From: Patrick McHardy <kaber <at> trash.net>
Subject: [NETFILTER 00/69]: Netfilter Update
Newsgroups: gmane.comp.security.firewalls.netfilter.devel
Date: Wednesday 30th January 2008 20:16:52 UTC
Hi Dave,

following is the final netfilter update for 2.6.25, containing the iptables
netns work by Alexey Dobriyan, lots of sparse warning fixes by Stephen, Eric
and myself, const annotations throughout netfilter by Jan Engelhardt,
a set of patches to finally use RCU for the conntrack and NAT hashes, some
conntrack optimizations and some minor misc cleanups.

Please apply, thanks.


 include/linux/netfilter/nf_conntrack_pptp.h        |    2 +-
 include/linux/netfilter/nf_conntrack_sip.h         |    6 +-
 include/linux/netfilter/x_tables.h                 |   28 +-
 include/linux/netfilter/xt_conntrack.h             |   30 +-
 include/linux/netfilter/xt_hashlimit.h             |   37 ++-
 include/linux/netfilter/xt_owner.h                 |    4 +-
 include/linux/netfilter_arp/arp_tables.h           |    5 +-
 include/linux/netfilter_ipv4/ip_tables.h           |    5 +-
 include/linux/netfilter_ipv6/ip6_tables.h          |    5 +-
 include/linux/skbuff.h                             |    3 -
 include/linux/types.h                              |    2 +-
 include/net/arp.h                                  |    8 +-
 include/net/net_namespace.h                        |    4 +
 include/net/netfilter/nf_conntrack.h               |   15 +-
 include/net/netfilter/nf_conntrack_core.h          |    6 +-
 include/net/netfilter/nf_conntrack_expect.h        |    2 +
 include/net/netfilter/nf_conntrack_helper.h        |    4 -
 include/net/netfilter/nf_conntrack_l3proto.h       |    4 +-
 include/net/netfilter/nf_conntrack_l4proto.h       |   25 +-
 include/net/netfilter/nf_conntrack_tuple.h         |   17 +-
 include/net/netfilter/nf_log.h                     |    2 +-
 include/net/netns/ipv4.h                           |    6 +
 include/net/netns/ipv6.h                           |    5 +
 include/net/netns/x_tables.h                       |   10 +
 net/bridge/br_netfilter.c                          |    4 -
 net/bridge/netfilter/ebt_802_3.c                   |   10 +-
 net/bridge/netfilter/ebt_among.c                   |   27 +-
 net/bridge/netfilter/ebt_arp.c                     |   17 +-
 net/bridge/netfilter/ebt_arpreply.c                |   17 +-
 net/bridge/netfilter/ebt_dnat.c                    |    8 +-
 net/bridge/netfilter/ebt_ip.c                      |   14 +-
 net/bridge/netfilter/ebt_limit.c                   |    6 +-
 net/bridge/netfilter/ebt_log.c                     |   19 +-
 net/bridge/netfilter/ebt_mark.c                    |    8 +-
 net/bridge/netfilter/ebt_mark_m.c                  |    8 +-
 net/bridge/netfilter/ebt_pkttype.c                 |    8 +-
 net/bridge/netfilter/ebt_redirect.c                |    8 +-
 net/bridge/netfilter/ebt_snat.c                    |   11 +-
 net/bridge/netfilter/ebt_stp.c                     |   28 +-
 net/bridge/netfilter/ebt_ulog.c                    |    9 +-
 net/bridge/netfilter/ebt_vlan.c                    |   12 +-
 net/ipv4/arp.c                                     |    9 +-
 net/ipv4/netfilter/arp_tables.c                    |  102 ++++--
 net/ipv4/netfilter/arptable_filter.c               |   31 ++-
 net/ipv4/netfilter/ip_queue.c                      |   18 +-
 net/ipv4/netfilter/ip_tables.c                     |  112 ++++---
 net/ipv4/netfilter/ipt_CLUSTERIP.c                 |    7 -
 net/ipv4/netfilter/ipt_recent.c                    |    6 +-
 net/ipv4/netfilter/iptable_filter.c                |   33 ++-
 net/ipv4/netfilter/iptable_mangle.c                |   33 ++-
 net/ipv4/netfilter/iptable_raw.c                   |   33 ++-
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   14 +-
 .../netfilter/nf_conntrack_l3proto_ipv4_compat.c   |   40 ++-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c       |   22 +-
 net/ipv4/netfilter/nf_nat_core.c                   |   42 +--
 net/ipv4/netfilter/nf_nat_h323.c                   |    5 +-
 net/ipv4/netfilter/nf_nat_helper.c                 |    3 +-
 net/ipv4/netfilter/nf_nat_pptp.c                   |   10 +-
 net/ipv4/netfilter/nf_nat_proto_gre.c              |   16 +-
 net/ipv4/netfilter/nf_nat_proto_icmp.c             |    2 +-
 net/ipv4/netfilter/nf_nat_proto_tcp.c              |    2 +-
 net/ipv4/netfilter/nf_nat_proto_udp.c              |    2 +-
 net/ipv4/netfilter/nf_nat_rule.c                   |   16 +-
 net/ipv4/netfilter/nf_nat_sip.c                    |    4 +-
 net/ipv4/netfilter/nf_nat_snmp_basic.c             |    2 +-
 net/ipv4/netfilter/nf_nat_tftp.c                   |    2 +-
 net/ipv6/netfilter/ip6_queue.c                     |   18 +-
 net/ipv6/netfilter/ip6_tables.c                    |  113 ++++---
 net/ipv6/netfilter/ip6table_filter.c               |   33 ++-
 net/ipv6/netfilter/ip6table_mangle.c               |   33 ++-
 net/ipv6/netfilter/ip6table_raw.c                  |   31 ++-
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c     |    7 +-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c     |   22 +-
 net/ipv6/netfilter/nf_conntrack_reasm.c            |   16 +-
 net/netfilter/nf_conntrack_core.c                  |  234 +++++++------
 net/netfilter/nf_conntrack_expect.c                |   53 ++--
 net/netfilter/nf_conntrack_h323_asn1.c             |  156 +++++----
 net/netfilter/nf_conntrack_h323_main.c             |   23 +-
 net/netfilter/nf_conntrack_h323_types.c            |  346 ++++++++++----------
 net/netfilter/nf_conntrack_helper.c                |   60 +---
 net/netfilter/nf_conntrack_irc.c                   |    2 +-
 net/netfilter/nf_conntrack_netlink.c               |   68 ++--
 net/netfilter/nf_conntrack_pptp.c                  |   14 +-
 net/netfilter/nf_conntrack_proto_generic.c         |    6 +-
 net/netfilter/nf_conntrack_proto_gre.c             |    6 +-
 net/netfilter/nf_conntrack_proto_sctp.c            |    6 +-
 net/netfilter/nf_conntrack_proto_tcp.c             |  192 ++++++------
 net/netfilter/nf_conntrack_proto_udp.c             |   19 +-
 net/netfilter/nf_conntrack_proto_udplite.c         |   19 +-
 net/netfilter/nf_conntrack_sane.c                  |    9 +-
 net/netfilter/nf_conntrack_sip.c                   |   29 +-
 net/netfilter/nf_conntrack_standalone.c            |   66 ++--
 net/netfilter/nf_conntrack_tftp.c                  |    5 +-
 net/netfilter/nf_log.c                             |    2 +
 net/netfilter/nfnetlink_log.c                      |    4 +-
 net/netfilter/nfnetlink_queue.c                    |    6 +-
 net/netfilter/x_tables.c                           |  313 ++++++++++++-------
 net/netfilter/xt_TCPMSS.c                          |   62 ++++-
 net/netfilter/xt_connlimit.c                       |    6 +-
 net/netfilter/xt_conntrack.c                       |   50 +++-
 net/netfilter/xt_hashlimit.c                       |  324 ++++++++++++++++--
 net/netfilter/xt_iprange.c                         |    2 +-
 net/netfilter/xt_owner.c                           |   14 +-
 103 files changed, 2089 insertions(+), 1295 deletions(-)
 create mode 100644 include/net/netns/x_tables.h

Alexey Dobriyan (13):
      [NETFILTER]: x_tables: change xt_table_register() return value convention
      [NETFILTER]: x_tables: per-netns xt_tables
      [NETFILTER]: x_tables: return new table from {arp,ip,ip6}t_register_table()
      [NETFILTER]: ip_tables: propagate netns from userspace
      [NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW
      [NETFILTER]: ip6_tables: netns preparation
      [NETFILTER]: ip6_tables: per-netns IPv6 FILTER, MANGLE, RAW
      [NETFILTER]: arp_tables: netns preparation
      [NETFILTER]: arp_tables: per-netns arp_tables FILTER
      [NETFILTER]: netns: put table module on netns stop
      [NETFILTER]: x_tables: semi-rewrite of /proc/net/foo_tables_*
      [NETFILTER]: x_tables: netns propagation for /proc/net/*_tables_names
      [NETFILTER]: x_tables: create per-netns /proc/net/*_tables_*

Eric Dumazet (1):
      [NETFILTER]: Supress some sparse warnings

Eric Leblond (1):
      [NETFILTER]: nf_conntrack_netlink: transmit mark during all events

Helge Deller (1):
      [NETFILTER]: nf_log: add netfilter gcc printf format checking

Ilpo Järvinen (2):
      [NETFILTER]: ipt_CLUSTERIP: kill clusterip_config_entry_get
      [NETFILTER]: nf_conntrack: kill unused static inline (do_iter)

Jan Engelhardt (20):
      [NETFILTER]: Use const in struct xt_match, xt_target, xt_table
      linux/types.h: Use __u64 for aligned_u64
      [NETFILTER]: xt_conntrack: add port and direction matching
      [NETFILTER]: ebtables: remove casts, use consts
      [NETFILTER]: ebtables: Update modules' descriptions
      [NETFILTER]: ebtables: mark matches, targets and watchers __read_mostly
      [NETFILTER]: xt_TCPMSS: consider reverse route's MTU in clamp-to-pmtu
      [NETFILTER]: xt_owner: allow matching UID/GID ranges
      [NETFILTER]: nf_conntrack_h323: clean up code a bit
      [NETFILTER]: xt_hashlimit match, revision 1
      [NETFILTER]: nf_conntrack_h323: constify and annotate H.323 helper
      [NETFILTER]: nf_{conntrack,nat}_sip: annotate SIP helper with const
      [NETFILTER]: nf_{conntrack,nat}_tftp: annotate TFTP helper with const
      [NETFILTER]: nf_{conntrack,nat}_pptp: annotate PPtP helper with const
      [NETFILTER]: nf_conntrack_sane: annotate SANE helper with const
      [NETFILTER]: nf_{conntrack,nat}_proto_tcp: constify and annotate TCP modules
      [NETFILTER]: nf_{conntrack,nat}_proto_udp{,lite}: annotate with const
      [NETFILTER]: nf_{conntrack,nat}_proto_gre: annotate with const
      [NETFILTER]: nf_{conntrack,nat}_icmp: constify and annotate
      [NETFILTER]: nf_conntrack: annotate l3protos with const

Patrick McHardy (25):
      [NETFILTER]: nf_nat: remove double bysource hash initialization
      [NETFILTER]: bridge netfilter: remove nf_bridge_info read-only netoutdev member
      [NETFILTER]: nfnetlink_log: fix typo
      [NETFILTER]: ipt_recent: fix sparse warnings
      [NETFILTER]: {ip,arp,ip6}_tables: fix sparse warnings in compat code
      [NETFILTER]: nf_conntrack_ipv6: fix sparse warnings
      [NETFILTER]: nf_conntrack_netlink: fix unbalanced locking
      [NETFILTER]: nf_conntrack: fix accounting with fixed timeouts
      [NETFILTER]: nf_conntrack: use RCU for conntrack helpers
      [NETFILTER]: nf_conntrack_core: avoid taking nf_conntrack_lock in nf_conntrack_alter_reply
      [NETFILTER]: nf_conntrack_expect: use RCU for expectation hash
      [NETFILTER]: nf_conntrack: use RCU for conntrack hash
      [NETFILTER]: nf_conntrack: switch rwlock to spinlock
      [NETFILTER]: nf_conntrack: optimize __nf_conntrack_find()
      [NETFILTER]: nf_conntrack: avoid duplicate protocol comparison in nf_ct_tuple_equal()
      [NETFILTER]: nf_conntrack: optimize hash_conntrack()
      [NETFILTER]: nf_conntrack: reorder struct nf_conntrack_l4proto
      [NETFILTER]: nf_conntrack: don't inline early_drop()
      [NETFILTER]: nf_conntrack: naming unification
      [NETFILTER]: nf_nat: use RCU for bysource hash
      [NETFILTER]: nf_nat: switch rwlock to spinlock
      [NETFILTER]: {ip,ip6}_queue: fix build error
      [NETFILTER]: nf_conntrack: fix sparse warning
      [NETFILTER]: nf_nat: fix sparse warning
      [NETFILTER]: xt_iprange: fix sparse warnings

Stephen Hemminger (6):
      [NETFILTER]: nf_nat_snmp: sparse warning
      [NETFILTER]: nf_conntrack: sparse warnings
      [NETFILTER]: nfnetlink_log: sparse warning fixes
      [NETFILTER]: conntrack: get rid of sparse warnings
      [NETFILTER]: more sparse fixes
      [NETFILTER]: nf_conntrack_h3223: sparse fixes