• David S. Miller's avatar
    Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 9000a457
    David S. Miller authored
    Pablo Neira Ayuso says:
    
    ====================
    Netfilter updates for net-next
    
    The following patchset contains Netfilter updates for your net-next tree:
    
    1) Support for matching on ipsec policy already set in the route, from
       Florian Westphal.
    
    2) Split set destruction into deactivate and destroy phase to make it
       fit better into the transaction infrastructure, also from Florian.
       This includes a patch to warn on imbalance when setting the new
       activate and deactivate interfaces.
    
    3) Release transaction list from the workqueue to remove expensive
       synchronize_rcu() from configuration plane path. This speeds up
       configuration plane quite a bit. From Florian Westphal.
    
    4) Add new xfrm/ipsec extension, this new extension allows you to match
       for ipsec tunnel keys such as source and destination address, spi and
       reqid. From Máté Eckl and Florian Westphal.
    
    5) Add secmark support, this includes connsecmark too, patches
       from Christian Gottsche.
    
    6) Allow to specify remaining bytes in xt_quota, from Chenbo Feng.
       One follow up patch to calm a clang warning for this one, from
       Nathan Chancellor.
    
    7) Flush conntrack entries based on layer 3 family, from Kristian Evensen.
    
    8) New revision for cgroups2 to shrink the path field.
    
    9) Get rid of obsolete need_conntrack(), as a result from recent
       demodularization works.
    
    10) Use WARN_ON instead of BUG_ON, from Florian Westphal.
    
    11) Unused exported symbol in nf_nat_ipv4_fn(), from Florian.
    
    12) Remove superfluous check for timeout netlink parser and dump
        functions in layer 4 conntrack helpers.
    
    13) Unnecessary redundant rcu read side locks in NAT redirect,
        from Taehee Yoo.
    
    14) Pass nf_hook_state structure to error handlers, patch from
        Florian Westphal.
    
    15) Remove ->new() interface from layer 4 protocol trackers. Place
        them in the ->packet() interface. From Florian.
    
    16) Place conntrack ->error() handling in the ->packet() interface.
        Patches from Florian Westphal.
    
    17) Remove unused parameter in the pernet initialization path,
        also from Florian.
    
    18) Remove additional parameter to specify layer 3 protocol when
        looking up for protocol tracker. From Florian.
    
    19) Shrink array of layer 4 protocol trackers, from Florian.
    
    20) Check for linear skb only once from the ALG NAT mangling
        codebase, from Taehee Yoo.
    
    21) Use rhashtable_walk_enter() instead of deprecated
        rhashtable_walk_init(), also from Taehee.
    
    22) No need to flush all conntracks when only one single address
        is gone, from Tan Hu.
    
    23) Remove redundant check for NAT flags in flowtable code, from
        Taehee Yoo.
    
    24) Use rhashtable_lookup() instead of rhashtable_lookup_fast()
        from netfilter codebase, since rcu read lock side is already
        assumed in this path.
    ====================
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    9000a457
conntrack.c 57.9 KB