leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
5e8018fc61
linux/net/ipv4/netfilter
History
Daniel Borkmann 5e8018fc61 netfilter: nf_conntrack: add efficient mark to zone mapping 
This work adds the possibility of deriving the zone id from the skb->mark
field in a scalable manner. This allows for having only a single template
serving hundreds/thousands of different zones, for example, instead of the
need to have one match for each zone as an extra CT jump target.

Note that we'd need to have this information attached to the template as at
the time when we're trying to lookup a possible ct object, we already need
to know zone information for a possible match when going into
__nf_conntrack_find_get(). This work provides a minimal implementation for
a possible mapping.

In order to not add/expose an extra ct->status bit, the zone structure has
been extended to carry a flag for deriving the mark.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-18 01:24:05 +02:00
..
arp_tables.c netfilter: xtables: remove __pure annotation 2015-07-15 18:18:07 +02:00
arpt_mangle.c netfilter: arpt_mangle: fix return values of checkentry 2011-02-01 16:03:46 +01:00
arptable_filter.c netfilter: Pass nf_hook_state through arpt_do_table(). 2015-04-04 13:26:52 -04:00
ip_tables.c netfilter: xtables: remove __pure annotation 2015-07-15 18:18:07 +02:00
ipt_ah.c netfilter: xtables: change hotdrop pointer to direct modification 2010-05-11 18:35:27 +02:00
ipt_CLUSTERIP.c netfilter: x_tables: add context to know if extension runs from nft_compat 2015-05-15 20:14:07 +02:00
ipt_ECN.c netfilter: xtables: substitute temporary defines by final name 2010-05-11 18:31:17 +02:00
ipt_MASQUERADE.c netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables 2014-09-09 16:31:29 +02:00
ipt_REJECT.c netfilter: reject: don't send icmp error if csum is invalid 2015-03-03 02:10:35 +01:00
ipt_rpfilter.c net: ipv4 sysctl option to ignore routes when nexthop link is down 2015-06-24 02:15:54 -07:00
ipt_SYNPROXY.c netfilter: synproxy: fix sparse errors 2015-05-17 13:08:29 -04:00
iptable_filter.c netfilter: Pass nf_hook_state through ipt_do_table(). 2015-04-04 12:47:04 -04:00
iptable_mangle.c netfilter: Pass nf_hook_state through ipt_do_table(). 2015-04-04 12:47:04 -04:00
iptable_nat.c netfilter: Pass nf_hook_state through ipt_do_table(). 2015-04-04 12:47:04 -04:00
iptable_raw.c netfilter: Pass nf_hook_state through ipt_do_table(). 2015-04-04 12:47:04 -04:00
iptable_security.c netfilter: Pass nf_hook_state through ipt_do_table(). 2015-04-04 12:47:04 -04:00
Kconfig netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
Makefile netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
nf_conntrack_l3proto_ipv4_compat.c netfilter: Remove uses of seq_<foo> return values 2015-03-18 10:51:35 +01:00
nf_conntrack_l3proto_ipv4.c netfilter: nf_conntrack: push zone object into functions 2015-08-11 12:29:01 +02:00
nf_conntrack_proto_icmp.c netfilter: nf_conntrack: add efficient mark to zone mapping 2015-08-18 01:24:05 +02:00
nf_defrag_ipv4.c netfilter: nf_conntrack: add direction support for zones 2015-08-18 01:22:50 +02:00
nf_dup_ipv4.c netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
nf_log_arp.c netfilter: Use LOGLEVEL_<FOO> defines 2015-03-25 12:09:39 +01:00
nf_log_ipv4.c netfilter: Use LOGLEVEL_<FOO> defines 2015-03-25 12:09:39 +01:00
nf_nat_h323.c netfilter: nf_nat_h323: fix crash in nf_ct_unlink_expect_report() 2014-02-05 17:46:05 +01:00
nf_nat_l3proto_ipv4.c netfilter: Pass nf_hook_state through nf_nat_ipv4_{in,out,fn,local_fn}(). 2015-04-04 12:45:19 -04:00
nf_nat_masquerade_ipv4.c netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables 2014-09-09 16:31:29 +02:00
nf_nat_pptp.c netfilter: add my copyright statements 2013-04-18 20:27:55 +02:00
nf_nat_proto_gre.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_proto_icmp.c netfilter: use IS_ENABLED() macro 2014-06-30 11:38:03 +02:00
nf_nat_snmp_basic.c netfilter: nf_nat_snmp_basic: fix duplicates in if/else branches 2014-02-14 11:37:36 +01:00
nf_reject_ipv4.c netfilter: bridge: add helpers for fetching physin/outdev 2015-04-08 16:49:08 +02:00
nf_tables_arp.c netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nf_tables_ipv4.c netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nft_chain_nat_ipv4.c netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nft_chain_route_ipv4.c netfilter: Pass nf_hook_state through nft_set_pktinfo*(). 2015-04-04 12:54:27 -04:00
nft_dup_ipv4.c netfilter: nf_tables: add nft_dup expression 2015-08-07 11:49:49 +02:00
nft_masq_ipv4.c netfilter: nf_tables: get rid of NFT_REG_VERDICT usage 2015-04-13 17:17:07 +02:00
nft_redir_ipv4.c netfilter: nf_tables: switch registers to 32 bit addressing 2015-04-13 17:17:29 +02:00
nft_reject_ipv4.c netfilter: nf_tables: get rid of NFT_REG_VERDICT usage 2015-04-13 17:17:07 +02:00