linux.git/net/netfilter/xt_state.c, branch v4.3 Clone of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git netfilter: nf_conntrack: IPS_UNTRACKED bit 2010-06-08T14:09:52+00:00 Eric Dumazet eric.dumazet@gmail.com 2010-06-08T14:09:52+00:00 5bfddbd46a95c978f4d3c992339cbdf4f4b790a3 NOTRACK makes all cpus share a cache line on nf_conntrack_untracked twice per packet. This is bad for performance. __read_mostly annotation is also a bad choice. This patch introduces IPS_UNTRACKED bit so that we can use later a per_cpu untrack structure more easily. A new helper, nf_ct_untracked_get() returns a pointer to nf_conntrack_untracked. Another one, nf_ct_untracked_status_or() is used by nf_nat_init() to add IPS_NAT_DONE_MASK bits to untracked status. nf_ct_is_untracked() prototype is changed to work on a nf_conn pointer. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net> 
NOTRACK makes all cpus share a cache line on nf_conntrack_untracked
twice per packet. This is bad for performance.
__read_mostly annotation is also a bad choice.

This patch introduces IPS_UNTRACKED bit so that we can use later a
per_cpu untrack structure more easily.

A new helper, nf_ct_untracked_get() returns a pointer to
nf_conntrack_untracked.

Another one, nf_ct_untracked_status_or() is used by nf_nat_init() to add
IPS_NAT_DONE_MASK bits to untracked status.

nf_ct_is_untracked() prototype is changed to work on a nf_conn pointer.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11T16:33:37+00:00 Jan Engelhardt jengelh@medozas.de 2009-07-07T18:42:08+00:00 62fc8051083a334578c3f4b3488808f210b4565f In future, layer-3 matches will be an xt module of their own, and need to set the fragoff and thoff fields. Adding more pointers would needlessy increase memory requirements (esp. so for 64-bit, where pointers are wider). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
In future, layer-3 matches will be an xt module of their own, and
need to set the fragoff and thoff fields. Adding more pointers would
needlessy increase memory requirements (esp. so for 64-bit, where
pointers are wider).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: substitute temporary defines by final name 2010-05-11T16:31:17+00:00 Jan Engelhardt jengelh@medozas.de 2009-07-05T17:43:26+00:00 4b560b447df83368df44bd3712c0c39b1d79ba04 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: merge registration structure to NFPROTO_UNSPEC 2010-03-25T16:05:10+00:00 Jan Engelhardt jengelh@medozas.de 2010-03-24T21:50:01+00:00 b44672889c11e13e4f4dc0a8ee23f0e64f1e57c6 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: shorten up return clause 2010-03-25T15:56:09+00:00 Jan Engelhardt jengelh@medozas.de 2010-03-21T03:05:56+00:00 f95c74e33eff5e3fe9798e2dc0a7749150ea3f80 The return value of nf_ct_l3proto_get can directly be returned even in the case of success. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
The return value of nf_ct_l3proto_get can directly be returned even in
the case of success.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: slightly better error reporting 2010-03-25T15:56:09+00:00 Jan Engelhardt jengelh@medozas.de 2010-03-19T16:32:59+00:00 4a5a5c73b7cfee46a0b1411903cfa0dea532deec When extended status codes are available, such as ENOMEM on failed allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing them up to userspace seems like a good idea compared to just always EINVAL. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
When extended status codes are available, such as ENOMEM on failed
allocations, or subsequent functions (e.g. nf_ct_get_l3proto), passing
them up to userspace seems like a good idea compared to just always
EINVAL.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: change matches to return error code 2010-03-25T15:55:24+00:00 Jan Engelhardt jengelh@medozas.de 2010-03-23T15:35:56+00:00 bd414ee605ff3ac5fcd79f57269a897879ee4cde The following semantic patch does part of the transformation: // <smpl> @ rule1 @ struct xt_match ops; identifier check; @@ ops.checkentry = check; @@ identifier rule1.check; @@ check(...) { <... -return true; +return 0; ...> } @@ identifier rule1.check; @@ check(...) { <... -return false; +return -EINVAL; ...> } // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
The following semantic patch does part of the transformation:
// <smpl>
@ rule1 @
struct xt_match ops;
identifier check;
@@
 ops.checkentry = check;

@@
identifier rule1.check;
@@
 check(...) { <...
-return true;
+return 0;
 ...> }

@@
identifier rule1.check;
@@
 check(...) { <...
-return false;
+return -EINVAL;
 ...> }
// </smpl>

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: change xt_match.checkentry return type 2010-03-25T15:03:13+00:00 Jan Engelhardt jengelh@medozas.de 2010-03-19T16:16:42+00:00 b0f38452ff73da7e9e0ddc68cd5c6b93c897ca0d Restore function signatures from bool to int so that we can report memory allocation failures or similar using -ENOMEM rather than always having to pass -EINVAL back. This semantic patch may not be too precise (checking for functions that use xt_mtchk_param rather than functions referenced by xt_match.checkentry), but reviewed, it produced the intended result. // <smpl> @@ type bool; identifier check, par; @@ -bool check +int check (struct xt_mtchk_param *par) { ... } // </smpl> Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
Restore function signatures from bool to int so that we can report
memory allocation failures or similar using -ENOMEM rather than
always having to pass -EINVAL back.

This semantic patch may not be too precise (checking for functions
that use xt_mtchk_param rather than functions referenced by
xt_match.checkentry), but reviewed, it produced the intended result.

// <smpl>
@@
type bool;
identifier check, par;
@@
-bool check
+int check
 (struct xt_mtchk_param *par) { ... }
// </smpl>

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xt extensions: use pr_<level> 2010-03-18T13:20:07+00:00 Jan Engelhardt jengelh@medozas.de 2010-03-17T15:04:40+00:00 8bee4bad03c5b601bd6cea123c31025680587ccc Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: make use of caller family rather than match family 2010-03-18T13:20:06+00:00 Jan Engelhardt jengelh@medozas.de 2010-03-17T23:44:52+00:00 aa5fa3185791aac71c9172d4fda3e8729164b5d1 The matches can have .family = NFPROTO_UNSPEC, and though that is not the case for the touched modules, it seems better to just use the nfproto from the caller. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
The matches can have .family = NFPROTO_UNSPEC, and though that is not
the case for the touched modules, it seems better to just use the
nfproto from the caller.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>