mirror of https://gitee.com/openkylin/linux.git
ca69d7102f
Pablo Neira Ayuso says:
====================
Netfilter updates for net-next
The following patchset contains Netfilter updates for your net-next tree.
They are:
* nf_tables set timeout infrastructure from Patrick Mchardy.
1) Add support for set timeout support.
2) Add support for set element timeouts using the new set extension
infrastructure.
4) Add garbage collection helper functions to get rid of stale elements.
Elements are accumulated in a batch that are asynchronously released
via RCU when the batch is full.
5) Add garbage collection synchronization helpers. This introduces a new
element busy bit to address concurrent access from the netlink API and the
garbage collector.
5) Add timeout support for the nft_hash set implementation. The garbage
collector peridically checks for stale elements from the workqueue.
* iptables/nftables cgroup fixes:
6) Ignore non full-socket objects from the input path, otherwise cgroup
match may crash, from Daniel Borkmann.
7) Fix cgroup in nf_tables.
8) Save some cycles from xt_socket by skipping packet header parsing when
skb->sk is already set because of early demux. Also from Daniel.
* br_netfilter updates from Florian Westphal.
9) Save frag_max_size and restore it from the forward path too.
10) Use a per-cpu area to restore the original source MAC address when traffic
is DNAT'ed.
11) Add helper functions to access physical devices.
12) Use these new physdev helper function from xt_physdev.
13) Add another nf_bridge_info_get() helper function to fetch the br_netfilter
state information.
14) Annotate original layer 2 protocol number in nf_bridge info, instead of
using kludgy flags.
15) Also annotate the pkttype mangling when the packet travels back and forth
from the IP to the bridge layer, instead of using a flag.
* More nf_tables set enhancement from Patrick:
16) Fix possible usage of set variant that doesn't support timeouts.
17) Avoid spurious "set is full" errors from Netlink API when there are pending
stale elements scheduled to be released.
18) Restrict loop checks to set maps.
19) Add support for dynamic set updates from the packet path.
20) Add support to store optional user data (eg. comments) per set element.
BTW, I have also pulled net-next into nf-next to anticipate the conflict
resolution between your okfn() signature changes and Florian's br_netfilter
updates.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| arp_tables.c | ||
| arpt_mangle.c | ||
| arptable_filter.c | ||
| ip_tables.c | ||
| ipt_CLUSTERIP.c | ||
| ipt_ECN.c | ||
| ipt_MASQUERADE.c | ||
| ipt_REJECT.c | ||
| ipt_SYNPROXY.c | ||
| ipt_ah.c | ||
| ipt_rpfilter.c | ||
| iptable_filter.c | ||
| iptable_mangle.c | ||
| iptable_nat.c | ||
| iptable_raw.c | ||
| iptable_security.c | ||
| nf_conntrack_l3proto_ipv4.c | ||
| nf_conntrack_l3proto_ipv4_compat.c | ||
| nf_conntrack_proto_icmp.c | ||
| nf_defrag_ipv4.c | ||
| nf_log_arp.c | ||
| nf_log_ipv4.c | ||
| nf_nat_h323.c | ||
| nf_nat_l3proto_ipv4.c | ||
| nf_nat_masquerade_ipv4.c | ||
| nf_nat_pptp.c | ||
| nf_nat_proto_gre.c | ||
| nf_nat_proto_icmp.c | ||
| nf_nat_snmp_basic.c | ||
| nf_reject_ipv4.c | ||
| nf_tables_arp.c | ||
| nf_tables_ipv4.c | ||
| nft_chain_nat_ipv4.c | ||
| nft_chain_route_ipv4.c | ||
| nft_masq_ipv4.c | ||
| nft_redir_ipv4.c | ||
| nft_reject_ipv4.c | ||