[PATCH v3] xtables: Add a smaller delay option when waiting for xtables lock

2016-06-02 Thread Subash Abhinov Kasiviswanathan
ip[6]tables currently waits for 1 second for the xtables lock to be freed if the -w option is used. We have seen that the lock is held much less than that resulting in unnecessary delay when trying to acquire the lock. This problem is even severe in case of latency sensitive applications.

Re: [PATCH -v4 5/7] locking, arch: Update spin_unlock_wait()

2016-06-02 Thread Peter Zijlstra
On Thu, Jun 02, 2016 at 06:57:00PM +0100, Will Deacon wrote: > > +++ b/include/asm-generic/qspinlock.h > > @@ -28,30 +28,13 @@ > > */ > > static __always_inline int queued_spin_is_locked(struct qspinlock *lock) > > { > > + /* > > +* See queued_spin_unlock_wait(). > > * > > +*

Re: [ANNOUNCE] nftables 0.6 release

2016-06-02 Thread Jan Engelhardt
On Thursday 2016-06-02 18:59, Pablo Neira Ayuso wrote: >Resources >= >The nftables code can be obtained from:[...] >To build the code, libnftnl 1.0.6 and libmnl >= 1.0.2 are required: According to configure.ac, libnftnl >=1.0.5 and libmnl >=1.0.3 are requested. Something probably needs a

Re: [PATCH -v4 5/7] locking, arch: Update spin_unlock_wait()

2016-06-02 Thread Will Deacon
On Thu, Jun 02, 2016 at 06:34:25PM +0200, Peter Zijlstra wrote: > On Thu, Jun 02, 2016 at 04:44:24PM +0200, Peter Zijlstra wrote: > > On Thu, Jun 02, 2016 at 10:24:40PM +0800, Boqun Feng wrote: > > > On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote: > > > About spin_unlock_wait() on

[PATCHv4] extensions: libxt_multiport: Add translation to nft

2016-06-02 Thread Laura Garcia Liebana
Add translation for multiport to nftables, which is supported natively. Examples: $ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,81} counter accept $ sudo iptables-translate -t filter -A

Re: Next libmnl release

2016-06-02 Thread Guillaume Nault
On Thu, Jun 02, 2016 at 07:01:58PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jun 02, 2016 at 06:21:50PM +0200, Guillaume Nault wrote: > > Hi, > > > > Are there any plans for a new libmnl release? Sure there aren't so many > > changes, but there are still valuable features, fixes and documentation

Re: Next libmnl release

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 06:21:50PM +0200, Guillaume Nault wrote: > Hi, > > Are there any plans for a new libmnl release? Sure there aren't so many > changes, but there are still valuable features, fixes and documentation > updates. Releasing a new version and updating the online documentation >

[ANNOUNCE] nftables 0.6 release

2016-06-02 Thread Pablo Neira Ayuso
Hi! The Netfilter project proudly presents: nftables 0.6 This release contains many accumulated bug fixes and new features available up to the Linux 4.7-rc1 kernel release. New features * Rule replacement: You can replace any rule from the unique 64-bits handle. You have

Re: [PATCH -v4 5/7] locking, arch: Update spin_unlock_wait()

2016-06-02 Thread Peter Zijlstra
On Thu, Jun 02, 2016 at 04:44:24PM +0200, Peter Zijlstra wrote: > On Thu, Jun 02, 2016 at 10:24:40PM +0800, Boqun Feng wrote: > > On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote: > > About spin_unlock_wait() on ppc, I actually have a fix pending review: > > > >

Next libmnl release

2016-06-02 Thread Guillaume Nault
Hi, Are there any plans for a new libmnl release? Sure there aren't so many changes, but there are still valuable features, fixes and documentation updates. Releasing a new version and updating the online documentation would help making them widely available. Regards, Guillaume

Re: [PATCH -v4 5/7] locking, arch: Update spin_unlock_wait()

2016-06-02 Thread Peter Zijlstra
On Thu, Jun 02, 2016 at 11:11:07PM +0800, Boqun Feng wrote: > On Thu, Jun 02, 2016 at 04:44:24PM +0200, Peter Zijlstra wrote: > > Let me go ponder that some :/ > > > > An initial thought of the fix is making queued_spin_unlock_wait() an > atomic-nop too: > > static inline void

Re: [PATCH -v4 5/7] locking, arch: Update spin_unlock_wait()

2016-06-02 Thread Boqun Feng
On Thu, Jun 02, 2016 at 11:11:07PM +0800, Boqun Feng wrote: [snip] > > OK, I will resend a new patch making spin_unlock_wait() align the > semantics in your series. > I realize that if my patch goes first then it's more safe and convenient to keep the two smp_mb()s in ppc

Re: [PATCH] extensions: libip6t_hbh: Add translation to nft

2016-06-02 Thread Laura Garcia
On Thu, Jun 02, 2016 at 01:08:47PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote: > > Add translation for Hop-By-Hop header to nftables. Hbh options are not > > supported yet in nft. > > It would be good to document this in the wiki, as

Re: [PATCH -v4 5/7] locking, arch: Update spin_unlock_wait()

2016-06-02 Thread Peter Zijlstra
On Thu, Jun 02, 2016 at 10:24:40PM +0800, Boqun Feng wrote: > On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote: > About spin_unlock_wait() on ppc, I actually have a fix pending review: > > http://lkml.kernel.org/r/1461130033-70898-1-git-send-email-boqun.f...@gmail.com Please use

Re: [PATCH -v4 5/7] locking, arch: Update spin_unlock_wait()

2016-06-02 Thread Boqun Feng
On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote: [snip] > --- a/arch/powerpc/include/asm/spinlock.h > +++ b/arch/powerpc/include/asm/spinlock.h > @@ -27,6 +27,8 @@ > #include > #include > #include > +#include > +#include > > #ifdef CONFIG_PPC64 > /* use 0x80yy when

[PATCH] extensions: libxt_devgroup: Fix order of mask and id

2016-06-02 Thread Shivani Bhardwaj
The order of mask and id in the translated code is not apt so fix it. This patch follows commit 8548dd by Liping Zhang. Signed-off-by: Shivani Bhardwaj --- extensions/libxt_devgroup.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git

Re: [PATCH nf] netfilter: x_tables: don't reject valid target size on some architectures

2016-06-02 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 02:04:44AM +0200, Florian Westphal wrote: > Quoting John Stultz: > In updating a 32bit arm device from 4.6 to Linus' current HEAD, I > noticed I was having some trouble with networking, and realized that > /proc/net/ip_tables_names was suddenly empty. > Digging

[PATCH -v4 3/7] locking: Move smp_cond_load_acquire() to asm-generic/barrier.h

2016-06-02 Thread Peter Zijlstra
Since all asm/barrier.h should/must include asm-generic/barrier.h the latter is a good place for generic infrastructure like this. This also allows archs to override the new smp_acquire__after_ctrl_dep(). Signed-off-by: Peter Zijlstra (Intel) ---

[PATCH -v4 7/7] locking,netfilter: Fix nf_conntrack_lock()

2016-06-02 Thread Peter Zijlstra
Even with spin_unlock_wait() fixed, nf_conntrack_lock{,_all}() is borken as it misses a bunch of memory barriers to order the whole global vs local locks scheme. Even x86 (and other TSO archs) are affected. Signed-off-by: Peter Zijlstra (Intel) ---

[PATCH -v4 1/7] locking: Replace smp_cond_acquire with smp_cond_load_acquire

2016-06-02 Thread Peter Zijlstra
This new form allows using hardware assisted waiting. Some hardware (ARM64 and x86) allow monitoring an address for changes, so by providing a pointer we can use this to replace the cpu_relax(). Requested-by: Will Deacon Suggested-by: Linus Torvalds

[PATCH -v4 6/7] locking: Update spin_unlock_wait users

2016-06-02 Thread Peter Zijlstra
With the modified semantics of spin_unlock_wait() a number of explicit barriers can be removed. And update the comment for the do_exit() usecase, as that was somewhat stale/obscure. Signed-off-by: Peter Zijlstra (Intel) --- ipc/sem.c |1 - kernel/exit.c |

[PATCH -v4 5/7] locking, arch: Update spin_unlock_wait()

2016-06-02 Thread Peter Zijlstra
This patch updates/fixes all spin_unlock_wait() implementations. The update is in semantics; where it previously was only a control dependency, we now upgrade to a full load-acquire to match the store-release from the spin_unlock() we waited on. This ensures that when spin_unlock_wait() returns,

[PATCH -v4 2/7] locking: Introduce smp_acquire__after_ctrl_dep

2016-06-02 Thread Peter Zijlstra
Introduce smp_acquire__after_ctrl_dep(), this construct is not uncommon, but the lack of this barrier is. Signed-off-by: Peter Zijlstra (Intel) --- include/linux/compiler.h | 17 - ipc/sem.c| 14 ++ 2 files changed, 14

[PATCH -v4 4/7] locking, tile: Provide TILE specific smp_acquire__after_ctrl_dep

2016-06-02 Thread Peter Zijlstra
Since TILE doesn't do read speculation, its control dependencies also guarantee LOAD->LOAD order and we don't need the additional RMB otherwise required to provide ACQUIRE semantics. Acked-by: Chris Metcalf Signed-off-by: Peter Zijlstra (Intel) ---

Re: [PATCH] extensions: libip6t_hbh: Add translation to nft

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote: > Add translation for Hop-By-Hop header to nftables. Hbh options are not > supported yet in nft. It would be good to document this in the wiki, as Shivani did already. It would be also good if you can document what is missing

Re: [PATCH 1/2,libnftnl] Free user data in unsetters

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 12:55:38PM +0200, Pablo Neira Ayuso wrote: > On Thu, Jun 02, 2016 at 12:40:23PM +0200, Carlos Falgueras García wrote: > > Signed-off-by: Carlos Falgueras García > > --- > > src/rule.c | 2 ++ > > src/set_elem.c | 2 ++ > > 2 files changed, 4

Re: [PATCH 2/2,libnftnl] Check memory allocations in setters

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 12:40:24PM +0200, Carlos Falgueras García wrote: > When you set an object attribute the memory is copied, sometimes an > allocation is needed and it must be checked. By now all setter methods > return void, so the policy adopted in case of error is keep the object >

Re: [PATCH] doc: fix old parameters and update datatypes

2016-06-02 Thread Pablo Neira Ayuso
On Thu, Jun 02, 2016 at 12:25:13AM +0200, Laura Garcia Liebana wrote: > Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation' > instead. Update some FIXME datatypes. Applied, thanks Laura.

Re: [PATCH v3] extensions: libxt_multiport: Add translation to nft

2016-06-02 Thread Pablo Neira Ayuso
On Wed, Jun 01, 2016 at 10:16:18PM +0200, Laura Garcia wrote: > On Wed, Jun 01, 2016 at 04:43:45PM +0200, Arturo Borrero Gonzalez wrote: > > On 31 May 2016 at 20:26, Laura Garcia Liebana wrote: > > > +static int __multiport_xlate_v1(const void *ip, > > > +

[PATCH 2/2,libnftnl] Check memory allocations in setters

2016-06-02 Thread Carlos Falgueras García
When you set an object attribute the memory is copied, sometimes an allocation is needed and it must be checked. By now all setter methods return void, so the policy adopted in case of error is keep the object unchanged. What this patch makes: * All memory allocations inside setters

[PATCH 1/2,libnftnl] Free user data in unsetters

2016-06-02 Thread Carlos Falgueras García
Signed-off-by: Carlos Falgueras García --- src/rule.c | 2 ++ src/set_elem.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/src/rule.c b/src/rule.c index 8ee8648..3576e32 100644 --- a/src/rule.c +++ b/src/rule.c @@ -112,6 +112,8 @@ void nftnl_rule_unset(struct
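
Review bot: the commit message has no body, only the Signed-off-by line, so nothing above the diffstat says why the unsetters in src/rule.c and src/set_elem.c need to free user data or what goes wrong without the four added lines. A sentence or two of description ahead of the sign-off, naming the attribute being released in nftnl_rule_unset() and its set_elem counterpart, would let the change be reviewed and later bisected without reading the code.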