Message-ID: <87mvwn18my.fsf@x220.int.ebiederm.org>
Date: Tue, 15 Sep 2015 19:59:49 -0500
From: ebiederm@...ssion.com (Eric W. Biederman)
To: Pablo Neira Ayuso <pablo@...filter.org>,
David Miller <davem@...emloft.net>
Cc: netfilter-devel@...r.kernel.org, <netdev@...r.kernel.org>
Subject: [PATCH next 0/30] Passing net through the netfilter hooks
My primary goal with this patchset and its follow-ups is to clean up the
network routing paths so that we do not look at the output device to
derive the network namespace. My plan is to pass the network namespace
of the transmitting socket through the output path, to replace code that
looks at the output network device today. Once that is done we can have
routes with output devices outside of the current network namespace,
which should allow reception and transmission of packets in network
namespaces to be as fast as normal packet reception and transmission
with early demux disabled, because it will use the same code path.

Once skb_dst(skb)->dev is a little better under control I think it will
also be possible to use rcu to clean up the ancient hack that sets
dst->dev to loopback_dev when a network device is removed.

The work to get there is a series of code cleanups. I am starting with
passing net into the netfilter hooks and into the functions that are
called after the netfilter hooks. This removes from netfilter the
need to guess which network namespace it is working on.

To get there I perform a series of minor prep patches so the big changes
at the end are possible to audit without getting lost in the noise. In
particular I have a lot of patches computing net into a local variable
and then using it throughout the function.

So this patchset encompasses removing dead code, sorting out the _sk
functions that were added last time someone pushed a prototype change
through the post-netfilter functions, cleaning up individual functions'
use of the network namespace, passing net into the netfilter hooks,
passing net into the post-netfilter functions, and using state->net in
the netfilter code where it is available and trivially usable.

Pablo, Dave, I don't know whose tree this makes more sense to go
through. I am assuming at least initially Pablo's, as netfilter is
involved. From what I have seen there will be a lot of back and forth
between the netfilter code paths and the routing code paths.

The patches are also available (against 4.3-rc1) at:
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/net-next.git master
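To make the cover letter's argument concrete, here is an added toy model (not kernel code and not part of this series) of why deriving the namespace from the output device stops working once a route's output device may live in another namespace. All struct definitions, names and the scenario are constructed for illustration; only the idea of carrying net in nf_hook_state and using state->net comes from the patchset.

```c
#include <stddef.h>

/* Constructed toy model of the structures the cover letter talks about.
 * These are NOT the real kernel definitions; just enough to show the
 * "guess net from the output device" vs "net passed explicitly" difference. */
struct net { const char *name; };
struct net_device { const char *name; struct net *nd_net; };
struct dst_entry { struct net_device *dev; };
struct sock { struct net *sk_net; };
struct sk_buff { struct dst_entry *dst; struct sock *sk; };

/* Model of the hook state: after the series it carries net explicitly. */
struct nf_hook_state { struct net *net; struct net_device *out; };

static struct net *dev_net(const struct net_device *dev) { return dev->nd_net; }
static struct net *sock_net(const struct sock *sk) { return sk->sk_net; }

/* "Before": netfilter guesses the namespace from the route's output device. */
struct net *hook_net_from_outdev(const struct sk_buff *skb)
{
    return dev_net(skb->dst->dev);
}

/* "After": the caller passes the transmitting socket's net through
 * nf_hook_state and the hook simply uses state->net, no guessing. */
struct net *hook_net_from_state(const struct nf_hook_state *state)
{
    return state->net;
}

/* Scenario: the socket lives in namespace "a", but the route's output
 * device sits in namespace "b" (the cross-namespace routes the series is
 * preparing for). Returns 1 if the old derivation would make netfilter
 * consult the wrong namespace's rules, 0 if both approaches agree. */
int outdev_guess_is_wrong(void)
{
    struct net a = { "a" }, b = { "b" };
    struct net_device veth_b = { "veth0", &b };
    struct dst_entry rt = { &veth_b };
    struct sock sk = { &a };
    struct sk_buff skb = { &rt, &sk };
    struct nf_hook_state state = { sock_net(skb.sk), rt.dev };
    struct net *before = hook_net_from_outdev(&skb);   /* picks "b" */
    struct net *after  = hook_net_from_state(&state);  /* picks "a" */
    return before != after;
}
```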
Eric W. Biederman (30):
netfilter: Remove !CONFIG_NETFITLER definition of nf_hook_thresh
netfilter: Store net in nf_hook_state
netfilter: Pass net to nf_hook_thresh
xfrm: Remove unused afinfo method init_dst
net: Merge dst_output and dst_output_sk
ipv4: Compute net once in ip_forward
ipv4: Compute net once in ip_forward_finish
ipv4: Compute net once in ip_rcv
ipv4: Remember the net in ip_output and ip_mc_output
ipv4: Don't recompute net in ipmr_queue_xmit
ipv4: Only compute net once in ip_do_fragment
ipv4: Explicitly compute net in ip_fragment
ipv4: Only compute net once in ip_finish_output2
ipv4: Only compute net once in ip_rcv_finish
ipv4: Only compute net once in ipmr_forward_finish
ipv6: Only compute net once in ip6mr_forward2_finish
arp: Introduce arp_xmit_finish
bridge: Introduce br_send_bpdu_finish
net: Remove dev_queue_xmit_sk
ipv6: Don't recompute net in ip6_rcv
ipv6: Only compute net once in ip6_finish_output2
ipv6: Cache net in ip6_output
ipv6: Compute net once in raw6_send_hdrinc
bridge: Pass net into br_nf_ip_fragment
bridge: Pass net into br_nf_push_frag_xmit
bridge: Cache net in br_nf_pre_routing_finish
bridge: Add br_netif_receive_skb remove netif_receive_skb_sk
netfilter: Pass struct net into the netfilter hooks
netfilter: Use nf_hook_state.net
netfilter: Pass net into okfn
drivers/net/vrf.c | 9 ++--
include/linux/netdevice.h | 14 ++----
include/linux/netfilter.h | 68 ++++++++++++--------------
include/linux/netfilter_bridge.h | 2 +-
include/linux/netfilter_ingress.h | 2 +-
include/net/dn_neigh.h | 6 +--
include/net/dst.h | 6 +--
include/net/ipv6.h | 2 +-
include/net/netfilter/br_netfilter.h | 2 +-
include/net/xfrm.h | 2 -
net/bridge/br_forward.c | 16 +++---
net/bridge/br_input.c | 25 ++++++----
net/bridge/br_multicast.c | 4 +-
net/bridge/br_netfilter_hooks.c | 54 ++++++++++----------
net/bridge/br_netfilter_ipv6.c | 8 +--
net/bridge/br_private.h | 6 +--
net/bridge/br_stp_bpdu.c | 12 +++--
net/bridge/netfilter/ebtable_filter.c | 4 +-
net/bridge/netfilter/ebtable_nat.c | 4 +-
net/core/dev.c | 12 +++--
net/decnet/dn_neigh.c | 23 +++++----
net/decnet/dn_nsp_in.c | 7 +--
net/decnet/dn_nsp_out.c | 4 +-
net/decnet/dn_route.c | 30 ++++++------
net/ipv4/arp.c | 20 +++++---
net/ipv4/ip_forward.c | 19 ++++---
net/ipv4/ip_input.c | 39 +++++++--------
net/ipv4/ip_output.c | 58 ++++++++++++----------
net/ipv4/ip_vti.c | 2 +-
net/ipv4/ipmr.c | 15 +++---
net/ipv4/netfilter/arptable_filter.c | 4 +-
net/ipv4/netfilter/ip_tables.c | 8 +--
net/ipv4/netfilter/ipt_CLUSTERIP.c | 2 +-
net/ipv4/netfilter/ipt_SYNPROXY.c | 2 +-
net/ipv4/netfilter/iptable_filter.c | 6 +--
net/ipv4/netfilter/iptable_mangle.c | 7 ++-
net/ipv4/netfilter/iptable_nat.c | 5 +-
net/ipv4/netfilter/iptable_raw.c | 6 +--
net/ipv4/netfilter/iptable_security.c | 5 +-
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 4 +-
net/ipv4/raw.c | 5 +-
net/ipv4/xfrm4_input.c | 7 +--
net/ipv4/xfrm4_output.c | 10 ++--
net/ipv6/ip6_input.c | 15 +++---
net/ipv6/ip6_output.c | 37 +++++++-------
net/ipv6/ip6_vti.c | 2 +-
net/ipv6/ip6mr.c | 12 ++---
net/ipv6/mcast.c | 9 ++--
net/ipv6/ndisc.c | 6 +--
net/ipv6/netfilter/ip6_tables.c | 8 +--
net/ipv6/netfilter/ip6t_SYNPROXY.c | 2 +-
net/ipv6/netfilter/ip6table_filter.c | 5 +-
net/ipv6/netfilter/ip6table_mangle.c | 6 +--
net/ipv6/netfilter/ip6table_nat.c | 5 +-
net/ipv6/netfilter/ip6table_raw.c | 5 +-
net/ipv6/netfilter/ip6table_security.c | 4 +-
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 4 +-
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 2 +-
net/ipv6/output_core.c | 8 +--
net/ipv6/raw.c | 9 ++--
net/ipv6/xfrm6_input.c | 4 +-
net/ipv6/xfrm6_output.c | 10 ++--
net/netfilter/ipvs/ip_vs_xmit.c | 8 +--
net/netfilter/nf_queue.c | 2 +-
net/netfilter/nfnetlink_queue_core.c | 3 +-
net/xfrm/xfrm_output.c | 17 ++++---
net/xfrm/xfrm_policy.c | 4 +-
67 files changed, 375 insertions(+), 358 deletions(-)