19 Jun, 2019

1 commit

• d2912cb15   treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 ... Browse Code »

  Based on 2 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license version 2 as
  published by the free software foundation

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license version 2 as
  published by the free software foundation #

  extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-only

  has been chosen to replace the boilerplate/reference in 4122 file(s).

  Signed-off-by: Thomas Gleixner
  Reviewed-by: Enrico Weigelt
  Reviewed-by: Kate Stewart
  Reviewed-by: Allison Randal
  Cc: linux-spdx@vger.kernel.org
  Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
  Signed-off-by: Greg Kroah-Hartman

  Thomas Gleixner

  2019-06-19 23:09:55 +0800  

30 Apr, 2019

1 commit

• 1de6f3342   netfilter: connlabels: fix spelling mistake "trackling" -> "tracking" ... Browse Code »

  There is a spelling mistake in the module description. Fix this.

  Signed-off-by: Colin Ian King
  Reviewed-by: Mukesh Ojha
  Signed-off-by: Pablo Neira Ayuso

  Colin Ian King

  2019-04-30 20:19:57 +0800  

15 Feb, 2018

1 commit

• b26066447   netfilter: x_tables: use pr ratelimiting in all remaining spots ... Browse Code »

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2018-02-15 04:05:38 +0800  

15 Apr, 2017

1 commit

• ab8bc7ed8   netfilter: remove nf_ct_is_untracked ... Browse Code »

  This function is now obsolete and always returns false.
  This change has no effect on generated code.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2017-04-15 17:51:33 +0800  

05 Dec, 2016

1 commit

• ecb2421b5   netfilter: add and use nf_ct_netns_get/put ... Browse Code »

  currently aliased to try_module_get/_put.
  Will be changed in next patch when we add functions to make use of ->net
  argument to store usercount per l3proto tracker.

  This is needed to avoid registering the conntrack hooks in all netns and
  later only enable connection tracking in those that need conntrack.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2016-12-05 04:16:50 +0800  

22 Jul, 2016

2 commits

• 857ed310c   netfilter: connlabels: move set helper to xt_connlabel ... Browse Code »

  xt_connlabel is the only user so move it.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2016-07-22 23:05:10 +0800  
• 23014011b   netfilter: conntrack: support a fixed size of 128 distinct labels ... Browse Code »

  The conntrack label extension is currently variable-sized, e.g. if
  only 2 labels are used by iptables rules then the labels->bits[] array
  will only contain one element.

  We track size of each label storage area in the 'words' member.

  But in nftables and openvswitch we always have to ask for worst-case
  since we don't know what bit will be used at configuration time.

  As most arches are 64bit we need to allocate 24 bytes in this case:

  struct nf_conn_labels {
  u8 words; /* 0 1 */
  /* XXX 7 bytes hole, try to pack */
  long unsigned bits[2]; /* 8 24 */

  Make bits a fixed size and drop the words member, it simplifies
  the code and only increases memory requirements on x86 when
  less than 64bit labels are required.

  We still only allocate the extension if its needed.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2016-07-22 23:04:55 +0800  

19 Apr, 2016

2 commits

• adff6c656   netfilter: connlabels: change nf_connlabels_get bit arg to 'highest used' ... Browse Code »

  nf_connlabel_set() takes the bit number that we would like to set.
  nf_connlabels_get() however took the number of bits that we want to
  support.

  So e.g. nf_connlabels_get(32) support bits 0 to 31, but not 32.
  This changes nf_connlabels_get() to take the highest bit that we want
  to set.

  Callers then don't have to cope with a potential integer wrap
  when using nf_connlabels_get(bit + 1) anymore.

  Current callers are fine, this change is only to make folloup
  nft ct label set support simpler.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2016-04-19 02:39:48 +0800  
• b4ef15992   netfilter: connlabels: move helpers to xt_connlabel ... Browse Code »

  Currently labels can only be set either by iptables connlabel
  match or via ctnetlink.

  Before adding nftables set support, clean up the clabel core and move
  helpers that nft will not need after all to the xtables module.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2016-04-19 02:39:41 +0800  

28 Aug, 2015

1 commit

• 86ca02e77   netfilter: connlabels: Export setting connlabel length ... Browse Code »

  Add functions to change connlabel length into nf_conntrack_labels.c so
  they may be reused by other modules like OVS and nftables without
  needing to jump through xt_match_check() hoops.

  Suggested-by: Florian Westphal
  Signed-off-by: Joe Stringer
  Acked-by: Florian Westphal
  Acked-by: Thomas Graf
  Signed-off-by: David S. Miller

  Joe Stringer

  2015-08-28 02:40:43 +0800  

18 Jan, 2013

1 commit

• c539f0171   netfilter: add connlabel conntrack extension ... Browse Code »

  similar to connmarks, except labels are bit-based; i.e.
  all labels may be attached to a flow at the same time.

  Up to 128 labels are supported. Supporting more labels
  is possible, but requires increasing the ct offset delta
  from u8 to u16 type due to increased extension sizes.

  Mapping of bit-identifier to label name is done in userspace.

  The extension is enabled at run-time once "-m connlabel" netfilter
  rules are added.

  Signed-off-by: Florian Westphal
  Signed-off-by: Pablo Neira Ayuso

  Florian Westphal

  2013-01-18 07:28:15 +0800