Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.9.14 2016-09-25T21:34:19+00:00 2016-09-25T21:34:19+00:00 Pablo Neira Ayuso pablo@netfilter.org 2016-09-25T21:23:57+00:00 urn:sha1:f20fbc0717f9f007c94b2641134b19228d0ce9ed Conflicts: net/netfilter/core.c net/netfilter/nf_tables_netdev.c Resolve two conflicts before pull request for David's net-next tree: 1) Between c73c24849011 ("netfilter: nf_tables_netdev: remove redundant ip_hdr assignment") from the net tree and commit ddc8b6027ad0 ("netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate()"). 2) Between e8bffe0cf964 ("net: Add _nf_(un)register_hooks symbols") and Aaron Conole's patches to replace list_head with single linked list. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-25T12:38:48+00:00 Aaron Conole aconole@bytheb.org 2016-09-21T15:35:07+00:00 urn:sha1:e3b37f11e6e4e6b6f02cc762f182ce233d2c1c9d The netfilter hook list never uses the prev pointer, and so can be trimmed to be a simple singly-linked list. In addition to having a more light weight structure for hook traversal, struct net becomes 5568 bytes (down from 6400) and struct net_device becomes 2176 bytes (down from 2240). Signed-off-by: Aaron Conole <aconole@bytheb.org> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-24T19:25:49+00:00 Florian Westphal fw@strlen.de 2016-09-21T15:35:02+00:00 urn:sha1:fe72926b792e52ab00abfa81a201805bfb2247d6 This makes things simpler because we can store the head of the list in the nf_state structure without worrying about concurrent add/delete of hook elements from the list. A future commit will make use of this to implement a simpler linked-list. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Aaron Conole <aconole@bytheb.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-19T05:25:22+00:00 Mahesh Bandewar maheshb@google.com 2016-09-16T19:59:13+00:00 urn:sha1:e8bffe0cf964f0330595bb376b74921cccdaac88 Add _nf_register_hooks() and _nf_unregister_hooks() calls which allow caller to hold RTNL mutex. Signed-off-by: Mahesh Bandewar <maheshb@google.com> CC: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2016-03-02T19:05:26+00:00 Florian Westphal fw@strlen.de 2016-02-25T09:08:38+00:00 urn:sha1:af4610c39589d839551da104f7da342d86f23ea0 With the previous patches in place, a netns nf_hook_list might be empty, even if e.g. init_net performs filtering. Thus change nf_hook_thresh to check the hook_list as well before initializing hook_state and calling nf_hook_slow(). We still make use of static keys; if no netfilter modules are loaded list is guaranteed to be empty. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-10-16T16:45:36+00:00 Arnd Bergmann arnd@arndb.de 2015-10-09T18:45:42+00:00 urn:sha1:008027c31d57a22bd80dda5acc95b037634eee0f A recent change to the dst_output handling caused a new warning when the call to NF_HOOK() is the only used of a local variable passed as 'dev', and CONFIG_NETFILTER is disabled: net/ipv6/ip6_output.c: In function 'ip6_output': net/ipv6/ip6_output.c:135:21: warning: unused variable 'dev' [-Wunused-variable] The reason for this is that the NF_HOOK macro in this case does not reference the variable at all, and the call to dev_net(dev) got removed from the ip6_output function. To avoid that warning now and in the future, this changes the macro into an equivalent inline function, which tells the compiler that the variable is passed correctly but still unused. The dn_forward function apparently had the same problem in the past and added a local workaround that no longer works with the inline function. In order to avoid a regression, we have to also remove the #ifdef from decnet in the same patch. Fixes: ede2059dbaf9 ("dst: Pass net into dst->output") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-10-16T16:21:39+00:00 Florian Westphal fw@strlen.de 2015-10-13T12:33:26+00:00 urn:sha1:2ffbceb2b08f8ca0496c54a9ebcd11d25275954e since commit 8405a8fff3f8 ("netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook") all pending queued entries are discarded. So we can simply remove all of the owner handling -- when module is removed it also needs to unregister all its hooks. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-10-05T15:32:13+00:00 Ken-ichirou MATSUZAWA chamaken@gmail.com 2015-10-05T02:49:56+00:00 urn:sha1:224a05975ebbbdf507c65043f8aba280ccb39e6e get_ct as is and will not update its skb argument, and users of nfnl_ct_hook is currently only nfqueue, we can add const qualifier. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> 2015-10-05T15:32:11+00:00 Ken-ichirou MATSUZAWA chamaken@gmail.com 2015-10-05T02:47:13+00:00 urn:sha1:a4b4766c3cebb4018167e06b863d8e95b7274757 The idea of this series of patch is to attach conntrack information to nflog like nfqueue has already done. nfqueue conntrack info attaching basis is generic, rename those names to generic one, glue. Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2015-10-04T19:45:44+00:00 Pablo Neira Ayuso pablo@netfilter.org 2015-09-30T21:53:44+00:00 urn:sha1:b7bd1809e0784435791657502bc0d8280ad6f7ea The original intention was to avoid dependencies between nfnetlink_queue and conntrack without ifdef pollution. However, we can achieve this by moving the conntrack dependent code into ctnetlink and keep some glue code to access the nfq_ct indirection from nfqueue. After this patch, the nfq_ct indirection is always compiled in the netfilter core to avoid polluting nfqueue with ifdefs. Thus, if nf_conntrack is not compiled this results in only 8-bytes of memory waste in x86_64. This patch also adds ctnetlink_nfqueue_seqadj() to avoid that the nf_conn structure layout if exposed to nf_queue, which creates another dependency with nf_conntrack at compilation time. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>