linux/include/net/netfilter, branch v3.9

netfilter: nf_ct_helper: better logging for dropped packets

2013-02-19T01:48:05Z

Connection tracking helpers have to drop packets under exceptional situations. Currently, the user gets the following logging message in case that happens: nf_ct_%s: dropping packet ... However, depending on the helper, there are different reasons why a packet can be dropped. This patch modifies the existing code to provide more specific error message in the scope of each helper to help users to debug the reason why the packet has been dropped, ie: nf_ct_%s: dropping packet: reason ... Thanks to Joe Perches for many formatting suggestions. Signed-off-by: Pablo Neira Ayuso

Merge branch 'master' of git://1984.lsi.us.es/nf-next

2013-01-27T05:56:10Z

Pablo Neira Ayuso says: ==================== This batch contains netfilter updates for you net-next tree, they are: * The new connlabel extension for x_tables, that allows us to attach labels to each conntrack flow. The kernel implementation uses a bitmask and there's a file in user-space that maps the bits with the corresponding string for each existing label. By now, you can attach up to 128 overlapping labels. From Florian Westphal. * A new round of improvements for the netns support for conntrack. Gao feng has moved many of the initialization code of each module of the netns init path. He also made several code refactoring, that code looks cleaner to me now. * Added documentation for all possible tweaks for nf_conntrack via sysctl, from Jiri Pirko. * Cisco 7941/7945 IP phone support for our SIP conntrack helper, from Kevin Cernekee. * Missing header file in the snmp helper, from Stephen Hemminger. * Finally, a couple of fixes to resolve minor issues with these changes, from myself. ==================== Signed-off-by: David S. Miller

soreuseport: TCP/IPv6 implementation

2013-01-23T18:44:01Z

Motivation for soreuseport would be something like a web server binding to port 80 running with multiple threads, where each thread might have it's own listener socket. This could be done as an alternative to other models: 1) have one listener thread which dispatches completed connections to workers. 2) accept on a single listener socket from multiple threads. In case #1 the listener thread can easily become the bottleneck with high connection turn-over rate. In case #2, the proportion of connections accepted per thread tends to be uneven under high connection load (assuming simple event loop: while (1) { accept(); process() }, wakeup does not promote fairness among the sockets. We have seen the disproportion to be as high as 3:1 ratio between thread accepting most connections and the one accepting the fewest. With so_reusport the distribution is uniform. Signed-off-by: Tom Herbert Signed-off-by: David S. Miller

soreuseport: TCP/IPv4 implementation

2013-01-23T18:44:01Z

Allow multiple listener sockets to bind to the same port. Motivation for soresuseport would be something like a web server binding to port 80 running with multiple threads, where each thread might have it's own listener socket. This could be done as an alternative to other models: 1) have one listener thread which dispatches completed connections to workers. 2) accept on a single listener socket from multiple threads. In case #1 the listener thread can easily become the bottleneck with high connection turn-over rate. In case #2, the proportion of connections accepted per thread tends to be uneven under high connection load (assuming simple event loop: while (1) { accept(); process() }, wakeup does not promote fairness among the sockets. We have seen the disproportion to be as high as 3:1 ratio between thread accepting most connections and the one accepting the fewest. With so_reusport the distribution is uniform. Signed-off-by: Tom Herbert Signed-off-by: David S. Miller

netfilter: nf_conntrack: refactor l4proto support for netns

2013-01-23T13:40:53Z

Move the code that register/unregister l4proto to the module_init/exit context. Given that we have to modify some interfaces to accomodate these changes, it is a good time to use shorter function names for this using the nf_ct_* prefix instead of nf_conntrack_*, that is: nf_ct_l4proto_register nf_ct_l4proto_pernet_register nf_ct_l4proto_unregister nf_ct_l4proto_pernet_unregister We same many line breaks with it. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso

netfilter: nf_conntrack: refactor l3proto support for netns

2013-01-23T13:39:20Z

Move the code that register/unregister l3proto to the module_init/exit context. Given that we have to modify some interfaces to accomodate these changes, it is a good time to use shorter function names for this using the nf_ct_* prefix instead of nf_conntrack_*, that is: nf_ct_l3proto_register nf_ct_l3proto_pernet_register nf_ct_l3proto_unregister nf_ct_l3proto_pernet_unregister We same many line breaks with it. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso

netfilter: nf_ct_proto: move initialization out of pernet_operations

2013-01-23T11:56:33Z

Move the global initial codes to the module_init/exit context. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso

netfilter: nf_ct_labels: move initialization out of pernet_operations

2013-01-23T11:56:23Z

Move the global initial codes to the module_init/exit context. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso

netfilter: nf_ct_helper: move initialization out of pernet_operations

2013-01-23T11:56:13Z

Move the global initial codes to the module_init/exit context. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso

netfilter: nf_ct_timeout: move initialization out of pernet_operations

2013-01-23T11:56:02Z

Move the global initial codes to the module_init/exit context. Signed-off-by: Gao feng Signed-off-by: Pablo Neira Ayuso