author | David S. Miller <davem@davemloft.net> | 2014-03-17 15:06:24 -0400 |
committer | David S. Miller <davem@davemloft.net> | 2014-03-17 15:06:24 -0400 |
commit | e86e180b824e00733bd0e499d412a595078f9b51 (patch) | |
tree | ebda350b99785b4d0dd0188dd28fa17ec8135474 /include/uapi | |
parent | e7ef085d0a9dc1cc72e7d8108ed3b4e1a5e8d938 (diff) | |
parent | 7d08487777c8b30dea34790734d708470faaf1e5 (diff) |
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next
The following patchset contains Netfilter/IPVS updates for net-next,
most relevantly they are:
* cleanup to remove double semicolon from stephen hemminger.
* calm down sparse warning in xt_ipcomp, from Fan Du.
* nf_ct_labels support for nf_tables, from Florian Westphal.
* new macros to simplify rcu dereferences in the scope of nfnetlink
and nf_tables, from Patrick McHardy.
* Accept queue and drop (including reason for drop) to verdict
parsing in nf_tables, also from Patrick.
* Remove unused random seed initialization in nfnetlink_log, from
Florian Westphal.
* Allow to attach user-specific information to nf_tables rules, useful
to attach user comments to rule, from me.
* Return errors in ipset according to the manpage documentation, from
Jozsef Kadlecsik.
* Fix coccinelle warnings related to incorrect bool type usage for ipset,
from Fengguang Wu.
* Add hash:ip,mark set type to ipset, from Vytas Dauksa.
* Fix message for each spotted by ipset for each netns that is created,
from Ilia Mirkin.
* Add forceadd option to ipset, which evicts a random entry from the set
if it becomes full, from Josh Hunt.
* Minor IPVS cleanups and fixes from Andi Kleen and Tingwei Liu.
* Improve conntrack scalability by removing a central spinlock, original
work from Eric Dumazet. Jesper Dangaard Brouer took them over to address
remaining issues. Several patches to prepare this change come in first
place.
* Rework nft_hash to resolve bugs (leaking chain, missing rcu synchronization
on element removal, etc.), from Patrick McHardy.
* Restore context in the rule deletion path, as we now release rule objects
synchronously, from Patrick McHardy. This gets back event notification for
anonymous sets.
* Fix NAT family validation in nft_nat, also from Patrick.
* Improve scalability of xt_connlimit by using an array of spinlocks and
by introducing a rb-tree of hashtables for faster lookup of accounted
objects per network. This patch was preceded by several patches and
refactorizations to accomodate this change including the use of kmem_cache,
from Florian Westphal.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/uapi')
-rw-r--r-- | include/uapi/linux/netfilter/ipset/ip_set.h | 12 | ||||
-rw-r--r-- | include/uapi/linux/netfilter/nf_tables.h | 6 |
2 files changed, 17 insertions, 1 deletions
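--- a/include/uapi/linux/netfilter/ipset/ip_set.h
+++ b/include/uapi/linux/netfilter/ipset/ip_set.h
@@ -82,6 +82,8 @@ enum {
 	IPSET_ATTR_PROTO, /* 7 */
 	IPSET_ATTR_CADT_FLAGS, /* 8 */
 	IPSET_ATTR_CADT_LINENO = IPSET_ATTR_LINENO, /* 9 */
+	IPSET_ATTR_MARK, /* 10 */
+	IPSET_ATTR_MARKMASK, /* 11 */
 	/* Reserve empty slots */
 	IPSET_ATTR_CADT_MAX = 16,
 	/* Create-only specific attributes */
@@ -144,6 +146,7 @@ enum ipset_errno {
 	IPSET_ERR_IPADDR_IPV6,
 	IPSET_ERR_COUNTER,
 	IPSET_ERR_COMMENT,
+	IPSET_ERR_INVALID_MARKMASK,
 
 	/* Type specific error codes */
 	IPSET_ERR_TYPE_SPECIFIC = 4352,
@@ -182,9 +185,18 @@ enum ipset_cadt_flags {
 	IPSET_FLAG_WITH_COUNTERS = (1 << IPSET_FLAG_BIT_WITH_COUNTERS),
 	IPSET_FLAG_BIT_WITH_COMMENT = 4,
 	IPSET_FLAG_WITH_COMMENT = (1 << IPSET_FLAG_BIT_WITH_COMMENT),
+	IPSET_FLAG_BIT_WITH_FORCEADD = 5,
+	IPSET_FLAG_WITH_FORCEADD = (1 << IPSET_FLAG_BIT_WITH_FORCEADD),
 	IPSET_FLAG_CADT_MAX = 15,
 };
 
+/* The flag bits which correspond to the non-extension create flags */
+enum ipset_create_flags {
+	IPSET_CREATE_FLAG_BIT_FORCEADD = 0,
+	IPSET_CREATE_FLAG_FORCEADD = (1 << IPSET_CREATE_FLAG_BIT_FORCEADD),
+	IPSET_CREATE_FLAG_BIT_MAX = 7,
+};
+
 /* Commands with settype-specific attributes */
 enum ipset_adt {
 	IPSET_ADD,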
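Review bot: `IPSET_CREATE_FLAG_BIT_MAX = 7` in the new `enum ipset_create_flags` gives no indication of where the upper bound of 7 comes from, so userspace consumers of this UAPI header have to guess whether bits above 7 are reserved for future create flags or simply not representable. A one-line comment such as `/* Highest bit a create flag may occupy; presumably bounded by the width of the field carrying these flags -- confirm against the kernel side */` would make the contract explicit and keep future additions from silently exceeding it. In the first hunk, `IPSET_ATTR_MARK` and `IPSET_ATTR_MARKMASK` consume two of the slots below the fixed `IPSET_ATTR_CADT_MAX = 16`; since the maximum is pinned, the `/* Reserve empty slots */` comment could state that values 12 to 15 remain free so the next addition does not collide with the maximum.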
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 83c985a6170b..c88ccbfda5f1 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h | |||
@@ -1,7 +1,8 @@ | |||
1 | #ifndef _LINUX_NF_TABLES_H | 1 | #ifndef _LINUX_NF_TABLES_H |
2 | #define _LINUX_NF_TABLES_H | 2 | #define _LINUX_NF_TABLES_H |
3 | 3 | ||
4 | #define NFT_CHAIN_MAXNAMELEN 32 | 4 | #define NFT_CHAIN_MAXNAMELEN 32 |
5 | #define NFT_USERDATA_MAXLEN 256 | ||
5 | 6 | ||
6 | enum nft_registers { | 7 | enum nft_registers { |
7 | NFT_REG_VERDICT, | 8 | NFT_REG_VERDICT, |
@@ -156,6 +157,7 @@ enum nft_chain_attributes { | |||
156 | * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes) | 157 | * @NFTA_RULE_EXPRESSIONS: list of expressions (NLA_NESTED: nft_expr_attributes) |
157 | * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes) | 158 | * @NFTA_RULE_COMPAT: compatibility specifications of the rule (NLA_NESTED: nft_rule_compat_attributes) |
158 | * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) | 159 | * @NFTA_RULE_POSITION: numeric handle of the previous rule (NLA_U64) |
160 | * @NFTA_RULE_USERDATA: user data (NLA_BINARY, NFT_USERDATA_MAXLEN) | ||
159 | */ | 161 | */ |
160 | enum nft_rule_attributes { | 162 | enum nft_rule_attributes { |
161 | NFTA_RULE_UNSPEC, | 163 | NFTA_RULE_UNSPEC, |
@@ -165,6 +167,7 @@ enum nft_rule_attributes { | |||
165 | NFTA_RULE_EXPRESSIONS, | 167 | NFTA_RULE_EXPRESSIONS, |
166 | NFTA_RULE_COMPAT, | 168 | NFTA_RULE_COMPAT, |
167 | NFTA_RULE_POSITION, | 169 | NFTA_RULE_POSITION, |
170 | NFTA_RULE_USERDATA, | ||
168 | __NFTA_RULE_MAX | 171 | __NFTA_RULE_MAX |
169 | }; | 172 | }; |
170 | #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) | 173 | #define NFTA_RULE_MAX (__NFTA_RULE_MAX - 1) |
@@ -601,6 +604,7 @@ enum nft_ct_keys { | |||
601 | NFT_CT_PROTOCOL, | 604 | NFT_CT_PROTOCOL, |
602 | NFT_CT_PROTO_SRC, | 605 | NFT_CT_PROTO_SRC, |
603 | NFT_CT_PROTO_DST, | 606 | NFT_CT_PROTO_DST, |
607 | NFT_CT_LABELS, | ||
604 | }; | 608 | }; |
605 | 609 | ||
606 | /** | 610 | /** |