Patrick McHardy wrote:
> Alexey Dobriyan wrote:
>> Make nfnl socket per-netns.
>
> Applied, thanks.
While merging the nf-next tree with the changes from net-next I noticed
that this patch allows any namespace to send configurations and verdicts
to nfnetlink_{log,queue}. It seems
Alexey Dobriyan wrote:
Applied, thanks.
___
Containers mailing list
contain...@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
___
Devel mailing list
Devel@openvz.org
jamal wrote:
> On Thu, 2010-01-14 at 16:37 +0100, Patrick McHardy wrote:
>> jamal wrote:
>
>>> Agreed that this would be a main driver of such a feature.
>>> Which means that you need zones (or whatever noun other people use) to
>>> work on not just
ments inline:
>
> On Thu, 2010-01-14 at 15:05 +0100, Patrick McHardy wrote:
>> The attached largish patch adds support for "conntrack zones",
>> which are virtual conntrack tables that can be used to separate
>> connections from different zones, allowing to handle mu
ould be quite small, it's mainly the extra argument
passing and an occasional extra comparison. Code size increase with
all netfilter options enabled on x86_64 is 152 bytes.
Any comments welcome.
commit 7f68e7aa55f9e1f9dfd647b60dace4149f27ae1f
Author: Patrick McHardy
Date: Thu Jan 14 13:51:06 20
Alexey Dobriyan wrote:
Also applied, thanks.
Alexey Dobriyan wrote:
> Make nfnl socket per-netns.
Applied, thanks.
Alexey Dobriyan wrote:
> On Wed, Jan 13, 2010 at 02:42:00PM +0100, Patrick McHardy wrote:
>> Alexey Dobriyan wrote:
>>> On Wed, Jan 13, 2010 at 02:27:08PM +0100, Patrick McHardy wrote:
>>>> Alexey Dobriyan wrote:
>>>>> On Wed, Jan 13, 2010 at 02:02:33P
Alexey Dobriyan wrote:
> On Wed, Jan 13, 2010 at 02:27:08PM +0100, Patrick McHardy wrote:
>> Alexey Dobriyan wrote:
>>> On Wed, Jan 13, 2010 at 02:02:33PM +0100, Patrick McHardy wrote:
>>>> Alexey Dobriyan wrote:
>>>>> + struct sock *nfnl
Alexey Dobriyan wrote:
> On Wed, Jan 13, 2010 at 02:02:33PM +0100, Patrick McHardy wrote:
>> Alexey Dobriyan wrote:
>
>>> + struct sock *nfnl;
>>> + struct sock *nfnl_stash;
>> Shouldn't this be contained in an ifdef(CONFIG_
Alexey Dobriyan wrote:
> Make nfnetlink socket per-netns.
>
> --- a/include/net/net_namespace.h
> +++ b/include/net/net_namespace.h
> @@ -81,6 +81,8 @@ struct net {
> #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
> struct netns_ct ct;
> #endif
> + stru
Alexey Dobriyan wrote:
> Allow conntrack program to operate correctly in netns.
> Note: passing events is not done in this patch.
Why not? It seems like a small change and without this the netns
support will still be incomplete.
Alexey Dobriyan wrote:
Applied, thanks.
Alexey Dobriyan wrote:
Also applied, thanks.
Alexey Dobriyan wrote:
Applied, thanks.
Alexey Dobriyan wrote:
Applied, thanks.
Alexey Dobriyan wrote:
> Now that ebt_unregister_table() can be called during netns stop, and module
> pinning scheme can't prevent netns stop, do table cleanup by hand.
>
Applied, thanks.
Alexey Dobriyan wrote:
> * return ebt_table from ebt_register_table(), module code will save it into
> per-netns data for unregistration
> * duplicate ebt_table at the very beginning of registration -- it's added into
> list, so one ebt_table wouldn't end up in many lists (and each netns has
>
Alexey Dobriyan wrote:
> * propagate netns from userspace, register table in passed netns
> * temporarily register every ebt_table in init_net
>
> P. S.: one needs to add ".netns_ok = 1" to igmp_protocol to test with
> ebtables(8) in netns.
Applied, thanks.
Alexey Dobriyan wrote:
> * propagate netns from userspace, register table in passed netns
> * temporarily register every ebt_table in init_net
>
> P. S.: one needs to add ".netns_ok = 1" to igmp_protocol to test with
> ebtables(8) in netns.
The containers list address bounces and the netfilter ad
Alexey Dobriyan wrote:
> On Wed, Oct 15, 2008 at 08:20:14AM +0400, Alexey Dobriyan wrote:
>> One needs to add ".netns_ok = 1" to igmp_protocol to test all of this
>> with ebtables() in netns.
>
> Contains 80-column violations, I forgot about damn script again :^)
Apart from the minor comment abou
se you would like to add
an ACK).
commit c985d88e7ae4f45d50cca80033429c7270a8c185
Author: Patrick McHardy <[EMAIL PROTECTED]>
Date: Thu Oct 16 13:14:26 2008 +0200
netfilter: netns: use NFPROTO_NUMPROTO instead of NUMPROTO for tables array
The netfilter families have b
Ingo Molnar wrote:
> * Patrick McHardy <[EMAIL PROTECTED]> wrote:
>
>> Ingo Molnar wrote:
>>> I think you misunderstood my report. This is about latest upstream -git
>>> being broken:
>>>
>>> ERROR: "ebt_register_table" [n
Ingo Molnar wrote:
I think you misunderstood my report. This is about latest upstream -git
being broken:
ERROR: "ebt_register_table" [net/bridge/netfilter/ebtable_filter.ko] undefined!
ERROR: "ebt_do_table" [net/bridge/netfilter/ebtable_filter.ko] undefined!
ERROR: "ebt_unregister_table" [net/b
Alexey Dobriyan wrote:
> On Thu, Oct 02, 2008 at 11:12:08AM +0200, Patrick McHardy wrote:
>
>> Is there an easy way to test all this stuff?
>>
>
> I used the following:
>
> 0) netns is currently mutually exclusive with sysfs, so depending on
> sanity of
Alexey Dobriyan wrote:
> From kernel perspective, allow entrance in nf_hook_slow().
>
> Stuff which uses nf_register_hook/nf_register_hooks, but otherwise not
> netns-ready:
>
> DECnet netfilter
> ipt_CLUSTERIP
> nf_nat_standalone.c together with XFRM (?)
> IPVS
> se
Alexey Dobriyan wrote:
Applied.
Alexey Dobriyan wrote:
Applied.
Alexey Dobriyan wrote:
> Same story as with iptable_filter, iptables_raw tables.
Applied.
Alexey Dobriyan wrote:
Applied.
Alexey Dobriyan wrote:
> First, allow entry in notifier hook.
> Second, start conntrack cleanup in netns to which netdevice belongs.
Applied.
Alexey Dobriyan wrote:
> Same story as with iptable_filter, iptables_raw tables.
>
Applied.
Alexey Dobriyan wrote:
Applied.
Alexey Dobriyan wrote:
> * make keymap list per-netns
> * per-netns keymap lock (not strictly necessary)
> * flush keymap at netns stop and module unload.
Applied.
Alexey Dobriyan wrote:
Applied.
Alexey Dobriyan wrote:
Applied.
Alexey Dobriyan wrote:
> Add init_net checks to not remove kmem_caches twice and so on.
>
> Refactor functions to split code which should be executed only for
> init_net into one place.
>
> ip_ct_attach and ip_ct_destroy assignments remain separate, because
> they're separate stages in setup and te
Alexey Dobriyan wrote:
> Show correct conntrack count, while I'm at it.
Applied.
Alexey Dobriyan wrote:
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
> ---
>
> include/net/netfilter/nf_conntrack_acct.h | 10 +--
> include/net/netns/conntrack.h |2
> net/netfilter/nf_conntrack_acct.c | 100
> +-
> net/netfilter/nf_
Alexey Dobriyan wrote:
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
> ---
>
> include/net/netfilter/nf_conntrack.h |1 -
> include/net/netns/conntrack.h |1 +
> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |2 +-
> net/ipv4/netfilter/nf_conntrack_pr
Alexey Dobriyan wrote:
> Note, sysctl table is always duplicated, this is simpler and less
> special-cased.
>
>
Applied.
Alexey Dobriyan wrote:
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
> ---
>
> include/net/netfilter/nf_conntrack_l4proto.h | 15 +++
> include/net/netns/conntrack.h |1 +
> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |2 +-
> net/ipv4/netfilter/n
Alexey Dobriyan wrote:
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
> ---
>
> include/net/netfilter/nf_conntrack.h |8 +-
> include/net/netns/conntrack.h |1
> net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c |4 -
> net/netfilter/
Alexey Dobriyan wrote:
> Ping!
>
> I've just sent patch which adds init_net checks in somewhat nicer way.
Thanks.
> Please, review and apply the rest.
I'll do that this week during the netfilter workshop.
Alexey Dobriyan wrote:
> On Tue, Sep 09, 2008 at 09:20:42AM +0200, Patrick McHardy wrote:
>> Having multiple of these net_eq checks per function (14 total) is
>> not a very nice way to do this.
>
> Yep, I was just afraid of some subtle ordering rules and to keep
> potent
Alexey Dobriyan wrote:
> Add checks for init_net to not create kmem caches twice and so on.
>
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
>
> diff --git a/net/netfilter/nf_conntrack_core.c
> b/net/netfilter/nf_conntrack_core.c
> index b55944e..52d0663 100644
> --- a/net/netfilter/nf_con
Patrick McHardy wrote:
> Alexey Dobriyan wrote:
>> On Tue, Sep 09, 2008 at 08:12:27AM +0200, Patrick McHardy wrote:
>>> Alexey Dobriyan wrote:
>>>> Heh, last minute proof-reading of this patch made me think,
>>>> that this is actually unneeded, simply be
Alexey Dobriyan wrote:
> On Tue, Sep 09, 2008 at 07:49:34AM +0200, Patrick McHardy wrote:
>>> @@ -406,7 +404,7 @@ int nf_ct_expect_related(struct nf_conntrack_expect
>>> *expect)
>>> }
>>> }
>>> - if (nf_ct_expect_count >= n
Alexey Dobriyan wrote:
> On Tue, Sep 09, 2008 at 08:12:27AM +0200, Patrick McHardy wrote:
>> Alexey Dobriyan wrote:
>>> Heh, last minute proof-reading of this patch made me think,
>>> that this is actually unneeded, simply because "ct" pointers will be
>
Alexey Dobriyan wrote:
> Heh, last minute proof-reading of this patch made me think,
> that this is actually unneeded, simply because "ct" pointers will be
> different for different conntracks in different netns, just like they
> are different in one netns.
>
> Not so sure anymore.
It's necessary
Alexey Dobriyan wrote:
> This is cleaner, we already know conntrack to which event is relevant.
Applied, thanks.
Alexey Dobriyan wrote:
Applied, thanks.
Alexey Dobriyan wrote:
> Conntrack code will use it for
> a) removing expectations and helpers when corresponding module is removed, and
> b) removing conntracks when L3 protocol conntrack module is removed.
Applied, thanks.
Alexey Dobriyan wrote:
Applied, thanks.
Alexey Dobriyan wrote:
Applied, thanks.
Alexey Dobriyan wrote:
Applied, thanks.
Alexey Dobriyan wrote:
Applied, thanks.
Alexey Dobriyan wrote:
> Again, it's deducible from skb, but we're going to use it for
> nf_conntrack_checksum and statistics, so just pass it from upper layer.
Applied, thanks.
Alexey Dobriyan wrote:
> It's deducible from skb->dev or skb->dst->dev, but we know netns at
> the moment of call, so pass it down and use for finding and creating
> conntracks.
Applied, thanks.
Alexey Dobriyan wrote:
> What is confirmed connection in one netns can very well be unconfirmed
> in another one.
Applied, thanks.
Alexey Dobriyan wrote:
> Make per-netns a) expectation hash and b) expectations count.
>
> Expectations always belong to the netns to which their master conntrack belongs.
> This is natural and doesn't bloat expectation.
>
> Proc files and leaf users are stubbed to init_net, this is temporary.
Looks
Alexey Dobriyan wrote:
> Take netns from skb->dst->dev. It should be safe because, they are called
> from LOCAL_OUT hook where dst is valid (though, I'm not exactly sure about
> IPVS and queueing packets to userspace).
It's safe in all cases since they already expect to only get
called when skb->ds
Alexey Dobriyan wrote:
> It does "kfree(list_head)" which looks wrong because entity that was
> allocated is definitely not list_head.
>
> However, this all works because list_head is first item in
> struct nf_ct_gre_keymap .
The first three patches are already in Linus' tree.
Jan Engelhardt wrote:
> On Friday 2008-09-05 08:25, Patrick McHardy wrote:
>>>> I hope so :) A different possibility suggested by Pablo some time ago
>>>> would be to mark untracked packets in skb->nfctinfo and not
>>>> attach a conntrack at all.
>>&g
Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>>>> I think you could avoid this mess by using a struct nf_conntrack
>>>> for the untracked conntrack instead of struct nf_conn. It shouldn't
>>>> make any difference since it's ignored anyways.
Alexey Dobriyan wrote:
> On Thu, Sep 04, 2008 at 06:54:16PM +0200, Patrick McHardy wrote:
>> [EMAIL PROTECTED] wrote:
>>> Make untracked conntrack per-netns. Compare conntracks with relevant
>>> untracked one.
>>>
>>> The following code you'll sta
Alexey Dobriyan wrote:
> On Thu, Sep 04, 2008 at 06:58:38PM +0200, Patrick McHardy wrote:
>> [EMAIL PROTECTED] wrote:
>>> static inline void
>>> -nf_conntrack_event_cache(enum ip_conntrack_events event,
>>> +nf_conntrack_event_cache(struct net
[EMAIL PROTECTED] wrote:
> Note, sysctl table is always duplicated, this is simpler, less special-cased,
> less mistakes (and did one mistake in first version of this patch).
This also doesn't explain what the patch is doing at all.
[EMAIL PROTECTED] wrote:
> static inline void
> -nf_conntrack_event_cache(enum ip_conntrack_events event,
> +nf_conntrack_event_cache(struct net *net, enum ip_conntrack_events event,
>const struct sk_buff *skb)
> {
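Review bot: the new `struct net *net` parameter duplicates information the caller already holds; the event being cached belongs to one specific conntrack, and the netns-pointer patch in this series gives every conntrack a write-once `->ct_net`, so the function could take the `struct nf_conn *` and derive `net` from it rather than growing the signature with both `net` and `skb`. The later follow-up ("This is cleaner, we already know conntrack to which event is relevant") is the shape this should take.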
Passing the conntrack instead of the struct net and the s
[EMAIL PROTECTED] wrote:
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
Changelog please, I was wondering whether this was a resend
of the last one.
[EMAIL PROTECTED] wrote:
> Make untracked conntrack per-netns. Compare conntracks with relevant
> untracked one.
>
> You'll start laughing at the following code:
>
> if (ct == ct->ct_net->ct.untracked)
> ...
>
> let me remind you that ->ct_net is set in only one pla
[EMAIL PROTECTED] wrote:
> Make per-netns expectation hash and expectation count.
>
> Expectation always belongs to netns to which its master conntrack belongs.
> This is natural and allows to not bloat expectations.
>
> Proc files and leaf users in protocol modules are stubbed to init_net,
> th
[EMAIL PROTECTED] wrote:
> What is unconfirmed connection in one netns can very well be confirmed
> in another.
>
> @@ -10,5 +11,6 @@ struct netns_ct {
> unsigned intexpect_count;
> struct hlist_head *expect_hash;
> int expect_vmalloc;
> +
[EMAIL PROTECTED] wrote:
> * make per-netns conntrack hash
>
> Other solution is to add ->ct_net pointer to tuplehashes and still has one
> hash, I tried that, it's ugly and requires more code deep down in protocol
> modules et al.
>
> * propagate netns pointer to where needed, e. g. to conn
[EMAIL PROTECTED] wrote:
> Sysctls and proc files are stubbed to init_net's one. This is temporary.
Applied, thanks.
[EMAIL PROTECTED] wrote:
> Conntrack (struct nf_conn) gets pointer to netns: ->ct_net -- netns in which
> it was created. It comes from netdevice.
>
> ->ct_net is write-once field.
>
> Every conntrack in system has ->ct_net initialized, no exceptions.
>
> ->ct_net doesn't pin netns: conntracks a
[EMAIL PROTECTED] wrote:
> ip_route_me_harder() is called on output codepaths:
> 1) IPVS: honestly, not sure, looks like it can be called during forwarding
> 2) IPv4 REJECT: refreshing comment re skb->dst is valid and assignment of
> skb->dst right before call :^)
> 3) NAT: called in LOCAL_OUT ho
[EMAIL PROTECTED] wrote:
> One comment: #ifdefs around #include is necessary to overcome amazing compile
> breakages in NOTRACK-in-netns patch (see below).
I guess that's because of the net/netfilter/nf_conntrack.h inclusion.
We should fix that, it's spreading to too many places.
Anyways, applied.
[EMAIL PROTECTED] wrote:
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
Applied, thanks.
> @@ -108,7 +120,7 @@ ip6t_local_hook(unsigned int hook,
> /* flowlabel and prio (includes version, which shouldn't change either
> */
> flowlabel = *((u_int32_t *)ipv6_hdr(skb));
>
> -
[EMAIL PROTECTED] wrote:
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
Applied, thanks.
[EMAIL PROTECTED] wrote:
> Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
Applied, thanks.
[EMAIL PROTECTED] wrote:
> Now that dev_net() exists, the usefulness of them is even less. Also they're
> a big problem in resolving circular header dependencies necessary for
> NOTRACK-in-netns patch. See below.
Applied, thanks.
Alexey Dobriyan wrote:
On Mon, Jun 16, 2008 at 01:16:00PM +0200, Patrick McHardy wrote:
Alexey Dobriyan wrote:
On Mon, Jun 16, 2008 at 12:26:03PM +0200, Patrick McHardy wrote:
By the way, is there already work done for conntrack/NAT namespace
support? I have this patch that uses marks for
Pavel Emelyanov wrote:
Patrick McHardy wrote:
Alexey Dobriyan wrote:
On Mon, Jun 16, 2008 at 12:26:03PM +0200, Patrick McHardy wrote:
By the way, is there already work done for conntrack/NAT namespace
support? I have this patch that uses marks for something very similar
that should be easy to
Alexey Dobriyan wrote:
On Mon, Jun 16, 2008 at 12:26:03PM +0200, Patrick McHardy wrote:
By the way, is there already work done for conntrack/NAT namespace
support? I have this patch that uses marks for something very similar
that should be easy to adjust.
Yes, right now I'm fig
Patrick McHardy wrote:
Alexey Dobriyan wrote:
Hi,
Den basically banned iptables in netns via this patch
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
...
, however, at least some of netfilter pieces are ready for usage in netns
and it would be nice to unlock them before release.
If
Alexey Dobriyan wrote:
Hi,
Den basically banned iptables in netns via this patch
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
...
, however, at least some of netfilter pieces are ready for usage in netns
and it would be nice to unlock them before release.
If I'm deciphering changelog
Alexey Dobriyan wrote:
Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
---
net/netfilter/nf_conntrack_expect.c |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
Applied, thanks Alexey. I'll also push this to -stable.
Pavel Emelyanov wrote:
>>> for_each_net(net) {
>>> -restart:
>>> - for_each_netdev_safe(net, dev, n) {
>>> - if (dev->rtnl_link_ops == ops) {
>>> - ops->dellink(dev);
>>> - goto restart;
>>> - }
>>
d during testing vlan netnsization patchset.
Signed-off-by: Pavel Emelyanov <[EMAIL PROTECTED]>
Good catch, thanks.
Acked-by: Patrick McHardy <[EMAIL PROTECTED]>
Pavel Emelyanov wrote:
This may lead to situations, when each of two proc entries produce
data for the other's device.
Looks like a BUG, so this patch is for net-2.6. It will not apply
to net-2.6.26 since dev->nd_net access is replaced with dev_net(dev)
one. Should I rework the patch to fit 2.
Alexey Dobriyan wrote:
Commit 9335f047fe61587ec82ff12fbb1220bcfdd32006 aka
"[NETFILTER]: ip_tables: per-netns FILTER, MANGLE, RAW"
added per-netns _view_ of iptables rules. They were shown to user, but
ignored by filtering code. Now that it's possible to at least ping loopback,
per-netns tables c
Pavel Emelyanov wrote:
Patrick McHardy wrote:
Pavel Emelyanov wrote:
Patrick McHardy wrote:
It would be nicer to replace the entire hand-made name
allocation to remove the 100 device limit.
Actually, I thought the same, but fixing % in names looks like a
BUG-fix for 2.6.25, while removing
Pavel Emelyanov wrote:
Patrick McHardy wrote:
It would be nicer to replace the entire hand-made name
allocation to remove the 100 device limit.
Actually, I thought the same, but fixing % in names looks like a
BUG-fix for 2.6.25, while removing the hand-made name allocation
looks like an
Pavel Emelyanov wrote:
Four tunnel drivers (ip_gre, ipip, ip6_tunnel and sit) can
receive a pre-defined name for a device from the userspace.
Since these drivers call the register_netdevice() after this
(rtnl_lock is held), the device's name may contain a '%'
character.
Not sure how bad is th
Denis V. Lunev wrote:
They do exactly the same job.
Signed-off-by: Denis V. Lunev <[EMAIL PROTECTED]>
---
net/ipv4/netfilter/ipt_MASQUERADE.c | 14 ++
1 files changed, 2 insertions(+), 12 deletions(-)
Looks fine.
Alexey Dobriyan wrote:
Propagate netns together with AF down to ->start/->next/->stop
iterators. Choose table based on netns and AF for showing.
Applied.
Alexey Dobriyan wrote:
Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
---
include/linux/netfilter/x_tables.h |4 ++--
net/ipv4/netfilter/arp_tables.c| 21 ++---
net/ipv4/netfilter/ip_tables.c | 21 ++---
net/ipv6/netfilter/ip6_tables.c|
Alexey Dobriyan wrote:
Argh, there are many small but still wrong things with /proc/net/*_tables_*
so I decided to do overhaul simultaneously making it more suitable for
per-netns /proc/net/*_tables_* implementation.
Fix
a) xt_get_idx() duplicating now standard seq_list_start/seq_list_next
it
Alexey Dobriyan wrote:
When number of entries exceeds number of initial entries, foo-tables code
will pin table module. But during table unregister on netns stop,
that additional pin was forgotten.
Applied, thanks.