Re: [PATCH ghak81 RFC V2 3/5] audit: use inline function to get audit context

On 2018-05-14 23:05, Richard Guy Briggs wrote: > On 2018-05-14 17:44, Paul Moore wrote: > > On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote: > > > Recognizing that the audit context is an internal audit value, use an > > > access function to retrieve the audit context

Re: [PATCH ghak81 RFC V2 3/5] audit: use inline function to get audit context

On 2018-05-14 17:44, Paul Moore wrote: > On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote: > > Recognizing that the audit context is an internal audit value, use an > > access function to retrieve the audit context pointer for the task > > rather than reaching directly

[RFC PATCH] net: sched: __tcf_idr_check() can be static

Fixes: 446adedb5339 ("net: sched: always take reference to action") Signed-off-by: Fengguang Wu --- act_api.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/sched/act_api.c b/net/sched/act_api.c index 9459cce..27e80cf 100644 ---

Re: [PATCH 05/14] net: sched: always take reference to action

Hi Vlad, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on net/master] [also build test WARNING on v4.17-rc5 next-20180514] [cannot apply to net-next/master] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url

Re: [PATCH nf-next 2/3] netfilter: add struct nf_nat_hook and use it

Hi Pablo, I love your patch! Perhaps something to improve: [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151 base:

Re: [PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

Hi Pablo, I love your patch! Perhaps something to improve: [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151 base:

Re: [PATCH 01/14] net: sched: use rcu for action cookie update

Hi Vlad, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on net/master] [also build test WARNING on v4.17-rc5 next-20180514] [cannot apply to net-next/master] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url

Re: [PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

Hi Pablo, I love your patch! Perhaps something to improve: [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151 base:

Re: [PATCH nf-next 2/3] netfilter: add struct nf_nat_hook and use it

Hi Pablo, I love your patch! Perhaps something to improve: [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151 base:

Re: [PATCH nf-next 2/3] netfilter: add struct nf_nat_hook and use it

Hi Pablo, I love your patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151 base:

[PATCH iptables] xtables-compat: extend generic tests for masks and wildcards

This uncovered broken translation of ethernet + mask. Signed-off-by: Florian Westphal --- extensions/generic.txlate | 15 ++ iptables/nft-bridge.c | 73 +++ 2 files changed, 57 insertions(+), 31 deletions(-) diff --git

Re: [PATCH] ebtables: Fix build errors and warnings

Duncan Roe wrote: > Since commit b1cdae87f25021eb835872d86d6e7206bd421c3f, make fails thusly: > > > libebtc.c: In function 'ebt_reinit_extensions': > > libebtc.c:275:11: error: 'union ' has no member named 'revision' > > m->m->u.revision = m->revision; > >

[PATCH] ebtables: Fix build errors and warnings

Since commit b1cdae87f25021eb835872d86d6e7206bd421c3f, make fails thusly: > libebtc.c: In function 'ebt_reinit_extensions': > libebtc.c:275:11: error: 'union ' has no member named 'revision' > m->m->u.revision = m->revision; >^ > libebtc.c: In function 'ebt_check_rule_exists': >

Re: [PATCH ghak81 RFC V2 5/5] audit: collect audit task parameters

On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote: > The audit-related parameters in struct task_struct should ideally be > collected together and accessed through a standard audit API. > > Collect the existing loginuid, sessionid and audit_context together in a > new

Re: [PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

Hi Pablo, I love your patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151 base:

Re: [PATCH ghak81 RFC V2 4/5] audit: use inline function to set audit context

On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote: > Recognizing that the audit context is an internal audit value, use an > access function to set the audit context pointer for the task > rather than reaching directly into the task struct to set it. > > Signed-off-by:

Re: [PATCH nf-next 2/3] netfilter: add struct nf_nat_hook and use it

Hi Pablo, I love your patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-add-struct-nf_ct_hook-and-use-it/20180515-034151 base:

[PATCH nf-next 7/7] netfilter: lift one-nat-hook-only restriction

This reverts commit f92b40a8b2645 ("netfilter: core: only allow one nat hook per hook point"), this limitation is no longer needed. The nat core now invokes these functions and makes sure that hook evaluation stops after a mapping is created and a null binding is created otherwise.

[PATCH nf-next 1/7] netfilter: nf_nat: move common nat code to nat core

Copy-pasted, both l3 helpers almost use same code here. Split out the common part into an 'inet' helper. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_nat_core.h | 7 net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 55 +

[PATCH nf-next 4/7] netfilter: core: export raw versions of add/delete hook functions

This will allow the nat core to reuse the nf_hook infrastructure to maintain nat lookup functions. The raw versions don't assume a particular hook location, the functions get added/deleted from the hook blob that is passed to the functions. Signed-off-by: Florian Westphal ---

[PATCH nf-next 3/7] netfilter: nf_tables: allow chain type to override hook register

Will be used in followup patch when nat types no longer use nf_register_net_hook() but will instead register with the nat core. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_tables.h | 8 net/ipv4/netfilter/nft_chain_nat_ipv4.c | 19

[PATCH nf-next 2/7] netfilter: xtables: allow table definitions not backed by hook_ops

The ip(6)tables nat table is currently receiving skbs from the netfilter core, after a followup patch skbs will be coming from the netfilter nat core instead, so the table is no longer backed by normal hook_ops. Signed-off-by: Florian Westphal --- net/ipv4/netfilter/ip_tables.c

[PATCH nf-next 6/7] netfilter: nf_nat: add nat type hooks to nat core

Currently the packet rewrite and instantiation of nat NULL bindings happens from the protocol specific nat backend. Invocation occurs either via ip(6)table_nat or the nf_tables nat chain type. Invocation looks like this (simplified): NF_HOOK() | `---iptable_nat | `--->

[PATCH nf-next 0/7] netfilter: remove one-nat-hook-only restriction

Right now, only a single nat hook is permitted at each hook point. The reason for this is that lookup of the nat transformation (e.g. "nft add rule nat postrouting tcp dport dnat to 10.1.1.1:22") that should be attached to a conntrack and the packet rewrite occurs from the protocol specific

[PATCH nf-next 5/7] netfilter: nf_nat: add nat hook register functions to nf_nat

This adds the infrastructure to register nat hooks with the nat core instead of the netfilter core. nat hooks are used to configure nat bindings. Such hooks are registered from ip(6)table_nat or by the nftables core when a nat chain is added. After next patch, nat hooks will be registered with

Re: [PATCH ghak81 RFC V2 3/5] audit: use inline function to get audit context

On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote: > Recognizing that the audit context is an internal audit value, use an > access function to retrieve the audit context pointer for the task > rather than reaching directly into the task struct to get it. > >

Re: [PATCH 00/14] Modify action API for implementing lockless actions

On Mon 14 May 2018 at 18:03, Jamal Hadi Salim wrote: > On 14/05/18 10:27 AM, Vlad Buslov wrote: >> Currently, all netlink protocol handlers for updating rules, actions and >> qdiscs are protected with single global rtnl lock which removes any >> possibility for parallelism.

Re: [PATCH ghak81 RFC V2 2/5] audit: convert sessionid unset to a macro

On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote: > Use a macro, "AUDIT_SID_UNSET", to replace each instance of > initialization and comparison to an audit session ID. > > Signed-off-by: Richard Guy Briggs > --- > include/linux/audit.h | 2 +- >

Re: [PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

Pablo Neira Ayuso wrote: > > > + ct = nf_ct_get(entry->skb, ); > > > + if (ct && !nf_ct_is_confirmed(ct) && > > > + verdict != NF_STOLEN && verdict != NF_DROP) { > > > > Why not verdict == NF_ACCEPT? > > We also have to deal with NF_STOP, right? Indeed, right. Your

Linux Plumbers Networking Track CFP

Linux Plumbers Networking Track CFP This is a call for proposals for the networking track at the 2018 edition of the Linux Plumbers Conference which will be held in Vancouver on November 13th and November 14th. The LPC Networking Track is a community event, open to everyone, and does not

Re: [PATCH ghak81 RFC V2 1/5] audit: normalize loginuid read access

On Sat, May 12, 2018 at 9:58 PM, Richard Guy Briggs wrote: > Recognizing that the loginuid is an internal audit value, use an access > function to retrieve the audit loginuid value for the task rather than > reaching directly into the task struct to get it. > > Signed-off-by:

[ANNOUNCE] nftlb 0.2 release

Hi! I'm honored to present nftlb 0.2 nftlb stands for nftables load balancer, a user space tool that builds a complete load balancer and traffic distributor using the nft infrastructure. nftlb is a nftables rules manager that creates virtual services for load balancing at layer 2, layer 3

Re: [PATCH 06/14] net: sched: implement reference counted action release

On Mon 14 May 2018 at 16:47, Jiri Pirko wrote: > Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote: > > [...] > > >>+static int tcf_action_del_1(struct net *net, char *kind, u32 index, >>+ struct netlink_ext_ack *extack) >>+{ >>+ const

Re: [PATCH 00/14] Modify action API for implementing lockless actions

On 14/05/18 10:27 AM, Vlad Buslov wrote: Currently, all netlink protocol handlers for updating rules, actions and qdiscs are protected with single global rtnl lock which removes any possibility for parallelism. This patch set is a first step to remove rtnl lock dependency from TC rules update

Re: [PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

On Mon, May 14, 2018 at 07:30:56PM +0200, Pablo Neira Ayuso wrote: > On Mon, May 14, 2018 at 07:26:54PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > static int __init nf_nat_init(void) > > > diff --git a/net/netfilter/nfnetlink_queue.c > > >

Re: [PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

On Mon, May 14, 2018 at 07:26:54PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > static int __init nf_nat_init(void) > > diff --git a/net/netfilter/nfnetlink_queue.c > > b/net/netfilter/nfnetlink_queue.c > > index 74a04638ef03..28e4fae98f60 100644 > > ---

Re: [PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

Pablo Neira Ayuso wrote: > static int __init nf_nat_init(void) > diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c > index 74a04638ef03..28e4fae98f60 100644 > --- a/net/netfilter/nfnetlink_queue.c > +++ b/net/netfilter/nfnetlink_queue.c > @@

[PATCH nftlb 3/4] src: no need for relative path for #include

Make_global.am already add include directory via -I option. Signed-off-by: Pablo Neira Ayuso --- src/config.c | 4 ++-- src/main.c | 8 src/model.c | 6 +++--- src/nft.c| 6 +++--- src/server.c | 6 +++--- 5 files changed, 15 insertions(+), 15 deletions(-)

[PATCH nftlb 1/4] build: remove forward declarations, statify functions and add -Wmissing-prototypes

Remove all forward declarations, they are unnecessary and they are also missing the static keyword. Enable -Wmissing-prototypes to spot functions that should be declared static. Signed-off-by: Pablo Neira Ayuso --- Make_global.am | 1 + src/config.c | 355

[PATCH nftlb 2/4] build: do not autogenerate config.h

There is already a config.h in tree, it clashes with it. Signed-off-by: Pablo Neira Ayuso --- configure.ac | 2 -- 1 file changed, 2 deletions(-) diff --git a/configure.ac b/configure.ac index 03c7c91dd26c..fc7eef1dd95e 100644 --- a/configure.ac +++ b/configure.ac @@ -8,8

[PATCH nftlb 4/4] server: fix compilation warning

http://lists.schmorp.de/pipermail/libev/2010q1/000920.html The following warning should be calmed via -Wno-strict-aliasing: server.c: In function ‘server_init’: server.c:375:2: warning: dereferencing type-punned pointer will break strict-aliasing rules [-Wstrict-aliasing] ev_io_init(_accept,

[PATCH nf-next 2/3] netfilter: add struct nf_nat_hook and use it

Move decode_session() and parse_nat_setup_hook() indirections to struct nf_nat_hook structure. Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter.h| 22 -- include/net/netfilter/nf_nat_core.h | 27 +++

[PATCH nf-next 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

In nfqueue, two consecutive skbuffs may race to create the conntrack entry. Hence, the one that loses the race gets dropped due to clash in the insertion into the hashes from the nf_conntrack_confirm() path. This patch adds a new nf_conntrack_update() function which searches for possible clashes

[PATCH nf-next 1/3] netfilter: add struct nf_ct_hook and use it

Move the nf_ct_destroy indirection to the struct nf_ct_hook. Signed-off-by: Pablo Neira Ayuso --- I think it should be possible to place the ip_ct_attach indirection here too, this is being set to NULL before cleaning up the hashes on module removal to ensure no new ICMP

Re: [PATCH 06/14] net: sched: implement reference counted action release

Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote: [...] >+static int tcf_action_del_1(struct net *net, char *kind, u32 index, >+ struct netlink_ext_ack *extack) >+{ >+ const struct tc_action_ops *ops; >+ int err = -EINVAL; >+ >+ ops =

Re: [PATCH 03/14] net: sched: add 'delete' function to action ops

Mon, May 14, 2018 at 05:12:22PM CEST, j...@resnulli.us wrote: >Mon, May 14, 2018 at 04:27:04PM CEST, vla...@mellanox.com wrote: >>Extend action ops with 'delete' function. Each action type to implement its >>own delete function that doesn't depend on rtnl lock. >> >>Signed-off-by: Vlad Buslov

Re: [PATCH 06/14] net: sched: implement reference counted action release

Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote: >Implement helper function to delete action using new action ops delete >function implemented by each action for lockless execution. Reading this sentense for 4 times. I still don't understand what you say :( > >Implement action

Re: [PATCH 05/14] net: sched: always take reference to action

Mon, May 14, 2018 at 04:27:06PM CEST, vla...@mellanox.com wrote: >Without rtnl lock protection it is no longer safe to use pointer to tc >action without holding reference to it. (it can be destroyed concurrently) > >Remove unsafe action idr lookup function. Instead of it, implement safe tcf >idr

Re: [PATCH 04/14] net: sched: implement unlocked action init API

Mon, May 14, 2018 at 04:27:05PM CEST, vla...@mellanox.com wrote: >Add additional 'unlocked' argument to act API init functions. >Argument is true when rtnl lock is not taken and false otherwise. >It is required to implement actions that need to release rtnl lock before >loading kernel module and

Re: [PATCH 03/14] net: sched: add 'delete' function to action ops

Mon, May 14, 2018 at 04:27:04PM CEST, vla...@mellanox.com wrote: >Extend action ops with 'delete' function. Each action type to implement its >own delete function that doesn't depend on rtnl lock. > >Signed-off-by: Vlad Buslov >--- > include/net/act_api.h | 1 + > 1 file

Re: [PATCH 02/14] net: sched: change type of reference and bind counters

Mon, May 14, 2018 at 04:27:03PM CEST, vla...@mellanox.com wrote: >Change type of action reference counter to refcount_t. > >Change type of action bind counter to atomic_t. >This type is used to allow decrementing bind counter without testing >for 0 result. > >Signed-off-by: Vlad Buslov

Re: [PATCH 01/14] net: sched: use rcu for action cookie update

Mon, May 14, 2018 at 04:27:02PM CEST, vla...@mellanox.com wrote: >Implement functions to atomically update and free action cookie >using rcu mechanism. > >Signed-off-by: Vlad Buslov Signed-off-by: Jiri Pirko -- To unsubscribe from this list: send the line

[PATCH 00/14] Modify action API for implementing lockless actions

Currently, all netlink protocol handlers for updating rules, actions and qdiscs are protected with single global rtnl lock which removes any possibility for parallelism. This patch set is a first step to remove rtnl lock dependency from TC rules update path. It updates act API to use atomic

[PATCH 04/14] net: sched: implement unlocked action init API

Add additional 'unlocked' argument to act API init functions. Argument is true when rtnl lock is not taken and false otherwise. It is required to implement actions that need to release rtnl lock before loading kernel module and reacquire if afterwards. Signed-off-by: Vlad Buslov

[PATCH 02/14] net: sched: change type of reference and bind counters

Change type of action reference counter to refcount_t. Change type of action bind counter to atomic_t. This type is used to allow decrementing bind counter without testing for 0 result. Signed-off-by: Vlad Buslov --- include/net/act_api.h | 5 +++--

[PATCH 01/14] net: sched: use rcu for action cookie update

Implement functions to atomically update and free action cookie using rcu mechanism. Signed-off-by: Vlad Buslov --- include/net/act_api.h | 2 +- include/net/pkt_cls.h | 1 + net/sched/act_api.c | 44 ++-- 3 files changed, 32

[PATCH 09/14] net: sched: don't release reference on action overwrite

Return from action init function with reference to action taken, even when overwriting existing action. Action init API initializes its fourth argument (pointer to pointer to tc action) to either existing action with same index or newly created action. In case of existing index(and bind argument

[PATCH 06/14] net: sched: implement reference counted action release

Implement helper function to delete action using new action ops delete function implemented by each action for lockless execution. Implement action put function that releases reference to action and frees it if necessary. Refactor action deletion code to use new put function and not to rely on

[PATCH 07/14] net: sched: use reference counting action init

Change action API to assume that action init function always takes reference to action, even when overwriting existing action. This is necessary because action API continues to use action pointer after init function is done. At this point action becomes accessible for concurrent modifications so

[PATCH 10/14] net: sched: extend act API for lockless actions

Implement new action API function to atomically delete action with specified index and to atomically insert unique action. These functions are required to implement init and delete functions for specific actions that do not rely on rtnl lock. Signed-off-by: Vlad Buslov ---

[PATCH 03/14] net: sched: add 'delete' function to action ops

Extend action ops with 'delete' function. Each action type to implement its own delete function that doesn't depend on rtnl lock. Signed-off-by: Vlad Buslov --- include/net/act_api.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/net/act_api.h

[PATCH 05/14] net: sched: always take reference to action

Without rtnl lock protection it is no longer safe to use pointer to tc action without holding reference to it. (it can be destroyed concurrently) Remove unsafe action idr lookup function. Instead of it, implement safe tcf idr check function that atomically looks up action in idr and increments

[PATCH 08/14] net: sched: account for temporary action reference

tca_get_fill function has 'bind' and 'ref' arguments that get passed down to action dump function. These arguments values are subtracted from actual reference and bind counter values before writing them to skb. In order to prevent concurrent action delete, RTM_GETACTION handler acquires a

[PATCH 12/14] net: sched: retry action check-insert on concurrent modification

Retry check-insert sequence in action init functions if action with same index was inserted concurrently. Signed-off-by: Vlad Buslov --- net/sched/act_bpf.c| 8 +++- net/sched/act_connmark.c | 8 +++- net/sched/act_csum.c | 8 +++-

[PATCH 11/14] net: core: add new/replace rate estimator lock parameter

Extend rate estimator new and replace APIs with additional spinlock parameter used by lockless actions to protect rate_est pointer from concurrent modification. Signed-off-by: Vlad Buslov --- include/net/gen_stats.h| 2 ++ net/core/gen_estimator.c | 58

[PATCH 13/14] net: sched: use unique idr insert function in unlocked actions

Substitute calls to action insert function with calls to action insert unique function that warns if insertion overwrites index in idr. Signed-off-by: Vlad Buslov --- net/sched/act_bpf.c| 2 +- net/sched/act_connmark.c | 2 +- net/sched/act_csum.c | 2 +-

[PATCH 14/14] net: sched: implement delete for all actions

Implement delete function that is required to delete actions without holding rtnl lock. Use action API function that atomically deletes action only if it is still in action idr. This implementation prevents concurrent threads from deleting same action twice. Signed-off-by: Vlad Buslov

Image masking

We would like to introduce you our image editing services today: Our advantages: Clipping path, image cut out Shadow creation Photo masking Beauty retouching, skin retouching, face retouching . We also provide you testing on your photos. Please reply back if interested. Thanks, Jan -- To