kernel/linux.git/include/linux/netfilter.h, branch v5.19

netfilter: conntrack: handle ->destroy hook via nat_ops instead

2022-02-04T05:30:28+00:00

The nat module already exposes a few functions to the conntrack core. Move the nat extension destroy hook to it. After this, no conntrack extension needs a destroy hook. 'struct nf_ct_ext_type' and the register/unregister api can be removed in a followup patch. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: make function op structures const

2022-01-09T22:30:13+00:00

No functional changes, these structures should be const. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: core: move ip_ct_attach indirection to struct nf_ct_hook

2022-01-09T22:30:13+00:00

ip_ct_attach predates struct nf_ct_hook, we can place it there and remove the exported symbol. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: annotate nf_tables base hook ops

2021-06-07T10:23:38+00:00

This will allow a followup patch to treat the 'ops->priv' pointer as nft_chain argument without having to first walk the table/chains to check if there is a matching base chain pointer. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: reduce size of nf_hook_state on 32bit platforms

2021-05-28T23:04:53+00:00

Reduce size from 28 to 24 bytes on 32bit platforms. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: ctnetlink: remove get_ct indirection

2021-01-25T21:06:11+00:00

Use nf_ct_get() directly, its a small inline helper without dependencies. Add CONFIG_NF_CONNTRACK guards to elide the relevant part when conntrack isn't available at all. v2: add ifdef guard around nf_ct_get call (kernel test robot) Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: switch nf_setsockopt to sockptr_t

2020-07-24T22:41:54+00:00

Pass a sockptr_t to prepare for set_fs-less handling of the kernel pointer from bpf-cgroup. Signed-off-by: Christoph Hellwig Signed-off-by: David S. Miller

netfilter: remove the compat_{get,set} methods

2020-07-20T01:16:40+00:00

All instances handle compat sockopts via in_compat_syscall() now, so remove the compat_{get,set} methods as well as the compat_nf_{get,set}sockopt wrappers. Signed-off-by: Christoph Hellwig Signed-off-by: David S. Miller

netfilter: add and use nf_hook_slow_list()

2019-10-17T10:20:48+00:00

At this time, NF_HOOK_LIST() macro will iterate the list and then calls nf_hook() for each individual skb. This makes it so the entire list is passed into the netfilter core. The advantage is that we only need to fetch the rule blob once per list instead of per-skb. NF_HOOK_LIST now only works for ipv4 and ipv6, as those are the only callers. v2: use skb_list_del_init() instead of list_del (Edward Cree) Signed-off-by: Florian Westphal Acked-by: Edward Cree Signed-off-by: Pablo Neira Ayuso

netfilter: remove CONFIG_NETFILTER checks from headers.

2019-09-13T10:47:36+00:00

`struct nf_hook_ops`, `struct nf_hook_state` and the `nf_hookfn` function typedef appear in function and struct declarations and definitions in a number of netfilter headers. The structs and typedef themselves are defined by linux/netfilter.h but only when CONFIG_NETFILTER is enabled. Define them unconditionally and add forward declarations in order to remove CONFIG_NETFILTER conditionals from the other headers. Signed-off-by: Jeremy Sowden Signed-off-by: Pablo Neira Ayuso