Minor nitpicks as I said, see below.
On Fri, Oct 28, 2016 at 10:42:09AM +0200, Davide Caratti wrote:
> modify registration and deregistration of layer-4 protocol trackers to
> facilitate inclusion of new elements into the current list of builtin
> protocols. Both builtin (TCP, UDP, ICMP) and non-b
Eric Dumazet wrote:
> On Tue, 2016-11-01 at 21:01 +0100, Florian Westphal wrote:
> > schedule_delayed_work(&gc_work->dwork, next_run);
>
>
> > @@ -993,6 +1029,7 @@ static void gc_worker(struct work_struct *work)
> > static void conntrack_gc_work_init(struct conntrack_gc_work *gc_work)
> >
From: "Anders K. Pedersen"
Introduces an nftables rt expression for routing related data with support
for nexthop (i.e. the directly connected IP address that an outgoing packet
is sent to), which can be used either for matching or accounting, eg.
# nft add rule filter postrouting \
ip
This patch adds notrack support.
I decided to add a new expression, given that this doesn't fit into the
existing set operation. Notrack doesn't need a source register, and a
hypothetical NFT_CT_NOTRACK key makes no sense since matching the
untracked state is done through NFT_CT_STATE.
I'm placi
Hi David,
The following patchset contains Netfilter updates for your net-next
tree. This includes better integration with the routing subsystem for
nf_tables, explicit notrack support and smaller updates. More
specifically, they are:
1) Add fib lookup expression for nf_tables, from Florian Westph
From: Florian Westphal
Add FIB expression, supported for ipv4, ipv6 and inet family (the latter
just dispatches to ipv4 or ipv6 one based on nfproto).
Currently supports fetching output interface index/name and the
rtm_type associated with an address.
This can be used for adding path filtering.
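As an added example (not part of either patch or of the nftables project's own documentation), the following ruleset shows how the rt and fib expressions described above fit together for path filtering and per-nexthop accounting. It assumes the nft userspace syntax for these expressions ("fib <keys> <result>" and "rt nexthop"), and the gateway addresses are constructed for the example:

```nft
# Added example; assumes nft userspace support for 'fib' and 'rt nexthop'.
# Load with: nft -f <file>

table inet filter {
    chain prerouting {
        type filter hook prerouting priority -300; policy accept;

        # Strict reverse-path check: look up the source address via the
        # input interface; if the FIB yields no output interface, the
        # packet could not have legitimately arrived on this interface.
        fib saddr . iif oif missing drop

        # Source address is one of this host's own addresses (rtm_type
        # local): a spoofed packet, drop it.
        fib saddr type local drop
    }
}

table ip filter {
    chain postrouting {
        type filter hook postrouting priority 0; policy accept;

        # Per-nexthop accounting; 192.0.2.1 and 192.0.2.2 are assumed
        # gateway addresses, constructed for the example.
        rt nexthop 192.0.2.1 counter
        rt nexthop 192.0.2.2 counter
    }
}
```

The fib rules sit at raw priority so spoofed packets are dropped before conntrack sees them; the rt rules are in an ip-family table since nexthop is address-family specific.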
From: Liping Zhang
Currently we start round robin from 1, but it's better to start round
robin from 0. This is to keep consistent with xt_statistic in iptables.
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_numgen.c | 2 +-
1 file changed, 1 insertion(+),
From: Liping Zhang
After calling nft_data_init, size is already validated and desc.len will
not exceed the sizeof(struct nft_data), i.e. 16 bytes. So it will never
exceed U8_MAX.
Furthermore, in nft_immediate_init, we forget to call nft_data_uninit
when desc.len exceeds U8_MAX, although this will n
Move layer 2 packet logging into nf_log_l2packet() that resides in
nf_log_common.c, so this can be shared by both bridge and netdev
families.
This patch adds the boiler plate code to register the netdev logging
family.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_log.h |
From: Florian Westphal
Currently not supported, we'd oops as skb was (or is) free'd elsewhere.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_core.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nf_tables_core.c b/net/netfilter
From: Liping Zhang
After supporting this, we can combine it with hash expression to emulate
the 'cluster match'.
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_meta.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/
From: Florian Westphal
As the comment indicates, the data at the end of nfqnl_instance struct is
written on every queue/dequeue, so it should reside in its own cacheline.
Before this change, 'lock' was in first cacheline so we dirtied both.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo
We need this split to reuse existing codebase for the upcoming nf_tables
socket expression.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_socket.h | 27
net/ipv4/netfilter/Kconfig | 6 +
net/ipv4/netfilter/Makefile | 2 +
net/ipv4/netfilter/nf_socket_
From: Calvin Owens
Since the code explicitly falls back to a smaller allocation when the
large one fails, we shouldn't complain when that happens.
Signed-off-by: Calvin Owens
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nfnetlink_log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(
From: Gao Feng
There are multiple equality condition checks in the original code, so it
is better to use a switch case instead of them.
Signed-off-by: Gao Feng
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/xt_multiport.c | 40 +---
1 file changed, 21 in
On Tue, 2016-11-01 at 21:01 +0100, Florian Westphal wrote:
> schedule_delayed_work(&gc_work->dwork, next_run);
> @@ -993,6 +1029,7 @@ static void gc_worker(struct work_struct *work)
> static void conntrack_gc_work_init(struct conntrack_gc_work *gc_work)
> {
> INIT_DELAYED_WORK(&gc_w
Nicholas Dichtel says:
After commit b87a2f9199ea ("netfilter: conntrack: add gc worker to
remove timed-out entries"), netlink conntrack deletion events may be
sent with a huge delay.
Nicholas further points at this line:
goal = min(nf_conntrack_htable_size / GC_MAX_BUCKETS_DIV, GC_MAX_BUC
Hi,
I'm rebasing nf-next because I found problems on the ipset batch.
As part of the rebase, I'm going to squash this Arnd's patch:
http://patchwork.ozlabs.org/patch/688615/
into original Florian's fib nf_tables expression patch.
As well as this one:
http://patchwork.ozlabs.or
On Sun, Oct 23, 2016 at 10:37:52PM +0200, Jozsef Kadlecsik wrote:
> From: Muhammad Falak R Wani
>
> Use setup_timer() instead of init_timer(), as it is the preferred way
> of setting up a timer.
>
> Also, quoting the mod_timer() function comment:
> -> mod_timer() is a more efficient way to upda
On Sun, Oct 23, 2016 at 10:37:49PM +0200, Jozsef Kadlecsik wrote:
> Signed-off-by: Jozsef Kadlecsik
Please document that net_ratelimit() and pr_warn are not useful
anymore, so you remove them.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to maj
On Sun, Oct 23, 2016 at 10:37:44PM +0200, Jozsef Kadlecsik wrote:
> Remove redundant parameters nets_length and dsize:
> they can be derived from other parameters.
>
> Remove one level of indentation by using continue while
> iterating over elements in bucket.
Please, split this in two patches, othe
On Sun, Oct 23, 2016 at 10:37:40PM +0200, Jozsef Kadlecsik wrote:
> Signed-off-by: Jozsef Kadlecsik
A bit pedantic, but please add a description; a one-liner
indicating why this belongs there is fine. Thanks.
On Sun, Oct 23, 2016 at 10:37:39PM +0200, Jozsef Kadlecsik wrote:
> Hash types already have their memsize calculation code in separate
> functions. Do the same for *bitmap* and *list* sets.
This is just a cleanup, right?
More comments below.
> Ported from a patch proposed by Sergey Popovich .
>
>
On Sun, Oct 23, 2016 at 10:37:38PM +0200, Jozsef Kadlecsik wrote:
> Ported from a patch proposed by Sergey Popovich .
And please, provide a better description for this. Probably oneline
indicating that this is a cleanup should be fine.
On Sun, Oct 23, 2016 at 10:37:38PM +0200, Jozsef Kadlecsik wrote:
> Ported from a patch proposed by Sergey Popovich .
>
> Suggested-by: Sergey Popovich
> Signed-off-by: Jozsef Kadlecsik
> ---
> include/linux/netfilter/ipset/ip_set.h | 95
> +-
> include/linux/ne
On Sun, Oct 23, 2016 at 10:37:36PM +0200, Jozsef Kadlecsik wrote:
> Use struct ip_set_skbinfo in struct ip_set_ext instead of open
> coded fields and assign structure members in get/init helpers
> instead of copying members one by one.
>
> Ported from a patch proposed by Sergey Popovich .
>
> Sug
On Sun, Oct 23, 2016 at 10:37:37PM +0200, Jozsef Kadlecsik wrote:
> Allocate memory with kmalloc() rather than kzalloc().
>
> Ported from a patch proposed by Sergey Popovich .
>
> Suggested-by: Sergey Popovich
> Signed-off-by: Jozsef Kadlecsik
> ---
> include/linux/netfilter/ipset/ip_set_comme
On Sun, Oct 23, 2016 at 10:37:35PM +0200, Jozsef Kadlecsik wrote:
> Remove extra whitespace, group counter helper together. Mark some of
> the helpers arguments as const.
It would be better to split this in two patches, one to remove extra
whitespace.
And another to group counter helper together.
On Sun, Oct 23, 2016 at 10:37:34PM +0200, Jozsef Kadlecsik wrote:
> When the rcu_dereference_bh_nfnl() macro is defined on the target
> system, it accepts a pointer and a subsystem id.
>
> Check if rcu_dereference_bh_nfnl() is defined and make it accepting two
> arguments.
>
> Ported from a patc
On Thu, Oct 27, 2016 at 06:53:51PM +0200, Pablo Neira Ayuso wrote:
[...]
> Pulled, thanks Jozsef.
Sorry Jozsef for not coming to you any sooner. I'm finding several
problems in this patchset that forces me to toss it again.
I'm going to follow up on a deeper review on your submission with
comment
Add support to add an offset to the hash generator, eg.
ct mark set hash ip saddr mod 10 offset 100
This will generate marks with series between 100-109.
Signed-off-by: Laura Garcia Liebana
---
Changes in v2:
- Adapt the code to the repository changes.
- Include test payload.
The hash expression requires a seed attribute to call the jhash
operation, eg.
# nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \
seed 0xdeadbeef
With this patch the seed attribute is optional and it's generated by a
random function from userspace, eg.
# nft add rule x
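As an added example (not from either hash patch above, nor from the nftables project itself), this ruleset uses the offset and seed attributes together: each new flow is assigned one of ten buckets, 100..109, keyed on its source address, and the bucket is then copied to the packet mark. It assumes the nft userspace grammar "jhash <key> mod <n> seed <s> offset <o>"; the seed value is arbitrary and the table/chain names are constructed for the example:

```nft
# Added example; assumes nft userspace support for 'seed' and 'offset'
# on the hash expression. Load with: nft -f <file>

table ip mangle {
    chain prerouting {
        type filter hook prerouting priority -150; policy accept;

        # Bucket the flow once, on its first packet. With a fixed seed the
        # same source address always lands in the same bucket, even across
        # ruleset reloads; drop 'seed' to let nft generate a random one.
        # mod 10 gives 0..9, offset 100 shifts that to 100..109.
        ct state new ct mark set jhash ip saddr mod 10 seed 0xdeadbeef offset 100

        # Copy the per-flow bucket to every packet of the flow so later
        # hooks (or policy routing on fwmark) can act on it.
        ct mark != 0 meta mark set ct mark
    }
}
```

Setting the mark from ct mark on every packet, rather than rehashing, keeps the bucket stable for the whole connection regardless of direction, which is what you want when the marks feed into routing or QoS decisions.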