Re: [PATCH 8/7] net/netfilter/nf_conntrack_core: Remove another memory barrier

2016-09-02 Thread Peter Zijlstra
On Fri, Sep 02, 2016 at 08:35:55AM +0200, Manfred Spraul wrote: > On 09/01/2016 06:41 PM, Peter Zijlstra wrote: > >On Thu, Sep 01, 2016 at 04:30:39PM +0100, Will Deacon wrote: > >>On Thu, Sep 01, 2016 at 05:27:52PM +0200, Manfred Spraul wrote: > >>>Since spin_unlock_wait() is defined as equivalent

Re: [PATCH nf] netfilter: nf_tables_trace: fix endianness when dumping chain policy

2016-09-02 Thread Florian Westphal
Liping Zhang wrote: > From: Liping Zhang > > NFTA_TRACE_POLICY attribute is big endian, but we forgot to call > htonl to convert it. Fortunately, this attribute is parsed as big > endian in libnftnl. It is however handled as u16, not u32. Care

[PATCH v2 libnftnl] expr: numgen: Rename until attribute by modulus

2016-09-02 Thread Laura Garcia Liebana
The _modulus_ attribute will be reused as _until_, as it's similar to other expressions with value limits (ex. hash). Renaming is possible according to the kernel module nft_numgen that has not been released yet. Signed-off-by: Laura Garcia Liebana --- Changes in V2: -

[PATCH v2] netfilter: nft_numgen: rename until attribute by modulus

2016-09-02 Thread Laura Garcia Liebana
The _until_ attribute is renamed to _modulus_ as the behaviour is similar to other expressions with number limits (ex. nft_hash). Renaming is possible because there isn't a kernel release yet with these changes. Signed-off-by: Laura Garcia Liebana --- Changes in V2: -

Re: [PATCH libnftnl] trace: use get_u32 to parse NFPROTO and POLICY attribute

2016-09-02 Thread Florian Westphal
Liping Zhang wrote: > From: Liping Zhang > > NFTA_TRACE_NFPROTO and NFTA_TRACE_POLICY attribute is 32-bit > value, so we should use mnl_attr_get_u32 and htonl here. Applied, thanks.

[PATCH nf] netfilter: nf_tables_trace: fix endianness when dumping chain policy

2016-09-02 Thread Liping Zhang
From: Liping Zhang NFTA_TRACE_POLICY attribute is big endian, but we forgot to call htonl to convert it. Fortunately, this attribute is parsed as big endian in libnftnl. Signed-off-by: Liping Zhang --- net/netfilter/nf_tables_trace.c |

[PATCH iptables] extensions: libip6t_SNAT/DNAT: add square bracket in xlat output when port is specified

2016-09-02 Thread Liping Zhang
From: Liping Zhang It is better to add square brackets to the ip6 address in the nft translation output when the port is specified. This keeps it consistent with the nft syntax. Before this patch: # ip6tables-translate -t nat -A OUTPUT -p tcp -j DNAT --to-destination \

[PATCH libnftnl] include: resync nf_tables.h cache copy

2016-09-02 Thread Pablo Neira Ayuso
Sync this with the kernel header file we currently have in tree. This patch addresses the compilation warning and breakage as a result of this header update, specifically the "attibute" typo in trace and the missing default case in expr/numgen.c. Signed-off-by: Pablo Neira Ayuso

Re: nfqueue & bridge netfilter considered broken

2016-09-02 Thread Pablo Neira Ayuso
On Fri, Sep 02, 2016 at 11:08:48AM +0200, Florian Westphal wrote: > I - discard extra nfct entry when cloning. Works, but obviously not > compatible in any way (the clones are INVALID). This approach is simple and it would only break when packets are flooded to all ports, actually this is not

Re: [PATCH] netfilter: nft_numgen: add counter offset value and rename until by modulus

2016-09-02 Thread Pablo Neira Ayuso
On Fri, Sep 02, 2016 at 10:39:37AM +0200, Laura Garcia Liebana wrote: > Add support for an initialization counter value. With this option the > sysadmin is able to start the counter when used with the increment > type. > > Example: > > meta mark set numgen inc mod 2 sum 100 > > This will

nfqueue & bridge netfilter considered broken

2016-09-02 Thread Florian Westphal
Hi. This is a note to summarize state of bridge + br_netfilter + nfqueue. TL;DR: I am giving up. I see no way to fix this in a sane fashion. What I tried: I - discard extra nfct entry when cloning. Works, but obviously not compatible in any way (the clones are INVALID). II - add locking

[PATCH] netfilter: nft_numgen: add counter offset value and rename until by modulus

2016-09-02 Thread Laura Garcia Liebana
Add support for an initialization counter value. With this option the sysadmin is able to start the counter when used with the increment type. Example: meta mark set numgen inc mod 2 sum 100 This will generate marks with the series 100, 101, 100, 101, ... The _until_ attribute is

Re: [PATCH v2 1/2 nf] netfilter: seqadj: Fix one possible panic in seqadj when mem is exhausted

2016-09-02 Thread Gao Feng
Hi Florian, On Fri, Sep 2, 2016 at 2:59 PM, Florian Westphal wrote: > f...@ikuai8.com wrote: >> From: Gao Feng >> >> When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj >> extension. But the function nf_ct_seqadj_init

Re: [PATCH v2 1/2 nf] netfilter: seqadj: Fix one possible panic in seqadj when mem is exhausted

2016-09-02 Thread Florian Westphal
f...@ikuai8.com wrote: > From: Gao Feng > > When memory is exhausted, nfct_seqadj_ext_add may fail to add the seqadj > extension. But the function nf_ct_seqadj_init doesn't check whether it gets a valid > seqadj pointer from nfct_seqadj, while other functions perform

Re: [PATCH 2/2 nf-next] netfilter: seqadj: print a warning log when adding the seqadj extension fails

2016-09-02 Thread Florian Westphal
f...@ikuai8.com wrote: > From: Gao Feng > > Print a warning log when adding the seqadj extension fails, like > nf_ct_acct_ext_add does. It could be helpful to find the problem. Failure to add ext area means that we're pretty much completely out of memory. There

Re: [PATCH 8/7] net/netfilter/nf_conntrack_core: Remove another memory barrier

2016-09-02 Thread Manfred Spraul
On 09/01/2016 06:41 PM, Peter Zijlstra wrote: On Thu, Sep 01, 2016 at 04:30:39PM +0100, Will Deacon wrote: On Thu, Sep 01, 2016 at 05:27:52PM +0200, Manfred Spraul wrote: Since spin_unlock_wait() is defined as equivalent to spin_lock(); spin_unlock(), the memory barrier before