct nf_ipv6_ops *v6ops;
+ 		struct rt6_info *rt1, *rt2;
++		struct flowi6 fl1, fl2;
++
++		v6ops = nf_get_ipv6_ops();
++		if (!v6ops)
++			return 0;
+ 
+ 		memset(&fl1, 0, sizeof(fl1));
+ 		fl1.daddr = src->in6;
+ 
+ 		memset(&fl2, 0, sizeof(fl2));
+ 		fl2.daddr = dst->in6;
+-		if (!afinfo->route(net, (struct dst_entry **)&rt1,
+-				   flowi6_to_flowi(&fl1), false)) {
+-			if (!afinfo->route(net, (struct dst_entry **)&rt2,
+-					   flowi6_to_flowi(&fl2), false)) {
++		if (!v6ops->route(net, (struct dst_entry **)&rt1,
++				  flowi6_to_flowi(&fl1), false)) {
++			if (!v6ops->route(net, (struct dst_entry **)&rt2,
++					  flowi6_to_flowi(&fl2), false)) {
+ 				if (ipv6_addr_equal(rt6_nexthop(rt1, &fl1.daddr),
+ 						    rt6_nexthop(rt2, &fl2.daddr)) &&
+ 				    rt1->dst.dev == rt2->dst.dev)
+--- a/net/netfilter/nft_rt.c
++++ b/net/netfilter/nft_rt.c
+@@ -27,7 +27,7 @@ static u16 get_tcpmss(const struct nft_p
+ {
+ 	u32 minlen = sizeof(struct ipv6hdr), mtu = dst_mtu(skbdst);
+ 	const struct sk_buff *skb = pkt->skb;
+-	const struct nf_afinfo *ai;
++	struct dst_entry *dst = NULL;
+ 	struct flowi fl;
+ 
+ 	memset(&fl, 0, sizeof(fl));
+@@ -43,15 +43,10 @@ static u16 get_tcpmss(const struct nft_p
+ 		break;
+ 	}
+ 
+-	ai = nf_get_afinfo(nft_pf(pkt));
+-	if (ai) {
+-		struct dst_entry *dst = NULL;
+-
+-		ai->route(nft_net(pkt), &dst, &fl, false);
+-		if (dst) {
+-			mtu = min(mtu, dst_mtu(dst));
+-			dst_release(dst);
+-		}
++	nf_route(nft_net(pkt), &dst, &fl, false, nft_pf(pkt));
++	if (dst) {
++		mtu = min(mtu, dst_mtu(dst));
++		dst_release(dst);
+ 	}
+ 
+ 	if (mtu <= minlen || mtu > 0xffff)
+--- a/net/netfilter/utils.c
++++ b/net/netfilter/utils.c
+@@ -48,3 +48,24 @@ __sum16 nf_checksum_partial(struct sk_bu
+ 	return csum;
+ }
+ EXPORT_SYMBOL_GPL(nf_checksum_partial);
++
++int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
++	     bool strict, unsigned short family)
++{
++	const struct nf_ipv6_ops *v6ops;
++	int ret = 0;
++
++	switch (family) {
++	case AF_INET:
++		ret = nf_ip_route(net, dst, fl, strict);
++		break;
++	case AF_INET6:
++		v6ops = rcu_dereference(nf_ipv6_ops);
++		if (v6ops)
++			ret = v6ops->route(net, dst, fl, strict);
++		break;
++	}
++
++	return ret;
++}
++EXPORT_SYMBOL_GPL(nf_route);
+--- a/net/netfilter/xt_TCPMSS.c
++++ b/net/netfilter/xt_TCPMSS.c
+@@ -48,7 +48,6 @@ static u_int32_t tcpmss_reverse_mtu(stru
+ 				    unsigned int family)
+ {
+ 	struct flowi fl;
+-	const struct nf_afinfo *ai;
+ 	struct rtable *rt = NULL;
+ 	u_int32_t mtu     = ~0U;
+ 
+@@ -62,10 +61,8 @@ static u_int32_t tcpmss_reverse_mtu(stru
+ 		memset(fl6, 0, sizeof(*fl6));
+ 		fl6->daddr = ipv6_hdr(skb)->saddr;
+ 	}
+-	ai = nf_get_afinfo(family);
+-	if (ai != NULL)
+-		ai->route(net, (struct dst_entry **)&rt, &fl, false);
+ 
++	nf_route(net, (struct dst_entry **)&rt, &fl, false, family);
+ 	if (rt != NULL) {
+ 		mtu = dst_mtu(&rt->dst);
+ 		dst_release(&rt->dst);
+--- a/net/netfilter/xt_addrtype.c
++++ b/net/netfilter/xt_addrtype.c
+@@ -36,7 +36,7 @@ MODULE_ALIAS("ip6t_addrtype");
+ static u32 match_lookup_rt6(struct net *net, const struct net_device *dev,
+ 			    const struct in6_addr *addr, u16 mask)
+ {
+-	const struct nf_afinfo *afinfo;
++	const struct nf_ipv6_ops *v6ops;
+ 	struct flowi6 flow;
+ 	struct rt6_info *rt;
+ 	u32 ret = 0;
+@@ -47,17 +47,14 @@ static u32 match_lookup_rt6(struct net *
+ 	if (dev)
+ 		flow.flowi6_oif = dev->ifindex;
+ 
+-	afinfo = nf_get_afinfo(NFPROTO_IPV6);
+-	if (afinfo != NULL) {
+-		const struct nf_ipv6_ops *v6ops;
+-
++	v6ops = nf_get_ipv6_ops();
++	if (v6ops) {
+ 		if (dev && (mask & XT_ADDRTYPE_LOCAL)) {
+-			v6ops = nf_get_ipv6_ops();
+-			if (v6ops && v6ops->chk_addr(net, addr, dev, true))
++			if (v6ops->chk_addr(net, addr, dev, true))
+ 				ret = XT_ADDRTYPE_LOCAL;
+ 		}
+-		route_err = afinfo->route(net, (struct dst_entry **)&rt,
+-					  flowi6_to_flowi(&flow), false);
++		route_err = v6ops->route(net, (struct dst_entry **)&rt,
++					 flowi6_to_flowi(&flow), false);
+ 	} else {
+ 		route_err = 1;
+ 	}

target/linux/generic/backport-4.14/308-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch

@@ -0,0 +1,223 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Mon, 27 Nov 2017 22:50:26 +0100
+Subject: [PATCH] netfilter: move reroute indirection to struct nf_ipv6_ops
+
+We cannot make a direct call to nf_ip6_reroute() because that would result
+in autoloading the 'ipv6' module because of symbol dependencies.
+Therefore, define reroute indirection in nf_ipv6_ops where this really
+belongs to.
+
+For IPv4, we can indeed make a direct function call, which is faster,
+given IPv4 is built-in in the networking code by default. Still,
+CONFIG_INET=n and CONFIG_NETFILTER=y is possible, so define empty inline
+stub for IPv4 in such case.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -274,8 +274,6 @@ struct nf_queue_entry;
+ 
+ struct nf_afinfo {
+ 	unsigned short	family;
+-	int		(*reroute)(struct net *net, struct sk_buff *skb,
+-				   const struct nf_queue_entry *entry);
+ 	int		route_key_size;
+ };
+ 
+@@ -294,6 +292,7 @@ __sum16 nf_checksum_partial(struct sk_bu
+ 			    u_int8_t protocol, unsigned short family);
+ int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ 	     bool strict, unsigned short family);
++int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
+ 
+ int nf_register_afinfo(const struct nf_afinfo *afinfo);
+ void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
+--- a/include/linux/netfilter_ipv4.h
++++ b/include/linux/netfilter_ipv4.h
+@@ -18,6 +18,8 @@ struct ip_rt_info {
+ 
+ int ip_route_me_harder(struct net *net, struct sk_buff *skb, unsigned addr_type);
+ 
++struct nf_queue_entry;
++
+ #ifdef CONFIG_INET
+ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ 		       unsigned int dataoff, u_int8_t protocol);
+@@ -26,6 +28,7 @@ __sum16 nf_ip_checksum_partial(struct sk
+ 			       u_int8_t protocol);
+ int nf_ip_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ 		bool strict);
++int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry);
+ #else
+ static inline __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ 				     unsigned int dataoff, u_int8_t protocol)
+@@ -45,6 +48,11 @@ static inline int nf_ip_route(struct net
+ {
+ 	return -EOPNOTSUPP;
+ }
++static inline int nf_ip_reroute(struct sk_buff *skb,
++				const struct nf_queue_entry *entry)
++{
++	return -EOPNOTSUPP;
++}
+ #endif /* CONFIG_INET */
+ 
+ #endif /*__LINUX_IP_NETFILTER_H*/
+--- a/include/linux/netfilter_ipv6.h
++++ b/include/linux/netfilter_ipv6.h
+@@ -18,6 +18,8 @@ struct ip6_rt_info {
+ 	u_int32_t mark;
+ };
+ 
++struct nf_queue_entry;
++
+ /*
+  * Hook functions for ipv6 to allow xt_* modules to be built-in even
+  * if IPv6 is a module.
+@@ -35,6 +37,7 @@ struct nf_ipv6_ops {
+ 				    u_int8_t protocol);
+ 	int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl,
+ 		     bool strict);
++	int (*reroute)(struct sk_buff *skb, const struct nf_queue_entry *entry);
+ };
+ 
+ #ifdef CONFIG_NETFILTER
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -95,15 +95,8 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_BR_POST_ROUTING),
+ };
+ 
+-static int nf_br_reroute(struct net *net, struct sk_buff *skb,
+-			 const struct nf_queue_entry *entry)
+-{
+-	return 0;
+-}
+-
+ static const struct nf_afinfo nf_br_afinfo = {
+ 	.family                 = AF_BRIDGE,
+-	.reroute                = nf_br_reroute,
+ 	.route_key_size         = 0,
+ };
+ 
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -80,8 +80,7 @@ int ip_route_me_harder(struct net *net,
+ }
+ EXPORT_SYMBOL(ip_route_me_harder);
+ 
+-static int nf_ip_reroute(struct net *net, struct sk_buff *skb,
+-			 const struct nf_queue_entry *entry)
++int nf_ip_reroute(struct sk_buff *skb, const struct nf_queue_entry *entry)
+ {
+ 	const struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
+ 
+@@ -92,10 +91,12 @@ static int nf_ip_reroute(struct net *net
+ 		      skb->mark == rt_info->mark &&
+ 		      iph->daddr == rt_info->daddr &&
+ 		      iph->saddr == rt_info->saddr))
+-			return ip_route_me_harder(net, skb, RTN_UNSPEC);
++			return ip_route_me_harder(entry->state.net, skb,
++						  RTN_UNSPEC);
+ 	}
+ 	return 0;
+ }
++EXPORT_SYMBOL_GPL(nf_ip_reroute);
+ 
+ __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
+ 			    unsigned int dataoff, u_int8_t protocol)
+@@ -163,7 +164,6 @@ EXPORT_SYMBOL_GPL(nf_ip_route);
+ 
+ static const struct nf_afinfo nf_ip_afinfo = {
+ 	.family			= AF_INET,
+-	.reroute		= nf_ip_reroute,
+ 	.route_key_size		= sizeof(struct ip_rt_info),
+ };
+ 
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -68,7 +68,7 @@ int ip6_route_me_harder(struct net *net,
+ }
+ EXPORT_SYMBOL(ip6_route_me_harder);
+ 
+-static int nf_ip6_reroute(struct net *net, struct sk_buff *skb,
++static int nf_ip6_reroute(struct sk_buff *skb,
+ 			  const struct nf_queue_entry *entry)
+ {
+ 	struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
+@@ -78,7 +78,7 @@ static int nf_ip6_reroute(struct net *ne
+ 		if (!ipv6_addr_equal(&iph->daddr, &rt_info->daddr) ||
+ 		    !ipv6_addr_equal(&iph->saddr, &rt_info->saddr) ||
+ 		    skb->mark != rt_info->mark)
+-			return ip6_route_me_harder(net, skb);
++			return ip6_route_me_harder(entry->state.net, skb);
+ 	}
+ 	return 0;
+ }
+@@ -171,11 +171,11 @@ static const struct nf_ipv6_ops ipv6ops
+ 	.checksum		= nf_ip6_checksum,
+ 	.checksum_partial	= nf_ip6_checksum_partial,
+ 	.route			= nf_ip6_route,
++	.reroute		= nf_ip6_reroute,
+ };
+ 
+ static const struct nf_afinfo nf_ip6_afinfo = {
+ 	.family			= AF_INET6,
+-	.reroute		= nf_ip6_reroute,
+ 	.route_key_size		= sizeof(struct ip6_rt_info),
+ };
+ 
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -250,7 +250,6 @@ void nf_reinject(struct nf_queue_entry *
+ 	const struct nf_hook_entry *hook_entry;
+ 	const struct nf_hook_entries *hooks;
+ 	struct sk_buff *skb = entry->skb;
+-	const struct nf_afinfo *afinfo;
+ 	const struct net *net;
+ 	unsigned int i;
+ 	int err;
+@@ -277,8 +276,7 @@ void nf_reinject(struct nf_queue_entry *
+ 		verdict = nf_hook_entry_hookfn(hook_entry, skb, &entry->state);
+ 
+ 	if (verdict == NF_ACCEPT) {
+-		afinfo = nf_get_afinfo(entry->state.pf);
+-		if (!afinfo || afinfo->reroute(entry->state.net, skb, entry) < 0)
++		if (nf_reroute(skb, entry) < 0)
+ 			verdict = NF_DROP;
+ 	}
+ 
+--- a/net/netfilter/utils.c
++++ b/net/netfilter/utils.c
+@@ -2,6 +2,7 @@
+ #include <linux/netfilter.h>
+ #include <linux/netfilter_ipv4.h>
+ #include <linux/netfilter_ipv6.h>
++#include <net/netfilter/nf_queue.h>
+ 
+ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
+ 		    unsigned int dataoff, u_int8_t protocol,
+@@ -69,3 +70,21 @@ int nf_route(struct net *net, struct dst
+ 	return ret;
+ }
+ EXPORT_SYMBOL_GPL(nf_route);
++
++int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry)
++{
++	const struct nf_ipv6_ops *v6ops;
++	int ret = 0;
++
++	switch (entry->state.pf) {
++	case AF_INET:
++		ret = nf_ip_reroute(skb, entry);
++		break;
++	case AF_INET6:
++		v6ops = rcu_dereference(nf_ipv6_ops);
++		if (v6ops)
++			ret = v6ops->reroute(skb, entry);
++		break;
++	}
++	return ret;
++}

target/linux/generic/backport-4.14/309-netfilter-remove-route_key_size-field-in-struct-nf_a.patch

@@ -0,0 +1,94 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Mon, 27 Nov 2017 22:58:37 +0100
+Subject: [PATCH] netfilter: remove route_key_size field in struct nf_afinfo
+
+This is only needed by nf_queue, place this code where it belongs.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -274,7 +274,6 @@ struct nf_queue_entry;
+ 
+ struct nf_afinfo {
+ 	unsigned short	family;
+-	int		route_key_size;
+ };
+ 
+ extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO];
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -164,7 +164,6 @@ EXPORT_SYMBOL_GPL(nf_ip_route);
+ 
+ static const struct nf_afinfo nf_ip_afinfo = {
+ 	.family			= AF_INET,
+-	.route_key_size		= sizeof(struct ip_rt_info),
+ };
+ 
+ static int __init ipv4_netfilter_init(void)
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -176,7 +176,6 @@ static const struct nf_ipv6_ops ipv6ops
+ 
+ static const struct nf_afinfo nf_ip6_afinfo = {
+ 	.family			= AF_INET6,
+-	.route_key_size		= sizeof(struct ip6_rt_info),
+ };
+ 
+ int __init ipv6_netfilter_init(void)
+--- a/net/netfilter/nf_queue.c
++++ b/net/netfilter/nf_queue.c
+@@ -15,6 +15,8 @@
+ #include <linux/netfilter_bridge.h>
+ #include <linux/seq_file.h>
+ #include <linux/rcupdate.h>
++#include <linux/netfilter_ipv4.h>
++#include <linux/netfilter_ipv6.h>
+ #include <net/protocol.h>
+ #include <net/netfilter/nf_queue.h>
+ #include <net/dst.h>
+@@ -148,9 +150,9 @@ static int __nf_queue(struct sk_buff *sk
+ {
+ 	int status = -ENOENT;
+ 	struct nf_queue_entry *entry = NULL;
+-	const struct nf_afinfo *afinfo;
+ 	const struct nf_queue_handler *qh;
+ 	struct net *net = state->net;
++	unsigned int route_key_size;
+ 
+ 	/* QUEUE == DROP if no one is waiting, to be safe. */
+ 	qh = rcu_dereference(net->nf.queue_handler);
+@@ -159,11 +161,19 @@ static int __nf_queue(struct sk_buff *sk
+ 		goto err;
+ 	}
+ 
+-	afinfo = nf_get_afinfo(state->pf);
+-	if (!afinfo)
+-		goto err;
++	switch (state->pf) {
++	case AF_INET:
++		route_key_size = sizeof(struct ip_rt_info);
++		break;
++	case AF_INET6:
++		route_key_size = sizeof(struct ip6_rt_info);
++		break;
++	default:
++		route_key_size = 0;
++		break;
++	}
+ 
+-	entry = kmalloc(sizeof(*entry) + afinfo->route_key_size, GFP_ATOMIC);
++	entry = kmalloc(sizeof(*entry) + route_key_size, GFP_ATOMIC);
+ 	if (!entry) {
+ 		status = -ENOMEM;
+ 		goto err;
+@@ -173,7 +183,7 @@ static int __nf_queue(struct sk_buff *sk
+ 		.skb	= skb,
+ 		.state	= *state,
+ 		.hook_index = index,
+-		.size	= sizeof(*entry) + afinfo->route_key_size,
++		.size	= sizeof(*entry) + route_key_size,
+ 	};
+ 
+ 	nf_queue_entry_get_refs(entry);

target/linux/generic/backport-4.14/310-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch

@@ -0,0 +1,173 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sat, 9 Dec 2017 17:05:53 +0100
+Subject: [PATCH] netfilter: remove struct nf_afinfo and its helper functions
+
+This abstraction has no clients anymore, remove it.
+
+This is what remains from previous authors, so correct copyright
+statement after recent modifications and code removal.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/linux/netfilter.h
++++ b/include/linux/netfilter.h
+@@ -272,16 +272,6 @@ int skb_make_writable(struct sk_buff *sk
+ struct flowi;
+ struct nf_queue_entry;
+ 
+-struct nf_afinfo {
+-	unsigned short	family;
+-};
+-
+-extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO];
+-static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
+-{
+-	return rcu_dereference(nf_afinfo[family]);
+-}
+-
+ __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
+ 		    unsigned int dataoff, u_int8_t protocol,
+ 		    unsigned short family);
+@@ -293,9 +283,6 @@ int nf_route(struct net *net, struct dst
+ 	     bool strict, unsigned short family);
+ int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
+ 
+-int nf_register_afinfo(const struct nf_afinfo *afinfo);
+-void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
+-
+ #include <net/flow.h>
+ extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
+ 
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -95,30 +95,23 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_BR_POST_ROUTING),
+ };
+ 
+-static const struct nf_afinfo nf_br_afinfo = {
+-	.family                 = AF_BRIDGE,
+-	.route_key_size         = 0,
+-};
+-
+ static int __init nf_tables_bridge_init(void)
+ {
+ 	int ret;
+ 
+-	nf_register_afinfo(&nf_br_afinfo);
+ 	ret = nft_register_chain_type(&filter_bridge);
+ 	if (ret < 0)
+-		goto err1;
++		return ret;
+ 
+ 	ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
+ 	if (ret < 0)
+-		goto err2;
++		goto err_register_subsys;
+ 
+ 	return ret;
+ 
+-err2:
++err_register_subsys:
+ 	nft_unregister_chain_type(&filter_bridge);
+-err1:
+-	nf_unregister_afinfo(&nf_br_afinfo);
++
+ 	return ret;
+ }
+ 
+@@ -126,7 +119,6 @@ static void __exit nf_tables_bridge_exit
+ {
+ 	unregister_pernet_subsys(&nf_tables_bridge_net_ops);
+ 	nft_unregister_chain_type(&filter_bridge);
+-	nf_unregister_afinfo(&nf_br_afinfo);
+ }
+ 
+ module_init(nf_tables_bridge_init);
+--- a/net/ipv4/netfilter.c
++++ b/net/ipv4/netfilter.c
+@@ -161,13 +161,3 @@ int nf_ip_route(struct net *net, struct
+ 	return 0;
+ }
+ EXPORT_SYMBOL_GPL(nf_ip_route);
+-
+-static const struct nf_afinfo nf_ip_afinfo = {
+-	.family			= AF_INET,
+-};
+-
+-static int __init ipv4_netfilter_init(void)
+-{
+-	return nf_register_afinfo(&nf_ip_afinfo);
+-}
+-subsys_initcall(ipv4_netfilter_init);
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -174,14 +174,10 @@ static const struct nf_ipv6_ops ipv6ops
+ 	.reroute		= nf_ip6_reroute,
+ };
+ 
+-static const struct nf_afinfo nf_ip6_afinfo = {
+-	.family			= AF_INET6,
+-};
+-
+ int __init ipv6_netfilter_init(void)
+ {
+ 	RCU_INIT_POINTER(nf_ipv6_ops, &ipv6ops);
+-	return nf_register_afinfo(&nf_ip6_afinfo);
++	return 0;
+ }
+ 
+ /* This can be called from inet6_init() on errors, so it cannot
+@@ -190,5 +186,4 @@ int __init ipv6_netfilter_init(void)
+ void ipv6_netfilter_fini(void)
+ {
+ 	RCU_INIT_POINTER(nf_ipv6_ops, NULL);
+-	nf_unregister_afinfo(&nf_ip6_afinfo);
+ }
+--- a/net/netfilter/core.c
++++ b/net/netfilter/core.c
+@@ -4,8 +4,7 @@
+  * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
+  * way.
+  *
+- * Rusty Russell (C)2000 -- This code is GPL.
+- * Patrick McHardy (c) 2006-2012
++ * This code is GPL.
+  */
+ #include <linux/kernel.h>
+ #include <linux/netfilter.h>
+@@ -28,34 +27,12 @@
+ 
+ #include "nf_internals.h"
+ 
+-static DEFINE_MUTEX(afinfo_mutex);
+-
+-const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
+-EXPORT_SYMBOL(nf_afinfo);
+ const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
+ EXPORT_SYMBOL_GPL(nf_ipv6_ops);
+ 
+ DEFINE_PER_CPU(bool, nf_skb_duplicated);
+ EXPORT_SYMBOL_GPL(nf_skb_duplicated);
+ 
+-int nf_register_afinfo(const struct nf_afinfo *afinfo)
+-{
+-	mutex_lock(&afinfo_mutex);
+-	RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
+-	mutex_unlock(&afinfo_mutex);
+-	return 0;
+-}
+-EXPORT_SYMBOL_GPL(nf_register_afinfo);
+-
+-void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
+-{
+-	mutex_lock(&afinfo_mutex);
+-	RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
+-	mutex_unlock(&afinfo_mutex);
+-	synchronize_rcu();
+-}
+-EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
+-
+ #ifdef HAVE_JUMP_LABEL
+ struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
+ EXPORT_SYMBOL(nf_hooks_needed);

target/linux/generic/backport-4.14/311-netfilter-nf_tables_arp-don-t-set-forward-chain.patch

@@ -0,0 +1,20 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sun, 10 Dec 2017 01:42:58 +0100
+Subject: [PATCH] netfilter: nf_tables_arp: don't set forward chain
+
+46928a0b49f3 ("netfilter: nf_tables: remove multihook chains and
+families") already removed this, this is a leftover.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -34,7 +34,6 @@ static struct nft_af_info nft_af_arp __r
+ 	.hooks		= {
+ 		[NF_ARP_IN]		= nft_do_chain_arp,
+ 		[NF_ARP_OUT]		= nft_do_chain_arp,
+-		[NF_ARP_FORWARD]	= nft_do_chain_arp,
+ 	},
+ };
+ 

target/linux/generic/backport-4.14/312-netfilter-nf_tables-remove-hooks-from-family-definit.patch

@@ -0,0 +1,233 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sat, 9 Dec 2017 15:43:17 +0100
+Subject: [PATCH] netfilter: nf_tables: remove hooks from family definition
+
+They don't belong to the family definition, move them to the filter
+chain type definition instead.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -870,7 +870,7 @@ enum nft_chain_type {
+  * 	@family: address family
+  * 	@owner: module owner
+  * 	@hook_mask: mask of valid hooks
+- * 	@hooks: hookfn overrides
++ * 	@hooks: array of hook functions
+  */
+ struct nf_chain_type {
+ 	const char			*name;
+@@ -964,7 +964,6 @@ enum nft_af_flags {
+  *	@owner: module owner
+  *	@tables: used internally
+  *	@flags: family flags
+- *	@hooks: hookfn overrides for packet validation
+  */
+ struct nft_af_info {
+ 	struct list_head		list;
+@@ -973,7 +972,6 @@ struct nft_af_info {
+ 	struct module			*owner;
+ 	struct list_head		tables;
+ 	u32				flags;
+-	nf_hookfn			*hooks[NF_MAX_HOOKS];
+ };
+ 
+ int nft_register_afinfo(struct net *, struct nft_af_info *);
+--- a/net/bridge/netfilter/nf_tables_bridge.c
++++ b/net/bridge/netfilter/nf_tables_bridge.c
+@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_bridge
+ 	.family		= NFPROTO_BRIDGE,
+ 	.nhooks		= NF_BR_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_BR_PRE_ROUTING]	= nft_do_chain_bridge,
+-		[NF_BR_LOCAL_IN]	= nft_do_chain_bridge,
+-		[NF_BR_FORWARD]		= nft_do_chain_bridge,
+-		[NF_BR_LOCAL_OUT]	= nft_do_chain_bridge,
+-		[NF_BR_POST_ROUTING]	= nft_do_chain_bridge,
+-	},
+ };
+ 
+ static int nf_tables_bridge_init_net(struct net *net)
+@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_BR_FORWARD) |
+ 			  (1 << NF_BR_LOCAL_OUT) |
+ 			  (1 << NF_BR_POST_ROUTING),
++	.hooks		= {
++		[NF_BR_PRE_ROUTING]	= nft_do_chain_bridge,
++		[NF_BR_LOCAL_IN]	= nft_do_chain_bridge,
++		[NF_BR_FORWARD]		= nft_do_chain_bridge,
++		[NF_BR_LOCAL_OUT]	= nft_do_chain_bridge,
++		[NF_BR_POST_ROUTING]	= nft_do_chain_bridge,
++	},
+ };
+ 
+ static int __init nf_tables_bridge_init(void)
+--- a/net/ipv4/netfilter/nf_tables_arp.c
++++ b/net/ipv4/netfilter/nf_tables_arp.c
+@@ -31,10 +31,6 @@ static struct nft_af_info nft_af_arp __r
+ 	.family		= NFPROTO_ARP,
+ 	.nhooks		= NF_ARP_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_ARP_IN]		= nft_do_chain_arp,
+-		[NF_ARP_OUT]		= nft_do_chain_arp,
+-	},
+ };
+ 
+ static int nf_tables_arp_init_net(struct net *net)
+@@ -72,6 +68,10 @@ static const struct nf_chain_type filter
+ 	.owner		= THIS_MODULE,
+ 	.hook_mask	= (1 << NF_ARP_IN) |
+ 			  (1 << NF_ARP_OUT),
++	.hooks		= {
++		[NF_ARP_IN]		= nft_do_chain_arp,
++		[NF_ARP_OUT]		= nft_do_chain_arp,
++	},
+ };
+ 
+ static int __init nf_tables_arp_init(void)
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -49,13 +49,6 @@ static struct nft_af_info nft_af_ipv4 __
+ 	.family		= NFPROTO_IPV4,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,
+-		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,
+-		[NF_INET_FORWARD]	= nft_do_chain_ipv4,
+-		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv4,
+-		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
+-	},
+ };
+ 
+ static int nf_tables_ipv4_init_net(struct net *net)
+@@ -96,6 +89,13 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_FORWARD) |
+ 			  (1 << NF_INET_PRE_ROUTING) |
+ 			  (1 << NF_INET_POST_ROUTING),
++	.hooks		= {
++		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,
++		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,
++		[NF_INET_FORWARD]	= nft_do_chain_ipv4,
++		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv4,
++		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
++	},
+ };
+ 
+ static int __init nf_tables_ipv4_init(void)
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -46,13 +46,6 @@ static struct nft_af_info nft_af_ipv6 __
+ 	.family		= NFPROTO_IPV6,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,
+-		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,
+-		[NF_INET_FORWARD]	= nft_do_chain_ipv6,
+-		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv6,
+-		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
+-	},
+ };
+ 
+ static int nf_tables_ipv6_init_net(struct net *net)
+@@ -93,6 +86,13 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_FORWARD) |
+ 			  (1 << NF_INET_PRE_ROUTING) |
+ 			  (1 << NF_INET_POST_ROUTING),
++	.hooks		= {
++		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,
++		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,
++		[NF_INET_FORWARD]	= nft_do_chain_ipv6,
++		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv6,
++		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
++	},
+ };
+ 
+ static int __init nf_tables_ipv6_init(void)
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1352,7 +1352,6 @@ static int nf_tables_addchain(struct nft
+ 	if (nla[NFTA_CHAIN_HOOK]) {
+ 		struct nft_chain_hook hook;
+ 		struct nf_hook_ops *ops;
+-		nf_hookfn *hookfn;
+ 
+ 		err = nft_chain_parse_hook(net, nla, afi, &hook, create);
+ 		if (err < 0)
+@@ -1378,7 +1377,6 @@ static int nf_tables_addchain(struct nft
+ 			static_branch_inc(&nft_counters_enabled);
+ 		}
+ 
+-		hookfn = hook.type->hooks[hook.num];
+ 		basechain->type = hook.type;
+ 		chain = &basechain->chain;
+ 
+@@ -1387,10 +1385,8 @@ static int nf_tables_addchain(struct nft
+ 		ops->hooknum	= hook.num;
+ 		ops->priority	= hook.priority;
+ 		ops->priv	= chain;
+-		ops->hook	= afi->hooks[ops->hooknum];
++		ops->hook	= hook.type->hooks[ops->hooknum];
+ 		ops->dev	= hook.dev;
+-		if (hookfn)
+-			ops->hook = hookfn;
+ 
+ 		if (basechain->type->type == NFT_CHAIN_T_NAT)
+ 			ops->nat_hook = true;
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -74,13 +74,6 @@ static struct nft_af_info nft_af_inet __
+ 	.family		= NFPROTO_INET,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+-	.hooks		= {
+-		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
+-		[NF_INET_LOCAL_OUT]	= nft_inet_output,
+-		[NF_INET_FORWARD]	= nft_do_chain_inet,
+-		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
+-		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,
+-        },
+ };
+ 
+ static int __net_init nf_tables_inet_init_net(struct net *net)
+@@ -121,6 +114,13 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_FORWARD) |
+ 			  (1 << NF_INET_PRE_ROUTING) |
+ 			  (1 << NF_INET_POST_ROUTING),
++	.hooks		= {
++		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
++		[NF_INET_LOCAL_OUT]	= nft_inet_output,
++		[NF_INET_FORWARD]	= nft_do_chain_inet,
++		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
++		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,
++        },
+ };
+ 
+ static int __init nf_tables_inet_init(void)
+--- a/net/netfilter/nf_tables_netdev.c
++++ b/net/netfilter/nf_tables_netdev.c
+@@ -43,9 +43,6 @@ static struct nft_af_info nft_af_netdev
+ 	.nhooks		= NF_NETDEV_NUMHOOKS,
+ 	.owner		= THIS_MODULE,
+ 	.flags		= NFT_AF_NEEDS_DEV,
+-	.hooks		= {
+-		[NF_NETDEV_INGRESS]	= nft_do_chain_netdev,
+-	},
+ };
+ 
+ static int nf_tables_netdev_init_net(struct net *net)
+@@ -82,6 +79,9 @@ static const struct nf_chain_type nft_fi
+ 	.family		= NFPROTO_NETDEV,
+ 	.owner		= THIS_MODULE,
+ 	.hook_mask	= (1 << NF_NETDEV_INGRESS),
++	.hooks		= {
++		[NF_NETDEV_INGRESS]	= nft_do_chain_netdev,
++	},
+ };
+ 
+ static void nft_netdev_event(unsigned long event, struct net_device *dev,

target/linux/generic/backport-4.14/313-netfilter-remove-defensive-check-on-malformed-packet.patch

@@ -0,0 +1,302 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Sat, 30 Dec 2017 22:41:46 +0100
+Subject: [PATCH] netfilter: remove defensive check on malformed packets from
+ raw sockets
+
+Users cannot forge malformed IPv4/IPv6 headers via raw sockets that they
+can inject into the stack. Specifically, not for IPv4 since 55888dfb6ba7
+("AF_RAW: Augment raw_send_hdrinc to expand skb to fit iphdr->ihl
+(v2)"). IPv6 raw sockets also ensure that packets have a well-formed
+IPv6 header available in the skbuff.
+
+At quick glance, br_netfilter also validates layer 3 headers and it
+drops malformed both IPv4 and IPv6 packets.
+
+Therefore, let's remove this defensive check all over the place.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/net/ipv4/netfilter/iptable_filter.c
++++ b/net/ipv4/netfilter/iptable_filter.c
+@@ -38,12 +38,6 @@ static unsigned int
+ iptable_filter_hook(void *priv, struct sk_buff *skb,
+ 		    const struct nf_hook_state *state)
+ {
+-	if (state->hook == NF_INET_LOCAL_OUT &&
+-	    (skb->len < sizeof(struct iphdr) ||
+-	     ip_hdrlen(skb) < sizeof(struct iphdr)))
+-		/* root is playing with raw sockets. */
+-		return NF_ACCEPT;
+-
+ 	return ipt_do_table(skb, state, state->net->ipv4.iptable_filter);
+ }
+ 
+--- a/net/ipv4/netfilter/iptable_mangle.c
++++ b/net/ipv4/netfilter/iptable_mangle.c
+@@ -49,11 +49,6 @@ ipt_mangle_out(struct sk_buff *skb, cons
+ 	u_int32_t mark;
+ 	int err;
+ 
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct iphdr) ||
+-	    ip_hdrlen(skb) < sizeof(struct iphdr))
+-		return NF_ACCEPT;
+-
+ 	/* Save things which could affect route */
+ 	mark = skb->mark;
+ 	iph = ip_hdr(skb);
+--- a/net/ipv4/netfilter/iptable_raw.c
++++ b/net/ipv4/netfilter/iptable_raw.c
+@@ -26,12 +26,6 @@ static unsigned int
+ iptable_raw_hook(void *priv, struct sk_buff *skb,
+ 		 const struct nf_hook_state *state)
+ {
+-	if (state->hook == NF_INET_LOCAL_OUT &&
+-	    (skb->len < sizeof(struct iphdr) ||
+-	     ip_hdrlen(skb) < sizeof(struct iphdr)))
+-		/* root is playing with raw sockets. */
+-		return NF_ACCEPT;
+-
+ 	return ipt_do_table(skb, state, state->net->ipv4.iptable_raw);
+ }
+ 
+--- a/net/ipv4/netfilter/iptable_security.c
++++ b/net/ipv4/netfilter/iptable_security.c
+@@ -43,12 +43,6 @@ static unsigned int
+ iptable_security_hook(void *priv, struct sk_buff *skb,
+ 		      const struct nf_hook_state *state)
+ {
+-	if (state->hook == NF_INET_LOCAL_OUT &&
+-	    (skb->len < sizeof(struct iphdr) ||
+-	     ip_hdrlen(skb) < sizeof(struct iphdr)))
+-		/* Somebody is playing with raw sockets. */
+-		return NF_ACCEPT;
+-
+ 	return ipt_do_table(skb, state, state->net->ipv4.iptable_security);
+ }
+ 
+--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+@@ -154,11 +154,6 @@ static unsigned int ipv4_conntrack_local
+ 					 struct sk_buff *skb,
+ 					 const struct nf_hook_state *state)
+ {
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct iphdr) ||
+-	    ip_hdrlen(skb) < sizeof(struct iphdr))
+-		return NF_ACCEPT;
+-
+ 	if (ip_is_fragment(ip_hdr(skb))) /* IP_NODEFRAG setsockopt set */
+ 		return NF_ACCEPT;
+ 
+--- a/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
+@@ -355,11 +355,6 @@ nf_nat_ipv4_out(void *priv, struct sk_bu
+ #endif
+ 	unsigned int ret;
+ 
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct iphdr) ||
+-	    ip_hdrlen(skb) < sizeof(struct iphdr))
+-		return NF_ACCEPT;
+-
+ 	ret = nf_nat_ipv4_fn(priv, skb, state, do_chain);
+ #ifdef CONFIG_XFRM
+ 	if (ret != NF_DROP && ret != NF_STOLEN &&
+@@ -395,11 +390,6 @@ nf_nat_ipv4_local_fn(void *priv, struct
+ 	unsigned int ret;
+ 	int err;
+ 
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct iphdr) ||
+-	    ip_hdrlen(skb) < sizeof(struct iphdr))
+-		return NF_ACCEPT;
+-
+ 	ret = nf_nat_ipv4_fn(priv, skb, state, do_chain);
+ 	if (ret != NF_DROP && ret != NF_STOLEN &&
+ 	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
+--- a/net/ipv4/netfilter/nf_tables_ipv4.c
++++ b/net/ipv4/netfilter/nf_tables_ipv4.c
+@@ -30,21 +30,6 @@ static unsigned int nft_do_chain_ipv4(vo
+ 	return nft_do_chain(&pkt, priv);
+ }
+ 
+-static unsigned int nft_ipv4_output(void *priv,
+-				    struct sk_buff *skb,
+-				    const struct nf_hook_state *state)
+-{
+-	if (unlikely(skb->len < sizeof(struct iphdr) ||
+-		     ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
+-		if (net_ratelimit())
+-			pr_info("nf_tables_ipv4: ignoring short SOCK_RAW "
+-				"packet\n");
+-		return NF_ACCEPT;
+-	}
+-
+-	return nft_do_chain_ipv4(priv, skb, state);
+-}
+-
+ static struct nft_af_info nft_af_ipv4 __read_mostly = {
+ 	.family		= NFPROTO_IPV4,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+@@ -91,7 +76,7 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_POST_ROUTING),
+ 	.hooks		= {
+ 		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv4,
+-		[NF_INET_LOCAL_OUT]	= nft_ipv4_output,
++		[NF_INET_LOCAL_OUT]	= nft_do_chain_ipv4,
+ 		[NF_INET_FORWARD]	= nft_do_chain_ipv4,
+ 		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv4,
+ 		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv4,
+--- a/net/ipv4/netfilter/nft_chain_route_ipv4.c
++++ b/net/ipv4/netfilter/nft_chain_route_ipv4.c
+@@ -33,11 +33,6 @@ static unsigned int nf_route_table_hook(
+ 	const struct iphdr *iph;
+ 	int err;
+ 
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct iphdr) ||
+-	    ip_hdrlen(skb) < sizeof(struct iphdr))
+-		return NF_ACCEPT;
+-
+ 	nft_set_pktinfo(&pkt, skb, state);
+ 	nft_set_pktinfo_ipv4(&pkt, skb);
+ 
+--- a/net/ipv6/netfilter/ip6table_mangle.c
++++ b/net/ipv6/netfilter/ip6table_mangle.c
+@@ -42,14 +42,6 @@ ip6t_mangle_out(struct sk_buff *skb, con
+ 	u_int8_t hop_limit;
+ 	u_int32_t flowlabel, mark;
+ 	int err;
+-#if 0
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct iphdr) ||
+-	    ip_hdrlen(skb) < sizeof(struct iphdr)) {
+-		net_warn_ratelimited("ip6t_hook: happy cracking\n");
+-		return NF_ACCEPT;
+-	}
+-#endif
+ 
+ 	/* save source/dest address, mark, hoplimit, flowlabel, priority,  */
+ 	memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
+--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+@@ -176,11 +176,6 @@ static unsigned int ipv6_conntrack_local
+ 					 struct sk_buff *skb,
+ 					 const struct nf_hook_state *state)
+ {
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct ipv6hdr)) {
+-		net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
+-		return NF_ACCEPT;
+-	}
+ 	return nf_conntrack_in(state->net, PF_INET6, state->hook, skb);
+ }
+ 
+--- a/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
++++ b/net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
+@@ -368,10 +368,6 @@ nf_nat_ipv6_out(void *priv, struct sk_bu
+ #endif
+ 	unsigned int ret;
+ 
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct ipv6hdr))
+-		return NF_ACCEPT;
+-
+ 	ret = nf_nat_ipv6_fn(priv, skb, state, do_chain);
+ #ifdef CONFIG_XFRM
+ 	if (ret != NF_DROP && ret != NF_STOLEN &&
+@@ -407,10 +403,6 @@ nf_nat_ipv6_local_fn(void *priv, struct
+ 	unsigned int ret;
+ 	int err;
+ 
+-	/* root is playing with raw sockets. */
+-	if (skb->len < sizeof(struct ipv6hdr))
+-		return NF_ACCEPT;
+-
+ 	ret = nf_nat_ipv6_fn(priv, skb, state, do_chain);
+ 	if (ret != NF_DROP && ret != NF_STOLEN &&
+ 	    (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
+--- a/net/ipv6/netfilter/nf_tables_ipv6.c
++++ b/net/ipv6/netfilter/nf_tables_ipv6.c
+@@ -28,20 +28,6 @@ static unsigned int nft_do_chain_ipv6(vo
+ 	return nft_do_chain(&pkt, priv);
+ }
+ 
+-static unsigned int nft_ipv6_output(void *priv,
+-				    struct sk_buff *skb,
+-				    const struct nf_hook_state *state)
+-{
+-	if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
+-		if (net_ratelimit())
+-			pr_info("nf_tables_ipv6: ignoring short SOCK_RAW "
+-				"packet\n");
+-		return NF_ACCEPT;
+-	}
+-
+-	return nft_do_chain_ipv6(priv, skb, state);
+-}
+-
+ static struct nft_af_info nft_af_ipv6 __read_mostly = {
+ 	.family		= NFPROTO_IPV6,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+@@ -88,7 +74,7 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_POST_ROUTING),
+ 	.hooks		= {
+ 		[NF_INET_LOCAL_IN]	= nft_do_chain_ipv6,
+-		[NF_INET_LOCAL_OUT]	= nft_ipv6_output,
++		[NF_INET_LOCAL_OUT]	= nft_do_chain_ipv6,
+ 		[NF_INET_FORWARD]	= nft_do_chain_ipv6,
+ 		[NF_INET_PRE_ROUTING]	= nft_do_chain_ipv6,
+ 		[NF_INET_POST_ROUTING]	= nft_do_chain_ipv6,
+--- a/net/netfilter/nf_tables_inet.c
++++ b/net/netfilter/nf_tables_inet.c
+@@ -38,38 +38,6 @@ static unsigned int nft_do_chain_inet(vo
+ 	return nft_do_chain(&pkt, priv);
+ }
+ 
+-static unsigned int nft_inet_output(void *priv, struct sk_buff *skb,
+-				    const struct nf_hook_state *state)
+-{
+-	struct nft_pktinfo pkt;
+-
+-	nft_set_pktinfo(&pkt, skb, state);
+-
+-	switch (state->pf) {
+-	case NFPROTO_IPV4:
+-		if (unlikely(skb->len < sizeof(struct iphdr) ||
+-			     ip_hdr(skb)->ihl < sizeof(struct iphdr) / 4)) {
+-			if (net_ratelimit())
+-				pr_info("ignoring short SOCK_RAW packet\n");
+-			return NF_ACCEPT;
+-		}
+-		nft_set_pktinfo_ipv4(&pkt, skb);
+-		break;
+-	case NFPROTO_IPV6:
+-	        if (unlikely(skb->len < sizeof(struct ipv6hdr))) {
+-			if (net_ratelimit())
+-				pr_info("ignoring short SOCK_RAW packet\n");
+-			return NF_ACCEPT;
+-		}
+-		nft_set_pktinfo_ipv6(&pkt, skb);
+-		break;
+-	default:
+-		break;
+-	}
+-
+-	return nft_do_chain(&pkt, priv);
+-}
+-
+ static struct nft_af_info nft_af_inet __read_mostly = {
+ 	.family		= NFPROTO_INET,
+ 	.nhooks		= NF_INET_NUMHOOKS,
+@@ -116,7 +84,7 @@ static const struct nf_chain_type filter
+ 			  (1 << NF_INET_POST_ROUTING),
+ 	.hooks		= {
+ 		[NF_INET_LOCAL_IN]	= nft_do_chain_inet,
+-		[NF_INET_LOCAL_OUT]	= nft_inet_output,
++		[NF_INET_LOCAL_OUT]	= nft_do_chain_inet,
+ 		[NF_INET_FORWARD]	= nft_do_chain_inet,
+ 		[NF_INET_PRE_ROUTING]	= nft_do_chain_inet,
+ 		[NF_INET_POST_ROUTING]	= nft_do_chain_inet,

target/linux/generic/backport-4.14/314-netfilter-meta-secpath-support.patch

@@ -0,0 +1,101 @@
+From: Florian Westphal <[email protected]>
+Date: Wed, 6 Dec 2017 16:18:16 +0100
+Subject: [PATCH] netfilter: meta: secpath support
+
+replacement for iptables "-m policy --dir in --policy {ipsec,none}".
+
+Signed-off-by: Florian Westphal <[email protected]>
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+---
+
+--- a/include/uapi/linux/netfilter/nf_tables.h
++++ b/include/uapi/linux/netfilter/nf_tables.h
+@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
+  * @NFT_META_OIFGROUP: packet output interface group
+  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
+  * @NFT_META_PRANDOM: a 32bit pseudo-random number
++ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
+  */
+ enum nft_meta_keys {
+ 	NFT_META_LEN,
+@@ -804,6 +805,7 @@ enum nft_meta_keys {
+ 	NFT_META_OIFGROUP,
+ 	NFT_META_CGROUP,
+ 	NFT_META_PRANDOM,
++	NFT_META_SECPATH,
+ };
+ 
+ /**
+--- a/net/netfilter/nft_meta.c
++++ b/net/netfilter/nft_meta.c
+@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_
+ 		*dest = prandom_u32_state(state);
+ 		break;
+ 	}
++#ifdef CONFIG_XFRM
++	case NFT_META_SECPATH:
++		nft_reg_store8(dest, !!skb->sp);
++		break;
++#endif
+ 	default:
+ 		WARN_ON(1);
+ 		goto err;
+@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_c
+ 		prandom_init_once(&nft_prandom_state);
+ 		len = sizeof(u32);
+ 		break;
++#ifdef CONFIG_XFRM
++	case NFT_META_SECPATH:
++		len = sizeof(u8);
++		break;
++#endif
+ 	default:
+ 		return -EOPNOTSUPP;
+ 	}
+@@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_c
+ }
+ EXPORT_SYMBOL_GPL(nft_meta_get_init);
+ 
++static int nft_meta_get_validate(const struct nft_ctx *ctx,
++				 const struct nft_expr *expr,
++				 const struct nft_data **data)
++{
++#ifdef CONFIG_XFRM
++	const struct nft_meta *priv = nft_expr_priv(expr);
++	unsigned int hooks;
++
++	if (priv->key != NFT_META_SECPATH)
++		return 0;
++
++	switch (ctx->afi->family) {
++	case NFPROTO_NETDEV:
++		hooks = 1 << NF_NETDEV_INGRESS;
++		break;
++	case NFPROTO_IPV4:
++	case NFPROTO_IPV6:
++	case NFPROTO_INET:
++		hooks = (1 << NF_INET_PRE_ROUTING) |
++			(1 << NF_INET_LOCAL_IN) |
++			(1 << NF_INET_FORWARD);
++		break;
++	default:
++		return -EOPNOTSUPP;
++	}
++
++	return nft_chain_validate_hooks(ctx->chain, hooks);
++#else
++	return 0;
++#endif
++}
++
+ int nft_meta_set_validate(const struct nft_ctx *ctx,
+ 			  const struct nft_expr *expr,
+ 			  const struct nft_data **data)
+@@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_met
+ 	.eval		= nft_meta_get_eval,
+ 	.init		= nft_meta_get_init,
+ 	.dump		= nft_meta_get_dump,
++	.validate	= nft_meta_get_validate,
+ };
+ 
+ static const struct nft_expr_ops nft_meta_set_ops = {

target/linux/generic/backport-4.14/315-netfilter-conntrack-move-nf_ct_netns_-get-put-to-cor.patch

@@ -0,0 +1,142 @@
+From: Pablo Neira Ayuso <[email protected]>
+Date: Fri, 3 Nov 2017 16:26:32 +0100
+Subject: [PATCH] netfilter: conntrack: move nf_ct_netns_{get,put}() to core
+
+So we can call this from other expression that need conntrack in place
+to work.
+
+Signed-off-by: Pablo Neira Ayuso <[email protected]>
+Acked-by: Florian Westphal <[email protected]>
+---
+
+--- a/net/netfilter/nf_conntrack_proto.c
++++ b/net/netfilter/nf_conntrack_proto.c
+@@ -125,7 +125,7 @@ void nf_ct_l3proto_module_put(unsigned s
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
+ 
+-int nf_ct_netns_get(struct net *net, u8 nfproto)
++static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
+ {
+ 	const struct nf_conntrack_l3proto *l3proto;
+ 	int ret;
+@@ -150,9 +150,33 @@ int nf_ct_netns_get(struct net *net, u8
+ 
+ 	return ret;
+ }
++
++int nf_ct_netns_get(struct net *net, u8 nfproto)
++{
++	int err;
++
++	if (nfproto == NFPROTO_INET) {
++		err = nf_ct_netns_do_get(net, NFPROTO_IPV4);
++		if (err < 0)
++			goto err1;
++		err = nf_ct_netns_do_get(net, NFPROTO_IPV6);
++		if (err < 0)
++			goto err2;
++	} else {
++		err = nf_ct_netns_do_get(net, nfproto);
++		if (err < 0)
++			goto err1;
++	}
++	return 0;
++
++err2:
++	nf_ct_netns_put(net, NFPROTO_IPV4);
++err1:
++	return err;
++}
+ EXPORT_SYMBOL_GPL(nf_ct_netns_get);
+ 
+-void nf_ct_netns_put(struct net *net, u8 nfproto)
++static void nf_ct_netns_do_put(struct net *net, u8 nfproto)
+ {
+ 	const struct nf_conntrack_l3proto *l3proto;
+ 
+@@ -171,6 +195,15 @@ void nf_ct_netns_put(struct net *net, u8
+ 
+ 	nf_ct_l3proto_module_put(nfproto);
+ }
++
++void nf_ct_netns_put(struct net *net, uint8_t nfproto)
++{
++	if (nfproto == NFPROTO_INET) {
++		nf_ct_netns_do_put(net, NFPROTO_IPV4);
++		nf_ct_netns_do_put(net, NFPROTO_IPV6);
++	} else
++		nf_ct_netns_do_put(net, nfproto);
++}
+ EXPORT_SYMBOL_GPL(nf_ct_netns_put);
+ 
+ const struct nf_conntrack_l4proto *
+--- a/net/netfilter/nft_ct.c
++++ b/net/netfilter/nft_ct.c
+@@ -312,39 +312,6 @@ static const struct nla_policy nft_ct_po
+ 	[NFTA_CT_SREG]		= { .type = NLA_U32 },
+ };
+ 
+-static int nft_ct_netns_get(struct net *net, uint8_t family)
+-{
+-	int err;
+-
+-	if (family == NFPROTO_INET) {
+-		err = nf_ct_netns_get(net, NFPROTO_IPV4);
+-		if (err < 0)
+-			goto err1;
+-		err = nf_ct_netns_get(net, NFPROTO_IPV6);
+-		if (err < 0)
+-			goto err2;
+-	} else {
+-		err = nf_ct_netns_get(net, family);
+-		if (err < 0)
+-			goto err1;
+-	}
+-	return 0;
+-
+-err2:
+-	nf_ct_netns_put(net, NFPROTO_IPV4);
+-err1:
+-	return err;
+-}
+-
+-static void nft_ct_netns_put(struct net *net, uint8_t family)
+-{
+-	if (family == NFPROTO_INET) {
+-		nf_ct_netns_put(net, NFPROTO_IPV4);
+-		nf_ct_netns_put(net, NFPROTO_IPV6);
+-	} else
+-		nf_ct_netns_put(net, family);
+-}
+-
+ #ifdef CONFIG_NF_CONNTRACK_ZONES
+ static void nft_ct_tmpl_put_pcpu(void)
+ {
+@@ -489,7 +456,7 @@ static int nft_ct_get_init(const struct
+ 	if (err < 0)
+ 		return err;
+ 
+-	err = nft_ct_netns_get(ctx->net, ctx->afi->family);
++	err = nf_ct_netns_get(ctx->net, ctx->afi->family);
+ 	if (err < 0)
+ 		return err;
+ 
+@@ -583,7 +550,7 @@ static int nft_ct_set_init(const struct
+ 	if (err < 0)
+ 		goto err1;
+ 
+-	err = nft_ct_netns_get(ctx->net, ctx->afi->family);
++	err = nf_ct_netns_get(ctx->net, ctx->afi->family);
+ 	if (err < 0)
+ 		goto err1;
+ 
+@@ -606,7 +573,7 @@ static void nft_ct_set_destroy(const str
+ 	struct nft_ct *priv = nft_expr_priv(expr);
+ 
+ 	__nft_ct_set_destroy(ctx, priv);
+-	nft_ct_netns_put(ctx->net, ctx->afi->family);
++	nf_ct_netns_put(ctx->net, ctx->afi->family);
+ }
+ 
+ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)