From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: Patrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org
Subject: [NETFILTER 00/64]: Netfilter update
Date: Tue, 18 Dec 2007 00:46:12 +0100 (MET)
Message-ID: <20071217234612.23601.6979.sendpatchset@localhost.localdomain>

Hi Dave,

following is a rather large netfilter update for 2.6.25. The diffstat
looks a bit worse than it is, most files are only touched due to
__read_mostly and const annotations. The rough overview is:

- Some type consistency improvements for ip_tables compat support,
  doesn't actually change or fix anything, but the current code is
  rather inconsistent and only works for ip_tables, not the other
  copy-and-paste ports.

- Compat support for ip6_tables and arp_tables

- Resyncing of ip_tables, ip6_tables and arp_tables, not entirely
  completed yet, but I'll do that on top since it's getting more
  and more complicated to do in proper order with this huge stack
  of patches.

- More const and __read_mostly annotations

- NAT API change to stop using hook numbers to indicate mapping types,
  which is a relic from before rusty-nat

- Conversion of multiple files to typeful netlink attribute helpers

- nfnetlink_log resyncing with the nfnetlink_queue changes (which are
  in most parts copies of each other). Also not completely done yet,
  will be completed on top.

- Eric's hashlimit optimizations

- Similar optimizations for the other non-power-of-two netfilter hashes

- ctnetlink updates from Pablo, adding better support for helpers, SCTP
  and secmark

- Some cleanups by Jan, mainly converting multiple IPv4/IPv6 address
  types to a single unified one

- Finally, the CONFIG_NETFILTER_ADVANCED patch. It's more intrusive than
  I hoped and the choices weren't really clear, so it's last in the
  series. Please have a look whether you think it's useful like this,
  otherwise feel free to drop it.

Please apply, thanks.


 include/linux/netfilter.h                      |   85 +--
 include/linux/netfilter/nf_conntrack_common.h  |    8 +
 include/linux/netfilter/nf_conntrack_h323.h    |    6 +-
 include/linux/netfilter/nfnetlink_conntrack.h  |   11 +
 include/linux/netfilter/nfnetlink_log.h        |    1 +
 include/linux/netfilter/x_tables.h             |   51 +-
 include/linux/netfilter/xt_connlimit.h         |    9 +-
 include/linux/netfilter_arp/arp_tables.h       |   50 +-
 include/linux/netfilter_ipv4/ip_tables.h       |   76 +--
 include/linux/netfilter_ipv6/ip6_tables.h      |   73 +-
 include/net/netfilter/nf_conntrack_expect.h    |    4 +-
 include/net/netfilter/nf_conntrack_tuple.h     |   17 +-
 include/net/netfilter/nf_log.h                 |   59 ++
 include/net/netfilter/nf_nat.h                 |    2 +-
 include/net/netfilter/nf_nat_protocol.h        |   18 +-
 include/net/netlink.h                          |   12 +
 net/Kconfig                                    |   12 +
 net/bridge/netfilter/Kconfig                   |    2 +-
 net/bridge/netfilter/ebt_log.c                 |    3 +-
 net/bridge/netfilter/ebt_ulog.c                |    3 +-
 net/compat.c                                   |  106 ---
 net/decnet/netfilter/Kconfig                   |    1 +
 net/ipv4/netfilter.c                           |    2 +-
 net/ipv4/netfilter/Kconfig                     |   26 +-
 net/ipv4/netfilter/arp_tables.c                |  984 +++++++++++++++++----
 net/ipv4/netfilter/ip_tables.c                 |  386 ++++-----
 net/ipv4/netfilter/ipt_CLUSTERIP.c             |    4 +-
 net/ipv4/netfilter/ipt_LOG.c                   |    3 +-
 net/ipv4/netfilter/ipt_MASQUERADE.c            |    2 +-
 net/ipv4/netfilter/ipt_NETMAP.c                |    2 +-
 net/ipv4/netfilter/ipt_REDIRECT.c              |    2 +-
 net/ipv4/netfilter/ipt_ULOG.c                  |    1 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |   10 +-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c   |   19 +-
 net/ipv4/netfilter/nf_nat_core.c               |   58 +-
 net/ipv4/netfilter/nf_nat_h323.c               |   26 +-
 net/ipv4/netfilter/nf_nat_helper.c             |    9 +-
 net/ipv4/netfilter/nf_nat_pptp.c               |    6 +-
 net/ipv4/netfilter/nf_nat_proto_gre.c          |    3 +-
 net/ipv4/netfilter/nf_nat_proto_icmp.c         |    2 +-
 net/ipv4/netfilter/nf_nat_proto_tcp.c          |    2 +-
 net/ipv4/netfilter/nf_nat_proto_udp.c          |    2 +-
 net/ipv4/netfilter/nf_nat_proto_unknown.c      |    2 +-
 net/ipv4/netfilter/nf_nat_rule.c               |    8 +-
 net/ipv4/netfilter/nf_nat_sip.c                |    6 +-
 net/ipv4/netfilter/nf_nat_snmp_basic.c         |    2 +-
 net/ipv4/netfilter/nf_nat_standalone.c         |    6 +-
 net/ipv6/netfilter.c                           |    2 +-
 net/ipv6/netfilter/Kconfig                     |   23 +-
 net/ipv6/netfilter/ip6_tables.c                | 1157 +++++++++++++++++++-----
 net/ipv6/netfilter/ip6t_LOG.c                  |    3 +-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c |   19 +-
 net/netfilter/Kconfig                          |   71 ++-
 net/netfilter/core.c                           |    6 +-
 net/netfilter/nf_conntrack_core.c              |   12 +-
 net/netfilter/nf_conntrack_expect.c            |   12 +-
 net/netfilter/nf_conntrack_ftp.c               |    2 +-
 net/netfilter/nf_conntrack_h323_asn1.c         |    8 +-
 net/netfilter/nf_conntrack_h323_main.c         |   36 +-
 net/netfilter/nf_conntrack_netlink.c           |  254 +++++-
 net/netfilter/nf_conntrack_proto_sctp.c        |   18 +-
 net/netfilter/nf_conntrack_proto_tcp.c         |   23 +-
 net/netfilter/nf_conntrack_proto_udp.c         |    1 +
 net/netfilter/nf_conntrack_proto_udplite.c     |    1 +
 net/netfilter/nf_conntrack_sip.c               |    8 +-
 net/netfilter/nf_log.c                         |   12 +-
 net/netfilter/nf_queue.c                       |    4 +-
 net/netfilter/nfnetlink_log.c                  |  203 ++---
 net/netfilter/nfnetlink_queue.c                |   23 +-
 net/netfilter/x_tables.c                       |   63 ++-
 net/netfilter/xt_CONNMARK.c                    |    7 +-
 net/netfilter/xt_CONNSECMARK.c                 |    7 +-
 net/netfilter/xt_MARK.c                        |   55 +-
 net/netfilter/xt_NFLOG.c                       |    1 +
 net/netfilter/xt_TCPMSS.c                      |    7 +-
 net/netfilter/xt_connbytes.c                   |    2 +-
 net/netfilter/xt_connlimit.c                   |   25 +-
 net/netfilter/xt_connmark.c                    |    7 +-
 net/netfilter/xt_conntrack.c                   |    5 +-
 net/netfilter/xt_hashlimit.c                   |   31 +-
 net/netfilter/xt_helper.c                      |    2 +-
 net/netfilter/xt_limit.c                       |    5 +
 net/netfilter/xt_mark.c                        |    5 +
 net/netfilter/xt_policy.c                      |    2 +-
 net/netfilter/xt_state.c                       |    2 +-
 net/netfilter/xt_string.c                      |    2 +-
 86 files changed, 2995 insertions(+), 1313 deletions(-)
 create mode 100644 include/net/netfilter/nf_log.h

Benjamin LaHaise (1):
      [NETFILTER]: xt_TCPMSS: don't allow netfilter --setmss to increase mss

Eric Dumazet (2):
      [NETFILTER]: xt_hashlimit: speedup hash_dst()
      [NETFILTER]: xt_hashlimit: reduce overhead without IPv6

Jan Engelhardt (4):
      [NETFILTER]: x_tables: use %u format specifiers
      [NETFILTER]: Introduce nf_inet_address
      [NETFILTER]: Parenthesize macro parameters
      [NETFILTER]: xt_connlimit: use the new union nf_inet_addr

Pablo Neira Ayuso (4):
      [NETFILTER]: ctnetlink: add support for NAT sequence adjustments
      [NETFILTER]: ctnetlink: add support for master tuple event notification and dumping
      [NETFILTER]: ctnetlink: add support for secmark
      [NETFILTER]: nf_conntrack_sctp: add ctnetlink support

Patrick McHardy (53):
      [NETFILTER]: ip_tables: kill useless wrapper
      [NETFILTER]: ip_tables: reformat compat code
      [NETFILTER]: x_tables: make xt_compat_match_from_user usable in iterator macros
      [NETFILTER]: {ip,ip6,arp}_tables: consolidate iterator macros
      [NETFILTER]: ip_tables: account for struct ipt_entry/struct compat_ipt_entry size diff
      [NETFILTER]: ip_tables: fix compat types
      [NETFILTER]: ip_tables: move compat offset calculation to x_tables
      [NETFILTER]: ip6_tables: kill a few useless defines/forward declarations
      [NETFILTER]: ip6_tables: move entry, match and target checks to seperate functions
      [NETFILTER]: ip6_tables: use vmalloc_node()
      [NETFILTER]: ip6_tables: move counter allocation to seperate function
      [NETFILTER]: ip6_tables: move IP6T_SO_GET_INFO handling to seperate function
      [NETFILTER]: ip6_tables: resync get_entries() with ip_tables
      [NETFILTER]: ip6_tables: add compat support
      [NETFILTER]: x_tables: enable compat translation for IPv6 matches/targets
      [NETFILTER]: xt_MARK: support revision 1 for IPv6
      [NETFILTER]: xt_MARK: add compat support for revision 0
      [NETFILTER]: {ip,ip6}_tables: reformat to eliminate differences
      [NETFILTER]: {ip,ip6}_tables: fix format strings
      [NETFILTER]: ip6_tables: fix stack leagage
      [NETFILTER]: ip6_tables: use raw_smp_processor_id() in do_add_counters()
      [NETFILTER]: ip_tables: remove ipchains compatibility hack
      [NETFILTER]: ip6_tables: use XT_ALIGN
      [NETFILTER]: arp_tables: remove obsolete standard_check function
      [NETFILTER]: arp_tables: use XT_ALIGN
      [NETFILTER]: arp_tables: use vmalloc_node()
      [NETFILTER]: arp_tables: remove ipchains compat hack
      [NETFILTER]: arp_tables: move entry and target checks to seperate functions
      [NETFILTER]: arp_tables: move counter allocation to seperate function
      [NETFILTER]: arp_tables: move ARPT_SO_GET_INFO handling to seperate function
      [NETFILTER]: arp_tables: resync get_entries() with ip_tables
      [NETFILTER]: arp_tables: add compat support
      [NETLINK]: Add NLA_PUT_BE16/nla_get_be16()
      [NETFILTER]: ctnetlink: use netlink attribute helpers
      [NETFILTER]: ctnetlink: fix expectation timeout dumping
      [NETFILTER]: nf_nat_proto_gre: add missing module reference
      [NETFILTER]: nf_nat: mark NAT protocols const
      [NETFILTER]: nf_nat: sprinkle a few __read_mostlys
      [NETFILTER]: nf_nat: pass manip type instead of hook to nf_nat_setup_info
      [NETFILTER]: nf_log: move logging stuff to seperate header
      [NETFILTER]: nf_log: constify struct nf_logger and nf_log_packet loginfo arg
      [NETFILTER]: nf_log: remove incomprehensible comment
      [NETFILTER]: nfnetlink_log: fix checks in nfulnl_recv_config
      [NETFILTER]: nfnetlink_{queue,log}: return ENOTSUPP for unknown cfg commands
      [NETFILTER]: nfnetlink_log: remove excessive debugging
      [NETFILTER]: nfnetlink_{queue,log}: return proper error codes in instance_create
      [NETFILTER]: nfnetlink_log: use endianness-aware attribute functions
      [NETFILTER]: nfnetlink_log: include GID in netlink message
      [NETFILTER]: Kill function prototype for non-existing function
      [NETFILTER]: constify nf_afinfo
      [NETFILTER]: nf_nat: properly use RCU for ip_nat_decode_session
      [NETFILTER]: non-power-of-two jhash optimizations
      [NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option
