Re: build failure if --with-xtables [WAS: nftables 0.7 release]

2017-01-03 Thread Arturo Borrero Gonzalez
On 3 January 2017 at 22:56, Robby Workman wrote:
> On Tue, 20 Dec 2016 21:46:36 +0100
> Pablo Neira Ayuso wrote:
>
>> Hi!
>>
>> The Netfilter project proudly presents:
>>
>> nftables 0.7
>>
>> This release contains many accumulated bug fixes and new features
>> available up to the (upcoming) Linux 4.10-rc1 kernel release.
>>
>> * Facilitate migration from iptables to nftables:
>>
>>   At compilation time, you have to pass this option.
>>
>>   # ./configure --with-xtables
>
>
> I get a build failure with this option - bug filed with some details:
> https://bugzilla.netfilter.org/show_bug.cgi?id=1110

The required xlate methods of iptables have not been released so far.
They are not present in iptables 1.6.0.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH xtables-addons] build: support for Linux 4.10

2017-01-03 Thread Jan Engelhardt
On Monday 2016-12-26 16:14, Ralph Sennhauser wrote:

>Commit 613dbd95723aee7abd16860745691b6c7bda20dc (netfilter:
>x_tables: move hook state into xt_action_param structure) changes the
>struct xt_action_param, accommodate for it.

Both applied.


[PATCH net-next 5/8] bridge: use __vlan_hwaccel helpers

2017-01-03 Thread Michał Mirosław
This removes the assumption that vlan_tci != 0 when a tag is present.

Signed-off-by: Michał Mirosław 
---
 net/bridge/br_netfilter_hooks.c | 15 +--
 net/bridge/br_private.h |  2 +-
 net/bridge/br_vlan.c|  6 +++---
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 8ca6a929bf12..b62177a980e1 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -682,10 +682,8 @@ static int br_nf_push_frag_xmit(struct net *net, struct 
sock *sk, struct sk_buff
return 0;
}
 
-   if (data->vlan_tci) {
-   skb->vlan_tci = data->vlan_tci;
-   skb->vlan_proto = data->vlan_proto;
-   }
+   if (data->vlan_proto)
+   __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci);
 
skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size);
__skb_push(skb, data->encap_size);
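Review bot: in br_nf_push_frag_xmit() the restore is now gated on `data->vlan_proto` instead of `data->vlan_tci`, which makes a zero protocol the only "no tag" marker in the per-CPU fragment data, and nothing at this site says so. A one-line comment above `if (data->vlan_proto)` stating that br_nf_dev_queue_xmit() stores 0 for untagged frames would keep the two sites from drifting apart; the changelog could say the same.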
@@ -749,8 +747,13 @@ static int br_nf_dev_queue_xmit(struct net *net, struct 
sock *sk, struct sk_buff
 
data = this_cpu_ptr(_frag_data_storage);
 
-   data->vlan_tci = skb->vlan_tci;
-   data->vlan_proto = skb->vlan_proto;
+   if (skb_vlan_tag_present(skb)) {
+   data->vlan_tci = skb->vlan_tci;
+   data->vlan_proto = skb->vlan_proto;
+   } else {
+   data->vlan_proto = 0;
+   }
+
data->encap_size = nf_bridge_encap_header_len(skb);
data->size = ETH_HLEN + data->encap_size;
 
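Review bot: the new else branch in br_nf_dev_queue_xmit() zeroes `data->vlan_proto` but leaves `data->vlan_tci` holding whatever the previous frame on this CPU stored. The reader in br_nf_push_frag_xmit() only looks at the TCI when the protocol is non-zero, so this is not a functional bug in the lines shown, but setting `data->vlan_tci = 0;` in the same branch would keep stale per-CPU state away from any later reader that checks the TCI alone.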
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 8ce621e8345c..2efbdaf9ae1b 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -819,7 +819,7 @@ static inline int br_vlan_get_tag(const struct sk_buff 
*skb, u16 *vid)
int err = 0;
 
if (skb_vlan_tag_present(skb)) {
-   *vid = skb_vlan_tag_get(skb) & VLAN_VID_MASK;
+   *vid = skb_vlan_tag_get_id(skb);
} else {
*vid = 0;
err = -EINVAL;
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index b6de4f457161..d25a5b34dc76 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -377,7 +377,7 @@ struct sk_buff *br_handle_vlan(struct net_bridge *br,
}
 
if (v->flags & BRIDGE_VLAN_INFO_UNTAGGED)
-   skb->vlan_tci = 0;
+   __vlan_hwaccel_clear_tag(skb);
 out:
return skb;
 }
@@ -444,8 +444,8 @@ static bool __allowed_ingress(const struct net_bridge *br,
__vlan_hwaccel_put_tag(skb, br->vlan_proto, pvid);
else
/* Priority-tagged Frame.
-* At this point, We know that skb->vlan_tci had
-* VLAN_TAG_PRESENT bit and its VID field was 0x000.
+* At this point, we know that skb->vlan_tci VID
+* field was 0.
 * We update only VID field and preserve PCP field.
 */
skb->vlan_tci |= pvid;
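Review bot: in __allowed_ingress() the priority-tagged branch still writes the field directly with `skb->vlan_tci |= pvid;` while the rest of the patch moves tag handling behind the __vlan_hwaccel helpers. If the direct OR is intentional because only the VID bits change and PCP must survive, the reworded comment should say that this line is deliberately left as a raw field update; otherwise it is the one place in these files that will be missed the next time the tag representation changes.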
-- 
2.11.0



[PATCH net-next] nfnetlink/queue: use __vlan_hwaccel helpers

2017-01-03 Thread Michał Mirosław
Signed-off-by: Michał Mirosław 
---
 net/netfilter/nfnetlink_queue.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 3ee0b8a000a4..8c7923aac826 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -,8 +,9 @@ static int nfqa_parse_bridge(struct nf_queue_entry *entry,
if (!tb[NFQA_VLAN_TCI] || !tb[NFQA_VLAN_PROTO])
return -EINVAL;
 
-   entry->skb->vlan_tci = ntohs(nla_get_be16(tb[NFQA_VLAN_TCI]));
-   entry->skb->vlan_proto = nla_get_be16(tb[NFQA_VLAN_PROTO]);
+   __vlan_hwaccel_put_tag(entry->skb,
+   nla_get_be16(tb[NFQA_VLAN_PROTO]),
+   ntohs(nla_get_be16(tb[NFQA_VLAN_TCI])));
}
 
if (nfqa[NFQA_L2HDR]) {
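Review bot: the changelog is empty apart from the sign-off, while the change in nfqa_parse_bridge() replaces two direct field writes with `__vlan_hwaccel_put_tag()`. One sentence saying whether this is a pure conversion, or whether the helper also sets state the old assignments did not, would let a reviewer judge it without the rest of the series.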
-- 
2.11.0



Re: build failure if --with-xtables [WAS: nftables 0.7 release]

2017-01-03 Thread Robby Workman
On Tue, 20 Dec 2016 21:46:36 +0100
Pablo Neira Ayuso wrote:

> Hi!
> 
> The Netfilter project proudly presents:
> 
> nftables 0.7
> 
> This release contains many accumulated bug fixes and new features
> available up to the (upcoming) Linux 4.10-rc1 kernel release.
> 
> * Facilitate migration from iptables to nftables:
> 
>   At compilation time, you have to pass this option.
> 
>   # ./configure --with-xtables


I get a build failure with this option - bug filed with some details:
https://bugzilla.netfilter.org/show_bug.cgi?id=1110

-RW


Re: [PATCH] uapi: use wildcards to list files

2017-01-03 Thread Arnd Bergmann
On Tuesday, January 3, 2017 3:35:44 PM CET Nicolas Dichtel wrote:
> Regularly, when a new header is created in include/uapi/, the developer
> forgets to add it in the corresponding Kbuild file. This error is usually
> detected after the release is out.
> 
> In fact, all headers under include/uapi/ should be exported, so let's
> use wildcards.

I think the idea makes a lot of sense: if a header is in uapi, we should
really export it. However, using a wildcard expression seems a bit
backwards here, I think we should make this implicit and not have the
Kbuild file at all.

The "header-y" syntax was originally added back when the uapi headers
were mixed with the internal headers in the same directory. After
David Howells introduced the separate directory for uapi, it has
become a bit redundant.

Can you try to modify scripts/Makefile.headersinst instead so we
can simply remove the Kbuild files entirely?

Arnd


[PATCH net-next v2 16/27] nfnetlink/queue: use __vlan_hwaccel helpers

2017-01-03 Thread Michał Mirosław
Signed-off-by: Michał Mirosław 
---
 net/netfilter/nfnetlink_queue.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 3ee0b8a000a4..8c7923aac826 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -,8 +,9 @@ static int nfqa_parse_bridge(struct nf_queue_entry *entry,
if (!tb[NFQA_VLAN_TCI] || !tb[NFQA_VLAN_PROTO])
return -EINVAL;
 
-   entry->skb->vlan_tci = ntohs(nla_get_be16(tb[NFQA_VLAN_TCI]));
-   entry->skb->vlan_proto = nla_get_be16(tb[NFQA_VLAN_PROTO]);
+   __vlan_hwaccel_put_tag(entry->skb,
+   nla_get_be16(tb[NFQA_VLAN_PROTO]),
+   ntohs(nla_get_be16(tb[NFQA_VLAN_TCI])));
}
 
if (nfqa[NFQA_L2HDR]) {
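Review bot: in nfqa_parse_bridge() the only check before the tag is applied is that both attributes exist (`!tb[NFQA_VLAN_TCI] || !tb[NFQA_VLAN_PROTO]`); the protocol and TCI values themselves go from the netlink message straight into `__vlan_hwaccel_put_tag()`. Since these values are supplied by the userspace queue handler, consider rejecting a zero NFQA_VLAN_PROTO with -EINVAL here, so that the skb never ends up with a tag whose protocol is 0.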
-- 
2.11.0



[PATCH net-next v2 13/27] bridge: use __vlan_hwaccel helpers

2017-01-03 Thread Michał Mirosław
This removes the assumption that vlan_tci != 0 when a tag is present.

Signed-off-by: Michał Mirosław 
---
 net/bridge/br_netfilter_hooks.c | 15 +--
 net/bridge/br_private.h |  2 +-
 net/bridge/br_vlan.c|  6 +++---
 3 files changed, 13 insertions(+), 10 deletions(-)

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 8ca6a929bf12..b62177a980e1 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -682,10 +682,8 @@ static int br_nf_push_frag_xmit(struct net *net, struct 
sock *sk, struct sk_buff
return 0;
}
 
-   if (data->vlan_tci) {
-   skb->vlan_tci = data->vlan_tci;
-   skb->vlan_proto = data->vlan_proto;
-   }
+   if (data->vlan_proto)
+   __vlan_hwaccel_put_tag(skb, data->vlan_proto, data->vlan_tci);
 
skb_copy_to_linear_data_offset(skb, -data->size, data->mac, data->size);
__skb_push(skb, data->encap_size);
@@ -749,8 +747,13 @@ static int br_nf_dev_queue_xmit(struct net *net, struct 
sock *sk, struct sk_buff
 
data = this_cpu_ptr(_frag_data_storage);
 
-   data->vlan_tci = skb->vlan_tci;
-   data->vlan_proto = skb->vlan_proto;
+   if (skb_vlan_tag_present(skb)) {
+   data->vlan_tci = skb->vlan_tci;
+   data->vlan_proto = skb->vlan_proto;
+   } else {
+   data->vlan_proto = 0;
+   }
+
data->encap_size = nf_bridge_encap_header_len(skb);
data->size = ETH_HLEN + data->encap_size;
 
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 8ce621e8345c..2efbdaf9ae1b 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -819,7 +819,7 @@ static inline int br_vlan_get_tag(const struct sk_buff 
*skb, u16 *vid)
int err = 0;
 
if (skb_vlan_tag_present(skb)) {
-   *vid = skb_vlan_tag_get(skb) & VLAN_VID_MASK;
+   *vid = skb_vlan_tag_get_id(skb);
} else {
*vid = 0;
err = -EINVAL;
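Review bot: the switch to `skb_vlan_tag_get_id(skb)` in br_vlan_get_tag() is a readability cleanup rather than part of removing the vlan_tci != 0 assumption, and the changelog does not mention it. Either note it in the commit message or split it out, so that someone bisecting a VLAN filtering regression can tell which lines were meant to change behaviour.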
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index b6de4f457161..d25a5b34dc76 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -377,7 +377,7 @@ struct sk_buff *br_handle_vlan(struct net_bridge *br,
}
 
if (v->flags & BRIDGE_VLAN_INFO_UNTAGGED)
-   skb->vlan_tci = 0;
+   __vlan_hwaccel_clear_tag(skb);
 out:
return skb;
 }
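Review bot: `__vlan_hwaccel_clear_tag(skb)` in br_handle_vlan() is not defined anywhere in this patch, so 13/27 only builds on top of whichever other patch in the series adds it. The changelog should name that dependency and say whether the helper clears everything that `skb->vlan_tci = 0;` did, because the old line zeroed the whole TCI on the BRIDGE_VLAN_INFO_UNTAGGED path.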
@@ -444,8 +444,8 @@ static bool __allowed_ingress(const struct net_bridge *br,
__vlan_hwaccel_put_tag(skb, br->vlan_proto, pvid);
else
/* Priority-tagged Frame.
-* At this point, We know that skb->vlan_tci had
-* VLAN_TAG_PRESENT bit and its VID field was 0x000.
+* At this point, we know that skb->vlan_tci VID
+* field was 0.
 * We update only VID field and preserve PCP field.
 */
skb->vlan_tci |= pvid;
-- 
2.11.0



Re: [PATCH] uapi: use wildcards to list files

2017-01-03 Thread David Miller
From: Nicolas Dichtel 
Date: Tue,  3 Jan 2017 15:35:44 +0100

> Regularly, when a new header is created in include/uapi/, the developer
> forgets to add it in the corresponding Kbuild file. This error is usually
> detected after the release is out.
> 
> In fact, all headers under include/uapi/ should be exported, so let's
> use wildcards.
> 
> After this patch, the following files, which were not exported, are now
> exported:
 ...
> 
> Signed-off-by: Nicolas Dichtel 

Acked-by: David S. Miller 


[PATCH] uapi: use wildcards to list files

2017-01-03 Thread Nicolas Dichtel
Regularly, when a new header is created in include/uapi/, the developer
forgets to add it in the corresponding Kbuild file. This error is usually
detected after the release is out.

In fact, all headers under include/uapi/ should be exported, so let's
use wildcards.

After this patch, the following files, which were not exported, are now
exported:
drm/vgem_drm.h
drm/armada_drm.h
drm/omap_drm.h
drm/etnaviv_drm.h
rdma/qedr-abi.h
linux/bcache.h
linux/kfd_ioctl.h
linux/cryptouser.h
linux/kcm.h
linux/kcov.h
linux/seg6_iptunnel.h
linux/stm.h
linux/seg6.h
linux/auto_dev-ioctl.h
linux/userio.h
linux/pr.h
linux/wil6210_uapi.h
linux/nilfs2_ondisk.h
linux/hash_info.h
linux/seg6_genl.h
linux/seg6_hmac.h
linux/batman_adv.h
linux/nsfs.h
linux/qrtr.h
linux/btrfs_tree.h
linux/coresight-stm.h
linux/dma-buf.h
linux/module.h
linux/lightnvm.h
linux/nilfs2_api.h

Signed-off-by: Nicolas Dichtel 
---

This patch is built against linus tree. I don't know if it should be
done against another tree.

Comments are welcomed,
Nicolas

 include/uapi/asm-generic/Kbuild|  36 +--
 include/uapi/drm/Kbuild|  22 +-
 include/uapi/linux/Kbuild  | 463 +
 include/uapi/linux/android/Kbuild  |   2 +-
 include/uapi/linux/byteorder/Kbuild|   3 +-
 include/uapi/linux/caif/Kbuild |   3 +-
 include/uapi/linux/can/Kbuild  |   6 +-
 include/uapi/linux/dvb/Kbuild  |   9 +-
 include/uapi/linux/hdlc/Kbuild |   2 +-
 include/uapi/linux/hsi/Kbuild  |   2 +-
 include/uapi/linux/iio/Kbuild  |   3 +-
 include/uapi/linux/isdn/Kbuild |   2 +-
 include/uapi/linux/mmc/Kbuild  |   2 +-
 include/uapi/linux/netfilter/Kbuild|  88 +-
 include/uapi/linux/netfilter/ipset/Kbuild  |   5 +-
 include/uapi/linux/netfilter_arp/Kbuild|   3 +-
 include/uapi/linux/netfilter_bridge/Kbuild |  18 +-
 include/uapi/linux/netfilter_ipv4/Kbuild   |  10 +-
 include/uapi/linux/netfilter_ipv6/Kbuild   |  13 +-
 include/uapi/linux/nfsd/Kbuild |   6 +-
 include/uapi/linux/raid/Kbuild |   3 +-
 include/uapi/linux/spi/Kbuild  |   2 +-
 include/uapi/linux/sunrpc/Kbuild   |   2 +-
 include/uapi/linux/tc_act/Kbuild   |  15 +-
 include/uapi/linux/tc_ematch/Kbuild|   5 +-
 include/uapi/linux/usb/Kbuild  |  12 +-
 include/uapi/linux/wimax/Kbuild|   2 +-
 include/uapi/misc/Kbuild   |   2 +-
 include/uapi/mtd/Kbuild|   6 +-
 include/uapi/rdma/Kbuild   |  17 +-
 include/uapi/rdma/hfi/Kbuild   |   2 +-
 include/uapi/scsi/Kbuild   |   5 +-
 include/uapi/scsi/fc/Kbuild|   5 +-
 include/uapi/sound/Kbuild  |  16 +-
 include/uapi/video/Kbuild  |   4 +-
 include/uapi/xen/Kbuild|   5 +-
 36 files changed, 47 insertions(+), 754 deletions(-)

diff --git a/include/uapi/asm-generic/Kbuild b/include/uapi/asm-generic/Kbuild
index b73de7bb7a62..8e52cdc3d941 100644
--- a/include/uapi/asm-generic/Kbuild
+++ b/include/uapi/asm-generic/Kbuild
@@ -1,36 +1,2 @@
 # UAPI Header export list
-header-y += auxvec.h
-header-y += bitsperlong.h
-header-y += errno-base.h
-header-y += errno.h
-header-y += fcntl.h
-header-y += int-l64.h
-header-y += int-ll64.h
-header-y += ioctl.h
-header-y += ioctls.h
-header-y += ipcbuf.h
-header-y += kvm_para.h
-header-y += mman-common.h
-header-y += mman.h
-header-y += msgbuf.h
-header-y += param.h
-header-y += poll.h
-header-y += posix_types.h
-header-y += resource.h
-header-y += sembuf.h
-header-y += setup.h
-header-y += shmbuf.h
-header-y += shmparam.h
-header-y += siginfo.h
-header-y += signal-defs.h
-header-y += signal.h
-header-y += socket.h
-header-y += sockios.h
-header-y += stat.h
-header-y += statfs.h
-header-y += swab.h
-header-y += termbits.h
-header-y += termios.h
-header-y += types.h
-header-y += ucontext.h
-header-y += unistd.h
+header-y += $(notdir $(wildcard $(srctree)/include/uapi/asm-generic/*.h))
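Review bot: the `$(wildcard $(srctree)/include/uapi/asm-generic/*.h)` line repeats the directory path literally, and `$(wildcard)` expands to nothing when the pattern matches no file, so a moved or mistyped path would silently export zero headers instead of failing the build. Deriving the path from the Kbuild file's own location, or erroring out on an empty expansion, would keep the safety the explicit list had.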
diff --git a/include/uapi/drm/Kbuild b/include/uapi/drm/Kbuild
index 9355dd8eff3b..75f4cde6d9ba 100644
--- a/include/uapi/drm/Kbuild
+++ b/include/uapi/drm/Kbuild
@@ -1,22 +1,2 @@
 # UAPI Header export list
-header-y += drm.h
-header-y += drm_fourcc.h
-header-y += drm_mode.h
-header-y += drm_sarea.h
-header-y += amdgpu_drm.h
-header-y += exynos_drm.h
-header-y += i810_drm.h
-header-y += i915_drm.h
-header-y += mga_drm.h
-header-y += nouveau_drm.h
-header-y += qxl_drm.h
-header-y += r128_drm.h
-header-y += radeon_drm.h
-header-y += savage_drm.h
-header-y += sis_drm.h
-header-y += tegra_drm.h
-header-y += via_drm.h
-header-y += vmwgfx_drm.h
-header-y += msm_drm.h
-header-y += vc4_drm.h
-header-y += virtgpu_drm.h
+header-y += $(notdir $(wildcard $(srctree)/include/uapi/drm/*.h))
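Review bot: with the explicit list in include/uapi/drm/Kbuild gone, any `*.h` dropped into the directory becomes installed userspace ABI without a Kbuild line showing up in review; the changelog already names vgem_drm.h, armada_drm.h, omap_drm.h and etnaviv_drm.h as exported by side effect of this patch. Those newly exported headers deserve an ack from their maintainers, since an exported header is an ABI commitment.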
diff --git a/include/uapi/linux/Kbuild 

Re: [PATCH libnftnl] src: ct: add average bytes per packet counter support

2017-01-03 Thread Pablo Neira Ayuso
Also applied, thanks.


Re: [PATCH nf-next 2/2] netfilter: nft_ct: add average bytes per packet support

2017-01-03 Thread Pablo Neira Ayuso
On Sun, Dec 25, 2016 at 07:58:59PM +0800, Liping Zhang wrote:
> From: Liping Zhang 
> 
> Similar to xt_connbytes, user can match how many average bytes per packet
> a connection has transferred so far.

Also applied, thanks.


Re: [PATCH nf-next 1/2] netfilter: nf_tables: add missing descriptions in nft_ct_keys

2017-01-03 Thread Pablo Neira Ayuso
On Sun, Dec 25, 2016 at 07:58:58PM +0800, Liping Zhang wrote:
> From: Liping Zhang 
> 
> We missed to add descriptions about NFT_CT_LABELS, NFT_CT_PKTS and
> NFT_CT_BYTES, now add it.

Applied, thanks.


Re: [PATCH nft] scanner: fix search_in_include_path test

2017-01-03 Thread Pablo Neira Ayuso
On Mon, Jan 02, 2017 at 04:30:01PM +0100, Anatole Denis wrote:
> clang emits a warning in this function as we're using a boolean as the third
> argument to strncmp. Indeed, this function only checks the first byte of the
> path as is, so files beginning with . will be incorrectly included from the
> current working directory instead of the include directory.

Applied, thanks Anatole.
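
The bug class described in the quoted commit message, as an added example that is not part of the thread and not the nftables source. The function name comes from the subject line; both function bodies and the sample file names are constructed here, on the assumption that the test is meant to reject paths starting with `./`, `../` or `/`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Misplaced parenthesis: "strlen("./") != 0" is evaluated first and passed as
 * the length, so strncmp() gets the boolean 1 and compares one byte only. */
static bool search_in_include_path_buggy(const char *filename)
{
	return strncmp(filename, "./", strlen("./") != 0) &&
	       strncmp(filename, "../", strlen("../") != 0) &&
	       filename[0] != '/';
}

/* Corrected: compare the whole prefix, then test strncmp()'s result. */
static bool search_in_include_path_fixed(const char *filename)
{
	return strncmp(filename, "./", strlen("./")) != 0 &&
	       strncmp(filename, "../", strlen("../")) != 0 &&
	       filename[0] != '/';
}

int main(void)
{
	/* Constructed sample names; the last two start with '.' but are
	 * neither "./" nor "../" relative paths. */
	static const char *const names[] = {
		"ruleset.nft", "./local.nft", "../up.nft", "/etc/abs.nft",
		".hidden.nft", "..data/rules.nft",
	};
	size_t i;

	printf("%-18s %-6s %-6s\n", "filename", "buggy", "fixed");
	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		bool b = search_in_include_path_buggy(names[i]);
		bool f = search_in_include_path_fixed(names[i]);

		/* A mismatch means the file would be looked up relative to the
		 * current working directory instead of the include path. */
		printf("%-18s %-6s %-6s%s\n", names[i],
		       b ? "yes" : "no", f ? "yes" : "no",
		       b != f ? "  <- wrong lookup location" : "");
	}
	return 0;
}
```

The two versions disagree only on names such as `.hidden.nft`, which is the case the commit message calls out: a ruleset that includes such a file picks it up from wherever nft happens to be run.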