linux/net/netfilter/xt_physdev.c, branch v4.5

netfilter: physdev: use helpers

2015-04-08T14:49:09Z

Avoid skb->nf_bridge accesses where possible. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: bridge: remove BRNF_STATE_BRIDGED flag

2015-03-16T13:35:02Z

Its not needed anymore since 2bf540b73ed5b ([NETFILTER]: bridge-netfilter: remove deferred hooks). Before this it was possible to have physoutdev set for locally generated packets -- this isn't the case anymore: BRNF_STATE_BRIDGED flag is set when we assign nf_bridge->physoutdev, so physoutdev != NULL means BRNF_STATE_BRIDGED is set. If physoutdev is NULL, then we are looking at locally-delivered and routed packet. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: explicit module dependency between br_netfilter and physdev

2014-10-02T16:30:57Z

You can use physdev to match the physical interface enslaved to the bridge device. This information is stored in skb->nf_bridge and it is set up by br_netfilter. So, this is only available when iptables is used from the bridge netfilter path. Since 34666d4 ("netfilter: bridge: move br_netfilter out of the core"), the br_netfilter code is modular. To reduce the impact of this change, we can autoload the br_netfilter if the physdev match is used since we assume that the users need br_netfilter in place. Signed-off-by: Pablo Neira Ayuso

netfilter: xtables: deconstify struct xt_action_param for matches

2010-05-11T16:33:37Z

In future, layer-3 matches will be an xt module of their own, and need to set the fragoff and thoff fields. Adding more pointers would needlessy increase memory requirements (esp. so for 64-bit, where pointers are wider). Signed-off-by: Jan Engelhardt

netfilter: xtables: substitute temporary defines by final name

2010-05-11T16:31:17Z

Signed-off-by: Jan Engelhardt

netfilter: xtables: change matches to return error code

2010-03-25T15:55:24Z

The following semantic patch does part of the transformation: // @ rule1 @ struct xt_match ops; identifier check; @@ ops.checkentry = check; @@ identifier rule1.check; @@ check(...) { <... -return true; +return 0; ...> } @@ identifier rule1.check; @@ check(...) { <... -return false; +return -EINVAL; ...> } // Signed-off-by: Jan Engelhardt

netfilter: xtables: change xt_match.checkentry return type

2010-03-25T15:03:13Z

Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back. This semantic patch may not be too precise (checking for functions that use xt_mtchk_param rather than functions referenced by xt_match.checkentry), but reviewed, it produced the intended result. // @@ type bool; identifier check, par; @@ -bool check +int check (struct xt_mtchk_param *par) { ... } // Signed-off-by: Jan Engelhardt

netfilter: xt extensions: use pr_

2010-03-18T13:20:07Z

Signed-off-by: Jan Engelhardt

netfilter: factorize ifname_compare()

2009-03-25T16:31:52Z

We use same not trivial helper function in four places. We can factorize it. Signed-off-by: Eric Dumazet Signed-off-by: Patrick McHardy

netfilter: xt_physdev: unfold two loops in physdev_mt()

2009-02-19T10:17:17Z

xt_physdev netfilter module can use an ifname_compare() helper so that two loops are unfolded. Signed-off-by: Eric Dumazet Signed-off-by: Patrick McHardy