Signed-off-by: Pablo Neira Ayuso [EMAIL PROTECTED]
Index: net-2.6.git/lib/ts_bm.c
===
--- net-2.6.git.orig/lib/ts_bm.c2006-01-29 05:10:25.0 +0100
+++ net-2.6.git/lib/ts_bm.c 2006-01-29 05:25:47.0 +0100
Patrick McHardy wrote:
Yes, that was a bug in the latest release. We need to
release a 1.4.1 version or something like that, but I'm
not too familiar with the release process, so I haven't
done this so far.
I can schedule one for this weekend, just send me an ACK.
Patrick McHardy wrote:
Pablo Neira Ayuso wrote:
Patrick McHardy wrote:
Yes, that was a bug in the latest release. We need to
release a 1.4.1 version or something like that, but I'm
not too familiar with the release process, so I haven't
done this so far.
I can schedule one
Acked-by: Pablo Neira Ayuso pa...@netfilter.org
This only depends on the basic hook infrastructure that resides on
net/core/hooks.c, so you can enable qdisc ingress filtering without the
layer 3 netfilter hooks.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/rtnetlink.h | 13 ---
net/core/dev.c| 92
On Wed, Apr 29, 2015 at 10:27:05PM +0200, Daniel Borkmann wrote:
On 04/29/2015 08:53 PM, Pablo Neira Ayuso wrote:
Porting qdisc ingress on top of the Netfilter ingress allows us to detach the
qdisc ingress filtering code from the core, so now it resides where it really
belongs.
Hm
On Sat, Apr 25, 2015 at 10:26:54AM +0100, Ian Morris wrote:
This series of patches removes some style issues in the ipv6 netfilter
code detected by checkpatch. There is no change to functionality and
no changes to the resultant object determined by objdiff.
Please, Cc:
: bridge: add helpers for fetching
physin/outdev)
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter_bridge.h | 16 ++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/include/linux
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix a crash in nf_tables when dictionaries are used from the ruleset,
due to memory corruption, from Florian Westphal.
2) Fix another crash in nf_queue when used with br_netfilter. Also from
Florian.
From: Florian Westphal f...@strlen.de
NFT_JUMP/GOTO erroneously sets length to sizeof(void *).
We then allocate insufficient memory when such element is added to a vmap.
Suggested-by: Patrick McHardy ka...@trash.net
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso
old box.
As it's been stated before, most users don't need this:
24824a09 (net: dynamic ingress_queue allocation)
So getting the code inlined into the core introduces a penalty to everyone in
this world.
Please apply, thanks!
Pablo Neira Ayuso (2):
net: kill useless net_*_ingress_queue
From: Sergey Popovich popovich_ser...@mail.ua
So pointers returned by these macros could be
referenced with -> directly.
Signed-off-by: Sergey Popovich popovich_ser...@mail.ua
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
patch.
Miscellanea:
o Don't use strlen, use *ptr to determine if a string
should be emitted like all the other tests here
o Delete unnecessary return statements
Signed-off-by: Joe Perches j...@perches.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter
From: Zhang Chunyu zhan...@cn.fujitsu.com
Add arpt_MARK to xt_mark.
The corresponding userspace update is available at:
http://git.netfilter.org/arptables/commit/?id=4bb2f8340783fd3a3f70aa6f8807428a280f8474
Signed-off-by: Zhang Chunyu zhan...@cn.fujitsu.com
Signed-off-by: Pablo Neira Ayuso pa
On Wed, May 06, 2015 at 04:28:57PM +0200, Denys Vlasenko wrote:
On x86 allyesconfig build:
The function compiles to 489 bytes of machine code.
It has 25 callsites.
text data bss dec hex filename
82441375 22255384 20627456 125324215 7784bb7 vmlinux.before
82434909
On Sun, May 17, 2015 at 02:30:31PM -0700, Francesco Ruggeri wrote:
nfnetlink_log_init registers netlink callback nfulnl_rcv_nl_event before
registering the pernet_subsys, but the callback relies on data structures
allocated by pernet init functions.
When nfnetlink_log is loaded, if a netlink
messages.)
As for the module_exit, rather than replace it with __exitcall,
we simply remove it, since it appears only UML does anything
with those, and even for UML, there is no relevant cleanup
to be done here.
Cc: Pablo Neira Ayuso pa...@netfilter.org
Cc: Patrick McHardy ka...@trash.net
On Mon, Jun 22, 2015 at 09:56:37AM -0500, Eric W. Biederman wrote:
Pablo Neira Ayuso pa...@netfilter.org writes:
[...]
There is no nfnetlink_queue support for the netdev family at this
moment, so this can't be triggered unless you use an out of tree
module.
I have a patch here to add
On Fri, Jun 19, 2015 at 02:03:39PM -0500, Eric W. Biederman wrote:
Add code to nf_unregister_hook to flush the nf_queue when a hook is
unregistered. This guarantees that the pointer that the nf_queue code
retains into the nf_hook list will remain valid while a packet is
queued.
I think the
On Fri, Jun 19, 2015 at 05:23:37PM -0500, Eric W. Biederman wrote:
If someone sends packets from one of the netdevice ingress hooks to
a userspace queue, and then userspace later accepts the packet,
the netfilter code can enter an infinite loop as the list head will
never be found.
On Wed, Jun 17, 2015 at 07:08:15PM +0200, Florian Westphal wrote:
Eric Dumazet eric.duma...@gmail.com wrote:
From: Eric Dumazet eduma...@google.com
Let's force a 16-byte alignment on xt_counter percpu allocations,
so that bytes and packets sit in same cache line.
xt_counter being
On Wed, Jun 17, 2015 at 10:09:40AM -0500, Eric W. Biederman wrote:
[...]
There are a few extra cleanups in the first group of changes sprinkled
in as I noticed a few other things as I was sorting out the network
namespace computation logic.
This is a rather large patchset that addresses many
On Tue, Jun 16, 2015 at 03:13:41PM +0300, Roman Khimov wrote:
In a message dated 16 June 2015 12:48:41, user Pablo Neira Ayuso wrote:
[...]
But if we change the existing behaviour, users may be relying on it
and we'll get things broken for them. Someone else will come later one
net/netfilter/nf_synproxy_core.c:326:2: error: implicit declaration of function
‘proc_create’ [-Werror=implicit-function-declaration]
if (!proc_create("synproxy", S_IRUGO, net->proc_net_stat,
^
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
Signed-off-by: Eric W. Biederman ebied
: sched: Simplify em_ipset_match
Florian Westphal (1):
netfilter: xtables: fix warnings on 32bit platforms
Harout Hedeshian (1):
netfilter: xt_socket: add XT_SOCKET_RESTORESKMARK flag
Pablo Neira Ayuso (5):
netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c
--mark 10 -j action2
iptables -t mangle -A action -m mark --mark 11 -j action3
Signed-off-by: Harout Hedeshian haro...@codeaurora.org
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/uapi/linux/netfilter/xt_socket.h |8
net/netfilter/xt_socket.c| 59
From: Eric W. Biederman ebied...@xmission.com
This appears to have been a dead macro in both nfnetlink_log.c and
nfnetlink_queue_core.c since these pieces of code were added in 2005.
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
from
integer of different size [-Wint-to-pointer-cast]
Fixes: 71ae0dff02d756e (netfilter: xtables: use percpu rule counters)
Reported-by: kbuild test robot fengguang...@intel.com
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux
From: Eric W Biederman ebied...@xmission.com
While testing my netfilter changes I noticed several files were
recompiling unnecessarily because they unnecessarily included
netfilter.h.
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
/nfnetlink_queue_core.c:23:
include/uapi/linux/netfilter.h:76:17: error: field ‘in’ has incomplete type
struct in_addr in;
And also explicit include linux/netfilter.h in several spots.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
Signed-off-by: Eric W. Biederman ebied...@xmission.com
On Sat, Jun 20, 2015 at 03:11:30PM +0200, Jakub Kiciński wrote:
On Mon, 15 Jun 2015 23:25:57 +0200, Pablo Neira Ayuso wrote:
Hi David,
This is a bit large (and late) patchset that contains Netfilter updates for
net-next. Most relevantly br_netfilter fixes, ipset RCU support, removal
On Sat, Jun 20, 2015 at 01:32:48PM +0200, Patrick McHardy wrote:
On 20.06, Pablo Neira Ayuso wrote:
On Fri, Jun 19, 2015 at 02:03:39PM -0500, Eric W. Biederman wrote:
Add code to nf_unregister_hook to flush the nf_queue when a hook is
unregistered. This guarantees that the pointer
On Sat, Jun 20, 2015 at 07:40:03PM +0200, Florian Westphal wrote:
[...]
Introduced by commit:
71ae0dff02d7 (netfilter: xtables: use percpu rule counters)
Yes, sorry about this, should be fixed by dcb8f5c8139ef945cdfd
(netfilter: xtables: fix warnings on 32bit platforms).
There's a
On Sat, Jun 20, 2015 at 09:08:20AM -0500, Eric W. Biederman wrote:
Pablo Neira Ayuso pa...@netfilter.org writes:
On Fri, Jun 19, 2015 at 05:23:37PM -0500, Eric W. Biederman wrote:
If someone sends packets from one of the netdevice ingress hooks to
a userspace queue
this by simply not running nf_tables chains in the wrong
network namespace.
Cc: sta...@vger.kernel.org
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Acked-by: Pablo Neira Ayuso pa...@netfilter.org
@David: Patrick sent a similar patch to address this, if you can get
this into the net tree
Include linux/idr.h and linux/skbuff.h since they are required by objects that
are declared in the net structure.
struct net {
...
struct idr netns_ids;
...
struct sk_buff_head wext_nlevents;
...
Signed-off-by: Pablo Neira Ayuso pa
Resolve compilation breakage when CONFIG_IPV6 is not set by moving the IPv6
code into a separate br_netfilter_ipv6.c file.
Fixes: efb6de9b4ba0 (netfilter: bridge: forward IPv6 fragmented packets)
Reported-by: kbuild test robot fengguang...@intel.com
Signed-off-by: Pablo Neira Ayuso pa
From: Eric W. Biederman ebied...@xmission.com
em->net is always set and always available, use it in preference
to dev_net(skb->dev).
Signed-off-by: Eric W. Biederman ebied...@xmission.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/sched/em_ipset.c |4 ++--
1 file changed, 2
To prepare separation of the IPv6 code into different file.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/Makefile |1 +
net/bridge/{br_netfilter.c => br_netfilter_hooks.c} |0
2 files changed, 1 insertion(+)
rename net/bridge
Cc: Florian Westphal f...@strlen.de
Acked-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter/x_tables.h |6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/x_tables.h
b/include/linux
Signed-off-by: Roman Kubiak r.kub...@samsung.com
Acked-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/uapi/linux/netfilter/nfnetlink_queue.h |4 ++-
net/netfilter/nfnetlink_queue_core.c | 35 +++-
2 files changed
On Mon, Jun 15, 2015 at 10:06:27AM -0500, Eric W. Biederman wrote:
Pablo Neira Ayuso pa...@netfilter.org writes:
Hi Eric,
On Sun, Jun 14, 2015 at 10:07:30PM -0500, Eric W. Biederman wrote:
While looking into what it would take to route packets out to network
devices in other
On Fri, Jun 05, 2015 at 01:28:38PM +0200, Florian Westphal wrote:
since commit d6b915e29f4adea9
(ip_fragment: don't forward defragmented DF packet) the largest
fragment size is available in the IPCB.
Therefore we no longer need to care about 'encapsulation'
overhead of stripped PPPOE/VLAN
On Thu, Jun 18, 2015 at 03:43:26AM -0700, David Miller wrote:
From: Eric Dumazet eric.duma...@gmail.com
Date: Mon, 15 Jun 2015 18:10:13 -0700
From: Eric Dumazet eduma...@google.com
Let's force a 16-byte alignment on xt_counter percpu allocations,
so that bytes and packets sit in same
Cc'ing Thomas.
On Mon, Jun 15, 2015 at 12:11:58PM +0300, Roman I Khimov wrote:
Suppose that we're trying to use an xt_string netfilter module to match a
string in a specially crafted packet that has a nice string starting at
offset 28.
It could be done in iptables like this:
-A
On Mon, Jun 15, 2015 at 10:37:31PM +0300, Roman Khimov wrote:
In a message dated 15 June 2015 19:06:39, user Pablo Neira Ayuso wrote:
On Mon, Jun 15, 2015 at 12:11:58PM +0300, Roman I Khimov wrote:
Suppose that we're trying to use an xt_string netfilter module to match a
string
On Mon, Jun 15, 2015 at 07:26:13PM -0500, Eric W. Biederman wrote:
[...]
So what I am in the process of doing is reviewing and testing
the combined set of patches and hopefully I will have something
for you soon (tomorrow?). Unless Pablo has objections.
Please, feel free to take over my
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
There's nothing much required because the bitmap types use atomic
bit operations. However, the logic of adding elements slightly changed:
first the MAC address is updated (which is not atomic), then the element
is activated (added). The extensions may call
are not registered. This flag is used by the netdev family to
handle the case where the net_device object is gone. Currently this flag is not
exposed to userspace.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net/netfilter/nf_tables.h |7
net/netfilter/nf_tables_api.c
Thaler bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter_ipv6.h |1 +
include/linux/skbuff.h |6 -
net/bridge/br_netfilter.c | 55 +---
net/ipv6/netfilter.c |1 +
4
From: Bernhard Thaler bernhard.tha...@wvnet.at
Use binary AND on the complement of BRNF_NF_BRIDGE_PREROUTING to unset
the bit in nf_bridge->mask.
Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/br_netfilter.c |4 ++--
1 file
Thaler bernhard.tha...@wvnet.at
[pa...@netfilter.org: small changes to br_nf_dev_queue_xmit]
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter_ipv6.h |2 +
net/bridge/br_netfilter.c | 139
net/bridge/br_private.h
Borkmann dan...@iogearbox.net
Signed-off-by: Marcelo Ricardo Leitner marcelo.leit...@gmail.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nf_conntrack_proto_generic.c |8 +++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/net/netfilter
From: Bernhard Thaler bernhard.tha...@wvnet.at
Put br_nf_pre_routing_finish_ipv6() after daddr_was_changed() and
br_nf_pre_routing_finish_bridge() to prepare calling these functions
from there.
Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa
its value in forward and xmit functions.
Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/skbuff.h|1 +
net/bridge/br_netfilter.c | 20 +++-
net/bridge/br_private.h |1 -
3 files changed, 8
to use
Pablo Neira Ayuso (5):
netfilter: Kconfig: get rid of parens around depends on
Merge branch 'master' of git://blackhole.kfki.hu/nf-next
netfilter: nf_tables: attach net_device to basechain
netfilter: nf_tables: add nft_register_basechain
These wrapper functions take care of hook registration for basechains.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/nf_tables_api.c | 52 +
1 file changed, 37 insertions(+), 15 deletions(-)
diff --git a/net/netfilter
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
There was a small window when all sets are destroyed and a concurrent
listing of all sets could grab a set which is just being destroyed.
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
---
net/netfilter/ipset/ip_set_core.c | 49
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
Standard rculist is used.
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
---
net/netfilter/ipset/ip_set_list_set.c | 398 -
1 file changed, 189 insertions(+), 209 deletions(-)
diff --git
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
When elements are added to a hash:* type of set and resizing is triggered,
parallel listing could start to list the original set (before resizing)
and continue with listing the new set. Fix it by using references and
the original hash table for listing.
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
---
include/linux/netfilter/ipset/ip_set.h |5 +-
include/uapi/linux/netfilter/ipset/ip_set.h |6 +-
net/netfilter/ipset/ip_set_bitmap_gen.h | 11 +-
From: Sergey Popovich popovich_ser...@mail.ua
Permit userspace to supply CIDR length equal to the host address CIDR
length in netlink message. Prohibit any other CIDR length for IPv6
variant of the set.
Also return -IPSET_ERR_HASH_RANGE_UNSUPPORTED instead of generic
-IPSET_ERR_PROTOCOL in IPv6
From: Sergey Popovich popovich_ser...@mail.ua
Even if we return with generic IPSET_ERR_PROTOCOL it is a good idea
to return the line number if we are called in batch mode.
Moreover we are not always exiting with IPSET_ERR_PROTOCOL. For
example hash:ip,port,net may return IPSET_ERR_HASH_RANGE_UNSUPPORTED
From: Sergey Popovich popovich_ser...@mail.ua
Make all extension attribute checks within ip_set_get_extensions()
and reduce the amount of duplicated code.
Signed-off-by: Sergey Popovich popovich_ser...@mail.ua
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
---
From: Bernhard Thaler bernhard.tha...@wvnet.at
Prepare check_hbh_len() to be called from newly introduced
br_validate_ipv6() in next commit.
Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/br_netfilter.c | 111
doesn't use device mtu in such cases.
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter_bridge.h |7 ---
net/bridge/br_netfilter.c|7 +++
net/ipv4/ip_output.c |4
3 files changed
Neira Ayuso pa...@netfilter.org
---
net/bridge/br_netfilter.c | 10 ++
1 file changed, 10 insertions(+)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 1e62ae5..e4e5f2f 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -116,6 +116,8 @@ struct
According to the reporter, they are not needed.
Reported-by: Sergei Shtylyov sergei.shtyl...@cogentembedded.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv4/netfilter/Kconfig |3 ++-
net/ipv6/netfilter/Kconfig |3 ++-
net/netfilter/Kconfig | 18
structure which is
required by the netdev notification subscription that follows up in a patch to
handle gone net_devices.
Suggested-by: Patrick McHardy ka...@trash.net
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net/netfilter/nf_tables.h|4 +-
include/uapi/linux
bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/br_netfilter.c |9 -
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 1f30b28..962d5f8 100644
--- a/net/bridge/br_netfilter.c
+++ b
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
Remove rbtree in order to introduce RCU instead of rwlock in ipset
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
---
net/netfilter/ipset/ip_set_hash_netiface.c | 163
1 file changed, 20 insertions(+), 143
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
Three types of data need to be protected in the case of the hash types:
a. The hash buckets: standard rcu pointer operations are used.
b. The element blobs in the hash buckets are stored in an array and
a bitmap is used for book-keeping to tell
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
---
include/linux/netfilter/ipset/ip_set_timeout.h |4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/include/linux/netfilter/ipset/ip_set_timeout.h
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
Commit "Simplify cidr handling for hash:*net* types" broke the cidr
handling for the hash:*net* types when the sets were used by the SET
target: entries with invalid cidr values were added to the sets.
Reported by Jonathan Johnson.
Testsuite entry is
Dumazet eduma...@google.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter/x_tables.h | 49
net/ipv4/netfilter/arp_tables.c| 32 +++
net/ipv4/netfilter/ip_tables.c | 31
From: Sergey Popovich popovich_ser...@mail.ua
There is no reason to check the CIDR value regardless of whether the
attribute specifying CIDR is given.
Initialize the cidr array in the element structure on its declaration
to give the compiler more freedom to optimize
initialization right before element
From: Sergey Popovich popovich_ser...@mail.ua
Signed-off-by: Sergey Popovich popovich_ser...@mail.ua
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
---
net/netfilter/ipset/ip_set_core.c | 12 ++--
net/netfilter/ipset/ip_set_hash_gen.h |2 +-
2 files changed, 7
...@redhat.com
Signed-off-by: Florian Westphal f...@strlen.de
Acked-by: Eric Dumazet eduma...@google.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux/netfilter/x_tables.h |4 +--
net/ipv4/netfilter/arp_tables.c| 50 +--
net/ipv4/netfilter/ip_tables.c
compiler.
Then, we attempt a kmalloc() if total size is under order-3 allocation,
to reduce TLB pressure, as in many cases, rules fit in 32 KB.
Signed-off-by: Eric Dumazet eduma...@google.com
Cc: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/linux
From: Jozsef Kadlecsik kad...@blackhole.kfki.hu
Replace rwlock_t with spinlock_t in struct ip_set and change the locking
accordingly. Convert the comment extension into an rcu-aware object. Also,
simplify the timeout routines.
Signed-off-by: Jozsef Kadlecsik kad...@blackhole.kfki.hu
---
Hi Eric,
On Sun, Jun 14, 2015 at 10:07:30PM -0500, Eric W. Biederman wrote:
While looking into what it would take to route packets out to network
devices in other network namespaces I started looking at the netfilter
hooks, and there is a lot of nasty code to figure out which network
This allows us to create netdev tables that contain ingress chains. Use
skb_header_pointer() as we may see shared sk_buffs at this stage.
This change provides access to the existing nf_tables features from the ingress
hook.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net
from ingress (2015-05-26
18:41:23 +0200)
Florian Westphal (1):
netfilter: remove unused comefrom hookmask argument
Pablo Neira Ayuso (3):
netfilter: default CONFIG_NETFILTER_INGRESS to y
netfilter: nf_tables: allow
This patch adds the internal NFT_AF_NEEDS_DEV flag to indicate that you must
attach this table to a net_device.
This change is required by the follow up patch that introduces the new netdev
table.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net/netfilter/nf_tables.h
From: Florian Westphal f...@strlen.de
Signed-off-by: Florian Westphal f...@strlen.de
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/ipv4/netfilter/ip_tables.c |4 +---
net/ipv6/netfilter/ip6_tables.c |4 +---
2 files changed, 2 insertions(+), 6 deletions(-)
diff --git
Useful to compile-test all options.
Suggested-by: Alexei Starovoitov a...@plumgrid.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/Kconfig |1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index db1c674..9a89e7c 100644
On Fri, May 29, 2015 at 08:19:35AM +0200, Jan Engelhardt wrote:
On Friday 2015-05-29 01:44, Pablo Neira Ayuso wrote:
Useful to compile-test all options.
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -3,6 +3,7 @@ menu Core Netfilter Configuration
config NETFILTER_INGRESS
Hi David,
The following patch reverts the ebtables chunk that enforces counters that was
introduced in the recently applied d26e2c9ffa38 ('Revert netfilter: ensure
number of counters is 0 in do_replace()') since this breaks ebtables.
You can pull this change from:
Reverting the ebtables part of 1086bbe97a07 makes this work again.
Signed-off-by: Bernhard Thaler bernhard.tha...@wvnet.at
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/netfilter/ebtables.c |4
1 file changed, 4 deletions(-)
diff --git a/net/bridge/netfilter
On Thu, Jun 25, 2015 at 11:12:06PM -0400, Stephen Hemminger wrote:
This fixes breakage to iproute2 build with recent kernel headers
caused by:
commit a263653ed798216c0069922d7b5237ca49436007
Author: Pablo Neira Ayuso pa...@netfilter.org
Date: Wed Jun 17 10:28:27 2015 -0500
This allows us to create netdev tables that contain ingress chains. Use
skb_header_pointer() as we may see shared sk_buffs at this stage.
This change provides access to the existing nf_tables features from the ingress
hook.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net
netdev eth0 ingress counter
or a bit more elaborated test like:
http://people.netfilter.org/pablo/nft-ingress.ruleset
More information will be available at the nftables documentation site [1].
[1] http://wiki.nftables.org/
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
doc/nft.xml
This patch adds the internal NFT_AF_NEEDS_DEV flag to indicate that you must
attach this table to a net_device.
This change is required by the follow up patch that introduces the new netdev
table.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/net/netfilter/nf_tables.h
Useful to compile-test all options.
Suggested-by: Alexei Starovoitov a...@plumgrid.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/netfilter/Kconfig |1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index db1c674..9a89e7c
This adds support for the new 'netdev' family tables.
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
include/buffer.h|1 +
include/libnftnl/table.h|1 +
include/linux/netfilter.h |8
include/linux/netfilter/nf_tables.h
prepare more patches to revisit our existing limit expression
and to add support for the tee expression.
If no objections, I'll enqueue this patchset to the nf-next tree.
Thanks.
[1] https://lwn.net/Articles/644937/
Pablo Neira Ayuso (3):
netfilter: default CONFIG_NETFILTER_INGRESS to y
On Tue, May 26, 2015 at 09:44:44AM +0900, Simon Horman wrote:
Hi Pablo,
On Mon, May 25, 2015 at 02:46:40PM +0200, Pablo Neira Ayuso wrote:
Useful to compile-test all options.
Suggested-by: Alexei Starovoitov a...@plumgrid.com
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
On Tue, May 26, 2015 at 09:48:41AM +0900, Simon Horman wrote:
Hi Pablo,
On Mon, May 25, 2015 at 02:46:41PM +0200, Pablo Neira Ayuso wrote:
This patch adds the internal NFT_AF_NEEDS_DEV flag to indicate that you must
attach this table to a net_device.
This change is required
On Tue, May 19, 2015 at 08:55:17PM -0400, Dave Jones wrote:
After improving setsockopt() coverage in trinity, I started triggering
vmalloc failures pretty reliably from this code path:
warn_alloc_failed+0xe9/0x140
__vmalloc_node_range+0x1be/0x270
vzalloc+0x4b/0x50
__do_replace+0x52/0x260
exists in ebtables, arptables, ipv6, and the
compat variants.
Signed-off-by: Dave Jones da...@codemonkey.org.uk
Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org
---
net/bridge/netfilter/ebtables.c |4
net/ipv4/netfilter/arp_tables.c |6 ++
net/ipv4/netfilter/ip_tables.c |6