korg/linux
0
0
Fork 0
mirror of https://mirrors.bfsu.edu.cn/git/linux.git synced 2024-12-03 00:54:09 +08:00
Code Issues Packages Projects Releases Wiki Activity
42df6e1d22
linux/net/netfilter
History
Lukas Wunner 42df6e1d22 netfilter: Introduce egress hook 
Support classifying packets with netfilter on egress to satisfy user
requirements such as:
* outbound security policies for containers (Laura)
* filtering and mangling intra-node Direct Server Return (DSR) traffic
  on a load balancer (Laura)
* filtering locally generated traffic coming in through AF_PACKET,
  such as local ARP traffic generated for clustering purposes or DHCP
  (Laura; the AF_PACKET plumbing is contained in a follow-up commit)
* L2 filtering from ingress and egress for AVB (Audio Video Bridging)
  and gPTP with nftables (Pablo)
* in the future: in-kernel NAT64/NAT46 (Pablo)

The egress hook introduced herein complements the ingress hook added by
commit e687ad60af ("netfilter: add netfilter ingress hook after
handle_ing() under unique static key").  A patch for nftables to hook up
egress rules from user space has been submitted separately, so users may
immediately take advantage of the feature.

Alternatively or in addition to netfilter, packets can be classified
with traffic control (tc).  On ingress, packets are classified first by
tc, then by netfilter.  On egress, the order is reversed for symmetry.
Conceptually, tc and netfilter can be thought of as layers, with
netfilter layered above tc.

Traffic control is capable of redirecting packets to another interface
(man 8 tc-mirred).  E.g., an ingress packet may be redirected from the
host namespace to a container via a veth connection:
tc ingress (host) -> tc egress (veth host) -> tc ingress (veth container)

In this case, netfilter egress classifying is not performed when leaving
the host namespace!  That's because the packet is still on the tc layer.
If tc redirects the packet to a physical interface in the host namespace
such that it leaves the system, the packet is never subjected to
netfilter egress classifying.  That is only logical since it hasn't
passed through netfilter ingress classifying either.

Packets can alternatively be redirected at the netfilter layer using
nft fwd.  Such a packet *is* subjected to netfilter egress classifying
since it has reached the netfilter layer.

Internally, the skb->nf_skip_egress flag controls whether netfilter is
invoked on egress by __dev_queue_xmit().  Because __dev_queue_xmit() may
be called recursively by tunnel drivers such as vxlan, the flag is
reverted to false after sch_handle_egress().  This ensures that
netfilter is applied both on the overlay and underlying network.

Interaction between tc and netfilter is possible by setting and querying
skb->mark.

If netfilter egress classifying is not enabled on any interface, it is
patched out of the data path by way of a static_key and doesn't make a
performance difference that is discernible from noise:

Before:             1537 1538 1538 1537 1538 1537 Mb/sec
After:              1536 1534 1539 1539 1539 1540 Mb/sec
Before + tc accept: 1418 1418 1418 1419 1419 1418 Mb/sec
After  + tc accept: 1419 1424 1418 1419 1422 1420 Mb/sec
Before + tc drop:   1620 1619 1619 1619 1620 1620 Mb/sec
After  + tc drop:   1616 1624 1625 1624 1622 1619 Mb/sec

When netfilter egress classifying is enabled on at least one interface,
a minimal performance penalty is incurred for every egress packet, even
if the interface it's transmitted over doesn't have any netfilter egress
rules configured.  That is caused by checking dev->nf_hooks_egress
against NULL.

Measurements were performed on a Core i7-3615QM.  Commands to reproduce:
ip link add dev foo type dummy
ip link set dev foo up
modprobe pktgen
echo "add_device foo" > /proc/net/pktgen/kpktgend_3
samples/pktgen/pktgen_bench_xmit_mode_queue_xmit.sh -i foo -n 400000000 -m "11:11:11:11:11:11" -d 1.1.1.1

Accept all traffic with tc:
tc qdisc add dev foo clsact
tc filter add dev foo egress bpf da bytecode '1,6 0 0 0,'

Drop all traffic with tc:
tc qdisc add dev foo clsact
tc filter add dev foo egress bpf da bytecode '1,6 0 0 2,'

Apply this patch when measuring packet drops to avoid errors in dmesg:
https://lore.kernel.org/netdev/a73dda33-57f4-95d8-ea51-ed483abd6a7a@iogearbox.net/

Signed-off-by: Lukas Wunner <lukas@wunner.de>
Cc: Laura García Liébana <nevola@gmail.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-10-14 23:06:28 +02:00
..
ipset netfilter: ipset: Fix oversized kvmalloc() calls 2021-09-14 00:50:01 +02:00
ipvs ipvs: add sysctl_run_estimation to support disable estimation 2021-10-07 19:52:58 +02:00
core.c netfilter: Introduce egress hook 2021-10-14 23:06:28 +02:00
Kconfig netfilter: Introduce egress hook 2021-10-14 23:06:28 +02:00
Makefile netfilter: add netfilter hooks to SRv6 data plane 2021-08-30 01:51:36 +02:00
nf_conncount.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
nf_conntrack_acct.c netfilter: nf_conntrack_acct.c: A typo fix 2021-03-28 17:31:14 -07:00
nf_conntrack_amanda.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_conntrack_broadcast.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_conntrack_core.c netfilter: conntrack: serialize hash resizes and cleanups 2021-09-21 03:46:56 +02:00
nf_conntrack_ecache.c netfilter: ecache: remove nf_exp_event_notifier structure 2021-08-25 12:50:38 +02:00
nf_conntrack_expect.c netfilter: conntrack: switch to siphash 2021-08-30 11:49:55 +02:00
nf_conntrack_extend.c netfilter: conntrack: remove two export symbols 2019-12-17 22:59:31 +01:00
nf_conntrack_ftp.c netfilter: remove BUG_ON() after skb_header_pointer() 2021-05-05 23:45:48 +02:00
nf_conntrack_h323_asn1.c netfilter: Use fallthrough pseudo-keyword 2020-07-22 01:18:05 +02:00
nf_conntrack_h323_main.c netfilter: fix clang-12 fmt string warnings 2021-06-01 23:53:51 +02:00
nf_conntrack_h323_types.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 484 2019-06-19 17:09:52 +02:00
nf_conntrack_helper.c netfilter: nftables: add nf_ct_pernet() helper function 2021-06-07 12:23:37 +02:00
nf_conntrack_irc.c netfilter: remove BUG_ON() after skb_header_pointer() 2021-05-05 23:45:48 +02:00
nf_conntrack_labels.c netfilter: not mark a spinlock as __read_mostly 2019-08-27 18:07:03 +02:00
nf_conntrack_netbios_ns.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
nf_conntrack_netlink.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2021-09-03 16:20:37 -07:00
nf_conntrack_pptp.c netfilter: remove BUG_ON() after skb_header_pointer() 2021-05-05 23:45:48 +02:00
nf_conntrack_proto_dccp.c netfilter: conntrack: pass hook state to log functions 2021-06-18 14:47:43 +02:00
nf_conntrack_proto_generic.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
nf_conntrack_proto_gre.c netfilter: conntrack: nf_ct_gre_keymap_flush() removal 2021-07-02 02:07:01 +02:00
nf_conntrack_proto_icmp.c netfilter: conntrack: pass hook state to log functions 2021-06-18 14:47:43 +02:00
nf_conntrack_proto_icmpv6.c netfilter: conntrack: pass hook state to log functions 2021-06-18 14:47:43 +02:00
nf_conntrack_proto_sctp.c netfilter: conntrack: pass hook state to log functions 2021-06-18 14:47:43 +02:00
nf_conntrack_proto_tcp.c netfilter: conntrack: remove offload_pickup sysctl again 2021-08-06 17:07:41 +02:00
nf_conntrack_proto_udp.c netfilter: conntrack: remove offload_pickup sysctl again 2021-08-06 17:07:41 +02:00
nf_conntrack_proto.c netfilter: conntrack: nf_ct_gre_keymap_flush() removal 2021-07-02 02:07:01 +02:00
nf_conntrack_sane.c netfilter: remove BUG_ON() after skb_header_pointer() 2021-05-05 23:45:48 +02:00
nf_conntrack_seqadj.c netfilter: conntrack, nat: prefer skb_ensure_writable 2019-05-31 18:02:45 +02:00
nf_conntrack_sip.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_conntrack_snmp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
nf_conntrack_standalone.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2021-09-03 16:20:37 -07:00
nf_conntrack_tftp.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_conntrack_timeout.c netfilter: update include directives. 2019-09-13 12:33:06 +02:00
nf_conntrack_timestamp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 77 2019-05-24 17:37:51 +02:00
nf_dup_netdev.c netfilter: nf_fwd_netdev: clear timestamp in forwarding path 2020-10-22 14:49:36 +02:00
nf_flow_table_core.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-08-13 06:41:22 -07:00
nf_flow_table_inet.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nf_flow_table_ip.c netfilter: flowtable: dst_check() from garbage collector path 2021-03-31 22:34:11 +02:00
nf_flow_table_offload.c net: Fix offloading indirect devices dependency on qdisc order creation 2021-08-19 13:19:30 +01:00
nf_hooks_lwtunnel.c netfilter: add netfilter hooks to SRv6 data plane 2021-08-30 01:51:36 +02:00
nf_internals.h netfilter: ctnetlink: add kernel side filtering for dump 2020-05-27 22:20:34 +02:00
nf_log_syslog.c netfilter: nf_log_syslog: Unset bridge logger in pernet exit 2021-04-26 03:20:47 +02:00
nf_log.c netfilter: nft_log: perform module load from nf_tables 2021-03-31 22:34:11 +02:00
nf_nat_amanda.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_nat_core.c netfilter: nat: include zone id in nat table hash again 2021-09-21 03:46:55 +02:00
nf_nat_ftp.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_nat_helper.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
nf_nat_irc.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_nat_masquerade.c netfilter: nf_nat_masquerade: defer conntrack walk to work queue 2021-09-21 03:46:56 +02:00
nf_nat_proto.c netfilter: nat: move nf_xfrm_me_harder to where it is used 2021-04-26 03:20:07 +02:00
nf_nat_redirect.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
nf_nat_sip.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_nat_tftp.c netfilter: nf_conntrack_sip: fix expectation clash 2019-07-16 13:16:59 +02:00
nf_queue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2021-08-11 10:22:26 +01:00
nf_sockopt.c netfilter: switch nf_setsockopt to sockptr_t 2020-07-24 15:41:54 -07:00
nf_synproxy_core.c netfilter: synproxy: Fix out of bounds when parsing TCP options 2021-06-10 14:26:18 -07:00
nf_tables_api.c netfilter: nf_tables: Fix oversized kvmalloc() calls 2021-09-21 03:46:55 +02:00
nf_tables_core.c netfilter: nf_tables: add last expression 2021-06-17 03:23:00 +02:00
nf_tables_offload.c net: Fix offloading indirect devices dependency on qdisc order creation 2021-08-19 13:19:30 +01:00
nf_tables_trace.c netfilter: nf_tables: add and use nft_thoff helper 2021-05-29 01:04:54 +02:00
nfnetlink_acct.c netfilter: use nfnetlink_unicast() 2021-05-29 01:04:53 +02:00
nfnetlink_cthelper.c Merge ra.kernel.org:/pub/scm/linux/kernel/git/netdev/net 2021-06-07 13:01:52 -07:00
nfnetlink_cttimeout.c netfilter: use nfnetlink_unicast() 2021-05-29 01:04:53 +02:00
nfnetlink_hook.c netfilter: Introduce egress hook 2021-10-14 23:06:28 +02:00
nfnetlink_log.c netfilter: nfnetlink: add struct nfgenmsg to struct nfnl_info and use it 2021-06-07 12:23:36 +02:00
nfnetlink_osf.c netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check 2021-05-05 22:26:09 +02:00
nfnetlink_queue.c netfilter: nf_queue: move hookfn registration out of struct net 2021-08-10 17:32:00 +02:00
nfnetlink.c netfilter: add new hook nfnl subsystem 2021-06-07 12:41:10 +02:00
nft_bitwise.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_byteorder.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_chain_filter.c netfilter: Introduce egress hook 2021-10-14 23:06:28 +02:00
nft_chain_nat.c netfilter: nf_tables: remove unused arg in nft_set_pktinfo_unspec() 2021-05-29 01:04:54 +02:00
nft_chain_route.c netfilter: nf_tables: remove unused arg in nft_set_pktinfo_unspec() 2021-05-29 01:04:54 +02:00
nft_cmp.c netfilter: nftables_offload: VLAN id needs host byteorder in flow dissector 2021-04-18 22:02:21 +02:00
nft_compat.c netfilter: log: work around missing softdep backend module 2021-09-21 03:46:56 +02:00
nft_connlimit.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_counter.c netfilter: nftables: counter hardware offload support 2021-04-18 22:04:49 +02:00
nft_ct.c netfilter: nft_ct: protect nft_ct_pcpu_template_refcnt with mutex 2021-08-11 11:22:19 +02:00
nft_dup_netdev.c netfilter: nftables: add nft_parse_register_load() and use it 2021-01-27 22:53:29 +01:00
nft_dynset.c netfilter: nft_dynset: relax superfluous check on set updates 2021-10-07 19:53:15 +02:00
nft_exthdr.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-06-29 15:45:27 -07:00
nft_fib_inet.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_fib_netdev.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_fib.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_flow_offload.c netfilter: nf_tables: add and use nft_thoff helper 2021-05-29 01:04:54 +02:00
nft_fwd_netdev.c netfilter: nftables: add nft_parse_register_load() and use it 2021-01-27 22:53:29 +01:00
nft_hash.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_immediate.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_last.c netfilter: nft_last: avoid possible false sharing 2021-07-23 14:18:02 +02:00
nft_limit.c netfilter: nft_limit: avoid possible divide error in nft_limit_init 2021-04-10 21:15:35 +02:00
nft_log.c netfilter: nft_log: perform module load from nf_tables 2021-03-31 22:34:11 +02:00
nft_lookup.c netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_masq.c netfilter: nftables: add nft_parse_register_load() and use it 2021-01-27 22:53:29 +01:00
nft_meta.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_nat.c netfilter: nft_nat: allow to specify layer 4 protocol NAT only 2021-07-23 14:18:03 +02:00
nft_numgen.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_objref.c netfilter: add and use nft_set_do_lookup helper 2021-05-28 21:11:41 +02:00
nft_osf.c netfilter: nft_osf: check for TCP packet before further processing 2021-06-16 20:51:50 +02:00
nft_payload.c netfilter: nf_tables: add and use nft_thoff helper 2021-05-29 01:04:54 +02:00
nft_queue.c netfilter: nftables: add nft_parse_register_load() and use it 2021-01-27 22:53:29 +01:00
nft_quota.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
nft_range.c netfilter: nftables: add nft_parse_register_load() and use it 2021-01-27 22:53:29 +01:00
nft_redir.c netfilter: nftables: add nft_parse_register_load() and use it 2021-01-27 22:53:29 +01:00
nft_reject_inet.c netfilter: nf_tables: add and use nft_sk helper 2021-05-29 01:04:53 +02:00
nft_reject_netdev.c netfilter: nft_reject: add reject verdict support for netdev 2020-10-31 10:41:00 +01:00
nft_reject.c netfilter: nft_reject: unify reject init and dump into nft_reject 2020-10-31 10:40:42 +01:00
nft_rt.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_set_bitmap.c netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_hash.c netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo_avx2: fix up description warnings 2021-06-01 23:53:51 +02:00
nft_set_pipapo_avx2.h netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_pipapo.c netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version 2021-05-14 01:42:52 +02:00
nft_set_pipapo.h netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_rbtree.c netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_socket.c netfilter: nft_socket: fix build with CONFIG_SOCK_CGROUP_DATA=n 2021-04-27 22:34:05 +02:00
nft_synproxy.c netfilter: nf_tables: add and use nft_thoff helper 2021-05-29 01:04:54 +02:00
nft_tproxy.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2021-06-29 15:45:27 -07:00
nft_tunnel.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_xfrm.c netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
utils.c netfilter: use actual socket sk rather than skb sk when routing harder 2020-10-30 12:57:39 +01:00
x_tables.c netfilter: x_tables: never register tables by default 2021-08-09 10:22:01 +02:00
xt_addrtype.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_AUDIT.c netfilter: fix clang-12 fmt string warnings 2021-06-01 23:53:51 +02:00
xt_bpf.c bpf: Refactor BPF_PROG_RUN into a function 2021-08-17 00:45:07 +02:00
xt_cgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_CHECKSUM.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_CLASSIFY.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_cluster.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_comment.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
xt_connbytes.c netfilter: x_tables: use pr ratelimiting in all remaining spots 2018-02-14 21:05:38 +01:00
xt_connlabel.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_connlimit.c netfilter: update include directives. 2019-09-13 12:33:06 +02:00
xt_connmark.c netfilter: Replace HTTP links with HTTPS ones 2020-07-29 20:09:18 +02:00
xt_CONNSECMARK.c netfilter: Replace HTTP links with HTTPS ones 2020-07-29 20:09:18 +02:00
xt_conntrack.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_cpu.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_CT.c netfilter: remove xt pernet data 2021-08-01 12:00:51 +02:00
xt_dccp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_devgroup.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_dscp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_DSCP.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
xt_ecn.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_esp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_hashlimit.c netfilter: Replace zero-length array with flexible-array member 2020-03-15 15:20:16 +01:00
xt_helper.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_hl.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_HL.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
xt_HMARK.c netfilter: xt_HMARK: Use ip_is_fragment() helper 2020-08-28 19:55:51 +02:00
xt_IDLETIMER.c netfilter: xt_IDLETIMER: target v1 - match Android layout 2020-04-05 23:26:37 +02:00
xt_ipcomp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
xt_iprange.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-06-25 01:32:59 +02:00
xt_ipvs.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
xt_l2tp.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_LED.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 164 2019-05-30 11:26:38 -07:00
xt_length.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_limit.c netfilter: x_tables: improve limit_mt scalability 2021-05-29 01:04:52 +02:00
xt_LOG.c netfilter: log: work around missing softdep backend module 2021-09-21 03:46:56 +02:00
xt_mac.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_mark.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_MASQUERADE.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_multiport.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_nat.c netfilter: Add MODULE_DESCRIPTION entries to kernel modules 2020-06-25 00:50:31 +02:00
xt_NETMAP.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_nfacct.c netfilter: Remove unnecessary conversion to bool 2020-12-01 09:45:29 +01:00
xt_NFLOG.c netfilter: log: work around missing softdep backend module 2021-09-21 03:46:56 +02:00
xt_NFQUEUE.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_osf.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 13 2019-05-21 11:28:45 +02:00
xt_owner.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2019-06-25 01:32:59 +02:00
xt_physdev.c netfilter: inline xt_hashlimit, ebt_802_3 and xt_physdev headers 2019-09-13 12:32:48 +02:00
xt_pkttype.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_policy.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_quota.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
xt_rateest.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_RATEEST.c netfilter: xt_RATEEST: reject non-null terminated string from userspace 2020-12-27 11:52:26 +01:00
xt_realm.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_recent.c netfilter: xt_recent: Fix attempt to update deleted entry 2021-02-04 00:33:08 +01:00
xt_REDIRECT.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_repldata.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xt_sctp.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
xt_SECMARK.c netfilter: xt_SECMARK: add new revision to fix structure layout 2021-05-03 23:02:44 +02:00
xt_set.c netfilter: inline four headers files into another one. 2019-08-13 12:14:26 +02:00
xt_socket.c netfilter: disable defrag once its no longer needed 2021-04-26 03:20:07 +02:00
xt_state.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_statistic.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_string.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_tcpmss.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
xt_TCPMSS.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
xt_TCPOPTSTRIP.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
xt_tcpudp.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00
xt_TEE.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 3 2019-05-21 11:28:40 +02:00
xt_time.c netfilter: Replace HTTP links with HTTPS ones 2020-07-29 20:09:18 +02:00
xt_TPROXY.c netfilter: disable defrag once its no longer needed 2021-04-26 03:20:07 +02:00
xt_TRACE.c netfilter: nf_log: add module softdeps 2021-03-31 22:34:10 +02:00
xt_u32.c treewide: Add SPDX license identifier for more missed files 2019-05-21 10:50:45 +02:00