Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom?h=v4.12-rc2 2017-04-07T14:31:36Z 2017-04-07T14:31:36Z Pablo Neira Ayuso pablo@netfilter.org 2017-03-28T16:57:32Z urn:sha1:dedb67c4b4e5fa2e6e149a2ce93e7848aaa9d762 Add and use nfnl_msg_type() function to replace opencoded nfnetlink message type. I suggested this change, Arushi Singhal made an initial patch to address this but was missing several spots. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2017-02-12T13:45:11Z Pablo Neira Ayuso pablo@netfilter.org 2017-02-10T11:08:17Z urn:sha1:8c4d4e8b5626fec965fd5034e5bd5e57790f243f This patch allows userspace to specify the generation ID that has been used to build an incremental batch update. If userspace specifies the generation ID in the batch message as attribute, then nfnetlink compares it to the current generation ID so you make sure that you work against the right baseline. Otherwise, bail out with ERESTART so userspace knows that its changeset is stale and needs to respin. Userspace can do this transparently at the cost of taking slightly more time to refresh caches and rework the changeset. This check is optional, if there is no NFNL_BATCH_GENID attribute in the batch begin message, then no check is performed. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2017-01-09T16:24:53Z Willem de Bruijn willemb@google.com 2017-01-02T22:19:40Z urn:sha1:f32815d21d4d8287336fb9cef4d2d9e0866214c2 xt_entry_target, xt_entry_match and their private data may contain kernel data. Introduce helper functions xt_match_to_user, xt_target_to_user and xt_data_to_user that copy only the expected fields. These replace existing logic that calls copy_to_user on entire structs, then overwrites select fields. Private data is defined in xt_match and xt_target. All matches and targets that maintain kernel data store this at the tail of their private structure. Extend xt_match and xt_target with .usersize to limit how many bytes of data are copied. The remainder is cleared. If compatsize is specified, usersize can only safely be used if all fields up to usersize use platform-independent types. Otherwise, the compat_to_user callback must be defined. This patch does not yet enable the support logic. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-12-06T20:42:19Z Florian Westphal fw@strlen.de 2016-11-22T13:44:19Z urn:sha1:ae0ac0ed6fcf5af3be0f63eb935f483f44a402d2 instead of allocating each xt_counter individually, allocate 4k chunks and then use these for counter allocation requests. This should speed up rule evaluation by increasing data locality, also speeds up ruleset loading because we reduce calls to the percpu allocator. As Eric points out we can't use PAGE_SIZE, page_allocator would fail on arches with 64k page size. Suggested-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-12-06T20:42:18Z Florian Westphal fw@strlen.de 2016-11-22T13:44:18Z urn:sha1:f28e15bacedd444608e25421c72eb2cf4527c9ca Keeps some noise away from a followup patch. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-12-06T20:42:17Z Florian Westphal fw@strlen.de 2016-11-22T13:44:17Z urn:sha1:4d31eef5176df06f218201bc9c0ce40babb41660 On SMP we overload the packet counter (unsigned long) to contain percpu offset. Hide this from callers and pass xt_counters address instead. Preparation patch to allocate the percpu counters in page-sized batch chunks. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-12-04T19:53:15Z Davide Caratti dcaratti@redhat.com 2016-11-15T14:08:25Z urn:sha1:c51d39010a1bccc9c1294e2d7c00005aefeb2b5c CONFIG_NF_CT_PROTO_DCCP is no more a tristate. When set to y, connection tracking support for DCCP protocol is built-in into nf_conntrack.ko. footprint test: $ ls -l net/netfilter/nf_conntrack{_proto_dccp,}.ko \ net/ipv4/netfilter/nf_conntrack_ipv4.ko \ net/ipv6/netfilter/nf_conntrack_ipv6.ko (builtin)|| dccp | ipv4 | ipv6 | nf_conntrack ---------++--------+--------+--------+-------------- none || 469140 | 828755 | 828676 | 6141434 DCCP || - | 830566 | 829935 | 6533526 Signed-off-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-11-10T12:28:45Z Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2016-11-10T11:05:34Z urn:sha1:9e41f26a505cca04b7122e65053cf6447007ea79 Non-static (i.e. comment) extension was not counted into the memory size. A new internal counter is introduced for this. In the case of the hash types the sizes of the arrays are counted there as well so that we can avoid to scan the whole set when just the header data is requested. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2016-11-10T12:28:45Z Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2016-10-10T20:07:41Z urn:sha1:702b71e7c666a1c9be9d49e8cd173f0d4d1e859f It is better to list the set elements for all set types, thus the header information is uniform. Element counts are therefore added to the bitmap and list types. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> 2016-11-10T12:28:44Z Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2016-10-10T19:52:51Z urn:sha1:837a90eab67edfa464dcc0ddef193449d23da408 Cleanup: group ip_set_put_extensions and ip_set_get_extensions together and add missing extern. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>