<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/net/netfilter/nf_queue.c, branch v4.20</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/
</subtitle>
<id>https://git.shady.money/linux/atom?h=v4.20</id>
<link rel='self' href='https://git.shady.money/linux/atom?h=v4.20'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/'/>
<updated>2018-01-10T14:32:15Z</updated>
<entry>
<title>netfilter: remove duplicated include</title>
<updated>2018-01-10T14:32:15Z</updated>
<author>
<name>Wei Yongjun</name>
<email>weiyongjun1@huawei.com</email>
</author>
<published>2018-01-10T13:06:46Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=99eadf67c8fe0d9ebe5f4a2b1551d8238b4a43bf'/>
<id>urn:sha1:99eadf67c8fe0d9ebe5f4a2b1551d8238b4a43bf</id>
<content type='text'>
Signed-off-by: Wei Yongjun &lt;weiyongjun1@huawei.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: remove route_key_size field in struct nf_afinfo</title>
<updated>2018-01-08T17:11:01Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2017-11-27T21:58:37Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=464356234f88518f7d0678b979013e78607e8266'/>
<id>urn:sha1:464356234f88518f7d0678b979013e78607e8266</id>
<content type='text'>
This is only needed by nf_queue, place this code where it belongs.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: move reroute indirection to struct nf_ipv6_ops</title>
<updated>2018-01-08T17:10:53Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2017-11-27T21:50:26Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=ce388f452f0af2013c657dd24be4415d94e7704f'/>
<id>urn:sha1:ce388f452f0af2013c657dd24be4415d94e7704f</id>
<content type='text'>
We cannot make a direct call to nf_ip6_reroute() because that would result
in autoloading the 'ipv6' module because of symbol dependencies.
Therefore, define reroute indirection in nf_ipv6_ops where this really
belongs.

For IPv4, we can indeed make a direct function call, which is faster,
given IPv4 is built into the networking code by default. Still,
CONFIG_INET=n and CONFIG_NETFILTER=y is possible, so define an empty inline
stub for IPv4 in such case.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: remove saveroute indirection in struct nf_afinfo</title>
<updated>2018-01-08T17:01:25Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2017-12-20T15:12:55Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=7db9a51e0f9931446ed4231feb1040ed5134fc60'/>
<id>urn:sha1:7db9a51e0f9931446ed4231feb1040ed5134fc60</id>
<content type='text'>
This is only used by nf_queue.c and this function comes with no symbol
dependencies with IPv6, it just refers to structure layouts. Therefore,
we can replace it by a direct function call from where it belongs.

Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: don't allocate space for arp/bridge hooks unless needed</title>
<updated>2018-01-08T17:01:11Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2017-12-07T15:28:26Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=2a95183a5e0375df756efb2ca37602d71e8455f9'/>
<id>urn:sha1:2a95183a5e0375df756efb2ca37602d71e8455f9</id>
<content type='text'>
No need to define hook points if the family isn't supported.
Because we need these hooks for either nftables, arp/ebtables
or the 'call-iptables' hack we have in the bridge layer, add two
new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the
users select them.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: reduce size of hook entry point locations</title>
<updated>2018-01-08T17:01:08Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2017-12-02T23:58:47Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=b0f38338aef2dae5ade3c16acf713737e3b15a73'/>
<id>urn:sha1:b0f38338aef2dae5ade3c16acf713737e3b15a73</id>
<content type='text'>
struct net contains:

struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];

which store the hook entry point locations for the various protocol
families and the hooks.

Using an array results in compact C code when doing accesses, i.e.
  x = rcu_dereference(net-&gt;nf.hooks[pf][hook]);

but it's also wasting a lot of memory, as most families are
not used.

So split the array into those families that are used, which
are only 5 (instead of 13).  In most cases, the 'pf' argument is
constant, i.e. gcc removes the switch statement.

struct net before:
 /* size: 5184, cachelines: 81, members: 46 */
after:
 /* size: 4672, cachelines: 73, members: 46 */

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
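Added example (not part of the feed, the commit, or the kernel source): the commit message above describes replacing the flat hooks[pf][hook] pointer table with per-family arrays selected by a switch on pf. The example below models both layouts and measures the per-netns saving with sizeof. NFPROTO_NUMPROTO, NF_MAX_HOOKS, the per-family hook counts and the family numbers are this example's own assumed values, not the kernel's, and the lookup helper additionally refuses unsupported families and out-of-range hook indices rather than indexing past a per-family array.

```c
/* Added example, not kernel code. Constants below are assumptions
 * chosen to make the size comparison concrete. */
#include <stddef.h>
#include <stdio.h>

#define NFPROTO_NUMPROTO 13 /* assumed number of protocol family slots */
#define NF_MAX_HOOKS 8      /* assumed max hook points of any family */
#define NF_INET_NUMHOOKS 5  /* assumed: ipv4/ipv6/bridge hook count */
#define NF_ARP_NUMHOOKS 3   /* assumed: arp hook count */

/* Assumed family numbers for the four families this example wires up. */
enum { NFPROTO_IPV4 = 2, NFPROTO_ARP = 3, NFPROTO_BRIDGE = 7, NFPROTO_IPV6 = 10 };

struct nf_hook_entries; /* opaque here; only pointers to it are stored */

/* Before: one flat table, most rows never used by any family. */
struct netns_nf_flat {
    struct nf_hook_entries *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
};

/* After: storage only for the families that actually have hook points. */
struct netns_nf_split {
    struct nf_hook_entries *hooks_ipv4[NF_INET_NUMHOOKS];
    struct nf_hook_entries *hooks_ipv6[NF_INET_NUMHOOKS];
    struct nf_hook_entries *hooks_arp[NF_ARP_NUMHOOKS];
    struct nf_hook_entries *hooks_bridge[NF_INET_NUMHOOKS];
};

/* Returns the slot for (pf, hook), or NULL for an unsupported family or
 * an out-of-range hook index. When pf is a compile-time constant the
 * switch collapses to a single array index. */
static inline struct nf_hook_entries **
nf_hook_entries_head(struct netns_nf_split *nf, unsigned int pf, unsigned int hook)
{
    switch (pf) {
    case NFPROTO_IPV4:
        return hook < NF_INET_NUMHOOKS ? &nf->hooks_ipv4[hook] : NULL;
    case NFPROTO_IPV6:
        return hook < NF_INET_NUMHOOKS ? &nf->hooks_ipv6[hook] : NULL;
    case NFPROTO_ARP:
        return hook < NF_ARP_NUMHOOKS ? &nf->hooks_arp[hook] : NULL;
    case NFPROTO_BRIDGE:
        return hook < NF_INET_NUMHOOKS ? &nf->hooks_bridge[hook] : NULL;
    default:
        return NULL;
    }
}

size_t flat_size(void) { return sizeof(struct netns_nf_flat); }
size_t split_size(void) { return sizeof(struct netns_nf_split); }
size_t saved_bytes(void) { return flat_size() - split_size(); }

/* 1 if the helper resolves supported slots correctly and rejects the rest. */
int check_lookup(void)
{
    struct netns_nf_split nf = { { 0 } };

    return nf_hook_entries_head(&nf, NFPROTO_IPV4, 0) == &nf.hooks_ipv4[0]
        && nf_hook_entries_head(&nf, NFPROTO_IPV6, NF_INET_NUMHOOKS - 1) == &nf.hooks_ipv6[NF_INET_NUMHOOKS - 1]
        && nf_hook_entries_head(&nf, NFPROTO_ARP, NF_ARP_NUMHOOKS) == NULL   /* one past the end */
        && nf_hook_entries_head(&nf, 5, 0) == NULL;                           /* family with no hooks */
}

int main(void)
{
    printf("flat: %zu bytes, split: %zu bytes, saved: %zu bytes\n",
           flat_size(), split_size(), saved_bytes());
    printf("lookup checks: %s\n", check_lookup() ? "ok" : "FAILED");
    return 0;
}
```

The saving scales with the number of pointer slots removed (here 104 minus 18 pointers), so the exact figure depends on the constants; the commit's own before/after struct net sizes are what the kernel measured with its real values.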
<entry>
<title>netfilter: core: remove synchronize_net call if nfqueue is used</title>
<updated>2018-01-08T17:01:06Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2017-11-30T23:21:03Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=26888dfd7e7454686b8d3ea9ba5045d5f236e4d7'/>
<id>urn:sha1:26888dfd7e7454686b8d3ea9ba5045d5f236e4d7</id>
<content type='text'>
since commit 960632ece6949b ("netfilter: convert hook list to an array")
nfqueue no longer stores a pointer to the hook that caused the packet
to be queued.  Therefore no extra synchronize_net() call is needed after
dropping the packets enqueued by the old rule blob.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: convert hook list to an array</title>
<updated>2017-08-28T15:44:00Z</updated>
<author>
<name>Aaron Conole</name>
<email>aconole@bytheb.org</email>
</author>
<published>2017-08-23T22:08:32Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=960632ece6949be1ab6f7a911faa4fa6e8305f4a'/>
<id>urn:sha1:960632ece6949be1ab6f7a911faa4fa6e8305f4a</id>
<content type='text'>
This converts the storage and layout of netfilter hook entries from a
linked list to an array.  After this commit, hook entries will be
stored adjacent in memory.  The next pointer is no longer required.

The ops pointers are stored at the end of the array as they are only
used in the register/unregister path and in the legacy br_netfilter code.

nf_unregister_net_hooks() is slower than needed as it just calls
nf_unregister_net_hook in a loop (i.e. at least n synchronize_net()
calls), this will be addressed in followup patch.

Test setup:
 - ixgbe 10gbit
 - netperf UDP_STREAM, 64 byte packets
 - 5 hooks: (raw + mangle prerouting, mangle+filter input, inet filter):
empty mangle and raw prerouting, mangle and filter input hooks:
353.9
this patch:
364.2

Signed-off-by: Aaron Conole &lt;aconole@bytheb.org&gt;
Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
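Added example (not part of the feed, the commit, or the kernel source): the commit above stores hook entries adjacent in one array, with the ops pointers placed after the entries because they are only needed on the register/unregister path. The example below builds such a single allocation from a set of ops sorted by priority, runs the hot-path traversal over a constructed packet, and shows that the first non-accept verdict stops the walk. All type and function names, the verdict values, the sk_buf stand-in and the sample hooks are this example's own assumptions.

```c
/* Added example, not kernel code: entries first, ops trailer after. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum verdict { NF_DROP = 0, NF_ACCEPT = 1 }; /* assumed values */

struct sk_buf { const char *payload; };       /* stand-in for the skb */

typedef unsigned int nf_hookfn(void *priv, struct sk_buf *skb);

struct nf_hook_ops { nf_hookfn *hook; void *priv; int priority; };
struct nf_hook_entry { nf_hookfn *hook; void *priv; };

struct nf_hook_entries {
    uint16_t num_hook_entries;
    /* hooks[] is the hot path; num_hook_entries ops pointers follow it
     * and are touched only when hooks are (un)registered. */
    struct nf_hook_entry hooks[];
};

static struct nf_hook_ops **ops_trailer(struct nf_hook_entries *e)
{
    return (struct nf_hook_ops **)&e->hooks[e->num_hook_entries];
}

/* One allocation: header, n entries, n ops pointers. Entries are ordered
 * by ascending priority (lower value runs first). */
static struct nf_hook_entries *hook_entries_build(struct nf_hook_ops **ops, unsigned int n)
{
    size_t sz = sizeof(struct nf_hook_entries)
              + n * sizeof(struct nf_hook_entry)
              + n * sizeof(struct nf_hook_ops *);
    struct nf_hook_entries *e = calloc(1, sz);
    if (!e)
        return NULL;
    e->num_hook_entries = (uint16_t)n;
    struct nf_hook_ops **trailer = ops_trailer(e);
    for (unsigned int i = 0; i < n; i++) {           /* insertion sort, n is small */
        unsigned int j = i;
        while (j > 0 && trailer[j - 1]->priority > ops[i]->priority) {
            trailer[j] = trailer[j - 1];
            j--;
        }
        trailer[j] = ops[i];
    }
    for (unsigned int i = 0; i < n; i++) {           /* copy only what the hot path needs */
        e->hooks[i].hook = trailer[i]->hook;
        e->hooks[i].priv = trailer[i]->priv;
    }
    return e;
}

/* Hot path: walk the adjacent entries; the first non-accept verdict wins. */
static unsigned int nf_hook_run(struct sk_buf *skb, const struct nf_hook_entries *e)
{
    for (unsigned int i = 0; i < e->num_hook_entries; i++) {
        unsigned int v = e->hooks[i].hook(e->hooks[i].priv, skb);
        if (v != NF_ACCEPT)
            return v;
    }
    return NF_ACCEPT;
}

/* Sample hooks (constructed for the demo). */
static unsigned int hook_counter;
static unsigned int count_and_accept(void *priv, struct sk_buf *skb)
{ (void)priv; (void)skb; hook_counter++; return NF_ACCEPT; }
static unsigned int drop_if_match(void *priv, struct sk_buf *skb)
{ hook_counter++; return strstr(skb->payload, (const char *)priv) ? NF_DROP : NF_ACCEPT; }

static char needle[] = "evil";
static struct nf_hook_ops op_low  = { count_and_accept, NULL,   -300 };
static struct nf_hook_ops op_drop = { drop_if_match,    needle,    0 };
static struct nf_hook_ops op_high = { count_and_accept, NULL,    300 };

static struct nf_hook_entries *demo_build(void)
{
    struct nf_hook_ops *regs[] = { &op_high, &op_drop, &op_low }; /* deliberately unsorted */
    return hook_entries_build(regs, 3);
}

/* Verdict for a constructed payload; hooks_run (optional) receives how many hooks ran. */
unsigned int demo_verdict(const char *payload, unsigned int *hooks_run)
{
    struct nf_hook_entries *e = demo_build();
    struct sk_buf skb = { payload };
    hook_counter = 0;
    unsigned int v = e ? nf_hook_run(&skb, e) : NF_DROP;
    if (hooks_run)
        *hooks_run = hook_counter;
    free(e);
    return v;
}

/* 1 if the trailer is sorted by priority and entries mirror it. */
int demo_trailer_sorted(void)
{
    struct nf_hook_entries *e = demo_build();
    if (!e)
        return 0;
    struct nf_hook_ops **ops = ops_trailer(e);
    int ok = ops[0] == &op_low && ops[1] == &op_drop && ops[2] == &op_high
          && e->hooks[1].priv == op_drop.priv && e->hooks[1].hook == op_drop.hook;
    free(e);
    return ok;
}

int main(void)
{
    unsigned int run = 0;
    unsigned int v = demo_verdict("GET /index.html", &run);
    printf("benign: verdict %u after %u hooks\n", v, run);
    v = demo_verdict("evil payload", &run);
    printf("matching: verdict %u after %u hooks\n", v, run);
    printf("trailer sorted: %s\n", demo_trailer_sorted() ? "yes" : "no");
    return 0;
}
```

Because the ops pointers live past the end of hooks[], growing or shrinking the table means rebuilding the whole allocation and publishing the new one; readers in the middle of a walk keep using the old block, which is why the removal side has to wait for them before freeing it.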
<entry>
<title>netfilter: conntrack: destroy functions need to free queued packets</title>
<updated>2017-07-31T17:09:39Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2017-07-25T22:02:33Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=e2a750070aeec7af3818065b39d61cb38627ce64'/>
<id>urn:sha1:e2a750070aeec7af3818065b39d61cb38627ce64</id>
<content type='text'>
queued skbs might be using conntrack extensions that are being removed,
such as timeout.  This happens for skbs that have a skb-&gt;nfct in
unconfirmed state (i.e., not in hash table yet).

This is destructive, but there are only two use cases:
 - module removal (rare)
 - netns cleanup (most likely no conntracks exist, and if they do,
   they are removed anyway later on).

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nf_queue: only call synchronize_net twice if nf_queue is active</title>
<updated>2017-05-01T09:19:12Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2017-04-24T13:37:41Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/linux/commit/?id=039b40ee5854dc733cf786fee4a88e240a012115'/>
<id>urn:sha1:039b40ee5854dc733cf786fee4a88e240a012115</id>
<content type='text'>
nf_unregister_net_hook(s) can avoid a second call to synchronize_net,
provided there is no nfqueue active in that net namespace (which is
the common case).

This also gets rid of the extra arg to nf_queue_nf_hook_drop(); normally
this gets called during netns cleanup so no packets should be queued.

For the rare case of base chain being unregistered or module removal
while nfqueue is in use the extra hiccup due to the packet drops isn't
a big deal.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
