| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, the caching system is implemented in a two layer
architecture: hashtable (inner layer) and cache (upper layer).
This patch reworks the hash-cache infrastructure to solve some
initial design problems to make it more flexible, the main strong
points of this patch are:
* Memory handling is done in the cache layer, not in the inner
hashtable layer. This removes one of the main dependencies between
the hashtable and the cache classes.
* Remove excessive encapsulation: the former cache used to hide a
lot of details of the inner hashtable implementation.
* Fix over-hashing of some operations: lookup-delete-add required
three hash calculations. Similarly, the update-or-add operation
required two hash calculations. Now, we calculate the hash once
and re-use the value how many times as we need.
This patch simplifies the caching system. As a result, we save ~130
lines of code. Small code means and less complexity means less
chance to have bugs.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch adds the prefix ct_filter_ to the hash and compare
functions. This is useful to disambiguate when interpreting the
oprofile reports. Note that without this patch there are two
functions called hash and compare in the source tree.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
This patch constifies the hashtable parameter that is passed to the
hash callbacks registered when the hashtable is created.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch fixes a bug that may result in wrong filtering of
destroy events which usually don't contain the state information.
In that case, skip the filtering.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
This patch renames the function hashtable_test() by
hashtable_find() which is a better name IMO to describe this
function.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
This patch is a cleanup. It moves the callbacks from netlink.c to
run.c where they are actually invoked. This is better for code
readability as I usually have to switch from run.c to netlink.c
to remember what the callbacks actually do.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
|
| |
This patch adds CIDR-based filtering support. The current
implementation is O(n).
This patch also introduces the vector data type which is
used to store the IP address and the network mask.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
|
| |
If the logic is set to -1, this means that we do not perform any
filtering for this sort of network address. Therefore, we don't
need to re-check if there is any filter later. This patch also
inlines the check functions.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Since an IPv6 address can be seen as an array of uint32_t. Use
the optimized jhash2() function instead of the generic jhash().
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
| |
use XOR instead of branches in ct_filter_check.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
|
| |
With this patch, we rely on the real source and destination of the
packet to perform the filter. The current NAT detection tweak is broken
for certain situations.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
|
|
| |
Skip user-space the protocol state filter if the protocol state is not
present in the event message.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
|
This patch reworks the user-space filtering. Although we have
kernel-space filtering since Linux kernel >= 2.6.26, we keep userspace
filtering to ensure backward compatibility. Moreover, this patch
prepares the implementation of the kernel-space filtering via
libnetfilter_conntrack's high-level berkeley socket filter API.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|