<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net/netfilter/nf_queue.c, branch v4.1</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v4.1</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v4.1'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2015-04-08T16:30:21Z</updated>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next</title>
<updated>2015-04-08T16:30:21Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2015-04-08T15:40:17Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=aadd51aa71f8d013c818a312bb2a0c5714830dbc'/>
<id>urn:sha1:aadd51aa71f8d013c818a312bb2a0c5714830dbc</id>
<content type='text'>
Resolve conflicts between 5888b93 ("Merge branch 'nf-hook-compress'") and
Florian Westphal br_netfilter works.

Conflicts:
        net/bridge/br_netfilter.c

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: bridge: add helpers for fetching physin/outdev</title>
<updated>2015-04-08T14:49:08Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2015-04-02T12:31:41Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=c737b7c4510026c200e14de51eb0006adea0fb2f'/>
<id>urn:sha1:c737b7c4510026c200e14de51eb0006adea0fb2f</id>
<content type='text'>
Right now we store this in the nf_bridge_info struct, accessible
via skb-&gt;nf_bridge.  This patch prepares removal of this pointer from skb:

Instead of using skb-&gt;nf_bridge-&gt;x, we use helpers to obtain the in/out
device (or ifindexes).

Followup patches to netfilter will then allow nf_bridge_info to be
obtained by a call into the br_netfilter core, rather than keeping a
pointer to it in sk_buff.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: Pass socket pointer down through okfn().</title>
<updated>2015-04-07T19:25:55Z</updated>
<author>
<name>David Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2015-04-06T02:19:04Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab'/>
<id>urn:sha1:7026b1ddb6b8d4e6ee33dc2bd06c0ca8746fa7ab</id>
<content type='text'>
On the output paths in particular, we have to sometimes deal with two
socket contexts.  First, and usually skb-&gt;sk, is the local socket that
generated the frame.

And second, is potentially the socket used to control a tunneling
socket, such as one that encapsulates using UDP.

We do not want to disassociate skb-&gt;sk when encapsulating in order
to fix this, because that would break socket memory accounting.

The most extreme case where this can cause huge problems is an
AF_PACKET socket transmitting over a vxlan device.  We hit code
paths doing checks that assume they are dealing with an ipv4
socket, but are actually operating upon the AF_PACKET one.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netfilter: Add socket pointer to nf_hook_state.</title>
<updated>2015-04-07T19:25:55Z</updated>
<author>
<name>David Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2015-04-06T02:19:00Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=1c984f8a5df085bcf35364a8a870bd4db4da4ed3'/>
<id>urn:sha1:1c984f8a5df085bcf35364a8a870bd4db4da4ed3</id>
<content type='text'>
It is currently always set to NULL, but nf_queue is adjusted to be
prepared for it being set to a real socket by taking and releasing a
reference to that socket when necessary.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netfilter: Use nf_hook_state in nf_queue_entry.</title>
<updated>2015-04-04T16:25:22Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2015-04-03T20:31:01Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=1d1de89b9a4746f1dd055a3b8d073dd2f962a3b6'/>
<id>urn:sha1:1d1de89b9a4746f1dd055a3b8d073dd2f962a3b6</id>
<content type='text'>
That way we don't have to reinstantiate another nf_hook_state
on the stack of the nf_reinject() path.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netfilter: Create and use nf_hook_state.</title>
<updated>2015-04-04T16:17:40Z</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2015-04-03T20:23:58Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=cfdfab314647b1755afedc33ab66f3f247e161ae'/>
<id>urn:sha1:cfdfab314647b1755afedc33ab66f3f247e161ae</id>
<content type='text'>
Instead of passing a large number of arguments down into the nf_hook()
entry points, create a structure which carries this state down through
the hook processing layers.

This makes it so that if we want to change the types or signatures of
any of these pieces of state, there are fewer places that need to be
changed.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>netfilter: use IS_ENABLED(CONFIG_BRIDGE_NETFILTER)</title>
<updated>2014-10-02T16:30:54Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2014-10-01T09:19:17Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=1109a90c01177e8f4a5fd95c5b685ad02f1fe9bb'/>
<id>urn:sha1:1109a90c01177e8f4a5fd95c5b685ad02f1fe9bb</id>
<content type='text'>
In 34666d4 ("netfilter: bridge: move br_netfilter out of the core"),
the bridge netfilter code has been modularized.

Use IS_ENABLED instead of ifdef to cover the module case.

Fixes: 34666d4 ("netfilter: bridge: move br_netfilter out of the core")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: move skb_gso_segment into nfnetlink_queue module</title>
<updated>2013-04-29T18:09:05Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2013-04-19T04:58:25Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=a5fedd43d5f6c94c71053a66e4c3d2e35f1731a2'/>
<id>urn:sha1:a5fedd43d5f6c94c71053a66e4c3d2e35f1731a2</id>
<content type='text'>
skb_gso_segment is expensive, so it would be nice if we could
avoid it in the future. However, userspace needs to be prepared
to receive larger-than-mtu-packets (which will also have incorrect
l3/l4 checksums), so we cannot simply remove it.

The plan is to add a per-queue feature flag that userspace can
set when binding the queue.

The problem is that in nf_queue, we only have a queue number,
not the queue context/configuration settings.

This patch should have no impact other than the skb_gso_segment
call now being in a function that has access to the queue config
data.

A new size attribute in nf_queue_entry is needed so
nfnetlink_queue can duplicate the entry of the gso skb
when segmenting the skb while also copying the route key.

The follow-up patch adds a switch to disable skb_gso_segment when
queue config says so.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_queue: move device refcount bump to extra function</title>
<updated>2013-04-29T18:09:04Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2013-04-19T04:58:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=4bd60443cc44c93ff37d483d69674647a0c48e4e'/>
<id>urn:sha1:4bd60443cc44c93ff37d483d69674647a0c48e4e</id>
<content type='text'>
required by future patch that will need to duplicate the
nf_queue_entry, bumping refcounts of the copy.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: add my copyright statements</title>
<updated>2013-04-18T18:27:55Z</updated>
<author>
<name>Patrick McHardy</name>
<email>kaber@trash.net</email>
</author>
<published>2013-04-06T13:24:29Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=f229f6ce481ceb33a966311722b8ef0cb6c25de7'/>
<id>urn:sha1:f229f6ce481ceb33a966311722b8ef0cb6c25de7</id>
<content type='text'>
Add copyright statements to all netfilter files which have had significant
changes done by myself in the past.

Some notes:

- nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
  Core Team when it got split out of nf_conntrack_core.c. The copyrights
  even state a date which lies six years before it was written. It was
  written in 2005 by Harald and myself.

- net/ipv{4,6}/netfilter.c, net/netfilter/nf_queue.c were missing copyright
  statements. I've added the copyright statement from net/netfilter/core.c,
  where this code originated.

- for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
  it to give the wrong impression

Signed-off-by: Patrick McHardy &lt;kaber@trash.net&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
