- 12 5月, 2010 2 次提交
-
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
The structures carried - besides match/target - almost the same data. It is possible to combine them, as extensions are evaluated serially, and so, the callers end up a little smaller. text data bss filename -15318 740 104 net/ipv4/netfilter/ip_tables.o +15286 740 104 net/ipv4/netfilter/ip_tables.o -15333 540 152 net/ipv6/netfilter/ip6_tables.o +15269 540 152 net/ipv6/netfilter/ip6_tables.o Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 27 4月, 2010 1 次提交
-
-
由 Jan Engelhardt 提交于
There has been quite a confusion in userspace about XT_FUNCTION_MAXNAMELEN; because struct xt_entry_match used MAX-1, userspace would have to do an awkward MAX-2 for maximum length checking (due to '\0'). This patch adds a new define that matches the definition of XT_TABLE_MAXNAMELEN - being the size of the actual struct member, not one off. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 19 4月, 2010 1 次提交
-
-
由 Jan Engelhardt 提交于
Currently, the table traverser stores return addresses in the ruleset itself (struct ip6t_entry->comefrom). This has a well-known drawback: the jumpstack is overwritten on reentry, making it necessary for targets to return absolute verdicts. Also, the ruleset (which might be heavy memory-wise) needs to be replicated for each CPU that can possibly invoke ip6t_do_table. This patch decouples the jumpstack from struct ip6t_entry and instead puts it into xt_table_info. Not being restricted by 'comefrom' anymore, we can set up a stack as needed. By default, there is room allocated for two entries into the traverser. arp_tables is not touched though, because there is just one/two modules and further patches seek to collapse the table traverser anyhow. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 13 4月, 2010 1 次提交
-
-
由 Alexey Dobriyan 提交于
XT_ALIGN() was rewritten through ALIGN() by commit 42107f50 "netfilter: xtables: symmetric COMPAT_XT_ALIGN definition". ALIGN() is not exported in userspace headers, which created compile problem for tc(8) and will create problem for iptables(8). We can't export generic looking name ALIGN() but we can export less generic __ALIGN_KERNEL() (suggested by Ben Hutchings). Google knows nothing about __ALIGN_KERNEL(). COMPAT_XT_ALIGN() changed for symmetry. Reported-by: NAndreas Henriksson <andreas@fatal.se> Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 25 3月, 2010 3 次提交
-
-
由 Jan Engelhardt 提交于
Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back. // <smpl> @@ type bool; identifier check, par; @@ -bool check +int check (struct xt_tgchk_param *par) { ... } // </smpl> Minus the change it does to xt_ct_find_proto. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back. This semantic patch may not be too precise (checking for functions that use xt_mtchk_param rather than functions referenced by xt_match.checkentry), but reviewed, it produced the intended result. // <smpl> @@ type bool; identifier check, par; @@ -bool check +int check (struct xt_mtchk_param *par) { ... } // </smpl> Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 18 3月, 2010 3 次提交
-
-
由 Jan Engelhardt 提交于
This will save one full padding chunk (8 bytes on x86_64) per target. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
This member is taking up a "long" per match, yet is only used by one module out of the roughly 90 modules, ip6t_hbh. ip6t_hbh can be restructured a little to accomodate for the lack of the .data member. This variant uses checking the par->match address, which should avoid having to add two extra functions, including calls, i.e. (hbh_mt6: call hbhdst_mt6(skb, par, NEXTHDR_OPT), dst_mt6: call hbhdst_mt6(skb, par, NEXTHDR_DEST)) Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 25 2月, 2010 2 次提交
-
-
由 Jan Engelhardt 提交于
The macro is replaced by a list.h-like foreach loop. This makes the code more inspectable. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jan Engelhardt 提交于
The macro is replaced by a list.h-like foreach loop. This makes the code much more inspectable. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 16 2月, 2010 1 次提交
-
-
由 Florian Westphal 提交于
with 32 bit userland and 64 bit kernels, it is unlikely but possible that insertion of new rules fails even tough there are only about 2000 iptables rules. This happens because the compat delta is using a short int. Easily reproducible via "iptables -m limit" ; after about 2050 rules inserting new ones fails with -ELOOP. Note that compat_delta included 2 bytes of padding on x86_64, so structure size remains the same. Signed-off-by: NFlorian Westphal <fw@strlen.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 15 2月, 2010 1 次提交
-
-
由 Jan Engelhardt 提交于
Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 11 2月, 2010 1 次提交
-
-
由 Jan Engelhardt 提交于
The respective xt_table structures already have most of the metadata needed for hook setup. Add a 'priority' field to struct xt_table so that xt_hook_link() can be called with a reduced number of arguments. So should we be having more tables in the future, it comes at no static cost (only runtime, as before) - space saved: 6807373->6806555. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 10 2月, 2010 2 次提交
-
-
由 Alexey Dobriyan 提交于
Rewrite COMPAT_XT_ALIGN in terms of dummy structure hack. Compat counters logically have nothing to do with it. Use ALIGN() macro while I'm at it for same types. Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Alexey Dobriyan 提交于
There is compat_u64 type which deals with different u64 type alignment on different compat-capable platforms, so use it and removed some hardcoded assumptions. Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 03 2月, 2010 1 次提交
-
-
由 Patrick McHardy 提交于
Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 02 2月, 2010 1 次提交
-
-
由 Alexey Dobriyan 提交于
Ifdef out struct nf_sockopt_ops::compat_set struct nf_sockopt_ops::compat_get struct xt_match::compat_from_user struct xt_match::compat_to_user struct xt_match::compatsize to make structures smaller on COMPAT=n kernels. Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 18 1月, 2010 2 次提交
-
-
由 Alexey Dobriyan 提交于
Add ->net to match destructor list like ->net in constructor list. Make sure it's set in ebtables/iptables/ip6tables, this requires to propagate netns up to *_unregister_table(). Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Alexey Dobriyan 提交于
Some complex match modules (like xt_hashlimit/xt_recent) want netns information at constructor and destructor time. We propably can play games at match destruction time, because netns can be passed in object, but I think it's cleaner to explicitly pass netns. Add ->net, make sure it's set from ebtables/iptables/ip6tables code. Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 05 11月, 2009 1 次提交
-
-
由 Eric Dumazet 提交于
This cleanup patch puts struct/union/enum opening braces, in first line to ease grep games. struct something { becomes : struct something { Signed-off-by: NEric Dumazet <eric.dumazet@gmail.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 24 8月, 2009 1 次提交
-
-
由 Jan Engelhardt 提交于
The inputted table is never modified, so should be considered const. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 10 8月, 2009 1 次提交
-
-
由 Jan Engelhardt 提交于
This commit gets rid of a padding hole as reported by pahole(1). Saves 8 bytes on x86_64. Signed-off-by: NJan Engelhardt <jengelh@medozas.de>
-
- 04 6月, 2009 1 次提交
-
-
由 Evgeniy Polyakov 提交于
Signed-off-by: NEvgeniy Polyakov <zbr@ioremap.net> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 02 5月, 2009 1 次提交
-
-
由 Eric Dumazet 提交于
Signed-off-by: NEric Dumazet <dada1@cosmosbay.com> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 29 4月, 2009 1 次提交
-
-
由 Stephen Hemminger 提交于
The x_tables are organized with a table structure and a per-cpu copies of the counters and rules. On older kernels there was a reader/writer lock per table which was a performance bottleneck. In 2.6.30-rc, this was converted to use RCU and the counters/rules which solved the performance problems for do_table but made replacing rules much slower because of the necessary RCU grace period. This version uses a per-cpu set of spinlocks and counters to allow to table processing to proceed without the cache thrashing of a global reader lock and keeps the same performance for table updates. Signed-off-by: NStephen Hemminger <shemminger@vyatta.com> Acked-by: NLinus Torvalds <torvalds@linux-foundation.org> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 27 3月, 2009 1 次提交
-
-
由 Arnd Bergmann 提交于
Netfilter traditionally uses BSD integer types in its interface headers. This changes it to use the Linux strict integer types, like everyone else. Cc: netfilter-devel@vger.kernel.org Signed-off-by: NArnd Bergmann <arnd@arndb.de> Acked-by: NDavid S. Miller <davem@davemloft.net> Signed-off-by: NH. Peter Anvin <hpa@linux.intel.com> Signed-off-by: NIngo Molnar <mingo@elte.hu>
-
- 26 3月, 2009 1 次提交
-
-
由 Eric Dumazet 提交于
We use same not trivial helper function in four places. We can factorize it. Signed-off-by: NEric Dumazet <dada1@cosmosbay.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 20 2月, 2009 1 次提交
-
-
由 Stephen Hemminger 提交于
The reader/writer lock in ip_tables is acquired in the critical path of processing packets and is one of the reasons just loading iptables can cause a 20% performance loss. The rwlock serves two functions: 1) it prevents changes to table state (xt_replace) while table is in use. This is now handled by doing rcu on the xt_table. When table is replaced, the new table(s) are put in and the old one table(s) are freed after RCU period. 2) it provides synchronization when accesing the counter values. This is now handled by swapping in new table_info entries for each cpu then summing the old values, and putting the result back onto one cpu. On a busy system it may cause sampling to occur at different times on each cpu, but no packet/byte counts are lost in the process. Signed-off-by: NStephen Hemminger <shemminger@vyatta.com> Sucessfully tested on my dual quad core machine too, but iptables only (no ipv6 here) BTW, my new "tbench 8" result is 2450 MB/s, (it was 2150 MB/s not so long ago) Acked-by: NEric Dumazet <dada1@cosmosbay.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 18 2月, 2009 1 次提交
-
-
由 Stephen Hemminger 提交于
Change to proper type on private pointer rather than anonymous void. Keep active elements on same cache line. Signed-off-by: NStephen Hemminger <shemminger@vyatta.com> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
- 13 1月, 2009 1 次提交
-
-
由 Richard Kennedy 提交于
reorder struct xt_match to remove 8 bytes of padding and make its size 128 bytes. This saves a small amount of data space in each of the xt netfilter modules and fits xt_match in one 128 byte cache line. Signed-off-by: NRichard Kennedy <richard@rsk.demon.co.uk> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 25 11月, 2008 1 次提交
-
-
由 Jan Engelhardt 提交于
When entryinfo was a standalone parameter to functions, it used to be "const void *". Put the const back in. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net> Signed-off-by: NDavid S. Miller <davem@davemloft.net>
-
- 08 10月, 2008 6 次提交
-
-
由 Jan Engelhardt 提交于
By passing in the family through which extensions were invoked, a bit of data space can be reclaimed. The "family" member will be added to the parameter structures and the check functions be adjusted. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jan Engelhardt 提交于
This patch does this for target extensions' destroy functions. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jan Engelhardt 提交于
This patch does this for target extensions' checkentry functions. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jan Engelhardt 提交于
This patch does this for target extensions' target functions. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jan Engelhardt 提交于
This patch does this for match extensions' destroy functions. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-
由 Jan Engelhardt 提交于
This patch does this for match extensions' checkentry functions. Signed-off-by: NJan Engelhardt <jengelh@medozas.de> Signed-off-by: NPatrick McHardy <kaber@trash.net>
-