1. 18 Jul, 2011 2 commits
    • netfilter: nfnetlink_queue: provide rcu enabled callbacks · 84a797dd
      Eric Dumazet authored
      nfnetlink_queue operations on SMP are not efficient if several queues are
      used, because of nfnl_mutex contention when applications give packet
      verdict.
      
      Use new call_rcu field in struct nfnl_callback to advertise a callback
      that is called under rcu_read_lock instead of nfnl_mutex.
      
      On my 2x4x2 machine, I was able to reach 2.000.000 pps going through
      user land returning NF_ACCEPT verdicts without losses, instead of less
      than 500.000 pps before patch.

      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Florian Westphal <fw@strlen.de>
      CC: Eric Leblond <eric@regit.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
    • netfilter: nfnetlink: add RCU in nfnetlink_rcv_msg() · 6b75e3e8
      Eric Dumazet authored
      Goal of this patch is to permit nfnetlink providers not to mandate
      nfnl_mutex being held while nfnetlink_rcv_msg() calls them.

      If struct nfnl_callback contains a non-NULL call_rcu(), then
      nfnetlink_rcv_msg() will use it instead of the call() field, holding
      rcu_read_lock instead of nfnl_mutex.

      Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
      CC: Florian Westphal <fw@strlen.de>
      CC: Eric Leblond <eric@regit.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  2. 30 Jun, 2011 1 commit
    • netfilter: add SELinux context support to AUDIT target · 131ad62d
      Mr Dash Four authored
      In this revision the conversion of secid to SELinux context and adding it
      to the audit log is moved from xt_AUDIT.c to audit.c with the aid of a
      separate helper function - audit_log_secctx - which does both the conversion
      and logging of the SELinux context, thus also preventing the internal secid
      number from being leaked to userspace. If the conversion is not successful,
      an error is raised.
      
      With the introduction of this helper function the work done in xt_AUDIT.c is
      much simplified. It also opens the possibility of this helper function
      being used by other modules (including auditd itself), if desired. With this
      addition, typical (raw auditd) output after applying the patch would be:
      
      type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0
      type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0

      Acked-by: Eric Paris <eparis@redhat.com>
      Signed-off-by: Mr Dash Four <mr.dash.four@googlemail.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
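As an added example (not part of this commit or the kernel tree): a small Python parser for the raw NETFILTER_PKT records shown in the commit message above, which pulls out the obj= SELinux context the patch adds and flags any record that lacks it. The two sample lines are copied from the commit message; the function names are my own.

```python
import re
from typing import Dict, List, Optional

# The two raw auditd records quoted in the commit message, embedded here
# as sample input (copied from the page, not captured live).
SAMPLE_LINES = [
    "type=NETFILTER_PKT msg=audit(1305852240.082:31012): action=0 hook=1 len=52 inif=? outif=eth0 saddr=10.1.1.7 daddr=10.1.2.1 ipid=16312 proto=6 sport=56150 dport=22 obj=system_u:object_r:ssh_client_packet_t:s0",
    "type=NETFILTER_PKT msg=audit(1306772064.079:56): action=0 hook=3 len=48 inif=eth0 outif=? smac=00:05:5d:7c:27:0b dmac=00:02:b3:0a:7f:81 macproto=0x0800 saddr=10.1.2.1 daddr=10.1.1.7 ipid=462 proto=6 sport=22 dport=3561 obj=system_u:object_r:ssh_server_packet_t:s0",
]

# type=<name> msg=audit(<epoch.ms>:<serial>): <key=value ...>
_MSG_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")


def parse_audit_record(line: str) -> Dict[str, Optional[str]]:
    """Split one raw auditd line into a dict of its fields.

    auditd prints '?' for an unset field (e.g. inif=? on an outgoing
    packet); that is mapped to None. Values stay strings; convert at use.
    """
    m = _MSG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rec: Dict[str, Optional[str]] = {
        "type": m.group(1), "timestamp": m.group(2), "serial": m.group(3),
    }
    for token in m.group(4).split():
        key, _, value = token.partition("=")  # split on the first '=' only
        rec[key] = None if value == "?" else value
    return rec


def selinux_type(record: Dict[str, Optional[str]]) -> Optional[str]:
    """Type component (user:role:TYPE:level) of the obj= context, or None."""
    ctx = record.get("obj")
    if not ctx:
        return None
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else None


def records_without_secctx(lines: List[str]) -> List[str]:
    """Serials of NETFILTER_PKT records with no obj= field. After this patch a
    record for a labelled packet carries obj=, so a hit here is worth a look."""
    return [r["serial"] for r in map(parse_audit_record, lines)
            if r["type"] == "NETFILTER_PKT" and not r.get("obj")]
```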