On Mon, Nov 20, 2017 at 6:58 PM, Pablo Neira Ayuso wrote:
> On Sun, Nov 19, 2017 at 06:04:32PM +0530, Varsha Rao wrote:
>> This patch adds test case for IPv4 Mapped IPv6 address and renames
>> file 0025named_limit_0 to 0026named_limit_0.
>
> Applied, thanks Varsha.
>
> Please, next time, send one
On Wed, Nov 22, 2017 at 08:36:16PM +0100, Pablo Neira Ayuso wrote:
> 2535ba7006f2 ("src: get rid of printf") uses gmp_vfprintf() which
> doesn't exist in mini-gmp.c, this breaks compilation with --mini-gmp.
>
> This patch implements poor man's gmp_vfprintf that takes one single
> argument which i
Restore some code that is needed, until we have a version of gmp_printf
that takes variable arguments.
In file included from ../include/utils.h:12:0,
from ../include/nftables.h:6,
from ../include/rule.h:5,
from segtree.c:15:
segtree.c: In function
2535ba7006f2 ("src: get rid of printf") uses gmp_vfprintf() which
doesn't exist in mini-gmp.c, this breaks compilation with --mini-gmp.
This patch implements poor man's gmp_vfprintf that takes one single
argument which is what we need.
Signed-off-by: Pablo Neira Ayuso
---
@Phil: We're still hit
Hi Phil,
On Wed, Nov 22, 2017 at 06:49:43PM +0100, Phil Sutter wrote:
> On Mon, Nov 20, 2017 at 05:53:13PM +0100, Pablo Neira Ayuso wrote:
> > On Mon, Nov 20, 2017 at 04:58:22PM +0100, Phil Sutter wrote:
> > > On Mon, Nov 20, 2017 at 02:07:32PM +0100, Pablo Neira Ayuso wrote:
> > > > On Mon, Nov 2
On Mon, Nov 13, 2017 at 10:58:18PM +0800, gfree.w...@vip.163.com wrote:
> From: Gao Feng
>
> The param of frag_safe_skb_hp, ipvsh, isn't used now. So remove it and
> update the callers' codes too.
>
> Signed-off-by: Gao Feng
> ---
> Simon advised me to send the patch to the netfilter group
Acked-by:
On Mon, Nov 20, 2017 at 05:53:13PM +0100, Pablo Neira Ayuso wrote:
> On Mon, Nov 20, 2017 at 04:58:22PM +0100, Phil Sutter wrote:
> > On Mon, Nov 20, 2017 at 02:07:32PM +0100, Pablo Neira Ayuso wrote:
> > > On Mon, Nov 20, 2017 at 01:54:18PM +0100, Phil Sutter wrote:
> > > > On Mon, Nov 20, 2017 at
Giuseppe Scrivano wrote:
> > However, I suggest you try to go with call_rcu to get rid of all of the
> > synchronize_net() calls. I don't even see why it's still needed for
> > nfqueue case provided we invoke the nfqueue drop handler first.
> >
> > PoC example, untested:
>
> thanks, the patch seem
Florian Westphal writes:
> However, I suggest you try to go with call_rcu to get rid of all of the
> synchronize_net() calls. I don't even see why it's still needed for
> nfqueue case provided we invoke the nfqueue drop handler first.
>
> PoC example, untested:
thanks, the patch seems to work for
46928a0b49f3 ("netfilter: nf_tables: remove multihook chains and
families") already removed this, this is a leftover.
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nf_tables_arp.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/net/ipv4/netfilter/nf_tables_arp.c
b/net/ipv4/netfilte
Instead of calling this function from the family specific variant, this
reduces the code size in the fast path for the netdev, bridge and inet
families. After this change, we must call nft_set_pktinfo() upfront from
the chain hook indirection.
Before:
text data bss dec hex filen
They don't belong to the family definition, move them to the filter
chain type definition instead.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 2 +-
net/bridge/netfilter/nf_tables_bridge.c | 14 +++---
net/ipv4/netfilter/nf_tables_arp.c | 8 -
Use new native NFPROTO_INET support in netfilter core, this gets rid of
ad-hoc code in the nf_tables API codebase.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables_ipv4.h | 2 --
include/net/netfilter/nf_tables_ipv6.h | 2 --
net/ipv4/netfilter/nf_tables_ipv4.c| 3 +-
Just a preparation change, this is needed by follow up patches to handle
NFPROTO_INET as a real family from the core.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 32 ++--
1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/net/netfilter/cor
Expand NFPROTO_INET in two hook registrations, one for NFPROTO_IPV4 and
another for NFPROTO_IPV6. Hence, we handle NFPROTO_INET as a real family
from the core.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 61 +---
1 file changed, 53
Hi,
This is a patchset to handle NFPROTO_INET hook registration from the
Netfilter core, as we discussed during the NFWS in Faro, Portugal [1].
From the hook path, your code just needs to check for state->pf to know
if this is either IPv4 or IPv6 traffic, alternatively skb->protocol could
be used fo
Since NFPROTO_INET is handled from the core, we don't need to maintain
extra infrastructure in nf_tables to handle the double hook
registration, one for IPv4 and another for IPv6.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h | 9 +--
net/bridge/netfilter/nf_table
Just a cleanup, __nf_unregister_net_hook() is used by a follow up patch
when handling NFPROTO_INET as a real family from the core.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/core.c | 10 +-
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/core.c b/net/n
On Wed, Nov 22, 2017 at 01:44:10PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > Hi Florian,
> >
> > On Mon, Nov 13, 2017 at 05:41:05PM +0100, Florian Westphal wrote:
> > > Check that the array hooks are not accessed out-of-bounds.
> > > Next patch will then reduce their sizes to
Pablo Neira Ayuso wrote:
> Hi Florian,
>
> On Mon, Nov 13, 2017 at 05:41:05PM +0100, Florian Westphal wrote:
> > Check that the array hooks are not accessed out-of-bounds.
> > Next patch will then reduce their sizes to reflect the number
> > of hooks implemented for each family.
>
> I'm hitting
Hi Florian,
On Mon, Nov 13, 2017 at 05:41:05PM +0100, Florian Westphal wrote:
> Check that the array hooks are not accessed out-of-bounds.
> Next patch will then reduce their sizes to reflect the number
> of hooks implemented for each family.
I'm hitting this here.
In file included from ./includ
On Mon, Nov 20, 2017 at 04:54:04PM +0100, Phil Sutter wrote:
> Initialize output_fp to 'stdout' upon context creation and check output
> stream validity in nft_ctx_set_output(). This allows to drop checks in
> nft_{gmp_,}print() and do_command_export(). While doing so for the
> latter, simplify it
On Tue, Nov 21, 2017 at 11:13:39PM +0100, Phil Sutter wrote:
> Since packets traverse both tables, the accept rule in the first one is
> ineffective due to the second table's drop policy. To prevent lockouts
> when running the testsuite via SSH connection, set the second chain's
> policy to accept
Giuseppe Scrivano wrote:
> Florian Westphal writes:
>
> > Giuseppe Scrivano wrote:
> >> SELinux, if enabled, registers for each new network namespace 6
> >> netfilter hooks. Avoid using synchronize_net for each new hook, but do
> >> it once after all the hooks are added. The net benefit on a
Florian Westphal writes:
> Giuseppe Scrivano wrote:
>> SELinux, if enabled, registers for each new network namespace 6
>> netfilter hooks. Avoid using synchronize_net for each new hook, but do
>> it once after all the hooks are added. The net benefit on an SMP
>> machine with two cores is tha
Florian Westphal wrote:
> Giuseppe Scrivano wrote:
> > SELinux, if enabled, registers for each new network namespace 6
> > netfilter hooks. Avoid using synchronize_net for each new hook, but do
> > it once after all the hooks are added. The net benefit on an SMP
> > machine with two cores is t
Giuseppe Scrivano wrote:
> SELinux, if enabled, registers for each new network namespace 6
> netfilter hooks. Avoid using synchronize_net for each new hook, but do
> it once after all the hooks are added. The net benefit on an SMP
> machine with two cores is that creating a new network namespac
Giuseppe Scrivano wrote:
> SELinux, if enabled, registers for each new network namespace 6
> netfilter hooks. Avoid using synchronize_net for each new hook, but do
> it once after all the hooks are added. The net benefit on an SMP
> machine with two cores is that creating a new network namespac
SELinux, if enabled, registers for each new network namespace 6
netfilter hooks. Avoid using synchronize_net for each new hook, but do
it once after all the hooks are added. The net benefit on an SMP
machine with two cores is that creating a new network namespace takes
-40% of the original time.