* [PATCH 30/84] netfilter: remove unused headers in net/ipv4/netfilter/nf_nat_h323.c
From: kaber @ 2010-05-10 20:18 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>

Remove unused headers in net/ipv4/netfilter/nf_nat_h323.c

Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/ipv4/netfilter/nf_nat_h323.c |    1 -
 1 files changed, 0 insertions(+), 1 deletions(-)

diff --git a/net/ipv4/netfilter/nf_nat_h323.c b/net/ipv4/netfilter/nf_nat_h323.c
index 7e8e6fc..d4c0618 100644
--- a/net/ipv4/netfilter/nf_nat_h323.c
+++ b/net/ipv4/netfilter/nf_nat_h323.c
@@ -10,7 +10,6 @@
  */
 
 #include <linux/module.h>
-#include <linux/moduleparam.h>
 #include <linux/tcp.h>
 #include <net/tcp.h>
 
-- 
1.7.0.4



* [PATCH 27/84] netfilter: xtables: replace custom duprintf with pr_debug
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/ipv4/netfilter/ipt_ah.c  |   18 ++++++------------
 net/ipv6/netfilter/ip6t_mh.c |   11 +++--------
 net/netfilter/x_tables.c     |   12 +++---------
 net/netfilter/xt_esp.c       |   18 ++++++------------
 net/netfilter/xt_multiport.c |   16 +++++-----------
 net/netfilter/xt_sctp.c      |   29 +++++++++++++----------------
 net/netfilter/xt_tcpudp.c    |   16 +++++-----------
 7 files changed, 41 insertions(+), 79 deletions(-)

diff --git a/net/ipv4/netfilter/ipt_ah.c b/net/ipv4/netfilter/ipt_ah.c
index 0104c0b..4f27e17 100644
--- a/net/ipv4/netfilter/ipt_ah.c
+++ b/net/ipv4/netfilter/ipt_ah.c
@@ -5,7 +5,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/in.h>
 #include <linux/module.h>
 #include <linux/skbuff.h>
@@ -18,21 +18,15 @@ MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
 MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
 
-#ifdef DEBUG_CONNTRACK
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-
 /* Returns 1 if the spi is matched by the range, 0 otherwise */
 static inline bool
 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
 {
 	bool r;
-	duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
-		min,spi,max);
+	pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
+		 invert ? '!' : ' ', min, spi, max);
 	r=(spi >= min && spi <= max) ^ invert;
-	duprintf(" result %s\n",r? "PASS" : "FAILED");
+	pr_debug(" result %s\n", r ? "PASS" : "FAILED");
 	return r;
 }
 
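Review bot: The two converted pr_debug() calls in spi_match no longer form one log line: the first now ends in `\n`, so ` result PASS` is printed as a separate record with its own module prefix and a stray leading space. On a multi-CPU box the two records from different packets can interleave, and a result can no longer be paired with the range it belongs to. Computing `r` first and emitting one call, `pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x result %s\n", invert ? '!' : ' ', min, spi, max, r ? "PASS" : "FAILED");`, keeps them together. The copy in xt_esp.c has the same split and also keeps an `esp ` prefix that the new pr_fmt makes redundant.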
@@ -51,7 +45,7 @@ static bool ah_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 		/* We've been asked to examine this packet, and we
 		 * can't.  Hence, no choice but to drop.
 		 */
-		duprintf("Dropping evil AH tinygram.\n");
+		pr_debug("Dropping evil AH tinygram.\n");
 		*par->hotdrop = true;
 		return 0;
 	}
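Review bot: The converted `pr_debug("Dropping evil AH tinygram.\n")` fires once per truncated packet with no rate limit, so once debug output is enabled the log volume is decided by whoever is sending the packets. The old duprintf needed a compile-time define in this file, which made it unlikely to be active on a production firewall; pr_debug is easier to switch on (a DEBUG build, or at run time where dynamic debug is available). Consider guarding packet-triggered messages with `if (net_ratelimit())`. The same applies to the "Dropping ..." messages converted in ip6t_mh.c, xt_esp.c, xt_multiport.c, xt_sctp.c and xt_tcpudp.c. ah_mt starts and ends outside this hunk.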
@@ -67,7 +61,7 @@ static bool ah_mt_check(const struct xt_mtchk_param *par)
 
 	/* Must specify no unknown invflags */
 	if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
-		duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);
+		pr_debug("unknown flags %X\n", ahinfo->invflags);
 		return false;
 	}
 	return true;
diff --git a/net/ipv6/netfilter/ip6t_mh.c b/net/ipv6/netfilter/ip6t_mh.c
index aafe4e6..0181eb8 100644
--- a/net/ipv6/netfilter/ip6t_mh.c
+++ b/net/ipv6/netfilter/ip6t_mh.c
@@ -11,6 +11,7 @@
  * Based on net/netfilter/xt_tcpudp.c
  *
  */
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/module.h>
 #include <net/ip.h>
@@ -24,12 +25,6 @@
 MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
 MODULE_LICENSE("GPL");
 
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-
 /* Returns 1 if the type is matched by the range, 0 otherwise */
 static inline bool
 type_match(u_int8_t min, u_int8_t max, u_int8_t type, bool invert)
@@ -51,13 +46,13 @@ static bool mh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	if (mh == NULL) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
-		duprintf("Dropping evil MH tinygram.\n");
+		pr_debug("Dropping evil MH tinygram.\n");
 		*par->hotdrop = true;
 		return false;
 	}
 
 	if (mh->ip6mh_proto != IPPROTO_NONE) {
-		duprintf("Dropping invalid MH Payload Proto: %u\n",
+		pr_debug("Dropping invalid MH Payload Proto: %u\n",
 			 mh->ip6mh_proto);
 		*par->hotdrop = true;
 		return false;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 0a12ced..9a248d4 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -12,7 +12,7 @@
  * published by the Free Software Foundation.
  *
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/kernel.h>
 #include <linux/socket.h>
 #include <linux/net.h>
@@ -54,12 +54,6 @@ struct xt_af {
 
 static struct xt_af *xt;
 
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-
 static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
 	[NFPROTO_UNSPEC] = "x",
 	[NFPROTO_IPV4]   = "ip",
@@ -720,7 +714,7 @@ xt_replace_table(struct xt_table *table,
 
 	/* Check inside lock: is the old number correct? */
 	if (num_counters != private->number) {
-		duprintf("num_counters != table->private->number (%u/%u)\n",
+		pr_debug("num_counters != table->private->number (%u/%u)\n",
 			 num_counters, private->number);
 		local_bh_enable();
 		*error = -EAGAIN;
@@ -777,7 +771,7 @@ struct xt_table *xt_register_table(struct net *net,
 		goto unlock;
 
 	private = table->private;
-	duprintf("table->private->number = %u\n", private->number);
+	pr_debug("table->private->number = %u\n", private->number);
 
 	/* save number of initial entries */
 	private->initial_entries = private->number;
diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 6094399..f9deecb 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -6,7 +6,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <linux/in.h>
@@ -24,21 +24,15 @@ MODULE_DESCRIPTION("Xtables: IPsec-ESP packet match");
 MODULE_ALIAS("ipt_esp");
 MODULE_ALIAS("ip6t_esp");
 
-#if 0
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-
 /* Returns 1 if the spi is matched by the range, 0 otherwise */
 static inline bool
 spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
 {
 	bool r;
-	duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
-		 min, spi, max);
+	pr_debug("esp spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
+		 invert ? '!' : ' ', min, spi, max);
 	r = (spi >= min && spi <= max) ^ invert;
-	duprintf(" result %s\n", r ? "PASS" : "FAILED");
+	pr_debug(" result %s\n", r ? "PASS" : "FAILED");
 	return r;
 }
 
@@ -57,7 +51,7 @@ static bool esp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 		/* We've been asked to examine this packet, and we
 		 * can't.  Hence, no choice but to drop.
 		 */
-		duprintf("Dropping evil ESP tinygram.\n");
+		pr_debug("Dropping evil ESP tinygram.\n");
 		*par->hotdrop = true;
 		return false;
 	}
@@ -71,7 +65,7 @@ static bool esp_mt_check(const struct xt_mtchk_param *par)
 	const struct xt_esp *espinfo = par->matchinfo;
 
 	if (espinfo->invflags & ~XT_ESP_INV_MASK) {
-		duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);
+		pr_debug("unknown flags %X\n", espinfo->invflags);
 		return false;
 	}
 
diff --git a/net/netfilter/xt_multiport.c b/net/netfilter/xt_multiport.c
index d06bb2d..4fa90c8 100644
--- a/net/netfilter/xt_multiport.c
+++ b/net/netfilter/xt_multiport.c
@@ -8,7 +8,7 @@
  * it under the terms of the GNU General Public License version 2 as
  * published by the Free Software Foundation.
  */
-
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/types.h>
 #include <linux/udp.h>
@@ -26,12 +26,6 @@ MODULE_DESCRIPTION("Xtables: multiple port matching for TCP, UDP, UDP-Lite, SCTP
 MODULE_ALIAS("ipt_multiport");
 MODULE_ALIAS("ip6t_multiport");
 
-#if 0
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-
 /* Returns 1 if the port is matched by the test, 0 otherwise. */
 static inline bool
 ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,
@@ -63,7 +57,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
 		if (minfo->pflags[i]) {
 			/* range port matching */
 			e = minfo->ports[++i];
-			duprintf("src or dst matches with %d-%d?\n", s, e);
+			pr_debug("src or dst matches with %d-%d?\n", s, e);
 
 			if (minfo->flags == XT_MULTIPORT_SOURCE
 			    && src >= s && src <= e)
@@ -77,7 +71,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
 				return true ^ minfo->invert;
 		} else {
 			/* exact port matching */
-			duprintf("src or dst matches with %d?\n", s);
+			pr_debug("src or dst matches with %d?\n", s);
 
 			if (minfo->flags == XT_MULTIPORT_SOURCE
 			    && src == s)
@@ -109,7 +103,7 @@ multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
 		/* We've been asked to examine this packet, and we
 		 * can't.  Hence, no choice but to drop.
 		 */
-		duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
+		pr_debug("Dropping evil offset=0 tinygram.\n");
 		*par->hotdrop = true;
 		return false;
 	}
@@ -133,7 +127,7 @@ multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 		/* We've been asked to examine this packet, and we
 		 * can't.  Hence, no choice but to drop.
 		 */
-		duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
+		pr_debug("Dropping evil offset=0 tinygram.\n");
 		*par->hotdrop = true;
 		return false;
 	}
diff --git a/net/netfilter/xt_sctp.c b/net/netfilter/xt_sctp.c
index a189ada..43c7e1d 100644
--- a/net/netfilter/xt_sctp.c
+++ b/net/netfilter/xt_sctp.c
@@ -1,3 +1,4 @@
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/module.h>
 #include <linux/skbuff.h>
 #include <net/ip.h>
@@ -15,12 +16,6 @@ MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
 MODULE_ALIAS("ipt_sctp");
 MODULE_ALIAS("ip6t_sctp");
 
-#ifdef DEBUG_SCTP
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-
 #define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
 					      || (!!((invflag) & (option)) ^ (cond)))
 
@@ -52,7 +47,7 @@ match_packet(const struct sk_buff *skb,
 	const struct xt_sctp_flag_info *flag_info = info->flag_info;
 	int flag_count = info->flag_count;
 
-#ifdef DEBUG_SCTP
+#ifdef DEBUG
 	int i = 0;
 #endif
 
@@ -62,17 +57,19 @@ match_packet(const struct sk_buff *skb,
 	do {
 		sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
 		if (sch == NULL || sch->length == 0) {
-			duprintf("Dropping invalid SCTP packet.\n");
+			pr_debug("Dropping invalid SCTP packet.\n");
 			*hotdrop = true;
 			return false;
 		}
-
-		duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",
-				++i, offset, sch->type, htons(sch->length), sch->flags);
-
+#ifdef DEBUG
+		pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d"
+			 "\tflags: %x\n",
+			 ++i, offset, sch->type, htons(sch->length),
+			 sch->flags);
+#endif
 		offset += (ntohs(sch->length) + 3) & ~3;
 
-		duprintf("skb->len: %d\toffset: %d\n", skb->len, offset);
+		pr_debug("skb->len: %d\toffset: %d\n", skb->len, offset);
 
 		if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {
 			switch (chunk_match_type) {
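Review bot: `htons(sch->length)` in the chunk-dump pr_debug converts a wire field with the host-to-network helper; it should be `ntohs(sch->length)`, as the `offset +=` line just below already does. The printed value is the same, but the wrong direction hides the field's endianness from readers and from sparse. Wrapping this one call in `#ifdef DEBUG` (needed only for the `++i` counter declared in the previous hunk) also makes it the only message in the file that cannot be enabled at run time; dropping the counter from the message would remove both #ifdef blocks. match_packet continues outside the hunk.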
@@ -124,17 +121,17 @@ sctp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	sctp_sctphdr_t _sh;
 
 	if (par->fragoff != 0) {
-		duprintf("Dropping non-first fragment.. FIXME\n");
+		pr_debug("Dropping non-first fragment.. FIXME\n");
 		return false;
 	}
 
 	sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
 	if (sh == NULL) {
-		duprintf("Dropping evil TCP offset=0 tinygram.\n");
+		pr_debug("Dropping evil TCP offset=0 tinygram.\n");
 		*par->hotdrop = true;
 		return false;
 	}
-	duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
+	pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
 
 	return  SCCHECK(ntohs(sh->source) >= info->spts[0]
 			&& ntohs(sh->source) <= info->spts[1],
diff --git a/net/netfilter/xt_tcpudp.c b/net/netfilter/xt_tcpudp.c
index 1ebdc49..b53887f 100644
--- a/net/netfilter/xt_tcpudp.c
+++ b/net/netfilter/xt_tcpudp.c
@@ -1,3 +1,4 @@
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 #include <linux/types.h>
 #include <linux/module.h>
 #include <net/ip.h>
@@ -19,13 +20,6 @@ MODULE_ALIAS("ipt_tcp");
 MODULE_ALIAS("ip6t_udp");
 MODULE_ALIAS("ip6t_tcp");
 
-#ifdef DEBUG_IP_FIREWALL_USER
-#define duprintf(format, args...) printk(format , ## args)
-#else
-#define duprintf(format, args...)
-#endif
-
-
 /* Returns 1 if the port is matched by the range, 0 otherwise */
 static inline bool
 port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)
@@ -46,7 +40,7 @@ tcp_find_option(u_int8_t option,
 	u_int8_t _opt[60 - sizeof(struct tcphdr)];
 	unsigned int i;
 
-	duprintf("tcp_match: finding option\n");
+	pr_debug("finding option\n");
 
 	if (!optlen)
 		return invert;
@@ -82,7 +76,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 		   flag overwrite to pass the direction checks.
 		*/
 		if (par->fragoff == 1) {
-			duprintf("Dropping evil TCP offset=1 frag.\n");
+			pr_debug("Dropping evil TCP offset=1 frag.\n");
 			*par->hotdrop = true;
 		}
 		/* Must not be a fragment. */
@@ -95,7 +89,7 @@ static bool tcp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	if (th == NULL) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
-		duprintf("Dropping evil TCP offset=0 tinygram.\n");
+		pr_debug("Dropping evil TCP offset=0 tinygram.\n");
 		*par->hotdrop = true;
 		return false;
 	}
@@ -148,7 +142,7 @@ static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	if (uh == NULL) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
-		duprintf("Dropping evil UDP tinygram.\n");
+		pr_debug("Dropping evil UDP tinygram.\n");
 		*par->hotdrop = true;
 		return false;
 	}
-- 
1.7.0.4



* [PATCH 26/84] netfilter: xtables: do not print any messages on ENOMEM
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

ENOMEM is a very obvious error code (cf. EINVAL), so I think we do not
really need a warning message. Not to mention that if the allocation
fails, the user is most likely going to get a stack trace from slab
already.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/bridge/netfilter/ebt_ulog.c |    7 ++-----
 net/netfilter/xt_LED.c          |    4 +---
 net/netfilter/xt_hashlimit.c    |    8 ++------
 net/netfilter/xt_statistic.c    |    4 +---
 4 files changed, 6 insertions(+), 17 deletions(-)

diff --git a/net/bridge/netfilter/ebt_ulog.c b/net/bridge/netfilter/ebt_ulog.c
index c6ac657..84340ab 100644
--- a/net/bridge/netfilter/ebt_ulog.c
+++ b/net/bridge/netfilter/ebt_ulog.c
@@ -305,13 +305,10 @@ static int __init ebt_ulog_init(void)
 	ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG,
 					  EBT_ULOG_MAXNLGROUPS, NULL, NULL,
 					  THIS_MODULE);
-	if (!ebtulognl) {
-		printk(KERN_WARNING KBUILD_MODNAME ": out of memory trying to "
-		       "call netlink_kernel_create\n");
+	if (!ebtulognl)
 		ret = -ENOMEM;
-	} else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0) {
+	else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0)
 		netlink_kernel_release(ebtulognl);
-	}
 
 	if (ret == 0)
 		nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger);
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index f86dc52..0d6c288 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -92,10 +92,8 @@ static bool led_tg_check(const struct xt_tgchk_param *par)
 	}
 
 	ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
-	if (!ledinternal) {
-		printk(KERN_CRIT KBUILD_MODNAME ": out of memory\n");
+	if (!ledinternal)
 		return false;
-	}
 
 	ledinternal->netfilter_led_trigger.name = ledinfo->id;
 
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 1fdb50a..52327c5 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -215,10 +215,8 @@ static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_
 	/* FIXME: don't use vmalloc() here or anywhere else -HW */
 	hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
 			sizeof(struct list_head) * size);
-	if (!hinfo) {
-		printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
+	if (!hinfo)
 		return -1;
-	}
 	minfo->hinfo = hinfo;
 
 	/* copy match config into hashtable config */
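Review bot: With the printk removed, `return -1;` is the only trace of a failed vmalloc(), and -1 does not say "out of memory" (read as an errno it is EPERM). `return -ENOMEM;` would match the commit subject; the callers are outside the hunk, so this assumes they only test for non-zero. The htable_create hunk below has the same return. Separately, `sizeof(struct list_head) * size` is passed to vmalloc() unchecked here; `size` is computed above the hunk, so it is worth confirming it is bounded before it reaches this expression.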
@@ -288,10 +286,8 @@ static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
 	/* FIXME: don't use vmalloc() here or anywhere else -HW */
 	hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
 	                sizeof(struct list_head) * size);
-	if (hinfo == NULL) {
-		printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
+	if (hinfo == NULL)
 		return -1;
-	}
 	minfo->hinfo = hinfo;
 
 	/* copy match config into hashtable config */
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index d8c0f8f..51ac1bb 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -61,10 +61,8 @@ static bool statistic_mt_check(const struct xt_mtchk_param *par)
 		return false;
 
 	info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
-	if (info->master == NULL) {
-		printk(KERN_ERR KBUILD_MODNAME ": Out of memory\n");
+	if (info->master == NULL)
 		return false;
-	}
 	info->master->count = info->u.nth.count;
 
 	return true;
-- 
1.7.0.4



* [PATCH 24/84] netfilter: xtables: remove almost-unused xt_match_param.data member
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

This member is taking up a "long" per match, yet is only used by one
module out of the roughly 90 modules, ip6t_hbh. ip6t_hbh can be
restructured a little to accommodate the lack of the .data member.
This variant uses checking the par->match address, which should avoid
having to add two extra functions, including calls, i.e.

(hbh_mt6: call hbhdst_mt6(skb, par, NEXTHDR_OPT),
dst_mt6: call hbhdst_mt6(skb, par, NEXTHDR_DEST))

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/linux/netfilter/x_tables.h |    3 ---
 net/ipv6/netfilter/ip6t_hbh.c      |    9 ++++++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index c68ff82..cf91473 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -315,9 +315,6 @@ struct xt_match {
 	/* Set this to THIS_MODULE if you are a module, otherwise NULL */
 	struct module *me;
 
-	/* Free to use by each match */
-	unsigned long data;
-
 	const char *table;
 	unsigned int matchsize;
 #ifdef CONFIG_COMPAT
diff --git a/net/ipv6/netfilter/ip6t_hbh.c b/net/ipv6/netfilter/ip6t_hbh.c
index cbe8dec..82593c8 100644
--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -41,6 +41,8 @@ MODULE_ALIAS("ip6t_dst");
  *	5	-> RTALERT 2 x x
  */
 
+static struct xt_match hbh_mt6_reg[] __read_mostly;
+
 static bool
 hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 {
@@ -58,7 +60,9 @@ hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
 	unsigned int optlen;
 	int err;
 
-	err = ipv6_find_hdr(skb, &ptr, par->match->data, NULL);
+	err = ipv6_find_hdr(skb, &ptr,
+			    (par->match == &hbh_mt6_reg[0]) ?
+			    NEXTHDR_HOP : NEXTHDR_DEST, NULL);
 	if (err < 0) {
 		if (err != -ENOENT)
 			*par->hotdrop = true;
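Review bot: `(par->match == &hbh_mt6_reg[0]) ? NEXTHDR_HOP : NEXTHDR_DEST` treats every match that is not element 0 as "dst", so reordering the array or adding a third entry silently makes the rule inspect the wrong extension header. The comment added in hbh_mt6_reg documents the dependency but does not enforce it. Naming the slots, e.g. `enum { HBH_MT6_HOP, HBH_MT6_DST };` with `[HBH_MT6_HOP] = { ... }` designated initializers and a comparison against `&hbh_mt6_reg[HBH_MT6_HOP]`, would tie the two together. hbh_mt6 starts and ends outside this hunk.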
@@ -179,13 +183,13 @@ static bool hbh_mt6_check(const struct xt_mtchk_param *par)
 
 static struct xt_match hbh_mt6_reg[] __read_mostly = {
 	{
+		/* Note, hbh_mt6 relies on the order of hbh_mt6_reg */
 		.name		= "hbh",
 		.family		= NFPROTO_IPV6,
 		.match		= hbh_mt6,
 		.matchsize	= sizeof(struct ip6t_opts),
 		.checkentry	= hbh_mt6_check,
 		.me		= THIS_MODULE,
-		.data		= NEXTHDR_HOP,
 	},
 	{
 		.name		= "dst",
@@ -194,7 +198,6 @@ static struct xt_match hbh_mt6_reg[] __read_mostly = {
 		.matchsize	= sizeof(struct ip6t_opts),
 		.checkentry	= hbh_mt6_check,
 		.me		= THIS_MODULE,
-		.data		= NEXTHDR_DEST,
 	},
 };
 
-- 
1.7.0.4



* [PATCH 23/84] netfilter: update documentation fields of x_tables.h
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/linux/netfilter/x_tables.h |   10 ++++++++--
 1 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
index 84c7c92..c68ff82 100644
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -197,6 +197,7 @@ struct xt_counters_info {
  * @family:	Actual NFPROTO_* through which the function is invoked
  * 		(helpful when match->family == NFPROTO_UNSPEC)
  * @hotdrop:	drop packet if we had inspection problems
+ * Network namespace obtainable using dev_net(in/out)
  */
 struct xt_match_param {
 	const struct net_device *in, *out;
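Review bot: The added line ` * Network namespace obtainable using dev_net(in/out)` directly follows `@hotdrop:` with no empty ` *` line in between, so kernel-doc will most likely fold it into the @hotdrop description instead of treating it as a general remark. An empty ` *` line before it would separate the two. The same applies to `Other fields as above.` after `@hook_mask:` in the xt_mtchk_param hunk. struct xt_match_param continues outside the hunk.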
@@ -213,12 +214,14 @@ struct xt_match_param {
  * struct xt_mtchk_param - parameters for match extensions'
  * checkentry functions
  *
+ * @net:	network namespace through which the check was invoked
  * @table:	table the rule is tried to be inserted into
  * @entryinfo:	the family-specific rule data
- * 		(struct ipt_ip, ip6t_ip, ebt_entry)
+ * 		(struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
  * @match:	struct xt_match through which this function was invoked
  * @matchinfo:	per-match data
  * @hook_mask:	via which hooks the new rule is reachable
+ * Other fields as above.
  */
 struct xt_mtchk_param {
 	struct net *net;
@@ -230,7 +233,10 @@ struct xt_mtchk_param {
 	u_int8_t family;
 };
 
-/* Match destructor parameters */
+/**
+ * struct xt_mdtor_param - match destructor parameters
+ * Fields as above.
+ */
 struct xt_mtdtor_param {
 	struct net *net;
 	const struct xt_match *match;
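Review bot: The new kernel-doc header names `struct xt_mdtor_param`, but the structure below it is `struct xt_mtdtor_param`, so the comment will not be associated with the declaration. The line should read ` * struct xt_mtdtor_param - match destructor parameters`. `Fields as above.` also leaves `net` and `match` without `@member:` lines, which kernel-doc would report as undocumented. The struct body continues outside the hunk.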
-- 
1.7.0.4



* [PATCH 21/84] netfilter: xtables: resort osf kconfig text
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

Restore alphabetical ordering of the list and put the xt_osf option
into its 'right' place again.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/Kconfig |   26 +++++++++++++-------------
 1 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 6ac28ef..8055786 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -774,6 +774,19 @@ config NETFILTER_XT_MATCH_MULTIPORT
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config NETFILTER_XT_MATCH_OSF
+	tristate '"osf" Passive OS fingerprint match'
+	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
+	help
+	  This option selects the Passive OS Fingerprinting match module
+	  that allows to passively match the remote operating system by
+	  analyzing incoming TCP SYN packets.
+
+	  Rules and loading software can be downloaded from
+	  http://www.ioremap.net/projects/osf
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 config NETFILTER_XT_MATCH_OWNER
 	tristate '"owner" match support'
 	depends on NETFILTER_ADVANCED
@@ -958,19 +971,6 @@ config NETFILTER_XT_MATCH_U32
 
 	  Details and examples are in the kernel module source.
 
-config NETFILTER_XT_MATCH_OSF
-	tristate '"osf" Passive OS fingerprint match'
-	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
-	help
-	  This option selects the Passive OS Fingerprinting match module
-	  that allows to passively match the remote operating system by
-	  analyzing incoming TCP SYN packets.
-
-	  Rules and loading software can be downloaded from
-	  http://www.ioremap.net/projects/osf
-
-	  To compile it as a module, choose M here.  If unsure, say N.
-
 endif # NETFILTER_XTABLES
 
 endmenu
-- 
1.7.0.4



* [PATCH 19/84] netfilter: xtables: clean up xt_mac match routine
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/xt_mac.c |   18 ++++++++++--------
 1 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/xt_mac.c b/net/netfilter/xt_mac.c
index c200711..2039d07 100644
--- a/net/netfilter/xt_mac.c
+++ b/net/netfilter/xt_mac.c
@@ -26,14 +26,16 @@ MODULE_ALIAS("ip6t_mac");
 
 static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 {
-    const struct xt_mac_info *info = par->matchinfo;
-
-    /* Is mac pointer valid? */
-    return skb_mac_header(skb) >= skb->head &&
-	   skb_mac_header(skb) + ETH_HLEN <= skb->data
-	   /* If so, compare... */
-	   && ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr))
-		^ info->invert);
+	const struct xt_mac_info *info = par->matchinfo;
+	bool ret;
+
+	if (skb_mac_header(skb) < skb->head)
+		return false;
+	if (skb_mac_header(skb) + ETH_HLEN > skb->data)
+		return false;
+	ret  = compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr) == 0;
+	ret ^= info->invert;
+	return ret;
 }
 
 static struct xt_match mac_mt_reg __read_mostly = {
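Review bot: `ret ^= info->invert;` only inverts correctly when `invert` is exactly 0 or 1. The field's type is not visible in this hunk, but if it is a plain integer copied from the rule blob, any other non-zero value makes the result non-zero for both outcomes, so the rule matches every frame that passes the header checks. The old expression behaved the same way, so this is not a regression, but the rewrite is a good place to normalise it: `ret ^= !!info->invert;`, or reject other values in a checkentry hook. A one-line comment on why the MAC header must lie between `skb->head` and `skb->data` would also help, since the old "Is mac pointer valid?" comment was dropped.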
-- 
1.7.0.4



* [PATCH 13/84] netfilter: xt_recent: update description
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

It had IPv6 for quite a while already :-)

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/xt_recent.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_recent.c b/net/netfilter/xt_recent.c
index 1af74dd..bcabfbc 100644
--- a/net/netfilter/xt_recent.c
+++ b/net/netfilter/xt_recent.c
@@ -35,7 +35,7 @@
 
 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
 MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
-MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
+MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching");
 MODULE_LICENSE("GPL");
 MODULE_ALIAS("ipt_recent");
 MODULE_ALIAS("ip6t_recent");
-- 
1.7.0.4



* [PATCH 12/84] netfilter: ebt_ip6: add principal maintainer in a MODULE_AUTHOR tag
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

Cc: Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/bridge/netfilter/ebt_ip6.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index 4cb60f1..05d0d0c 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -139,4 +139,5 @@ static void __exit ebt_ip6_fini(void)
 module_init(ebt_ip6_init);
 module_exit(ebt_ip6_fini);
 MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match");
+MODULE_AUTHOR("Kuo-Lang Tseng <kuo-lang.tseng@intel.com>");
 MODULE_LICENSE("GPL");
-- 
1.7.0.4



* [PATCH 10/84] netfilter: xtables: schedule xt_NOTRACK for removal
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

It is being superseded by xt_CT (-j CT --notrack).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 Documentation/feature-removal-schedule.txt |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/Documentation/feature-removal-schedule.txt b/Documentation/feature-removal-schedule.txt
index ed511af..8843fef 100644
--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -589,3 +589,11 @@ Why:	Useful in 2003, implementation is a hack.
 	Generally invoked by accident today.
 	Seen as doing more harm than good.
 Who:	Len Brown <len.brown@intel.com>
+
+---------------------------
+
+What:	xt_NOTRACK
+Files:	net/netfilter/xt_NOTRACK.c
+When:	April 2011
+Why:	Superseded by xt_CT
+Who:	Netfilter developer team <netfilter-devel@vger.kernel.org>
-- 
1.7.0.4



* [PATCH 08/84] netfilter: xtables: merge xt_MARK into xt_mark
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

Two arguments for combining the two:
- xt_mark is pretty useless without xt_MARK
- the actual code is so small anyway that the kmod metadata and the module
  in its loaded state totally outweighs the combined actual code size.

i586-before:
-rw-r--r-- 1 jengelh users 3821 Feb 10 01:01 xt_MARK.ko
-rw-r--r-- 1 jengelh users 2592 Feb 10 00:04 xt_MARK.o
-rw-r--r-- 1 jengelh users 3274 Feb 10 01:01 xt_mark.ko
-rw-r--r-- 1 jengelh users 2108 Feb 10 00:05 xt_mark.o
   text    data     bss     dec     hex filename
    354     264       0     618     26a xt_MARK.o
    223     176       0     399     18f xt_mark.o
And the runtime size is like 14 KB.

i586-after:
-rw-r--r-- 1 jengelh users 3264 Feb 18 17:28 xt_mark.o

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 include/linux/netfilter/xt_MARK.h |    6 +---
 include/linux/netfilter/xt_mark.h |    4 ++
 net/netfilter/Kconfig             |   46 +++++++++++++++++++-----------
 net/netfilter/Makefile            |    5 ++-
 net/netfilter/xt_MARK.c           |   56 -------------------------------------
 net/netfilter/xt_mark.c           |   35 +++++++++++++++++++++-
 6 files changed, 70 insertions(+), 82 deletions(-)
 delete mode 100644 net/netfilter/xt_MARK.c

diff --git a/include/linux/netfilter/xt_MARK.h b/include/linux/netfilter/xt_MARK.h
index bc9561b..41c456d 100644
--- a/include/linux/netfilter/xt_MARK.h
+++ b/include/linux/netfilter/xt_MARK.h
@@ -1,10 +1,6 @@
 #ifndef _XT_MARK_H_target
 #define _XT_MARK_H_target
 
-#include <linux/types.h>
-
-struct xt_mark_tginfo2 {
-	__u32 mark, mask;
-};
+#include <linux/netfilter/xt_mark.h>
 
 #endif /*_XT_MARK_H_target */
diff --git a/include/linux/netfilter/xt_mark.h b/include/linux/netfilter/xt_mark.h
index 6607c8f..ecadc40 100644
--- a/include/linux/netfilter/xt_mark.h
+++ b/include/linux/netfilter/xt_mark.h
@@ -3,6 +3,10 @@
 
 #include <linux/types.h>
 
+struct xt_mark_tginfo2 {
+	__u32 mark, mask;
+};
+
 struct xt_mark_mtinfo1 {
 	__u32 mark, mask;
 	__u8 invert;
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index abf4ce6..236aa20 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -314,6 +314,23 @@ config NETFILTER_XTABLES
 
 if NETFILTER_XTABLES
 
+comment "Xtables combined modules"
+
+config NETFILTER_XT_MARK
+	tristate 'nfmark target and match support'
+	default m if NETFILTER_ADVANCED=n
+	---help---
+	This option adds the "MARK" target and "mark" match.
+
+	Netfilter mark matching allows you to match packets based on the
+	"nfmark" value in the packet.
+	The target allows you to create rules in the "mangle" table which alter
+	the netfilter mark (nfmark) field associated with the packet.
+
+	Prior to routing, the nfmark can influence the routing method (see
+	"Use netfilter MARK value as routing key") and can also be used by
+	other subsystems to change their behavior.
+
 # alphabetically ordered list of targets
 
 comment "Xtables targets"
@@ -425,16 +442,12 @@ config NETFILTER_XT_TARGET_LED
 
 config NETFILTER_XT_TARGET_MARK
 	tristate '"MARK" target support'
-	default m if NETFILTER_ADVANCED=n
-	help
-	  This option adds a `MARK' target, which allows you to create rules
-	  in the `mangle' table which alter the netfilter mark (nfmark) field
-	  associated with the packet prior to routing. This can change
-	  the routing method (see `Use netfilter MARK value as routing
-	  key') and can also be used by other subsystems to change their
-	  behavior.
-
-	  To compile it as a module, choose M here.  If unsure, say N.
+	depends on NETFILTER_ADVANCED
+	select NETFILTER_XT_MARK
+	---help---
+	This is a backwards-compat option for the user's convenience
+	(e.g. when running oldconfig). It selects
+	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 
 config NETFILTER_XT_TARGET_NFLOG
 	tristate '"NFLOG" target support'
@@ -739,13 +752,12 @@ config NETFILTER_XT_MATCH_MAC
 
 config NETFILTER_XT_MATCH_MARK
 	tristate '"mark" match support'
-	default m if NETFILTER_ADVANCED=n
-	help
-	  Netfilter mark matching allows you to match packets based on the
-	  `nfmark' value in the packet.  This can be set by the MARK target
-	  (see below).
-
-	  To compile it as a module, choose M here.  If unsure, say N.
+	depends on NETFILTER_ADVANCED
+	select NETFILTER_XT_MARK
+	---help---
+	This is a backwards-compat option for the user's convenience
+	(e.g. when running oldconfig). It selects
+	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 
 config NETFILTER_XT_MATCH_MULTIPORT
 	tristate '"multiport" Multiple port match support'
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f873644..19775cc 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -40,6 +40,9 @@ obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
 # generic X tables 
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 
+# combos
+obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
+
 # targets
 obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
@@ -48,7 +51,6 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
-obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
@@ -76,7 +78,6 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_IPRANGE) += xt_iprange.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
-obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
 obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
diff --git a/net/netfilter/xt_MARK.c b/net/netfilter/xt_MARK.c
deleted file mode 100644
index 225f8d1..0000000
--- a/net/netfilter/xt_MARK.c
+++ /dev/null
@@ -1,56 +0,0 @@
-/*
- *	xt_MARK - Netfilter module to modify the NFMARK field of an skb
- *
- *	(C) 1999-2001 Marc Boucher <marc@mbsi.ca>
- *	Copyright © CC Computer Consultants GmbH, 2007 - 2008
- *	Jan Engelhardt <jengelh@computergmbh.de>
- *
- *	This program is free software; you can redistribute it and/or modify
- *	it under the terms of the GNU General Public License version 2 as
- *	published by the Free Software Foundation.
- */
-
-#include <linux/module.h>
-#include <linux/skbuff.h>
-#include <linux/ip.h>
-#include <net/checksum.h>
-
-#include <linux/netfilter/x_tables.h>
-#include <linux/netfilter/xt_MARK.h>
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("Xtables: packet mark modification");
-MODULE_ALIAS("ipt_MARK");
-MODULE_ALIAS("ip6t_MARK");
-
-static unsigned int
-mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
-{
-	const struct xt_mark_tginfo2 *info = par->targinfo;
-
-	skb->mark = (skb->mark & ~info->mask) ^ info->mark;
-	return XT_CONTINUE;
-}
-
-static struct xt_target mark_tg_reg __read_mostly = {
-	.name           = "MARK",
-	.revision       = 2,
-	.family         = NFPROTO_UNSPEC,
-	.target         = mark_tg,
-	.targetsize     = sizeof(struct xt_mark_tginfo2),
-	.me             = THIS_MODULE,
-};
-
-static int __init mark_tg_init(void)
-{
-	return xt_register_target(&mark_tg_reg);
-}
-
-static void __exit mark_tg_exit(void)
-{
-	xt_unregister_target(&mark_tg_reg);
-}
-
-module_init(mark_tg_init);
-module_exit(mark_tg_exit);
diff --git a/net/netfilter/xt_mark.c b/net/netfilter/xt_mark.c
index 1db07d8..035c468 100644
--- a/net/netfilter/xt_mark.c
+++ b/net/netfilter/xt_mark.c
@@ -18,9 +18,20 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_DESCRIPTION("Xtables: packet mark match");
+MODULE_DESCRIPTION("Xtables: packet mark operations");
 MODULE_ALIAS("ipt_mark");
 MODULE_ALIAS("ip6t_mark");
+MODULE_ALIAS("ipt_MARK");
+MODULE_ALIAS("ip6t_MARK");
+
+static unsigned int
+mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
+{
+	const struct xt_mark_tginfo2 *info = par->targinfo;
+
+	skb->mark = (skb->mark & ~info->mask) ^ info->mark;
+	return XT_CONTINUE;
+}
 
 static bool
 mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
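Review bot: `mark_tg()` is moved into this file without a comment, and `(skb->mark & ~info->mask) ^ info->mark` is easy to misread as a plain masked assignment. Bits set in `info->mark` but not covered by `info->mask` are XORed into the packet's current mark rather than overwritten, so the result depends on both fields as supplied by the ruleset. I would add above the function: `/* Clear the bits in info->mask, then XOR in info->mark; mark bits outside the mask toggle the existing value. */`. The module now also answers to the `ipt_MARK`/`ip6t_MARK` aliases, so loading it for the match registers the packet-modifying target as well, which is worth stating in the file header for anyone maintaining module allow- or deny-lists.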
@@ -30,6 +41,15 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	return ((skb->mark & info->mask) == info->mark) ^ info->invert;
 }
 
+static struct xt_target mark_tg_reg __read_mostly = {
+	.name           = "MARK",
+	.revision       = 2,
+	.family         = NFPROTO_UNSPEC,
+	.target         = mark_tg,
+	.targetsize     = sizeof(struct xt_mark_tginfo2),
+	.me             = THIS_MODULE,
+};
+
 static struct xt_match mark_mt_reg __read_mostly = {
 	.name           = "mark",
 	.revision       = 1,
@@ -41,12 +61,23 @@ static struct xt_match mark_mt_reg __read_mostly = {
 
 static int __init mark_mt_init(void)
 {
-	return xt_register_match(&mark_mt_reg);
+	int ret;
+
+	ret = xt_register_target(&mark_tg_reg);
+	if (ret < 0)
+		return ret;
+	ret = xt_register_match(&mark_mt_reg);
+	if (ret < 0) {
+		xt_unregister_target(&mark_tg_reg);
+		return ret;
+	}
+	return 0;
 }
 
 static void __exit mark_mt_exit(void)
 {
 	xt_unregister_match(&mark_mt_reg);
+	xt_unregister_target(&mark_tg_reg);
 }
 
 module_init(mark_mt_init);
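Review bot: `mark_mt_init()` and `mark_mt_exit()` keep their match-only names although they now register and unregister the `MARK` target too. Renaming them (for example `mark_init`/`mark_exit`), or adding `/* registers both the MARK target and the mark match */` above the init function, would stop the names from misleading the next reader. The `module_exit()` line is outside this hunk and would need the same rename.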
-- 
1.7.0.4


* [PATCH 06/84] netfilter: xt_NFQUEUE: consolidate v4/v6 targets into one
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/xt_NFQUEUE.c |   40 ++++++++++++----------------------------
 1 files changed, 12 insertions(+), 28 deletions(-)

diff --git a/net/netfilter/xt_NFQUEUE.c b/net/netfilter/xt_NFQUEUE.c
index 12dcd70..a37e216 100644
--- a/net/netfilter/xt_NFQUEUE.c
+++ b/net/netfilter/xt_NFQUEUE.c
@@ -49,17 +49,6 @@ static u32 hash_v4(const struct sk_buff *skb)
 	return jhash_2words((__force u32)ipaddr, iph->protocol, jhash_initval);
 }
 
-static unsigned int
-nfqueue_tg4_v1(struct sk_buff *skb, const struct xt_target_param *par)
-{
-	const struct xt_NFQ_info_v1 *info = par->targinfo;
-	u32 queue = info->queuenum;
-
-	if (info->queues_total > 1)
-		queue = hash_v4(skb) % info->queues_total + queue;
-	return NF_QUEUE_NR(queue);
-}
-
 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
 static u32 hash_v6(const struct sk_buff *skb)
 {
@@ -73,18 +62,24 @@ static u32 hash_v6(const struct sk_buff *skb)
 
 	return jhash2((__force u32 *)addr, ARRAY_SIZE(addr), jhash_initval);
 }
+#endif
 
 static unsigned int
-nfqueue_tg6_v1(struct sk_buff *skb, const struct xt_target_param *par)
+nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
 {
 	const struct xt_NFQ_info_v1 *info = par->targinfo;
 	u32 queue = info->queuenum;
 
-	if (info->queues_total > 1)
-		queue = hash_v6(skb) % info->queues_total + queue;
+	if (info->queues_total > 1) {
+		if (par->target->family == NFPROTO_IPV4)
+			queue = hash_v4(skb) % info->queues_total + queue;
+#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
+		else if (par->target->family == NFPROTO_IPV6)
+			queue = hash_v6(skb) % info->queues_total + queue;
+#endif
+	}
 	return NF_QUEUE_NR(queue);
 }
-#endif
 
 static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
 {
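Review bot: `nfqueue_tg_v1()` picks the hash by `par->target->family`, but the registration hunk that follows sets this target's `.family` to `NFPROTO_UNSPEC`. If `par->target` points at that registered struct, neither branch can match and every packet is sent to `info->queuenum` regardless of `queues_total`. The balancing would then be off without any error, leaving a userspace inspection daemon that expects traffic spread over several queues with everything on the first one. Assuming `struct xt_target_param` carries the rule's family the way `xt_tgchk_param` does in the xt_CT patch, the tests should read `if (par->family == NFPROTO_IPV4)` and `else if (par->family == NFPROTO_IPV6)`. A short comment that other families deliberately get no balancing would also help.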
@@ -119,23 +114,12 @@ static struct xt_target nfqueue_tg_reg[] __read_mostly = {
 	{
 		.name		= "NFQUEUE",
 		.revision	= 1,
-		.family		= NFPROTO_IPV4,
-		.checkentry	= nfqueue_tg_v1_check,
-		.target		= nfqueue_tg4_v1,
-		.targetsize	= sizeof(struct xt_NFQ_info_v1),
-		.me		= THIS_MODULE,
-	},
-#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
-	{
-		.name		= "NFQUEUE",
-		.revision	= 1,
-		.family		= NFPROTO_IPV6,
+		.family		= NFPROTO_UNSPEC,
 		.checkentry	= nfqueue_tg_v1_check,
-		.target		= nfqueue_tg6_v1,
+		.target		= nfqueue_tg_v1,
 		.targetsize	= sizeof(struct xt_NFQ_info_v1),
 		.me		= THIS_MODULE,
 	},
-#endif
 };
 
 static int __init nfqueue_tg_init(void)
-- 
1.7.0.4



* [PATCH 05/84] netfilter: xt_CT: par->family is an nfproto
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Jan Engelhardt <jengelh@medozas.de>

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
---
 net/netfilter/xt_CT.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c
index 61c50fa..fda603e 100644
--- a/net/netfilter/xt_CT.c
+++ b/net/netfilter/xt_CT.c
@@ -37,13 +37,13 @@ static unsigned int xt_ct_target(struct sk_buff *skb,
 
 static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
 {
-	if (par->family == AF_INET) {
+	if (par->family == NFPROTO_IPV4) {
 		const struct ipt_entry *e = par->entryinfo;
 
 		if (e->ip.invflags & IPT_INV_PROTO)
 			return 0;
 		return e->ip.proto;
-	} else if (par->family == AF_INET6) {
+	} else if (par->family == NFPROTO_IPV6) {
 		const struct ip6t_entry *e = par->entryinfo;
 
 		if (e->ipv6.invflags & IP6T_INV_PROTO)
-- 
1.7.0.4



* [PATCH 02/84] netfilter: ebt_ip6: Use ipv6_masked_addr_cmp()
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: Bart De Schuymer <bdschuym@pandora.be>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/bridge/netfilter/ebt_ip6.c |   18 ++++--------------
 1 files changed, 4 insertions(+), 14 deletions(-)

diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c
index bbf2534..4644cc9 100644
--- a/net/bridge/netfilter/ebt_ip6.c
+++ b/net/bridge/netfilter/ebt_ip6.c
@@ -35,8 +35,6 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	struct ipv6hdr _ip6h;
 	const struct tcpudphdr *pptr;
 	struct tcpudphdr _ports;
-	struct in6_addr tmp_addr;
-	int i;
 
 	ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
 	if (ih6 == NULL)
@@ -44,18 +42,10 @@ ebt_ip6_mt(const struct sk_buff *skb, const struct xt_match_param *par)
 	if (info->bitmask & EBT_IP6_TCLASS &&
 	   FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
 		return false;
-	for (i = 0; i < 4; i++)
-		tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
-			info->smsk.in6_u.u6_addr32[i];
-	if (info->bitmask & EBT_IP6_SOURCE &&
-		FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
-			EBT_IP6_SOURCE))
-		return false;
-	for (i = 0; i < 4; i++)
-		tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
-			info->dmsk.in6_u.u6_addr32[i];
-	if (info->bitmask & EBT_IP6_DEST &&
-	   FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
+	if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
+				       &info->saddr), EBT_IP6_SOURCE) ||
+	    FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
+				       &info->daddr), EBT_IP6_DEST))
 		return false;
 	if (info->bitmask & EBT_IP6_PROTO) {
 		uint8_t nexthdr = ih6->nexthdr;
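Review bot: The rewritten condition no longer tests `info->bitmask & EBT_IP6_SOURCE` or `info->bitmask & EBT_IP6_DEST` before comparing, so both masked address comparisons now run for every rule. That matches the old behaviour only if rules without those bits always carry an all-zero mask and address and a clear inversion flag, which depends on validation outside this hunk (the rest of `ebt_ip6_mt` and its check function are not visible here). Either keep the guard in front of each test, e.g. `(info->bitmask & EBT_IP6_SOURCE) && FWINV(...)`, or add a comment naming the invariant the match now relies on.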
-- 
1.7.0.4



* [PATCH 01/84] netfilter: include/linux/netfilter/nf_conntrack_tuple_common.h: Checkpatch cleanup
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev
In-Reply-To: <1273522735-24672-1-git-send-email-kaber@trash.net>

From: Andrea Gelmini <andrea.gelmini@gelma.net>

include/linux/netfilter/nf_conntrack_tuple_common.h:5: ERROR: open brace '{' following enum go on the same line

Signed-off-by: Andrea Gelmini <andrea.gelmini@gelma.net>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 .../linux/netfilter/nf_conntrack_tuple_common.h    |    3 +--
 1 files changed, 1 insertions(+), 2 deletions(-)

diff --git a/include/linux/netfilter/nf_conntrack_tuple_common.h b/include/linux/netfilter/nf_conntrack_tuple_common.h
index 8e145f0..2ea22b0 100644
--- a/include/linux/netfilter/nf_conntrack_tuple_common.h
+++ b/include/linux/netfilter/nf_conntrack_tuple_common.h
@@ -1,8 +1,7 @@
 #ifndef _NF_CONNTRACK_TUPLE_COMMON_H
 #define _NF_CONNTRACK_TUPLE_COMMON_H
 
-enum ip_conntrack_dir
-{
+enum ip_conntrack_dir {
 	IP_CT_DIR_ORIGINAL,
 	IP_CT_DIR_REPLY,
 	IP_CT_DIR_MAX
-- 
1.7.0.4



* [PATCH 00/84] netfilter: netfilter update for 2.6.35
From: kaber @ 2010-05-10 20:17 UTC (permalink / raw)
  To: davem; +Cc: netfilter-devel, netdev

Hi Dave,

appologies for not sending this earlier in smaller batches, as mentioned
earlier I ran into some problems with git. Following is a first netfilter
update for 2.6.35, containing:

- various smaller cleanups, optimizations, Kconfig updates etc.

- merging of the xt_MARK module with xt_mark and xt_CONNMARK with xt_connmark
  to decrease overhead when using modular kernels, saving 14k on 32 bit,
  from Jan

- scheduling of the NOTRACK module for removal, obsoleted by the CT module

- removal of the compat /proc directory of xt_recent

- addition of an entry reaper to the recent module, from Tim Gardner

- support for changing UID/GID of the recent /proc files, from Jan

- use of NFPROTO values in NF_HOOK calls in IPv4/IPv6/bridging/DECnet, from Jan

- a change to the xtables ->checkentry() function signature to support
  returning errno codes, from Jan

- removal of old revisions of the hashlimit, multiport and string matches,
  from Jan

- ctnetlink message size computation fixes with conntrack accounting,
  from Jiri Pirko

- hashlimit match RCU conversion, from Eric

- userspace queuing checksum fixes, from Herbert

- fixes for netfilter RCU warnings, from myself

- fixes for the LED target to avoid invalid errors when replacing the
  ruleset

- fixes for iproute compilation breakage due to XT_ALIGN cleanups, from
  Alexey Dobriyan

- bridge netfilter cleanups, simplification and comment updates from Bart

- bridge netfilter MAC header fixes when using DNAT

- bridge netfilter refragmentation fixes for PPPoe, from Bart

- a change to the IPv6 POST_ROUTING invocation to make it receive
  unfragmented packets like IPv4, from Jan

- a fix for the IPv6 xfrm lookup in ip6_route_me_harder, from Ulrich Weber

- more appropriate default log level (KERN_NOTICE instead of KERN_EMERG) for
  the IPv4 and IPv6 LOG targets, from myself

- addition of the TEE target, which can be used to clone packets and send
  them to other hosts, e.g. IDS or logging hosts, from Jan

- a patch to make iptables and ip6tables reentrant by moving the jump stack
  to a separately allocated area. This will allow us to get rid of the per
  CPU ruleset duplication in the future. From Jan.

The patches won't apply cleanly because of some conflicts resolved during
merges, please pull from:

git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6.git master

Thanks!



* Question about more headroom in skb
From: Sharat Masetty @ 2010-05-10 20:09 UTC (permalink / raw)
  To: netdev

Hello All,

For my project I need 3 words of headroom in the skb in the network driver level, to add a  custom header to the ethernet packet. I looked into the tcp code and figured out tcp uses sk->sk_prot->max_header for header allocation size. But I was not able to confirm that all other transport protocol use the same mechanism(?) For example in UDP/ICMP I was not able to figure out from the code where the allocation and header reservation happens(Any light here would be really helpful.)

I have also looked at an API in skbuff, skb_pad(), which does what I want (add either headroom or tailroom), but I want to avoid it for performance reasons (skb_pad does kmalloc and memcpy). I want to figure out a good way (maybe by tuning some parameters) to allocate an extra 3 words for any skbuff, independent of the transport protocol being used. Any light here would be very much appreciated.

Thanks,
Sharat.


      



* Fw: Subnet broadcast MTU issue?
From: Gerrit Binnenmars @ 2010-05-10 19:51 UTC (permalink / raw)
  To: netdev

Hello,

I have configured an ethernet port at MTU 9000 with ifconfig
On this port I have an alias (with IP 192.168.100.254) for a network that 
support only an MTU of 1500, I added ip route change 192.168.100.0/24 dev 
eth0 src 192.168.100.254 mtu lock 1500.

Then ping -s 20000 192.168.100.253 works fine, with packets being fragmented 
as expected at 1500 bytes
but ping -b -s 20000 192.168.100.255 does not work, packets are fragmented 
at approx. 9000 bytes.

I tried ip route change table local broadcast 192.168.100.255 mtu lock 1500 
without success.

Is there a solution? Where in the source code is the MTU size for a 
broadcast message determined?

Thanks in advance,

Gerrit Binnenmars 



* [PATCH 4/4] bridge: update sysfs link names if port device names have changed
From: Stephen Hemminger @ 2010-05-10 19:31 UTC (permalink / raw)
  To: David S. Miller; +Cc: netdev, bridge, Simon Arlott
In-Reply-To: <20100510193107.722574297@vyatta.com>

[-- Attachment #1: br-rename-link.patch --]
[-- Type: text/plain, Size: 4844 bytes --]

From: Simon Arlott <simon@fire.lp0.eu>

Links for each port are created in sysfs using the device
name, but this could be changed after being added to the
bridge.

As well as being unable to remove interfaces after this
occurs (because userspace tools don't recognise the new
name, and the kernel won't recognise the old name), adding
another interface with the old name to the bridge will
cause an error trying to create the sysfs link.

This fixes the problem by listening for NETDEV_CHANGENAME
notifications and renaming the link.

https://bugzilla.kernel.org/show_bug.cgi?id=12743

Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
Acked-by: Stephen Hemminger <shemminger@vyatta.com>

---
Modified to apply to net-next and fix checkpatch warnings -- stephen

 fs/sysfs/symlink.c       |    1 +
 net/bridge/br_if.c       |    2 +-
 net/bridge/br_notify.c   |    7 +++++++
 net/bridge/br_private.h  |    6 ++++++
 net/bridge/br_sysfs_if.c |   32 +++++++++++++++++++++++++++-----
 5 files changed, 42 insertions(+), 6 deletions(-)

--- a/fs/sysfs/symlink.c	2010-05-07 17:43:18.937936182 -0700
+++ b/fs/sysfs/symlink.c	2010-05-10 12:15:03.247827705 -0700
@@ -261,3 +261,4 @@ const struct inode_operations sysfs_syml
 
 EXPORT_SYMBOL_GPL(sysfs_create_link);
 EXPORT_SYMBOL_GPL(sysfs_remove_link);
+EXPORT_SYMBOL_GPL(sysfs_rename_link);
--- a/net/bridge/br_if.c	2010-05-10 10:47:51.089679264 -0700
+++ b/net/bridge/br_if.c	2010-05-10 12:15:03.247827705 -0700
@@ -133,7 +133,7 @@ static void del_nbp(struct net_bridge_po
 	struct net_bridge *br = p->br;
 	struct net_device *dev = p->dev;
 
-	sysfs_remove_link(br->ifobj, dev->name);
+	sysfs_remove_link(br->ifobj, p->sysfs_name);
 
 	dev_set_promiscuity(dev, -1);
 
--- a/net/bridge/br_notify.c	2010-05-07 17:43:18.927931730 -0700
+++ b/net/bridge/br_notify.c	2010-05-10 12:15:03.257881460 -0700
@@ -34,6 +34,7 @@ static int br_device_event(struct notifi
 	struct net_device *dev = ptr;
 	struct net_bridge_port *p = dev->br_port;
 	struct net_bridge *br;
+	int err;
 
 	/* not a port of a bridge */
 	if (p == NULL)
@@ -83,6 +84,12 @@ static int br_device_event(struct notifi
 		br_del_if(br, dev);
 		break;
 
+	case NETDEV_CHANGENAME:
+		err = br_sysfs_renameif(p);
+		if (err)
+			return notifier_from_errno(err);
+		break;
+
 	case NETDEV_PRE_TYPE_CHANGE:
 		/* Forbid underlaying device to change its type. */
 		return NOTIFY_BAD;
--- a/net/bridge/br_private.h	2010-05-10 12:11:13.863532891 -0700
+++ b/net/bridge/br_private.h	2010-05-10 12:15:03.267827450 -0700
@@ -139,6 +139,10 @@ struct net_bridge_port
 	struct hlist_head		mglist;
 	struct hlist_node		rlist;
 #endif
+
+#ifdef CONFIG_SYSFS
+	char				sysfs_name[IFNAMSIZ];
+#endif
 };
 
 struct br_cpu_netstats {
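Review bot: `sysfs_name` is declared only under `#ifdef CONFIG_SYSFS`, yet the `del_nbp()` hunk in br_if.c passes `p->sysfs_name` to `sysfs_remove_link()` with no guard visible in that hunk. Unless the surrounding code there is itself conditional, a build with CONFIG_SYSFS disabled would fail on the missing member. Either drop the `#ifdef` around the field (it costs IFNAMSIZ bytes per port) or route the removal through a helper that has a no-op variant next to the existing `#define br_sysfs_renameif(p) (0)`.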
@@ -480,6 +484,7 @@ extern void br_ifinfo_notify(int event, 
 /* br_sysfs_if.c */
 extern const struct sysfs_ops brport_sysfs_ops;
 extern int br_sysfs_addif(struct net_bridge_port *p);
+extern int br_sysfs_renameif(struct net_bridge_port *p);
 
 /* br_sysfs_br.c */
 extern int br_sysfs_addbr(struct net_device *dev);
@@ -488,6 +493,7 @@ extern void br_sysfs_delbr(struct net_de
 #else
 
 #define br_sysfs_addif(p)	(0)
+#define br_sysfs_renameif(p)	(0)
 #define br_sysfs_addbr(dev)	(0)
 #define br_sysfs_delbr(dev)	do { } while(0)
 #endif /* CONFIG_SYSFS */
--- a/net/bridge/br_sysfs_if.c	2010-05-07 17:43:18.917930679 -0700
+++ b/net/bridge/br_sysfs_if.c	2010-05-10 12:15:03.267827450 -0700
@@ -246,7 +246,7 @@ const struct sysfs_ops brport_sysfs_ops 
 /*
  * Add sysfs entries to ethernet device added to a bridge.
  * Creates a brport subdirectory with bridge attributes.
- * Puts symlink in bridge's brport subdirectory
+ * Puts symlink in bridge's brif subdirectory
  */
 int br_sysfs_addif(struct net_bridge_port *p)
 {
@@ -257,15 +257,37 @@ int br_sysfs_addif(struct net_bridge_por
 	err = sysfs_create_link(&p->kobj, &br->dev->dev.kobj,
 				SYSFS_BRIDGE_PORT_LINK);
 	if (err)
-		goto out2;
+		return err;
 
 	for (a = brport_attrs; *a; ++a) {
 		err = sysfs_create_file(&p->kobj, &((*a)->attr));
 		if (err)
-			goto out2;
+			return err;
 	}
 
-	err = sysfs_create_link(br->ifobj, &p->kobj, p->dev->name);
-out2:
+	strlcpy(p->sysfs_name, p->dev->name, IFNAMSIZ);
+	return sysfs_create_link(br->ifobj, &p->kobj, p->sysfs_name);
+}
+
+/* Rename bridge's brif symlink */
+int br_sysfs_renameif(struct net_bridge_port *p)
+{
+	struct net_bridge *br = p->br;
+	int err;
+
+	/* If a rename fails, the rollback will cause another
+	 * rename call with the existing name.
+	 */
+	if (!strncmp(p->sysfs_name, p->dev->name, IFNAMSIZ))
+		return 0;
+
+	err = sysfs_rename_link(br->ifobj, &p->kobj,
+				p->sysfs_name, p->dev->name);
+	if (err)
+		netdev_notice(br->dev, "unable to rename link %s to %s",
+			      p->sysfs_name, p->dev->name);
+	else
+		strlcpy(p->sysfs_name, p->dev->name, IFNAMSIZ);
+
 	return err;
 }
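Review bot: The `netdev_notice()` format string in `br_sysfs_renameif()` has no trailing newline, so the message can run into the next kernel log line and confuse log parsers. It should read `"unable to rename link %s to %s\n"`. Including `err` in the message would also spare whoever reads the log from having to guess why the rename failed.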




* [PATCH 3/4] bridge: netfilter use net_ratelimit
From: Stephen Hemminger @ 2010-05-10 19:31 UTC (permalink / raw)
  To: David S. Miller; +Cc: netdev, bridge
In-Reply-To: <20100510193107.722574297@vyatta.com>

[-- Attachment #1: bridge-netfilter-msg.patch --]
[-- Type: text/plain, Size: 1408 bytes --]

The function __br_dnat_complain is basically reimplementing existing
net_ratelimit.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

--- a/net/bridge/br_netfilter.c	2010-05-06 12:32:23.427786161 -0700
+++ b/net/bridge/br_netfilter.c	2010-05-06 12:33:37.826565965 -0700
@@ -253,17 +253,6 @@ static int br_nf_pre_routing_finish_ipv6
 	return 0;
 }
 
-static void __br_dnat_complain(void)
-{
-	static unsigned long last_complaint;
-
-	if (jiffies - last_complaint >= 5 * HZ) {
-		printk(KERN_WARNING "Performing cross-bridge DNAT requires IP "
-		       "forwarding to be enabled\n");
-		last_complaint = jiffies;
-	}
-}
-
 /* This requires some explaining. If DNAT has taken place,
  * we will need to fix up the destination Ethernet address,
  * and this is a tricky process.
@@ -382,8 +371,12 @@ static int br_nf_pre_routing_finish(stru
 				/* we are sure that forwarding is disabled, so printing
 				 * this message is no problem. Note that the packet could
 				 * still have a martian destination address, in which case
-				 * the packet could be dropped even if forwarding were enabled */
-				__br_dnat_complain();
+				 * the packet could be dropped even if forwarding were enabled
+				 */
+				if (net_ratelimit())
+					netdev_warn(dev, "Performing cross-bridge DNAT "
+						    "requires IP forwarding to be enabled\n");
+
 				dst_release((struct dst_entry *)rt);
 			}
 free_skb:
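Review bot: The warning now draws from the shared `net_ratelimit()` budget instead of its own five-second timer, so a burst of unrelated rate-limited network messages can suppress it, and this packet-triggered message can in turn crowd out others. If that trade-off is intended, say so in the comment above the call. The format string is also split across two source lines, which makes it hard to grep for; keeping `"Performing cross-bridge DNAT requires IP forwarding to be enabled\n"` on one line is the usual choice even when it runs long. `br_nf_pre_routing_finish()` begins and ends outside this hunk, so whether `dev` is the intended device cannot be checked from here.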




* [PATCH 2/4] bridge: change console message interface
From: Stephen Hemminger @ 2010-05-10 19:31 UTC (permalink / raw)
  To: David S. Miller; +Cc: netdev, bridge
In-Reply-To: <20100510193107.722574297@vyatta.com>

[-- Attachment #1: bridge-msg.patch --]
[-- Type: text/plain, Size: 12036 bytes --]

Use one set of macro's for all bridge messages.

Note: can't use netdev_XXX macro's because bridge is purely
virtual and has no device parent.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>

---
 net/bridge/br.c           |    2 +-
 net/bridge/br_fdb.c       |    9 ++++-----
 net/bridge/br_ioctl.c     |    2 +-
 net/bridge/br_multicast.c |   32 +++++++++++++-------------------
 net/bridge/br_netlink.c   |    8 +++++---
 net/bridge/br_private.h   |   15 +++++++++++++++
 net/bridge/br_stp.c       |   11 +++++------
 net/bridge/br_stp_if.c    |   16 ++++++----------
 net/bridge/br_stp_timer.c |   24 ++++++++++--------------
 9 files changed, 60 insertions(+), 59 deletions(-)

--- a/net/bridge/br.c	2010-05-10 11:50:28.856612469 -0700
+++ b/net/bridge/br.c	2010-05-10 11:50:34.547229645 -0700
@@ -38,7 +38,7 @@ static int __init br_init(void)
 
 	err = stp_proto_register(&br_stp_proto);
 	if (err < 0) {
-		printk(KERN_ERR "bridge: can't register sap for STP\n");
+		pr_err("bridge: can't register sap for STP\n");
 		return err;
 	}
 
--- a/net/bridge/br_fdb.c	2010-05-10 11:50:28.886629735 -0700
+++ b/net/bridge/br_fdb.c	2010-05-10 12:00:32.239308637 -0700
@@ -353,8 +353,7 @@ static int fdb_insert(struct net_bridge 
 		 */
 		if (fdb->is_local)
 			return 0;
-
-		printk(KERN_WARNING "%s adding interface with same address "
+		br_warn(br, "adding interface %s with same address "
 		       "as a received packet\n",
 		       source->dev->name);
 		fdb_delete(fdb);
@@ -397,9 +396,9 @@ void br_fdb_update(struct net_bridge *br
 		/* attempt to update an entry for a local interface */
 		if (unlikely(fdb->is_local)) {
 			if (net_ratelimit())
-				printk(KERN_WARNING "%s: received packet with "
-				       "own address as source address\n",
-				       source->dev->name);
+				br_warn(br, "received packet on %s with "
+					"own address as source address\n",
+					source->dev->name);
 		} else {
 			/* fastpath: update of existing entry */
 			fdb->dst = source;
--- a/net/bridge/br_multicast.c	2010-05-10 11:50:28.936627985 -0700
+++ b/net/bridge/br_multicast.c	2010-05-10 12:04:33.316906966 -0700
@@ -585,10 +585,9 @@ static struct net_bridge_mdb_entry *br_m
 
 	if (unlikely(count > br->hash_elasticity && count)) {
 		if (net_ratelimit())
-			printk(KERN_INFO "%s: Multicast hash table "
-			       "chain limit reached: %s\n",
-			       br->dev->name, port ? port->dev->name :
-						     br->dev->name);
+			br_info(br, "Multicast hash table "
+				"chain limit reached: %s\n",
+				port ? port->dev->name : br->dev->name);
 
 		elasticity = br->hash_elasticity;
 	}
@@ -596,11 +595,9 @@ static struct net_bridge_mdb_entry *br_m
 	if (mdb->size >= max) {
 		max *= 2;
 		if (unlikely(max >= br->hash_max)) {
-			printk(KERN_WARNING "%s: Multicast hash table maximum "
-			       "reached, disabling snooping: %s, %d\n",
-			       br->dev->name, port ? port->dev->name :
-						     br->dev->name,
-			       max);
+			br_warn(br, "Multicast hash table maximum "
+				"reached, disabling snooping: %s, %d\n",
+				port ? port->dev->name : br->dev->name, max);
 			err = -E2BIG;
 disable:
 			br->multicast_disabled = 1;
@@ -611,22 +608,19 @@ disable:
 	if (max > mdb->max || elasticity) {
 		if (mdb->old) {
 			if (net_ratelimit())
-				printk(KERN_INFO "%s: Multicast hash table "
-				       "on fire: %s\n",
-				       br->dev->name, port ? port->dev->name :
-							     br->dev->name);
+				br_info(br, "Multicast hash table "
+					"on fire: %s\n",
+					port ? port->dev->name : br->dev->name);
 			err = -EEXIST;
 			goto err;
 		}
 
 		err = br_mdb_rehash(&br->mdb, max, elasticity);
 		if (err) {
-			printk(KERN_WARNING "%s: Cannot rehash multicast "
-			       "hash table, disabling snooping: "
-			       "%s, %d, %d\n",
-			       br->dev->name, port ? port->dev->name :
-						     br->dev->name,
-			       mdb->size, err);
+			br_warn(br, "Cannot rehash multicast "
+				"hash table, disabling snooping: %s, %d, %d\n",
+				port ? port->dev->name : br->dev->name,
+				mdb->size, err);
 			goto disable;
 		}
 
--- a/net/bridge/br_stp_if.c	2010-05-10 11:50:28.916629479 -0700
+++ b/net/bridge/br_stp_if.c	2010-05-10 12:04:37.100899166 -0700
@@ -85,17 +85,16 @@ void br_stp_enable_port(struct net_bridg
 {
 	br_init_port(p);
 	br_port_state_selection(p->br);
+	br_log_state(p);
 }
 
 /* called under bridge lock */
 void br_stp_disable_port(struct net_bridge_port *p)
 {
-	struct net_bridge *br;
+	struct net_bridge *br = p->br;
 	int wasroot;
 
-	br = p->br;
-	printk(KERN_INFO "%s: port %i(%s) entering %s state\n",
-	       br->dev->name, p->port_no, p->dev->name, "disabled");
+	br_log_state(p);
 
 	wasroot = br_is_root_bridge(br);
 	br_become_designated_port(p);
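Review bot: In `br_stp_disable_port()` the new `br_log_state(p)` call runs before anything visible in this hunk changes the port state, whereas the removed `printk` always reported "disabled". If `br_log_state()` prints `p->state` (its definition is not in view), the log would show the state the port is leaving, not the one it is entering, and that corrupts the record of port transitions. Moving the call to after the assignment that disables the port, which lies outside this hunk, would keep the message accurate.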
@@ -127,11 +126,10 @@ static void br_stp_start(struct net_brid
 	r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
 	if (r == 0) {
 		br->stp_enabled = BR_USER_STP;
-		printk(KERN_INFO "%s: userspace STP started\n", br->dev->name);
+		br_debug(br, "userspace STP started\n");
 	} else {
 		br->stp_enabled = BR_KERNEL_STP;
-		printk(KERN_INFO "%s: starting userspace STP failed, "
-				"starting kernel STP\n", br->dev->name);
+		br_debug(br, "using kernel STP\n");
 
 		/* To start timers on any ports left in blocking */
 		spin_lock_bh(&br->lock);
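Review bot: The fallback branch of `br_stp_start()` used to log at KERN_INFO that starting userspace STP had failed; it now emits only `br_debug(br, "using kernel STP\n")`. A failed `call_usermodehelper()` therefore becomes invisible in a default configuration, and the message no longer says that a failure happened at all. Since operators may rely on that line to notice that the configured helper did not run, I would keep it at info level and include the return code: `br_info(br, "starting userspace STP failed (%d), using kernel STP\n", r);`. The function starts above this hunk and continues past it.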
@@ -148,9 +146,7 @@ static void br_stp_stop(struct net_bridg
 
 	if (br->stp_enabled == BR_USER_STP) {
 		r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
-		printk(KERN_INFO "%s: userspace STP stopped, return code %d\n",
-			br->dev->name, r);
-
+		br_info(br, "userspace STP stopped, return code %d\n", r);
 
 		/* To start timers on any ports left in blocking */
 		spin_lock_bh(&br->lock);
--- a/net/bridge/br_ioctl.c	2010-05-10 11:50:28.906610162 -0700
+++ b/net/bridge/br_ioctl.c	2010-05-10 12:00:40.326906216 -0700
@@ -412,6 +412,6 @@ int br_dev_ioctl(struct net_device *dev,
 
 	}
 
-	pr_debug("Bridge does not support ioctl 0x%x\n", cmd);
+	br_debug(br, "Bridge does not support ioctl 0x%x\n", cmd);
 	return -EOPNOTSUPP;
 }
--- a/net/bridge/br_netlink.c	2010-05-10 11:50:28.876606911 -0700
+++ b/net/bridge/br_netlink.c	2010-05-10 12:11:33.095469978 -0700
@@ -42,8 +42,8 @@ static int br_fill_ifinfo(struct sk_buff
 	struct nlmsghdr *nlh;
 	u8 operstate = netif_running(dev) ? dev->operstate : IF_OPER_DOWN;
 
-	pr_debug("br_fill_info event %d port %s master %s\n",
-		 event, dev->name, br->dev->name);
+	br_debug(br, "br_fill_info event %d port %s master %s\n",
+		     event, dev->name, br->dev->name);
 
 	nlh = nlmsg_put(skb, pid, seq, event, sizeof(*hdr), flags);
 	if (nlh == NULL)
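Review bot: The converted message in br_fill_ifinfo now prints the bridge name twice, once from the `"%s: "` prefix that `br_debug` adds and again through the trailing `master %s` argument `br->dev->name`. Dropping the redundant field gives `br_debug(br, "br_fill_info event %d port %s\n", event, dev->name);`. The continuation line is also indented one level deeper than the other br_debug calls in this patch. The function body continues outside the hunk.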
@@ -87,7 +87,9 @@ void br_ifinfo_notify(int event, struct 
 	struct sk_buff *skb;
 	int err = -ENOBUFS;
 
-	pr_debug("bridge notify event=%d\n", event);
+	br_debug(port->br, "port %u(%s) event %d\n",
+		 (unsigned)port->port_no, port->dev->name, event);
+
 	skb = nlmsg_new(br_nlmsg_size(), GFP_ATOMIC);
 	if (skb == NULL)
 		goto errout;
--- a/net/bridge/br_stp_timer.c	2010-05-10 11:50:28.916629479 -0700
+++ b/net/bridge/br_stp_timer.c	2010-05-10 12:09:57.504418884 -0700
@@ -35,7 +35,7 @@ static void br_hello_timer_expired(unsig
 {
 	struct net_bridge *br = (struct net_bridge *)arg;
 
-	pr_debug("%s: hello timer expired\n", br->dev->name);
+	br_debug(br, "hello timer expired\n");
 	spin_lock(&br->lock);
 	if (br->dev->flags & IFF_UP) {
 		br_config_bpdu_generation(br);
@@ -55,13 +55,9 @@ static void br_message_age_timer_expired
 	if (p->state == BR_STATE_DISABLED)
 		return;
 
-
-	pr_info("%s: neighbor %.2x%.2x.%.2x:%.2x:%.2x:%.2x:%.2x:%.2x lost on port %d(%s)\n",
-		br->dev->name,
-		id->prio[0], id->prio[1],
-		id->addr[0], id->addr[1], id->addr[2],
-		id->addr[3], id->addr[4], id->addr[5],
-		p->port_no, p->dev->name);
+	br_info(br, "port %u(%s) neighbor %.2x%.2x.%pM lost\n",
+		(unsigned) p->port_no, p->dev->name,
+		id->prio[0], id->prio[1], &id->addr);
 
 	/*
 	 * According to the spec, the message age timer cannot be
@@ -87,8 +83,8 @@ static void br_forward_delay_timer_expir
 	struct net_bridge_port *p = (struct net_bridge_port *) arg;
 	struct net_bridge *br = p->br;
 
-	pr_debug("%s: %d(%s) forward delay timer\n",
-		 br->dev->name, p->port_no, p->dev->name);
+	br_debug(br, "port %u(%s) forward delay timer\n",
+		 (unsigned) p->port_no, p->dev->name);
 	spin_lock(&br->lock);
 	if (p->state == BR_STATE_LISTENING) {
 		p->state = BR_STATE_LEARNING;
@@ -107,7 +103,7 @@ static void br_tcn_timer_expired(unsigne
 {
 	struct net_bridge *br = (struct net_bridge *) arg;
 
-	pr_debug("%s: tcn timer expired\n", br->dev->name);
+	br_debug(br, "tcn timer expired\n");
 	spin_lock(&br->lock);
 	if (br->dev->flags & IFF_UP) {
 		br_transmit_tcn(br);
@@ -121,7 +117,7 @@ static void br_topology_change_timer_exp
 {
 	struct net_bridge *br = (struct net_bridge *) arg;
 
-	pr_debug("%s: topo change timer expired\n", br->dev->name);
+	br_debug(br, "topo change timer expired\n");
 	spin_lock(&br->lock);
 	br->topology_change_detected = 0;
 	br->topology_change = 0;
@@ -132,8 +128,8 @@ static void br_hold_timer_expired(unsign
 {
 	struct net_bridge_port *p = (struct net_bridge_port *) arg;
 
-	pr_debug("%s: %d(%s) hold timer expired\n",
-		 p->br->dev->name,  p->port_no, p->dev->name);
+	br_debug(p->br, "port %u(%s) hold timer expired\n",
+		 (unsigned) p->port_no, p->dev->name);
 
 	spin_lock(&p->br->lock);
 	if (p->config_pending)
--- a/net/bridge/br_stp.c	2010-05-10 11:50:28.896578146 -0700
+++ b/net/bridge/br_stp.c	2010-05-10 12:01:40.080530431 -0700
@@ -31,10 +31,9 @@ static const char *const br_port_state_n
 
 void br_log_state(const struct net_bridge_port *p)
 {
-	pr_info("%s: port %d(%s) entering %s state\n",
-		p->br->dev->name, p->port_no, p->dev->name,
+	br_info(p->br, "port %u(%s) entering %s state\n",
+		(unsigned) p->port_no, p->dev->name,
 		br_port_state_names[p->state]);
-
 }
 
 /* called under bridge lock */
@@ -300,7 +299,7 @@ void br_topology_change_detection(struct
 	if (br->stp_enabled != BR_KERNEL_STP)
 		return;
 
-	pr_info("%s: topology change detected, %s\n", br->dev->name,
+	br_info(br, "topology change detected, %s\n",
 		isroot ? "propagating" : "sending tcn bpdu");
 
 	if (isroot) {
@@ -469,8 +468,8 @@ void br_received_config_bpdu(struct net_
 void br_received_tcn_bpdu(struct net_bridge_port *p)
 {
 	if (br_is_designated_port(p)) {
-		pr_info("%s: received tcn bpdu on port %i(%s)\n",
-		       p->br->dev->name, p->port_no, p->dev->name);
+		br_info(p->br, "port %u(%s) received tcn bpdu\n",
+			(unsigned) p->port_no, p->dev->name);
 
 		br_topology_change_detection(p->br);
 		br_topology_change_acknowledge(p);
--- a/net/bridge/br_private.h	2010-05-10 11:50:37.646944750 -0700
+++ b/net/bridge/br_private.h	2010-05-10 12:28:44.137056465 -0700
@@ -240,6 +240,21 @@ struct br_input_skb_cb {
 # define BR_INPUT_SKB_CB_MROUTERS_ONLY(__skb)	(0)
 #endif
 
+#define br_printk(level, br, format, args...)	\
+	printk(level "%s: " format, (br)->dev->name, ##args)
+
+#define br_err(__br, format, args...)			\
+	br_printk(KERN_ERR, __br, format, ##args)
+#define br_warn(__br, format, args...)			\
+	br_printk(KERN_WARNING, __br, format, ##args)
+#define br_notice(__br, format, args...)		\
+	br_printk(KERN_NOTICE, __br, format, ##args)
+#define br_info(__br, format, args...)			\
+	br_printk(KERN_INFO, __br, format, ##args)
+
+#define br_debug(br, format, args...)			\
+	pr_debug("%s: " format,  (br)->dev->name, ##args)
+
 extern struct notifier_block br_device_notifier;
 extern const u8 br_group_address[ETH_ALEN];
 
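Review bot: The new logging macros carry no comment, and their contract is not obvious from the call sites. I would add above `br_printk` something like `/* Bridge log helpers: prefix the bridge device name; format must be a string literal. */`, since the macros paste `"%s: "` onto `format` and a non-literal format will not compile. It is also worth a line noting that `br_debug` expands to `pr_debug` and so can be compiled out, unlike the other levels. As a style point, `br_debug` and `br_printk` name their parameter `br` while the level wrappers use `__br`; one spelling throughout would read better.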
--- a/net/bridge/br_device.c	2010-05-10 12:29:30.308306178 -0700
+++ b/net/bridge/br_device.c	2010-05-10 12:30:13.027074884 -0700
@@ -255,9 +255,8 @@ void br_netpoll_enable(struct net_bridge
 			dev->npinfo = br->dev->npinfo;
 	} else if (!(br->dev->priv_flags & IFF_DISABLE_NETPOLL)) {
 		br->dev->priv_flags |= IFF_DISABLE_NETPOLL;
-		printk(KERN_INFO "%s:new device %s"
-			" does not support netpoll (disabling)",
-			br->dev->name, dev->name);
+		br_info(br,"new device %s does not support netpoll (disabling)",
+			dev->name);
 	}
 }
 
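Review bot: The converted format string in br_netpoll_enable has no trailing newline, so the record is left unterminated and can run together with whatever is logged next. The call should read `br_info(br, "new device %s does not support netpoll (disabling)\n",`, which also restores the space after the comma. The same omission is present in the printk that the "[PATCH 1/4] bridge: netpoll cleanup" message quoted below adds to br_device.c, while the two printk lines it removed from br_if.c both ended in `\n`.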




* [PATCH 1/4] bridge: netpoll cleanup
From: Stephen Hemminger @ 2010-05-10 19:31 UTC (permalink / raw)
  To: David S. Miller; +Cc: netdev, bridge
In-Reply-To: <20100510193107.722574297@vyatta.com>

[-- Attachment #1: br-netpoll-cleanup.patch --]
[-- Type: text/plain, Size: 3983 bytes --]

Move code around so that the ifdef for NETPOLL_CONTROLLER doesn't have to
show up in the main code path. The control functions should be in helpers
that are only compiled if needed.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>


--- a/net/bridge/br_device.c	2010-05-10 09:51:51.568057462 -0700
+++ b/net/bridge/br_device.c	2010-05-10 11:19:04.867327762 -0700
@@ -191,7 +191,7 @@ static int br_set_tx_csum(struct net_dev
 }
 
 #ifdef CONFIG_NET_POLL_CONTROLLER
-bool br_devices_support_netpoll(struct net_bridge *br)
+static bool br_devices_support_netpoll(struct net_bridge *br)
 {
 	struct net_bridge_port *p;
 	bool ret = true;
@@ -217,9 +217,9 @@ static void br_poll_controller(struct ne
 		netpoll_poll_dev(np->real_dev);
 }
 
-void br_netpoll_cleanup(struct net_device *br_dev)
+void br_netpoll_cleanup(struct net_device *dev)
 {
-	struct net_bridge *br = netdev_priv(br_dev);
+	struct net_bridge *br = netdev_priv(dev);
 	struct net_bridge_port *p, *n;
 	const struct net_device_ops *ops;
 
@@ -235,10 +235,30 @@ void br_netpoll_cleanup(struct net_devic
 	}
 }
 
-#else
-
-void br_netpoll_cleanup(struct net_device *br_dev)
+void br_netpoll_disable(struct net_bridge *br,
+			struct net_device *dev)
 {
+	if (br_devices_support_netpoll(br))
+		br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
+	if (dev->netdev_ops->ndo_netpoll_cleanup)
+		dev->netdev_ops->ndo_netpoll_cleanup(dev);
+	else
+		dev->npinfo = NULL;
+}
+
+void br_netpoll_enable(struct net_bridge *br,
+		       struct net_device *dev)
+{
+	if (br_devices_support_netpoll(br)) {
+		br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
+		if (br->dev->npinfo)
+			dev->npinfo = br->dev->npinfo;
+	} else if (!(br->dev->priv_flags & IFF_DISABLE_NETPOLL)) {
+		br->dev->priv_flags |= IFF_DISABLE_NETPOLL;
+		printk(KERN_INFO "%s:new device %s"
+			" does not support netpoll (disabling)",
+			br->dev->name, dev->name);
+	}
 }
 
 #endif
--- a/net/bridge/br_if.c	2010-05-10 09:51:47.878057482 -0700
+++ b/net/bridge/br_if.c	2010-05-10 10:47:51.089679264 -0700
@@ -154,14 +154,7 @@ static void del_nbp(struct net_bridge_po
 	kobject_uevent(&p->kobj, KOBJ_REMOVE);
 	kobject_del(&p->kobj);
 
-#ifdef CONFIG_NET_POLL_CONTROLLER
-	if (br_devices_support_netpoll(br))
-		br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
-	if (dev->netdev_ops->ndo_netpoll_cleanup)
-		dev->netdev_ops->ndo_netpoll_cleanup(dev);
-	else
-		dev->npinfo = NULL;
-#endif
+	br_netpoll_disable(br, dev);
 	call_rcu(&p->rcu, destroy_nbp_rcu);
 }
 
@@ -455,19 +448,7 @@ int br_add_if(struct net_bridge *br, str
 
 	kobject_uevent(&p->kobj, KOBJ_ADD);
 
-#ifdef CONFIG_NET_POLL_CONTROLLER
-	if (br_devices_support_netpoll(br)) {
-		br->dev->priv_flags &= ~IFF_DISABLE_NETPOLL;
-		if (br->dev->npinfo)
-			dev->npinfo = br->dev->npinfo;
-	} else if (!(br->dev->priv_flags & IFF_DISABLE_NETPOLL)) {
-		br->dev->priv_flags |= IFF_DISABLE_NETPOLL;
-		printk(KERN_INFO "New device %s does not support netpoll\n",
-			dev->name);
-		printk(KERN_INFO "Disabling netpoll for %s\n",
-			br->dev->name);
-	}
-#endif
+	br_netpoll_enable(br, dev);
 
 	return 0;
 err2:
--- a/net/bridge/br_private.h	2010-05-10 09:51:55.267744944 -0700
+++ b/net/bridge/br_private.h	2010-05-10 10:08:09.117432563 -0700
@@ -253,8 +253,18 @@ static inline int br_is_root_bridge(cons
 extern void br_dev_setup(struct net_device *dev);
 extern netdev_tx_t br_dev_xmit(struct sk_buff *skb,
 			       struct net_device *dev);
-extern bool br_devices_support_netpoll(struct net_bridge *br);
-extern void br_netpoll_cleanup(struct net_device *br_dev);
+#ifdef CONFIG_NET_POLL_CONTROLLER
+extern void br_netpoll_cleanup(struct net_device *dev);
+extern void br_netpoll_enable(struct net_bridge *br,
+			      struct net_device *dev);
+extern void br_netpoll_disable(struct net_bridge *br,
+			       struct net_device *dev);
+#else
+#define br_netpoll_cleanup(br)
+#define br_netpoll_enable(br, dev)
+#define br_netpoll_disable(br, dev)
+
+#endif
 
 /* br_fdb.c */
 extern int br_fdb_init(void);
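Review bot: The `#else` branch stubs the three netpoll helpers as empty function-like macros, which discards their arguments without any type checking and can leave callers with unused-variable warnings when CONFIG_NET_POLL_CONTROLLER is off. Static inline stubs keep the prototypes identical in both configurations, e.g. `static inline void br_netpoll_enable(struct net_bridge *br, struct net_device *dev) { }` and likewise for br_netpoll_disable and br_netpoll_cleanup. The macro form `br_netpoll_cleanup(br)` also names its parameter differently from the real function, which takes a `struct net_device *dev`. If br_netpoll_cleanup is ever referenced without parentheses outside an `#ifdef` (for example as a function pointer), the macro would not expand and the build would fail, whereas an inline stub would still work.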




* [PATCH 0/4] bridge: patches for net-next
From: Stephen Hemminger @ 2010-05-10 19:31 UTC (permalink / raw)
  To: David S. Miller; +Cc: netdev, bridge

These are only partially related patches for 2.6.35.
They supersede earlier (unaccepted) patches in net-next.




* Re: [PATCH] virtif: initial interface extensions
From: Scott Feldman @ 2010-05-10 18:56 UTC (permalink / raw)
  To: Stefan Berger, netdev
In-Reply-To: <loom.20100510T172617-53@post.gmane.org>

On 5/10/10 8:37 AM, "Stefan Berger" <stefanb@us.ibm.com> wrote:

> Arnd Bergmann <arnd <at> arndb.de> writes:
> 
> [...]
> 
>> + if (tb[IFLA_VIRTIF]) {
>> +  struct ifla_virtif_port_profile *ivp;
>> +  struct nlattr *virtif[IFLA_VIRTIF_MAX+1];
>> +  u32 vf;
>> +
>> +  err = nla_parse_nested(virtif, IFLA_VIRTIF_MAX,
>> +           tb[IFLA_VIRTIF], ifla_virtif_policy);
>> +  if (err < 0)
>> +   return err;
>> +
>> +  if (!virtif[IFLA_VIRTIF_VF] || !virtif[IFLA_VIRTIF_PORT_PROFILE])
>> +   goto novirtif; /* IFLA_VIRTIF may be directed at user space */
> 
> 
> In what case would the IFLA_VIRTIF_PORT_PROFILE be provided? Would libvirt for
> example need to be aware of whether the Ethernet device can handle the setup
> protocol via its firmware and in this case provide the port profile parameter
> and in other cases provide other parameters? Certainly the user or upper layer
> management software would have to know it when creating the domain XML and in
> fact different types of parameters were needed.

> Obviously we should have one
> common set of (XML) parameters that go into the netlink message and that can
> be handled by the kernel driver if the firmware knows how to handle it or by
> LLDPAD. 

With Arnd's latest additions, we have a single netlink msg, but the
parameter sets are disjoint between VDP/CDCP and what we need for the kernel
driver.  So that means the sender (libvirt in this case) needs to know about
both setups to send a single netlink msg.  An alternative is to have two
netlink msgs, one for each setup.  That still requires the sender to know
about two setups.  

> Libvirt would send the parameters via netlink message to trigger the
> setup protocol and the message may be received by kernel and LLDPAD.
 
That was the original idea by having libvirt send the netlink msg using
multicast.



* Re: [PATCHv7] add mergeable buffers support to vhost_net
From: David Stevens @ 2010-05-10 17:46 UTC (permalink / raw)
  To: Michael S. Tsirkin; +Cc: kvm, kvm-owner, netdev, netdev-owner, virtualization
In-Reply-To: <20100510172557.GD28798@redhat.com>

netdev-owner@vger.kernel.org wrote on 05/10/2010 10:25:57 AM:

> On Mon, May 10, 2010 at 10:09:03AM -0700, David Stevens wrote:
> > Since "datalen" carries the difference and will be negative by that amount
> > from the original loop, what about just adding something like:
> > 
> >         }
> >         if (headcount)
> >                 heads[headcount-1].len += datalen;
> > [and really, headcount >0 since datalen > 0, so just:
> > 
> >         heads[headcount-1].len += datalen;
> > 
> >                                                 +-DLS
> 
> This works too, just does more checks and comparisons.
> I am still surprised that you were unable to reproduce the problem.
> 

I'm sure it happened, and probably had a performance
penalty on my systems too, but not as much as yours.
I didn't see any obvious performance difference running
with the patch, though; not sure why. I'll instrument to
see how often it's happening, I think.
        But fixed now, good catch!

                                                        +-DLS



