Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== Netfilter/IPVS updates for net-next The following patchset contains Netfilter/IPVS updates for net-next, most relevantly they are: * cleanup to remove double semicolon from stephen hemminger. * calm down sparse warning in xt_ipcomp, from Fan Du. * nf_ct_labels support for nf_tables, from Florian Westphal. * new macros to simplify rcu dereferences in the scope of nfnetlink and nf_tables, from Patrick McHardy. * Accept queue and drop (including reason for drop) to verdict parsing in nf_tables, also from Patrick. * Remove unused random seed initialization in nfnetlink_log, from Florian Westphal. * Allow to attach user-specific information to nf_tables rules, useful to attach user comments to rule, from me. * Return errors in ipset according to the manpage documentation, from Jozsef Kadlecsik. * Fix coccinelle warnings related to incorrect bool type usage for ipset, from Fengguang Wu. * Add hash:ip,mark set type to ipset, from Vytas Dauksa. * Fix message for each spotted by ipset for each netns that is created, from Ilia Mirkin. * Add forceadd option to ipset, which evicts a random entry from the set if it becomes full, from Josh Hunt. * Minor IPVS cleanups and fixes from Andi Kleen and Tingwei Liu. * Improve conntrack scalability by removing a central spinlock, original work from Eric Dumazet. Jesper Dangaard Brouer took them over to address remaining issues. Several patches to prepare this change come in first place. * Rework nft_hash to resolve bugs (leaking chain, missing rcu synchronization on element removal, etc. from Patrick McHardy. * Restore context in the rule deletion path, as we now release rule objects synchronously, from Patrick McHardy. This gets back event notification for anonymous sets. * Fix NAT family validation in nft_nat, also from Patrick. * Improve scalability of xt_connlimit by using an array of spinlocks and by introducing a rb-tree of hashtables for faster lookup of accounted objects per network. This patch was preceded by several patches and refactorizations to accomodate this change including the use of kmem_cache, from Florian Westphal. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
@@ -39,11 +39,13 @@ enum ip_set_feature {
|
||||
IPSET_TYPE_NAME = (1 << IPSET_TYPE_NAME_FLAG),
|
||||
IPSET_TYPE_IFACE_FLAG = 5,
|
||||
IPSET_TYPE_IFACE = (1 << IPSET_TYPE_IFACE_FLAG),
|
||||
IPSET_TYPE_NOMATCH_FLAG = 6,
|
||||
IPSET_TYPE_MARK_FLAG = 6,
|
||||
IPSET_TYPE_MARK = (1 << IPSET_TYPE_MARK_FLAG),
|
||||
IPSET_TYPE_NOMATCH_FLAG = 7,
|
||||
IPSET_TYPE_NOMATCH = (1 << IPSET_TYPE_NOMATCH_FLAG),
|
||||
/* Strictly speaking not a feature, but a flag for dumping:
|
||||
* this settype must be dumped last */
|
||||
IPSET_DUMP_LAST_FLAG = 7,
|
||||
IPSET_DUMP_LAST_FLAG = 8,
|
||||
IPSET_DUMP_LAST = (1 << IPSET_DUMP_LAST_FLAG),
|
||||
};
|
||||
|
||||
@@ -63,6 +65,7 @@ enum ip_set_extension {
|
||||
#define SET_WITH_TIMEOUT(s) ((s)->extensions & IPSET_EXT_TIMEOUT)
|
||||
#define SET_WITH_COUNTER(s) ((s)->extensions & IPSET_EXT_COUNTER)
|
||||
#define SET_WITH_COMMENT(s) ((s)->extensions & IPSET_EXT_COMMENT)
|
||||
#define SET_WITH_FORCEADD(s) ((s)->flags & IPSET_CREATE_FLAG_FORCEADD)
|
||||
|
||||
/* Extension id, in size order */
|
||||
enum ip_set_ext_id {
|
||||
@@ -171,8 +174,6 @@ struct ip_set_type {
|
||||
char name[IPSET_MAXNAMELEN];
|
||||
/* Protocol version */
|
||||
u8 protocol;
|
||||
/* Set features to control swapping */
|
||||
u8 features;
|
||||
/* Set type dimension */
|
||||
u8 dimension;
|
||||
/*
|
||||
@@ -182,6 +183,8 @@ struct ip_set_type {
|
||||
u8 family;
|
||||
/* Type revisions */
|
||||
u8 revision_min, revision_max;
|
||||
/* Set features to control swapping */
|
||||
u16 features;
|
||||
|
||||
/* Create set */
|
||||
int (*create)(struct net *net, struct ip_set *set,
|
||||
@@ -217,6 +220,8 @@ struct ip_set {
|
||||
u8 revision;
|
||||
/* Extensions */
|
||||
u8 extensions;
|
||||
/* Create flags */
|
||||
u8 flags;
|
||||
/* Default timeout value, if enabled */
|
||||
u32 timeout;
|
||||
/* Element data size */
|
||||
@@ -251,6 +256,8 @@ ip_set_put_flags(struct sk_buff *skb, struct ip_set *set)
|
||||
cadt_flags |= IPSET_FLAG_WITH_COUNTERS;
|
||||
if (SET_WITH_COMMENT(set))
|
||||
cadt_flags |= IPSET_FLAG_WITH_COMMENT;
|
||||
if (SET_WITH_FORCEADD(set))
|
||||
cadt_flags |= IPSET_FLAG_WITH_FORCEADD;
|
||||
|
||||
if (!cadt_flags)
|
||||
return 0;
|
||||
|
||||
@@ -44,6 +44,27 @@ int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
|
||||
|
||||
void nfnl_lock(__u8 subsys_id);
|
||||
void nfnl_unlock(__u8 subsys_id);
|
||||
#ifdef CONFIG_PROVE_LOCKING
|
||||
int lockdep_nfnl_is_held(__u8 subsys_id);
|
||||
#else
|
||||
static inline int lockdep_nfnl_is_held(__u8 subsys_id)
|
||||
{
|
||||
return 1;
|
||||
}
|
||||
#endif /* CONFIG_PROVE_LOCKING */
|
||||
|
||||
/*
|
||||
* nfnl_dereference - fetch RCU pointer when updates are prevented by subsys mutex
|
||||
*
|
||||
* @p: The pointer to read, prior to dereferencing
|
||||
* @ss: The nfnetlink subsystem ID
|
||||
*
|
||||
* Return the value of the specified RCU-protected pointer, but omit
|
||||
* both the smp_read_barrier_depends() and the ACCESS_ONCE(), because
|
||||
* caller holds the NFNL subsystem mutex.
|
||||
*/
|
||||
#define nfnl_dereference(p, ss) \
|
||||
rcu_dereference_protected(p, lockdep_nfnl_is_held(ss))
|
||||
|
||||
#define MODULE_ALIAS_NFNL_SUBSYS(subsys) \
|
||||
MODULE_ALIAS("nfnetlink-subsys-" __stringify(subsys))
|
||||
|
||||
Reference in New Issue
Block a user