linux.git/include/uapi/linux/netfilter, branch v4.7 Linux kernel source tree netfilter: xt_SYNPROXY: include missing <linux/types.h> 2016-06-17T11:47:40+00:00 Pablo Neira Ayuso pablo@netfilter.org 2016-06-17T10:54:18+00:00 1463847e93fe693e89c52b03ab4ede6800d717c1 ./usr/include/linux/netfilter/xt_SYNPROXY.h:11: found __[us]{8,16,32,64} type without #include <linux/types.h> Reported-by: kbuild test robot <lkp@intel.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
./usr/include/linux/netfilter/xt_SYNPROXY.h:11: found __[us]{8,16,32,64} type without #include <linux/types.h>

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: xt_SYNPROXY: add missing header to Kbuild 2016-06-17T11:47:28+00:00 Pablo Neira Ayuso pablo@netfilter.org 2016-06-17T10:54:18+00:00 8f45927c3cae4db85887700e5415286f766cbaf9 Matt Whitlock says: Without this line, the file xt_SYNPROXY.h does not get installed in /usr/include/linux/netfilter/, and thus user-space programs cannot make use of it. Reported-by: Matt Whitlock <kernel@mattwhitlock.name> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Matt Whitlock says:

 Without this line, the file xt_SYNPROXY.h does not get installed in
 /usr/include/linux/netfilter/, and thus user-space programs cannot make
 use of it.

Reported-by: Matt Whitlock <kernel@mattwhitlock.name>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: allow set names up to 32 bytes 2016-05-05T14:39:51+00:00 Pablo Neira Ayuso pablo@netfilter.org 2016-05-04T15:49:53+00:00 cb39ad8b8ef224c544074962780bf763077d6141 Currently, we support set names of up to 16 bytes, get this aligned with the maximum length we can use in ipset to make it easier when considering migration to nf_tables. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Currently, we support set names of up to 16 bytes, get this aligned
with the maximum length we can use in ipset to make it easier when
considering migration to nf_tables.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
libnl: nla_put_net64(): align on a 64-bit area 2016-04-24T00:13:24+00:00 Nicolas Dichtel nicolas.dichtel@6wind.com 2016-04-22T15:31:19+00:00 e9bbe898cbe89b17ad3993c136aa13d0431cd537 nla_data() is now aligned on a 64-bit area. The temporary function nla_put_be64_32bit() is removed in this patch. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
nla_data() is now aligned on a 64-bit area.

The temporary function nla_put_be64_32bit() is removed in this patch.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
libnl: nla_put_be64(): align on a 64-bit area 2016-04-24T00:13:24+00:00 Nicolas Dichtel nicolas.dichtel@6wind.com 2016-04-22T15:31:18+00:00 b46f6ded906ef0be52a4881ba50a084aeca64d7e nla_data() is now aligned on a 64-bit area. A temporary version (nla_put_be64_32bit()) is added for nla_put_net64(). This function is removed in the next patch. Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net> 
nla_data() is now aligned on a 64-bit area.

A temporary version (nla_put_be64_32bit()) is added for nla_put_net64().
This function is removed in the next patch.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
netfilter: bridge: pass L2 header and VLAN as netlink attributes in queues to userspace 2016-03-29T11:26:38+00:00 Stephane Bryant stephane.ml.bryant@gmail.com 2016-03-26T07:42:11+00:00 15824ab29f364abd3299ecd17ea48473d971aa79 - This creates 2 netlink attribute NFQA_VLAN and NFQA_L2HDR. - These are filled up for the PF_BRIDGE family on the way to userspace. - NFQA_VLAN is a nested attribute, with the NFQA_VLAN_PROTO and the NFQA_VLAN_TCI carrying the corresponding vlan_proto and vlan_tci fields from the skb using big endian ordering (and using the CFI bit as the VLAN_TAG_PRESENT flag in vlan_tci as in the skb) Signed-off-by: Stephane Bryant <stephane.ml.bryant@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
- This creates 2 netlink attribute NFQA_VLAN and NFQA_L2HDR.
- These are filled up for the PF_BRIDGE family on the way to userspace.
- NFQA_VLAN is a nested attribute, with the NFQA_VLAN_PROTO and the
  NFQA_VLAN_TCI carrying the corresponding vlan_proto and vlan_tci
  fields from the skb using big endian ordering (and using the CFI
  bit as the VLAN_TAG_PRESENT flag in vlan_tci as in the skb)

Signed-off-by: Stephane Bryant <stephane.ml.bryant@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: Remove IP_CT_NEW_REPLY definition. 2016-03-14T22:47:27+00:00 Jarno Rajahalme jarno@ovn.org 2016-03-10T18:54:16+00:00 bfa3f9d7f3b349acea8982d2248e33a0ed84c687 Remove the definition of IP_CT_NEW_REPLY from the kernel as it does not make sense. This allows the definition of IP_CT_NUMBER to be simplified as well. Signed-off-by: Jarno Rajahalme <jarno@ovn.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Remove the definition of IP_CT_NEW_REPLY from the kernel as it does
not make sense.  This allows the definition of IP_CT_NUMBER to be
simplified as well.

Signed-off-by: Jarno Rajahalme <jarno@ovn.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_masq: support port range 2016-03-02T19:05:27+00:00 Pablo Neira Ayuso pablo@netfilter.org 2016-03-01T18:55:14+00:00 8a6bf5da1aefdafd60b73d9122c7af9fd2d7bb9c Complete masquerading support by allowing port range selection. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Complete masquerading support by allowing port range selection.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: meta: add PRANDOM support 2016-02-29T12:55:59+00:00 Florian Westphal fw@strlen.de 2016-02-16T16:24:08+00:00 b07edbe1cf3dae9ba81f24888e2f2a9dbe778918 Can be used to randomly match packets e.g. for statistic traffic sampling. See commit 3ad0040573b0c00f8848 ("bpf: split state from prandom_u32() and consolidate {c, e}BPF prngs") for more info why this doesn't use prandom_u32 directly. Unlike bpf nft_meta can be built as a module, so add an EXPORT_SYMBOL for prandom_seed_full_state too. Cc: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Can be used to randomly match packets e.g. for statistic traffic sampling.

See commit 3ad0040573b0c00f8848
("bpf: split state from prandom_u32() and consolidate {c, e}BPF prngs")
for more info why this doesn't use prandom_u32 directly.

Unlike bpf nft_meta can be built as a module, so add an EXPORT_SYMBOL
for prandom_seed_full_state too.

Cc: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_ct: add byte/packet counter support 2016-01-08T13:44:09+00:00 Florian Westphal fw@strlen.de 2016-01-07T20:34:24+00:00 48f66c905a976bf0ff092fc24f08d9addd82a245 If the accounting extension isn't present, we'll return a counter value of 0. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
If the accounting extension isn't present, we'll return a counter
value of 0.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>