Re: [PATCH iptables] xtables: use exponential delay when waiting for xtables lock

2016-04-28 Thread subashab
This breaks the "-w" option's semantics, i.e. if the user inputs "iptables -w 1" and concurrency happens, we will only wait 10ms and return an error. If there's any chance this patch can break existing setups then we can't take this. I'd suggest you add support to express millisecond

[PATCH nf-next 7/9] netfilter: conntrack: make netns address part of hash

2016-04-28 Thread Florian Westphal
Once we place all conntracks into a global hash table we want them to be spread across the entire hash table, even if namespaces have overlapping ip addresses. We add nf_conntrack_netns_hash helper to later re-use it for nat bysrc and expectation hash handling. The helper also allows us to avoid the

[PATCH nf-next 8/9] netfilter: conntrack: use a single hashtable for all namespaces

2016-04-28 Thread Florian Westphal
We already include netns address in the hash and compare the netns pointers during lookup, so even if namespaces have overlapping addresses entries will be spread across the table. Assuming 64k bucket size, this change saves 0.5 mbyte per namespace on a 64bit system. NAT bysrc and expectation

[PATCH nf-next 6/9] netfilter: conntrack: check netns when comparing conntrack objects

2016-04-28 Thread Florian Westphal
Once we place all conntracks in the same hash table we must also compare the netns pointer to skip conntracks that belong to a different namespace. Signed-off-by: Florian Westphal --- .../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 8 ++--

[PATCH nf-next 3/9] netfilter: conntrack: don't attempt to iterate over empty table

2016-04-28 Thread Florian Westphal
Once we place all conntracks into the same table, iteration becomes more costly because the table contains conntracks that we are not interested in (belonging to other netns). So don't bother scanning if the current namespace has no entries. Signed-off-by: Florian Westphal ---

[PATCH nf-next 1/9] netfilter: conntrack: keep BH enabled during lookup

2016-04-28 Thread Florian Westphal
No need to disable BH here anymore: stats are switched to _ATOMIC variant (== this_cpu_inc()), which nowadays generates the same code as the non _ATOMIC NF_STAT, at least on x86. Signed-off-by: Florian Westphal --- net/netfilter/nf_conntrack_core.c | 25 - 1

[PATCH nf-next 5/9] netfilter: conntrack: small refactoring of conntrack seq_printf

2016-04-28 Thread Florian Westphal
The iteration process is lockless, so we test if the conntrack object is eligible for printing (e.g. is AF_INET) after obtaining the reference count. Once we put all conntracks into the same hash table we might see more entries that need to be skipped. So add a helper and first perform the test in a

[PATCH nf-next 2/9] netfilter: conntrack: fix lookup race during hash resize

2016-04-28 Thread Florian Westphal
When resizing the conntrack hash table at runtime via echo 42 > /sys/module/nf_conntrack/parameters/hashsize, we are racing with the conntrack lookup path -- reads can happen in parallel and nothing prevents readers from observing the newly allocated hash but the old size (or vice versa). So

[PATCH nf-next 9/9] netfilter: conntrack: consider ct netns in early_drop logic

2016-04-28 Thread Florian Westphal
When iterating, skip conntrack entries living in a different netns. We could ignore netns and kill some other non-assured one, but it has two problems: - a netns can kill non-assured conntracks in other namespace - we would start to 'over-subscribe' the affected/overlimit netns. Signed-off-by:

[PATCH nf-next 0/9] netfilter: remove per-netns conntrack tables, part 1

2016-04-28 Thread Florian Westphal
[ CCing netdev so netns folks can have a look too ] This patch series removes the per-netns connection tracking tables. All conntrack objects are then stored in one global table. This avoids the infamous 'vmalloc' when lots of namespaces are used: We no longer allocate a new conntrack

Re: [nft PATCH] dist: include tests/ directory and files in tarball

2016-04-28 Thread Pablo Neira Ayuso
On Thu, Apr 28, 2016 at 12:07:10PM +0200, Arturo Borrero Gonzalez wrote: > On 28 April 2016 at 11:27, Pablo Neira Ayuso wrote: > > On Thu, Apr 28, 2016 at 11:14:38AM +0200, Arturo Borrero Gonzalez wrote: > >> If we include tests/ in the release tarball, downstream

Re: [nft PATCH] dist: include tests/ directory and files in tarball

2016-04-28 Thread Pablo Neira Ayuso
On Thu, Apr 28, 2016 at 11:14:38AM +0200, Arturo Borrero Gonzalez wrote: > If we include tests/ in the release tarball, downstream distributors > can run the testsuites themselves while developing the packages. > > This way, tests can be run in a more integrated environment and they can >

[conntrack-tools PATCH] dist: include tests/ directory and files in tarball

2016-04-28 Thread Arturo Borrero Gonzalez
If we include tests/ in the release tarball, downstream distributors can run the testsuites themselves while developing the packages. This way, tests can be run in a more integrated environment and they can discover errors related to the integration with the given distribution itself.

[nft PATCH] dist: include tests/ directory and files in tarball

2016-04-28 Thread Arturo Borrero Gonzalez
If we include tests/ in the release tarball, downstream distributors can run the testsuites themselves while developing the packages. This way, tests can be run in a more integrated environment and they can discover errors related to the integration with the given distribution itself.

Re: [nf_tables PATCH] netfilter: nf_tables: invert chain deletion abort path

2016-04-28 Thread Arturo Borrero Gonzalez
On 14 April 2016 at 12:24, Pablo Neira Ayuso wrote: > > Thanks for coming up with this Arturo. > > I have a better way to fix this by not adding/removing the objects to > the lists. > > Ping me back if I don't come up with the fix anytime soon. ping :-) -- Arturo Borrero

Re: [nf-next, 1/2] netfilter: conntrack: cache route for forwarded connections

2016-04-28 Thread Charlemagne Lasse
2014-12-08 16:36 GMT+01:00 Florian Westphal: > ... to avoid per-packet FIB lookup if possible. > > The cached dst is re-used provided the input interface > is the same as that of the previous packet in the same direction. > > If not, the cached dst is invalidated. It looks like

[PATCH nf-next] netfilter: allow logging from non-init namespaces

2016-04-28 Thread Michal Kubecek
Commit 69b34fb996b2 ("netfilter: xt_LOG: add net namespace support for xt_LOG") disabled logging packets using the LOG target from non-init namespaces. The motivation was to prevent containers from flooding kernel log of the host. The plan was to keep it that way until syslog namespace

Re: [nft PATCH] evaluate: better error reporting in too long sets names

2016-04-28 Thread Arturo Borrero Gonzalez
On 27 April 2016 at 19:14, Pablo Neira Ayuso wrote: > On Wed, Apr 20, 2016 at 03:43:00PM +0200, Arturo Borrero Gonzalez wrote: >> Currently, if we choose a set name larger than allowed, the error message is: >> Error: Could not process rule: Numerical result out of range >>