19 Jun, 2019
1 commit
-
Based on 2 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundationthis program is free software you can redistribute it and or modify
it under the terms of the gnu general public license version 2 as
published by the free software foundation #extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-only
has been chosen to replace the boilerplate/reference in 4122 file(s).
Signed-off-by: Thomas Gleixner
Reviewed-by: Enrico Weigelt
Reviewed-by: Kate Stewart
Reviewed-by: Allison Randal
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de
Signed-off-by: Greg Kroah-Hartman
15 Feb, 2018
1 commit
-
switch this to info, since these aren't really errors.
We only use printk because we cannot report meaningful errors
in the xtables framework.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
03 Nov, 2016
1 commit
-
Place pointer to hook state in xt_action_param structure instead of
copying the fields that we need. After this change xt_action_param fits
into one cacheline.This patch also adds a set of new wrapper functions to fetch relevant
hook state structure fields.Signed-off-by: Pablo Neira Ayuso
08 Dec, 2013
1 commit
-
This patch prepares the addition of nft_queue module by moving
reusable code into a header file.This patch also converts NFQUEUE to use prandom_u32 to initialize
the random jhash seed as suggested by Florian Westphal.Signed-off-by: Eric Leblond
Signed-off-by: Pablo Neira Ayuso
29 Oct, 2013
1 commit
-
V3 of the NFQUEUE target ignores the --queue-bypass flag,
causing packets to be dropped when the userspace listener
isn't running.Regression is in since 8746ddcf12bb26 ("netfilter: xt_NFQUEUE:
introduce CPU fanout").Reported-by: Florian Westphal
Signed-off-by: Holger Eitzenberger
Signed-off-by: Pablo Neira Ayuso
02 Apr, 2013
2 commits
-
Because rev1 and rev3 of the target share the same hashing
generalize it by introduing nfqueue_hash().Signed-off-by: Holger Eitzenberger
Signed-off-by: Pablo Neira Ayuso -
Current NFQUEUE target uses a hash, computed over source and
destination address (and other parameters), for steering the packet
to the actual NFQUEUE. This, however forgets about the fact that the
packet eventually is handled by a particular CPU on user request.If E. g.
1) IRQ affinity is used to handle packets on a particular CPU already
(both single-queue or multi-queue case)and/or
2) RPS is used to steer packets to a specific softirq
the target easily chooses an NFQUEUE which is not handled by a process
pinned to the same CPU.The idea is therefore to use the CPU index for determining the
NFQUEUE handling the packet.E. g. when having a system with 4 CPUs, 4 MQ queues and 4 NFQUEUEs it
looks like this:+-----+ +-----+ +-----+ +-----+
|NFQ#0| |NFQ#1| |NFQ#2| |NFQ#3|
+-----+ +-----+ +-----+ +-----+
^ ^ ^ ^
| |NFQUEUE | |
+ + + +
+-----+ +-----+ +-----+ +-----+
|rx-0 | |rx-1 | |rx-2 | |rx-3 |
+-----+ +-----+ +-----+ +-----+The NFQUEUEs not necessarily have to start with number 0, setups with
less NFQUEUEs than packet-handling CPUs are not a problem as well.This patch extends the NFQUEUE target to accept a new
NFQ_FLAG_CPU_FANOUT flag. If this is specified the target uses the
CPU index for determining the NFQUEUE being used. I have to introduce
rev3 for this. The 'flags' are folded into _v2 'bypass'.By changing the way which queue is assigned, I'm able to improve the
performance if the processes reading on the NFQUEUs are pinned
correctly.Signed-off-by: Holger Eitzenberger
Signed-off-by: Pablo Neira Ayuso
20 Aug, 2012
1 commit
-
Fix a couple of endian annotation in net/netfilter:
net/netfilter/nfnetlink_acct.c:82:30: warning: cast to restricted __be64
net/netfilter/nfnetlink_acct.c:86:30: warning: cast to restricted __be64
net/netfilter/nfnetlink_cthelper.c:77:28: warning: cast to restricted __be16
net/netfilter/xt_NFQUEUE.c:46:16: warning: restricted __be32 degrades to integer
net/netfilter/xt_NFQUEUE.c:60:34: warning: restricted __be32 degrades to integer
net/netfilter/xt_NFQUEUE.c:68:34: warning: restricted __be32 degrades to integer
net/netfilter/xt_osf.c:272:55: warning: cast to restricted __be16Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
07 Jun, 2012
1 commit
-
because reply packets need to go to the same nfqueue, src/dst ip
address were xor'd prior to jhash().However, this causes bad distribution for some workloads, e.g.
flows a.b.1.{1,n} -> a.b.2.{1,n} all share the same hash value.Avoid this by hashing both. To get same hash for replies,
first argument is the smaller address.Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
17 Dec, 2011
1 commit
-
Use IS_ENABLED(CONFIG_FOO)
instead of defined(CONFIG_FOO) || defined (CONFIG_FOO_MODULE)Signed-off-by: Igor Maravić
Signed-off-by: David S. Miller
18 Jan, 2011
1 commit
-
If an skb is to be NF_QUEUE'd, but no program has opened the queue, the
packet is dropped.This adds a v2 target revision of xt_NFQUEUE that allows packets to
continue through the ruleset instead.Because the actual queueing happens outside of the target context, the
'bypass' flag has to be communicated back to the netfilter core.Unfortunately the only choice to do this without adding a new function
argument is to use the target function return value (i.e. the verdict).In the NF_QUEUE case, the upper 16bit already contain the queue number
to use. The previous patch reduced NF_VERDICT_MASK to 0xff, i.e.
we now have extra room for a new flag.If a hook issued a NF_QUEUE verdict, then the netfilter core will
continue packet processing if the queueing hook
returns -ESRCH (== "this queue does not exist") and the new
NF_VERDICT_FLAG_QUEUE_BYPASS flag is set in the verdict value.Note: If the queue exists, but userspace does not consume packets fast
enough, the skb will still be dropped.Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
13 Nov, 2010
1 commit
-
Signed-off-by: Changli Gao
Acked-by: Eric Dumazet
Signed-off-by: Patrick McHardy
12 May, 2010
1 commit
-
Signed-off-by: Jan Engelhardt
25 Mar, 2010
4 commits
-
When extended status codes are available, such as ENOMEM on failed
allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
them up to userspace seems like a good idea compared to just always
EINVAL.Signed-off-by: Jan Engelhardt
-
Part of the transition of done by this semantic patch:
//
@ rule1 @
struct xt_target ops;
identifier check;
@@
ops.checkentry = check;@@
identifier rule1.check;
@@
check(...) { }@@
identifier rule1.check;
@@
check(...) { }
//Signed-off-by: Jan Engelhardt
-
Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.//
@@
type bool;
identifier check, par;
@@
-bool check
+int check
(struct xt_tgchk_param *par) { ... }
//Minus the change it does to xt_ct_find_proto.
Signed-off-by: Jan Engelhardt
-
Supplement to aa5fa3185791aac71c9172d4fda3e8729164b5d1.
The semantic patch for this change is://
@@
struct xt_target_param *par;
@@
-par->target->family
+par->family@@
struct xt_tgchk_param *par;
@@
-par->target->family
+par->family@@
struct xt_tgdtor_param *par;
@@
-par->target->family
+par->family
//Signed-off-by: Jan Engelhardt
17 Mar, 2010
1 commit
-
Signed-off-by: Jan Engelhardt
04 Jan, 2010
1 commit
-
"It is deliberately not done in the init function, since we might not
have sufficient random while booting."Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
22 Jun, 2009
1 commit
-
net/netfilter/xt_NFQUEUE.c:46:9: warning: incorrect type in assignment (different base types)
net/netfilter/xt_NFQUEUE.c:46:9: expected unsigned int [unsigned] [usertype] ipaddr
net/netfilter/xt_NFQUEUE.c:46:9: got restricted unsigned int
net/netfilter/xt_NFQUEUE.c:68:10: warning: incorrect type in assignment (different base types)
net/netfilter/xt_NFQUEUE.c:68:10: expected unsigned int [unsigned]
net/netfilter/xt_NFQUEUE.c:68:10: got restricted unsigned int
net/netfilter/xt_NFQUEUE.c:69:10: warning: incorrect type in assignment (different base types)
net/netfilter/xt_NFQUEUE.c:69:10: expected unsigned int [unsigned]
net/netfilter/xt_NFQUEUE.c:69:10: got restricted unsigned int
net/netfilter/xt_NFQUEUE.c:70:10: warning: incorrect type in assignment (different base types)
net/netfilter/xt_NFQUEUE.c:70:10: expected unsigned int [unsigned]
net/netfilter/xt_NFQUEUE.c:70:10: got restricted unsigned int
net/netfilter/xt_NFQUEUE.c:71:10: warning: incorrect type in assignment (different base types)
net/netfilter/xt_NFQUEUE.c:71:10: expected unsigned int [unsigned]
net/netfilter/xt_NFQUEUE.c:71:10: got restricted unsigned intnet/netfilter/xt_cluster.c:20:55: warning: incorrect type in return expression (different base types)
net/netfilter/xt_cluster.c:20:55: expected unsigned int
net/netfilter/xt_cluster.c:20:55: got restricted unsigned int const [usertype] ip
net/netfilter/xt_cluster.c:20:55: warning: incorrect type in return expression (different base types)
net/netfilter/xt_cluster.c:20:55: expected unsigned int
net/netfilter/xt_cluster.c:20:55: got restricted unsigned int const [usertype] ipSigned-off-by: Patrick McHardy
05 Jun, 2009
2 commits
-
Adds support for specifying a range of queues instead of a single queue
id. Flows will be distributed across the given range.This is useful for multicore systems: Instead of having a single
application read packets from a queue, start multiple
instances on queues x, x+1, .. x+n. Each instance can process
flows independently.Packets for the same connection are put into the same queue.
Signed-off-by: Holger Eitzenberger
Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy -
We can use wildcard matching here, just like
ab4f21e6fb1c09b13c4c3cb8357babe8223471bd ("xtables: use NFPROTO_UNSPEC
in more extensions").Signed-off-by: Florian Westphal
Signed-off-by: Patrick McHardy
20 Oct, 2008
1 commit
-
(Supplements: ee999d8b9573df1b547aacdc6d79f86eb79c25cd)
NFPROTO_ARP actually has a different value from NF_ARP, so ensure all
callers use the new value so that packets _do_ get delivered to the
registered hooks.Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
08 Oct, 2008
2 commits
-
This patch does this for target extensions' target functions.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy -
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
29 Jan, 2008
2 commits
-
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Give all Netfilter modules consistent and unique symbol names.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
16 Oct, 2007
1 commit
-
With all the users of the double pointers removed, this patch mops up by
finally replacing all occurances of sk_buff ** in the netfilter API by
sk_buff *.Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
11 Jul, 2007
1 commit
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Feb, 2007
1 commit
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
16 Oct, 2006
1 commit
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
23 Sep, 2006
2 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Mar, 2006
1 commit
-
Every netfilter module uses `init' for its module_init() function and
`fini' or `cleanup' for its module_exit() function.Problem is, this creates uninformative initcall_debug output and makes
ctags rather useless.So go through and rename them all to $(filename)_init and
$(filename)_fini.Signed-off-by: Andrew Morton
Signed-off-by: David S. Miller
23 Mar, 2006
1 commit
-
Set the family field in xt_[matches|targets] registered.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
21 Mar, 2006
2 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
13 Jan, 2006
1 commit
-
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headersBased on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.Signed-off-by: Harald Welte
Signed-off-by: David S. Miller
