Re: [GIT-PULL nf-next 00/15] IPVS Updates for v4.4

On Thu, Sep 17, 2015 at 02:40:36PM +0900, Simon Horman wrote: > Hi Pablo, > > please consider these IPVS Updates for v4.4. > > The updates include the following from Alex Gartrell: > * Scheduling of ICMP > * Sysctl to ignore tunneled packets; and hence some packet-looping scenarios > > The

Re: [PATCH next 0/15] netfilter: Stop guessing net (take 2)

On Fri, Sep 18, 2015 at 02:28:40PM -0500, Eric W. Biederman wrote: > > This is the next installment of my work to pass struct net through the > output path so the code does not need to guess how to figure out which > network namespace it is in, and ultimately routes can have output > devices in

Re: [PATCH next 00/84] ipvs: Stop guessing the network namespace (take 2)

On Wed, Sep 23, 2015 at 09:17:27AM +0900, Simon Horman wrote: > On Tue, Sep 22, 2015 at 10:50:41AM +0200, Pablo Neira Ayuso wrote: > > On Tue, Sep 22, 2015 at 10:22:13AM +0300, Julian Anastasov wrote: > > [...] > > > > > > v2 looks good to me, > >

[PATCH 03/30] ipvs: Handle inverse and icmp headers in ip_vs_leave

From: Alex Gartrell Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_core.c | 33 + 1 file changed, 21 insertions(+), 12

[PATCH 04/30] ipvs: pull out ip_vs_try_to_schedule function

From: Alex Gartrell This is necessary as we'll be trying to schedule icmp later and we'll want to share this code. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman ---

[PATCH 06/30] ipvs: Make ip_vs_schedule aware of inverse iph'es

From: Alex Gartrell This is necessary to schedule icmp later. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_core.c | 50

[PATCH 00/30] Netfilter/IPVS updates for net-next

priv instead of nf_hook_ops to netfilter hooks netfilter: Pass net into nf_xfrm_me_harder netfilter: Use nf_ct_net instead of dev_net(out) in nf_nat_masquerade_ipv6 Pablo Neira Ayuso (1): Merge tag 'ipvs-for-v4.4' of https://git.kernel.org/.../horms/ipvs-next Documentatio

[PATCH 23/30] netfilter: nf_tables: Use pkt->net instead of computing net from the passed net_devices

From: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/nft_reject_bridge.c | 13 ++--- net/ipv6/netfilter/nf

[PATCH 07/30] ipvs: add schedule_icmp sysctl

From: Alex Gartrell This sysctl will be used to enable the scheduling of icmp packets. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- include/net/ip_vs.h| 11

[PATCH 16/30] netfilter: ebtables: Simplify the arguments to ebt_do_table

ion.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter_bridge/ebtables.h |6 +++--- net/bridge/netfilter/ebtable_broute.c |8 ++-- net/bridge/netfilter/ebtable_filter.c |6 ++ net/bridge/netfilter/ebtable_nat.c|6 +

[PATCH 01/30] ipvs: replace ip_vs_fill_ip4hdr with ip_vs_fill_iph_skb_off

From: Alex Gartrell This removes some duplicated code and makes the ICMPv6 path look more like the ICMP path. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- include/net/ip_vs.h

Re: [PATCH next 00/84] ipvs: Stop guessing the network namespace (take 2)

On Tue, Sep 22, 2015 at 10:22:13AM +0300, Julian Anastasov wrote: [...] > > v2 looks good to me, > > Acked-by: Julian Anastasov Thanks a lot for reviewing Julian. Simon, please let me know how you want to handle this. Thanks. -- To unsubscribe from this list: send the line

[PATCH 21/30] netfilter: x_tables: Use par->net instead of computing from the passed net devices

From: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/ebt_log.c |2 +- net/bridge/netfilter/ebt_nflog.c |2

[PATCH 17/30] inet netfilter: Remove hook from ip6t_do_table, arp_do_table, ipt_do_table

e->hook instead of ops->hooknum for clarity and to reduce the number of cachelines the callers touch. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter_arp/arp_tables.h |1 -

[PATCH 10/30] ipvs: attempt to schedule icmp packets

From: Alex Gartrell Invoke the try_to_schedule logic from the icmp path and update it to the appropriate ip_vs_conn_put function. The schedule functions have been updated to reject the packets immediately for now. Signed-off-by: Alex Gartrell Acked-by:

[PATCH 26/30] netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple

r protocols) can get this right. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_conntrack.h |3 ++- include/net/netfilter/nf_conntrack_core.h |1 + includ

[PATCH 18/30] inet netfilter: Prefer state->hook to ops->hooknum

ache line misses, and slightly more consistent code. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c |4 ++-- net/ipv4/netfilter/nf_defrag_ipv4.c

[PATCH 29/30] netfilter: Pass net into nf_xfrm_me_harder

From: "Eric W. Biederman" <ebied...@xmission.com> Instead of calling dev_net on a likley looking network device pass state->net into nf_xfrm_me_harder. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@net

[PATCH 02/30] ipvs: Add hdr_flags to iphdr

From: Alex Gartrell These flags contain information like whether or not the addresses are inverted or from icmp. The first will allow us to drop an inverse param all over the place, and the second will later be useful in scheduling icmp. Signed-off-by: Alex Gartrell

[PATCH 30/30] netfilter: Use nf_ct_net instead of dev_net(out) in nf_nat_masquerade_ipv6

From: "Eric W. Biederman" <ebied...@xmission.com> Use nf_ct_net(ct) instead of guessing that the netdevice out can reliably report the network namespace the conntrack operation is happening in. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Sign

[PATCH 09/30] ipvs: sh: support scheduling icmp/inverse packets consistently

From: Alex Gartrell "source_hash" the dest fields if it's an inverse packet. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_sh.c | 45

[PATCH 22/30] netfilter: nf_tables: Pass struct net in nft_pktinfo

uot;Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h |3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_

[PATCH 28/30] netfilter: Pass priv instead of nf_hook_ops to netfilter hooks

W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter.h |2 +- include/net/netfilter/br_netfilter.h |2 +- include/net/netfilter/nf_nat_l3proto.h | 32 -

[PATCH 19/30] netfilter: nf_tables: kill nft_pktinfo.ops

etails of nft_hook_ops are of no concern to the recpients of nft_pktinfo. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h |9 - include/net/netfilter/nf_tables

[PATCH 24/30] netfilter: Pass net to nf_dup_ipv4 and nf_dup_ipv6

From: "Eric W. Biederman" <ebied...@xmission.com> This allows them to stop guessing the network namespace with pick_net. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/n

[PATCH 27/30] ipvs: Read hooknum from state rather than ops->hooknum

From: "Eric W. Biederman" <ebied...@xmission.com> This should be more cache efficient as state is more likely to be in core, and the netfilter core will stop passing in ops soon. Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo

[PATCH 05/30] ipvs: drop inverse argument to conn_{in,out}_get

From: Alex Gartrell No longer necessary since the information is included in the ip_vs_iphdr itself. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- include/net/ip_vs.h

[PATCH 13/30] ipvs: support scheduling inverse and icmp UDP packets

From: Alex Gartrell In the event of an icmp packet, take only the ports instead of trying to grab the full header. In the event of an inverse packet, use the source address and port. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov

[PATCH 15/30] ipvs: add sysctl to ignore tunneled packets

From: Alex Gartrell This is a way to avoid nasty routing loops when multiple ipvs instances can forward to eachother. Signed-off-by: Alex Gartrell Signed-off-by: Simon Horman --- Documentation/networking/ipvs-sysctl.txt | 10

[PATCH 11/30] ipvs: ensure that ICMP cannot be sent in reply to ICMP

From: Alex Gartrell Check the header for icmp before sending a PACKET_TOO_BIG Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_xmit.c |5 +++-- 1 file

[PATCH 20/30] netfilter: x_tables: Pass struct net in xt_action_param

uot;Eric W. Biederman" <ebied...@xmission.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/x_tables.h |3 ++- include/net/netfilter/nf_tables.h |1 + net/bridge/netfilter/ebtables.c|1 + net/ipv4/netfilter/arp_tables.c|

[PATCH 12/30] ipvs: support scheduling inverse and icmp TCP packets

From: Alex Gartrell In the event of an icmp packet, take only the ports instead of trying to grab the full header. In the event of an inverse packet, use the source address and port. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov

[PATCH 08/30] ipvs: Use outer header in ip_vs_bypass_xmit_v6

From: Alex Gartrell The ip_vs_iphdr may refer to an internal header, so use the outer one instead. Signed-off-by: Alex Gartrell Acked-by: Julian Anastasov Signed-off-by: Simon Horman --- net/netfilter/ipvs/ip_vs_xmit.c |

[PATCH 25/30] act_connmark: Remember the struct net instead of guessing it.

ion.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/tc_act/tc_connmark.h |1 + net/sched/act_connmark.c |3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/include/net/tc_act/tc_connmark.h b/include/net/tc_act/tc_co

Re: [GIT PULL nf-next 00/84] Second Round of IPVS Updates for v4.4

On Thu, Sep 24, 2015 at 09:51:45AM +0900, Simon Horman wrote: > Hi Pablo, > > please consider these bug fixes and extensive clean-ups of IPVS > from Eric Biederman for v4.4. Pulled, thanks Simon. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to

[PATCH 1/9] ipvs: Add ovf scheduler

From: Raducu Deaconu rhadoo.i...@gmail.com The weighted overflow scheduling algorithm directs network connections to the server with the highest weight that is currently available and overflows to the next when active connections exceed the node's weight. Signed-off-by: Raducu Deaconu

[PATCH 0/9] Netfilter updates for net-next

netfilter: reduce sparse warnings Julian Anastasov (3): ipvs: call rtnl_lock early ipvs: add sync_maxlen parameter for the sync daemon ipvs: add more mcast parameters for the sync daemon Pablo Neira Ayuso (3): netfilter: nf_dup: fix sparse warnings netfilter: xt_TEE

[PATCH 3/9] ipvs: add sync_maxlen parameter for the sync daemon

From: Julian Anastasov j...@ssi.bg Allow setups with large MTU to send large sync packets by adding sync_maxlen parameter. The default value is now based on MTU but no more than 1500 for compatibility reasons. To avoid problems if MTU changes allow fragmentation by sending packets with DF=0.

[PATCH 2/9] ipvs: call rtnl_lock early

From: Julian Anastasov j...@ssi.bg When the sync damon is started we need to hold rtnl lock while calling ip_mc_join_group. Currently, we have a wrong locking order because the correct one is rtnl_lock-__ip_vs_mutex. It is implied from the usage of __ip_vs_mutex in ip_vs_dst_event() which is

[PATCH 5/9] netfilter: nf_dup: fix sparse warnings

fengguang...@intel.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/ipv4/netfilter/nft_dup_ipv4.c |2 +- net/ipv6/netfilter/nf_dup_ipv6.c |4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/net/ipv4/netfilter/nft_dup_ipv4.c b/net/ipv4/netfilter/nft_dup_ipv4

[PATCH 8/9] Revert netfilter: xtables: compute exact size needed for jumpstack

-by: Hannes Frederic Sowa han...@stressinduktion.org Signed-off-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/ipv4/netfilter/arp_tables.c | 19 +++ net/ipv4/netfilter/ip_tables.c | 28 ++-- net/ipv6/netfilter

[PATCH 7/9] netfilter: ip6t_REJECT: added missing icmpv6 codes

forwarded to it that use an address from a prefix that has been invalidated. Codes 5 and 6 are more informative subsets of code 1. Signed-off-by: Andreas Herz a...@geekosphere.org Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- include/uapi/linux/netfilter_ipv6/ip6t_REJECT.h |4 +++- net

[PATCH 6/9] netfilter: xt_TEE: use IS_ENABLED(CONFIG_NF_DUP_IPV6)

robot fengguang...@intel.com Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/netfilter/xt_TEE.c |4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/xt_TEE.c b/net/netfilter/xt_TEE.c index 49fee6a..fd980aa 100644 --- a/net/netfilter/xt_TEE.c +++ b/net

[PATCH 9/9] netfilter: reduce sparse warnings

-by: Florian Westphal f...@strlen.de Signed-off-by: Pablo Neira Ayuso pa...@netfilter.org --- net/bridge/netfilter/ebtables.c|2 +- net/ipv6/netfilter/ip6t_SYNPROXY.c |2 +- net/netfilter/core.c |3 --- net/netfilter/nf_synproxy_core.c |6 +++--- 4 files changed, 5

Re: [PATCH v2 net-next] netfilter: ipset: Fixing unnamed union initg

On Sat, Aug 22, 2015 at 08:44:48PM +0200, Pablo Neira Ayuso wrote: [...] I'll wait for some little time just in case someone raises any concern. JFYI, I'll be passing up this patch to David via the nf tree soon. Thanks. -- To unsubscribe from this list: send the line unsubscribe netdev

Re: [PATCH] netfilter: fix bad checksum on IPv6 when NAT is performed

On Tue, Oct 06, 2015 at 04:10:52PM +0200, Maxime Bizon wrote: > > With this setup: > > * non IPv6 checksumming capable network hardware > * GRO off > * IPv6 SNAT > > I get this when I receive an UDPv6 reply: ": hw csum failure" > > Call trace: > > * nf_ip6_checksum() calls

Re: [PATCH net-next v3 3/8] netfilter: Allow calling into nat helper without skb_dst.g

On Wed, Nov 25, 2015 at 04:08:16PM -0800, Jarno Rajahalme wrote: > NAT checksum recalculation code assumes existence of skb_dst, which > becomes a problem for a later patch in the series ("openvswitch: > Interface with NAT."). Simplify this by removing the check on > skb_dst, as the checksum will

Re: [netfilter-core] [PATCH] netfilter: nfnetlink_queue: Unregister pernet subsys in case of init failure

On Mon, Dec 07, 2015 at 02:17:46PM +0100, Pablo Neira Ayuso wrote: > On Mon, Dec 07, 2015 at 02:58:44PM +0200, Nikolay Borisov wrote: > > > > > > On 12/07/2015 02:29 PM, Sergei Shtylyov wrote: > > > Hello. > > > > > > On 12/07/2015 01:13

Re: [PATCH] netfilter: Initialize local variables to NULL, to prevent using them when uninitialized.

We already have this: http://git.kernel.org/cgit/linux/kernel/git/pablo/nf.git/commit/?id=8e662164abb4a8fde701a46e1431980f9e325742 We'll be sending this today to David to avoid this annoyance. Thanks for you patch anyway. -- To unsubscribe from this list: send the line "unsubscribe netdev" in

Re: [PATCH net] nftables: use list_for_each_entry_safe_reverse to traversal commit_list in nf_tables_abort

On Mon, Dec 07, 2015 at 06:48:07PM +0800, Xin Long wrote: > when we use 'nft -f' to sumbit rules, it will build multiple rules into > one netlink skb to send to kernel, kernel will process them one by one. > meanwhile, it add the trans into commit_list to record every commit. > if one of them's

Re: [PATCH] net: remove unnecessary semicolon in netdev_alloc_pcpu_stats()

<ka...@openwrt.org> > Signed-off-by: Felix Fietkau <n...@openwrt.org> Acked-by: Pablo Neira Ayuso <pa...@netfilter.org> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html

[ANNOUNCE] NetDev 1.1 updates (Seville, Spain February 10-12)

Hi! We would like to share with you some interesting updates regarding netdev 1.1, the community-driven Linux networking conference held back-to-back with netconf in Sevilla, Spain, February 10-12, 2016. First off, we're extending our session proposal submission deadline to Dec 20th. Moreover,

Re: linux-next: manual merge of the ipvs-next tree with the tree

On Tue, Dec 01, 2015 at 07:26:09PM +, Mark Brown wrote: > Hi Simon, > > Today's linux-next merge of the ipvs-next tree got a conflict in > between commit 264640fc2c5f4f ("ipv6: distinguish frag queues by > device for multicast and link-local packets") from the net tree and > commit

Re: [PATCH] netfilter: nfnetlink_queue: Unregister pernet subsys in case of init failure

On Mon, Dec 07, 2015 at 02:58:44PM +0200, Nikolay Borisov wrote: > > > On 12/07/2015 02:29 PM, Sergei Shtylyov wrote: > > Hello. > > > > On 12/07/2015 01:13 PM, Nikolay Borisov wrote: > > > >> Commit 3bfe049807c2403 ('netfilter: nfnetlink_{log,queue}: > > > >Double quotes please, that's

Re: [PATCH net-next v4 8/8] openvswitch: Interface with NAT.

On Tue, Dec 08, 2015 at 05:01:10PM -0800, Jarno Rajahalme wrote: > - /* Call the helper right after nf_conntrack_in() for confirmed > - * connections, but only when commiting for unconfirmed connections. > - */ > ct = nf_ct_get(skb, ); > - if (ct && (nf_ct_is_confirmed(ct)

Re: [PATCH net-next v4 2/8] netfilter: Factor out nf_ct_get_info().

On Tue, Dec 08, 2015 at 05:01:04PM -0800, Jarno Rajahalme wrote: > Define a new inline function to map conntrack status to enum > ip_conntrack_info. This removes the need to otherwise duplicate this > code in a later patch ("openvswitch: Find existing conntrack entry > after upcall."). > >

[PATCH 5/6] netfilter: nf_dup: add missing dependencies with NF_CONNTRACK

CONFIG_NF_CONNTRACK=m CONFIG_NF_DUP_IPV4=y results in: net/built-in.o: In function `nf_dup_ipv4': >> (.text+0xd434f): undefined reference to `nf_conntrack_untracked' Reported-by: kbuild test robot <fengguang...@intel.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org

[PATCH 6/6] netfilter: nf_tables: use reverse traversal commit_list in nf_tables_abort

er of rollback should be: 'del tab trans' -> 'del set trans' -> 'add set trans'. which is opposite with commit_list order. so fix it by rolling back commits with reverse order in nf_tables_abort. Signed-off-by: Xin Long <lucien....@gmail.com> Signed-off-by: Pablo Neira Ayuso <pa.

Re: [PATCH net] nftables: use list_for_each_entry_safe_reverse to traversal commit_list in nf_tables_abort

On Thu, Dec 10, 2015 at 12:24:21AM +0800, Xin Long wrote: > On Wed, Dec 9, 2015 at 10:03 PM, Pablo Neira Ayuso <pa...@netfilter.org> > wrote: > > On Mon, Dec 07, 2015 at 06:48:07PM +0800, Xin Long wrote: [...] > >> the right order of rollback should be: > >>

[ANNOUNCE] Another round of NetDev 1.1 updates

Hi! We would like to share with you another round of incremental updates on accepted sessions in netdev 1.1, the community-driven Linux networking conference held back-to-back with netconf in Sevilla, Spain, February 10-12, 2016. = Keynote = * "Hardware Checksumming: Less is More" (David S.

[PATCH 2/6] netfilter: nfnetlink_queue: Unregister pernet subsys in case of init failure

Borisov <ker...@kyup.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index 3e24054..861c661 100644 --- a/net

[PATCH 3/6] netfilter: nfnetlink: avoid recurrent netns lookups in call_batch

Pass the net pointer to the call_batch callback functions so we can skip recurrent lookups. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- include/linux/netfilter/nfnetlink.h | 2 +- net/netfilter/nf_

[PATCH 1/6] netfilter: nfnetlink_queue: avoid harmless unnitialized variable warnings

g without forcing us to preinitialize the variable. Signed-off-by: Arnd Bergmann <a...@arndb.de> Fixes: a4b4766c3ceb ("netfilter: nfnetlink_queue: rename related to nfqueue attaching conntrack info") Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_queue.c

[PATCH 4/6] netfilter: nfnetlink: fix splat due to incorrect socket memory accounting in skbuff clones

nt to resolve this problem. Reported-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> Reported-by: Ben Hutchings <b...@decadent.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> Tested-by: Arturo Borrero Gonzalez <arturo.borrero.g...@gmail.com> --- net

[PATCH 0/6] netfilter fixes for net

Neira Ayuso (3): netfilter: nfnetlink: avoid recurrent netns lookups in call_batch netfilter: nfnetlink: fix splat due to incorrect socket memory accounting in skbuff clones netfilter: nf_dup: add missing dependencies with NF_CONNTRACK Xin Long (1): netfilter: nf_tables: use

Re: [PATCH 7/8] netfilter: prepare xt_cgroup for multi revisions

On Mon, Dec 07, 2015 at 05:38:54PM -0500, Tejun Heo wrote: > xt_cgroup will grow cgroup2 path based match. Postfix existing > symbols with _v0 and prepare for multi revision registration. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a

Re: [PATCH 8/8] netfilter: implement xt_cgroup cgroup2 path match

On Mon, Dec 07, 2015 at 05:38:55PM -0500, Tejun Heo wrote: > This patch implements xt_cgroup path match which matches cgroup2 > membership of the associated socket. The match is recursive and > invertible. Applied, thanks. I shared the same concerns as Florian regarding the large size of the

[ANNOUNCE] NetDev 1.1 is approaching...

Hi! For those that still didn't hear about us, Netdev 1.1 is the community-driven Linux networking conference. This event will be again held back-to-back with NetConf in Sevilla, Spain, February 10-12, 2016. After the holidays break (happy new year everyone!), we would like to make a quick

Re: nf_unregister_net_hook: hook not found!

On Mon, Dec 28, 2015 at 09:05:03PM +0100, Sander Eikelenboom wrote: > Hi, > > Running a 4.4.0-rc6 kernel i encountered the warning below. Cc'ing Eric Biederman. @Sander, could you provide a way to reproduce this? Thanks. > [ 13.740472] ip_tables: (C) 2000-2006 Netfilter Core Team > [

[PATCH 1/2] netfilter: nf_tables: use skb->protocol instead of assuming ethernet header

Otherwise we may end up with incorrect network and transport header for other protocols. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_tables_netdev.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_netdev.c

[PATCH 2/2] netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key

From: Florian Westphal <f...@strlen.de> one nft userspace test case fails with 'ct l3proto original ipv4' mismatches 'ct l3proto ipv4' ... because NFTA_CT_DIRECTION attr is missing. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilte

[PATCH 0/2] Netfilter fixes for net

-12-18 14:45:45 +0100) Florian Westphal (1): netfilter: nft_ct: include direction when dumping NFT_CT_L3PROTOCOL key Pablo Neira Ayuso (1): netfilter: nf_tables: use skb->protocol instead of assuming ethernet header

Re: [PATCH net-next v5 2/8] netfilter: Factor out nf_ct_get_info().

On Wed, Dec 16, 2015 at 04:36:41PM -0800, Jarno Rajahalme wrote: > Define a new inline function to map conntrack status to enum > ip_conntrack_info. This removes the need to otherwise duplicate this > code in a later patch ("openvswitch: Find existing conntrack entry > after upcall."). > >

Re: [PATCH] ila: add NETFILTER dependency

On Fri, Dec 18, 2015 at 03:37:37PM +0100, Arnd Bergmann wrote: > The recently added generic ILA translation facility fails to > build when CONFIG_NETFILTER is disabled: > > net/ipv6/ila/ila_xlat.c:229:20: warning: 'struct nf_hook_state' declared > inside parameter list >

[PATCH 05/23] netfilter-bridge: brace placement

From: Ian Morris <i...@chirality.org.uk> Change brace placement to eliminate checkpatch error. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/ebt_log.c | 6

[PATCH 12/23] netfilter: nf_tables: remove unused struct members

From: Florian Westphal <f...@strlen.de> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/inc

[PATCH 10/23] netfilter: ipv6: avoid nf_iterate recursion

eshold to skip already-called hooks we can now just return NF_ACCEPT to move on to the next hook except for -EINPROGRESS (which means skb has been queued for reassembly), in which case we return NF_STOLEN. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa..

[PATCH 00/23] Netfilter updates for net-next

arcelo Ricardo Leitner (1): netfilter: nf_ct_sctp: move ip_ct_sctp away from UAPI Mikko Rapeli (2): netfilter: ebtables: use __u64 from linux/types.h netfilter: fix include files for compilation Pablo Neira (1): netfilter: cttimeout: add netns support Pablo Neira Ay

[PATCH 01/23] netfilter: ebtables: use __u64 from linux/types.h

From: Mikko Rapeli <mikko.rap...@iki.fi> Fixes userspace compilation error: linux/netfilter_bridge/ebtables.h:38:2: error: unknown type name ‘uint64_t’ Signed-off-by: Mikko Rapeli <mikko.rap...@iki.fi> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> ---

[PATCH 19/23] netfilter: cttimeout: add netns support

From: Pablo Neira <pa...@netfilter.org> Add a per-netns list of timeout objects and adjust code to use it. Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/net_namespace.h | 3 + include/net/netfilter/nf_conntrack_timeout.h | 2 +- n

[PATCH 21/23] netfilter: implement xt_cgroup cgroup2 path match

Cc: Daniel Borkmann <dan...@iogearbox.net> Cc: Daniel Wagner <daniel.wag...@bmw-carit.de> CC: Neil Horman <nhor...@tuxdriver.com> Cc: Jan Engelhardt <jeng...@inai.de> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> -

[PATCH 11/23] netfilter: Set /proc/net entries owner to root in namespace

ilable, so this order should be followed: unshare(CLONE_NEWUSER); /* Setup the mapping */ unshare(CLONE_NEWNET); Signed-off-by: Philip Whineray <p...@firehol.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nf_conntrack_expect.c | 7

[PATCH 23/23] netfilter: meta: add support for setting skb->pkttype

igned-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nft_meta.c | 38 ++ 1 file changed, 38 insertions(+) diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index 5b

[PATCH 14/23] netfilter: nf_tables: extend tracing infrastructure

ed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Patrick McHardy <ka...@trash.net> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables.h| 32 include/uapi/linux/netfilter/nf_tables.h | 52 ++ include/uapi/linux/netfilter/

[PATCH 17/23] netfilter: nfnetlink_log: Change setter functions to be void

or these methods to return int. Signed-off-by: Rami Rosen <rami.ro...@intel.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink_log.c | 8 ++-- 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nfnetlink_log.c b/net/net

[PATCH 16/23] netfilter: ipv6: nf_defrag: fix NULL deref panic

t;valdis.kletni...@vt.edu> Tested-by: Valdis Kletnieks <valdis.kletni...@vt.edu> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv6/netfilter/nf_conntrack_reasm.c | 13 - 1 file changed, 8 insertions(+), 5

[PATCH 08/23] netfilter: remove duplicate include

From: stephen hemminger <shemm...@brocade.com> Signed-off-by: Stephen Hemminger <step...@networkplumber.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/ipv4/netfilter/nf_reject_ipv4.c | 1 - net/ipv6/netfilter/nf_reject_ipv6.c | 1 - 2 files changed, 2

[PATCH 15/23] netfilter: nf_tables: wrap tracing with a static key

larger nft_do_chain footprint. Signed-off-by: Florian Westphal <f...@strlen.de> Acked-by: Patrick McHardy <ka...@trash.net> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tables_core.h | 1 + include/net/netfilter/nft_meta.h | 3 +++ ne

[PATCH 18/23] netfilter: nf_tables: fix nf_log_trace based tracing

From: Florian Westphal <f...@strlen.de> nf_log_trace() outputs bogus 'TRACE:' strings because I forgot to update the comments array. Fixes: 33d5a7b14bfd0 ("netfilter: nf_tables: extend tracing infrastructure") Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by:

[PATCH 02/23] netfilter: fix include files for compilation

From: Mikko Rapeli <mikko.rap...@iki.fi> Add missing header dependencies and other small changes so that each file compiles alone in userspace. Signed-off-by: Mikko Rapeli <mikko.rap...@iki.fi> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/lin

[PATCH 22/23] nfnetlink: add nfnl_dereference_protected helper

From: Florian Westphal <f...@strlen.de> to avoid overly long line in followup patch. Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/netfilter/nfnetlink.c | 13 +++-- 1 file changed, 7 insertions(+), 6

[PATCH 20/23] netfilter: prepare xt_cgroup for multi revisions

g...@bmw-carit.de> CC: Neil Horman <nhor...@tuxdriver.com> Cc: Jan Engelhardt <jeng...@inai.de> Cc: Pablo Neira Ayuso <pa...@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/uapi/linux/netfilter/xt_cgroup.h | 2 +

[PATCH 13/23] netfilter: nft_payload: add packet mangling support

ferent checksumming methods can be specified. The currently supported methods are NONE for no checksum updates, and INET for internet type checksums. Signed-off-by: Patrick McHardy <ka...@trash.net> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/net/netfilter/nf_tab

[PATCH 06/23] netfilter-bridge: layout of if statements

From: Ian Morris <i...@chirality.org.uk> Eliminate some checkpatch issues by improved layout of if statements. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfil

[PATCH 03/23] netfilter-bridge: Cleanse indentation

From: Ian Morris <i...@chirality.org.uk> Fixes a bunch of issues detected by checkpatch with regards to code indentation. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/n

[PATCH 04/23] netfilter-bridge: use netdev style comments

From: Ian Morris <i...@chirality.org.uk> Changes comments to use netdev style. No changes detected by objdiff. Signed-off-by: Ian Morris <i...@chirality.org.uk> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- net/bridge/netfilter/ebt_log.c | 3 +- net/bridge/ne

[PATCH 07/23] netfilter: nf_ct_sctp: move ip_ct_sctp away from UAPI

imilar structs for other protocols. Signed-off-by: Marcelo Ricardo Leitner <marcelo.leit...@gmail.com> Acked-by: Neil Horman <nhor...@tuxdriver.com> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org> --- include/linux/netfilter/nf_conntrack_sctp.h | 13 + incl

[PATCH 09/23] netfilter: ipv6: nf_defrag: avoid/free clone operations

anymore to deal with this situation so just remove that. A followup patch can then also remove the NF_HOOK (re)invocation in the ipv6 netfilter defrag hook. Cc: Joe Stringer <joestrin...@nicira.com> Signed-off-by: Florian Westphal <f...@strlen.de> Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.

Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

On Fri, Nov 20, 2015 at 08:56:25PM +0100, Pablo Neira Ayuso wrote: > Regarding #7, I have a couple two concerns: > > 1) cgroup currently doesn't work the way users expect, ie. to perform any >reasonable firewalling. Since this relies on early demux, only a >limited number

Re: [PATCHSET v2] netfilter, cgroup: implement xt_cgroup2 match

On Fri, Nov 20, 2015 at 01:59:12PM -0500, David Miller wrote: > From: Tejun Heo > Date: Thu, 19 Nov 2015 13:52:44 -0500 > > > This is the second take of the xt_cgroup2 patchset. Changes from the > > last take are > > > > * Instead of adding sock->sk_cgroup separately,

<    1   2   3   4   5   6   7   8   9   10   >