diff options
| author | David S. Miller <davem@davemloft.net> | 2014-03-17 15:06:24 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-03-17 15:06:24 -0400 |
| commit | e86e180b824e00733bd0e499d412a595078f9b51 (patch) | |
| tree | ebda350b99785b4d0dd0188dd28fa17ec8135474 /include/uapi | |
| parent | e7ef085d0a9dc1cc72e7d8108ed3b4e1a5e8d938 (diff) | |
| parent | 7d08487777c8b30dea34790734d708470faaf1e5 (diff) | |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next
The following patchset contains Netfilter/IPVS updates for net-next,
most relevantly they are:
* cleanup to remove double semicolon from stephen hemminger.
* calm down sparse warning in xt_ipcomp, from Fan Du.
* nf_ct_labels support for nf_tables, from Florian Westphal.
* new macros to simplify rcu dereferences in the scope of nfnetlink
and nf_tables, from Patrick McHardy.
* Accept queue and drop (including reason for drop) to verdict
parsing in nf_tables, also from Patrick.
* Remove unused random seed initialization in nfnetlink_log, from
Florian Westphal.
* Allow to attach user-specific information to nf_tables rules, useful
to attach user comments to rule, from me.
* Return errors in ipset according to the manpage documentation, from
Jozsef Kadlecsik.
* Fix coccinelle warnings related to incorrect bool type usage for ipset,
from Fengguang Wu.
* Add hash:ip,mark set type to ipset, from Vytas Dauksa.
* Fix message for each spotted by ipset for each netns that is created,
from Ilia Mirkin.
* Add forceadd option to ipset, which evicts a random entry from the set
if it becomes full, from Josh Hunt.
* Minor IPVS cleanups and fixes from Andi Kleen and Tingwei Liu.
* Improve conntrack scalability by removing a central spinlock, original
work from Eric Dumazet. Jesper Dangaard Brouer took them over to address
remaining issues. Several patches to prepare this change come in first
place.
* Rework nft_hash to resolve bugs (leaking chain, missing rcu synchronization
on element removal, etc. from Patrick McHardy.
* Restore context in the rule deletion path, as we now release rule objects
synchronously, from Patrick McHardy. This gets back event notification for
anonymous sets.
* Fix NAT family validation in nft_nat, also from Patrick.
* Improve scalability of xt_connlimit by using an array of spinlocks and
by introducing a rb-tree of hashtables for faster lookup of accounted
objects per network. This patch was preceded by several patches and
refactorizations to accomodate this change including the use of kmem_cache,
from Florian Westphal.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/uapi')
| -rw-r--r-- | include/uapi/linux/netfilter/ipset/ip_set.h | 12 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 6 |
2 files changed, 17 insertions, 1 deletions
diff --git a/include/uapi/linux/netfilter/ipset/ip_set.h b/include/uapi/linux/netfilter/ipset/ip_set.h index 25d3b2f79c02..78c2f2e79920 100644 --- a/include/uapi/linux/netfilter/ipset/ip_set.h +++ b/include/uapi/linux/netfilter/ipset/ip_set.h | |||
| @@ -82,6 +82,8 @@ enum { | |||
| 82 | IPSET_ATTR_PROTO, /* 7 */ | 82 | IPSET_ATTR_PROTO, /* 7 */ |
| 83 | IPSET_ATTR_CADT_FLAGS, /* 8 */ | 83 | IPSET_ATTR_CADT_FLAGS, /* 8 */ |
| 84 | IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ | 84 | IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */ |
| 85 | IPSET_ATTR_MARK, /* 10 */ | ||
| 86 | IPSET_ATTR_MARKMASK, /* 11 */ | ||
| 85 | /* Reserve empty slots */ | 87 | /* Reserve empty slots */ |
| 86 | IPSET_ATTR_CADT_MAX = 16, | 88 | IPSET_ATTR_CADT_MAX = 16, |
| 87 | /* Create-only specific attributes */ | 89 | /* Create-only specific attributes */ |
| @@ -144,6 +146,7 @@ enum ipset_errno { | |||
| 144 | IPSET_ERR_IPADDR_IPV6, | 146 | IPSET_ERR_IPADDR_IPV6, |
| 145 | IPSET_ERR_COUNTER, | 147 | IPSET_ERR_COUNTER, |
| 146 | IPSET_ERR_COMMENT, | 148 | IPSET_ERR_COMMENT, |
| 149 | IPSET_ERR_INVALID_MARKMASK, | ||
| 147 | 150 | ||
| 148 | /* Type specific error codes */ | 151 | /* Type specific error codes */ |
| 149 | IPSET_ERR_TYPE_SPECIFIC = 4352, | 152 | IPSET_ERR_TYPE_SPECIFIC = 4352, |
| @@ -182,9 +185,18 @@ enum ipset_cadt_flags { | |||
| 182 | IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS), | 185 | IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS), |
| 183 | IPSET_FLAG_BIT_WITH_COMMENT = 4, | 186 | IPSET_FLAG_BIT_WITH_COMMENT = 4, |
| 184 | IPSET_FLAG_WITH_COMMENT = (1 << IPSET_FLAG_BIT_WITH_COMMENT), | 187 | IPSET_FLAG_WITH_COMMENT = (1 << IPSET_FLAG_BIT_WITH_COMMENT), |
| 188 | IPSET_FLAG_BIT_WITH_FORCEADD = 5, | ||
| 189 | IPSET_FLAG_WITH_FORCEADD = (1 << IPSET_FLAG_BIT_WITH_FORCEADD), | ||
| 185 | IPSET_FLAG_CADT_MAX = 15, | 190 | IPSET_FLAG_CADT_MAX = 15, |
| 186 | }; | 191 | }; |
| 187 | 192 | ||
| 193 | /* The flag bits which correspond to the non-extension create flags */ | ||
| 194 | enum ipset_create_flags { | ||
| 195 | IPSET_CREATE_FLAG_BIT_FORCEADD = 0, | ||
| 196 | IPSET_CREATE_FLAG_FORCEADD = (1 << IPSET_CREATE_FLAG_BIT_FORCEADD), | ||
| 197 | IPSET_CREATE_FLAG_BIT_MAX = 7, | ||
| 198 | }; | ||
| 199 | |||
| 188 | /* Commands with settype-specific attributes */ | 200 | /* Commands with settype-specific attributes */ |
| 189 | enum ipset_adt { | 201 | enum ipset_adt { |
| 190 | IPSET_ADD, | 202 | IPSET_ADD, |
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 83c985a6170b..c88ccbfda5f1 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h | |||
| @@ -1,7 +1,8 @@ | |||
| 1 | #ifndef _LINUX_NF_TABLES_H | 1 | #ifndef _LINUX_NF_TABLES_H |
| 2 | #define _LINUX_NF_TABLES_H | 2 | #define _LINUX_NF_TABLES_H |
| 3 | 3 | ||
| 4 | #define NFT_CHAIN_MAXNAMELEN 32 | 4 | #define NFT_CHAIN_MAXNAMELEN 32 |
| 5 | #define NFT_USERDATA_MAXLEN 256 | ||
| 5 | 6 | ||
| 6 | enum nft_registers { | 7 | enum nft_registers { |
| 7 | NFT_REG_VERDICT, | 8 | NFT_REG_VERDICT, |
| @@ -156,6 +157,7 @@ enum nft_chain_attributes { | |||
| 156 | * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes) | 157 | * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes) |
| 157 | * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes) | 158 | * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes) |
| 158 | * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) | 159 | * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) |
| 160 | * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN) | ||
| 159 | */ | 161 | */ |
| 160 | enum nft_rule_attributes { | 162 | enum nft_rule_attributes { |
| 161 | NFTA_RULE_UNSPEC, | 163 | NFTA_RULE_UNSPEC, |
| @@ -165,6 +167,7 @@ enum nft_rule_attributes { | |||
| 165 | NFTA_RULE_EXPRESSIONS, | 167 | NFTA_RULE_EXPRESSIONS, |
| 166 | NFTA_RULE_COMPAT, | 168 | NFTA_RULE_COMPAT, |
| 167 | NFTA_RULE_POSITION, | 169 | NFTA_RULE_POSITION, |
| 170 | NFTA_RULE_USERDATA, | ||
| 168 | __NFTA_RULE_MAX | 171 | __NFTA_RULE_MAX |
| 169 | }; | 172 | }; |
| 170 | #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) | 173 | #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) |
| @@ -601,6 +604,7 @@ enum nft_ct_keys { | |||
| 601 | NFT_CT_PROTOCOL, | 604 | NFT_CT_PROTOCOL, |
| 602 | NFT_CT_PROTO_SRC, | 605 | NFT_CT_PROTO_SRC, |
| 603 | NFT_CT_PROTO_DST, | 606 | NFT_CT_PROTO_DST, |
| 607 | NFT_CT_LABELS, | ||
| 604 | }; | 608 | }; |
| 605 | 609 | ||
| 606 | /** | 610 | /** |