31 Oct, 2016

1 commit

• b73b8a1ba   netfilter: nft_dup: do not use sreg_dev if the user doesn't specify it ... Browse Code »

  The NFTA_DUP_SREG_DEV attribute is not a must option, so we should use it
  in routing lookup only when the user specify it.

  Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression")
  Signed-off-by: Liping Zhang
  Signed-off-by: Pablo Neira Ayuso

  Liping Zhang

  2016-10-31 20:17:38 +0800  

19 Sep, 2015

2 commits

• 206e8c007   netfilter: Pass net to nf_dup_ipv4 and nf_dup_ipv6 ... Browse Code »

  This allows them to stop guessing the network namespace with pick_net.

  Signed-off-by: "Eric W. Biederman"
  Signed-off-by: Pablo Neira Ayuso

  Eric W. Biederman

  2015-09-19 03:59:11 +0800  
• 6aa187f21   netfilter: nf_tables: kill nft_pktinfo.ops ... Browse Code »

  - Add nft_pktinfo.pf to replace ops->pf
  - Add nft_pktinfo.hook to replace ops->hooknum

  This simplifies the code, makes it more readable, and likely reduces
  cache line misses. Maintainability is enhanced as the details of
  nft_hook_ops are of no concern to the recpients of nft_pktinfo.

  Signed-off-by: "Eric W. Biederman"
  Signed-off-by: Pablo Neira Ayuso

  Eric W. Biederman

  2015-09-19 03:58:01 +0800  

07 Aug, 2015

1 commit

• d877f0711   netfilter: nf_tables: add nft_dup expression ... Browse Code »

  This new expression uses the nf_dup engine to clone packets to a given gateway.
  Unlike xt_TEE, we use an index to indicate output interface which should be
  fine at this stage.

  Moreover, change to the preemtion-safe this_cpu_read(nf_skb_duplicated) from
  nf_dup_ipv{4,6} to silence a lockdep splat.

  Based on the original tee expression from Arturo Borrero Gonzalez, although
  this patch has diverted quite a bit from this initial effort due to the
  change to support maps.

  Signed-off-by: Pablo Neira Ayuso

  Pablo Neira Ayuso

  2015-08-07 17:49:49 +0800