Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

author: David S. Miller <davem@davemloft.net> 2011-07-21 15:39:35 -0400
committer: David S. Miller <davem@davemloft.net> 2011-07-21 15:39:35 -0400
commit: f5caadbb3d8fc0b71533e880c684b2230bdb76ac (patch)
tree: 7a23a2b44f6e043d9cb6ad4245b78da4bd2e14b0 /include
parent: 0ca87f05ba8bdc6791c14878464efc901ad71e99 (diff)
parent: 0f598f0b4c3b2259366cfa8adc01bd8e714c82d0 (diff)
4 files changed, 83 insertions, 36 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 9d339eb27881..0c8006129fb2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -613,6 +613,12 @@ extern void		    audit_log_d_path(struct audit_buffer *ab,
 extern void                 audit_log_key(struct audit_buffer *ab,
                                          char *key);
 extern void                 audit_log_lost(const char *message);
+#ifdef CONFIG_SECURITY
+extern void                 audit_log_secctx(struct audit_buffer *ab, u32 secid);
+#else
+#define audit_log_secctx(b,s) do { ; } while (0)
+#endif
 extern int                  audit_update_lsm_rules(void);
                                /* Private API (for audit.c only) */
@@ -635,6 +641,7 @@ extern int audit_enabled;
 #define audit_log_untrustedstring(a,s) do { ; } while (0)
 #define audit_log_d_path(b, p, d) do { ; } while (0)
 #define audit_log_key(b, k) do { ; } while (0)
+#define audit_log_secctx(b,s) do { ; } while (0)
 #define audit_enabled 0
 #endif
 #endif
diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h
index c5b06aaa205c..b89fb79cb44f 100644
--- a/include/linux/netfilter/ipset/ip_set_ahash.h
+++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -28,7 +28,32 @@
 /* Number of elements to store in an initial array block */
 #define AHASH_INIT_SIZE                 4
 /* Max number of elements to store in an array block */
-#define AHASH_MAX_SIZE                  (3*4)
+#define AHASH_MAX_SIZE                  (3*AHASH_INIT_SIZE)
+/* Max number of elements can be tuned */
+#ifdef IP_SET_HASH_WITH_MULTI
+#define AHASH_MAX(h)                    ((h)->ahash_max)
+static inline u8
+tune_ahash_max(u8 curr, u32 multi)
+{
+        u32 n;
+        if (multi < curr)
+                return curr;
+        n = curr + AHASH_INIT_SIZE;
+        /* Currently, at listing one hash bucket must fit into a message.
+         * Therefore we have a hard limit here.
+         */
+        return n > curr && n <= 64 ? n : curr;
+}
+#define TUNE_AHASH_MAX(h, multi)        \
+        ((h)->ahash_max = tune_ahash_max((h)->ahash_max, multi))
+#else
+#define AHASH_MAX(h)                    AHASH_MAX_SIZE
+#define TUNE_AHASH_MAX(h, multi)
+#endif
 /* A hash bucket */
 struct hbucket {
@@ -60,6 +85,9 @@ struct ip_set_hash {
        u32 timeout;            /* timeout value, if enabled */
        struct timer_list gc;   /* garbage collection when timeout enabled */
        struct type_pf_next next; /* temporary storage for uadd */
+#ifdef IP_SET_HASH_WITH_MULTI
+        u8 ahash_max;           /* max elements in an array block */
+#endif
 #ifdef IP_SET_HASH_WITH_NETMASK
        u8 netmask;             /* netmask value for subnets to store */
 #endif
@@ -211,12 +239,16 @@ ip_set_hash_destroy(struct ip_set *set)
        set->data = NULL;
 }
-#define HKEY(data, initval, htable_bits)                                 \
-(jhash2((u32 *)(data), sizeof(struct type_pf_elem)/sizeof(u32), initval) \
-        & jhash_mask(htable_bits))
 #endif /* _IP_SET_AHASH_H */
+#ifndef HKEY_DATALEN
+#define HKEY_DATALEN    sizeof(struct type_pf_elem)
+#endif
+#define HKEY(data, initval, htable_bits)                        \
+(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval)       \
+        & jhash_mask(htable_bits))
 #define CONCAT(a, b, c)         a##b##c
 #define TOKEN(a, b, c)          CONCAT(a, b, c)
@@ -275,12 +307,13 @@ ip_set_hash_destroy(struct ip_set *set)
 /* Add an element to the hash table when resizing the set:
 * we spare the maintenance of the internal counters. */
 static int
-type_pf_elem_add(struct hbucket *n, const struct type_pf_elem *value)
+type_pf_elem_add(struct hbucket *n, const struct type_pf_elem *value,
+                 u8 ahash_max)
 {
        if (n->pos >= n->size) {
                void *tmp;
-                if (n->size >= AHASH_MAX_SIZE)
+                if (n->size >= ahash_max)
                        /* Trigger rehashing */
                        return -EAGAIN;
@@ -335,7 +368,7 @@ retry:
                for (j = 0; j < n->pos; j++) {
                        data = ahash_data(n, j);
                        m = hbucket(t, HKEY(data, h->initval, htable_bits));
-                        ret = type_pf_elem_add(m, data);
+                        ret = type_pf_elem_add(m, data, AHASH_MAX(h));
                        if (ret < 0) {
                                read_unlock_bh(&set->lock);
                                ahash_destroy(t);
@@ -359,7 +392,7 @@ retry:
        return 0;
 }
-static void
+static inline void
 type_pf_data_next(struct ip_set_hash *h, const struct type_pf_elem *d);
 /* Add an element to a hash and update the internal counters when succeeded,
@@ -372,7 +405,7 @@ type_pf_add(struct ip_set *set, void *value, u32 timeout, u32 flags)
        const struct type_pf_elem *d = value;
        struct hbucket *n;
        int i, ret = 0;
-        u32 key;
+        u32 key, multi = 0;
        if (h->elements >= h->maxelem)
                return -IPSET_ERR_HASH_FULL;
@@ -382,12 +415,12 @@ type_pf_add(struct ip_set *set, void *value, u32 timeout, u32 flags)
        key = HKEY(value, h->initval, t->htable_bits);
        n = hbucket(t, key);
        for (i = 0; i < n->pos; i++)
-                if (type_pf_data_equal(ahash_data(n, i), d)) {
+                if (type_pf_data_equal(ahash_data(n, i), d, &multi)) {
                        ret = -IPSET_ERR_EXIST;
                        goto out;
                }
+        TUNE_AHASH_MAX(h, multi);
-        ret = type_pf_elem_add(n, value);
+        ret = type_pf_elem_add(n, value, AHASH_MAX(h));
        if (ret != 0) {
                if (ret == -EAGAIN)
                        type_pf_data_next(h, d);
@@ -415,13 +448,13 @@ type_pf_del(struct ip_set *set, void *value, u32 timeout, u32 flags)
        struct hbucket *n;
        int i;
        struct type_pf_elem *data;
-        u32 key;
+        u32 key, multi = 0;
        key = HKEY(value, h->initval, t->htable_bits);
        n = hbucket(t, key);
        for (i = 0; i < n->pos; i++) {
                data = ahash_data(n, i);
-                if (!type_pf_data_equal(data, d))
+                if (!type_pf_data_equal(data, d, &multi))
                        continue;
                if (i != n->pos - 1)
                        /* Not last one */
@@ -462,17 +495,17 @@ type_pf_test_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout)
        struct hbucket *n;
        const struct type_pf_elem *data;
        int i, j = 0;
-        u32 key;
+        u32 key, multi = 0;
        u8 host_mask = SET_HOST_MASK(set->family);
        pr_debug("test by nets\n");
-        for (; j < host_mask && h->nets[j].cidr; j++) {
+        for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
                type_pf_data_netmask(d, h->nets[j].cidr);
                key = HKEY(d, h->initval, t->htable_bits);
                n = hbucket(t, key);
                for (i = 0; i < n->pos; i++) {
                        data = ahash_data(n, i);
-                        if (type_pf_data_equal(data, d))
+                        if (type_pf_data_equal(data, d, &multi))
                                return 1;
                }
        }
@@ -490,7 +523,7 @@ type_pf_test(struct ip_set *set, void *value, u32 timeout, u32 flags)
        struct hbucket *n;
        const struct type_pf_elem *data;
        int i;
-        u32 key;
+        u32 key, multi = 0;
 #ifdef IP_SET_HASH_WITH_NETS
        /* If we test an IP address and not a network address,
@@ -503,7 +536,7 @@ type_pf_test(struct ip_set *set, void *value, u32 timeout, u32 flags)
        n = hbucket(t, key);
        for (i = 0; i < n->pos; i++) {
                data = ahash_data(n, i);
-                if (type_pf_data_equal(data, d))
+                if (type_pf_data_equal(data, d, &multi))
                        return 1;
        }
        return 0;
@@ -660,14 +693,14 @@ type_pf_data_timeout_set(struct type_pf_elem *data, u32 timeout)
 static int
 type_pf_elem_tadd(struct hbucket *n, const struct type_pf_elem *value,
-                  u32 timeout)
+                  u8 ahash_max, u32 timeout)
 {
        struct type_pf_elem *data;
        if (n->pos >= n->size) {
                void *tmp;
-                if (n->size >= AHASH_MAX_SIZE)
+                if (n->size >= ahash_max)
                        /* Trigger rehashing */
                        return -EAGAIN;
@@ -772,7 +805,7 @@ retry:
                for (j = 0; j < n->pos; j++) {
                        data = ahash_tdata(n, j);
                        m = hbucket(t, HKEY(data, h->initval, htable_bits));
-                        ret = type_pf_elem_tadd(m, data,
+                        ret = type_pf_elem_tadd(m, data, AHASH_MAX(h),
                                                type_pf_data_timeout(data));
                        if (ret < 0) {
                                read_unlock_bh(&set->lock);
@@ -803,9 +836,9 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
        const struct type_pf_elem *d = value;
        struct hbucket *n;
        struct type_pf_elem *data;
-        int ret = 0, i, j = AHASH_MAX_SIZE + 1;
+        int ret = 0, i, j = AHASH_MAX(h) + 1;
        bool flag_exist = flags & IPSET_FLAG_EXIST;
-        u32 key;
+        u32 key, multi = 0;
        if (h->elements >= h->maxelem)
                /* FIXME: when set is full, we slow down here */
@@ -819,18 +852,18 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
        n = hbucket(t, key);
        for (i = 0; i < n->pos; i++) {
                data = ahash_tdata(n, i);
-                if (type_pf_data_equal(data, d)) {
+                if (type_pf_data_equal(data, d, &multi)) {
                        if (type_pf_data_expired(data) || flag_exist)
                                j = i;
                        else {
                                ret = -IPSET_ERR_EXIST;
                                goto out;
                        }
-                } else if (j == AHASH_MAX_SIZE + 1 &&
+                } else if (j == AHASH_MAX(h) + 1 &&
                           type_pf_data_expired(data))
                        j = i;
        }
-        if (j != AHASH_MAX_SIZE + 1) {
+        if (j != AHASH_MAX(h) + 1) {
                data = ahash_tdata(n, j);
 #ifdef IP_SET_HASH_WITH_NETS
                del_cidr(h, data->cidr, HOST_MASK);
@@ -840,7 +873,8 @@ type_pf_tadd(struct ip_set *set, void *value, u32 timeout, u32 flags)
                type_pf_data_timeout_set(data, timeout);
                goto out;
        }
-        ret = type_pf_elem_tadd(n, d, timeout);
+        TUNE_AHASH_MAX(h, multi);
+        ret = type_pf_elem_tadd(n, d, AHASH_MAX(h), timeout);
        if (ret != 0) {
                if (ret == -EAGAIN)
                        type_pf_data_next(h, d);
@@ -865,13 +899,13 @@ type_pf_tdel(struct ip_set *set, void *value, u32 timeout, u32 flags)
        struct hbucket *n;
        int i;
        struct type_pf_elem *data;
-        u32 key;
+        u32 key, multi = 0;
        key = HKEY(value, h->initval, t->htable_bits);
        n = hbucket(t, key);
        for (i = 0; i < n->pos; i++) {
                data = ahash_tdata(n, i);
-                if (!type_pf_data_equal(data, d))
+                if (!type_pf_data_equal(data, d, &multi))
                        continue;
                if (type_pf_data_expired(data))
                        return -IPSET_ERR_EXIST;
@@ -911,16 +945,16 @@ type_pf_ttest_cidrs(struct ip_set *set, struct type_pf_elem *d, u32 timeout)
        struct type_pf_elem *data;
        struct hbucket *n;
        int i, j = 0;
-        u32 key;
+        u32 key, multi = 0;
        u8 host_mask = SET_HOST_MASK(set->family);
-        for (; j < host_mask && h->nets[j].cidr; j++) {
+        for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
                type_pf_data_netmask(d, h->nets[j].cidr);
                key = HKEY(d, h->initval, t->htable_bits);
                n = hbucket(t, key);
                for (i = 0; i < n->pos; i++) {
                        data = ahash_tdata(n, i);
-                        if (type_pf_data_equal(data, d))
+                        if (type_pf_data_equal(data, d, &multi))
                                return !type_pf_data_expired(data);
                }
        }
@@ -936,7 +970,7 @@ type_pf_ttest(struct ip_set *set, void *value, u32 timeout, u32 flags)
        struct type_pf_elem *data, *d = value;
        struct hbucket *n;
        int i;
-        u32 key;
+        u32 key, multi = 0;
 #ifdef IP_SET_HASH_WITH_NETS
        if (d->cidr == SET_HOST_MASK(set->family))
@@ -946,7 +980,7 @@ type_pf_ttest(struct ip_set *set, void *value, u32 timeout, u32 flags)
        n = hbucket(t, key);
        for (i = 0; i < n->pos; i++) {
                data = ahash_tdata(n, i);
-                if (type_pf_data_equal(data, d))
+                if (type_pf_data_equal(data, d, &multi))
                        return !type_pf_data_expired(data);
        }
        return 0;
@@ -1054,6 +1088,8 @@ type_pf_gc_init(struct ip_set *set)
                 IPSET_GC_PERIOD(h->timeout));
 }
+#undef HKEY_DATALEN
+#undef HKEY
 #undef type_pf_data_equal
 #undef type_pf_data_isnull
 #undef type_pf_data_copy
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 2b11fc1a86be..74d33861473c 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -60,6 +60,9 @@ struct nfnl_callback {
        int (*call)(struct sock *nl, struct sk_buff *skb, 
                    const struct nlmsghdr *nlh,
                    const struct nlattr * const cda[]);
+        int (*call_rcu)(struct sock *nl, struct sk_buff *skb, 
+                    const struct nlmsghdr *nlh,
+                    const struct nlattr * const cda[]);
        const struct nla_policy *policy;        /* netlink attribute policy */
        const u_int16_t attr_count;             /* number of nlattr's */
 };
diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h
index af94e0014ebd..24b32e6c009e 100644
--- a/include/linux/netfilter/nfnetlink_queue.h
+++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -8,6 +8,7 @@ enum nfqnl_msg_types {
        NFQNL_MSG_PACKET,               /* packet from kernel to userspace */
        NFQNL_MSG_VERDICT,              /* verdict from userspace to kernel */
        NFQNL_MSG_CONFIG,               /* connect to a particular queue */
+        NFQNL_MSG_VERDICT_BATCH,        /* batchv from userspace to kernel */
        NFQNL_MSG_MAX
 };
author	David S. Miller <davem@davemloft.net>	2011-07-21 15:39:35 -0400
committer	David S. Miller <davem@davemloft.net>	2011-07-21 15:39:35 -0400
commit	f5caadbb3d8fc0b71533e880c684b2230bdb76ac (patch)
tree	7a23a2b44f6e043d9cb6ad4245b78da4bd2e14b0 /include
parent	0ca87f05ba8bdc6791c14878464efc901ad71e99 (diff)
parent	0f598f0b4c3b2259366cfa8adc01bd8e714c82d0 (diff)

diff --git a/include/linux/audit.h b/include/linux/audit.h index 9d339eb27881..0c8006129fb2 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -613,6 +613,12 @@ extern void audit_log_d_path(struct audit_buffer *ab,
613	extern void audit_log_key(struct audit_buffer *ab,	613	extern void audit_log_key(struct audit_buffer *ab,
614	char *key);	614	char *key);
615	extern void audit_log_lost(const char *message);	615	extern void audit_log_lost(const char *message);
		616	#ifdef CONFIG_SECURITY
		617	extern void audit_log_secctx(struct audit_buffer *ab, u32 secid);
		618	#else
		619	#define audit_log_secctx(b,s) do { ; } while (0)
		620	#endif
		621
616	extern int audit_update_lsm_rules(void);	622	extern int audit_update_lsm_rules(void);
617		623
618	/* Private API (for audit.c only) */	624	/* Private API (for audit.c only) */
@@ -635,6 +641,7 @@ extern int audit_enabled;
635	#define audit_log_untrustedstring(a,s) do { ; } while (0)	641	#define audit_log_untrustedstring(a,s) do { ; } while (0)
636	#define audit_log_d_path(b, p, d) do { ; } while (0)	642	#define audit_log_d_path(b, p, d) do { ; } while (0)
637	#define audit_log_key(b, k) do { ; } while (0)	643	#define audit_log_key(b, k) do { ; } while (0)
		644	#define audit_log_secctx(b,s) do { ; } while (0)
638	#define audit_enabled 0	645	#define audit_enabled 0
639	#endif	646	#endif
640	#endif	647	#endif


diff --git a/include/linux/netfilter/ipset/ip_set_ahash.h b/include/linux/netfilter/ipset/ip_set_ahash.h index c5b06aaa205c..b89fb79cb44f 100644 --- a/include/linux/netfilter/ipset/ip_set_ahash.h +++ b/include/linux/netfilter/ipset/ip_set_ahash.h
@@ -28,7 +28,32 @@
28	/* Number of elements to store in an initial array block */	28	/* Number of elements to store in an initial array block */
29	#define AHASH_INIT_SIZE 4	29	#define AHASH_INIT_SIZE 4
30	/* Max number of elements to store in an array block */	30	/* Max number of elements to store in an array block */
31	#define AHASH_MAX_SIZE (3*4)	31	#define AHASH_MAX_SIZE (3*AHASH_INIT_SIZE)
		32
		33	/* Max number of elements can be tuned */
		34	#ifdef IP_SET_HASH_WITH_MULTI
		35	#define AHASH_MAX(h) ((h)->ahash_max)
		36
		37	static inline u8
		38	tune_ahash_max(u8 curr, u32 multi)
		39	{
		40	u32 n;
		41
		42	if (multi < curr)
		43	return curr;
		44
		45	n = curr + AHASH_INIT_SIZE;
		46	/* Currently, at listing one hash bucket must fit into a message.
		47	* Therefore we have a hard limit here.
		48	*/
		49	return n > curr && n <= 64 ? n : curr;
		50	}
		51	#define TUNE_AHASH_MAX(h, multi) \
		52	((h)->ahash_max = tune_ahash_max((h)->ahash_max, multi))
		53	#else
		54	#define AHASH_MAX(h) AHASH_MAX_SIZE
		55	#define TUNE_AHASH_MAX(h, multi)
		56	#endif
32		57
33	/* A hash bucket */	58	/* A hash bucket */
34	struct hbucket {	59	struct hbucket {
@@ -60,6 +85,9 @@ struct ip_set_hash {
60	u32 timeout; /* timeout value, if enabled */	85	u32 timeout; /* timeout value, if enabled */
61	struct timer_list gc; /* garbage collection when timeout enabled */	86	struct timer_list gc; /* garbage collection when timeout enabled */
62	struct type_pf_next next; /* temporary storage for uadd */	87	struct type_pf_next next; /* temporary storage for uadd */
		88	#ifdef IP_SET_HASH_WITH_MULTI
		89	u8 ahash_max; /* max elements in an array block */
		90	#endif
63	#ifdef IP_SET_HASH_WITH_NETMASK	91	#ifdef IP_SET_HASH_WITH_NETMASK
64	u8 netmask; /* netmask value for subnets to store */	92	u8 netmask; /* netmask value for subnets to store */
65	#endif	93	#endif
@@ -211,12 +239,16 @@ ip_set_hash_destroy(struct ip_set *set)
211	set->data = NULL;	239	set->data = NULL;
212	}	240	}
213		241
214	#define HKEY(data, initval, htable_bits) \
215	(jhash2((u32 *)(data), sizeof(struct type_pf_elem)/sizeof(u32), initval) \
216	& jhash_mask(htable_bits))
217
218	#endif /* _IP_SET_AHASH_H */	242	#endif /* _IP_SET_AHASH_H */
219		243
		244	#ifndef HKEY_DATALEN
		245	#define HKEY_DATALEN sizeof(struct type_pf_elem)
		246	#endif
		247
		248	#define HKEY(data, initval, htable_bits) \
		249	(jhash2((u32 *)(data), HKEY_DATALEN/sizeof(u32), initval) \
		250	& jhash_mask(htable_bits))
		251
220	#define CONCAT(a, b, c) a##b##c	252	#define CONCAT(a, b, c) a##b##c
221	#define TOKEN(a, b, c) CONCAT(a, b, c)	253	#define TOKEN(a, b, c) CONCAT(a, b, c)
222		254
@@ -275,12 +307,13 @@ ip_set_hash_destroy(struct ip_set *set)
275	/* Add an element to the hash table when resizing the set:	307	/* Add an element to the hash table when resizing the set:
276	* we spare the maintenance of the internal counters. */	308	* we spare the maintenance of the internal counters. */
277	static int	309	static int
278	type_pf_elem_add(struct hbucket n, const struct type_pf_elem value)	310	type_pf_elem_add(struct hbucket n, const struct type_pf_elem value,
		311	u8 ahash_max)
279	{	312	{
280	if (n->pos >= n->size) {	313	if (n->pos >= n->size) {
281	void *tmp;	314	void *tmp;
282		315
283	if (n->size >= AHASH_MAX_SIZE)	316	if (n->size >= ahash_max)
284	/* Trigger rehashing */	317	/* Trigger rehashing */
285	return -EAGAIN;	318	return -EAGAIN;
286		319
@@ -335,7 +368,7 @@ retry:
335	for (j = 0; j < n->pos; j++) {	368	for (j = 0; j < n->pos; j++) {
336	data = ahash_data(n, j);	369	data = ahash_data(n, j);
337	m = hbucket(t, HKEY(data, h->initval, htable_bits));	370	m = hbucket(t, HKEY(data, h->initval, htable_bits));
338	ret = type_pf_elem_add(m, data);	371	ret = type_pf_elem_add(m, data, AHASH_MAX(h));
339	if (ret < 0) {	372	if (ret < 0) {
340	read_unlock_bh(&set->lock);	373	read_unlock_bh(&set->lock);
341	ahash_destroy(t);	374	ahash_destroy(t);
@@ -359,7 +392,7 @@ retry:
359	return 0;	392	return 0;
360	}	393	}
361		394
362	static void	395	static inline void
363	type_pf_data_next(struct ip_set_hash h, const struct type_pf_elem d);	396	type_pf_data_next(struct ip_set_hash h, const struct type_pf_elem d);
364		397
365	/* Add an element to a hash and update the internal counters when succeeded,	398	/* Add an element to a hash and update the internal counters when succeeded,
@@ -372,7 +405,7 @@ type_pf_add(struct ip_set set, void value, u32 timeout, u32 flags)
372	const struct type_pf_elem *d = value;	405	const struct type_pf_elem *d = value;
373	struct hbucket *n;	406	struct hbucket *n;
374	int i, ret = 0;	407	int i, ret = 0;
375	u32 key;	408	u32 key, multi = 0;
376		409
377	if (h->elements >= h->maxelem)	410	if (h->elements >= h->maxelem)
378	return -IPSET_ERR_HASH_FULL;	411	return -IPSET_ERR_HASH_FULL;
@@ -382,12 +415,12 @@ type_pf_add(struct ip_set set, void value, u32 timeout, u32 flags)
382	key = HKEY(value, h->initval, t->htable_bits);	415	key = HKEY(value, h->initval, t->htable_bits);
383	n = hbucket(t, key);	416	n = hbucket(t, key);
384	for (i = 0; i < n->pos; i++)	417	for (i = 0; i < n->pos; i++)
385	if (type_pf_data_equal(ahash_data(n, i), d)) {	418	if (type_pf_data_equal(ahash_data(n, i), d, &multi)) {
386	ret = -IPSET_ERR_EXIST;	419	ret = -IPSET_ERR_EXIST;
387	goto out;	420	goto out;
388	}	421	}
389		422	TUNE_AHASH_MAX(h, multi);
390	ret = type_pf_elem_add(n, value);	423	ret = type_pf_elem_add(n, value, AHASH_MAX(h));
391	if (ret != 0) {	424	if (ret != 0) {
392	if (ret == -EAGAIN)	425	if (ret == -EAGAIN)
393	type_pf_data_next(h, d);	426	type_pf_data_next(h, d);
@@ -415,13 +448,13 @@ type_pf_del(struct ip_set set, void value, u32 timeout, u32 flags)
415	struct hbucket *n;	448	struct hbucket *n;
416	int i;	449	int i;
417	struct type_pf_elem *data;	450	struct type_pf_elem *data;
418	u32 key;	451	u32 key, multi = 0;
419		452
420	key = HKEY(value, h->initval, t->htable_bits);	453	key = HKEY(value, h->initval, t->htable_bits);
421	n = hbucket(t, key);	454	n = hbucket(t, key);
422	for (i = 0; i < n->pos; i++) {	455	for (i = 0; i < n->pos; i++) {
423	data = ahash_data(n, i);	456	data = ahash_data(n, i);
424	if (!type_pf_data_equal(data, d))	457	if (!type_pf_data_equal(data, d, &multi))
425	continue;	458	continue;
426	if (i != n->pos - 1)	459	if (i != n->pos - 1)
427	/* Not last one */	460	/* Not last one */
@@ -462,17 +495,17 @@ type_pf_test_cidrs(struct ip_set set, struct type_pf_elem d, u32 timeout)
462	struct hbucket *n;	495	struct hbucket *n;
463	const struct type_pf_elem *data;	496	const struct type_pf_elem *data;
464	int i, j = 0;	497	int i, j = 0;
465	u32 key;	498	u32 key, multi = 0;
466	u8 host_mask = SET_HOST_MASK(set->family);	499	u8 host_mask = SET_HOST_MASK(set->family);
467		500
468	pr_debug("test by nets\n");	501	pr_debug("test by nets\n");
469	for (; j < host_mask && h->nets[j].cidr; j++) {	502	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
470	type_pf_data_netmask(d, h->nets[j].cidr);	503	type_pf_data_netmask(d, h->nets[j].cidr);
471	key = HKEY(d, h->initval, t->htable_bits);	504	key = HKEY(d, h->initval, t->htable_bits);
472	n = hbucket(t, key);	505	n = hbucket(t, key);
473	for (i = 0; i < n->pos; i++) {	506	for (i = 0; i < n->pos; i++) {
474	data = ahash_data(n, i);	507	data = ahash_data(n, i);
475	if (type_pf_data_equal(data, d))	508	if (type_pf_data_equal(data, d, &multi))
476	return 1;	509	return 1;
477	}	510	}
478	}	511	}
@@ -490,7 +523,7 @@ type_pf_test(struct ip_set set, void value, u32 timeout, u32 flags)
490	struct hbucket *n;	523	struct hbucket *n;
491	const struct type_pf_elem *data;	524	const struct type_pf_elem *data;
492	int i;	525	int i;
493	u32 key;	526	u32 key, multi = 0;
494		527
495	#ifdef IP_SET_HASH_WITH_NETS	528	#ifdef IP_SET_HASH_WITH_NETS
496	/* If we test an IP address and not a network address,	529	/* If we test an IP address and not a network address,
@@ -503,7 +536,7 @@ type_pf_test(struct ip_set set, void value, u32 timeout, u32 flags)
503	n = hbucket(t, key);	536	n = hbucket(t, key);
504	for (i = 0; i < n->pos; i++) {	537	for (i = 0; i < n->pos; i++) {
505	data = ahash_data(n, i);	538	data = ahash_data(n, i);
506	if (type_pf_data_equal(data, d))	539	if (type_pf_data_equal(data, d, &multi))
507	return 1;	540	return 1;
508	}	541	}
509	return 0;	542	return 0;
@@ -660,14 +693,14 @@ type_pf_data_timeout_set(struct type_pf_elem *data, u32 timeout)
660		693
661	static int	694	static int
662	type_pf_elem_tadd(struct hbucket n, const struct type_pf_elem value,	695	type_pf_elem_tadd(struct hbucket n, const struct type_pf_elem value,
663	u32 timeout)	696	u8 ahash_max, u32 timeout)
664	{	697	{
665	struct type_pf_elem *data;	698	struct type_pf_elem *data;
666		699
667	if (n->pos >= n->size) {	700	if (n->pos >= n->size) {
668	void *tmp;	701	void *tmp;
669		702
670	if (n->size >= AHASH_MAX_SIZE)	703	if (n->size >= ahash_max)
671	/* Trigger rehashing */	704	/* Trigger rehashing */
672	return -EAGAIN;	705	return -EAGAIN;
673		706
@@ -772,7 +805,7 @@ retry:
772	for (j = 0; j < n->pos; j++) {	805	for (j = 0; j < n->pos; j++) {
773	data = ahash_tdata(n, j);	806	data = ahash_tdata(n, j);
774	m = hbucket(t, HKEY(data, h->initval, htable_bits));	807	m = hbucket(t, HKEY(data, h->initval, htable_bits));
775	ret = type_pf_elem_tadd(m, data,	808	ret = type_pf_elem_tadd(m, data, AHASH_MAX(h),
776	type_pf_data_timeout(data));	809	type_pf_data_timeout(data));
777	if (ret < 0) {	810	if (ret < 0) {
778	read_unlock_bh(&set->lock);	811	read_unlock_bh(&set->lock);
@@ -803,9 +836,9 @@ type_pf_tadd(struct ip_set set, void value, u32 timeout, u32 flags)
803	const struct type_pf_elem *d = value;	836	const struct type_pf_elem *d = value;
804	struct hbucket *n;	837	struct hbucket *n;
805	struct type_pf_elem *data;	838	struct type_pf_elem *data;
806	int ret = 0, i, j = AHASH_MAX_SIZE + 1;	839	int ret = 0, i, j = AHASH_MAX(h) + 1;
807	bool flag_exist = flags & IPSET_FLAG_EXIST;	840	bool flag_exist = flags & IPSET_FLAG_EXIST;
808	u32 key;	841	u32 key, multi = 0;
809		842
810	if (h->elements >= h->maxelem)	843	if (h->elements >= h->maxelem)
811	/* FIXME: when set is full, we slow down here */	844	/* FIXME: when set is full, we slow down here */
@@ -819,18 +852,18 @@ type_pf_tadd(struct ip_set set, void value, u32 timeout, u32 flags)
819	n = hbucket(t, key);	852	n = hbucket(t, key);
820	for (i = 0; i < n->pos; i++) {	853	for (i = 0; i < n->pos; i++) {
821	data = ahash_tdata(n, i);	854	data = ahash_tdata(n, i);
822	if (type_pf_data_equal(data, d)) {	855	if (type_pf_data_equal(data, d, &multi)) {
823	if (type_pf_data_expired(data) \|\| flag_exist)	856	if (type_pf_data_expired(data) \|\| flag_exist)
824	j = i;	857	j = i;
825	else {	858	else {
826	ret = -IPSET_ERR_EXIST;	859	ret = -IPSET_ERR_EXIST;
827	goto out;	860	goto out;
828	}	861	}
829	} else if (j == AHASH_MAX_SIZE + 1 &&	862	} else if (j == AHASH_MAX(h) + 1 &&
830	type_pf_data_expired(data))	863	type_pf_data_expired(data))
831	j = i;	864	j = i;
832	}	865	}
833	if (j != AHASH_MAX_SIZE + 1) {	866	if (j != AHASH_MAX(h) + 1) {
834	data = ahash_tdata(n, j);	867	data = ahash_tdata(n, j);
835	#ifdef IP_SET_HASH_WITH_NETS	868	#ifdef IP_SET_HASH_WITH_NETS
836	del_cidr(h, data->cidr, HOST_MASK);	869	del_cidr(h, data->cidr, HOST_MASK);
@@ -840,7 +873,8 @@ type_pf_tadd(struct ip_set set, void value, u32 timeout, u32 flags)
840	type_pf_data_timeout_set(data, timeout);	873	type_pf_data_timeout_set(data, timeout);
841	goto out;	874	goto out;
842	}	875	}
843	ret = type_pf_elem_tadd(n, d, timeout);	876	TUNE_AHASH_MAX(h, multi);
		877	ret = type_pf_elem_tadd(n, d, AHASH_MAX(h), timeout);
844	if (ret != 0) {	878	if (ret != 0) {
845	if (ret == -EAGAIN)	879	if (ret == -EAGAIN)
846	type_pf_data_next(h, d);	880	type_pf_data_next(h, d);
@@ -865,13 +899,13 @@ type_pf_tdel(struct ip_set set, void value, u32 timeout, u32 flags)
865	struct hbucket *n;	899	struct hbucket *n;
866	int i;	900	int i;
867	struct type_pf_elem *data;	901	struct type_pf_elem *data;
868	u32 key;	902	u32 key, multi = 0;
869		903
870	key = HKEY(value, h->initval, t->htable_bits);	904	key = HKEY(value, h->initval, t->htable_bits);
871	n = hbucket(t, key);	905	n = hbucket(t, key);
872	for (i = 0; i < n->pos; i++) {	906	for (i = 0; i < n->pos; i++) {
873	data = ahash_tdata(n, i);	907	data = ahash_tdata(n, i);
874	if (!type_pf_data_equal(data, d))	908	if (!type_pf_data_equal(data, d, &multi))
875	continue;	909	continue;
876	if (type_pf_data_expired(data))	910	if (type_pf_data_expired(data))
877	return -IPSET_ERR_EXIST;	911	return -IPSET_ERR_EXIST;
@@ -911,16 +945,16 @@ type_pf_ttest_cidrs(struct ip_set set, struct type_pf_elem d, u32 timeout)
911	struct type_pf_elem *data;	945	struct type_pf_elem *data;
912	struct hbucket *n;	946	struct hbucket *n;
913	int i, j = 0;	947	int i, j = 0;
914	u32 key;	948	u32 key, multi = 0;
915	u8 host_mask = SET_HOST_MASK(set->family);	949	u8 host_mask = SET_HOST_MASK(set->family);
916		950
917	for (; j < host_mask && h->nets[j].cidr; j++) {	951	for (; j < host_mask && h->nets[j].cidr && !multi; j++) {
918	type_pf_data_netmask(d, h->nets[j].cidr);	952	type_pf_data_netmask(d, h->nets[j].cidr);
919	key = HKEY(d, h->initval, t->htable_bits);	953	key = HKEY(d, h->initval, t->htable_bits);
920	n = hbucket(t, key);	954	n = hbucket(t, key);
921	for (i = 0; i < n->pos; i++) {	955	for (i = 0; i < n->pos; i++) {
922	data = ahash_tdata(n, i);	956	data = ahash_tdata(n, i);
923	if (type_pf_data_equal(data, d))	957	if (type_pf_data_equal(data, d, &multi))
924	return !type_pf_data_expired(data);	958	return !type_pf_data_expired(data);
925	}	959	}
926	}	960	}
@@ -936,7 +970,7 @@ type_pf_ttest(struct ip_set set, void value, u32 timeout, u32 flags)
936	struct type_pf_elem data, d = value;	970	struct type_pf_elem data, d = value;
937	struct hbucket *n;	971	struct hbucket *n;
938	int i;	972	int i;
939	u32 key;	973	u32 key, multi = 0;
940		974
941	#ifdef IP_SET_HASH_WITH_NETS	975	#ifdef IP_SET_HASH_WITH_NETS
942	if (d->cidr == SET_HOST_MASK(set->family))	976	if (d->cidr == SET_HOST_MASK(set->family))
@@ -946,7 +980,7 @@ type_pf_ttest(struct ip_set set, void value, u32 timeout, u32 flags)
946	n = hbucket(t, key);	980	n = hbucket(t, key);
947	for (i = 0; i < n->pos; i++) {	981	for (i = 0; i < n->pos; i++) {
948	data = ahash_tdata(n, i);	982	data = ahash_tdata(n, i);
949	if (type_pf_data_equal(data, d))	983	if (type_pf_data_equal(data, d, &multi))
950	return !type_pf_data_expired(data);	984	return !type_pf_data_expired(data);
951	}	985	}
952	return 0;	986	return 0;
@@ -1054,6 +1088,8 @@ type_pf_gc_init(struct ip_set *set)
1054	IPSET_GC_PERIOD(h->timeout));	1088	IPSET_GC_PERIOD(h->timeout));
1055	}	1089	}
1056		1090
		1091	#undef HKEY_DATALEN
		1092	#undef HKEY
1057	#undef type_pf_data_equal	1093	#undef type_pf_data_equal
1058	#undef type_pf_data_isnull	1094	#undef type_pf_data_isnull
1059	#undef type_pf_data_copy	1095	#undef type_pf_data_copy


diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 2b11fc1a86be..74d33861473c 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h
@@ -60,6 +60,9 @@ struct nfnl_callback {
60	int (call)(struct sock nl, struct sk_buff *skb,	60	int (call)(struct sock nl, struct sk_buff *skb,
61	const struct nlmsghdr *nlh,	61	const struct nlmsghdr *nlh,
62	const struct nlattr * const cda[]);	62	const struct nlattr * const cda[]);
		63	int (call_rcu)(struct sock nl, struct sk_buff *skb,
		64	const struct nlmsghdr *nlh,
		65	const struct nlattr * const cda[]);
63	const struct nla_policy policy; / netlink attribute policy */	66	const struct nla_policy policy; / netlink attribute policy */
64	const u_int16_t attr_count; /* number of nlattr's */	67	const u_int16_t attr_count; /* number of nlattr's */
65	};	68	};


diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h index af94e0014ebd..24b32e6c009e 100644 --- a/include/linux/netfilter/nfnetlink_queue.h +++ b/include/linux/netfilter/nfnetlink_queue.h
@@ -8,6 +8,7 @@ enum nfqnl_msg_types {
8	NFQNL_MSG_PACKET, /* packet from kernel to userspace */	8	NFQNL_MSG_PACKET, /* packet from kernel to userspace */
9	NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */	9	NFQNL_MSG_VERDICT, /* verdict from userspace to kernel */
10	NFQNL_MSG_CONFIG, /* connect to a particular queue */	10	NFQNL_MSG_CONFIG, /* connect to a particular queue */
		11	NFQNL_MSG_VERDICT_BATCH, /* batchv from userspace to kernel */
11		12
12	NFQNL_MSG_MAX	13	NFQNL_MSG_MAX
13	};	14	};