Re: [PATCH 1/2] LSM-IPSec Networking Hooks -- mods based on Herbert's comments

2005-08-13 Thread Herbert Xu
Hi Trent: Thanks for your good work. Here are the comments for your first patch. I won't comment on the second patch since others have already looked through it and I don't know enough about SELINUX to be of much help. On Thu, Aug 11, 2005 at 02:21:15PM -0400, jaegert wrote: +static inline

[PATCH] move XFRM state tables from bss to dynamically allocated pages

2005-08-13 Thread Balazs Scheidler
Hi, Against latest net-2.6.14, but should apply to other versions as well. Please apply. diff-tree b13ca94bb73c79cbc1b34c4261b02c3df934498a (from c097bee59e15d4703e53b8c21d9e9ce5da9365bc) Author: Balazs Scheidler [EMAIL PROTECTED] Date: Sat Aug 13 16:24:25 2005 +0200 As discussed

Re: [PATCH] add new iptables ipt_connbytes match

2005-08-13 Thread Harald Welte
On Sat, Aug 13, 2005 at 03:20:06AM +0200, Patrick McHardy wrote: Harald Welte wrote: Just send two incremental patches to Dave. Here they are. The first patch fixes the div64_64 function, the second one renames some constants. Ok, just in case Dave was waiting for my comments (which are

Re: [PATCH] add new iptables ipt_connbytes match

2005-08-13 Thread Harald Welte
On Fri, Aug 12, 2005 at 12:09:04PM -0700, David S. Miller wrote: From: Harald Welte [EMAIL PROTECTED] Date: Fri, 12 Aug 2005 21:03:43 +0200 Ok, I hope everyone is fine with this patch: It is, but I did not add the connbytes patch into my tree so I can't use this patch as-is. That's why

[PATCH] introduce and use aligned_u64 in nfnetlink

2005-08-13 Thread Harald Welte
This time without the ipt_connbytes hunk: -- - Harald Welte [EMAIL PROTECTED] http://netfilter.org/ Fragmentation is like classful addressing -- an interesting early architectural error that shows

Re: nat checksum mangling - tso

2005-08-13 Thread Harald Welte
On Sat, Aug 13, 2005 at 03:20:09PM +0530, Anand SVR wrote: Hi, While browsing through the code, I encountered instances in ipv4/netfilter where checksum related calls are made in ip_nat_core.c and other files. Wondering if netfilter should be made aware of tso so that the checksum operation

Re: nat checksum mangling - tso

2005-08-13 Thread Anand SVR
Harald, Thanks a lot for the clarification. If NAT for non-locally generated packets means no TSO possible, then we are not including all those large base of private-addressed TSO-enabled LAN hosts from taking its benefits. The NAT box in fact would be handling load from many local hosts and

Re: [PATCH] add new iptables ipt_connbytes match

2005-08-13 Thread David S. Miller
From: Patrick McHardy [EMAIL PROTECTED] Subject: Re: [PATCH] add new iptables ipt_connbytes match Date: Sat, 13 Aug 2005 03:20:06 +0200 Harald Welte wrote: Just send two incremental patches to Dave. Here they are. The first patch fixes the div64_64 function, the second one renames some

Re: [PATCH] add new iptables ipt_connbytes match

2005-08-13 Thread David S. Miller
From: Harald Welte [EMAIL PROTECTED] Date: Sat, 13 Aug 2005 16:51:57 +0200 Ok, just in case Dave was waiting for my comments (which are usually not required since Patrick's patches tend to have a higher quality than mine): ACK-ed-by: Harald Welte [EMAIL PROTECTED] I like to see ACKs,

Re: nat checksum mangling - tso

2005-08-13 Thread David S. Miller
From: Harald Welte [EMAIL PROTECTED] Date: Sat, 13 Aug 2005 18:06:21 +0200 TSO can only happen for locally-generated packets, am I right? That is correct. - To unsubscribe from this list: send the line unsubscribe netdev in the body of a message to [EMAIL PROTECTED] More majordomo info at

Re: skb-pkt_type

2005-08-13 Thread David S. Miller
From: Herbert Xu [EMAIL PROTECTED] Date: Sat, 13 Aug 2005 11:32:39 +1000 I actually had a play with the fast clone stuff. However, eventually I gave up because of this dilemma: I needed to either introduce an extra atomic op on the __kfree_skb path, or add bloat to the inlined kfree_skb

Re: [PATCH] add new iptables ipt_connbytes match

2005-08-13 Thread David S. Miller
From: Harald Welte [EMAIL PROTECTED] Date: Sat, 13 Aug 2005 16:50:23 +0200 So for new development, I'm now more inclined to push things sooner to you - even more for code that only adds new features. If you generally dislike that, please let me know. I think this is the way to go.

Re: [PATCH] add new iptables ipt_connbytes match

2005-08-13 Thread David S. Miller
From: Harald Welte [EMAIL PROTECTED] Date: Sat, 13 Aug 2005 17:46:19 +0200 [NETFILTER] Add new iptables connbytes match Applied.

Re: [PATCH] introduce and use aligned_u64 in nfnetlink

2005-08-13 Thread David S. Miller
From: Harald Welte [EMAIL PROTECTED] Date: Sat, 13 Aug 2005 17:45:34 +0200 [NETFILTER] introduce and use aligned_u64 data type Applied.

Re: skb-pkt_type

2005-08-13 Thread Tommy Christensen
David S. Miller wrote: Here is the current patch. It dies on the destruction of the first TCP socket, while pruning the write queue of the socket, so something is very wrong in the implementation, I just haven't had a chance to fully debug it yet. First thing I'd try is to remove the ! from

Re: skb-pkt_type

2005-08-13 Thread David S. Miller
From: Tommy Christensen [EMAIL PROTECTED] Subject: Re: skb-pkt_type Date: Sun, 14 Aug 2005 00:20:28 +0200 David S. Miller wrote: Here is the current patch. It dies on the destruction of the first TCP socket, while pruning the write queue of the socket, so something is very wrong in the

Re: skb-pkt_type

2005-08-13 Thread Thomas Graf
* David S. Miller [EMAIL PROTECTED] 2005-08-13 14:10 From: Herbert Xu [EMAIL PROTECTED] Date: Sat, 13 Aug 2005 11:32:39 +1000 I actually had a play with the fast clone stuff. However, eventually I gave up because of this dilemma: I needed to either introduce an extra atomic op on the