1. 10 Nov, 2016 7 commits
  2. 09 Nov, 2016 2 commits
      netfilter: conntrack: simplify init/uninit of L4 protocol trackers · 0e54d217
      Davide Caratti authored
      
      
      Modify registration and deregistration of layer-4 protocol trackers to
      facilitate inclusion of new elements into the current list of builtin
      protocols. Both builtin (TCP, UDP, ICMP) and non-builtin (DCCP, GRE, SCTP,
      UDPlite) layer-4 protocol trackers usually register/deregister themselves
      using consecutive calls to nf_ct_l4proto_{,pernet}_{,un}register(...).
      This sequence is interrupted and rolled back in case of error; in order to
      simplify addition of builtin protocols, the input of the above functions
      has been modified to allow registering/unregistering multiple protocols.
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      0e54d217
      netfilter: nf_tables: simplify the basic expressions' init routine · 4e24877e
      Liping Zhang authored
      
      
      Some basic expressions are built into nf_tables.ko, such as nft_cmp,
      nft_lookup, nft_range and so on. But these basic expressions' init
      routine is a little ugly, too many goto errX labels, and we forget
      to call nft_range_module_exit in the exit routine, although it is
      harmless.
      
      Actually, the init and exit routines of these basic expressions
      are the same, i.e. do nft_register_expr in the init routine and do
      nft_unregister_expr in the exit routine.
      
      So it's better to arrange them into an array and deal with them
      together.
      Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      4e24877e
  3. 03 Nov, 2016 5 commits
  4. 02 Nov, 2016 1 commit
  5. 01 Nov, 2016 5 commits
      netfilter: nf_tables: introduce routing expression · 2fa84193
      Anders K. Pedersen authored
      
      
      Introduces an nftables rt expression for routing related data with support
      for nexthop (i.e. the directly connected IP address that an outgoing packet
      is sent to), which can be used either for matching or accounting, e.g.
      
       # nft add rule filter postrouting \
      	ip daddr 192.168.1.0/24 rt nexthop != 192.168.0.1 drop
      
      This will drop any traffic to 192.168.1.0/24 that is not routed via
      192.168.0.1.
      
       # nft add rule filter postrouting \
      	flow table acct { rt nexthop timeout 600s counter }
       # nft add rule ip6 filter postrouting \
      	flow table acct { rt nexthop timeout 600s counter }
      
      These rules count outgoing traffic per nexthop. Note that the timeout
      releases an entry if no traffic is seen for this nexthop within 10 minutes.
      
       # nft add rule inet filter postrouting \
      	ether type ip \
      	flow table acct { rt nexthop timeout 600s counter }
       # nft add rule inet filter postrouting \
      	ether type ip6 \
      	flow table acct { rt nexthop timeout 600s counter }
      
      Same as above, but via the inet family, where the ether type must be
      specified explicitly.
      
      "rt classid" is also implemented identically to "meta rtclassid", since it
      is more logical to have this match in the routing expression going forward.
      Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      2fa84193
      netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c · 8db4c5be
      Pablo Neira Ayuso authored
      
      
      We need this split to reuse existing codebase for the upcoming nf_tables
      socket expression.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      8db4c5be
      netfilter: nf_log: add packet logging for netdev family · 1fddf4ba
      Pablo Neira Ayuso authored
      
      
      Move layer 2 packet logging into nf_log_l2packet() that resides in
      nf_log_common.c, so this can be shared by both bridge and netdev
      families.
      
      This patch adds the boilerplate code to register the netdev logging
      family.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      1fddf4ba
      netfilter: nf_tables: add fib expression · f6d0cbcf
      Florian Westphal authored
      Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
      just dispatches to ipv4 or ipv6 one based on nfproto).
      
      Currently supports fetching output interface index/name and the
      rtm_type associated with an address.
      
      This can be used for adding path filtering. rtm_type is useful
      to e.g. enforce a strong-end host model where packets
      are only accepted if daddr is configured on the interface the
      packet arrived on.
      
      The fib expression is a native nftables alternative to the
      xtables addrtype and rp_filter matches.
      
      FIB result order for oif/oifname retrieval is as follows:
       - if packet is local (skb has rtable, RTF_LOCAL set, this
         will also catch looped-back multicast packets), set oif to
         the loopback interface.
       - if fib lookup returns an error, or result points to local,
         store zero result.  This means '--local' option of -m rpfilter
         is not supported. It is possible to use 'fib type local' or add
         explicit saddr/daddr matching rules to create exceptions if this
         is really needed.
       - store result in the destination register.
         In case of multiple routes, search set for desired oif in case
         strict matching is requested.
      
      The ipv4 and ipv6 fib expressions are supposed to behave the same.
      
      [ I have collapsed Arnd Bergmann's ("netfilter: nf_tables: fib warnings")

      	http://patchwork.ozlabs.org/patch/688615/

        to address fallout from this patch after rebasing nf-next, that was
        posted to address compilation warnings. --pablo ]
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      f6d0cbcf
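      As an added illustration (not the kernel's nft_fib code), the oif result order listed in the commit above, modelled over a constructed routing table: the route entries, interface indices and the strict-match rule (search the nexthop set for the incoming interface) are assumptions of this model, not taken from the patch.

```python
# Toy model of the FIB result order for oif retrieval described in the
# "add fib expression" commit. Not kernel code; table and ifindexes are
# constructed sample data.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

LOOPBACK_IFINDEX = 1  # assumption: ifindex of "lo" in this model


@dataclass
class Route:
    prefix: str       # constructed prefix, e.g. "10.0.0.0/8"
    rtm_type: str     # "unicast" or "local" (RTN_UNICAST / RTN_LOCAL)
    oifs: List[int]   # nexthop output interfaces; several == multipath


@dataclass
class Packet:
    saddr: str
    iif: int
    skb_local: bool = False  # skb already carries an RTF_LOCAL rtable


def fib_lookup(fib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match over the constructed table; None = lookup error."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in fib:
        net = ipaddress.ip_network(r.prefix)
        if ip in net and (best is None or
                          net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    return best


def fib_oif(fib: List[Route], pkt: Packet, strict: bool) -> int:
    """Value the expression would store in the destination register."""
    if pkt.skb_local:                      # 1. local packet -> loopback
        return LOOPBACK_IFINDEX
    route = fib_lookup(fib, pkt.saddr)
    if route is None or route.rtm_type == "local":
        return 0                           # 2. error or local -> zero result
    if not strict:                         # 3a. plain result: first nexthop
        return route.oifs[0]
    # 3b. strict: search the nexthop set for the interface the packet came in on
    return pkt.iif if pkt.iif in route.oifs else 0


FIB = [Route("10.0.0.0/8", "unicast", [2]),
       Route("10.1.0.0/16", "unicast", [3, 4]),   # multipath
       Route("192.0.2.1/32", "local", [1])]
```

A reverse-path check in this model passes when `fib_oif(FIB, pkt, strict=True) == pkt.iif`; a zero result means no route, a local address, or the packet arrived on an interface the FIB would not use for its source.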
      net: set SK_MEM_QUANTUM to 4096 · bd68a2a8
      Eric Dumazet authored
      
      
      Systems with large pages (64KB pages for example) do not always have
      huge quantity of memory.
      
      A big SK_MEM_QUANTUM value leads to fewer interactions with the
      global counters (like tcp_memory_allocated) but might trigger
      memory pressure much faster, giving suboptimal TCP performance
      since windows are lowered to ridiculous values.
      
      Note that sysctl_mem units being in pages and in ABI, we also need
      to change sk_prot_mem_limits() accordingly.
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bd68a2a8
  6. 31 Oct, 2016 12 commits
  7. 30 Oct, 2016 5 commits
  8. 29 Oct, 2016 3 commits