Re: [PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

2018-08-01 Thread Harsha Sharma
Hello, On Thu, Aug 2, 2018 at 9:28 AM, Harsha Sharma wrote: > This patch allows to add, list and delete connection tracking timeout > policies via nft objref infrastructure and assigning these timeout > via nft rule. > > %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp > > Ruleset: > >

[PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

2018-08-01 Thread Harsha Sharma
This patch allows to add, list and delete connection tracking timeout policies via nft objref infrastructure and assigning these timeout via nft rule. %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp Ruleset: table ip raw { ct timeout cttime { protocol tcp established

[PATCH nf-next v3 2/2] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack

2018-08-01 Thread Harsha Sharma
As ctnl_untimeout is required by nft_ct, move ctnl_timeout from nfnetlink_cttimeout to nf_conntrack_timeout and rename as nf_ct_timeout. Signed-off-by: Harsha Sharma --- Changes in v3: - Add static inline definition for nf_ct_untimeout when CONFIG_NF_CONNTRACK_TIMEOUT is not defined

[PATCH nf-next v3 1/2] netfilter: Kconfig: Make NF_CT_NETLINK_TIMEOUT depend on NF_CONNTRACK_TIMEOUT

2018-08-01 Thread Harsha Sharma
With this, remove ifdef for NF_CONNTRACK_CTTIMEOUT in nfnetlink_cttimeout. This is also required for moving ctnl_untimeout from nfnetlink_cttimeout to nf_conntrack_timeout. Signed-off-by: Harsha Sharma --- Changes in v3: - No changes Changes in v2: - No changes net/netfilter/Kconfig

Re: [iptables PATCH] nft: don't print rule counters unless verbose

2018-08-01 Thread Florian Westphal
Eric Garver wrote: > Currently rule counters are always printed, but that's not the desired > behavior. We should only print them with the verbose flag. This broke > when the arguments of nft_rule_print_save() were changed to accept the > format instead of a counters flag. Applied, thanks. This

[iptables PATCH] nft: don't print rule counters unless verbose

2018-08-01 Thread Eric Garver
Currently rule counters are always printed, but that's not the desired behavior. We should only print them with the verbose flag. This broke when the arguments of nft_rule_print_save() were changed to accept the format instead of a counters flag. Fixes: cdc78b1d6bd7 ("nft: convert rule into a

Re: [PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

2018-08-01 Thread kbuild test robot
Hi Harsha, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180802-001147 base:

Re: [PATCH nft 0/5] doc: Wrap extra long lines to 80 chars

2018-08-01 Thread Florian Westphal
Máté Eckl wrote: > Too long lines may cause error when sending a patch with git send-email. > fatal: patch.patch:287: patch contains a line longer than 998 > characters > > This series wraps long lines to 80 characters. All applied, thank you.

[PATCH v3 nft] Expose socket mark via socket expression

2018-08-01 Thread Máté Eckl
It can be used like ct mark or meta mark except it cannot be set. doc and tests are included. Signed-off-by: Máté Eckl --- v2: - doc: remove 0 retval when there's no match v3: - Convert doc to asciidoc doc/primary-expression.txt | 17 +

[PATCH v2 nft] doc: Add tproxy statement to man page

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- v2: convert to asciidoc doc/statements.txt | 58 ++ 1 file changed, 58 insertions(+) diff --git a/doc/statements.txt b/doc/statements.txt index bcf3cc2..38d9982 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@

Re: [iptables PATCH 14/23] ebtables: Fix segfault when parsing a rule

2018-08-01 Thread Pablo Neira Ayuso
On Wed, Aug 01, 2018 at 06:22:46PM +0200, Phil Sutter wrote: > On Fri, Jul 27, 2018 at 01:29:07PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Jul 27, 2018 at 12:53:22PM +0200, Phil Sutter wrote: > > > Hi, > > > > > > On Fri, Jul 27, 2018 at 11:45:16AM +0200, Pablo Neira Ayuso wrote: > > > > On

Re: [iptables PATCH 13/23] ebtables: Fix loading of non-standard targets

2018-08-01 Thread Pablo Neira Ayuso
On Wed, Aug 01, 2018 at 06:17:09PM +0200, Phil Sutter wrote: > Hi Pablo, > > On Fri, Jul 27, 2018 at 01:43:09PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Jul 27, 2018 at 12:22:32AM +0200, Phil Sutter wrote: > > > Another fix for ebtables-restore: When encountering a non-standard > > > target,

[PATCH nft 5/5] doc: statements.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/statements.txt | 108 ++--- 1 file changed, 83 insertions(+), 25 deletions(-) diff --git a/doc/statements.txt b/doc/statements.txt index 499b573..bcf3cc2 100644 --- a/doc/statements.txt +++ b/doc/statements.txt @@ -11,9

Re: [PATCH nft] doc: nft.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
On Wed, Aug 01, 2018 at 04:17:04PM +0200, Florian Westphal wrote: > Máté Eckl wrote: > > When I tried to send a patch that included man page update I got the > > following error from git send-email: > > fatal: patch.patch:287: patch contains a line longer than 998 characters > > Line 287 was

[PATCH nft 0/5] doc: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Too long lines may cause error when sending a patch with git send-email. fatal: patch.patch:287: patch contains a line longer than 998 characters This series wraps long lines to 80 characters. Máté Eckl (5): doc: data-types.txt: Wrap extra long lines to 80 chars doc:

[PATCH nft 1/5] doc: data-types.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/data-types.txt | 29 ++--- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/doc/data-types.txt b/doc/data-types.txt index 1d4218e..57aa3a4 100644 --- a/doc/data-types.txt +++ b/doc/data-types.txt @@ -9,7 +9,9 @@ variable | -

[PATCH nft 4/5] doc: stateful-objects.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/stateful-objects.txt | 9 +++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/stateful-objects.txt b/doc/stateful-objects.txt index 9d99264..57bf627 100644 --- a/doc/stateful-objects.txt +++ b/doc/stateful-objects.txt @@ -3,7 +3,11 @@ CT

[PATCH nft 3/5] doc: primary-expression.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/primary-expression.txt | 16 +--- 1 file changed, 13 insertions(+), 3 deletions(-) diff --git a/doc/primary-expression.txt b/doc/primary-expression.txt index 162f32f..50093b4 100644 --- a/doc/primary-expression.txt +++ b/doc/primary-expression.txt @@

[PATCH nft 2/5] doc: payload-expression.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
Signed-off-by: Máté Eckl --- doc/payload-expression.txt | 24 +--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/doc/payload-expression.txt b/doc/payload-expression.txt index d454c95..3f47b4e 100644 --- a/doc/payload-expression.txt +++

Re: [PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

2018-08-01 Thread kbuild test robot
Hi Harsha, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/Harsha-Sharma/netfilter-nft_ct-add-ct-timeout-support/20180802-001147 base:

Re: [PATCH v4 nft] Set/print standard chain prios with textual names

2018-08-01 Thread Máté Eckl
On Sat, Jul 28, 2018 at 12:14:57PM +0200, Pablo Neira Ayuso wrote: > On Fri, Jul 27, 2018 at 04:21:46PM +0200, Máté Eckl wrote: > > On Mon, Jul 16, 2018 at 09:58:44AM +0200, Máté Eckl wrote: > > > On Tue, Jul 10, 2018 at 12:10:22PM +0200, Pablo Neira Ayuso wrote: > > > > > diff --git

Re: [iptables PATCH 14/23] ebtables: Fix segfault when parsing a rule

2018-08-01 Thread Phil Sutter
On Fri, Jul 27, 2018 at 01:29:07PM +0200, Pablo Neira Ayuso wrote: > On Fri, Jul 27, 2018 at 12:53:22PM +0200, Phil Sutter wrote: > > Hi, > > > > On Fri, Jul 27, 2018 at 11:45:16AM +0200, Pablo Neira Ayuso wrote: > > > On Fri, Jul 27, 2018 at 12:22:33AM +0200, Phil Sutter wrote: > > > > This

Re: [iptables PATCH 13/23] ebtables: Fix loading of non-standard targets

2018-08-01 Thread Phil Sutter
Hi Pablo, On Fri, Jul 27, 2018 at 01:43:09PM +0200, Pablo Neira Ayuso wrote: > On Fri, Jul 27, 2018 at 12:22:32AM +0200, Phil Sutter wrote: > > Another fix for ebtables-restore: When encountering a non-standard > > target, command_jump() tries to load it and may retrieve an already > > loaded one

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-01 Thread Georgi Nikolov
*Georgi Nikolov* System Administrator www.icdsoft.com On 08/01/2018 11:33 AM, Michal Hocko wrote: > On Wed 01-08-18 09:34:23, Vlastimil Babka wrote: >> On 07/31/2018 04:05 PM, Florian Westphal wrote: >>> Georgi Nikolov wrote: > No, I think that's rather for the

Re: [PATCH nft] doc: nft.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Florian Westphal
Máté Eckl wrote: > When I tried to send a patch that included man page update I got the > following error from git send-email: > fatal: patch.patch:287: patch contains a line longer than 998 characters > Line 287 was a non-modified line so it was there before my patch. Applied, thanks for

[PATCH nft] doc: nft.txt: Wrap extra long lines to 80 chars

2018-08-01 Thread Máté Eckl
When I tried to send a patch that included man page update I got the following error from git send-email: fatal: patch.patch:287: patch contains a line longer than 998 characters Line 287 was a non-modified line so it was there before my patch. Even this patch can only be sent with mutt

[PATCH nf] netfilter: nf_tables: don't prevent event handler from device cleanup on netns exit

2018-08-01 Thread Florian Westphal
When a net namespace exits, the nf_tables core pernet_ops will remove all rules. However, there is one caveat: base chains that register with the ingress hook facility will cause use-after-free as device is already gone. The device event handlers prevented this from happening, as netns exit

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-01 Thread Michal Hocko
On Wed 01-08-18 09:34:23, Vlastimil Babka wrote: > On 07/31/2018 04:05 PM, Florian Westphal wrote: > > Georgi Nikolov wrote: > >>> No, I think that's rather for the netfilter folks to decide. However, it > >>> seems there has been the debate already [1] and it was not found. The > >>> conclusion

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-01 Thread Vlastimil Babka
On 07/31/2018 04:05 PM, Florian Westphal wrote: > Georgi Nikolov wrote: >>> No, I think that's rather for the netfilter folks to decide. However, it >>> seems there has been the debate already [1] and it was not found. The >>> conclusion was that __GFP_NORETRY worked fine before, so it should

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

2018-08-01 Thread Vlastimil Babka
On 07/31/2018 04:25 PM, Georgi Nikolov wrote: > On 07/31/2018 05:05 PM, Florian Westphal wrote: >> Georgi Nikolov wrote: No, I think that's rather for the netfilter folks to decide. However, it seems there has been the debate already [1] and it was not found. The conclusion was