[nf-next:fw 18/18] net/netfilter/nf_conntrack_standalone.c:647:2: error: call to '__compiletime_assert_647' declared with attribute error: BUILD_BUG_ON failed: NFCT_INFOMASK >= ARCH_KMALLOC_MINALIGN

2017-01-18 Thread kbuild test robot
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git fw head: f0ec36fc1d09458eb0ee7efb3aff532b7caf4257 commit: f0ec36fc1d09458eb0ee7efb3aff532b7caf4257 [18/18] netfilter: merge ctinfo into nfct pointer storage area config: openrisc-allyesconfig (attached as .config) compiler

Re: [PATCH nf v2] netfilter: conntrack: refine gc worker heuristics, redux

2017-01-18 Thread Denys Fedoryshchenko
On 2017-01-18 03:01, Florian Westphal wrote: This further refines the changes made to conntrack gc_worker in commit e0df8cae6c16 ("netfilter: conntrack: refine gc worker heuristics"). The main idea of that change was to reduce the scan interval when evictions take place. However, on the rep

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Paul Moore
On Wed, Jan 18, 2017 at 10:15 AM, Richard Guy Briggs wrote: > On 2017-01-18 07:32, Paul Moore wrote: >> On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: >> > On 2017-01-17 21:34, Richard Guy Briggs wrote: >> >> On 2017-01-17 15:17, Paul Moore wrote: >> >> > On Tue, Jan 17, 2017 at 11:1

[PATCH nft] src: Honor obligatory stateless printing of flow tables

2017-01-18 Thread Elise Lennion
Signed-off-by: Elise Lennion --- include/nftables.h | 2 +- src/main.c | 4 ++-- src/statement.c| 4 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/include/nftables.h b/include/nftables.h index 760bbff..6f54155 100644 --- a/include/nftables.h +++ b/include/nftable

Re: [PATCH nf-next v2 1/1] netfilter: nf_tables: Refine the codes to eliminate useless condition checks in nf_tables_api.c

2017-01-18 Thread Pablo Neira Ayuso
On Mon, Jan 16, 2017 at 10:02:57PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > The return value of nf_tables_table_lookup is valid pointer or one > pointer error. There are two cases totally. > case1: IS_ERR(table) is true, it would return the error or reset the > table as NULL, it is unne

Re: [PATCH nf-next 1/1] netfilter: nf_tables: Eliminate duplicated codes in nf_tables_table_enable

2017-01-18 Thread Pablo Neira Ayuso
On Tue, Jan 10, 2017 at 12:42:39PM +0800, f...@ikuai8.com wrote: > From: Gao Feng > > When something failed in nf_tables_table_enable, it would unregister > the chains. But the rollback codes are almost the same as nf_tables_table_disable, > except there is one counter check. > Now create one wrapp

Re: [PATCH] netfilter: ipt_CLUSTERIP: fix build error without procfs

2017-01-18 Thread Pablo Neira Ayuso
On Fri, Jan 13, 2017 at 04:41:03PM +0100, Arnd Bergmann wrote: > We can't access c->pde if CONFIG_PROC_FS is disabled: > > net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_config_find_get': > net/ipv4/netfilter/ipt_CLUSTERIP.c:147:9: error: 'struct clusterip_config' > has no member name

Re: [PATCH nf-next 2/2] netfilter: nft_meta: deal with PACKET_LOOPBACK in netdev family

2017-01-18 Thread Pablo Neira Ayuso
On Sat, Jan 07, 2017 at 09:33:55PM +0800, Liping Zhang wrote: > From: Liping Zhang > > After adding the following nft rule, then ping 224.0.0.1: > # nft add rule netdev t c pkttype host counter > > The warning complain message will be printed out again and again: > WARNING: CPU: 0 PID: 10182

Re: [PATCH nf-next 1/2] netfilter: pkttype: unnecessary to check ipv6 multicast address

2017-01-18 Thread Pablo Neira Ayuso
On Sat, Jan 07, 2017 at 09:33:54PM +0800, Liping Zhang wrote: > From: Liping Zhang > > Since there's no broadcast address in IPv6, in the ipv6 family the > PACKET_LOOPBACK must be multicast packets, so there's no need to check > it again. Applied, thanks Liping. -- To unsubscribe from this list: se

Re: [PATCH nf-next v2 4/4] netfilter: merge ctinfo into nfct pointer storage area

2017-01-18 Thread Pablo Neira Ayuso
Hi Florian, Sorry for taking a while to look into this. On Thu, Jan 05, 2017 at 12:26:49PM +0100, Florian Westphal wrote: > Merge conntrack related status bits into skb->_nfct. > After this change conntrack operations (lookup, creation, matching from > ruleset) only accesses one instead of two sk

Re: [RFC/PATCH 2/3] netfilter: ctnetlink: Fix regression in CTA_STATUS processing

2017-01-18 Thread Doug Anderson
Hi, On Mon, Jan 16, 2017 at 9:14 PM, Kevin Cernekee wrote: > The libnetfilter_conntrack userland library always sets IPS_CONFIRMED > when building a CTA_STATUS attribute. If this toggles the bit from > 0->1, Linux 4.4+ will reject it and this will cause any NFQA_EXP > attribute in the packet to

Re: [RFC/PATCH 3/3] netfilter: ctnetlink: Fix regression in CTA_HELP processing

2017-01-18 Thread Doug Anderson
Hi, On Mon, Jan 16, 2017 at 9:14 PM, Kevin Cernekee wrote: > If a user program specifies CTA_HELP but the argument matches the > current conntrack helper name, ignore it instead of generating an error. The "subject" of this patch says that it fixes a regression, but that regression isn't explain

Re: [RFC/PATCH 1/3] netfilter: ctnetlink: Fix regression in CTA_TIMEOUT processing

2017-01-18 Thread Doug Anderson
Hi, On Mon, Jan 16, 2017 at 9:14 PM, Kevin Cernekee wrote: > Commit b7bd1809e078 ("netfilter: nfnetlink_queue: get rid of > nfnetlink_queue_ct.c") introduced a new check on the return value > from the NFQA_CT parser (currently ctnetlink_glue_parse_ct()). > Prior to Linux 4.4, nfqnl_ct_parse() wou

Re: [PATCH nft 2/2] tests: py: Use stateless option on tests

2017-01-18 Thread Pablo Neira Ayuso
On Wed, Jan 18, 2017 at 07:02:53PM +0100, Pablo Neira Ayuso wrote: > On Tue, Jan 17, 2017 at 01:44:54PM -0200, Elise Lennion wrote: > > To not trigger false errors because of unrelated traffic on the > > tested machine. > > > > Tests, which have rules with counter and 'ok' result, are updated to

Re: [PATCH nft 2/2] tests: py: Use stateless option on tests

2017-01-18 Thread Pablo Neira Ayuso
On Tue, Jan 17, 2017 at 01:44:54PM -0200, Elise Lennion wrote: > To not trigger false errors because of unrelated traffic on the > tested machine. > > Tests, which have rules with counter and 'ok' result, are updated to > avoid new Warnings. Also applied, thanks. > diff --git a/tests/py/ip/flo

Re: [PATCH nft 1/2] doc: Include stateless option

2017-01-18 Thread Pablo Neira Ayuso
Applied, thanks.

[PATCH nf-next 5/7] netfilter: nf_tables: rename struct nft_set_estimate class field

2017-01-18 Thread Pablo Neira Ayuso
Use lookup as field name instead, to prepare the introduction of the memory class in a follow up patch. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 4 ++-- net/netfilter/nf_tables_api.c | 12 ++-- net/netfilter/nft_set_hash.c | 2 +- net/netfilter/

[PATCH nf-next 7/7] netfilter: nf_tables: add bitmap set type

2017-01-18 Thread Pablo Neira Ayuso
This patch adds a new bitmap set type. This bitmap uses two bits to represent one element. These two bits determine the element state in the current and the future generation that fits into the nf_tables commit protocol. When dumping elements back to userspace, the two bits are expanded into a stru

[PATCH nf-next 0/7] nf_tables set enhancements

2017-01-18 Thread Pablo Neira Ayuso
Hi, The following patches contain enhancements for the set infrastructure: 1) Introduce memory scalability notation for sets, this is useful in case that userspace provides no explicit number of elements for this set and to break ties if the set selection routine finds two backends prov

[PATCH nf-next 2/7] netfilter: nf_tables: use struct nft_set_iter in set element flush

2017-01-18 Thread Pablo Neira Ayuso
Instead of struct nft_set_dump_args, remove unnecessary wrapper structure. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 12 +--- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 6598a

[PATCH nf-next 3/7] netfilter: nf_tables: rename deactivate_one() to flush()

2017-01-18 Thread Pablo Neira Ayuso
Although semantics are similar to deactivate() with no implicit element lookup, this is only called from the set flush path, so better rename this to flush. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 8 net/netfilter/nf_tables_api.c | 2 +- net/netfilte

[PATCH nf-next 4/7] netfilter: nf_tables: add flush field to struct nft_set_iter

2017-01-18 Thread Pablo Neira Ayuso
This provides context to the walk callback iterator, thus we know if the walk happens from the set flush path. This is required by the new bitmap set type coming in a follow up patch which has no real struct nft_set_ext, so it has to allocate it based on the two bit compact element representation. Si

[PATCH nf-next 6/7] netfilter: nf_tables: add space notation to sets

2017-01-18 Thread Pablo Neira Ayuso
The space notation allows us to classify the set backend implementation based on the amount of required memory. This provides an order of the set representation scalability in terms of memory. The size field is still left in place so use this if the userspace provides no explicit number of elements

[PATCH nf-next 1/7] netfilter: nf_tables: pass netns to set->ops->remove()

2017-01-18 Thread Pablo Neira Ayuso
This is required by the new bitmap set type that comes in a follow up patch. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 3 ++- net/netfilter/nf_tables_api.c | 4 ++-- net/netfilter/nft_set_hash.c | 3 ++- net/netfilter/nft_set_rbtree.c| 3 ++- 4 files c

[PATCH nf] netfilter: nf_tables: fix set->nelem leak

2017-01-18 Thread Pablo Neira Ayuso
If no NLM_F_EXCL is specified and the element already exists, no error is reported to userspace. However, no new element is added, so decrement set->nelem to undo the early increment that nf_tables_newsetelem() performs. Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set

Re: [PATCH nf-next] netfilter: ctnetlink: make more information available in DESTROY events

2017-01-18 Thread Florian Westphal
Pablo Neira Ayuso wrote: > IIRC, the destroy message is rather small. Moreover, think of > thousands of messages in that queue, that makes a difference. And I > cannot think of anything useful people can do with window scale and > flags at that stage, right? I could not think of a reason why any

Re: [PATCH nf-next] netfilter: ctnetlink: make more information available in DESTROY events

2017-01-18 Thread Pablo Neira Ayuso
On Wed, Jan 18, 2017 at 04:07:45PM +0100, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Wed, Jan 18, 2017 at 03:54:32PM +0100, Florian Westphal wrote: > > > destroy events currently don't contain the tcp state info and no > > > secmark and conntrack labels. > > > > > > Quoting Victor:

Re: [PATCH nf-next] netfilter: ctnetlink: make more information available in DESTROY events

2017-01-18 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Jan 18, 2017 at 03:54:32PM +0100, Florian Westphal wrote: > > destroy events currently don't contain the tcp state info and no > > secmark and conntrack labels. > > > > Quoting Victor: > > "I was hoping to get the last TCP state in a conntrack destroy event, >

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Richard Guy Briggs
On 2017-01-18 07:32, Paul Moore wrote: > On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: > > On 2017-01-17 21:34, Richard Guy Briggs wrote: > >> On 2017-01-17 15:17, Paul Moore wrote: > >> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs > >> > wrote: > >> > > On 2017-01-17 08:

Re: [PATCH nf-next] netfilter: ctnetlink: make more information available in DESTROY events

2017-01-18 Thread Pablo Neira Ayuso
On Wed, Jan 18, 2017 at 03:54:32PM +0100, Florian Westphal wrote: > destroy events currently don't contain the tcp state info and no > secmark and conntrack labels. > > Quoting Victor: > "I was hoping to get the last TCP state in a conntrack destroy event, > however it seems to be unavailable."

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Steve Grubb
On Wednesday, January 18, 2017 7:32:40 AM EST Paul Moore wrote: > On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: > > On 2017-01-17 21:34, Richard Guy Briggs wrote: > >> On 2017-01-17 15:17, Paul Moore wrote: > >> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs wrote: > >> > >

[PATCH nf-next] netfilter: ctnetlink: make more information available in DESTROY events

2017-01-18 Thread Florian Westphal
destroy events currently don't contain the tcp state info and no secmark and conntrack labels. Quoting Victor: "I was hoping to get the last TCP state in a conntrack destroy event, however it seems to be unavailable." Quoting Jarno: "I have a use case where we want to log terminating connecti

Re: [PATCH nf v2] netfilter: conntrack: refine gc worker heuristics, redux

2017-01-18 Thread Nicolas Dichtel
On 18/01/2017 at 02:01, Florian Westphal wrote: > This further refines the changes made to conntrack gc_worker in > commit e0df8cae6c16 ("netfilter: conntrack: refine gc worker heuristics"). > > The main idea of that change was to reduce the scan interval when evictions > take place. > > Howeve

Re: [PATCH] iptables-save: Exit with error if unable to open proc file

2017-01-18 Thread thomas
On Wed, 18 Jan 2017 15:07:17 +0100, Florian Westphal said: > Still a linewrap here, rest was fine so I fixed this up and applied > the patch, thanks! Curious. My outgoing history claims it's a single line. I'll have to look into this. > I did not notice on 1st review but a 'Signed-off-by' line wo

Re: [PATCH] iptables-save: Exit with error if unable to open proc file

2017-01-18 Thread Florian Westphal
tho...@habets.se wrote: > diff --git a/iptables/ip6tables-save.c b/iptables/ip6tables-save.c > index f35e921..053413a 100644 > --- a/iptables/ip6tables-save.c > +++ b/iptables/ip6tables-save.c > @@ -35,10 +35,16 @@ static int for_each_table(int (*func)(const char > *tablename)) Still a linewrap h

Re: [PATCH] iptables-save: Exit with error if unable to open proc file

2017-01-18 Thread thomas
On Wed, 18 Jan 2017 14:32:30 +0100, Florian Westphal said: > static const char filename[] = Done. > iptables uses kernel coding style, so > > if (errno == ENOENT) > return ret; Gotcha. Making the code unambiguously worse, then. (cough, goto fail, cough) Done. > Looks like y

Re: [PATCH] iptables-save: Exit with error if unable to open proc file

2017-01-18 Thread Florian Westphal
Thomas Habets wrote: > I sent this before without being subscribed, but it doesn't seem to > have reached the archives so now retrying while subscribed. Weird, it's an open list (no subscribe required). > If you're not root, then iptables-save silently fails (both to stderr > and exit code). This

[PATCH] iptables-save: Exit with error if unable to open proc file

2017-01-18 Thread Thomas Habets
I sent this before without being subscribed, but it doesn't seem to have reached the archives so now retrying while subscribed. If you're not root, then iptables-save silently fails (both to stderr and exit code). This patch fixes that. -- Author: Thomas Habets Date: Tue Jan 17 14:22:25 2017

Re: AUDIT_NETFILTER_PKT message format

2017-01-18 Thread Paul Moore
On Wed, Jan 18, 2017 at 12:39 AM, Richard Guy Briggs wrote: > On 2017-01-17 21:34, Richard Guy Briggs wrote: >> On 2017-01-17 15:17, Paul Moore wrote: >> > On Tue, Jan 17, 2017 at 11:12 AM, Richard Guy Briggs >> > wrote: >> > > On 2017-01-17 08:55, Steve Grubb wrote: >> > >> On Tuesday, January