mirror of
https://github.com/torvalds/linux.git
synced 2024-11-07 04:32:03 +00:00
0ca743a559
This patch adds the x_tables compatibility layer. This allows you to use existing x_tables matches and targets from nf_tables. This compatibility later allows us to use existing matches/targets for features that are still missing in nf_tables. We can progressively replace them with native nf_tables extensions. It also provides the userspace compatibility software that allows you to express the rule-set using the iptables syntax but using the nf_tables kernel components. In order to get this compatibility layer working, I've done the following things: * add NFNL_SUBSYS_NFT_COMPAT: this new nfnetlink subsystem is used to query the x_tables match/target revision, so we don't need to use the native x_table getsockopt interface. * emulate xt structures: this required extending the struct nft_pktinfo to include the fragment offset, which is already obtained from ip[6]_tables and that is used by some matches/targets. * add support for default policy to base chains, required to emulate x_tables. * add NFTA_CHAIN_USE attribute to obtain the number of references to chains, required by x_tables emulation. * add chain packet/byte counters using per-cpu. * support 32-64 bits compat. For historical reasons, this patch includes the following patches that were posted in the netfilter-devel mailing list. From Pablo Neira Ayuso: * nf_tables: add default policy to base chains * netfilter: nf_tables: add NFTA_CHAIN_USE attribute * nf_tables: nft_compat: private data of target and matches in contiguous area * nf_tables: validate hooks for compat match/target * nf_tables: nft_compat: release cached matches/targets * nf_tables: x_tables support as a compile time option * nf_tables: fix alias for xtables over nftables module * nf_tables: add packet and byte counters per chain * nf_tables: fix per-chain counter stats if no counters are passed * nf_tables: don't bump chain stats * nf_tables: add protocol and flags for xtables over nf_tables * nf_tables: add ip[6]t_entry emulation * nf_tables: move specific layer 3 compat code to nf_tables_ipv[4|6] * nf_tables: support 32bits-64bits x_tables compat * nf_tables: fix compilation if CONFIG_COMPAT is disabled From Patrick McHardy: * nf_tables: move policy to struct nft_base_chain * nf_tables: send notifications for base chain policy changes From Alexander Primak: * nf_tables: remove the duplicate NF_INET_LOCAL_OUT From Nicolas Dichtel: * nf_tables: fix compilation when nf-netlink is a module Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
|---|---|---|
| .. | ||
| netfilter | ||
| addrconf_core.c | ||
| addrconf.c | ||
| addrlabel.c | ||
| af_inet6.c | ||
| ah6.c | ||
| anycast.c | ||
| datagram.c | ||
| esp6.c | ||
| exthdrs_core.c | ||
| exthdrs_offload.c | ||
| exthdrs.c | ||
| fib6_rules.c | ||
| icmp.c | ||
| inet6_connection_sock.c | ||
| inet6_hashtables.c | ||
| ip6_checksum.c | ||
| ip6_fib.c | ||
| ip6_flowlabel.c | ||
| ip6_gre.c | ||
| ip6_icmp.c | ||
| ip6_input.c | ||
| ip6_offload.c | ||
| ip6_offload.h | ||
| ip6_output.c | ||
| ip6_tunnel.c | ||
| ip6mr.c | ||
| ipcomp6.c | ||
| ipv6_sockglue.c | ||
| Kconfig | ||
| Makefile | ||
| mcast.c | ||
| mip6.c | ||
| ndisc.c | ||
| netfilter.c | ||
| output_core.c | ||
| ping.c | ||
| proc.c | ||
| protocol.c | ||
| raw.c | ||
| reassembly.c | ||
| route.c | ||
| sit.c | ||
| syncookies.c | ||
| sysctl_net_ipv6.c | ||
| tcp_ipv6.c | ||
| tcpv6_offload.c | ||
| tunnel6.c | ||
| udp_impl.h | ||
| udp_offload.c | ||
| udp.c | ||
| udplite.c | ||
| xfrm6_input.c | ||
| xfrm6_mode_beet.c | ||
| xfrm6_mode_ro.c | ||
| xfrm6_mode_transport.c | ||
| xfrm6_mode_tunnel.c | ||
| xfrm6_output.c | ||
| xfrm6_policy.c | ||
| xfrm6_state.c | ||
| xfrm6_tunnel.c | ||