  6. 24 Feb, 2012 1 commit
      static keys: Introduce 'struct static_key', static_key_true()/false() and... · c5905afb
      Ingo Molnar authored
      
      static keys: Introduce 'struct static_key', static_key_true()/false() and static_key_slow_[inc|dec]()
      
      So here's a boot tested patch on top of Jason's series that does
      all the cleanups I talked about and turns jump labels into a
      more intuitive to use facility. It should also address the
      various misconceptions and confusions that surround jump labels.
      
      Typical usage scenarios:
      
              #include <linux/static_key.h>
      
              struct static_key key = STATIC_KEY_INIT_TRUE;
      
              if (static_key_false(&key))
                      do unlikely code
              else
                      do likely code
      
      Or:
      
              if (static_key_true(&key))
                      do likely code
              else
                      do unlikely code
      
      The static key is modified via:
      
              static_key_slow_inc(&key);
              ...
              static_key_slow_dec(&key);
      
      The 'slow' prefix makes it abundantly clear that this is an
      expensive operation.
      
      I've updated all in-kernel code to use this everywhere. Note
      that I (intentionally) have not pushed through the rename
      blindly through to the lowest levels: the actual jump-label
      patching arch facility should be named like that, so we want to
      decouple jump labels from the static-key facility a bit.
      
      On non-jump-label enabled architectures static keys default to
      likely()/unlikely() branches.
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
      Acked-by: Jason Baron <jbaron@redhat.com>
      Acked-by: Steven Rostedt <rostedt@goodmis.org>
      Cc: a.p.zijlstra@chello.nl
      Cc: mathieu.desnoyers@efficios.com
      Cc: davem@davemloft.net
      Cc: ddaney.cavm@gmail.com
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Link: http://lkml.kernel.org/r/20120222085809.GA26397@elte.hu
      
      Signed-off-by: Ingo Molnar <mingo@elte.hu>
  7. 21 Nov, 2011 1 commit
      netfilter: use jump_label for nf_hooks · a2d7ec58
      Eric Dumazet authored
      
      
      On configs where CONFIG_JUMP_LABEL=y, we can replace in fast path a
      load/compare/conditional jump by a single jump with no dcache reference.
      
      The jump target is modified as soon as nf_hooks[pf][hook] switches from
      the empty state to a non-empty state. The jump_label state is kept outside of
      the nf_hooks array, so it has no cost on CPU caches.
      
      This patch removes the test on CONFIG_NETFILTER_DEBUG: there is no need to call
      nf_hook_slow() at all if nf_hooks[pf][hook] is empty; this didn't give
      useful information, but slowed things down a lot.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Patrick McHardy <kaber@trash.net>
      CC: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  10. 18 Jan, 2011 2 commits
      netfilter: allow NFQUEUE bypass if no listener is available · 94b27cc3
      Florian Westphal authored
      
      
      If an skb is to be NF_QUEUE'd, but no program has opened the queue, the
      packet is dropped.
      
      This adds a v2 target revision of xt_NFQUEUE that allows packets to
      continue through the ruleset instead.
      
      Because the actual queueing happens outside of the target context, the
      'bypass' flag has to be communicated back to the netfilter core.
      
      Unfortunately the only choice to do this without adding a new function
      argument is to use the target function return value (i.e. the verdict).
      
      In the NF_QUEUE case, the upper 16 bits already contain the queue number
      to use.  The previous patch reduced NF_VERDICT_MASK to 0xff, i.e.
      we now have extra room for a new flag.
      
      If a hook issued a NF_QUEUE verdict, then the netfilter core will
      continue packet processing if the queueing hook
      returns -ESRCH (== "this queue does not exist") and the new
      NF_VERDICT_FLAG_QUEUE_BYPASS flag is set in the verdict value.
      
      Note: If the queue exists, but userspace does not consume packets fast
      enough, the skb will still be dropped.
      Signed-off-by: Florian Westphal <fwestphal@astaro.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      netfilter: reduce NF_VERDICT_MASK to 0xff · f615df76
      Florian Westphal authored
      
      
      NF_VERDICT_MASK is currently 0xffff. This is because the upper
      16 bits are used to store errno (for NF_DROP) or the queue number
      (NF_QUEUE verdict).
      
      As there are up to 0xffff different queues available, there is no more
      room to store additional flags.
      
      At the moment there are only 6 different verdicts, i.e. we can reduce
      NF_VERDICT_MASK to 0xff to allow storing additional flags in the 0xff00 space.
      
      NF_VERDICT_BITS would then be reduced to 8, but because the value is
      exported to userspace, this might cause breakage, e.g.:
      
      'queuenr = (1 << NF_VERDICT_BITS) | NF_QUEUE'  would now break.
      
      Thus, remove NF_VERDICT_BITS usage in the kernel and move the old value
      to the 'userspace compat' section.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
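      The two Westphal commits above describe the verdict-word layout in prose only (verdict code in the low byte, queue number in the upper 16 bits, the new bypass flag in the 0xff00 space freed by shrinking NF_VERDICT_MASK). The following is an added user-space model of that encoding, not code from either commit or from the kernel tree. NF_VERDICT_MASK == 0xff, the 16-bit queue field, the 0xff00 flag space and the -ESRCH convention are taken from the commit messages; the verdict code values, NF_VERDICT_FLAG_QUEUE_BYPASS == 0x8000 and the NF_QUEUE_NR() helper are the upstream uapi values as I know them rather than values shown on this page, and nfqueue_v2_verdict(), nf_queue_outcome() and the queue_outcome enum are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>

/* Verdict codes and field layout. Values not stated in the commits above are
 * the upstream uapi netfilter.h values as I know them (assumption). */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_STOLEN        2
#define NF_QUEUE         3
#define NF_REPEAT        4
#define NF_STOP          5

#define NF_VERDICT_MASK_OLD          0xffff      /* before f615df76 */
#define NF_VERDICT_MASK              0x000000ff  /* after f615df76 */
#define NF_VERDICT_FLAG_QUEUE_BYPASS 0x00008000  /* lives in the freed 0xff00 space */
#define NF_VERDICT_QBITS             16
#define NF_VERDICT_QMASK             0xffff0000

/* Queue number goes in the upper 16 bits, NF_QUEUE in the verdict byte. */
#define NF_QUEUE_NR(x) ((((x) << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)

enum queue_outcome {
	OUTCOME_QUEUED,               /* handler accepted the skb */
	OUTCOME_DROPPED,              /* no listener (or queue full) and no bypass */
	OUTCOME_CONTINUE,             /* no listener, bypass set: keep traversing rules */
	OUTCOME_NOT_A_QUEUE_VERDICT   /* constructed: caller passed a non-NF_QUEUE verdict */
};

/* Constructed stand-in for what a v2 xt_NFQUEUE target returns: the real
 * target reads queue number and bypass flag from its rule info. */
unsigned int nfqueue_v2_verdict(unsigned int queue_nr, int bypass)
{
	unsigned int v = NF_QUEUE_NR(queue_nr);

	if (bypass)
		v |= NF_VERDICT_FLAG_QUEUE_BYPASS;
	return v;
}

unsigned int verdict_code(unsigned int v)     { return v & NF_VERDICT_MASK; }
unsigned int verdict_code_old(unsigned int v) { return v & NF_VERDICT_MASK_OLD; }
unsigned int verdict_queue(unsigned int v)    { return v >> NF_VERDICT_QBITS; }
int verdict_bypass(unsigned int v)            { return !!(v & NF_VERDICT_FLAG_QUEUE_BYPASS); }

/* Constructed model of the core's decision after the queue handler has been
 * asked to take the skb. queue_ret is the handler's return value: 0 when the
 * skb was queued, -ESRCH when no program has opened that queue, another
 * negative errno when the queue exists but cannot take the packet. */
enum queue_outcome nf_queue_outcome(unsigned int verdict, int queue_ret)
{
	if (verdict_code(verdict) != NF_QUEUE)
		return OUTCOME_NOT_A_QUEUE_VERDICT;
	if (queue_ret == 0)
		return OUTCOME_QUEUED;
	/* Bypass only covers "queue does not exist"; a queue that exists but is
	 * not drained fast enough still drops, as the commit notes. */
	if (queue_ret == -ESRCH && verdict_bypass(verdict))
		return OUTCOME_CONTINUE;
	return OUTCOME_DROPPED;
}

int main(void)
{
	unsigned int v = nfqueue_v2_verdict(5, 1);

	printf("verdict 0x%08x: queue %u bypass %d code(new mask) %u code(old mask) 0x%x\n",
	       v, verdict_queue(v), verdict_bypass(v), verdict_code(v), verdict_code_old(v));
	return 0;
}
```

      The verdict_code_old() result is the point of the mask change: with the old 0xffff mask, a verdict carrying the bypass flag would no longer compare equal to NF_QUEUE in the core's switch, so the flag only became usable once the mask was reduced to the low byte.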
  13. 12 Nov, 2010 1 commit
      netfilter: NF_HOOK_COND has wrong conditional · ac5aa2e3
      Eric Paris authored
      The NF_HOOK_COND returns 0 when it shouldn't due to what I believe to be an
      error in the code as the order of operations is not what was intended.  C will
      evaluate == before =.  Which means ret is getting set to the bool result,
      rather than the return value of the function call.  The code says
      
      if (ret = function() == 1)
      when it meant to say:
      if ((ret = function()) == 1)
      
      Normally the compiler would warn, but it doesn't notice it because it's
      actually a complex conditional and so the wrong code is wrapped in an explicit
      set of () [exactly what the compiler wants you to do if this was intentional].
      Fixing this means that errors when netfilter denies a packet get propagated
      back up the stack rather than lost.
      
      Problem introduced by commit 2249065f (netfilter: get rid of the grossness
      in netfilter.h).
      Signed-off-by: Eric Paris <eparis@redhat.com>
      Cc: stable@kernel.org
      Signed-off-by: Patrick McHardy <kaber@trash.net>
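      The precedence mistake described in the commit above is easy to reproduce outside the kernel. The following is an added example, not code from the commit or from netfilter.h: hook_thresh_stub() and okfn_stub() are constructed stand-ins for nf_hook_thresh() and okfn, returning 1/-EPERM and a distinctive marker value respectively, so that the two macro shapes can be compared on the same inputs. The doubled parentheses in the buggy form reproduce the macro's explicit () that, as the commit says, keep the compiler's assignment-in-condition warning quiet.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-in for the hook call inside NF_HOOK_COND: 1 means the
 * packet may continue, a negative errno means netfilter denied it. */
static int hook_thresh_stub(int deny)
{
	return deny ? -EPERM : 1;
}

/* Constructed stand-in for okfn(); the distinctive return value shows
 * whether it was called. */
static int okfn_stub(void)
{
	return 100;
}

/* The pre-fix shape: '==' binds tighter than '=', so ret receives the
 * boolean result of (hook == 1), i.e. 0 or 1, and the errno is lost. The
 * outer () mirror the macro and silence gcc's -Wparentheses. */
int nf_hook_cond_buggy(int deny)
{
	int ret;

	if ((ret = hook_thresh_stub(deny) == 1))
		ret = okfn_stub();
	return ret;
}

/* The corrected shape: assign first, then compare, so a denial's errno
 * propagates back up the stack instead of collapsing to 0. */
int nf_hook_cond_fixed(int deny)
{
	int ret;

	if ((ret = hook_thresh_stub(deny)) == 1)
		ret = okfn_stub();
	return ret;
}

int main(void)
{
	printf("denied:  buggy=%d fixed=%d\n",
	       nf_hook_cond_buggy(1), nf_hook_cond_fixed(1));
	printf("allowed: buggy=%d fixed=%d\n",
	       nf_hook_cond_buggy(0), nf_hook_cond_fixed(0));
	return 0;
}
```

      On the denied path the buggy form returns 0 (success, as far as the caller can tell) while the fixed form returns -EPERM; on the allowed path both call okfn. This is the detection angle for review: any `if ((x = f() == c))` with doubled parentheses deserves a second look, because the extra pair is exactly what suppresses the warning that would otherwise flag it.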
  21. 14 Apr, 2008 2 commits
      [NETFILTER]: Add partial checksum validation helper · d63a6507
      Patrick McHardy authored
      
      
      Move the UDP-Lite conntrack checksum validation to a generic helper
      similar to nf_checksum() and make it fall back to nf_checksum()
      in case the full packet is to be checksummed and hardware checksums
      are available. This is to be used by DCCP conntrack, which also
      needs to verify partial checksums.
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      [NETFILTER]: ip_tables: per-netns FILTER/MANGLE/RAW tables for real · 666953df
      Alexey Dobriyan authored
      Commit 9335f047 aka "[NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW"
      added per-netns _view_ of iptables rules. They were shown to user, but
      ignored by filtering code. Now that it's possible to at least ping loopback,
      per-netns tables can affect filtering decisions.
      
      netns is taken in case of
      	PRE_ROUTING, LOCAL_IN -- from in device,
      	POST_ROUTING, LOCAL_OUT -- from out device,
      	FORWARD -- from in device which should be equal to out device's netns.
      		   This code is relatively new, so BUG_ON was plugged.
      
      Wrappers were added to a) keep code the same from CONFIG_NET_NS=n users
      (overwhelming majority), b) consolidate code in one place -- similar
      changes will be done in ipv6 and arp netfilter code.
      Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
      Signed-off-by: Patrick McHardy <kaber@trash.net>