<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/include/net/netfilter, branch v2.6.36</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/</subtitle>
<id>https://git.shady.money/linux/atom?h=v2.6.36</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v2.6.36'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2010-08-02T15:20:54Z</updated>
<entry>
<title>netfilter: nf_nat: make unique_tuple return void</title>
<updated>2010-08-02T15:20:54Z</updated>
<author>
<name>Changli Gao</name>
<email>xiaosuo@gmail.com</email>
</author>
<published>2010-08-02T15:20:54Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f43dc98b3be36551143e3bbaf1bb3067835c24f4'/>
<id>urn:sha1:f43dc98b3be36551143e3bbaf1bb3067835c24f4</id>
<content type='text'>
The only user of unique_tuple(), get_unique_tuple(), doesn't care about the
return value of unique_tuple(), so make unique_tuple() return void (nothing).

Signed-off-by: Changli Gao &lt;xiaosuo@gmail.com&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack_extend: introduce __nf_ct_ext_exist()</title>
<updated>2010-08-02T15:06:19Z</updated>
<author>
<name>Changli Gao</name>
<email>xiaosuo@gmail.com</email>
</author>
<published>2010-08-02T15:06:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=ee92d37861a90b8f14fa621ae5abcfb29a89aaa9'/>
<id>urn:sha1:ee92d37861a90b8f14fa621ae5abcfb29a89aaa9</id>
<content type='text'>
Some users of nf_ct_ext_exist() know ct-&gt;ext isn't NULL. For these users, the
check for ct-&gt;ext isn't necessary; the function __nf_ct_ext_exist() can be
used instead.

The type of the return value of nf_ct_ext_exist() is changed to bool.

Signed-off-by: Changli Gao &lt;xiaosuo@gmail.com&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>nfnetlink_log: do not expose NFULNL_COPY_DISABLED to user-space</title>
<updated>2010-07-15T09:27:41Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2010-07-15T09:27:41Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=cca5cf91c789f3301cc2541a79c323c53be5a8e1'/>
<id>urn:sha1:cca5cf91c789f3301cc2541a79c323c53be5a8e1</id>
<content type='text'>
This patch moves NFULNL_COPY_PACKET definition from
linux/netfilter/nfnetlink_log.h to net/netfilter/nfnetlink_log.h
since this copy mode is only for internal use.

I have also changed the value from 0x03 to 0xff. Thus, we avoid
a gap from user-space that may confuse users if we add new
copy modes in the future.

This change was introduced in:
http://www.spinics.net/lists/netfilter-devel/msg13535.html

Since this change is not included in any stable Linux kernel,
I think it's safe to make this change now. Anyway, this copy
mode does not make any sense from user-space, so this patch
should not break any existing setup.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>netfilter: xt_connbytes: Force CT accounting to be enabled</title>
<updated>2010-06-25T12:44:07Z</updated>
<author>
<name>Tim Gardner</name>
<email>tim.gardner@canonical.com</email>
</author>
<published>2010-06-25T12:44:07Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=a8756201ba4189bca3ee1a6ec4e290f467ee09ab'/>
<id>urn:sha1:a8756201ba4189bca3ee1a6ec4e290f467ee09ab</id>
<content type='text'>
Check at rule install time that CT accounting is enabled. Force it
to be enabled if not while also emitting a warning since this is not
the default state.

This is in preparation for deprecating CONFIG_NF_CT_ACCT upon which
CONFIG_NETFILTER_XT_MATCH_CONNBYTES depended being set.

Added 2 CT accounting support functions:

nf_ct_acct_enabled() - Get CT accounting state.
nf_ct_set_acct() - Enable/disable CT accounting.

Signed-off-by: Tim Gardner &lt;tim.gardner@canonical.com&gt;
Acked-by: Jan Engelhardt &lt;jengelh@medozas.de&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_nat: support user-specified SNAT rules in LOCAL_IN</title>
<updated>2010-06-17T04:12:26Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2010-06-17T04:12:26Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=c68cd6cc21eb329c47ff020ff7412bf58176984e'/>
<id>urn:sha1:c68cd6cc21eb329c47ff020ff7412bf58176984e</id>
<content type='text'>
2.6.34 introduced 'conntrack zones' to deal with cases where packets
from multiple identical networks are handled by conntrack/NAT. Packets
are looped through veth devices, during which they are NATed to private
addresses, after which they can continue normally through the stack
and possibly have NAT rules applied a second time.

This works well, but is needlessly complicated for cases where only
a single SNAT/DNAT mapping needs to be applied to these packets. In that
case, all that needs to be done is to assign each network to a separate
zone and perform NAT as usual. However, this doesn't work for packets
destined for the machine performing NAT itself since it's currently not
possible to configure SNAT mappings for the LOCAL_IN chain.

This patch adds a new INPUT chain to the NAT table and changes the
targets performing SNAT to be usable in that chain.

Example usage with two identical networks (192.168.0.0/24) on eth0/eth1:

iptables -t raw -A PREROUTING -i eth0 -j CT --zone 1
iptables -t raw -A PREROUTING -i eth0 -j MARK --set-mark 1
iptables -t raw -A PREROUTING -i eth1 -j CT --zone 2
iptables -t raw -A PREROUTING -i eth1 -j MARK --set-mark 2

iptables -t nat -A INPUT       -m mark --mark 1 -j NETMAP --to 10.0.0.0/24
iptables -t nat -A POSTROUTING -m mark --mark 1 -j NETMAP --to 10.0.0.0/24
iptables -t nat -A INPUT       -m mark --mark 2 -j NETMAP --to 10.0.1.0/24
iptables -t nat -A POSTROUTING -m mark --mark 2 -j NETMAP --to 10.0.1.0/24

iptables -t raw -A PREROUTING -d 10.0.0.0/24 -j CT --zone 1
iptables -t raw -A OUTPUT     -d 10.0.0.0/24 -j CT --zone 1
iptables -t raw -A PREROUTING -d 10.0.1.0/24 -j CT --zone 2
iptables -t raw -A OUTPUT     -d 10.0.1.0/24 -j CT --zone 2

iptables -t nat -A PREROUTING -d 10.0.0.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A OUTPUT     -d 10.0.0.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A PREROUTING -d 10.0.1.0/24 -j NETMAP --to 192.168.0.0/24
iptables -t nat -A OUTPUT     -d 10.0.1.0/24 -j NETMAP --to 192.168.0.0/24

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>Merge branch 'master' of /repos/git/net-next-2.6</title>
<updated>2010-06-15T15:31:06Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2010-06-15T15:31:06Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f9181f4ffc71d7b7dd1906c9a11d51d6659220ae'/>
<id>urn:sha1:f9181f4ffc71d7b7dd1906c9a11d51d6659220ae</id>
<content type='text'>
Conflicts:
	include/net/netfilter/xt_rateest.h
	net/bridge/br_netfilter.c
	net/netfilter/nf_conntrack_core.c

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>pkt_sched: gen_kill_estimator() rcu fixes</title>
<updated>2010-06-12T01:37:08Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-06-09T02:09:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=c7de2cf053420d63bac85133469c965d4b1083e1'/>
<id>urn:sha1:c7de2cf053420d63bac85133469c965d4b1083e1</id>
<content type='text'>
The gen_kill_estimator() API is incomplete or not well documented, since
the caller should make sure an RCU grace period is respected before
freeing stats_lock.

This was partially addressed in commit 5d944c640b4
(gen_estimator: deadlock fix), but the same problem exists for all
gen_kill_estimator() users if the lock they use is not already RCU
protected.

A code review shows xt_RATEEST.c, act_api.c, act_police.c have this
problem. Others are ok because they use the qdisc lock, already RCU
protected.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: per_cpu untracking</title>
<updated>2010-06-09T12:43:38Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-06-09T12:43:38Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=b3c5163fe0193a74016dba1bb22491e0d1e9aaa4'/>
<id>urn:sha1:b3c5163fe0193a74016dba1bb22491e0d1e9aaa4</id>
<content type='text'>
NOTRACK makes all cpus share a cache line on nf_conntrack_untracked
twice per packet, slowing down performance.

This patch converts it to a per_cpu variable.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_conntrack: IPS_UNTRACKED bit</title>
<updated>2010-06-08T14:09:52Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-06-08T14:09:52Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=5bfddbd46a95c978f4d3c992339cbdf4f4b790a3'/>
<id>urn:sha1:5bfddbd46a95c978f4d3c992339cbdf4f4b790a3</id>
<content type='text'>
NOTRACK makes all cpus share a cache line on nf_conntrack_untracked
twice per packet. This is bad for performance.
__read_mostly annotation is also a bad choice.

This patch introduces IPS_UNTRACKED bit so that we can use later a
per_cpu untrack structure more easily.

A new helper, nf_ct_untracked_get() returns a pointer to
nf_conntrack_untracked.

Another one, nf_ct_untracked_status_or() is used by nf_nat_init() to add
IPS_NAT_DONE_MASK bits to untracked status.

nf_ct_is_untracked() prototype is changed to work on a nf_conn pointer.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
<entry>
<title>netfilter: xt_rateest: Better struct xt_rateest layout</title>
<updated>2010-06-08T12:11:19Z</updated>
<author>
<name>Eric Dumazet</name>
<email>eric.dumazet@gmail.com</email>
</author>
<published>2010-06-08T12:11:19Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=339bb99e4a8ba1f8960eed21d50be808b35ad22a'/>
<id>urn:sha1:339bb99e4a8ba1f8960eed21d50be808b35ad22a</id>
<content type='text'>
We currently dirty two cache lines in struct xt_rateest, this hurts SMP
performance.

This patch moves lock/bstats/rstats at beginning of structure so that
they share a single cache line.

Signed-off-by: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
</content>
</entry>
</feed>
