1. 30 Aug 2012, 1 commit
  2. 22 Jun 2012, 1 commit
  3. 21 Jun 2012, 1 commit
  4. 16 Jun 2012, 2 commits
  5. 07 Jun 2012, 1 commit
  6. 21 Apr 2012, 1 commit
  7. 24 Feb 2012, 1 commit
    • static keys: Introduce 'struct static_key', static_key_true()/false() and... · c5905afb
      Ingo Molnar committed
      static keys: Introduce 'struct static_key', static_key_true()/false() and static_key_slow_[inc|dec]()
      
      So here's a boot tested patch on top of Jason's series that does
      all the cleanups I talked about and turns jump labels into a
      more intuitive to use facility. It should also address the
      various misconceptions and confusions that surround jump labels.
      
      Typical usage scenarios:
      
              #include <linux/static_key.h>
      
              struct static_key key = STATIC_KEY_INIT_TRUE;
      
              if (static_key_false(&key))
                      do unlikely code
              else
                      do likely code
      
      Or:
      
              if (static_key_true(&key))
                      do likely code
              else
                      do unlikely code
      
      The static key is modified via:
      
              static_key_slow_inc(&key);
              ...
              static_key_slow_dec(&key);
      
      The 'slow' prefix makes it abundantly clear that this is an
      expensive operation.
      
      I've updated all in-kernel code to use this everywhere. Note
      that I (intentionally) have not pushed through the rename
      blindly through to the lowest levels: the actual jump-label
      patching arch facility should be named like that, so we want to
      decouple jump labels from the static-key facility a bit.
      
      On non-jump-label enabled architectures static keys default to
      likely()/unlikely() branches.
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
      Acked-by: Jason Baron <jbaron@redhat.com>
      Acked-by: Steven Rostedt <rostedt@goodmis.org>
      Cc: a.p.zijlstra@chello.nl
      Cc: mathieu.desnoyers@efficios.com
      Cc: davem@davemloft.net
      Cc: ddaney.cavm@gmail.com
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Link: http://lkml.kernel.org/r/20120222085809.GA26397@elte.hu
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
  8. 22 Nov 2011, 1 commit
    • netfilter: use jump_label for nf_hooks · a2d7ec58
      Eric Dumazet committed
      On configs where CONFIG_JUMP_LABEL=y, we can replace in fast path a
      load/compare/conditional jump by a single jump with no dcache reference.
      
      Jump target is modified as soon as nf_hooks[pf][hook] switches from
      empty state to non empty states. jump_label state is kept outside of
      nf_hooks array so has no cost on cpu caches.
      
      This patch removes the test on CONFIG_NETFILTER_DEBUG: No need to call
      nf_hook_slow() at all if nf_hooks[pf][hook] is empty, this didn't give
      useful information, but slowed down things a lot.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Patrick McHardy <kaber@trash.net>
      CC: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
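The static-key API documented in Ingo Molnar's commit above (c5905afb) and the way Eric Dumazet's commit (a2d7ec58) applies it to nf_hooks, modelled together as an added userspace C example. This is not code from either commit or from the kernel tree: only the non-jump-label fallback is modelled (a counter, no code patching), and the netfilter side is reduced to one hook list per (pf, hook) with a key that is raised only while that list is non-empty. NPROTO, NHOOKS, the hook function signature, NF_HOOK()'s argument list, the name nf_hooks_needed and the two sample hooks are assumptions of this model.

```c
/* Added model of the static-key API (c5905afb) used the way a2d7ec58 uses it
 * for nf_hooks. Not kernel code; see the lead-in for what is assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fallback static key. The kernel stores an atomic_t; a plain int is enough
 * for this single-threaded model. Static storage zero-fills, which equals
 * STATIC_KEY_INIT_FALSE. */
struct static_key { int enabled; };
#define STATIC_KEY_INIT_TRUE  { .enabled = 1 }
#define STATIC_KEY_INIT_FALSE { .enabled = 0 }

/* With jump labels these become a patched nop/jmp; on other architectures
 * they are just likely()/unlikely() around a load of key->enabled. */
static inline bool static_key_true(const struct static_key *k)
{
    return __builtin_expect(k->enabled > 0, 1);
}
static inline bool static_key_false(const struct static_key *k)
{
    return __builtin_expect(k->enabled > 0, 0);
}

/* "slow" because the real ones take a mutex and patch code on every CPU;
 * every inc must be paired with a dec. */
static inline void static_key_slow_inc(struct static_key *k) { k->enabled++; }
static inline void static_key_slow_dec(struct static_key *k) { k->enabled--; }

#define NPROTO 4   /* assumed table sizes for the model */
#define NHOOKS 5

struct nf_hook_ops {
    struct nf_hook_ops *next;
    int pf, hooknum;
    int (*hook)(const char *pkt);   /* 1 = accept, 0 = drop (simplified verdict) */
};

static struct nf_hook_ops *nf_hooks[NPROTO][NHOOKS];
static struct static_key nf_hooks_needed[NPROTO][NHOOKS];   /* all STATIC_KEY_INIT_FALSE */
static unsigned long slow_path_calls;                       /* times nf_hook_slow() ran */

/* The key is raised only on the empty -> non-empty transition, so stacking a
 * second hook on the same (pf, hook) leaves it at 1. Returns 0 on success. */
int nf_register_hook(struct nf_hook_ops *reg)
{
    if (reg->pf < 0 || reg->pf >= NPROTO || reg->hooknum < 0 || reg->hooknum >= NHOOKS)
        return -1;
    reg->next = nf_hooks[reg->pf][reg->hooknum];
    nf_hooks[reg->pf][reg->hooknum] = reg;
    if (reg->next == NULL)
        static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
    return 0;
}

/* Lowered again only when the list becomes empty. Returns -1 if reg is not registered. */
int nf_unregister_hook(struct nf_hook_ops *reg)
{
    struct nf_hook_ops **pp = &nf_hooks[reg->pf][reg->hooknum];
    while (*pp && *pp != reg)
        pp = &(*pp)->next;
    if (!*pp)
        return -1;
    *pp = reg->next;
    if (nf_hooks[reg->pf][reg->hooknum] == NULL)
        static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
    return 0;
}

/* Slow path: walk the list; the first hook that answers 0 drops the packet. */
static int nf_hook_slow(int pf, int hooknum, const char *pkt)
{
    slow_path_calls++;
    for (struct nf_hook_ops *h = nf_hooks[pf][hooknum]; h; h = h->next)
        if (h->hook(pkt) == 0)
            return 0;
    return 1;
}

/* Fast path: the key alone decides whether nf_hook_slow() is entered; with an
 * empty list nothing in nf_hooks[] is read at all. */
int NF_HOOK(int pf, int hooknum, const char *pkt)
{
    if (static_key_false(&nf_hooks_needed[pf][hooknum]))
        return nf_hook_slow(pf, hooknum, pkt);
    return 1;
}

unsigned long nf_slow_path_calls(void) { return slow_path_calls; }
int nf_key_enabled(int pf, int hooknum) { return nf_hooks_needed[pf][hooknum].enabled; }

/* Constructed sample hooks: one drops payloads starting with "evil", one accepts all. */
static int drop_evil(const char *pkt) { return strncmp(pkt, "evil", 4) != 0; }
static int accept_all(const char *pkt) { (void)pkt; return 1; }
struct nf_hook_ops evil_filter = { .pf = 2, .hooknum = 1, .hook = drop_evil };
struct nf_hook_ops audit_hook  = { .pf = 2, .hooknum = 1, .hook = accept_all };

int main(void)
{
    int v = NF_HOOK(2, 1, "evil payload");
    printf("no hooks: verdict %d, slow-path calls %lu\n", v, nf_slow_path_calls());
    nf_register_hook(&evil_filter);
    v = NF_HOOK(2, 1, "evil payload");
    printf("with filter: verdict %d, slow-path calls %lu\n", v, nf_slow_path_calls());
    nf_unregister_hook(&evil_filter);
    return 0;
}
```

The point to check is the counter: with no hook registered the packet is accepted and nf_hook_slow() is never entered, and registering a second hook on the same (pf, hook) does not bump the key again, so the key really tracks list emptiness rather than hook count.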
  9. 28 May 2011, 1 commit
  10. 04 Apr 2011, 2 commits
  11. 18 Jan 2011, 2 commits
    • netfilter: allow NFQUEUE bypass if no listener is available · 94b27cc3
      Florian Westphal committed
      If an skb is to be NF_QUEUE'd, but no program has opened the queue, the
      packet is dropped.
      
      This adds a v2 target revision of xt_NFQUEUE that allows packets to
      continue through the ruleset instead.
      
      Because the actual queueing happens outside of the target context, the
      'bypass' flag has to be communicated back to the netfilter core.
      
      Unfortunately the only choice to do this without adding a new function
      argument is to use the target function return value (i.e. the verdict).
      
      In the NF_QUEUE case, the upper 16bit already contain the queue number
      to use.  The previous patch reduced NF_VERDICT_MASK to 0xff, i.e.
      we now have extra room for a new flag.
      
      If a hook issued a NF_QUEUE verdict, then the netfilter core will
      continue packet processing if the queueing hook
      returns -ESRCH (== "this queue does not exist") and the new
      NF_VERDICT_FLAG_QUEUE_BYPASS flag is set in the verdict value.
      
      Note: If the queue exists, but userspace does not consume packets fast
      enough, the skb will still be dropped.
      Signed-off-by: Florian Westphal <fwestphal@astaro.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: reduce NF_VERDICT_MASK to 0xff · f615df76
      Florian Westphal committed
      NF_VERDICT_MASK is currently 0xffff. This is because the upper
      16 bits are used to store errno (for NF_DROP) or the queue number
      (NF_QUEUE verdict).
      
      As there are up to 0xffff different queues available, there is no more
      room to store additional flags.
      
      At the moment there are only 6 different verdicts, i.e. we can reduce
      NF_VERDICT_MASK to 0xff to allow storing additional flags in the 0xff00 space.
      
      NF_VERDICT_BITS would then be reduced to 8, but because the value is
      exported to userspace, this might cause breakage, e.g.:
      
      'queuenr = (1 << NF_VERDICT_BITS) | NF_QUEUE' would now break.
      
      Thus, remove NF_VERDICT_BITS usage in the kernel and move the old value
      to the 'userspace compat' section.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
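The verdict-word layout that the two Florian Westphal commits above describe (94b27cc3 and f615df76): verdict code in the low byte, flags in the 0xff00 space, queue number in the upper 16 bits, and the core continuing past an NF_QUEUE verdict only when the queue reports -ESRCH and the bypass flag is set. This is an added C model, not code from either commit. The verdict codes and the NF_QUEUE_NR()/NF_VERDICT_QMASK macros follow the kernel's netfilter.h; the numeric value of NF_VERDICT_FLAG_QUEUE_BYPASS (0x8000) is not stated on this page and is an assumption here, as are nf_queue(), queue_has_listener() and the set of "listened" queues.

```c
/* Added model of netfilter verdict encoding after f615df76 and 94b27cc3.
 * Not kernel code; the bypass flag value and the queue/listener state are
 * constructed for the example. */
#include <errno.h>
#include <stdio.h>

enum { NF_DROP = 0, NF_ACCEPT, NF_STOLEN, NF_QUEUE, NF_REPEAT, NF_STOP };

#define NF_VERDICT_MASK              0x000000ff  /* was 0xffff before f615df76 */
#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000  /* assumed value; lives in the freed 0xff00 space */
#define NF_VERDICT_QMASK             0xffff0000  /* queue number, upper 16 bits */
#define NF_VERDICT_QBITS             16
#define NF_QUEUE_NR(x) ((((x) << 16) & NF_VERDICT_QMASK) | NF_QUEUE)

/* The old and new values of the constant that f615df76 moved to the
 * userspace-compat section. */
#define OLD_NF_VERDICT_BITS 16
#define NEW_NF_VERDICT_BITS 8

struct verdict_parts { unsigned code; unsigned flags; unsigned queue; };

/* Decode a verdict word the way the post-patch core does. */
struct verdict_parts split_verdict(unsigned v)
{
    struct verdict_parts p = {
        .code  = v & NF_VERDICT_MASK,
        .flags = v & 0xff00,
        .queue = v >> NF_VERDICT_QBITS,
    };
    return p;
}

/* Constructed listener table: only queue 5 has a userspace program attached. */
static int queue_has_listener(unsigned queue) { return queue == 5; }

/* Stand-in for nf_queue(): -ESRCH means "this queue does not exist". */
static int nf_queue(unsigned queue)
{
    if (!queue_has_listener(queue))
        return -ESRCH;
    return 0;   /* skb handed to userspace */
}

/* What the core does with an NF_QUEUE verdict after 94b27cc3. Returns
 * NF_ACCEPT to continue the ruleset, NF_STOLEN if the queue took the skb,
 * NF_DROP if no listener and no bypass, -EINVAL for a non-queue verdict. */
int handle_queue_verdict(unsigned verdict)
{
    if ((verdict & NF_VERDICT_MASK) != NF_QUEUE)
        return -EINVAL;
    int err = nf_queue(verdict >> NF_VERDICT_QBITS);
    if (err == 0)
        return NF_STOLEN;
    if (err == -ESRCH && (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
        return NF_ACCEPT;   /* no listener, but the target asked to continue */
    return NF_DROP;         /* no listener and no bypass: dropped, as before */
}

/* The userspace idiom quoted in f615df76. It encodes "queue 1" only while
 * NF_VERDICT_BITS happens to equal the queue shift. */
unsigned legacy_queue_verdict(int verdict_bits)
{
    return (1u << verdict_bits) | NF_QUEUE;
}

int main(void)
{
    struct verdict_parts p = split_verdict(legacy_queue_verdict(NEW_NF_VERDICT_BITS));
    printf("with NF_VERDICT_BITS=8: code %u flags 0x%x queue %u\n", p.code, p.flags, p.queue);
    printf("queue 7 without bypass: %d, with bypass: %d\n",
           handle_queue_verdict(NF_QUEUE_NR(7)),
           handle_queue_verdict(NF_QUEUE_NR(7) | NF_VERDICT_FLAG_QUEUE_BYPASS));
    return 0;
}
```

With the new bit count the legacy expression lands in the flag byte (0x100) and selects queue 0 instead of queue 1, which is exactly the breakage the commit avoids by leaving the exported NF_VERDICT_BITS value alone.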
  12. 18 Nov 2010, 1 commit
  13. 16 Nov 2010, 1 commit
  14. 12 Nov 2010, 1 commit
    • netfilter: NF_HOOK_COND has wrong conditional · ac5aa2e3
      Eric Paris committed
      The NF_HOOK_COND returns 0 when it shouldn't due to what I believe to be an
      error in the code as the order of operations is not what was intended.  C will
      evaluate == before =.  Which means ret is getting set to the bool result,
      rather than the return value of the function call.  The code says
      
      if (ret = function() == 1)
      when it meant to say:
      if ((ret = function()) == 1)
      
      Normally the compiler would warn, but it doesn't notice it because it's
      actually a complex conditional and so the wrong code is wrapped in an explicit
      set of () [exactly what the compiler wants you to do if this was intentional].
      Fixing this means that errors when netfilter denies a packet get propagated
      back up the stack rather than lost.
      
      Problem introduced by commit 2249065f (netfilter: get rid of the grossness
      in netfilter.h).
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Cc: stable@kernel.org
      Signed-off-by: Patrick McHardy <kaber@trash.net>
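The precedence bug in the commit above, shown as an added C example with the buggy and fixed forms side by side. This is not the kernel's netfilter.h: hook_thresh() and okfn() are stand-ins with an assumed return convention (1 means "continue to okfn", 0 means the skb was consumed, a negative errno means a hook denied the packet), and the two wrappers keep the shape of the inline NF_HOOK_COND the commit describes.

```c
/* Added model of the NF_HOOK_COND precedence bug fixed in ac5aa2e3.
 * Not kernel code; hook_thresh()/okfn() are constructed stand-ins. */
#include <errno.h>
#include <stdio.h>

/* Constructed hook: returns whatever verdict the caller scripts. */
static int hook_thresh(int scripted_verdict) { return scripted_verdict; }

/* Constructed okfn (the ip_rcv_finish()-style continuation): success. */
static int okfn(void) { return 0; }

/* Buggy form. Because == binds tighter than =, ret receives the result of the
 * comparison (0 or 1), and the extra parentheses around the assignment are
 * exactly what silences the compiler's "assignment as truth value" warning. */
int nf_hook_cond_buggy(int cond, int hook_verdict)
{
    int ret = 1;
    if (!cond || (ret = hook_thresh(hook_verdict) == 1))
        ret = okfn();
    return ret;
}

/* Fixed form: ret holds the hook's return value, which is then compared. */
int nf_hook_cond_fixed(int cond, int hook_verdict)
{
    int ret = 1;
    if (!cond || ((ret = hook_thresh(hook_verdict)) == 1))
        ret = okfn();
    return ret;
}

int main(void)
{
    printf("hook denies with -EPERM: buggy returns %d, fixed returns %d\n",
           nf_hook_cond_buggy(1, -EPERM), nf_hook_cond_fixed(1, -EPERM));
    return 0;
}
```

Only the denial case differs: accept (1) and consumed (0) yield the same result from both forms, which is why the bug survived ordinary traffic and only showed up as a lost error code.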
  15. 19 Feb 2010, 1 commit
  16. 15 Feb 2010, 2 commits
  17. 02 Feb 2010, 1 commit
  18. 05 Nov 2009, 1 commit
  19. 01 Oct 2009, 1 commit
  20. 08 Oct 2008, 3 commits
  21. 22 May 2008, 1 commit
  22. 14 Apr 2008, 2 commits
    • [NETFILTER]: Add partial checksum validation helper · d63a6507
      Patrick McHardy committed
      Move the UDP-Lite conntrack checksum validation to a generic helper
      similar to nf_checksum() and make it fall back to nf_checksum()
      in case the full packet is to be checksummed and hardware checksums
      are available. This is to be used by DCCP conntrack, which also
      needs to verify partial checksums.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • [NETFILTER]: ip_tables: per-netns FILTER/MANGLE/RAW tables for real · 666953df
      Alexey Dobriyan committed
      Commit 9335f047 aka
      "[NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW"
      added per-netns _view_ of iptables rules. They were shown to user, but
      ignored by filtering code. Now that it's possible to at least ping loopback,
      per-netns tables can affect filtering decisions.
      
      netns is taken in case of
      	PRE_ROUTING, LOCAL_IN -- from in device,
      	POST_ROUTING, LOCAL_OUT -- from out device,
      	FORWARD -- from in device which should be equal to out device's netns.
      		   This code is relatively new, so BUG_ON was plugged.
      
      Wrappers were added to a) keep code the same from CONFIG_NET_NS=n users
      (overwhelming majority), b) consolidate code in one place -- similar
      changes will be done in ipv6 and arp netfilter code.
      Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  23. 26 Mar 2008, 1 commit
  24. 28 Feb 2008, 1 commit
  25. 20 Feb 2008, 1 commit
  26. 29 Jan 2008, 8 commits