1. 15 Jun, 2015 6 commits
    • netfilter: nf_tables_netdev: unregister hooks on net_device removal · 835b8033
      Pablo Neira Ayuso authored
      In case the net_device is gone, we have to unregister the hooks and put back
      the reference on the net_device object. Once it comes back, register them
      again. This also covers the device rename case.
      
      This patch also adds a new flag to indicate that the basechain is disabled, so
      its hooks are not registered. This flag is used by the netdev family to
      handle the case where the net_device object is gone. Currently this flag is not
      exposed to userspace.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: add nft_register_basechain() and nft_unregister_basechain() · d8ee8f7c
      Pablo Neira Ayuso authored
      These wrapper functions take care of hook registration for basechains.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: attach net_device to basechain · 2cbce139
      Pablo Neira Ayuso authored
      The device is part of the hook configuration, so instead of a global
      configuration per table, set it to each of the basechains that we create.
      
      This patch reworks ebddf1a8 ("netfilter: nf_tables: allow to bind table to
      net_device").
      
      Note that this adds a dev_name field in the nft_base_chain structure which is
      required by the netdev notification subscription that follows up in a patch to
      handle gone net_devices.
      Suggested-by: Patrick McHardy <kaber@trash.net>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: x_tables: remove XT_TABLE_INFO_SZ and a dereference. · 711bdde6
      Eric Dumazet authored
      After Florian's patches, there is no need for XT_TABLE_INFO_SZ anymore:
      Only one copy of the table is kept, instead of one copy per cpu.
      
      We can also avoid a dereference if we put table data right after
      xt_table_info. It reduces register pressure and helps the compiler.
      
      Then, we attempt a kmalloc() if total size is under order-3 allocation,
      to reduce TLB pressure, as in many cases, rules fit in 32 KB.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Merge branch 'master' of git://blackhole.kfki.hu/nf-next · 53b87627
      Pablo Neira Ayuso authored
      Jozsef Kadlecsik says:
      
      ====================
      ipset patches for nf-next
      
      Please consider to apply the next bunch of patches for ipset. First
      comes the small changes, then the bugfixes and at the end the RCU
      related patches.
      
      * Use MSEC_PER_SEC consistently instead of the number.
      * Use SET_WITH_*() helpers to test set extensions from Sergey Popovich.
      * Check extensions attributes before getting extensions from Sergey Popovich.
      * Permit CIDR equal to the host address CIDR in IPv6 from Sergey Popovich.
      * Make sure we always return line number on batch in the case of error
        from Sergey Popovich.
      * Check CIDR value only when attribute is given from Sergey Popovich.
      * Fix cidr handling for hash:*net* types, reported by Jonathan Johnson.
      * Fix parallel resizing and listing of the same set so that the original
        set is kept for the whole dumping.
      * Make sure listing doesn't grab a set which is just being destroyed.
      * Remove rbtree from ip_set_hash_netiface.c in order to introduce RCU.
      * Replace rwlock_t with spinlock_t in "struct ip_set", change the locking
        in the core and simplifications in the timeout routines.
      * Introduce RCU locking in bitmap:* types with a slight modification in the
        logic on how an element is added.
      * Introduce RCU locking in hash:* types. This is the most complex part of
        the changes.
      * Introduce RCU locking in list type where standard rculist is used.
      * Fix coding styles reported by checkpatch.pl.
      ====================
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: Kconfig: get rid of parens around depends on · f09becc7
      Pablo Neira Ayuso authored
      According to the reporter, they are not needed.
      Reported-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 14 Jun, 2015 15 commits
  3. 12 Jun, 2015 12 commits
  4. 11 Jun, 2015 7 commits