10 Apr, 2008
1 commit
-
Shifts larger than the data type are undefined, don't try to shift
an u32 by 32. Also remove some special-casing of bitmasks divisible
by 32.Based on patch by Jan Engelhardt .
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
28 Mar, 2008
1 commit
-
This elliminates infamous race during module loading when one could lookup
proc entry without proc_fops assigned.Signed-off-by: Denis V. Lunev
Signed-off-by: David S. Miller
20 Feb, 2008
1 commit
-
By allocating ->hinfo, we already have the needed indirection to cope
with the per-cpu xtables struct match_entry.[Patrick: do this now before the revision 1 struct is used by userspace]
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
01 Feb, 2008
3 commits
-
The hashlimit_ipv6_mask() is called from under IP6_NF_IPTABLES config
option, but is not under it by itself.gcc warns us about it :) :
net/netfilter/xt_hashlimit.c:473: warning: "hashlimit_ipv6_mask" defined but not usedSigned-off-by: Pavel Emelyanov
Signed-off-by: David S. Miller -
Introduces the xt_hashlimit match revision 1. It adds support for
kernel-level inversion and grouping source and/or destination IP
addresses, allowing to limit on a per-subnet basis. While this would
technically obsolete xt_limit, xt_hashlimit is a more expensive due
to the hashbucketing.Kernel-level inversion: Previously you had to do user-level inversion:
iptables -N foo
iptables -A foo -m hashlimit --hashlimit(-upto) 5/s -j RETURN
iptables -A foo -j DROP
iptables -A INPUT -j foonow it is simpler:
iptables -A INPUT -m hashlimit --hashlimit-over 5/s -j DROP
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Some lock annotations, and make initializers static.
Signed-off-by: Stephen Hemminger
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Jan, 2008
5 commits
-
Updates the MODULE_DESCRIPTION() tags for all Netfilter modules,
actually describing what the module does and not just
"netfilter XYZ target".Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
This patch generalizes the (CONFIG_IP6_NF_IPTABLES || CONFIG_IP6_NF_IPTABLES_MODULE)
test done in hashlimit_init_dst() to all the xt_hashlimit module.This permits a size reduction of "struct dsthash_dst". This saves memory and
cpu for IPV4 only hosts.Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
1) Using jhash2() instead of jhash() is a litle bit faster if applicable.
2) Thanks to jhash, hash value uses full 32 bits.
Instead of returning hash % size (implying a divide)
we return the high 32 bits of the (hash * size) that will
give results between [0 and size-1] and same hash distribution.On most cpus, a multiply is less expensive than a divide, by an order
of magnitude.Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Switch from ipv6_find_hdr to ipv6_skip_exthdr to avoid pulling in ip6_tables
and ipv6 when only using it for IPv4.Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Give all Netfilter modules consistent and unique symbol names.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
15 Dec, 2007
1 commit
-
In order to avoid jiffies wraparound and its effect, special care must
be taken
when doing comparisons ...Signed-off-by: Eric Dumazet
Acked-by: Patrick McHardy
Signed-off-by: David S. Miller
11 Oct, 2007
1 commit
-
This patch makes /proc/net per network namespace. It modifies the global
variables proc_net and proc_net_stat to be per network namespace.
The proc_net file helpers are modified to take a network namespace argument,
and all of their callers are fixed to pass &init_net for that argument.
This ensures that all of the /proc/net files are only visible and
usable in the initial network namespace until the code behind them
has been updated to be handle multiple network namespaces.Making /proc/net per namespace is necessary as at least some files
in /proc/net depend upon the set of network devices which is per
network namespace, and even more files in /proc/net have contents
that are relevant to a single network namespace.Signed-off-by: Eric W. Biederman
Signed-off-by: David S. Miller
20 Jul, 2007
1 commit
-
Slab destructors were no longer supported after Christoph's
c59def9f222d44bb7e2f0a559f2906191a0862d7 change. They've been
BUGs for both slab and slub, and slob never supported them
either.This rips out support for the dtor pointer from kmem_cache_create()
completely and fixes up every single callsite in the kernel (there were
about 224, not including the slab allocator definitions themselves,
or the documentation references).Signed-off-by: Paul Mundt
11 Jul, 2007
7 commits
-
Make all initialized struct seq_operations in net/ const
Signed-off-by: Philippe De Muyter
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Removes redundant parentheses and braces (And add one pair in a
xt_tcpudp.c macro).Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Make a number of variables const and/or remove unneeded casts.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Switch the return type of match functions to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Switch the return type of match functions to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Switch the "hotdrop" variables to boolean
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
26 Apr, 2007
3 commits
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Now the skb->nh union has just one member, .raw, i.e. it is just like the
skb->mac union, strange, no? I'm just leaving it like that till the transport
layer is done with, when we'll rename skb->mac.raw to skb->mac_header (or
->mac_header_offset?), ditto for ->{h,nh}.Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller -
Signed-off-by: Arnaldo Carvalho de Melo
Signed-off-by: David S. Miller
13 Feb, 2007
2 commits
-
Signed-off-by: YOSHIFUJI Hideaki
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller -
Many struct file_operations in the kernel can be "const". Marking them const
moves these to the .rodata section, which avoids false sharing with potential
dirty data. In addition it'll catch accidental writes at compile time to
these shared resources.Signed-off-by: Arjan van de Ven
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
09 Feb, 2007
1 commit
-
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
04 Jan, 2007
1 commit
-
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
08 Dec, 2006
1 commit
-
Replace all uses of kmem_cache_t with struct kmem_cache.
The patch was generated using the following script:
#!/bin/sh
#
# Replace one string by another in all the kernel sources.
#set -e
for file in `find * -name "*.c" -o -name "*.h"|xargs grep -l $1`; do
quilt add $file
sed -e "1,\$s/$1/$2/g" $file >/tmp/$$
mv /tmp/$$ $file
quilt refresh
doneThe script was run like this
sh replace kmem_cache_t "struct kmem_cache"
Signed-off-by: Christoph Lameter
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
04 Dec, 2006
1 commit
-
Signed-off-by: Al Viro
03 Dec, 2006
2 commits
-
To use ipv6_find_hdr(), IP6_NF_IPTABLES is necessary.
Signed-off-by: Yasuyuki Kozakai
Signed-off-by: David S. Miller -
Signed-off-by: Patrick McHardy