On Mon, May 14, 2018 at 7:27 AM, Vlad Buslov wrote:
> Currently, all netlink protocol handlers for updating rules, actions and
> qdiscs are protected with single global rtnl lock which removes any
> possibility for parallelism. This patch set is a first step to remove
> rtnl

synchronize_rcu() is expensive.
The commit phase currently enforces an unconditional
synchronize_rcu() after incrementing the generation counter.
This is to make sure that a packet always sees a consistent chain, either
nft_do_chain is still using old generation (it will skip the newly added

commit phase is slow as it can invoke synchronize_rcu twice (depending
on the batch).
Remove the unconditional synchronize_rcu() by storing rcu-protected
array of the active rules.
After this, nft_do_chain always gets a consistent snapshot and no longer
needs to examine the rule struct to decide

->commit() cannot fail at the moment.
Followup-patch adds kmalloc calls in the commit phase, so we'll need
to be able to handle errors.
Make it so that -EAGAIN causes a full replay, and make other errors
cause the transaction to fail.
Failing is ok from a consistency point of view as long as we

Add support for FTP commands with extended format (RFC 2428):
- FTP EPRT: IPv4 and IPv6, active mode, similar to PORT
- FTP EPSV: IPv4 and IPv6, passive mode, similar to PASV.
EPSV response usually contains only port but we allow real
server to provide different address
We restrict control and

Prepare NFCT to support IPv6 for FTP:
- Do not restrict the expectation callback to PF_INET
- Split the debug messages, so that the 160-byte limitation
in IP_VS_DBG_BUF is not exceeded when printing many IPv6
addresses. This means no more than 3 addresses in one message,
i.e. 1 tuple with 2

The patchset includes two changes to support IPv6 in ip_vs_ftp.
The first patch allows IPv6 addresses in ip_vs_nfct.c debugging
and removes the AF_INET restriction for netfilter expectations.
The second patch changes ip_vs_ftp.c to support EPRT and EPSV
commands with extended format (RFC 2428)

ip_vs_ftp requires conntrack modules for mangling
of FTP command responses in passive mode.
Make sure the conntrack hooks are registered when
real servers use NAT method in FTP virtual service.
The hooks will be registered while the service is
present.
Fixes: 0c66dc1ea3f0 ("netfilter: conntrack:

Hi all,
Today's linux-next merge of the netfilter-next tree got a conflict in:
net/netfilter/core.c
between commit:
25fd386e0bc065849 ("netfilter: core: add missing __rcu annotation")
from the netfilter tree and commit:
2c205dd3981f79cef ("netfilter: add struct nf_nat_hook and use it")

No need to have those available as extra modules; make it
part of nat core and nat_ipv4/ip6, respectively.
kconfig options are turned into implicit dependencies.
No changes vs. v1 except a rebase on nf-next.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the

Instead of using extra modules for these, turn the config options into
an implicit dependency that adds masq feature to the protocol specific nf_nat
module.
before:
   text    data     bss     dec     hex filename
   2001     860       4    2865     b31

Similar to previous patch, this time, merge redirect+nat.
The redirect module is just 2k in size, get rid of it and make
redirect part available from the nat core.
before:
   text    data     bss     dec     hex filename
  19461    1484    4138   25083    61fb net/netfilter/nf_nat.ko
1236

On Wed, May 23, 2018 at 12:58 PM, kbuild test robot wrote:
> From: kbuild test robot
>
> net/netfilter/nft_numgen.c:117:1-3: WARNING: PTR_ERR_OR_ZERO can be used
>
>
> Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR
>
> Generated by:

On Wed, May 23, 2018 at 12:53 PM, kbuild test robot wrote:
> From: kbuild test robot
>
> net/netfilter/nft_hash.c:180:1-3: WARNING: PTR_ERR_OR_ZERO can be used
> net/netfilter/nft_hash.c:223:1-3: WARNING: PTR_ERR_OR_ZERO can be used
>
>
> Use
14 matches