Nftables does not work in OpenWrt?

2018-05-15 Thread Rosysong
Hi all, Using nftables to control the traffic flow on IP address has succeeded on my Linux PC; then I ported the same nft script into another Linux-like system called OpenWrt. Unfortunately, it failed. Is there any conflict between iptables and nftables? Or does it need some other

[PATCH nf-next] netfilter: make NF_OSF non-visible symbol

2018-05-15 Thread Fernando Fernandez Mancera
Signed-off-by: Fernando Fernandez Mancera --- net/netfilter/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index e57c9d479503..a5b60e6a983e 100644 --- a/net/netfilter/Kconfig +++
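Review bot: the commit message body is empty (the Signed-off-by follows the subject directly), so the one-line diffstat against net/netfilter/Kconfig is the only context; a sentence explaining why NF_OSF should become a non-visible symbol, and which option is expected to select it in its place, would help reviewers and later readers of the log.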

Re: [PATCH 00/14] Modify action API for implementing lockless actions

2018-05-15 Thread Vlad Buslov
On Tue 15 May 2018 at 18:25, Jamal Hadi Salim wrote: > On 14/05/18 04:46 PM, Vlad Buslov wrote: >> >> On Mon 14 May 2018 at 18:03, Jamal Hadi Salim wrote: >>> On 14/05/18 10:27 AM, Vlad Buslov wrote: > > >> Hello Jamal, >> >> I'm trying to run tdc, but

Re: [PATCH 00/14] Modify action API for implementing lockless actions

2018-05-15 Thread Jamal Hadi Salim
On 14/05/18 04:46 PM, Vlad Buslov wrote: On Mon 14 May 2018 at 18:03, Jamal Hadi Salim wrote: On 14/05/18 10:27 AM, Vlad Buslov wrote: Hello Jamal, I'm trying to run tdc, but keep getting following error even on clean branch without my patches: Vlad, not sure if you

Re: linux-next: build warning after merge of the netfilter-next tree

2018-05-15 Thread Florian Westphal
Geert Uytterhoeven wrote: > On Tue, May 8, 2018 at 9:17 AM, Florian Westphal wrote: > > Stephen Rothwell wrote: > >> On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell > >> wrote: > >> > > >> > After merging

[nft PATCH] nft.8: Document limitation of reject statement in bridge family

2018-05-15 Thread Phil Sutter
Bridge family allows reject statement in prerouting and input chains only. Users can't know without looking at kernel code. Signed-off-by: Phil Sutter --- doc/nft.xml | 4 1 file changed, 4 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index

Re: [PATCH 11/40] ipv6/flowlabel: simplify pid namespace lookup

2018-05-15 Thread Christoph Hellwig
On Sat, May 05, 2018 at 07:37:33AM -0500, Eric W. Biederman wrote: > Christoph Hellwig writes: > > > The whole seq_file sequence already operates under a single RCU lock pair, > > so move the pid namespace lookup into it, and stop grabbing a reference > > and remove all kinds of

Re: [PATCH 04/40] proc: introduce proc_create_seq{,_data}

2018-05-15 Thread Christoph Hellwig
On Mon, Apr 30, 2018 at 02:19:25PM +0100, David Howells wrote: > Christoph Hellwig wrote: > > > + > > +struct proc_dir_entry *proc_create_seq_data(const char *name, umode_t mode, > > + struct proc_dir_entry *parent, const struct seq_operations *ops, > > + void

Re: [PATCH 34/40] atm: simplify procfs code

2018-05-15 Thread Christoph Hellwig
On Sat, May 05, 2018 at 07:51:18AM -0500, Eric W. Biederman wrote: > Christoph Hellwig writes: > > > Use remove_proc_subtree to remove the whole subtree on cleanup, and > > unwind the registration loop into individual calls. Switch to use > > proc_create_seq where applicable. > >

Re: simplify procfs code for seq_file instances V2

2018-05-15 Thread Christoph Hellwig
On Sun, May 06, 2018 at 08:19:49PM +0300, Alexey Dobriyan wrote: > On Wed, Apr 25, 2018 at 05:47:47PM +0200, Christoph Hellwig wrote: > > Changes since V1: > > - open code proc_create_data to avoid setting not fully initialized > >entries live > > - use unsigned int for state_size > > Need

Re: [PATCH 06/40] proc: introduce proc_create_single{,_data}

2018-05-15 Thread Christoph Hellwig
On Thu, Apr 26, 2018 at 11:45:50AM +1000, Finn Thain wrote: > > > > -/* > > - * /proc/nubus stuff > > - */ > > - > > I don't think that the introduction of proc_create_single{,_data} alters > the value of that comment. That comment and similar comments in the same > file do have a purpose,

[PATCH nf 5/5] netfilter: nf_tables: add call validate callback.

2018-05-15 Thread Taehee Yoo
A validate callback is called just before calling a ->commit callback. If it fails, ->abort is called. Signed-off-by: Taehee Yoo --- net/netfilter/nfnetlink.c | 13 + 1 file changed, 13 insertions(+) diff --git a/net/netfilter/nfnetlink.c

[PATCH nf 4/5] netfilter: nf_tables: use chain info to validate type and hook.

2018-05-15 Thread Taehee Yoo
After this patch, nft_chain_validate_dependency and nft_chain_validate_hooks use the chain information array, so that these functions can validate both basechain and non-basechain. Now expr->ops->validate should be called in nf_tables_validate, because that uses chain information that is

[PATCH nf 3/5] netfilter: nf_tables: add type and hook validate routine

2018-05-15 Thread Taehee Yoo
This patch adds a validate callback to the nfnetlink_subsystem. It validates the type and hook of both basechain and non-basechain. To validate type and hook, it constructs a chain information array. Like the loop detection routine, the validator traverses each rule and set, then marks the type and hook value to the

[PATCH nf 2/5] netfilter: nf_tables: remove nft_af_info.

2018-05-15 Thread Taehee Yoo
The struct nft_af_info was removed. Signed-off-by: Taehee Yoo --- include/net/netns/nftables.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/net/netns/nftables.h b/include/net/netns/nftables.h index 4813435..29c3851 100644 --- a/include/net/netns/nftables.h
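Review bot: the message says only that struct nft_af_info was removed, not by which earlier change, so the two deleted lines in include/net/netns/nftables.h read as leftover cleanup without context; referencing the commit that removed struct nft_af_info (and stating that the dropped members are now unused) would make the dependency clear.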

[PATCH nf 0/5] netfilter: nf_tables: add validate non-basechain ruleset routine

2018-05-15 Thread Taehee Yoo
Non-basechain rulesets can't be validated, because only a basechain has the type and hooknum information. So the common validation functions (nft_chain_validate_hooks, nft_chain_validate_dependency) skip non-basechain rulesets, and a null-ptr exception can occur. Steps to reproduce: %nft

[PATCH nf 1/5] netfilter: nf_tables: use nft_ctx instead of nft_chain

2018-05-15 Thread Taehee Yoo
This patch prepares for the next patches. nft_chain_validate_hooks and nft_chain_validate_dependency are going to use both net and nft_chain. Signed-off-by: Taehee Yoo --- include/net/netfilter/nf_tables.h| 4 ++-- net/bridge/netfilter/nft_reject_bridge.c | 4 ++--

Re: [PATCH 07/14] net: sched: use reference counting action init

2018-05-15 Thread Jiri Pirko
Tue, May 15, 2018 at 01:41:45PM CEST, vla...@mellanox.com wrote: > >On Tue 15 May 2018 at 11:39, Jiri Pirko wrote: >> Tue, May 15, 2018 at 01:32:51PM CEST, vla...@mellanox.com wrote: >>> >>>On Tue 15 May 2018 at 11:24, Jiri Pirko wrote: Mon, May 14, 2018

Re: [PATCH 05/14] net: sched: always take reference to action

2018-05-15 Thread Vlad Buslov
On Tue 15 May 2018 at 08:58, Jiri Pirko wrote: > Mon, May 14, 2018 at 08:49:07PM CEST, vla...@mellanox.com wrote: >> >>On Mon 14 May 2018 at 16:23, Jiri Pirko wrote: >>> Mon, May 14, 2018 at 04:27:06PM CEST, vla...@mellanox.com wrote: Without rtnl lock

Re: [PATCH 07/14] net: sched: use reference counting action init

2018-05-15 Thread Jiri Pirko
Tue, May 15, 2018 at 01:32:51PM CEST, vla...@mellanox.com wrote: > >On Tue 15 May 2018 at 11:24, Jiri Pirko wrote: >> Mon, May 14, 2018 at 04:27:08PM CEST, vla...@mellanox.com wrote: >>>Change action API to assume that action init function always takes >>>reference to action,

Re: [PATCH 07/14] net: sched: use reference counting action init

2018-05-15 Thread Jiri Pirko
Mon, May 14, 2018 at 04:27:08PM CEST, vla...@mellanox.com wrote: >Change action API to assume that action init function always takes >reference to action, even when overwriting existing action. This is >necessary because action API continues to use action pointer after init >function is done. At

Re: linux-next: build warning after merge of the netfilter-next tree

2018-05-15 Thread Geert Uytterhoeven
Hi Florian, On Tue, May 8, 2018 at 9:17 AM, Florian Westphal wrote: > Stephen Rothwell wrote: >> On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell >> wrote: >> > >> > After merging the netfilter-next tree, today's linux-next build

[PATCH nf-next,v2 1/3] netfilter: add struct nf_ct_hook and use it

2018-05-15 Thread Pablo Neira Ayuso
Move the nf_ct_destroy indirection to the struct nf_ct_hook. Signed-off-by: Pablo Neira Ayuso --- v2: Place struct nf_ct_hook declaration after forward declaration of struct nf_conn and enum ip_conntrack_info, as this will avoid compilation problems once the new update

[PATCH nf-next,v2 2/3] netfilter: add struct nf_nat_hook and use it

2018-05-15 Thread Pablo Neira Ayuso
Move decode_session() and parse_nat_setup_hook() indirections to struct nf_nat_hook structure. Signed-off-by: Pablo Neira Ayuso --- v2: place __rcu before nf_nat_hook in its definition to calm down a sparse warning; it seems sparse is sensitive to the position where we

[PATCH nf-next,v2 3/3] netfilter: nfnetlink_queue: resolve clash for unconfirmed conntracks

2018-05-15 Thread Pablo Neira Ayuso
In nfqueue, two consecutive skbuffs may race to create the conntrack entry. Hence, the one that loses the race gets dropped due to clash in the insertion into the hashes from the nf_conntrack_confirm() path. This patch adds a new nf_conntrack_update() function which searches for possible clashes

Re: [nft PATCH] libnftables: Move scanner object into struct nft_ctx

2018-05-15 Thread Pablo Neira Ayuso
On Tue, May 15, 2018 at 11:37:56AM +0200, Phil Sutter wrote: > The initial approach of keeping as much of lex/yacc-specific data > local to the relevant parsing routines was flawed in that input > descriptors which parsed commands' location information points at were > freed after parsing (in

[nft PATCH] libnftables: Move scanner object into struct nft_ctx

2018-05-15 Thread Phil Sutter
The initial approach of keeping as much of lex/yacc-specific data local to the relevant parsing routines was flawed in that input descriptors which parsed commands' location information points at were freed after parsing (in scanner_destroy()) although they were required later for error reporting

Re: [PATCH 06/14] net: sched: implement reference counted action release

2018-05-15 Thread Vlad Buslov
On Tue 15 May 2018 at 09:03, Jiri Pirko wrote: > Mon, May 14, 2018 at 09:07:06PM CEST, vla...@mellanox.com wrote: >> >>On Mon 14 May 2018 at 16:47, Jiri Pirko wrote: >>> Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote: >>> >>> [...] >>> >>>

Re: [PATCH 06/14] net: sched: implement reference counted action release

2018-05-15 Thread Jiri Pirko
Mon, May 14, 2018 at 09:07:06PM CEST, vla...@mellanox.com wrote: > >On Mon 14 May 2018 at 16:47, Jiri Pirko wrote: >> Mon, May 14, 2018 at 04:27:07PM CEST, vla...@mellanox.com wrote: >> >> [...] >> >> >>>+static int tcf_action_del_1(struct net *net, char *kind, u32 index, >>>+

Re: [PATCH 05/14] net: sched: always take reference to action

2018-05-15 Thread Jiri Pirko
Mon, May 14, 2018 at 08:49:07PM CEST, vla...@mellanox.com wrote: > >On Mon 14 May 2018 at 16:23, Jiri Pirko wrote: >> Mon, May 14, 2018 at 04:27:06PM CEST, vla...@mellanox.com wrote: >>>Without rtnl lock protection it is no longer safe to use pointer to tc >>>action without

Re: [PATCH 00/14] Modify action API for implementing lockless actions

2018-05-15 Thread Jiri Pirko
Mon, May 14, 2018 at 08:03:20PM CEST, j...@mojatatu.com wrote: >On 14/05/18 10:27 AM, Vlad Buslov wrote: >> Currently, all netlink protocol handlers for updating rules, actions and >> qdiscs are protected with single global rtnl lock which removes any >> possibility for parallelism. This patch set