On 2018-05-14 23:05, Richard Guy Briggs wrote:
> On 2018-05-14 17:44, Paul Moore wrote:
> > On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> > > Recognizing that the audit context is an internal audit value, use an
> > > access function to retrieve the audit context
On 2018-05-14 17:44, Paul Moore wrote:
> On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> > Recognizing that the audit context is an internal audit value, use an
> > access function to retrieve the audit context pointer for the task
> > rather than reaching directly
Fixes: 446adedb5339 ("net: sched: always take reference to action")
Signed-off-by: Fengguang Wu
---
act_api.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sched/act_api.c b/net/sched/act_api.c
index 9459cce..27e80cf 100644
---
Hi Vlad,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on net/master]
[also build test WARNING on v4.17-rc5 next-20180514]
[cannot apply to net-next/master]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url
Hi Pablo,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151
base:
Hi Pablo,
I love your patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151
base:
This uncovered broken translation of ethernet + mask.
Signed-off-by: Florian Westphal
---
extensions/generic.txlate | 15 ++
iptables/nft-bridge.c | 73 +++
2 files changed, 57 insertions(+), 31 deletions(-)
diff --git
Duncan Roe wrote:
> Since commit b1cdae87f25021eb835872d86d6e7206bd421c3f, make fails thusly:
>
> > libebtc.c: In function 'ebt_reinit_extensions':
> > libebtc.c:275:11: error: 'union ' has no member named 'revision'
> > m->m->u.revision = m->revision;
> >
Since commit b1cdae87f25021eb835872d86d6e7206bd421c3f, make fails thusly:
> libebtc.c: In function 'ebt_reinit_extensions':
> libebtc.c:275:11: error: 'union ' has no member named 'revision'
> m->m->u.revision = m->revision;
>^
> libebtc.c: In function 'ebt_check_rule_exists':
>
On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> The audit-related parameters in struct task_struct should ideally be
> collected together and accessed through a standard audit API.
>
> Collect the existing loginuid, sessionid and audit_context together in a
> new
On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> Recognizing that the audit context is an internal audit value, use an
> access function to set the audit context pointer for the task
> rather than reaching directly into the task struct to set it.
>
> Signed-off-by:
This reverts commit f92b40a8b2645
("netfilter: core: only allow one nat hook per hook point"), this
limitation is no longer needed. The nat core now invokes these
functions and makes sure that hook evaluation stops after a mapping is
created and a null binding is created otherwise.
Copy-pasted, both l3 helpers use almost the same code here.
Split out the common part into an 'inet' helper.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_nat_core.h | 7
net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 55 +
This will allow the nat core to reuse the nf_hook infrastructure
to maintain nat lookup functions.
The raw versions don't assume a particular hook location, the
functions get added/deleted from the hook blob that is passed to the
functions.
Signed-off-by: Florian Westphal
---
Will be used in followup patch when nat types no longer
use nf_register_net_hook() but will instead register with the nat core.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_tables.h | 8
net/ipv4/netfilter/nft_chain_nat_ipv4.c | 19
The ip(6)tables nat table is currently receiving skbs from the netfilter
core, after a followup patch skbs will be coming from the netfilter nat
core instead, so the table is no longer backed by normal hook_ops.
Signed-off-by: Florian Westphal
---
net/ipv4/netfilter/ip_tables.c
Currently the packet rewrite and instantiation of nat NULL bindings
happens from the protocol specific nat backend.
Invocation occurs either via ip(6)table_nat or the nf_tables nat chain type.
Invocation looks like this (simplified):
NF_HOOK()
|
`---iptable_nat
|
`--->
Right now, only a single nat hook is permitted at each hook point.
The reason for this is that lookup of the nat transformation
(e.g. "nft add rule nat postrouting tcp dport dnat to 10.1.1.1:22")
that should be attached to a conntrack and the packet rewrite occurs from
the protocol specific
This adds the infrastructure to register nat hooks with the nat core
instead of the netfilter core.
nat hooks are used to configure nat bindings. Such hooks are registered
from ip(6)table_nat or by the nftables core when a nat chain is added.
After next patch, nat hooks will be registered with
On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> Recognizing that the audit context is an internal audit value, use an
> access function to retrieve the audit context pointer for the task
> rather than reaching directly into the task struct to get it.
>
>
On Mon 14 May 2018 at 18:03, Jamal Hadi Salim wrote:
> On 14/05/18 10:27 AM, Vlad Buslov wrote:
>> Currently, all netlink protocol handlers for updating rules, actions and
>> qdiscs are protected with single global rtnl lock which removes any
>> possibility for parallelism.
On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> Use a macro, "AUDIT_SID_UNSET", to replace each instance of
> initialization and comparison to an audit session ID.
>
> Signed-off-by: Richard Guy Briggs
> ---
> include/linux/audit.h | 2 +-
>
Pablo Neira Ayuso wrote:
> > > + ct = nf_ct_get(entry->skb, );
> > > + if (ct && !nf_ct_is_confirmed(ct) &&
> > > + verdict != NF_STOLEN && verdict != NF_DROP) {
> >
> > Why not verdict == NF_ACCEPT?
>
> We also have to deal with NF_STOP, right?
Indeed, right. Your
Linux Plumbers Networking Track CFP
This is a call for proposals for the networking track at the 2018
edition of the Linux Plumbers Conference which will be held in
Vancouver on November 13th and November 14th.
The LPC Networking Track is a community event, open to everyone, and
does not
On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote:
> Recognizing that the loginuid is an internal audit value, use an access
> function to retrieve the audit loginuid value for the task rather than
> reaching directly into the task struct to get it.
>
> Signed-off-by:
Hi!
I'm honored to present
nftlb 0.2
nftlb stands for nftables load balancer, a user space tool
that builds a complete load balancer and traffic distributor
using the nft infrastructure.
nftlb is a nftables rules manager that creates virtual services
for load balancing at layer 2, layer 3
On Mon 14 May 2018 at 16:47, Jiri Pirko wrote:
> Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote:
>
> [...]
>
>
>>+static int tcf_action_del_1(struct net *net, char *kind, u32 index,
>>+ struct netlink_ext_ack *extack)
>>+{
>>+ const
On 14/05/18 10:27 AM, Vlad Buslov wrote:
Currently, all netlink protocol handlers for updating rules, actions and
qdiscs are protected with single global rtnl lock which removes any
possibility for parallelism. This patch set is a first step to remove
rtnl lock dependency from TC rules update
On Mon, May 14, 2018 at 07:30:56PM +0200, Pablo Neira Ayuso wrote:
> On Mon, May 14, 2018 at 07:26:54PM +0200, Florian Westphal wrote:
> > Pablo Neira Ayuso wrote:
> > > static int __init nf_nat_init(void)
> > > diff --git a/net/netfilter/nfnetlink_queue.c
> > >
On Mon, May 14, 2018 at 07:26:54PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > static int __init nf_nat_init(void)
> > diff --git a/net/netfilter/nfnetlink_queue.c
> > b/net/netfilter/nfnetlink_queue.c
> > index 74a04638ef03..28e4fae98f60 100644
> > ---
Pablo Neira Ayuso wrote:
> static int __init nf_nat_init(void)
> diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
> index 74a04638ef03..28e4fae98f60 100644
> --- a/net/netfilter/nfnetlink_queue.c
> +++ b/net/netfilter/nfnetlink_queue.c
> @@
Make_global.am already adds the include directory via the -I option.
Signed-off-by: Pablo Neira Ayuso
---
src/config.c | 4 ++--
src/main.c | 8
src/model.c | 6 +++---
src/nft.c | 6 +++---
src/server.c | 6 +++---
5 files changed, 15 insertions(+), 15 deletions(-)
Remove all forward declarations, they are unnecessary and they are also
missing the static keyword.
Enable -Wmissing-prototypes to spot functions that should be declared
static.
Signed-off-by: Pablo Neira Ayuso
---
Make_global.am | 1 +
src/config.c | 355
There is already a config.h in tree, it clashes with it.
Signed-off-by: Pablo Neira Ayuso
---
configure.ac | 2 --
1 file changed, 2 deletions(-)
diff --git a/configure.ac b/configure.ac
index 03c7c91dd26c..fc7eef1dd95e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,8
http://lists.schmorp.de/pipermail/libev/2010q1/000920.html
The following warning should be calmed via -Wno-strict-aliasing:
server.c: In function ‘server_init’:
server.c:375:2: warning: dereferencing type-punned pointer will break
strict-aliasing rules [-Wstrict-aliasing]
ev_io_init(_accept,
Move decode_session() and parse_nat_setup_hook() indirections to struct
nf_nat_hook structure.
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter.h | 22 --
include/net/netfilter/nf_nat_core.h | 27 +++
In nfqueue, two consecutive skbuffs may race to create the conntrack
entry. Hence, the one that loses the race gets dropped due to clash in
the insertion into the hashes from the nf_conntrack_confirm() path.
This patch adds a new nf_conntrack_update() function which searches for
possible clashes
Move the nf_ct_destroy indirection to the struct nf_ct_hook.
Signed-off-by: Pablo Neira Ayuso
---
I think it should be possible to place the ip_ct_attach indirection here
too, this is being set to NULL before cleaning up the hashes on module
removal to ensure no new ICMP
Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote:
[...]
>+static int tcf_action_del_1(struct net *net, char *kind, u32 index,
>+ struct netlink_ext_ack *extack)
>+{
>+ const struct tc_action_ops *ops;
>+ int err = -EINVAL;
>+
>+ ops =
Mon, May 14, 2018 at 05:12:22PM CEST, j...@resnulli.us wrote:
>Mon, May 14, 2018 at 04:27:04PM CEST, vla...@mellanox.com wrote:
>>Extend action ops with 'delete' function. Each action type to implement its
>>own delete function that doesn't depend on rtnl lock.
>>
>>Signed-off-by: Vlad Buslov
Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote:
>Implement helper function to delete action using new action ops delete
>function implemented by each action for lockless execution.
Reading this sentence for the 4th time, I still don't understand what you say :(
>
>Implement action
Mon, May 14, 2018 at 04:27:06PM CEST, vla...@mellanox.com wrote:
>Without rtnl lock protection it is no longer safe to use pointer to tc
>action without holding reference to it. (it can be destroyed concurrently)
>
>Remove unsafe action idr lookup function. Instead of it, implement safe tcf
>idr
Mon, May 14, 2018 at 04:27:05PM CEST, vla...@mellanox.com wrote:
>Add additional 'unlocked' argument to act API init functions.
>Argument is true when rtnl lock is not taken and false otherwise.
>It is required to implement actions that need to release rtnl lock before
>loading kernel module and
Mon, May 14, 2018 at 04:27:04PM CEST, vla...@mellanox.com wrote:
>Extend action ops with 'delete' function. Each action type to implement its
>own delete function that doesn't depend on rtnl lock.
>
>Signed-off-by: Vlad Buslov
>---
> include/net/act_api.h | 1 +
> 1 file
Mon, May 14, 2018 at 04:27:03PM CEST, vla...@mellanox.com wrote:
>Change type of action reference counter to refcount_t.
>
>Change type of action bind counter to atomic_t.
>This type is used to allow decrementing bind counter without testing
>for 0 result.
>
>Signed-off-by: Vlad Buslov
Mon, May 14, 2018 at 04:27:02PM CEST, vla...@mellanox.com wrote:
>Implement functions to atomically update and free action cookie
>using rcu mechanism.
>
>Signed-off-by: Vlad Buslov
Signed-off-by: Jiri Pirko
--
To unsubscribe from this list: send the line
Currently, all netlink protocol handlers for updating rules, actions and
qdiscs are protected with single global rtnl lock which removes any
possibility for parallelism. This patch set is a first step to remove
rtnl lock dependency from TC rules update path. It updates act API to
use atomic
Add additional 'unlocked' argument to act API init functions.
Argument is true when rtnl lock is not taken and false otherwise.
It is required to implement actions that need to release rtnl lock before
loading kernel module and reacquire it afterwards.
Signed-off-by: Vlad Buslov
Change type of action reference counter to refcount_t.
Change type of action bind counter to atomic_t.
This type is used to allow decrementing bind counter without testing
for 0 result.
Signed-off-by: Vlad Buslov
---
include/net/act_api.h | 5 +++--
Implement functions to atomically update and free action cookie
using rcu mechanism.
Signed-off-by: Vlad Buslov
---
include/net/act_api.h | 2 +-
include/net/pkt_cls.h | 1 +
net/sched/act_api.c | 44 ++--
3 files changed, 32
Return from action init function with reference to action taken,
even when overwriting existing action.
Action init API initializes its fourth argument (pointer to pointer to
tc action) to either existing action with same index or newly created
action. In case of existing index(and bind argument
Implement helper function to delete action using new action ops delete
function implemented by each action for lockless execution.
Implement action put function that releases reference to action and frees
it if necessary. Refactor action deletion code to use new put function and
not to rely on
Change action API to assume that action init function always takes
reference to action, even when overwriting existing action. This is
necessary because action API continues to use action pointer after init
function is done. At this point action becomes accessible for concurrent
modifications so
Implement new action API function to atomically delete action with
specified index and to atomically insert unique action. These functions are
required to implement init and delete functions for specific actions that
do not rely on rtnl lock.
Signed-off-by: Vlad Buslov
---
Extend action ops with 'delete' function. Each action type to implement its
own delete function that doesn't depend on rtnl lock.
Signed-off-by: Vlad Buslov
---
include/net/act_api.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/net/act_api.h
Without rtnl lock protection it is no longer safe to use pointer to tc
action without holding reference to it. (it can be destroyed concurrently)
Remove unsafe action idr lookup function. Instead of it, implement safe tcf
idr check function that atomically looks up action in idr and increments
tca_get_fill function has 'bind' and 'ref' arguments that get passed
down to action dump function. These arguments values are subtracted from
actual reference and bind counter values before writing them to skb.
In order to prevent concurrent action delete, RTM_GETACTION handler
acquires a
Retry check-insert sequence in action init functions if action with same
index was inserted concurrently.
Signed-off-by: Vlad Buslov
---
net/sched/act_bpf.c | 8 +++-
net/sched/act_connmark.c | 8 +++-
net/sched/act_csum.c | 8 +++-
Extend rate estimator new and replace APIs with additional spinlock
parameter used by lockless actions to protect rate_est pointer from
concurrent modification.
Signed-off-by: Vlad Buslov
---
include/net/gen_stats.h | 2 ++
net/core/gen_estimator.c | 58
Substitute calls to action insert function with calls to action insert
unique function that warns if insertion overwrites index in idr.
Signed-off-by: Vlad Buslov
---
net/sched/act_bpf.c | 2 +-
net/sched/act_connmark.c | 2 +-
net/sched/act_csum.c | 2 +-
Implement delete function that is required to delete actions without
holding rtnl lock. Use action API function that atomically deletes action
only if it is still in action idr. This implementation prevents concurrent
threads from deleting same action twice.
Signed-off-by: Vlad Buslov
We would like to introduce to you our image editing services today:
Our advantages:
Clipping path, image cut out
Shadow creation
Photo masking
Beauty retouching, skin retouching, face retouching
We also provide you testing on your photos.
Please reply back if interested.
Thanks,
Jan
68 matches