Skype customer databases: prodawez390 Email: prodawez...@gmail.com Whatsapp:
+79139230330
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
This allows easier future refactoring.
Signed-off-by: Aaron Conole
---
include/linux/netfilter.h | 27 +++
net/bridge/br_netfilter_hooks.c | 2 +-
net/netfilter/core.c| 10 --
net/netfilter/nf_queue.c| 5 ++---
4 files changed, 34 inser
From: Aaron Conole
During nfhook traversal we only need a very small subset of
nf_hook_ops members.
We need:
- next element
- hook function to call
- hook function priv argument
Bridge netfilter also needs 'thresh', which can be obtained via ->orig_ops.
nf_hook_entry struct is now 32 bytes on x86_64
This is to facilitate converting from a singly-linked list to an array
of elements.
Signed-off-by: Aaron Conole
---
net/bridge/br_netfilter_hooks.c | 8
net/netfilter/core.c| 6 ++
2 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/net/bridge/br_netfilter_hoo
This series introduces a set of accessors, compacts the nf_hook_entry, and
rearranges some of the loops in preparation for the final set of work going
to an array based hook system.
After this series, the nf_hook_entry should fit in a cacheline on a modern
Intel i7.
Tested on bare-metal system.
This switch (default on) can be used to disable automatic registration
of connection tracking functionality in newly created network
namespaces.
This means that when a net namespace goes down (or the tracker protocol
module is unloaded) we *might* have to unregister the hooks.
We can either add ano
so that conntrack core will add the needed hooks in this namespace.
Signed-off-by: Florian Westphal
---
no changes since v3.
net/ipv4/netfilter/nft_masq_ipv4.c | 7 +++
net/ipv4/netfilter/nft_redir_ipv4.c | 7 +++
net/ipv6/netfilter/nft_masq_ipv6.c | 7 +++
net/ipv6/netfilter/
nf_defrag modules for ipv4 and ipv6 export an empty stub function.
Any module that needs the defragmentation hooks registered simply 'calls'
this empty function to create a phony module dependency -- modprobe will
then load the defrag module too.
This extends netfilter ipv4/ipv6 defragmentation mo
This makes use of nf_ct_netns_get/put added in previous patch.
We add get/put functions to the nf_conntrack_l3proto structure; ipv4 and ipv6
then implement a use-count to track how many users (nft or xtables modules)
have a dependency on ipv4 and/or ipv6 connection tracking functionality.
When count rea
Historically all the netfilter hooks got registered on module load time.
When net namespace support was added, hooks were registered in each
namespace (and new net namespaces inherit already-registered hooks from
global list).
This means that once nf_conntrack_ipv4/6.ko is loaded, all
existing an
MASQUERADE, S/DNAT and REDIRECT already call functions that depend on the
conntrack module.
However, since the conntrack hooks are now registered in a lazy fashion
(i.e., only when needed) a symbol reference is not enough.
Thus, when something is added to a nat table, make sure that it will see
p
since adf0516845bcd0 ("netfilter: remove ip_conntrack* sysctl compat code")
the only user (ipv4 tracker) sets this to an empty stub function.
After this change nf_ct_l3proto_pernet_register() is also empty,
but this will change in a followup patch to add conditional register
of the hooks.
Signed-
currently aliased to try_module_get/_put.
Will be changed in next patch when we add functions to make use of ->net
argument to store usercount per l3proto tracker.
This is needed to avoid registering the conntrack hooks in all netns and
later only enable connection tracking in those that need conn
On Tue, Nov 15, 2016 at 08:50:10PM +0100, Pablo Neira Ayuso wrote:
> On Tue, Nov 15, 2016 at 05:22:38PM -0200, Elise Lennion wrote:
> > Error messages in nft should start with "syntax error" to keep
> > consistency. A new function add_syntax_error() was created to add this
> > prefix when necessary
On Tue, Nov 15, 2016 at 05:22:38PM -0200, Elise Lennion wrote:
> Error messages in nft should start with "syntax error" to keep
> consistency. A new function add_syntax_error() was created to add this
> prefix when necessary.
Probably you can just add EREC_SYNTAX_ERROR to enum
error_record_types,
On Tue, Nov 15, 2016 at 03:08:24PM +0100, Davide Caratti wrote:
> To allow usage of enum ip_conntrack_dir in include/net/netns/conntrack.h,
> this patch encloses #include in a #ifndef __KERNEL__
> directive, so that compiler errors caused by unwanted inclusion of
> include/linux/netfilter.h are av
Error messages in nft should start with "syntax error" to keep
consistency. A new function add_syntax_error() was created to add this
prefix when necessary.
Signed-off-by: Elise Lennion
---
include/erec.h | 3 +++
src/erec.c | 23 +++
2 files changed, 26 insertions(+)
d
2016-11-15 6:21 GMT+08:00 Pablo Neira Ayuso :
> On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
>> From: Liping Zhang
>>
>> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
>> log more things. The following iptables rule:
>> # iptables -A OUTPUT -j LOG --log-tc
CONFIG_NF_CT_PROTO_DCCP is no longer a tristate. When set to y, connection
tracking support for the DCCP protocol is built into nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_dccp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntr
CONFIG_NF_CT_PROTO_SCTP is no longer a tristate. When set to y, connection
tracking support for the SCTP protocol is built into nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_sctp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/nf_conntr
CONFIG_NF_CT_PROTO_UDPLITE is no longer a tristate. When set to y,
connection tracking support for the UDPlite protocol is built into
nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_udplite,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
net/ipv6/netfilter/
To allow usage of enum ip_conntrack_dir in include/net/netns/conntrack.h,
this patch encloses #include in a #ifndef __KERNEL__
directive, so that compiler errors caused by unwanted inclusion of
include/linux/netfilter.h are avoided.
In addition, #include line has
been added to resolve correctly C
When netfilter needs to match traffic made by one of the above protocols,
layer-4 connection tracking functionality will not be available, unless the
user explicitly loads it in the kernel (e.g. "modprobe nf_conntrack_proto_sctp")
or modifies the default kernel configuration and rebuilds.
In order to
From: Pablo Neira Ayuso
> Sent: 13 November 2016 22:25
> Allocate memory with kmalloc() rather than kzalloc(): the string
> is immediately initialized so it is unnecessary to zero out
> the allocated memory area.
>
> Ported from a patch proposed by Sergey Popovich .
>
> Suggested-by: Sergey Popov
Hi Pablo,
please consider these enhancements to the IPVS for v4.10.
* Decrement the IP ttl in all the modes in order to prevent infinite
route loops. Thanks to Dwip Banerjee.
* Use IS_ERR_OR_NULL macro. Clean-up from Gao Feng.
The following changes since commit 7d384846b9987f7b611357adf3cdfec
From: Gao Feng
This minor refactoring does not change the logic of function
ip_vs_genl_dump_dests.
Signed-off-by: Gao Feng
Acked-by: Julian Anastasov
Signed-off-by: Simon Horman
---
net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilt
From: Dwip Banerjee
We decrement the IP ttl in all the modes in order to prevent infinite
route loops. The changes were done based on Julian Anastasov's
suggestions in a prior thread.
The ttl based check/discard and the actual decrement are done in
__ip_vs_get_out_rt() and in __ip_vs_get_out_rt_