Клиентские базы Skype: prodawez390 Email: prodawez...@gmail.com Whatsapp:
+79139230330
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
This allows easier future refactoring.
Signed-off-by: Aaron Conole
---
include/linux/netfilter.h | 27 +++
net/bridge/br_netfilter_hooks.c | 2 +-
net/netfilter/core.c| 10 --
net/netfilter/nf_queue.c| 5 ++---
4
From: Aaron Conole
During nfhook traversal we only need a very small subset of
nf_hook_ops members.
We need:
- next element
- hook function to call
- hook function priv argument
Bridge netfilter also needs 'thresh'; can be obtained via ->orig_ops.
nf_hook_entry struct is
This switch (default on) can be used to disable automatic registration
of connection tracking functionality in newly created network
namespaces.
This means that when net namespace goes down (or the tracker protocol
module is unloaded) we *might* have to unregister the hooks.
We can either add
Historically all the netfilter hooks got registered on module load time.
When net namespace support was added, hooks were registered in each
namespace (and new net namespaces inherit already-registered hooks from
global list).
This means that once nf_conntrack_ipv4/6.ko is loaded, all
existing
MASQUERADE, S/DNAT and REDIRECT already call functions that depend on the
conntrack module.
However, since the conntrack hooks are now registered in a lazy fashion
(i.e., only when needed) a symbol reference is not enough.
Thus, when something is added to a nat table, make sure that it will see
currently aliased to try_module_get/_put.
Will be changed in next patch when we add functions to make use of ->net
argument to store usercount per l3proto tracker.
This is needed to avoid registering the conntrack hooks in all netns and
later only enable connection tracking in those that need
2016-11-15 6:21 GMT+08:00 Pablo Neira Ayuso :
> On Sun, Sep 25, 2016 at 05:06:58PM +0800, Liping Zhang wrote:
>> From: Liping Zhang
>>
>> After NF_LOG_XXX is exposed to the userspace, we can set log flags to
>> log more things. The following
CONFIG_NF_CT_PROTO_DCCP is no more a tristate. When set to y, connection
tracking support for DCCP protocol is built-in into nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_dccp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
CONFIG_NF_CT_PROTO_SCTP is no more a tristate. When set to y, connection
tracking support for SCTP protocol is built-in into nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_sctp,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
CONFIG_NF_CT_PROTO_UDPLITE is no more a tristate. When set to y,
connection tracking support for UDPlite protocol is built-in into
nf_conntrack.ko.
footprint test:
$ ls -l net/netfilter/nf_conntrack{_proto_udplite,}.ko \
net/ipv4/netfilter/nf_conntrack_ipv4.ko \
To allow usage of enum ip_conntrack_dir in include/net/netns/conntrack.h,
this patch encloses #include in a #ifndef __KERNEL__
directive, so that compiler errors caused by unwanted inclusion of
include/linux/netfilter.h are avoided.
In addition, #include line has
been added to resolve correctly
When netfilter needs to match traffic made by one of the above protocols,
layer-4 connection tracking functionality will not be available, unless the
user explicly loads it in the kernel (e.g. "modprobe nf_conntrack_proto_sctp")
or modifies the default kernel configuration and rebuilds.
In order
From: Pablo Neira Ayuso
> Sent: 13 November 2016 22:25
> Allocate memory with kmalloc() rather than kzalloc(): the string
> is immediately initialized so it is unnecessary to zero out
> the allocated memory area.
>
> Ported from a patch proposed by Sergey Popovich .
>
>
From: Gao Feng
This minor refactoring does not change the logic of function
ip_vs_genl_dump_dests.
Signed-off-by: Gao Feng
Acked-by: Julian Anastasov
Signed-off-by: Simon Horman
---
net/netfilter/ipvs/ip_vs_ctl.c | 2 +-
1
From: Dwip Banerjee
We decrement the IP ttl in all the modes in order to prevent infinite
route loops. The changes were done based on Julian Anastasov's
suggestions in a prior thread.
The ttl based check/discard and the actual decrement are done in
__ip_vs_get_out_rt()
16 matches
Mail list logo