<feed xmlns='http://www.w3.org/2005/Atom'>
<title>rhel7-kernel-misery/include/uapi/linux/netfilter, branch master</title>
<subtitle>Attempts to make the RHEL7 kernel work in minimal CI</subtitle>
<id>https://git.zx2c4.com/rhel7-kernel-misery/atom/include/uapi/linux/netfilter?h=master</id>
<link rel='self' href='https://git.zx2c4.com/rhel7-kernel-misery/atom/include/uapi/linux/netfilter?h=master'/>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/'/>
<updated>2020-09-30T14:24:59Z</updated>
<entry>
<title>linux-3.10.0-1160.el7</title>
<updated>2020-09-30T14:24:59Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2020-09-30T14:24:59Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=e4784e2fd10cc4fe5e38037d19ebf50d4ad7de6f'/>
<id>urn:sha1:e4784e2fd10cc4fe5e38037d19ebf50d4ad7de6f</id>
<content type='text'>
</content>
</entry>
<entry>
<title>netfilter: nfnetlink_queue: avoid expensive gso segmentation and checksum fixup</title>
<updated>2013-04-29T18:09:07Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2013-04-19T04:58:27Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=00bd1cc24a7dd295ee095dc50791aab6ede46c7a'/>
<id>urn:sha1:00bd1cc24a7dd295ee095dc50791aab6ede46c7a</id>
<content type='text'>
Userspace can now indicate that it can cope with larger-than-mtu sized
packets and packets that have invalid ipv4/tcp checksums.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nfnetlink_queue: add skb info attribute</title>
<updated>2013-04-29T18:09:06Z</updated>
<author>
<name>Florian Westphal</name>
<email>fw@strlen.de</email>
</author>
<published>2013-04-19T04:58:26Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=7237190df8c4129241697530a4eecabdc4ecc66e'/>
<id>urn:sha1:7237190df8c4129241697530a4eecabdc4ecc66e</id>
<content type='text'>
Once we allow userspace to receive gso/gro packets, userspace
needs to be able to determine when checksums appear to be
broken, but are not.

NFQA_SKB_CSUMNOTREADY means 'checksums will be fixed in kernel
later, pretend they are ok'.

NFQA_SKB_GSO could be used for statistics, or to determine when
packet size exceeds mtu.

Signed-off-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: ipset: set match: add support to match the counters</title>
<updated>2013-04-29T18:09:03Z</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@blackhole.kfki.hu</email>
</author>
<published>2013-04-27T12:40:50Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=6e01781d1c80e2e8263471252a631e86165b15c5'/>
<id>urn:sha1:6e01781d1c80e2e8263471252a631e86165b15c5</id>
<content type='text'>
The new revision of the set match supports matching the counters
and suppressing the updating of the counters at matching too.

At the set:list types, the updating of the subcounters can be
suppressed as well.

Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: ipset: Introduce the counter extension in the core</title>
<updated>2013-04-29T18:08:59Z</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@blackhole.kfki.hu</email>
</author>
<published>2013-04-27T12:38:56Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=34d666d489cf70c246ca99b2387741915c34b88c'/>
<id>urn:sha1:34d666d489cf70c246ca99b2387741915c34b88c</id>
<content type='text'>
Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: xt_NFQUEUE: introduce CPU fanout</title>
<updated>2013-04-01T23:25:44Z</updated>
<author>
<name>holger@eitzenberger.org</name>
<email>holger@eitzenberger.org</email>
</author>
<published>2013-03-23T10:04:03Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=8746ddcf12bb263ad240e095ef16531006caeb50'/>
<id>urn:sha1:8746ddcf12bb263ad240e095ef16531006caeb50</id>
<content type='text'>
Current NFQUEUE target uses a hash, computed over source and
destination address (and other parameters), for steering the packet
to the actual NFQUEUE. This, however, forgets about the fact that the
packet eventually is handled by a particular CPU on user request.

If e.g.

  1) IRQ affinity is used to handle packets on a particular CPU already
     (both single-queue or multi-queue case)

and/or

  2) RPS is used to steer packets to a specific softirq

the target easily chooses an NFQUEUE which is not handled by a process
pinned to the same CPU.

The idea is therefore to use the CPU index for determining the
NFQUEUE handling the packet.

E.g. when having a system with 4 CPUs, 4 MQ queues and 4 NFQUEUEs it
looks like this:

 +-----+  +-----+  +-----+  +-----+
 |NFQ#0|  |NFQ#1|  |NFQ#2|  |NFQ#3|
 +-----+  +-----+  +-----+  +-----+
    ^        ^        ^        ^
    |        |NFQUEUE |        |
    +        +        +        +
 +-----+  +-----+  +-----+  +-----+
 |rx-0 |  |rx-1 |  |rx-2 |  |rx-3 |
 +-----+  +-----+  +-----+  +-----+

The NFQUEUEs do not necessarily have to start with number 0; setups with
fewer NFQUEUEs than packet-handling CPUs are not a problem either.

This patch extends the NFQUEUE target to accept a new
NFQ_FLAG_CPU_FANOUT flag. If this is specified the target uses the
CPU index for determining the NFQUEUE being used. I have to introduce
rev3 for this. The 'flags' are folded into _v2 'bypass'.

By changing the way in which the queue is assigned, I'm able to improve the
performance if the processes reading on the NFQUEUEs are pinned
correctly.

Signed-off-by: Holger Eitzenberger &lt;holger@eitzenberger.org&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: xt_CT: add alias flag</title>
<updated>2013-02-05T00:49:26Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2013-01-30T19:24:22Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=5474f57f7d686ac918355419cb71496f835aaf5d'/>
<id>urn:sha1:5474f57f7d686ac918355419cb71496f835aaf5d</id>
<content type='text'>
This patch adds the alias flag to support full NOTRACK target
aliasing.

Based on initial patch from Jozsef Kadlecsik.

Acked-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hi&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: xt_conntrack: Add flag to support aliases</title>
<updated>2013-02-05T00:45:23Z</updated>
<author>
<name>Jozsef Kadlecsik</name>
<email>kadlec@blackhole.kfki.hu</email>
</author>
<published>2013-01-28T10:44:48Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=d1beadd1cb649404bfa2c3d92f77dbcb15b712e5'/>
<id>urn:sha1:d1beadd1cb649404bfa2c3d92f77dbcb15b712e5</id>
<content type='text'>
The patch adds the flag to denote the "state" alias as of the subset
of the "conntrack" match.

Signed-off-by: Jozsef Kadlecsik &lt;kadlec@blackhole.kfki.hu&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: add missing xt_connlabel.h header in installation</title>
<updated>2013-01-21T12:46:49Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2013-01-21T12:02:19Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=8a454ab95e5ccbffd04363e9c028f60739bc3fa4'/>
<id>urn:sha1:8a454ab95e5ccbffd04363e9c028f60739bc3fa4</id>
<content type='text'>
In (c539f01 netfilter: add connlabel conntrack extension), it
was missing the change to the Kbuild file to install the header
in the system.

Reported-by: Florian Westphal &lt;fw@strlen.de&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: add missing xt_bpf.h header in installation</title>
<updated>2013-01-21T11:30:59Z</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2013-01-21T11:30:59Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/rhel7-kernel-misery/commit/?id=e7db3cbcd6508235d63ba4a31bbd1ce4fdece6e1'/>
<id>urn:sha1:e7db3cbcd6508235d63ba4a31bbd1ce4fdece6e1</id>
<content type='text'>
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
</feed>
