blackbird-op-linux/include/linux/netfilter, branch v4.2

netfilter: xtables: fix warnings on 32bit platforms

2015-06-18T19:14:33+00:00

On 32bit archs gcc complains due to cast from void* to u64. Add intermediate casts to long to silence these warnings. include/linux/netfilter/x_tables.h:376:10: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] include/linux/netfilter/x_tables.h:384:15: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] include/linux/netfilter/x_tables.h:391:23: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] include/linux/netfilter/x_tables.h:400:22: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast] Fixes: 71ae0dff02d756e ("netfilter: xtables: use percpu rule counters") Reported-by: kbuild test robot Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: x_tables: align per cpu xt_counter

2015-06-18T11:05:45+00:00

Let's force a 16 bytes alignment on xt_counter percpu allocations, so that bytes and packets sit in same cache line. xt_counter being exported to user space, we cannot add __align(16) on the structure itself. Signed-off-by: Eric Dumazet Cc: Florian Westphal Acked-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: x_tables: remove XT_TABLE_INFO_SZ and a dereference.

2015-06-15T18:19:20+00:00

After Florian patches, there is no need for XT_TABLE_INFO_SZ anymore : Only one copy of table is kept, instead of one copy per cpu. We also can avoid a dereference if we put table data right after xt_table_info. It reduces register pressure and helps compiler. Then, we attempt a kmalloc() if total size is under order-3 allocation, to reduce TLB pressure, as in many cases, rules fit in 32 KB. Signed-off-by: Eric Dumazet Cc: Florian Westphal Signed-off-by: Pablo Neira Ayuso

netfilter: ipset: Fix coding styles reported by checkpatch.pl

2015-06-14T08:40:18+00:00

Signed-off-by: Jozsef Kadlecsik

netfilter: ipset: Prepare the ipset core to use RCU at set level

2015-06-14T08:40:16+00:00

Replace rwlock_t with spinlock_t in "struct ip_set" and change the locking accordingly. Convert the comment extension into an rcu-avare object. Also, simplify the timeout routines. Signed-off-by: Jozsef Kadlecsik

netfilter: ipset: Fix parallel resizing and listing of the same set

2015-06-14T08:40:15+00:00

When elements added to a hash:* type of set and resizing triggered, parallel listing could start to list the original set (before resizing) and "continue" with listing the new set. Fix it by references and using the original hash table for listing. Therefore the destroying of the original hash table may happen from the resizing or listing functions. Signed-off-by: Jozsef Kadlecsik

netfilter: ipset: Fix cidr handling for hash:net types

2015-06-14T08:40:14+00:00

Commit "Simplify cidr handling for hash:*net* types" broke the cidr handling for the hash:*net* types when the sets were used by the SET target: entries with invalid cidr values were added to the sets. Reported by Jonathan Johnson. Testsuite entry is added to verify the fix. Signed-off-by: Jozsef Kadlecsik

netfilter: ipset: Use MSEC_PER_SEC consistently

2015-06-14T08:40:12+00:00

Signed-off-by: Jozsef Kadlecsik

netfilter: xtables: avoid percpu ruleset duplication

2015-06-12T12:27:10+00:00

We store the rule blob per (possible) cpu. Unfortunately this means we can waste lot of memory on big smp machines. ipt_entry structure ('rule head') is 112 byte, so e.g. with maxcpu=64 one single rule eats close to 8k RAM. Since previous patch made counters percpu it appears there is nothing left in the rule blob that needs to be percpu. On my test system (144 possible cpus, 400k dummy rules) this change saves close to 9 Gigabyte of RAM. Reported-by: Marcelo Ricardo Leitner Acked-by: Jesper Dangaard Brouer Signed-off-by: Florian Westphal Acked-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso

netfilter: xtables: use percpu rule counters

2015-06-12T12:27:09+00:00

The binary arp/ip/ip6tables ruleset is stored per cpu. The only reason left as to why we need percpu duplication are the rule counters embedded into ipt_entry et al -- since each cpu has its own copy of the rules, all counters can be lockless. The downside is that the more cpus are supported, the more memory is required. Rules are not just duplicated per online cpu but for each possible cpu, i.e. if maxcpu is 144, then rule is duplicated 144 times, not for the e.g. 64 cores present. To save some memory and also improve utilization of shared caches it would be preferable to only store the rule blob once. So we first need to separate counters and the rule blob. Instead of using entry->counters, allocate this percpu and store the percpu address in entry->counters.pcnt on CONFIG_SMP. This change makes no sense as-is; it is merely an intermediate step to remove the percpu duplication of the rule set in a followup patch. Suggested-by: Eric Dumazet Acked-by: Jesper Dangaard Brouer Reported-by: Marcelo Ricardo Leitner Signed-off-by: Florian Westphal Acked-by: Eric Dumazet Signed-off-by: Pablo Neira Ayuso

blackbird-op-linux/include/linux/netfilter, branch v4.2

netfilter: xtables: fix warnings on 32bit platforms

netfilter: x_tables: align per cpu xt_counter

netfilter: x_tables: remove XT_TABLE_INFO_SZ and a dereference.

netfilter: ipset: Fix coding styles reported by checkpatch.pl

netfilter: ipset: Prepare the ipset core to use RCU at set level

netfilter: ipset: Fix parallel resizing and listing of the same set

netfilter: ipset: Fix cidr handling for hash:*net* types

netfilter: ipset: Use MSEC_PER_SEC consistently

netfilter: xtables: avoid percpu ruleset duplication

netfilter: xtables: use percpu rule counters

netfilter: ipset: Fix cidr handling for hash:net types