[PATCH 00/15] Netfilter updates for net-next
Hi David,

This second pull request includes the conflict resolution patch that resulted from the updates that we got for the conntrack template through kmalloc. No changes with regards to the previously sent 15 patches.

The following patchset contains Netfilter updates for your net-next tree, they are:

1) Rework the existing nf_tables counter expression to make it per-cpu.

2) Prepare and factor out common packet duplication code from the TEE target so it can be reused from the new dup expression.

3) Add the new dup expression for the nf_tables IPv4 and IPv6 families.

4) Convert the nf_tables limit expression to use a token-based approach with 64-bits precision.

5) Enhance the nf_tables limit expression to support limiting at packet byte. This comes after several preparation patches.

6) Add a burst parameter to indicate the amount of packets or bytes that can exceed the limiting.

7) Add netns support to nfacct, from Andreas Schultz.

8) Pass the nf_conn_zone structure instead of the zone ID in nf_tables to allow accessing more zone specific information, from Daniel Borkmann.

9) Allow to define zone per-direction to support netns containers with overlapping network addressing, also from Daniel.

10) Extend the CT target to allow setting the zone based on the skb->mark as a way to support simple mappings from iptables, also from Daniel.

11) Make the nf_tables payload expression aware of the fact that VLAN offload may have removed a vlan header, from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!
The following changes since commit 938049e18dca57bcd2f93986fc1cbb5a83cdf027:

  net: xgene Remove xgene specific phy and MAC lookup functions (2015-08-20 14:43:49 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to 81bf1c64e7fe08f956c74fe2b0f1fa6eb163bd91:

  Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next (2015-08-21 06:09:05 +0200)

Andreas Schultz (1):
      netfilter: nfacct: per network namespace support

Daniel Borkmann (3):
      netfilter: nf_conntrack: push zone object into functions
      netfilter: nf_conntrack: add direction support for zones
      netfilter: nf_conntrack: add efficient mark to zone mapping

Florian Westphal (1):
      netfilter: nft_payload: work around vlan header stripping

Pablo Neira Ayuso (11):
      netfilter: nft_counter: convert it to use per-cpu counters
      netfilter: xt_TEE: get rid of WITH_CONNTRACK definition
      netfilter: factor out packet duplication for IPv4/IPv6
      netfilter: nf_tables: add nft_dup expression
      netfilter: nft_limit: rename to nft_limit_pkts
      netfilter: nft_limit: convert to token-based limiting at nanosecond granularity
      netfilter: nft_limit: factor out shared code with per-byte limiting
      netfilter: nft_limit: add burst parameter
      netfilter: nft_limit: constant token cost per packet
      netfilter: nft_limit: add per-byte limiting
      Merge branch 'master' of git://git.kernel.org/.../davem/net-next

 include/linux/netfilter/nfnetlink_acct.h           |   3 +-
 include/net/net_namespace.h                        |   3 +
 include/net/netfilter/ipv4/nf_dup_ipv4.h           |   7 +
 include/net/netfilter/ipv6/nf_dup_ipv6.h           |   7 +
 include/net/netfilter/nf_conntrack.h               |  10 +-
 include/net/netfilter/nf_conntrack_core.h          |   3 +-
 include/net/netfilter/nf_conntrack_expect.h        |  11 +-
 include/net/netfilter/nf_conntrack_zones.h         |  99 -
 include/net/netfilter/nft_dup.h                    |   9 +
 include/uapi/linux/netfilter/nf_tables.h           |  23 ++
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |   1 +
 include/uapi/linux/netfilter/xt_CT.h               |   8 +-
 net/ipv4/netfilter/Kconfig                         |  12 ++
 net/ipv4/netfilter/Makefile                        |   3 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   2 +-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c       |   4 +-
 net/ipv4/netfilter/nf_defrag_ipv4.c                |  17 +-
 net/ipv4/netfilter/nf_dup_ipv4.c                   | 120 +++
 net/ipv4/netfilter/nft_dup_ipv4.c                  | 110 ++
 net/ipv6/netfilter/Kconfig                         |  12 ++
 net/ipv6/netfilter/Makefile                        |   3 +
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c     |   2 +-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c     |   5 +-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c          |  18 +-
 net/ipv6/netfilter/nf_dup_ipv6.c                   |  96 +
 net/ipv6/netfilter/nft_dup_ipv6.c                  | 108 ++
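As an added illustration of items 4 to 6 of the cover letter above (the token-based limit with 64-bit nanosecond precision, a constant per-packet cost, a per-byte cost, and a burst allowance), here is a small userspace C model written for this page. It is not the nft_limit code from the series: the struct and function names, the explicit `now_ns` clock parameter, and the way burst is folded into the bucket capacity are this example's own assumptions, chosen so the behaviour can be checked deterministically.

```c
/* Added example, not kernel code: a userspace model of a token bucket in
 * which credit is kept as nanoseconds in a 64-bit counter.  A packet costs
 * nsecs/rate of credit, a byte-limited packet costs nsecs*len/rate, and
 * burst adds room for that many extra units above the steady-state rate. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_SEC 1000000000ULL

struct tb_limit {
	uint64_t last;       /* timestamp (ns) of the previous evaluation */
	uint64_t tokens;     /* unspent credit, in ns */
	uint64_t tokens_max; /* capacity, in ns: one full period plus burst */
	uint64_t rate;       /* units (packets or bytes) allowed per period */
	uint64_t nsecs;      /* period length, in ns */
	uint64_t burst;      /* extra units allowed above the rate */
};

/* Credit consumed by `units` units.  Multiply before dividing so the
 * per-byte cost keeps its precision; saturate instead of wrapping when the
 * product overflows 64 bits, since a wrapped cost would admit a huge packet
 * almost for free. */
static uint64_t tb_cost(const struct tb_limit *l, uint64_t units)
{
	if (units != 0 && l->nsecs > UINT64_MAX / units)
		return UINT64_MAX;
	return (l->nsecs * units) / l->rate;
}

/* Configure `rate` units per `unit_secs` seconds plus `burst` extra units.
 * Returns false on a zero rate/unit or on 64-bit overflow of the period. */
static bool tb_init(struct tb_limit *l, uint64_t rate, uint64_t unit_secs,
		    uint64_t burst, uint64_t now_ns)
{
	uint64_t extra;

	if (rate == 0 || unit_secs == 0)
		return false;
	l->nsecs = unit_secs * NSEC_PER_SEC;
	if (l->nsecs / NSEC_PER_SEC != unit_secs) /* multiplication wrapped */
		return false;
	l->rate = rate;
	l->burst = burst;
	extra = tb_cost(l, burst);
	if (extra == UINT64_MAX || l->nsecs + extra < l->nsecs)
		return false;
	l->tokens = l->tokens_max = l->nsecs + extra; /* start with a full bucket */
	l->last = now_ns;
	return true;
}

/* Charge `units` (1 for per-packet limiting, the packet length for per-byte
 * limiting) at time `now_ns`.  Returns true when the packet exceeds the
 * limit.  Credit refilled by elapsed time is kept even when the packet is
 * rejected, so a run of rejections does not starve later traffic. */
static bool tb_over_limit(struct tb_limit *l, uint64_t units, uint64_t now_ns)
{
	uint64_t elapsed = now_ns >= l->last ? now_ns - l->last : 0;
	uint64_t tokens = l->tokens + elapsed;
	uint64_t cost = tb_cost(l, units);

	if (tokens > l->tokens_max || tokens < l->tokens) /* cap, guard wrap */
		tokens = l->tokens_max;
	l->last = now_ns;
	if (tokens >= cost) {
		l->tokens = tokens - cost;
		return false;
	}
	l->tokens = tokens;
	return true;
}

/* How many of `n` packets of `units` each, all arriving at `now_ns`, pass. */
static int tb_admit(struct tb_limit *l, int n, uint64_t units, uint64_t now_ns)
{
	int passed = 0;

	for (int i = 0; i < n; i++)
		if (!tb_over_limit(l, units, now_ns))
			passed++;
	return passed;
}

int main(void)
{
	struct tb_limit pkt, bytes;

	tb_init(&pkt, 10, 1, 5, 0);             /* 10 packets/second, burst 5 */
	printf("burst of 20 at t=0: %d admitted\n", tb_admit(&pkt, 20, 1, 0));
	printf("one more at t=0.1s: %s\n",
	       tb_over_limit(&pkt, 1, 100000000ULL) ? "over limit" : "admitted");

	tb_init(&bytes, 1000, 1, 0, 0);         /* 1000 bytes/second, no burst */
	printf("500-byte packets at t=0: %d admitted\n", tb_admit(&bytes, 3, 500, 0));
	return 0;
}
```

The two overflow checks are the caveat a reviewer would look for in any limiter of this shape: the period is a seconds-to-nanoseconds multiplication and the per-byte cost is a nanoseconds-times-length multiplication, and both wrap in 64 bits for large enough configured values, so the model rejects the configuration or saturates the cost rather than letting a wrapped value grant credit.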
Re: [PATCH 00/15] Netfilter updates for net-next
From: Pablo Neira Ayuso <pa...@netfilter.org>
Date: Fri, 21 Aug 2015 06:32:29 +0200

> This second pull request includes the conflict resolution patch that
> resulted from the updates that we got for the conntrack template through
> kmalloc. No changes with regards to the previously sent 15 patches.
 ...
> You can pull these changes from:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

This looks better, pulled, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Re: [PATCH 00/15] Netfilter updates for net-next
From: Pablo Neira Ayuso <pa...@netfilter.org>
Date: Wed, 19 Aug 2015 21:18:16 +0200

> The following patchset contains Netfilter updates for your net-next
> tree, they are:

This doesn't pull cleanly, I get a couple of conflicts:

[davem@localhost net-next]$ git pull --no-ff git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
remote: Counting objects: 195, done.
remote: Compressing objects: 100% (195/195), done.
remote: Total 195 (delta 121), reused 0 (delta 0)
Receiving objects: 100% (195/195), 211.81 KiB | 0 bytes/s, done.
Resolving deltas: 100% (121/121), done.
From git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
 * branch            HEAD       -> FETCH_HEAD
Auto-merging net/netfilter/xt_CT.c
CONFLICT (content): Merge conflict in net/netfilter/xt_CT.c
Auto-merging net/netfilter/nf_synproxy_core.c
CONFLICT (content): Merge conflict in net/netfilter/nf_synproxy_core.c
Auto-merging net/netfilter/nf_conntrack_core.c
CONFLICT (content): Merge conflict in net/netfilter/nf_conntrack_core.c
Automatic merge failed; fix conflicts and then commit the result.

Please fix this up and resubmit your pull request, thanks!
[PATCH 00/15] Netfilter updates for net-next
Hi David,

The following patchset contains Netfilter updates for your net-next tree, they are:

1) Rework the existing nf_tables counter expression to make it per-cpu.

2) Prepare and factor out common packet duplication code from the TEE target so it can be reused from the new dup expression.

3) Add the new dup expression for the nf_tables IPv4 and IPv6 families.

4) Convert the nf_tables limit expression to use a token-based approach with 64-bits precision.

5) Enhance the nf_tables limit expression to support limiting at packet byte. This comes after several preparation patches.

6) Add a burst parameter to indicate the amount of packets or bytes that can exceed the limiting.

7) Add netns support to nfacct, from Andreas Schultz.

8) Pass the nf_conn_zone structure instead of the zone ID in nf_tables to allow accessing more zone specific information, from Daniel Borkmann.

9) Allow to define zone per-direction to support netns containers with overlapping network addressing, also from Daniel.

10) Extend the CT target to allow setting the zone based on the skb->mark as a way to support simple mappings from iptables, also from Daniel.

11) Make the nf_tables payload expression aware of the fact that VLAN offload may have removed a vlan header, from Florian Westphal.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Thanks!
The following changes since commit d92cff89a0c80e7e49796366e441d97f07b5d321:

  net_dbg_ratelimited: turn into no-op when !DEBUG (2015-08-06 23:51:30 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master

for you to fetch changes up to 8cfd23e6740158817d2045915f6ea5a2daf11bce:

  netfilter: nft_payload: work around vlan header stripping (2015-08-19 08:39:53 +0200)

Andreas Schultz (1):
      netfilter: nfacct: per network namespace support

Daniel Borkmann (3):
      netfilter: nf_conntrack: push zone object into functions
      netfilter: nf_conntrack: add direction support for zones
      netfilter: nf_conntrack: add efficient mark to zone mapping

Florian Westphal (1):
      netfilter: nft_payload: work around vlan header stripping

Pablo Neira Ayuso (10):
      netfilter: nft_counter: convert it to use per-cpu counters
      netfilter: xt_TEE: get rid of WITH_CONNTRACK definition
      netfilter: factor out packet duplication for IPv4/IPv6
      netfilter: nf_tables: add nft_dup expression
      netfilter: nft_limit: rename to nft_limit_pkts
      netfilter: nft_limit: convert to token-based limiting at nanosecond granularity
      netfilter: nft_limit: factor out shared code with per-byte limiting
      netfilter: nft_limit: add burst parameter
      netfilter: nft_limit: constant token cost per packet
      netfilter: nft_limit: add per-byte limiting

 include/linux/netfilter/nfnetlink_acct.h           |   3 +-
 include/net/net_namespace.h                        |   3 +
 include/net/netfilter/ipv4/nf_dup_ipv4.h           |   7 +
 include/net/netfilter/ipv6/nf_dup_ipv6.h           |   7 +
 include/net/netfilter/nf_conntrack.h               |  10 +-
 include/net/netfilter/nf_conntrack_core.h          |   3 +-
 include/net/netfilter/nf_conntrack_expect.h        |  11 +-
 include/net/netfilter/nf_conntrack_zones.h         |  99 -
 include/net/netfilter/nft_dup.h                    |   9 +
 include/uapi/linux/netfilter/nf_tables.h           |  23 ++
 include/uapi/linux/netfilter/nfnetlink_conntrack.h |   1 +
 include/uapi/linux/netfilter/xt_CT.h               |   8 +-
 net/ipv4/netfilter/Kconfig                         |  12 ++
 net/ipv4/netfilter/Makefile                        |   3 +
 net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c     |   2 +-
 net/ipv4/netfilter/nf_conntrack_proto_icmp.c       |   4 +-
 net/ipv4/netfilter/nf_defrag_ipv4.c                |  17 +-
 net/ipv4/netfilter/nf_dup_ipv4.c                   | 120 +++
 net/ipv4/netfilter/nft_dup_ipv4.c                  | 110 ++
 net/ipv6/netfilter/Kconfig                         |  12 ++
 net/ipv6/netfilter/Makefile                        |   3 +
 net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c     |   2 +-
 net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c     |   5 +-
 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c          |  18 +-
 net/ipv6/netfilter/nf_dup_ipv6.c                   |  96 +
 net/ipv6/netfilter/nft_dup_ipv6.c                  | 108 ++
 net/netfilter/Kconfig                              |   2 +
 net/netfilter/ipvs/ip_vs_nfct.c                    |   2 +-
 net/netfilter/nf_conntrack_core.c                  | 134 ++--
 net/netfilter/nf_conntrack_expect.c                |  21 +-
 net/netfilter/nf_conntrack_netlink.c               | 228 ++--