Re: url filtering with netfiler

2018-08-21 Thread Oleg
On Tue, Aug 21, 2018 at 11:46:58AM +0200, Pablo Neira Ayuso wrote: > On Sat, Aug 11, 2018 at 10:54:21PM +0300, Oleg wrote: > > What mechanisms for example? > > See Performance in > https://netfilter.org/projects/libnetfilter_queue/doxygen/html/ Performance already read,

Re: url filtering with netfiler

2018-08-11 Thread Oleg
's unlikely we'll see this infra > again in place. Moreover, there's already a number of mechanism in > place for nfq that were providing similar numbers. What mechanisms for example? -- Олег Неманов (Oleg Nemanov)

Re: url filtering with netfiler

2018-08-10 Thread Oleg
On Fri, Aug 10, 2018 at 02:01:25PM +0200, Pablo Neira Ayuso wrote: > On Thu, Aug 02, 2018 at 10:44:14PM +0300, Oleg wrote: > > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: > > IMHO, this can be easier implemented with help of userspace. > > This can be nfq-ba

Re: url filtering with netfiler

2018-08-07 Thread Oleg
he kernel to decrypt HTTPS, so > software-based ssl offload in the kernel is coming. In this case, it will be useful only for end hosts(client or server) not for intermediate routers. What is the useful scenario for such filtering on the end host? -- Олег Неманов (Oleg Nemanov)

Re: url filtering with netfiler

2018-08-03 Thread Oleg
On Fri, Aug 03, 2018 at 01:21:05AM +0430, Saber Rezvani wrote: > On 08/03/2018 12:14 AM, Oleg wrote: > > On Thu, Aug 02, 2018 at 06:44:26PM +0430, Saber Rezvani wrote: > >> Dear all, > >> > >> > >> Some of my friends and I have decided to work on Linux

Re: url filtering with netfiler

2018-08-02 Thread Oleg
> accept this feature? You know we want to have a contribution for the > community. Do you think this feature will be useful now? For example, filtering uri in https isn't possible and http using is decreasing now. -- Олег Неманов (Oleg Nemanov)

libnetfilter_queue 1.0.3 docs

2017-08-27 Thread Oleg
Hi, all. Maybe somebody knows where I can find API docs or a tutorial for the 1.0.3 version (something like the existing doxygen docs for the 1.0.2 version, maybe)? Thanks. -- Олег Неманов (Oleg Nemanov)

Re: libnetfilter_queue & multithreading & 1 queue freezing

2017-08-27 Thread Oleg
On Sat, Aug 26, 2017 at 09:26:25PM +0200, Florian Westphal wrote: > Oleg wrote: > > Hi, all. > > > > My program process multiple NFQUEUEs by creating a separate thread > > for every NFQUEUE. An each thread do recv() and nfq_set_verdict2(): > > > > Bu

libnetfilter_queue 1.0.3

2017-08-27 Thread Oleg
Hi, all. Men, you forgot to create a tag for d7f74c77d0d857855aec44e3d1f5fa75fbe62bef commit. -- Олег Неманов (Oleg Nemanov)

Re: NFQUEUE --queue-balance

2017-08-27 Thread Oleg
On Sat, Aug 26, 2017 at 09:24:21PM +0200, Florian Westphal wrote: > Oleg wrote: > > Hi, all. > > > > --queue-balance balance packets according to connection tracking, > > iiuc. Consequently queue utilization is not equal. E.g.: > > It hashes based on ip addres

NFQUEUE --queue-balance

2017-08-26 Thread Oleg
1947329 2 65531 0 0 46165759 1 4 19476 4 2 6553160 0 113848636 1 5 1947956 2 6553177 0 148584270 1 Is there queue balancer without this feature(simple round-robin)? Thanks! -- Олег Неманов (Oleg Nemanov)

libnetfilter_queue & multithreading & 1 queue freezing

2017-08-26 Thread Oleg
"%u: RECV ERR: %s", thread_idx, strerror(errno)); } while (errno == EWOULDBLOCK); then i get every 2 seconds the next message: 0: RECV ERR: Resource temporarily unavailable for case when thread with id = 0 freeze on recvfrom(). How can i resolve this problem? Thanks! -- Олег Неманов

libnetfilter_queue & nfq_errno

2017-08-03 Thread Oleg
Hi, all. Why do we use nfq_errno instead of errno? And if we really need nfq_errno, why this variable is not thread-local? Thanks! -- Олег Неманов (Oleg Nemanov)

libnetfilter_queue new versions

2017-08-03 Thread Oleg
Hi, all. Why do we still have no new versions of libnetfilter_queue after 1.0.2? 1.0.2 is very old and master branch has many critical improvements. Thanks! -- Олег Неманов (Oleg Nemanov)

libnetfilter_queue & "dropping packets"

2017-07-27 Thread Oleg
Неманов (Oleg Nemanov) -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

Re: libnetfilter_queue & multithreading

2017-07-24 Thread Oleg
On Mon, Jul 24, 2017 at 11:44:51AM +0200, Florian Westphal wrote: > Oleg wrote: > > On Sat, Jul 22, 2017 at 06:38:55PM +0200, Florian Westphal wrote: > > > Oleg wrote: > > > > static void* > > > > thread_start(void *data) > > > > { > >

Re: libnetfilter_queue & multithreading

2017-07-24 Thread Oleg
On Sat, Jul 22, 2017 at 06:38:55PM +0200, Florian Westphal wrote: > Oleg wrote: > > static void* > > thread_start(void *data) > > { > > struct nfq_handle *h; > > int fd, n; > > static char *pkt_buf; > > static? Looks buggy..

libnetfilter_queue & multithreading

2017-07-22 Thread Oleg
", nfq_num); exit(EXIT_FAILURE); } return h; } Since every thread do nfq_open(), has a separate descriptor and etc, i think i don't need a lock around recv() and nfq_set_verdict2(). Am i right? Thanks! -- Олег Неманов (Oleg Nemanov)

Re: [PATCH RFC 02/26] task_work: Replace spin_unlock_wait() with lock/unlock pair

2017-06-30 Thread Oleg Nesterov
On 06/30, Paul E. McKenney wrote: > > On Fri, Jun 30, 2017 at 05:20:10PM +0200, Oleg Nesterov wrote: > > > > I do not think the overhead will be noticeable in this particular case. > > > > But I am not sure I understand why do we wa

Re: [PATCH RFC 02/26] task_work: Replace spin_unlock_wait() with lock/unlock pair

2017-06-30 Thread Oleg Nesterov
mance-wise this is almost the same, and if we do not really care about overhead we can simplify the code: this way it is obvious that we can't race with task_work_cancel(). Oleg.

Re: [PATCH RFC 02/26] task_work: Replace spin_unlock_wait() with lock/unlock pair

2017-06-30 Thread Oleg Nesterov
and other entries. >*/ > - raw_spin_unlock_wait(&task->pi_lock); > + raw_spin_lock(&task->pi_lock); > + raw_spin_unlock(&task->pi_lock); Well, but then you need spin_lock_irq(). And this is one of the reasons why I personally
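
Review bot: the added raw_spin_lock(&task->pi_lock) / raw_spin_unlock(&task->pi_lock) pair now actually acquires pi_lock where raw_spin_unlock_wait() only waited on it, and it does so without an _irq variant. As the reply points out, this needs spin_lock_irq(); the replacement should use the interrupt-disabling lock and unlock calls. Because the critical section is empty, the comment above it should state what the pair is ordering against, so that the lock/unlock is not later removed as dead code.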

nfqueue accepted packet is disappeared

2017-06-08 Thread Oleg
:8a (56) When I remove the nfqueue rule from iptables in VM1, telnet works well and all packets are forwarded. So, my question is, what happens with the first request and how can I fix this? kernel: 4.4.6 iptables: 1.4.21 libnetfilter_queue: 1.0.2 Thanks! -- Олег Неманов (Oleg Nemanov)

Re: nfqueue buf size for recv()

2017-04-20 Thread Oleg
On Wed, Apr 19, 2017 at 11:45:21PM +0200, Florian Westphal wrote: > Oleg wrote: > > Can anybody tell me how can i determine a right buf size for recv() > > in libnetfilter_queue program. > > > > http://www.netfilter.org/projects/libnetfilter_queu

nfqueue buf size for recv()

2017-04-19 Thread Oleg
, if I chose the wrong list for my question. -- Олег Неманов (Oleg Nemanov)