summaryrefslogtreecommitdiffstats
path: root/kernel/include/linux/netfilter
Commit message (Collapse)AuthorAgeFilesLines
...
* Backport patch: netfilter: ipset: Convert timers to use timer_setup()Jozsef Kadlecsik2018-01-031-0/+15
|
* Backport patch: sctp: remove the typedef sctp_sctphdr_tJozsef Kadlecsik2017-09-111-0/+1
|
* Backport patch: netfilter: nfnetlink: extended ACK reportingJozsef Kadlecsik2017-09-111-5/+9
|
* Backport patch: netlink: pass extended ACK struct to parsing functionsJozsef Kadlecsik2017-09-111-0/+9
|
* Backport patch netlink: extended ACK reportingJozsef Kadlecsik2017-09-111-0/+7
|
* Backport nfnl_msg_type()Jozsef Kadlecsik2017-09-111-0/+8
|
* Compatibility: handle changes in 4.10 kernel treeJozsef Kadlecsik2017-03-231-1/+18
| | | | | Handle changes in struct xt_action_param and the new xt_family(), xt_net() interfaces (reported by Jan Engelhardt).
* Correct copyright ownerJozsef Kadlecsik2016-11-102-2/+2
| | | | | | | The functions was not introduced by Sergey Popovich, he proposed only separating them into individual extension header files. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix the nla_put_net64() API changes backportJozsef Kadlecsik2016-10-141-2/+2
| | | | | | | We must call nla_put_net64() because ipset uses net order in the netlink communication. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: x_tables: Use par->net instead of computing from the passed net ↵Eric W. Biederman2016-10-131-0/+6
| | | | | | | | | | devices Backported from kernel tree. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: x_tables: Pass struct net in xt_action_paramEric W. Biederman2016-10-111-0/+1
| | | | | | | | | | | As xt_action_param lives on the stack this does not bloat any persistent data structures. This is a first step in making netfilter code that needs to know which network namespace it is executing in simpler. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* net: sched: fix skb->protocol use in case of accelerated vlan pathJiri Pirko2016-10-111-0/+11
| | | | | | | | | | | | | | tc code implicitly considers skb->protocol even in case of accelerated vlan paths and expects vlan protocol type here. However, on rx path, if the vlan header was already stripped, skb->protocol contains value of next header. Similar situation is on tx path. So for skbs that use skb->vlan_tci for tagging, use skb->vlan_proto instead. Reported-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* ipset: Backports for the nla_put_net64() API changesNeutron Soutmun2016-06-283-7/+17
| | | | | | | | | | | | | | | | | | | * Backports the patch "libnl: nla_put_net64():align on a 64-bit area" [1] by Nicolas Dichtel <nicolas.dichtel@6wind.com> * Since the nla_put_net64() API has been changed, therefore, the ip_set_compat.h.in should provides the macro IPSET_NLA_PUT_NET64 that point to the nla_put_net64() with appropriate number of arguments. The build script should distinguish the API changes by detect for the existence of nla_put_64bit() function in include/net/netlink.h. This function was added in the same patches set and called by the nla_put_be64() that called by nla_put_net64() respectively. [1] https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit?id=e9bbe898cbe89b17ad3993c136aa13d0431cd537 Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: fix race condition in ipset save, swap and deleteVishwanath Pai2016-03-161-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This fix adds a new reference counter (ref_netlink) for the struct ip_set. The other reference counter (ref) can be swapped out by ip_set_swap and we need a separate counter to keep track of references for netlink events like dump. Using the same ref counter for dump causes a race condition which can be demonstrated by the following script: ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \ counters ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \ counters ipset save & ipset swap hash_ip3 hash_ip2 ipset destroy hash_ip3 /* will crash the machine */ Swap will exchange the values of ref so destroy will see ref = 0 instead of ref = 1. With this fix in place swap will not succeed because ipset save still has ref_netlink on the set (ip_set_swap doesn't swap ref_netlink). Both delete and swap will error out if ref_netlink != 0 on the set. Note: The changes to *_head functions is because previously we would increment ref whenever we called these functions, we don't do that anymore. Reviewed-by: Joshua Hunt <johunt@akamai.com> Signed-off-by: Vishwanath Pai <vpai@akamai.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Fix __aligned_u64 compatibility support for older kernel releasesJozsef Kadlecsik2016-02-291-4/+0
| | | | The issue was reported by Mart Frauenlob.
* Add compatibility to support EXPORT_SYMBOL_GPL in module.hJozsef Kadlecsik2016-02-241-0/+5
| | | | Fixes netfilter bugzilla id #1008
* netfilter: nfnetlink: pass down netns pointer to call() and call_rcu()Jozsef Kadlecsik2016-02-161-0/+9
| | | | Backport patch from Pablo Neira Ayuso <pablo@netfilter.org>
* Fix extension alignmentJozsef Kadlecsik2015-11-071-1/+1
| | | | | | | | | | | | | The data extensions in ipset lacked the proper memory alignment and thus could lead to kernel crash on several architectures. Therefore the structures have been reorganized and alignment attributes added where needed. The patch was tested on armv7h by Gerhard Wiesinger and on x86_64, sparc64 by Jozsef Kadlecsik. Reported-by: Gerhard Wiesinger <lists@wiesinger.com> Tested-by: Gerhard Wiesinger <lists@wiesinger.com> Tested-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Compatibility: include linux/export.h when neededJozsef Kadlecsik2015-10-281-21/+28
|
* Compatibility: make sure vmalloc.h is included for kvfree()Jozsef Kadlecsik2015-10-261-0/+1
|
* Protect definition of RCU_INIT_POINTER in compatibility header fileJozsef Kadlecsik2015-10-191-0/+4
| | | | | Nikolay Borisov reported that in 3.12.47 RCU_INIT_POINTER is redefined in ip_set_compat.h.in due to not protecting it individually.
* Count non-static extension memory into the set memory size for userspaceJozsef Kadlecsik2015-06-262-4/+11
| | | | | | | | Non-static (i.e. comment) extension was not counted into the memory size. A new internal counter is introduced for this. In the case of the hash types the sizes of the arrays are counted there as well so that we can avoid to scan the whole set when just the header data is requested.
* Add element count to all set types headerJozsef Kadlecsik2015-06-252-1/+3
| | | | | | It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types.
* netlink: implement nla_put_in_addr and nla_put_in6_addrJiri Benc2015-06-132-3/+17
| | | | | | | | | | | | | | | | IP addresses are often stored in netlink attributes. Add generic functions to do that. For nla_put_in_addr, it would be nicer to pass struct in_addr but this is not used universally throughout the kernel, in way too many places __be32 is used to store IPv4 address. Signed-off-by: Jiri Benc <jbenc@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Compatibility part added. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: deinline ip_set_put_extensions()Denys Vlasenko2015-06-131-23/+2
| | | | | | | | | | | | | | | | | | | | | | n x86 allyesconfig build: The function compiles to 489 bytes of machine code. It has 25 callsites. text data bss dec hex filename 82441375 22255384 20627456 125324215 7784bb7 vmlinux.before 82434909 22255384 20627456 125317749 7783275 vmlinux Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com> CC: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> CC: Eric W. Biederman <ebiederm@xmission.com> CC: David S. Miller <davem@davemloft.net> CC: Jan Engelhardt <jengelh@medozas.de> CC: Jiri Pirko <jpirko@redhat.com> CC: linux-kernel@vger.kernel.org CC: netdev@vger.kernel.org CC: netfilter-devel@vger.kernel.org Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Split extensions into separate filesJozsef Kadlecsik2015-05-064-92/+122
| | | | | | | Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Improve comment extension helpersJozsef Kadlecsik2015-05-061-1/+1
| | | | | | | | | Allocate memory with kmalloc() rather than kzalloc(). Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Improve skbinfo get/init helpersJozsef Kadlecsik2015-05-051-19/+11
| | | | | | | | | | | Use struct ip_set_skbinfo in struct ip_set_ext instead of open coded fields and assign structure members in get/init helpers instead of copying members one by one. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Headers file cleanupJozsef Kadlecsik2015-05-053-31/+31
| | | | | | | | | | Remove extra whitespace, group counter helper together. Mark some of the helpers arguments as const. Ported from a patch proposed by Sergey Popovich <popovich_sergei@mail.ua>. Suggested-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: bridge: add helpers for fetching physin/outdevpabloFlorian Westphal2015-04-271-0/+17
| | | | | | | | | | | | | | | | right now we store this in the nf_bridge_info struct, accessible via skb->nf_bridge. This patch prepares removal of this pointer from skb: Instead of using skb->nf_bridge->x, we use helpers to obtain the in/out device (or ifindexes). Followup patches to netfilter will then allow nf_bridge_info to be obtained by a call into the br_netfilter core, rather than keeping a pointer to it in sk_buff. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* In comment extension ip_set_comment_free() is always called in a safe pathJozsef Kadlecsik2015-04-261-1/+11
|
* Fix coding styles reported by the most recent checkpatch.pl.Jozsef Kadlecsik2015-04-171-0/+5
|
* RCU safe comment extension handlingJozsef Kadlecsik2015-03-292-12/+23
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* netfilter: ipset: Fix ext_*() macrosSergey Popovich2015-03-231-4/+4
| | | | | | | | | So pointers returned by these macros could be referenced with -> directly. Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
* Make sure bit operations are not reorderedJozsef Kadlecsik2015-03-191-0/+5
| | | | | Sergey Popovich pointed out that {set,clear}_bit() operations must be protected against instruction reordering.
* Fix cidr handling for hash:*net* typesJozsef Kadlecsik2015-03-131-2/+0
| | | | | | | | Commit 092d67cda9ad4 broke the cidr handling for the hash:*net* types when the sets were used by the SET target: entries with invalid cidr values were added to the sets. Reported by Jonathan Johnson. Testsuite entry is added to verify the fix.
* More compatibility checking and simplificationsJozsef Kadlecsik2015-01-062-8/+49
| | | | | Try hard to keep the support of the 2.6.32 kernel tree and simplify the code with self-referential macros.
* Compatibility: define RCU_INIT_POINTER when __rcu is not definedJozsef Kadlecsik2015-01-061-1/+6
|
* Compatibility: check kernel source for list_last_entryJozsef Kadlecsik2015-01-061-0/+6
| | | | list_last_entry is missing on CentOS7, reported by Ricardo Klein.
* Remove an unused macroJozsef Kadlecsik2014-12-101-4/+0
|
* Use MSEC_PER_SEC consistentlyJozsef Kadlecsik2014-12-011-2/+2
|
* Remove unnecessary integer RCU handling and fix sparse warningsJozsef Kadlecsik2014-11-273-82/+41
|
* Fix parallel resizing and listing of the same setJozsef Kadlecsik2014-11-181-5/+8
| | | | | | | | When elements added to a hash:* type of set and resizing triggered, parallel listing could start to list the original set (before resizing) and "continue" with listing the new set. Fix it by references and using the original hash table for listing. Therefore the destroying the original hash table may happen from the resizing or listing functions.
* styles warned by checkpatch.pl fixedJozsef Kadlecsik2014-11-181-4/+5
|
* Introduce RCU in all set types instead of rwlock per setJozsef Kadlecsik2014-11-182-35/+86
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Performance is tested by Jesper Dangaard Brouer: Simple drop in FORWARD ~~~~~~~~~~~~~~~~~~~~~~ Dropping via simple iptables net-mask match:: iptables -t raw -N simple || iptables -t raw -F simple iptables -t raw -I simple -s 198.18.0.0/15 -j DROP iptables -t raw -D PREROUTING -j simple iptables -t raw -I PREROUTING -j simple Drop performance in "raw": 11.3Mpps Generator: sending 12.2Mpps (tx:12264083 pps) Drop via original ipset in RAW table ~~~~~~~~~~~~~~~~~~~~~~~~~~~ Create a set with lots of elements:: sudo ./ipset destroy test echo "create test hash:ip hashsize 65536" > test.set for x in `seq 0 255`; do for y in `seq 0 255`; do echo "add test 198.18.$x.$y" >> test.set done done sudo ./ipset restore < test.set Dropping via ipset:: iptables -t raw -F iptables -t raw -N net198 || iptables -t raw -F net198 iptables -t raw -I net198 -m set --match-set test src -j DROP iptables -t raw -I PREROUTING -j net198 Drop performance in "raw" with ipset: 8Mpps Perf report numbers ipset drop in "raw":: + 24.65% ksoftirqd/1 [ip_set] [k] ip_set_test - 21.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_lock_bh - _raw_read_lock_bh + 99.88% ip_set_test - 19.42% ksoftirqd/1 [kernel.kallsyms] [k] _raw_read_unlock_bh - _raw_read_unlock_bh + 99.72% ip_set_test + 4.31% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_kadt + 2.27% ksoftirqd/1 [ixgbe] [k] ixgbe_fetch_rx_buffer + 2.18% ksoftirqd/1 [ip_tables] [k] ipt_do_table + 1.81% ksoftirqd/1 [ip_set_hash_ip] [k] hash_ip4_test + 1.61% ksoftirqd/1 [kernel.kallsyms] [k] __netif_receive_skb_core + 1.44% ksoftirqd/1 [kernel.kallsyms] [k] build_skb + 1.42% ksoftirqd/1 [kernel.kallsyms] [k] ip_rcv + 1.36% ksoftirqd/1 [kernel.kallsyms] [k] __local_bh_enable_ip + 1.16% ksoftirqd/1 [kernel.kallsyms] [k] dev_gro_receive + 1.09% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_unlock + 0.96% ksoftirqd/1 [ixgbe] [k] ixgbe_clean_rx_irq + 0.95% ksoftirqd/1 [kernel.kallsyms] [k] __netdev_alloc_frag + 0.88% ksoftirqd/1 [kernel.kallsyms] [k] kmem_cache_alloc + 0.87% ksoftirqd/1 [xt_set] [k] set_match_v3 + 0.85% ksoftirqd/1 [kernel.kallsyms] [k] inet_gro_receive + 0.83% ksoftirqd/1 [kernel.kallsyms] [k] nf_iterate + 0.76% ksoftirqd/1 [kernel.kallsyms] [k] put_compound_page + 0.75% ksoftirqd/1 [kernel.kallsyms] [k] __rcu_read_lock Drop via ipset in RAW table with RCU-locking ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ With RCU locking, the RW-lock is gone. Drop performance in "raw" with ipset with RCU-locking: 11.3Mpps Performance-tested-by: Jesper Dangaard Brouer <brouer@redhat.com>
* Add more compatibility checkings to support older kernel releasesJozsef Kadlecsik2014-11-181-1/+3
|
* Kernel API changes in em_ipset.c, support both old and new onesJozsef Kadlecsik2014-11-031-0/+2
|
* net: use the new API kvfree()WANG Cong2014-11-031-0/+11
| | | | | | | | | It is available since v3.15-rc5. Cc: Pablo Neira Ayuso <pablo@netfilter.org> Cc: "David S. Miller" <davem@davemloft.net> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Use IS_ENABLED macro and define it if requiredJozsef Kadlecsik2014-11-031-0/+11
|
* skbinfo extension: send nonzero extension elements only to userspaceJozsef Kadlecsik2014-09-151-7/+11
|