1. 19 Jul, 2011 2 commits
    • netfilter: nfnetlink_queue: batch verdict support · 97d32cf9
      Florian Westphal authored
      Introduces a new nfnetlink type that applies a given
      verdict to all queued packets with an id <= the id in the verdict
      message.
      
      If a mark is provided it is applied to all matched packets.
      
      This reduces the number of verdicts that have to be sent.
      Applications that make use of this feature need to maintain
      a timeout to send a batchverdict periodically to avoid starvation.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      97d32cf9
    • netfilter: nfnetlink_queue: assert monotonic packet ids · 5863702a
      Eric Dumazet authored
      Packet identifier is currently setup in nfqnl_build_packet_message(),
      using one atomic_inc_return().
      
      Problem is that since several cpus might concurrently call
      nfqnl_enqueue_packet() for the same queue, we can deliver packets to
      consumer in non monotonic way (packet N+1 being delivered after packet
      N)
      
      This patch moves the packet id setup from nfqnl_build_packet_message()
      to nfqnl_enqueue_packet() to guarantee correct delivery order.
      
      This also removes one atomic operation.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Florian Westphal <fw@strlen.de>
      CC: Pablo Neira Ayuso <pablo@netfilter.org>
      CC: Eric Leblond <eric@regit.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      5863702a
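The two commits above together define the contract of a batch verdict: the kernel applies it to every packet still pending with an id less than or equal to the id in the message, so the consumer can only use it safely if every lower id has already passed through its hands, which is what the monotonic-id change guarantees. The following simulation is an added example, not kernel or libnetfilter_queue code: `KernelQueue`, `BatchingConsumer`, `simulate`, the `PAYLOADS` sample traffic, the `EVIL` marker and the mark value `0x1` are all constructed for illustration; only the semantics (verdict all pending ids `<=` N, optional mark applied to all of them, a periodic flush so a partial batch does not starve) come from the commit messages.

```python
"""Model of nfnetlink_queue batch verdicts and of why they depend on
monotonically increasing packet ids.  Constructed simulation for
illustration, not the kernel's or libnetfilter_queue's code."""
from collections import OrderedDict

NF_DROP = 0     # verdict values as in linux/netfilter.h
NF_ACCEPT = 1

# Constructed sample traffic: packet 3 is the one a filter should drop.
PAYLOADS = [b"GET /", b"GET /a", b"EVIL payload", b"GET /b", b"GET /c", b"GET /d", b"GET /e"]


class KernelQueue:
    """Kernel side.  Ids come from one counter taken at enqueue time, so a
    packet queued later always has a higher id; a packet stays pending
    until a verdict removes it."""

    def __init__(self):
        self._next_id = 1
        self.pending = OrderedDict()   # id -> payload, in queue order
        self.verdicts = {}             # id -> (verdict, mark)

    def enqueue(self, payload):
        pkt_id = self._next_id
        self._next_id += 1
        self.pending[pkt_id] = payload
        return pkt_id

    def verdict(self, pkt_id, verdict, mark=None):
        """Single verdict for exactly one pending packet.  An id that is no
        longer pending is an error for the kernel; modelled here as []."""
        if pkt_id not in self.pending:
            return []
        del self.pending[pkt_id]
        self.verdicts[pkt_id] = (verdict, mark)
        return [pkt_id]

    def verdict_batch(self, max_id, verdict, mark=None):
        """Batch verdict: every pending packet with id <= max_id gets the
        verdict, and the mark if one was supplied."""
        hit = [i for i in self.pending if i <= max_id]
        for i in hit:
            del self.pending[i]
            self.verdicts[i] = (verdict, mark)
        return hit


class BatchingConsumer:
    """User-space side: drops bad packets one by one and accepts the rest
    with one batch verdict per `batch_size` packets, or when `timeout`
    seconds have passed since the last flush (the periodic batch verdict
    the commit message asks applications to keep, so a partial batch does
    not starve)."""

    def __init__(self, kq, batch_size, timeout, is_bad, now=0.0):
        self.kq = kq
        self.batch_size = batch_size
        self.timeout = timeout
        self.is_bad = is_bad
        self.highest_ok = 0
        self.unflushed = 0
        self.last_flush = now
        self.inspected = set()
        self.flushes = []   # ids covered by each batch verdict sent
        self.blind = set()  # ids a batch verdict accepted before we inspected them

    def on_packet(self, pkt_id, payload, now):
        self.inspected.add(pkt_id)
        if self.is_bad(payload):
            # Verdicted individually now, so it is no longer pending and a
            # later batch verdict with a higher id cannot accept it.
            self.kq.verdict(pkt_id, NF_DROP)
            return
        self.highest_ok = max(self.highest_ok, pkt_id)
        self.unflushed += 1
        if self.unflushed >= self.batch_size:
            self.flush(now)

    def tick(self, now):
        """Called from the event loop: flush a partial batch once the
        timeout has expired."""
        if self.unflushed and now - self.last_flush >= self.timeout:
            self.flush(now)

    def flush(self, now):
        if self.unflushed:
            hit = self.kq.verdict_batch(self.highest_ok, NF_ACCEPT, mark=0x1)  # example mark
            self.flushes.append(hit)
            self.blind |= set(hit) - self.inspected
        self.unflushed = 0
        self.last_flush = now


def simulate(payloads, delivery_order, batch_size=4, timeout=0.1):
    """Queue `payloads`, hand them to the consumer in `delivery_order`
    (indices into payloads) 10 ms apart, then let the timeout expire.
    Returns (verdicts, blind_ids, batches)."""
    kq = KernelQueue()
    ids = [kq.enqueue(p) for p in payloads]
    consumer = BatchingConsumer(kq, batch_size, timeout, lambda p: b"EVIL" in p)
    now = 0.0
    for idx in delivery_order:
        now += 0.01
        consumer.on_packet(ids[idx], payloads[idx], now)
    consumer.tick(now + timeout)
    return kq.verdicts, consumer.blind, consumer.flushes


if __name__ == "__main__":
    in_order = list(range(len(PAYLOADS)))
    reordered = [0, 1, 3, 4, 2, 5, 6]   # id 3 reaches the consumer after 4 and 5
    for name, order in (("monotonic", in_order), ("reordered", reordered)):
        verdicts, blind, batches = simulate(PAYLOADS, order)
        print(name, "batches:", batches, "accepted without inspection:", sorted(blind))
```

Running the script shows the two scenarios side by side. With monotonic delivery the individual drop of packet 3 removes it from the queue before the batch verdict at id 5 is sent, so the batches are `[1, 2, 4, 5]` and `[6, 7]` and nothing is accepted unseen. With the reordered delivery that the pre-5863702a id assignment allowed, the batch verdict at id 5 has already accepted packet 3 by the time the consumer reads it, and the later individual drop hits an id that is no longer pending. A real consumer would send the batch with libnetfilter_queue's `nfq_set_verdict_batch()` (or `nfq_set_verdict_batch2()` to include the mark) and drive `tick()` from its poll loop timeout.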
  2. 18 Jul, 2011 2 commits
    • netfilter: nfnetlink_queue: provide rcu enabled callbacks · 84a797dd
      Eric Dumazet authored
      nfnetlink_queue operations on SMP are not efficient if several queues are
      used, because of nfnl_mutex contention when applications give packet
      verdict.
      
      Use new call_rcu field in struct nfnl_callback to advertise a callback
      that is called under rcu_read_lock instead of nfnl_mutex.
      
      On my 2x4x2 machine, I was able to reach 2,000,000 pps going through
      user land returning NF_ACCEPT verdicts without losses, instead of less
      than 500,000 pps before patch.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Florian Westphal <fw@strlen.de>
      CC: Eric Leblond <eric@regit.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      84a797dd
    • netfilter: nfnetlink: add RCU in nfnetlink_rcv_msg() · 6b75e3e8
      Eric Dumazet authored
      Goal of this patch is to permit nfnetlink providers to not mandate
      nfnl_mutex being held while nfnetlink_rcv_msg() calls them.
      
      If struct nfnl_callback contains a non-NULL call_rcu(), then
      nfnetlink_rcv_msg() will use it instead of the call() field, holding
      rcu_read_lock instead of nfnl_mutex.
      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Florian Westphal <fw@strlen.de>
      CC: Eric Leblond <eric@regit.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      6b75e3e8
  3. 30 Jun, 2011 1 commit
    • netfilter: add SELinux context support to AUDIT target · 131ad62d
      Mr Dash Four authored
      In this revision the conversion of secid to SELinux context and adding it
      to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a
      separate helper function - audit_log_secctx - which does both the conversion
      and logging of the SELinux context, thus also preventing the internal secid number
      from being leaked to userspace. If conversion is not successful an error is raised.
      
      With the introduction of this helper function the work done in xt_AUDIT.c is
      much more simplified. It also opens the possibility of this helper function
      being used by other modules (including auditd itself), if desired. With this
      addition, typical (raw auditd) output after applying the patch would be:
      
      type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
      type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0
      Acked-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Mr Dash Four <mr.dash.four@googlemail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      131ad62d
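The two raw records in the commit message are what a detection pipeline has to consume once the `obj=` field is present. The parser below is an added example (not kernel code and not part of the audit userspace tools): the two sample lines are copied from the commit message, the `ACTIONS` mapping follows the `XT_AUDIT_TYPE_*` values in the kernel's `xt_AUDIT.h` UAPI header, and the helper names (`parse_record`, `parse_secctx`, `by_selinux_type`, `describe`) are invented here. It handles only the unquoted raw form shown above; it does not decode the hex-encoded or quoted values other audit record types can carry.

```python
"""Parser for the raw NETFILTER_PKT audit records emitted by the AUDIT
target, including the obj= SELinux context field.  Added example, not
kernel or audit userspace code."""
import re

# The two records quoted in the commit message, used here as sample input.
SAMPLE_RECORDS = [
    "type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0",
    "type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0",
]

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")

# action= carries the xt_AUDIT type (XT_AUDIT_TYPE_ACCEPT/DROP/REJECT = 0/1/2).
ACTIONS = {0: "accept", 1: "drop", 2: "reject"}
PROTOS = {1: "icmp", 6: "tcp", 17: "udp"}
INT_FIELDS = {"action", "hook", "len", "ipid", "proto", "sport", "dport"}


def parse_secctx(ctx):
    """Split user:role:type:level.  The level may itself contain ':' (MLS
    ranges such as s0-s0:c0.c1023), so only the first three separators
    count."""
    user, role, typ, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": typ, "level": level}


def parse_record(line):
    """Parse one raw audit line into a dict.  Raises ValueError on any other
    record shape so malformed input is not silently skipped."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError("not a raw audit record: %r" % line)
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    for token in m["body"].split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError("bare token %r in record %d" % (token, rec["serial"]))
        if value == "?":
            rec[key] = None            # the target prints '?' for an absent interface
        elif key in INT_FIELDS:
            rec[key] = int(value)
        elif key == "macproto":
            rec[key] = int(value, 16)  # printed as 0x0800
        elif key == "obj":
            rec[key] = parse_secctx(value)
        else:
            rec[key] = value
    return rec


def by_selinux_type(records, secctx_type):
    """Records whose packet context type matches, e.g. ssh_server_packet_t."""
    return [r for r in records if r.get("obj") and r["obj"]["type"] == secctx_type]


def describe(rec):
    """One-line summary in the style of a firewall log."""
    proto = PROTOS.get(rec["proto"], str(rec["proto"]))
    ctx = rec["obj"]["type"] if rec.get("obj") else "-"
    return "%s %s %s:%s -> %s:%s in=%s out=%s type=%s" % (
        ACTIONS.get(rec["action"], "action%d" % rec["action"]), proto,
        rec["saddr"], rec.get("sport", "-"), rec["daddr"], rec.get("dport", "-"),
        rec["inif"] or "-", rec["outif"] or "-", ctx)


if __name__ == "__main__":
    records = [parse_record(line) for line in SAMPLE_RECORDS]
    for r in records:
        print(r["serial"], describe(r))
    print("server-side ssh packets:", [r["serial"] for r in by_selinux_type(records, "ssh_server_packet_t")])
```

Keying on the parsed `obj` type rather than on ports is the point of the new field: the context is assigned by the SELinux policy, so a service moved to a non-standard port still shows up as `ssh_server_packet_t`, while traffic on port 22 that the policy labels differently does not.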
  4. 16 Jun, 2011 17 commits
  5. 15 Jun, 2011 18 commits