linux-stable/include/net/netfilter
Florian Westphal 0c66dc1ea3 netfilter: conntrack: register hooks in netns when needed by ruleset
This makes use of nf_ct_netns_get/put added in previous patch.
We add get/put functions to nf_conntrack_l3proto structure, ipv4 and ipv6
then implement use-count to track how many users (nft or xtables modules)
have a dependency on ipv4 and/or ipv6 connection tracking functionality.

When count reaches zero, the hooks are unregistered.

This delays activation of connection tracking inside a namespace until
stateful firewall rule or nat rule gets added.

This patch breaks backwards compatibility in the sense that connection
tracking won't be active anymore when the protocol tracker module is
loaded. This breaks e.g. setups that use ctnetlink for flow accounting and
the like, without any '-m conntrack' packet filter rules.

Followup patch restores old behaviour and makes new delayed scheme
optional via sysctl.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-12-04 21:17:24 +01:00
ipv4 netfilter: conntrack: built-in support for UDPlite 2016-12-04 20:57:36 +01:00
ipv6 netfilter: conntrack: built-in support for UDPlite 2016-12-04 20:57:36 +01:00
br_netfilter.h netfilter: bridge: add and use br_nf_hook_thresh 2016-09-24 21:25:48 +02:00
nf_conntrack.h netfilter: add and use nf_ct_netns_get/put 2016-12-04 21:16:50 +01:00
nf_conntrack_acct.h netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
nf_conntrack_core.h netfilter: conntrack: simplify the code by using nf_conntrack_get_ht 2016-08-18 01:20:52 +02:00
nf_conntrack_ecache.h netfilter: don't rely on DYING bit to detect when destroy event was sent 2016-08-30 11:43:08 +02:00
nf_conntrack_expect.h netfilter: conntrack: use a single expectation table for all namespaces 2016-05-06 11:50:01 +02:00
nf_conntrack_extend.h netfilter: move nat hlist_head to nf_conn 2016-07-11 11:47:50 +02:00
nf_conntrack_helper.h netfilter: Add helper array register/unregister functions 2016-07-21 02:31:53 +02:00
nf_conntrack_l3proto.h netfilter: conntrack: register hooks in netns when needed by ruleset 2016-12-04 21:17:24 +01:00
nf_conntrack_l4proto.h netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
nf_conntrack_labels.h netfilter: conntrack: avoid excess memory allocation 2016-10-27 18:29:02 +02:00
nf_conntrack_seqadj.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_synproxy.h netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
nf_conntrack_timeout.h netfilter: cttimeout: add netns support 2015-12-14 12:48:58 +01:00
nf_conntrack_timestamp.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_tuple.h netfilter: nf_nat: export NAT definitions to userspace 2011-12-23 14:36:43 +01:00
nf_conntrack_zones.h netfilter: move zone info into struct nf_conn 2016-06-23 13:33:12 +02:00
nf_dup_netdev.h netfilter: nf_tables: add packet duplication to the netdev family 2016-01-03 21:04:23 +01:00
nf_log.h netfilter: nf_log: do not assume ethernet header in netdev family 2016-12-04 20:45:33 +01:00
nf_nat.h netfilter: nat: convert nat bysrc hash to rhashtable 2016-07-11 12:07:57 +02:00
nf_nat_core.h netfilter: Pass net into nf_xfrm_me_harder 2015-09-18 22:00:22 +02:00
nf_nat_helper.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_nat_l3proto.h netfilter: Pass priv instead of nf_hook_ops to netfilter hooks 2015-09-18 22:00:16 +02:00
nf_nat_l4proto.h netfilter: built-in NAT support for UDPlite 2016-12-04 20:45:32 +01:00
nf_nat_redirect.h netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module 2014-11-27 13:08:42 +01:00
nf_queue.h netfilter: remove hook_entries field from nf_hook_state 2016-11-03 11:52:58 +01:00
nf_socket.h netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c 2016-11-01 20:50:31 +01:00
nf_tables.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-12-03 12:29:53 -05:00
nf_tables_core.h netfilter: nf_tables: simplify the basic expressions' init routine 2016-11-09 23:42:23 +01:00
nf_tables_ipv4.h netfilter: merge fixup for "nf_tables_netdev: remove redundant ip_hdr assignment" 2016-10-05 20:25:48 -04:00
nf_tables_ipv6.h netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport 2016-09-12 18:52:32 +02:00
nfnetlink_log.h netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
nft_dup.h netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
nft_fib.h netfilter: nf_tables: add fib expression 2016-11-01 20:50:14 +01:00
nft_masq.h netfilter: nft_masq: support port range 2016-03-02 20:05:27 +01:00
nft_meta.h netfilter: nft_meta: improve the validity check of pkttype set expr 2016-08-25 13:12:03 +02:00
nft_redir.h netfilter: nf_tables: add new expression nft_redir 2014-10-27 22:49:39 +01:00
nft_reject.h netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT 2016-08-25 12:55:34 +02:00
xt_rateest.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00