1. 26 Sep, 2014 1 commit
    • Pablo Neira Ayuso's avatar
      netfilter: bridge: move br_netfilter out of the core · 34666d46
      Pablo Neira Ayuso authored
      Jesper reported that br_netfilter always registers the hooks since
      this is part of the bridge core. This harms performance for people that
      don't need this.
      This patch modularizes br_netfilter so it can be rmmod'ed, thus,
      the hooks can be unregistered. I think the bridge netfilter should have
      been a separated module since the beginning, Patrick agreed on that.
      Note that this is breaking compatibility for users that expect that
      bridge netfilter is going to be available after explicitly 'modprobe
      bridge' or via automatic load through brctl.
      However, the damage can be easily undone by modprobing br_netfilter.
      The bridge core also spots a message to provide a clue to people that
      didn't notice that this has been deprecated.
      On top of that, the plan is that nftables will not rely on this software
      layer, but integrate the connection tracking into the bridge layer to
      enable stateful filtering and NAT, which is was bridge netfilter users
      seem to require.
      This patch still keeps the fake_dst_ops in the bridge core, since this
      is required by when the bridge port is initialized. So we can safely
      modprobe/rmmod br_netfilter anytime.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
  2. 26 May, 2014 1 commit
    • Pablo Neira's avatar
      netfilter: bridge: fix Kconfig unmet dependencies · 1708803e
      Pablo Neira authored
      Before f5efc696 ("netfilter: nf_tables: Add meta expression key for
      bridge interface name"), the entire net/bridge/netfilter/ directory
      depended on BRIDGE_NF_EBTABLES, ie. on ebtables. However, that
      directory already contained the nf_tables bridge extension that
      we should allow to compile separately. In f5efc696, we tried to
      generalize this by using CONFIG_BRIDGE_NETFILTER which was not a good
      idea since this option already existed and it is dedicated to enable
      the Netfilter bridge IP/ARP filtering.
      Let's try to fix this mess by:
      1) making net/bridge/netfilter/ dependent on the toplevel
         CONFIG_NETFILTER option, just like we do with the net/netfilter and
         net/ipv{4,6}/netfilter/ directories.
      2) Changing 'selects' to 'depends on' NETFILTER_XTABLES for
         BRIDGE_NF_EBTABLES. I believe this problem was already before
      warning: (BRIDGE_NF_EBTABLES) selects NETFILTER_XTABLES which has
      unmet direct dependencies (NET && INET && NETFILTER)
      3) Fix ebtables/nf_tables bridge dependencies by making NF_TABLES_BRIDGE
         and BRIDGE_NF_EBTABLES dependent on BRIDGE and NETFILTER:
      warning: (NF_TABLES_BRIDGE && BRIDGE_NF_EBTABLES) selects
      BRIDGE_NETFILTER which has unmet direct dependencies (NET && BRIDGE &&
      net/built-in.o: In function `br_parse_ip_options':
      br_netfilter.c:(.text+0x4a5ba): undefined reference to `ip_options_compile'
      br_netfilter.c:(.text+0x4a5ed): undefined reference to `ip_options_rcv_srr'
      net/built-in.o: In function `br_nf_pre_routing_finish':
      br_netfilter.c:(.text+0x4a8a4): undefined reference to `ip_route_input_noref'
      br_netfilter.c:(.text+0x4a987): undefined reference to `ip_route_output_flow'
      make: *** [vmlinux] Error 1
      Reported-by: default avatarJim Davis <jim.epost@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  3. 22 May, 2014 1 commit
  4. 24 Apr, 2014 1 commit
  5. 14 Feb, 2013 1 commit
    • Vlad Yasevich's avatar
      bridge: Add vlan filtering infrastructure · 243a2e63
      Vlad Yasevich authored
      Adds an optional infrustructure component to bridge that would allow
      native vlan filtering in the bridge.  Each bridge port (as well
      as the bridge device) now get a VLAN bitmap.  Each bit in the bitmap
      is associated with a vlan id.  This way if the bit corresponding to
      the vid is set in the bitmap that the packet with vid is allowed to
      enter and exit the port.
      Write access the bitmap is protected by RTNL and read access
      protected by RCU.
      Vlan functionality is disabled by default.
      Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  6. 07 Dec, 2012 1 commit
    • Cong Wang's avatar
      bridge: export multicast database via netlink · ee07c6e7
      Cong Wang authored
      V5: fix two bugs pointed out by Thomas
          remove seq check for now, mark it as TODO
      V4: remove some useless #include
          some coding style fix
      V3: drop debugging printk's
          update selinux perm table as well
      V2: drop patch 1/2, export ifindex directly
          Redesign netlink attributes
          Improve netlink seq check
          Handle IPv6 addr as well
      This patch exports bridge multicast database via netlink
      message type RTM_GETMDB. Similar to fdb, but currently bridge-specific.
      We may need to support modify multicast database too (RTM_{ADD,DEL}MDB).
      (Thanks to Thomas for patient reviews)
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Stephen Hemminger <shemminger@vyatta.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Thomas Graf <tgraf@suug.ch>
      Cc: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarCong Wang <amwang@redhat.com>
      Acked-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  7. 28 Feb, 2010 1 commit
    • Herbert Xu's avatar
      bridge: Add core IGMP snooping support · eb1d1641
      Herbert Xu authored
      This patch adds the core functionality of IGMP snooping support
      without actually hooking it up.  So this patch should be a no-op
      as far as the bridge's external behaviour is concerned.
      All the new code and data is controlled by the Kconfig option
      BRIDGE_IGMP_SNOOPING.  A run-time toggle is also available.
      The multicast switching is done using an hash table that is
      lockless on the read-side through RCU.  On the write-side the
      new multicast_lock is used for all operations.  The hash table
      supports dynamic growth/rehashing.
      The hash table will be rehashed if any chain length exceeds a
      preset limit.  If rehashing does not reduce the maximum chain
      length then snooping will be disabled.
      These features may be added in future (in no particular order):
      * IGMPv3 source support
      * Non-querier router detection
      * IPv6
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
  8. 18 Jun, 2006 1 commit
  9. 16 Apr, 2005 1 commit
    • Linus Torvalds's avatar
      Linux-2.6.12-rc2 · 1da177e4
      Linus Torvalds authored
      Initial git repository build. I'm not bothering with the full history,
      even though we have it. We can create a separate "historical" git
      archive of that later if we want to, and in the meantime it's about
      3.2GB when imported into git - space that would just make the early
      git days unnecessarily complicated, when we don't have a lot of good
      infrastructure for it.
      Let it rip!