#ifndef RND_H #define RND_H #define HIG_ENTROPY_SOURCE "/dev/random" #define LOW_ENTROPY_SOURCE "/dev/urandom" /* secrand is not really secure, but the name only suggests it's better to use * than rand(3) when transferring bytes over the network in non-security * critical structure members. secrand() is only used to fill up salts actually. */ extern int secrand(void); extern void gen_key_bytes(unsigned char *area, size_t len); #endif /* RND_H */ net-next.git' title='net-next.git Git repository'/>
summaryrefslogtreecommitdiff
path: root/net/ipv6
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2016-11-15 21:36:43 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2016-12-04 21:17:24 +0100
commit0c66dc1ea3f0366221f8a5a16c73f01ea9259678 (patch)
tree11fd93933ed8b0170c80291db63e0c86220b611a /net/ipv6
parent20afd423976ef3df0ce5719909ffd4416f9ef986 (diff)
netfilter: conntrack: register hooks in netns when needed by ruleset
This makes use of nf_ct_netns_get/put added in previous patch. We add get/put functions to nf_conntrack_l3proto structure, ipv4 and ipv6 then implement use-count to track how many users (nft or xtables modules) have a dependency on ipv4 and/or ipv6 connection tracking functionality. When count reaches zero, the hooks are unregistered. This delays activation of connection tracking inside a namespace until stateful firewall rule or nat rule gets added. This patch breaks backwards compatibility in the sense that connection tracking won't be active anymore when the protocol tracker module is loaded. This breaks e.g. setups that ctnetlink for flow accounting and the like, without any '-m conntrack' packet filter rules. Followup patch restores old behavour and makes new delayed scheme optional via sysctl. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6')