Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-09-27 02:13:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
5e8018fc61
linux/include/net/netfilter
History
Daniel Borkmann 5e8018fc61 netfilter: nf_conntrack: add efficient mark to zone mapping 
This work adds the possibility of deriving the zone id from the skb->mark
field in a scalable manner. This allows for having only a single template
serving hundreds/thousands of different zones, for example, instead of the
need to have one match for each zone as an extra CT jump target.

Note that we'd need to have this information attached to the template as at
the time when we're trying to lookup a possible ct object, we already need
to know zone information for a possible match when going into
__nf_conntrack_find_get(). This work provides a minimal implementation for
a possible mapping.

In order to not add/expose an extra ct->status bit, the zone structure has
been extended to carry a flag for deriving the mark.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18 01:24:05 +02:00
..
ipv4 netfilter: factor out packet duplication for IPv4/IPv6 2015-08-07 11:49:49 +02:00
ipv6 netfilter: factor out packet duplication for IPv4/IPv6 2015-08-07 11:49:49 +02:00
br_netfilter.h netfilter: bridge: split ipv6 code into separated file 2015-06-18 21:14:21 +02:00
nf_conntrack_acct.h netfilter: introduce nf_conn_acct structure 2013-11-03 21:48:49 +01:00
nf_conntrack_core.h netfilter: nf_conntrack: push zone object into functions 2015-08-11 12:29:01 +02:00
nf_conntrack_ecache.h netfilter: conntrack: remove timer from ecache extension 2014-06-25 19:15:38 +02:00
nf_conntrack_expect.h netfilter: nf_conntrack: push zone object into functions 2015-08-11 12:29:01 +02:00
nf_conntrack_extend.h netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len 2014-04-03 23:52:31 +02:00
nf_conntrack_helper.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_l3proto.h netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_l4proto.h netfilter: Convert print_tuple functions to return void 2014-11-05 14:10:33 -05:00
nf_conntrack_labels.h netfilter: nft_ct: labels get support 2014-02-19 11:41:25 +01:00
nf_conntrack_seqadj.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_synproxy.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-10-01 17:06:14 -04:00
nf_conntrack_timeout.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_timestamp.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_conntrack_tuple.h netfilter: nf_nat: export NAT definitions to userspace 2011-12-23 14:36:43 +01:00
nf_conntrack_zones.h netfilter: nf_conntrack: add efficient mark to zone mapping 2015-08-18 01:24:05 +02:00
nf_conntrack.h netfilter: nf_conntrack: push zone object into functions 2015-08-11 12:29:01 +02:00
nf_log.h netfilter: restore rule tracing via nfnetlink_log 2015-03-19 11:14:48 +01:00
nf_nat_core.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_nat_helper.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_nat_l3proto.h netfilter: Pass nf_hook_state through nf_nat_ipv6_{in,out,fn,local_fn}(). 2015-04-04 12:48:08 -04:00
nf_nat_l4proto.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00
nf_nat_redirect.h netfilter: combine IPv4 and IPv6 nf_nat_redirect code in one module 2014-11-27 13:08:42 +01:00
nf_nat.h netfilter: fix compilation of masquerading without IP_NF_TARGET_MASQUERADE 2014-09-11 17:02:45 +02:00
nf_queue.h netfilter: nf_qeueue: Drop queue entries on nf_unregister_hook 2015-06-23 06:23:23 -07:00
nf_tables_bridge.h netfilter: nf_tables_bridge: export nft_reject_ip*hdr_validate functions 2014-11-27 12:58:05 +01:00
nf_tables_core.h netfilter: nf_tables: add support for dynamic set updates 2015-04-08 16:58:27 +02:00
nf_tables_ipv4.h netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nf_tables_ipv6.h netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nf_tables.h netfilter: nf_tables_netdev: unregister hooks on net_device removal 2015-06-15 23:02:35 +02:00
nfnetlink_log.h netfilter: log: netns NULL ptr bug when calling from conntrack 2013-05-15 14:11:07 +02:00
nfnetlink_queue.h netfilter: nfnetlink_queue: allow to attach expectations to conntracks 2013-08-13 16:32:10 +02:00
nft_dup.h netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
nft_masq.h netfilter: nf_tables: restrict nat/masq expressions to nat chain type 2014-10-13 20:42:00 +02:00
nft_meta.h netfilter: nf_tables: get rid of NFT_REG_VERDICT usage 2015-04-13 17:17:07 +02:00
nft_redir.h netfilter: nf_tables: add new expression nft_redir 2014-10-27 22:49:39 +01:00
nft_reject.h netfilter: nft_reject: introduce icmp code abstraction for inet and bridge 2014-10-02 18:29:57 +02:00
xt_rateest.h netfilter: Remove extern from function prototypes 2013-09-23 16:29:42 -04:00