Re: [PATCH nf] netfilter: never get/set skb->tstamp

2019-04-16 Thread Eric Dumazet
On Tue, Apr 16, 2019 at 5:16 PM Florian Westphal wrote: > > setting net.netfilter.nf_conntrack_timestamp=1 breaks xmit with fq > scheduler. skb->tstamp might be "refreshed" using ktime_get_real(), > but fq expects CLOCK_MONOTONIC. > > This patch removes all places in netfilter that check/set skb-

Re: [PATCH net-next 04/10] net: ipv6: split skbuff into fragments transformer

2019-04-16 Thread David Miller
From: Pablo Neira Ayuso Date: Mon, 15 Apr 2019 23:36:05 +0200 > The API consists of: > > * ip6_frag_init(), that initializes the internal state of the transformer. > * ip6_frag_next(), that allows you to fetch the next fragment. This function > internally allocates the skbuff that represents t

[PATCH nf] netfilter: never get/set skb->tstamp

2019-04-16 Thread Florian Westphal
setting net.netfilter.nf_conntrack_timestamp=1 breaks xmit with fq scheduler. skb->tstamp might be "refreshed" using ktime_get_real(), but fq expects CLOCK_MONOTONIC. This patch removes all places in netfilter that check/set skb->tstamp: 1. To fix the bogus "start" time seen with conntrack times

Re: [PATCH net-next 08/10] netfilter: bridge: add support for conntrack support

2019-04-16 Thread Nikolay Aleksandrov
On 16/04/2019 00:36, Pablo Neira Ayuso wrote: > This patch adds basic connection tracking support for the bridge, > including initial IPv4 support. > > This patch registers two hooks to deal with the bridge forwarding path, > one at bridge prerouting to call nf_conntrack_in() and another at the > b

Re: ESTABLISHED tcp conntrack timeout

2019-04-16 Thread Naruto Nguyen
Hi Pablo, Thanks very much for your reply. I will describe the test later. Could you please let me know more clearly in case the TCP_CONNTRACK_UNACK is set if IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED is set? Does it indicate some UNACK packets due to network congestion, but eventually the ACK is sent, s

Re: ulogd2 question - meaning of flow.start.sec when hash_mode == 0 (NFCT input, JSON output)

2019-04-16 Thread Michal Soltys
On 4/16/19 12:46 PM, Michal Soltys wrote: > When using hash_mode == 0 with default event_mask, it looks like > destruction entry has uninitialized (or having some specific meaning) > flow.start.sec and flow.start.usec - as the former converts to early 1970. > > Peeking at the code in event_handl

ulogd2 question - meaning of flow.start.sec when hash_mode == 0 (NFCT input, JSON output)

2019-04-16 Thread Michal Soltys
When using hash_mode == 0 with default event_mask, it looks like destruction entry has uninitialized (or having some specific meaning) flow.start.sec and flow.start.usec - as the former converts to early 1970. Peeking at the code in event_handler_no_hashtable() it looks like it should be set c

Re: [PATCH] [NETFILTER]: nf_conntrack_h323: fix spelling mistake "authenticaton" -> "authentication"

2019-04-16 Thread Colin Ian King
On 16/04/2019 10:12, Florian Westphal wrote: > On 4/15/2019 5:14 PM, Colin King wrote: >>> diff --git a/net/netfilter/nf_conntrack_h323_types.c >>> b/net/netfilter/nf_conntrack_h323_types.c >>> index d880f3523c1d..95a0b3d6b24d 100644 >>> --- a/net/netfilter/nf_conntrack_h323_types.c >>> +++ b/net/

Re: [PATCH] [NETFILTER]: nf_conntrack_h323: fix spelling mistake "authenticaton" -> "authentication"

2019-04-16 Thread Florian Westphal
On 4/15/2019 5:14 PM, Colin King wrote: > > diff --git a/net/netfilter/nf_conntrack_h323_types.c > > b/net/netfilter/nf_conntrack_h323_types.c > > index d880f3523c1d..95a0b3d6b24d 100644 > > --- a/net/netfilter/nf_conntrack_h323_types.c > > +++ b/net/netfilter/nf_conntrack_h323_types.c > > @@ -110