1. 28 Aug, 2017 1 commit
      netfilter: fix a few (harmless) sparse warnings · 5fd02ebe
      Florian Westphal authored
      net/netfilter/nft_payload.c:187:18: warning: incorrect type in return expression (expected bool got restricted __sum16 [usertype] check)
      net/netfilter/nft_exthdr.c:222:14: warning: cast to restricted __be32
      net/netfilter/nft_rt.c:49:23: warning: incorrect type in assignment (different base types expected unsigned int got restricted __be32)
      net/netfilter/nft_rt.c:70:25: warning: symbol 'nft_rt_policy' was not declared. Should it be static?
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 24 Aug, 2017 9 commits
  3. 19 Aug, 2017 7 commits
  4. 02 Aug, 2017 3 commits
  5. 31 Jul, 2017 16 commits
  6. 24 Jul, 2017 4 commits
      netfilter: nf_tables: Attach process info to NFT_MSG_NEWGEN notifications · 784b4e61
      Phil Sutter authored
      This is helpful for 'nft monitor' to track which process caused a given
      change to the ruleset.
      Signed-off-by: Phil Sutter <phil@nwl.cc>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: Remove duplicated rcu_read_lock. · 0b35f603
      Taehee Yoo authored
      This patch removes duplicate rcu_read_lock().
      
      1. IPVS part:
      
      According to Julian Anastasov's mention, contexts of ipvs are described
      at: http://marc.info/?l=netfilter-devel&m=149562884514072&w=2, in summary:
      
       - packet RX/TX: does not need locks because packets come from hooks.
       - sync msg RX: backup server uses RCU locks while registering new
         connections.
       - ip_vs_ctl.c: configuration get/set, RCU locks needed.
       - xt_ipvs.c: It is a netfilter match, running from hook context.
      
      As result, rcu_read_lock and rcu_read_unlock can be removed from:
      
       - ip_vs_core.c: all
       - ip_vs_ctl.c:
         - only from ip_vs_has_real_service
       - ip_vs_ftp.c: all
       - ip_vs_proto_sctp.c: all
       - ip_vs_proto_tcp.c: all
       - ip_vs_proto_udp.c: all
       - ip_vs_xmit.c: all (contains only packet processing)
      
      2. Netfilter part:
      
      There are three types of functions that are guaranteed the rcu_read_lock().
      First, as result, functions are only called by nf_hook():
      
       - nf_conntrack_broadcast_help(), pptp_expectfn(), set_expected_rtp_rtcp().
       - tcpmss_reverse_mtu(), tproxy_laddr4(), tproxy_laddr6().
       - match_lookup_rt6(), check_hlist(), hashlimit_mt_common().
       - xt_osf_match_packet().
      
      Second, functions that caller already held the rcu_read_lock().
       - destroy_conntrack(), ctnetlink_conntrack_event().
       - ctnl_timeout_find_get(), nfqnl_nf_hook_drop().
      
      Third, functions that are mixed with type1 and type2.
      
      These functions are called by nf_hook() also these are called by
      ordinary functions that already held the rcu_read_lock():
      
       - __ctnetlink_glue_build(), ctnetlink_expect_event().
       - ctnetlink_proto_size().
      
      Applied files are below:
      
      - nf_conntrack_broadcast.c, nf_conntrack_core.c, nf_conntrack_netlink.c.
      - nf_conntrack_pptp.c, nf_conntrack_sip.c, nfnetlink_cttimeout.c.
      - nfnetlink_queue.c, xt_TCPMSS.c, xt_TPROXY.c, xt_addrtype.c.
      - xt_connlimit.c, xt_hashlimit.c, xt_osf.c
      
      Detailed calltrace can be found at:
      http://marc.info/?l=netfilter-devel&m=149667610710350&w=2
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nf_tables: keep chain counters away from hot path · 9f08ea84
      Pablo Neira Ayuso authored
      These chain counters are only used by the iptables-compat tool, that
      allow users to use the x_tables extensions from the existing nf_tables
      framework. This patch makes nf_tables by ~5% for the general usecase,
      ie. native nft users, where no chain counters are used at all.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: expect: add to hash table after expect init · 56a97e70
      Florian Westphal authored
      Assuming we have lockless readers we should make sure they can only
      see expectations that have already been initialized.
      
      hlist_add_head_rcu acts as memory barrier, move it after timer setup.
      
      Theoretically we could crash due to a del_timer() on other cpu
      seeing garbage data.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>