Re: [PATCH 00/14] Modify action API for implementing lockless actions

2018-05-24 Thread Cong Wang
On Mon, May 14, 2018 at 7:27 AM, Vlad Buslov wrote: > Currently, all netlink protocol handlers for updating rules, actions and > qdiscs are protected with single global rtnl lock which removes any > possibility for parallelism. This patch set is a first step to remove > rtnl

[PATCH nf-next 2/2] netfilter: nf_tables: remove synchronize_rcu in commit phase

2018-05-24 Thread Florian Westphal
synchronize_rcu() is expensive. The commit phase currently enforces an unconditional synchronize_rcu() after incrementing the generation counter. This is to make sure that a packet always sees a consistent chain, either nft_do_chain is still using old generation (it will skip the newly added

[PATCH nf-next 0/2] netfilter: nf_tables: speed up commit phase

2018-05-24 Thread Florian Westphal
commit phase is slow as it can invoke synchronize_rcu twice (depending on the batch). Remove the unconditional synchronize_rcu() by storing rcu-protected array of the active rules. After this, nft_do_chain always gets a consistent snapshot and no longer needs to examine the rule struct to decide

[PATCH nf-next 1/2] netfilter: nfnetlink: allow commit to fail

2018-05-24 Thread Florian Westphal
->commit() cannot fail at the moment. Followup-patch adds kmalloc calls in the commit phase, so we'll need to be able to handle errors. Make it so that -EAGAIN causes a full replay, and make other errors cause the transaction to fail. Failing is ok from a consistency point of view as long as we

[PATCH net-next 2/2] ipvs: add ipv6 support to ftp

2018-05-24 Thread Julian Anastasov
Add support for FTP commands with extended format (RFC 2428): - FTP EPRT: IPv4 and IPv6, active mode, similar to PORT - FTP EPSV: IPv4 and IPv6, passive mode, similar to PASV. EPSV response usually contains only port but we allow real server to provide different address. We restrict control and

[PATCH net-next 1/2] ipvs: add full ipv6 support to nfct

2018-05-24 Thread Julian Anastasov
Prepare NFCT to support IPv6 for FTP: - Do not restrict the expectation callback to PF_INET - Split the debug messages, so that the 160-byte limitation in IP_VS_DBG_BUF is not exceeded when printing many IPv6 addresses. This means no more than 3 addresses in one message, i.e. 1 tuple with 2

[PATCH net-next 0/2] Add IPv6 support to IPVS FTP-NAT

2018-05-24 Thread Julian Anastasov
The patchset includes two changes to support IPv6 in ip_vs_ftp. The first patch allows IPv6 addresses in ip_vs_nfct.c debugging and removes the AF_INET restriction for netfilter expectations. The second patch changes ip_vs_ftp.c to support EPRT and EPSV commands with extended format (RFC 2428)

[PATCH net] ipvs: register conntrack hooks for ftp

2018-05-24 Thread Julian Anastasov
ip_vs_ftp requires conntrack modules for mangling of FTP command responses in passive mode. Make sure the conntrack hooks are registered when real servers use NAT method in FTP virtual service. The hooks will be registered while the service is present. Fixes: 0c66dc1ea3f0 ("netfilter: conntrack:

linux-next: manual merge of the netfilter-next tree with the netfilter tree

2018-05-24 Thread Mark Brown
Hi all, Today's linux-next merge of the netfilter-next tree got a conflict in: net/netfilter/core.c between commit: 25fd386e0bc065849 ("netfilter: core: add missing __rcu annotation") from the netfilter tree and commit: 2c205dd3981f79cef ("netfilter: add struct nf_nat_hook and use it")

[PATCH v2 nf-next 0/2] netfilter: nat: remove masq/redirect modules

2018-05-24 Thread Florian Westphal
No need to have those available as extra modules; make it part of nat core and nat_ipv4/ip6, respectively. kconfig options are turned into implicit dependencies. No changes vs. v1 except a rebase on nf-next.

[PATCH v2 nf-next 1/2] netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module

2018-05-24 Thread Florian Westphal
Instead of using extra modules for these, turn the config options into an implicit dependency that adds masq feature to the protocol specific nf_nat module. before: text data bss dec hex filename 2001 860 4 2865 b31

[PATCH v2 nf-next 2/2] netfilter: nat: merge nf_nat_redirect into nf_nat

2018-05-24 Thread Florian Westphal
Similar to previous patch, this time, merge redirect+nat. The redirect module is just 2k in size, get rid of it and make redirect part available from the nat core. before: text data bss dec hex filename 19461 1484 4138 25083 61fb net/netfilter/nf_nat.ko 1236

Re: [PATCH] netfilter: nft_numgen: fix ptr_ret.cocci warnings

2018-05-24 Thread Laura Garcia
On Wed, May 23, 2018 at 12:58 PM, kbuild test robot wrote: > From: kbuild test robot > > net/netfilter/nft_numgen.c:117:1-3: WARNING: PTR_ERR_OR_ZERO can be used > > > Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR > > Generated by:

Re: [PATCH] netfilter: nft_hash: fix ptr_ret.cocci warnings

2018-05-24 Thread Laura Garcia
On Wed, May 23, 2018 at 12:53 PM, kbuild test robot wrote: > From: kbuild test robot > > net/netfilter/nft_hash.c:180:1-3: WARNING: PTR_ERR_OR_ZERO can be used > net/netfilter/nft_hash.c:223:1-3: WARNING: PTR_ERR_OR_ZERO can be used > > > Use