linux.git/include/linux/netfilter, branch v2.6.35 Linux kernel source tree netfilter: xtables: stackptr should be percpu 2010-05-31T14:41:35+00:00 Eric Dumazet eric.dumazet@gmail.com 2010-05-31T14:41:35+00:00 7489aec8eed4f2f1eb3b4d35763bd3ea30b32ef5 commit f3c5c1bfd4 (netfilter: xtables: make ip_tables reentrant) introduced a performance regression, because stackptr array is shared by all cpus, adding cache line ping pongs. (16 cpus share a 64 bytes cache line) Fix this using alloc_percpu() Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Acked-By: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net> 
commit f3c5c1bfd4 (netfilter: xtables: make ip_tables reentrant)
introduced a performance regression, because stackptr array is shared by
all cpus, adding cache line ping pongs. (16 cpus share a 64 bytes cache
line)

Fix this using alloc_percpu()

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-By: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: fix description of expected checkentry return code on xt_target 2010-05-20T13:59:16+00:00 Luciano Coelho luciano.coelho@nokia.com 2010-05-20T13:59:16+00:00 7ea7b858f4bc4fa1645f1327cf9e72c93981aa58 The text describing the return codes that are expected on calls to checkentry() was incorrect. Instead of returning true or false, or an error code, it should return 0 or an error code. Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com> Signed-off-by: Patrick McHardy <kaber@trash.net> 
The text describing the return codes that are expected on calls to
checkentry() was incorrect.  Instead of returning true or false, or an error
code, it should return 0 or an error code.

Signed-off-by: Luciano Coelho <luciano.coelho@nokia.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11T16:35:27+00:00 Jan Engelhardt jengelh@medozas.de 2009-07-07T18:54:30+00:00 b4ba26119b06052888696491f614201817491a0d Since xt_action_param is writable, let's use it. The pointer to 'bool hotdrop' always worried (8 bytes (64-bit) to write 1 byte!). Surprisingly results in a reduction in size: text data bss filename 5457066 692730 357892 vmlinux.o-prev 5456554 692730 357892 vmlinux.o Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
Since xt_action_param is writable, let's use it. The pointer to
'bool hotdrop' always worried (8 bytes (64-bit) to write 1 byte!).
Surprisingly results in a reduction in size:

   text    data     bss filename
5457066  692730  357892 vmlinux.o-prev
5456554  692730  357892 vmlinux.o

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: deconstify struct xt_action_param for matches 2010-05-11T16:33:37+00:00 Jan Engelhardt jengelh@medozas.de 2009-07-07T18:42:08+00:00 62fc8051083a334578c3f4b3488808f210b4565f In future, layer-3 matches will be an xt module of their own, and need to set the fragoff and thoff fields. Adding more pointers would needlessy increase memory requirements (esp. so for 64-bit, where pointers are wider). Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
In future, layer-3 matches will be an xt module of their own, and
need to set the fragoff and thoff fields. Adding more pointers would
needlessy increase memory requirements (esp. so for 64-bit, where
pointers are wider).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: substitute temporary defines by final name 2010-05-11T16:31:17+00:00 Jan Engelhardt jengelh@medozas.de 2009-07-05T17:43:26+00:00 4b560b447df83368df44bd3712c0c39b1d79ba04 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: xtables: combine struct xt_match_param and xt_target_param 2010-05-11T16:23:43+00:00 Jan Engelhardt jengelh@medozas.de 2009-07-05T16:26:37+00:00 de74c16996287250f0d947663127f80c6beebd3c The structures carried - besides match/target - almost the same data. It is possible to combine them, as extensions are evaluated serially, and so, the callers end up a little smaller. text data bss filename -15318 740 104 net/ipv4/netfilter/ip_tables.o +15286 740 104 net/ipv4/netfilter/ip_tables.o -15333 540 152 net/ipv6/netfilter/ip6_tables.o +15269 540 152 net/ipv6/netfilter/ip6_tables.o Signed-off-by: Jan Engelhardt <jengelh@medozas.de> 
The structures carried - besides match/target - almost the same data.
It is possible to combine them, as extensions are evaluated serially,
and so, the callers end up a little smaller.

  text  data  bss  filename
-15318   740  104  net/ipv4/netfilter/ip_tables.o
+15286   740  104  net/ipv4/netfilter/ip_tables.o
-15333   540  152  net/ipv6/netfilter/ip6_tables.o
+15269   540  152  net/ipv6/netfilter/ip6_tables.o

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
netfilter: x_tables: rectify XT_FUNCTION_MAXNAMELEN usage 2010-04-27T13:34:34+00:00 Jan Engelhardt jengelh@medozas.de 2010-04-27T13:34:34+00:00 4b2cbd42bef5a22bb681acd607a7c3fbca1eeb3c There has been quite a confusion in userspace about XT_FUNCTION_MAXNAMELEN; because struct xt_entry_match used MAX-1, userspace would have to do an awkward MAX-2 for maximum length checking (due to '\0'). This patch adds a new define that matches the definition of XT_TABLE_MAXNAMELEN - being the size of the actual struct member, not one off. Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net> 
There has been quite a confusion in userspace about
XT_FUNCTION_MAXNAMELEN; because struct xt_entry_match used MAX-1,
userspace would have to do an awkward MAX-2 for maximum length
checking (due to '\0'). This patch adds a new define that matches the
definition of XT_TABLE_MAXNAMELEN - being the size of the actual
struct member, not one off.

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: nf_conntrack: extend with extra stat counter 2010-04-23T10:34:56+00:00 Jesper Dangaard Brouer hawk@comx.dk 2010-04-23T10:34:56+00:00 af740b2c8f4521e2c45698ee6040941a82d6349d I suspect an unfortunatly series of events occuring under a DDoS attack, in function __nf_conntrack_find() nf_contrack_core.c. Adding a stats counter to see if the search is restarted too often. Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk> Signed-off-by: Patrick McHardy <kaber@trash.net> 
I suspect an unfortunatly series of events occuring under a DDoS
attack, in function __nf_conntrack_find() nf_contrack_core.c.

Adding a stats counter to see if the search is restarted too often.

Signed-off-by: Jesper Dangaard Brouer <hawk@comx.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Merge branch 'master' of /repos/git/net-next-2.6 2010-04-20T14:02:01+00:00 Patrick McHardy kaber@trash.net 2010-04-20T14:02:01+00:00 62910554656cdcd6b6f84a5154c4155aae4ca231 Conflicts: Documentation/feature-removal-schedule.txt net/ipv6/netfilter/ip6t_REJECT.c net/netfilter/xt_limit.c Signed-off-by: Patrick McHardy <kaber@trash.net> 
Conflicts:
	Documentation/feature-removal-schedule.txt
	net/ipv6/netfilter/ip6t_REJECT.c
	net/netfilter/xt_limit.c

Signed-off-by: Patrick McHardy <kaber@trash.net>
netfilter: xt_TEE: resolve oif using netdevice notifiers 2010-04-20T13:07:32+00:00 Patrick McHardy kaber@trash.net 2010-04-20T13:07:32+00:00 22265a5c3c103cf8c50be62e6c90d045eb649e6d Replace the runtime oif name resolving by netdevice notifier based resolving. When an oif is given, a netdevice notifier is registered to resolve the name on NETDEV_REGISTER or NETDEV_CHANGE and unresolve it again on NETDEV_UNREGISTER or NETDEV_CHANGE to a different name. Signed-off-by: Patrick McHardy <kaber@trash.net> 
Replace the runtime oif name resolving by netdevice notifier based
resolving. When an oif is given, a netdevice notifier is registered
to resolve the name on NETDEV_REGISTER or NETDEV_CHANGE and unresolve
it again on NETDEV_UNREGISTER or NETDEV_CHANGE to a different name.

Signed-off-by: Patrick McHardy <kaber@trash.net>