Re: [PATCH iptables] xtables: use exponential delay when waiting for xtables lock

2016-04-27 Thread Liping Zhang
2016-04-08 11:07 GMT+08:00 Subash Abhinov Kasiviswanathan : > ip[6]tables currently waits for 1 second for the xtables lock to > be freed if the -w option is used. We have seen that the lock is > held much less than that resulting in unnecessary delay when > trying to

Re: [nft PATCH] evaluate: better error reporting in too long sets names

2016-04-27 Thread Pablo Neira Ayuso
On Wed, Apr 27, 2016 at 07:36:38PM +0200, Jozsef Kadlecsik wrote: > On Wed, 27 Apr 2016, Pablo Neira Ayuso wrote: > > > On Wed, Apr 20, 2016 at 03:43:00PM +0200, Arturo Borrero Gonzalez wrote: > > > Currently, if we choose a set name larger than allowed, the error message > > > is: > > > Error:

Re: [nft PATCH] evaluate: better error reporting in too long sets names

2016-04-27 Thread Pablo Neira Ayuso
On Wed, Apr 20, 2016 at 03:43:00PM +0200, Arturo Borrero Gonzalez wrote: > Currently, if we choose a set name larger than allowed, the error message is: > Error: Could not process rule: Numerical result out of range > > Let's inform the user with a better error message. > > We can discuss later

Re: [iptables PATCH] configure: make libmnl and libnftnl hard requirements

2016-04-27 Thread Pablo Neira Ayuso
On Tue, Apr 26, 2016 at 09:27:58PM +0200, Giuseppe Longo wrote: > From: Giuseppe Longo > > Iptables building is broken if either libmnl or libnftnl > is not installed on the system. > > Configure script actually checks if libmnl and libnftnl are installed, > but doesn't

Re: [PATCH 1/2] NFQUEUE: Fix bug with order of fanout and bypass

2016-04-27 Thread Pablo Neira Ayuso
On Thu, Apr 14, 2016 at 08:55:58PM +0530, Shivani Bhardwaj wrote: > NFQUEUE had a bug with the ordering of fanout and bypass options which > was arising due to same and odd values for flags and bypass when used > together. Because of this, during bitwise ANDing of flags and > NFQ_FLAG_CPU_FANOUT,

Re: [PATCH 2/2] extensions: libxt_NFQUEUE: Unstack different versions

2016-04-27 Thread Pablo Neira Ayuso
On Thu, Apr 14, 2016 at 08:56:49PM +0530, Shivani Bhardwaj wrote: > Remove the stacking of older version into the newer one by adding the > appropriate code corresponding to each version. Also applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the

Re: [PATCH net-next v2] taskstats: fix nl parsing in accounting/getdelays.c

2016-04-27 Thread David Miller
From: Nicolas Dichtel Date: Wed, 27 Apr 2016 17:53:08 +0200 > The type TASKSTATS_TYPE_NULL should always be ignored. > > When jumping to the next attribute, only the length of the current > attribute should be added, not the length of all nested attributes. > This

Re: [PATCH net-next 9/9] taskstats: use the libnl API to align nlattr on 64-bit

2016-04-27 Thread David Miller
From: Balbir Singh Date: Wed, 27 Apr 2016 22:29:22 +1000 > My concern is ABI breakage of user space. The "ABI" is that unrecognized attributes must be silently ignored by userspace.

Re: [PATCH nft 7/7] nft: add flow statement

2016-04-27 Thread Pablo Neira Ayuso
On Wed, Apr 27, 2016 at 12:29:50PM +0100, Patrick McHardy wrote: > The flow statement allows to instantiate per flow statements for user > defined flows. This can so far be used for per flow accounting or limiting, > similar to what the iptables hashlimit provides. Flows can be aged using > the

Re: [PATCH net-next] taskstats: fix nl parsing in accounting/getdelays.c

2016-04-27 Thread Nicolas Dichtel
On 27/04/2016 17:47, Nicolas Dichtel wrote: > The type TASKSTATS_TYPE_NULL should always be ignored. > > When jumping to the next attribute, only the length of the current > attribute should be added, not the length of all nested attributes. > This last bug was not visible before commit

[PATCH net-next v2] taskstats: fix nl parsing in accounting/getdelays.c

2016-04-27 Thread Nicolas Dichtel
The type TASKSTATS_TYPE_NULL should always be ignored. When jumping to the next attribute, only the length of the current attribute should be added, not the length of all nested attributes. This last bug was not visible before commit 80df554275c2, because the kernel didn't put more than two

Re: [PATCH net-next 9/9] taskstats: use the libnl API to align nlattr on 64-bit

2016-04-27 Thread Nicolas Dichtel
On 27/04/2016 14:29, Balbir Singh wrote: [snip] > Please try > > https://www.kernel.org/doc/Documentation/accounting/getdelays.c A patch follows this mail to fix that. > > iotop uses it as well. My concern is ABI breakage of user space. My test is ok here, I didn't see a problem. Code review

Re: [nft PATCH] tests: shell: add testcases for named sets with intervals

2016-04-27 Thread Pablo Neira Ayuso
On Mon, Apr 25, 2016 at 12:20:57PM +0200, Arturo Borrero Gonzalez wrote: > Let's add some testcases for named sets with intervals and ranges. Applied, thanks Arturo!

[PATCH nft 3/3 nft] tests/py: add interval tests

2016-04-27 Thread Pablo Neira Ayuso
Add some initial tests to cover dynamic interval sets. Signed-off-by: Pablo Neira Ayuso --- tests/py/ip/sets.t | 12 tests/py/ip6/sets.t | 11 +++ 2 files changed, 23 insertions(+) diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t index

[PATCH nft 2/3 nft] tests/py: explicitly indication of set type and flags from test definitions

2016-04-27 Thread Pablo Neira Ayuso
This patch adds explicit set type in test definitions, as well as flags. This has triggered a rework that starts by introducing a Set class to make this whole code more extensible and maintainable. Signed-off-by: Pablo Neira Ayuso --- tests/py/ip/sets.t | 12

Re: [PATCH net-next 9/9] taskstats: use the libnl API to align nlattr on 64-bit

2016-04-27 Thread Balbir Singh
On 27/04/16 17:29, Nicolas Dichtel wrote: > On 27/04/2016 03:14, Balbir Singh wrote: >> >> >> On 23/04/16 01:31, Nicolas Dichtel wrote: >>> Goal of this patch is to use the new libnl API to align netlink attribute >>> when needed. >>> The layout of the netlink message will be a bit different

[PATCH nft 6/7] stmt: support generating stateful statements outside of rule context

2016-04-27 Thread Patrick McHardy
The flow statement contains a stateful per flow statement, which is not directly part of the rule. Allow generating these statements without adding them to the rule and mark the supported statements using a new flag STMT_F_STATEFUL. Signed-off-by: Patrick McHardy ---

[PATCH nft 7/7] nft: add flow statement

2016-04-27 Thread Patrick McHardy
The flow statement allows to instantiate per flow statements for user defined flows. This can so far be used for per flow accounting or limiting, similar to what the iptables hashlimit provides. Flows can be aged using the timeout option. Examples: # nft filter input flow ip saddr . tcp dport

[PATCH nft 5/7] netlink_delinearize: support parsing statements not contained within a rule

2016-04-27 Thread Patrick McHardy
Return the parsed statement instead of adding it to the rule in order to parse statements contained in the flow statement. Signed-off-by: Patrick McHardy --- include/netlink.h | 2 +- src/netlink_delinearize.c | 70 --- 2

[PATCH nft 2/7] set: allow non-constant implicit set declarations

2016-04-27 Thread Patrick McHardy
Currently all implicitly declared sets are marked as constant. The flow statement needs to implicitly declare non-constant sets, so instead of unconditionally marking the set as constant, only do so if the declaring expression is itself a constant set. Signed-off-by: Patrick McHardy

[PATCH nft 3/7] set: explicitly supply name to implicit set declarations

2016-04-27 Thread Patrick McHardy
Support explicitly naming implicitly declared sets. Also change the template names for literal sets and maps to use identifiers that can not clash with user supplied identifiers. Signed-off-by: Patrick McHardy --- src/evaluate.c | 10 +++--- 1 file changed, 7 insertions(+),

[PATCH nft 1/7] netlink: make dump functions object argument constant

2016-04-27 Thread Patrick McHardy
Signed-off-by: Patrick McHardy --- include/netlink.h | 10 +- include/nftables.h | 2 +- src/netlink.c | 10 +- 3 files changed, 11 insertions(+), 11 deletions(-) diff --git a/include/netlink.h b/include/netlink.h index 8444742..80b7c60 100644 ---

[PATCH nft 0/7] flow statement

2016-04-27 Thread Patrick McHardy
The following patches add the "flow" statement to dynamically instantiate stateful expression for each user defined flow. This can currently be used for per flow accounting and per flow rate limiting, similar to what hashlimit provides, but with a much more flexible definition of a flow.

Re: [PATCH net-next 9/9] taskstats: use the libnl API to align nlattr on 64-bit

2016-04-27 Thread Nicolas Dichtel
On 27/04/2016 03:14, Balbir Singh wrote: > > > On 23/04/16 01:31, Nicolas Dichtel wrote: >> Goal of this patch is to use the new libnl API to align netlink attribute >> when needed. >> The layout of the netlink message will be a bit different after the patch, >> because the padattr