Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says: ==================== Netfilter/IPVS updates for net-next The following patchset contains Netfilter/IPVS updates for net-next, most relevantly they are: * cleanup to remove double semicolon from stephen hemminger. * calm down sparse warning in xt_ipcomp, from Fan Du. * nf_ct_labels support for nf_tables, from Florian Westphal. * new macros to simplify rcu dereferences in the scope of nfnetlink and nf_tables, from Patrick McHardy. * Accept queue and drop (including reason for drop) to verdict parsing in nf_tables, also from Patrick. * Remove unused random seed initialization in nfnetlink_log, from Florian Westphal. * Allow to attach user-specific information to nf_tables rules, useful to attach user comments to rule, from me. * Return errors in ipset according to the manpage documentation, from Jozsef Kadlecsik. * Fix coccinelle warnings related to incorrect bool type usage for ipset, from Fengguang Wu. * Add hash:ip,mark set type to ipset, from Vytas Dauksa. * Fix message for each spotted by ipset for each netns that is created, from Ilia Mirkin. * Add forceadd option to ipset, which evicts a random entry from the set if it becomes full, from Josh Hunt. * Minor IPVS cleanups and fixes from Andi Kleen and Tingwei Liu. * Improve conntrack scalability by removing a central spinlock, original work from Eric Dumazet. Jesper Dangaard Brouer took them over to address remaining issues. Several patches to prepare this change come in first place. * Rework nft_hash to resolve bugs (leaking chain, missing rcu synchronization on element removal, etc. from Patrick McHardy. * Restore context in the rule deletion path, as we now release rule objects synchronously, from Patrick McHardy. This gets back event notification for anonymous sets. * Fix NAT family validation in nft_nat, also from Patrick. * Improve scalability of xt_connlimit by using an array of spinlocks and by introducing a rb-tree of hashtables for faster lookup of accounted objects per network. This patch was preceded by several patches and refactorizations to accomodate this change including the use of kmem_cache, from Florian Westphal. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
@@ -82,6 +82,8 @@ enum {
|
||||
IPSET_ATTR_PROTO, /* 7 */
|
||||
IPSET_ATTR_CADT_FLAGS, /* 8 */
|
||||
IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */
|
||||
IPSET_ATTR_MARK, /* 10 */
|
||||
IPSET_ATTR_MARKMASK, /* 11 */
|
||||
/* Reserve empty slots */
|
||||
IPSET_ATTR_CADT_MAX = 16,
|
||||
/* Create-only specific attributes */
|
||||
@@ -144,6 +146,7 @@ enum ipset_errno {
|
||||
IPSET_ERR_IPADDR_IPV6,
|
||||
IPSET_ERR_COUNTER,
|
||||
IPSET_ERR_COMMENT,
|
||||
IPSET_ERR_INVALID_MARKMASK,
|
||||
|
||||
/* Type specific error codes */
|
||||
IPSET_ERR_TYPE_SPECIFIC = 4352,
|
||||
@@ -182,9 +185,18 @@ enum ipset_cadt_flags {
|
||||
IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS),
|
||||
IPSET_FLAG_BIT_WITH_COMMENT = 4,
|
||||
IPSET_FLAG_WITH_COMMENT = (1 << IPSET_FLAG_BIT_WITH_COMMENT),
|
||||
IPSET_FLAG_BIT_WITH_FORCEADD = 5,
|
||||
IPSET_FLAG_WITH_FORCEADD = (1 << IPSET_FLAG_BIT_WITH_FORCEADD),
|
||||
IPSET_FLAG_CADT_MAX = 15,
|
||||
};
|
||||
|
||||
/* The flag bits which correspond to the non-extension create flags */
|
||||
enum ipset_create_flags {
|
||||
IPSET_CREATE_FLAG_BIT_FORCEADD = 0,
|
||||
IPSET_CREATE_FLAG_FORCEADD = (1 << IPSET_CREATE_FLAG_BIT_FORCEADD),
|
||||
IPSET_CREATE_FLAG_BIT_MAX = 7,
|
||||
};
|
||||
|
||||
/* Commands with settype-specific attributes */
|
||||
enum ipset_adt {
|
||||
IPSET_ADD,
|
||||
|
||||
@@ -1,7 +1,8 @@
|
||||
#ifndef _LINUX_NF_TABLES_H
|
||||
#define _LINUX_NF_TABLES_H
|
||||
|
||||
#define NFT_CHAIN_MAXNAMELEN 32
|
||||
#define NFT_CHAIN_MAXNAMELEN 32
|
||||
#define NFT_USERDATA_MAXLEN 256
|
||||
|
||||
enum nft_registers {
|
||||
NFT_REG_VERDICT,
|
||||
@@ -156,6 +157,7 @@ enum nft_chain_attributes {
|
||||
* @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes)
|
||||
* @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes)
|
||||
* @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64)
|
||||
* @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN)
|
||||
*/
|
||||
enum nft_rule_attributes {
|
||||
NFTA_RULE_UNSPEC,
|
||||
@@ -165,6 +167,7 @@ enum nft_rule_attributes {
|
||||
NFTA_RULE_EXPRESSIONS,
|
||||
NFTA_RULE_COMPAT,
|
||||
NFTA_RULE_POSITION,
|
||||
NFTA_RULE_USERDATA,
|
||||
__NFTA_RULE_MAX
|
||||
};
|
||||
#define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1)
|
||||
@@ -601,6 +604,7 @@ enum nft_ct_keys {
|
||||
NFT_CT_PROTOCOL,
|
||||
NFT_CT_PROTO_SRC,
|
||||
NFT_CT_PROTO_DST,
|
||||
NFT_CT_LABELS,
|
||||
};
|
||||
|
||||
/**
|
||||
|
||||
Reference in New Issue
Block a user