Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v4.5 2016-01-20T13:15:31Z 2016-01-20T13:15:31Z Sasha Levin sasha.levin@oracle.com 2016-01-19T00:23:51Z urn:sha1:b16c29191dc89bd877af99a7b04ce4866728a3e0 When we need to lock all buckets in the connection hashtable we'd attempt to lock 1024 spinlocks, which is way more preemption levels than supported by the kernel. Furthermore, this behavior was hidden by checking if lockdep is enabled, and if it was - use only 8 buckets(!). Fix this by using a global lock and synchronize all buckets on it when we need to lock them all. This is pretty heavyweight, but is only done when we need to resize the hashtable, and that doesn't happen often enough (or at all). Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Acked-by: Jesper Dangaard Brouer <brouer@redhat.com> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-01-08T12:25:08Z Carlos Falgueras García carlosfg@riseup.net 2016-01-05T13:03:32Z urn:sha1:e6d8ecac9e68265aee9be711c5bd29406129666f User data is stored at after 'nft_set_ops' private data into 'data[]' flexible array. The field 'udata' points to user data and 'udlen' stores its length. Add new flag NFTA_SET_USERDATA. Signed-off-by: Carlos Falgueras García <carlosfg@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-01-03T20:04:23Z Pablo Neira Ayuso pablo@netfilter.org 2016-01-03T20:02:18Z urn:sha1:502061f81d3eb4518d2e72178e494a8547788ad0 You can use this to duplicate packets and inject them at the egress path of the specified interface. This duplication allows you to inspect traffic from the dummy or any other interface dedicated to this purpose. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-12-28T17:34:35Z Pablo Neira Ayuso pablo@netfilter.org 2015-12-15T18:40:49Z urn:sha1:5ebe0b0eec9d6f703b137f9b938c52f7b91dd9d6 If the netdevice is destroyed, the resources that are attached should be released too as they belong to the device that is now gone. Suggested-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-12-28T17:34:35Z Pablo Neira Ayuso pablo@netfilter.org 2015-12-15T18:39:32Z urn:sha1:df05ef874b284d833c2d9795a6350c6a373ab6c9 We have to release the existing objects on netns removal otherwise we leak them. Chains are unregistered in first place to make sure no packets are walking on our rules and sets anymore. The object release happens by when we unregister the family via nft_release_afinfo() which is called from nft_unregister_afinfo() from the corresponding __net_exit path in every family. Reported-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-12-14T11:48:58Z Pablo Neira pablo@netfilter.org 2015-12-09T13:07:40Z urn:sha1:19576c9478682a398276c994ea0d2696474df32b Add a per-netns list of timeout objects and adjust code to use it. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-12-09T12:23:13Z Florian Westphal fw@strlen.de 2015-11-28T20:53:05Z urn:sha1:e639f7ab079b5256660018511d87aa34b54f1a9d Only needed when meta nftrace rule(s) were added. The assumption is that no such rules are active, so the call to nft_trace_init is "never" needed. When nftrace rules are active, we always call the nft_trace_* functions, but will only send netlink messages when all of the following are true: - traceinfo structure was initialised - skb->nf_trace == 1 - at least one subscriber to trace group. Adding an extra conditional (static_branch ... && skb->nf_trace) nft_trace_init( ..) Is possible but results in a larger nft_do_chain footprint. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-12-09T12:18:37Z Florian Westphal fw@strlen.de 2015-11-28T20:53:04Z urn:sha1:33d5a7b14bfd02e60af9d223db8dfff0cbcabe6b nft monitor mode can then decode and display this trace data. Parts of LL/Network/Transport headers are provided as separate attributes. Otherwise, printing IP address data becomes virtually impossible for userspace since in the case of the netdev family we really don't want userspace to have to know all the possible link layer types and/or sizes just to display/print an ip address. We also don't want userspace to have to follow ipv6 header chains to get the s/dport info, the kernel already did this work for us. To avoid bloating nft_do_chain all data required for tracing is encapsulated in nft_traceinfo. The structure is initialized unconditionally(!) for each nft_do_chain invocation. This unconditionall call will be moved under a static key in a followup patch. With lots of help from Patrick McHardy and Pablo Neira. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-11-25T12:54:51Z Patrick McHardy kaber@trash.net 2015-11-24T10:00:22Z urn:sha1:7ec3f7b47b8d9ad7ba425726f2c58f9ddce040df Add support for mangling packet payload. Checksum for the specified base header is updated automatically if requested, however no updates for any kind of pseudo headers are supported, meaning no stateless NAT is supported. For checksum updates different checksumming methods can be specified. The currently supported methods are NONE for no checksum updates, and INET for internet type checksums. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-11-25T12:54:50Z Florian Westphal fw@strlen.de 2015-11-23T23:03:28Z urn:sha1:a9ecfbe7fcf2f600718c3f995cbb46043f7a7a5d Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>