<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/include/net/netfilter/ipv4, branch v3.14</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v3.14</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v3.14'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2014-01-06T18:29:30Z</updated>
<entry>
<title>Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftables</title>
<updated>2014-01-06T18:29:30Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2014-01-06T18:29:30Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=9aa28f2b71055d5ae17a2e1daee359d4174bb13e'/>
<id>urn:sha1:9aa28f2b71055d5ae17a2e1daee359d4174bb13e</id>
<content type='text'>
Pablo Neira Ayuso says: &lt;pablo@netfilter.org&gt;

====================
nftables updates for net-next

The following patchset contains nftables updates for your net-next tree,
they are:

* Add set operation to the meta expression by means of the select_ops()
  infrastructure, this allows us to set the packet mark among other things.
  From Arturo Borrero Gonzalez.

* Fix wrong format in sscanf in nf_tables_set_alloc_name(), from Daniel
  Borkmann.

* Add new queue expression to nf_tables. This comes with two previous patches
  to prepare this new feature, one to add mask in nf_tables_core to
  evaluate the queue verdict appropriately and another to refactor common
  code with xt_NFQUEUE, from Eric Leblond.

* Do not hide nftables from Kconfig if nfnetlink is not enabled, also from
  Eric Leblond.

* Add the reject expression to nf_tables, this adds the missing TCP RST
  support. It comes with an initial patch to refactor common code with
  xt_NFQUEUE, again from Eric Leblond.

* Remove an unused variable assignment in nf_tables_dump_set(), from Michal
  Nazarewicz.

* Remove the nft_meta_target code, now that Arturo added the set operation
  to the meta expression, from me.

* Add help information for nf_tables to Kconfig, also from me.

* Allow to dump all sets by specifying NFPROTO_UNSPEC, similar feature is
  available to other nf_tables objects, requested by Arturo, from me.

* Expose the table usage counter, so we can know how many chains are using
  this table without dumping the list of chains, from Tomasz Bursztyka.
====================

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: remove dead code</title>
<updated>2014-01-03T22:41:37Z</updated>
<author>
<name>stephen hemminger</name>
<email>stephen@networkplumber.org</email>
</author>
<published>2013-12-31T01:16:08Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=dcd93ed4cd1669b2c1510e801fe5f1132390761c'/>
<id>urn:sha1:dcd93ed4cd1669b2c1510e801fe5f1132390761c</id>
<content type='text'>
The following code is not used in current upstream code.
Some of this seems to be old hooks, others might be used by some
out of tree module (which I don't care about breaking), and
the need_ipv4_conntrack was used by old NAT code but no longer
called.

Signed-off-by: Stephen Hemminger &lt;stephen@networkplumber.org&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: REJECT: separate reusable code</title>
<updated>2013-12-30T14:04:41Z</updated>
<author>
<name>Eric Leblond</name>
<email>eric@regit.org</email>
</author>
<published>2013-12-29T11:28:13Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=cc70d069e2b9cece683206c0f6a1d1484414e577'/>
<id>urn:sha1:cc70d069e2b9cece683206c0f6a1d1484414e577</id>
<content type='text'>
This patch prepares the addition of TCP reset support in
the nft_reject module by moving reusable code into a header
file.

Signed-off-by: Eric Leblond &lt;eric@regit.org&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: Remove extern from function prototypes</title>
<updated>2013-09-23T20:29:42Z</updated>
<author>
<name>Joe Perches</name>
<email>joe@perches.com</email>
</author>
<published>2013-09-23T18:37:48Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=4e77be4637641c92468dd5de39cba774bed7d6ba'/>
<id>urn:sha1:4e77be4637641c92468dd5de39cba774bed7d6ba</id>
<content type='text'>
There is a mix of function prototypes with and without extern
in the kernel sources.  Standardize on not using extern for
function prototypes.

Function prototypes don't need to be written with extern.
extern is assumed by the compiler.  Its use is as unnecessary as
using auto to declare automatic/local variables in a block.

Signed-off-by: Joe Perches &lt;joe@perches.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_ct_icmp: keep the ICMP ct entries longer</title>
<updated>2009-06-08T13:53:43Z</updated>
<author>
<name>Jan Kasprzak</name>
<email>kas@fi.muni.cz</email>
</author>
<published>2009-06-08T13:53:43Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f87fb666bb00a7afcbd7992d236e42ac544996f9'/>
<id>urn:sha1:f87fb666bb00a7afcbd7992d236e42ac544996f9</id>
<content type='text'>
Current conntrack code kills the ICMP conntrack entry as soon as
the first reply is received. This is incorrect, as we then see only
the first ICMP echo reply out of several possible duplicates as
ESTABLISHED, while the rest will be INVALID. Also this unnecessarily
increases the conntrackd traffic on H-A firewalls.

Make all the ICMP conntrack entries (including the replied ones)
last for the default of nf_conntrack_icmp{,v6}_timeout seconds.

Signed-off-by: Jan "Yenya" Kasprzak &lt;kas@fi.muni.cz&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>netfilter: split netfilter IPv4 defragmentation into a separate module</title>
<updated>2008-10-08T09:35:12Z</updated>
<author>
<name>KOVACS Krisztian</name>
<email>hidden@sch.bme.hu</email>
</author>
<published>2008-10-08T09:35:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=73e4022f78acdbe420e8c24a7afbd90f4c8f5077'/>
<id>urn:sha1:73e4022f78acdbe420e8c24a7afbd90f4c8f5077</id>
<content type='text'>
Netfilter connection tracking requires all IPv4 packets to be defragmented.
Both the socket match and the TPROXY target depend on this functionality, so
this patch separates the Netfilter IPv4 defrag hooks into a separate module.

Signed-off-by: KOVACS Krisztian &lt;hidden@sch.bme.hu&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: remove unnecessary function declaration</title>
<updated>2008-06-09T23:00:22Z</updated>
<author>
<name>Rami Rosen</name>
<email>ramirose@gmail.com</email>
</author>
<published>2008-06-09T23:00:22Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=7bcd978e8cf2a1a9502d454cd2f80f9834e82610'/>
<id>urn:sha1:7bcd978e8cf2a1a9502d454cd2f80f9834e82610</id>
<content type='text'>
This patch removes nf_ct_ipv4_ct_gather_frags() method declaration from
include/net/netfilter/ipv4/nf_conntrack_ipv4.h, since it is unused in
the Linux kernel.

Signed-off-by: Rami Rosen &lt;ramirose@gmail.com&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_nat: add symbolic dependency on IPv4 conntrack</title>
<updated>2007-08-08T01:12:01Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-08-08T01:12:01Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=591e620693e71e24fb3450a4084217e44b7a60b6'/>
<id>urn:sha1:591e620693e71e24fb3450a4084217e44b7a60b6</id>
<content type='text'>
Loading nf_nat causes the conntrack core to be loaded, but we need IPv4 as
well.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_conntrack: mark protocols __read_mostly</title>
<updated>2007-07-15T03:48:19Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2007-07-15T03:48:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=61075af51f252913401c41fbe94075b46c94e9f1'/>
<id>urn:sha1:61075af51f252913401c41fbe94075b46c94e9f1</id>
<content type='text'>
Also remove two unnecessary EXPORT_SYMBOLs and move the
nf_conntrack_l3proto_ipv4 declaration to the correct file.

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>[NETFILTER]: nf_nat: move NAT declarations from nf_conntrack_ipv4.h to nf_nat.h</title>
<updated>2007-07-11T05:17:16Z</updated>
<author>
<name>Yasuyuki Kozakai</name>
<email>yasuyuki.kozakai@toshiba.co.jp</email>
</author>
<published>2007-07-08T05:22:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=4ba887790ce2015e8c464809c0be902fb813ad15'/>
<id>urn:sha1:4ba887790ce2015e8c464809c0be902fb813ad15</id>
<content type='text'>
Signed-off-by: Yasuyuki Kozakai &lt;yasuyuki.kozakai@toshiba.co.jp&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
