linux.git/include/uapi/linux/netfilter, branch v3.9 Linux kernel source tree netfilter: xt_CT: add alias flag 2013-02-05T00:49:26+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-01-30T19:24:22+00:00 5474f57f7d686ac918355419cb71496f835aaf5d This patch adds the alias flag to support full NOTRACK target aliasing. Based on initial patch from Jozsef Kadlecsik. Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hi> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This patch adds the alias flag to support full NOTRACK target
aliasing.

Based on initial patch from Jozsef Kadlecsik.

Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hi>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xt_conntrack: Add flag to support aliases 2013-02-05T00:45:23+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2013-01-28T10:44:48+00:00 d1beadd1cb649404bfa2c3d92f77dbcb15b712e5 The patch adds the flag to denote the "state" alias as of the subset of the "conntrack" match. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The patch adds the flag to denote the "state" alias as of the subset
of the "conntrack" match.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: add missing xt_connlabel.h header in installation 2013-01-21T12:46:49+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-01-21T12:02:19+00:00 8a454ab95e5ccbffd04363e9c028f60739bc3fa4 In (c539f01 netfilter: add connlabel conntrack extension), it was missing the change to the Kbuild file to install the header in the system. Reported-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
In (c539f01 netfilter: add connlabel conntrack extension), it
was missing the change to the Kbuild file to install the header
in the system.

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: add missing xt_bpf.h header in installation 2013-01-21T11:30:59+00:00 Pablo Neira Ayuso pablo@netfilter.org 2013-01-21T11:30:59+00:00 e7db3cbcd6508235d63ba4a31bbd1ce4fdece6e1 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: x_tables: add xt_bpf match 2013-01-21T11:20:19+00:00 Willem de Bruijn willemb@google.com 2013-01-18T07:17:30+00:00 e6f30c731718db45cec380964dfee210307cfc4a Support arbitrary linux socket filter (BPF) programs as x_tables match rules. This allows for very expressive filters, and on platforms with BPF JIT appears competitive with traditional hardcoded iptables rules using the u32 match. The size of the filter has been artificially limited to 64 instructions maximum to avoid bloating the size of each rule using this new match. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Support arbitrary linux socket filter (BPF) programs as x_tables
match rules. This allows for very expressive filters, and on
platforms with BPF JIT appears competitive with traditional
hardcoded iptables rules using the u32 match.

The size of the filter has been artificially limited to 64
instructions maximum to avoid bloating the size of each rule
using this new match.

Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ctnetlink: allow userspace to modify labels 2013-01-17T23:28:17+00:00 Florian Westphal fw@strlen.de 2013-01-11T06:30:46+00:00 9b21f6a90924dfe8e5e686c314ddb441fb06501e Add the ability to set/clear labels assigned to a conntrack via ctnetlink. To allow userspace to only alter specific bits, Pablo suggested to add a new CTA_LABELS_MASK attribute: The new set of active labels is then determined via active = (active & ~mask) ^ changeset i.e., the mask selects those bits in the existing set that should be changed. This follows the same method already used by MARK and CONNMARK targets. Omitting CTA_LABELS_MASK is the same as setting all bits in CTA_LABELS_MASK to 1: The existing set is replaced by the one from userspace. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Add the ability to set/clear labels assigned to a conntrack
via ctnetlink.

To allow userspace to only alter specific bits, Pablo suggested to add
a new CTA_LABELS_MASK attribute:

The new set of active labels is then determined via

active = (active & ~mask) ^ changeset

i.e., the mask selects those bits in the existing set that should be
changed.

This follows the same method already used by MARK and CONNMARK targets.

Omitting CTA_LABELS_MASK is the same as setting all bits in CTA_LABELS_MASK
to 1: The existing set is replaced by the one from userspace.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ctnetlink: deliver labels to userspace 2013-01-17T23:28:16+00:00 Florian Westphal fw@strlen.de 2013-01-11T06:30:45+00:00 0ceabd83875b72a29f33db4ab703d6ba40ea4c58 Introduce CTA_LABELS attribute to send a bit-vector of currently active labels to userspace. Future patch will permit userspace to also set/delete active labels. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Introduce CTA_LABELS attribute to send a bit-vector of currently active labels
to userspace.

Future patch will permit userspace to also set/delete active labels.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: add connlabel conntrack extension 2013-01-17T23:28:15+00:00 Florian Westphal fw@strlen.de 2013-01-11T06:30:44+00:00 c539f01717c239cfa0921dd43927afc976f1eedc similar to connmarks, except labels are bit-based; i.e. all labels may be attached to a flow at the same time. Up to 128 labels are supported. Supporting more labels is possible, but requires increasing the ct offset delta from u8 to u16 type due to increased extension sizes. Mapping of bit-identifier to label name is done in userspace. The extension is enabled at run-time once "-m connlabel" netfilter rules are added. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
similar to connmarks, except labels are bit-based; i.e.
all labels may be attached to a flow at the same time.

Up to 128 labels are supported.  Supporting more labels
is possible, but requires increasing the ct offset delta
from u8 to u16 type due to increased extension sizes.

Mapping of bit-identifier to label name is done in userspace.

The extension is enabled at run-time once "-m connlabel" netfilter
rules are added.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: ctnetlink: dump entries from the dying and unconfirmed lists 2012-12-03T14:06:52+00:00 Pablo Neira Ayuso pablo@netfilter.org 2012-11-27T13:49:42+00:00 d871befe357ccc262edbb0a4f9aeea650012edf5 This patch adds a new operation to dump the content of the dying and unconfirmed lists. Under some situations, the global conntrack counter can be inconsistent with the number of entries that we can dump from the conntrack table. The way to resolve this is to allow dumping the content of the unconfirmed and dying lists, so far it was not possible to look at its content. This provides some extra instrumentation to resolve problematic situations in which anyone suspects memory leaks. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This patch adds a new operation to dump the content of the dying and
unconfirmed lists.

Under some situations, the global conntrack counter can be inconsistent
with the number of entries that we can dump from the conntrack table.
The way to resolve this is to allow dumping the content of the unconfirmed
and dying lists, so far it was not possible to look at its content.

This provides some extra instrumentation to resolve problematic situations
in which anyone suspects memory leaks.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
UAPI: (Scripted) Disintegrate include/linux/netfilter/ipset 2012-10-09T08:48:55+00:00 David Howells dhowells@redhat.com 2012-10-09T08:48:55+00:00 a82014149becc68695e7f1d62a8cc1e4ae062318 Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Arnd Bergmann <arnd@arndb.de> Acked-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Michael Kerrisk <mtk.manpages@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Dave Jones <davej@redhat.com> 
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Michael Kerrisk <mtk.manpages@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Acked-by: Dave Jones <davej@redhat.com>