Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v4.9.166 2018-08-24T11:12:26+00:00 2018-08-24T11:12:26+00:00 Eric Dumazet edumazet@google.com 2018-06-13T17:11:56+00:00 urn:sha1:a677cc36431f68c1208bfe288fa5f407c0114094 [ Upstream commit 9ce7bc036ae4cfe3393232c86e9e1fea2153c237 ] It is a waste of memory to use a full "struct netns_sysctl_ipv6" while only one pointer is really used, considering netns_sysctl_ipv6 keeps growing. Also, since "struct netns_frags" has cache line alignment, it is better to move the frags_hdr pointer outside, otherwise we spend a full cache line for this pointer. This saves 192 bytes of memory per netns. Fixes: c038a767cd69 ("ipv6: add a new namespace for nf_conntrack_reasm") Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2016-09-25T21:34:19+00:00 Pablo Neira Ayuso pablo@netfilter.org 2016-09-25T21:23:57+00:00 urn:sha1:f20fbc0717f9f007c94b2641134b19228d0ce9ed Conflicts: net/netfilter/core.c net/netfilter/nf_tables_netdev.c Resolve two conflicts before pull request for David's net-next tree: 1) Between c73c24849011 ("netfilter: nf_tables_netdev: remove redundant ip_hdr assignment") from the net tree and commit ddc8b6027ad0 ("netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate()"). 2) Between e8bffe0cf964 ("net: Add _nf_(un)register_hooks symbols") and Aaron Conole's patches to replace list_head with single linked list. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-25T12:38:48+00:00 Aaron Conole aconole@bytheb.org 2016-09-21T15:35:07+00:00 urn:sha1:e3b37f11e6e4e6b6f02cc762f182ce233d2c1c9d The netfilter hook list never uses the prev pointer, and so can be trimmed to be a simple singly-linked list. In addition to having a more light weight structure for hook traversal, struct net becomes 5568 bytes (down from 6400) and struct net_device becomes 2176 bytes (down from 2240). Signed-off-by: Aaron Conole <aconole@bytheb.org> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-09-08T20:09:41+00:00 David S. Miller davem@davemloft.net 2016-09-08T20:09:41+00:00 urn:sha1:575f9c43e709ab5008047eb5c68b99fe04592400 Steffen Klassert says: ==================== ipsec-next 2016-09-08 1) Constify the xfrm_replay structures. From Julia Lawall 2) Protect xfrm state hash tables with rcu, lookups can be done now without acquiring xfrm_state_lock. From Florian Westphal. 3) Protect xfrm policy hash tables with rcu, lookups can be done now without acquiring xfrm_policy_lock. From Florian Westphal. 4) We don't need to have a garbage collector list per namespace anymore, so use a global one instead. From Florian Westphal. ==================== Signed-off-by: David S. Miller <davem@davemloft.net> 2016-08-24T11:16:06+00:00 Florian Westphal fw@strlen.de 2016-08-23T14:00:12+00:00 urn:sha1:35db57bbc4b7ab810bba6e6d6954a0faf5a842cf After commit 5b8ef3415a21f173 ("xfrm: Remove ancient sleeping when the SA is in acquire state") gc does not need any per-netns data anymore. As far as gc is concerned all state structs are the same, so we can use a global work struct for it. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2016-08-13T11:27:13+00:00 Pablo Neira Ayuso pablo@netfilter.org 2016-08-12T11:47:06+00:00 urn:sha1:adf0516845bcd0e626323c858ece28ee58c74455 This backward compatibility has been around for more than ten years, since Yasuyuki Kozakai introduced IPv6 in conntrack. These days, we have alternate /proc/net/nf_conntrack* entries, the ctnetlink interface and the conntrack utility got adopted by many people in the user community according to what I observed on the netfilter user mailing list. So let's get rid of this. Note that nf_conntrack_htable_size and unsigned int nf_conntrack_max do not need to be exported as symbol anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2016-08-12T06:07:12+00:00 Florian Westphal fw@strlen.de 2016-08-11T13:17:59+00:00 urn:sha1:9d0380df6217e8dd014118fa1c99dda9974f3613 After earlier patches conversions all spots acquire the writer lock and we can now convert this to a normal spinlock. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2016-08-12T06:07:12+00:00 Florian Westphal fw@strlen.de 2016-08-11T13:17:56+00:00 urn:sha1:a7c44247f704e385c77579d65c6ee6d002832529 side effect: no longer disables BH (should be fine). Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2016-08-10T09:23:24+00:00 Florian Westphal fw@strlen.de 2016-08-09T10:16:09+00:00 urn:sha1:d737a5805581c6f99dad4caa9fdf80965d617d1a push the lock down, after earlier patches we can rely on rcu to make sure state struct won't go away. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> 2016-08-09T21:57:39+00:00 David Ahern dsa@cumulusnetworks.com 2016-08-09T13:51:06+00:00 urn:sha1:631fee7d70e8eabb642b4bcc58f08bbe880c91aa After commit 0ddcf43d5d4a ("ipv4: FIB Local/MAIN table collapse") fib_local is set but not used. Remove it. Signed-off-by: David Ahern <dsa@cumulusnetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net>