Re: [PATCH nf-next v2 1/3] netfilter: bridge: add and use br_nf_hook_thresh

2016-07-14 Thread Aaron Conole
Pablo Neira Ayuso writes:
> On Tue, Jul 12, 2016 at 11:32:19AM -0400, Aaron Conole wrote:
>> +/* recursively invokes nf_hook_slow (again), skipping already-called
>> + * hooks (< NF_BR_PRI_BRNF).
>> + *
>> + * Called with rcu read lock held.
>> + */
>> +int

Re: [PATCH v2 3/3] netfilter: replace list_head with single linked list

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:21AM -0400, Aaron Conole wrote:
> The netfilter hook list never uses the prev pointer, and so can be
> trimmed to be a smaller singly-linked list.
>
> In addition to having a more lightweight structure for hook traversal,
> struct net becomes 5568 bytes (down from

Re: [PATCH nf-next v2 2/3] netfilter: call nf_hook_state_init with rcu_read_lock held

2016-07-14 Thread Florian Westphal
Pablo Neira Ayuso wrote:
> > diff --git a/net/bridge/netfilter/ebt_redirect.c
> > b/net/bridge/netfilter/ebt_redirect.c
> > index 20396499..2e7c4f9 100644
> > --- a/net/bridge/netfilter/ebt_redirect.c
> > +++ b/net/bridge/netfilter/ebt_redirect.c
> > @@ -24,7 +24,7 @@

Re: [PATCH nf-next v2 2/3] netfilter: call nf_hook_state_init with rcu_read_lock held

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:20AM -0400, Aaron Conole wrote:
> From: Florian Westphal
>
> This makes things simpler because we can store the head of the list
> in the nf_state structure without worrying about concurrent add/delete
> of hook elements from the list. This is

Re: [PATCH nf-next v2 1/3] netfilter: bridge: add and use br_nf_hook_thresh

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 12, 2016 at 11:32:19AM -0400, Aaron Conole wrote:
> +/* recursively invokes nf_hook_slow (again), skipping already-called
> + * hooks (< NF_BR_PRI_BRNF).
> + *
> + * Called with rcu read lock held.
> + */
> +int br_nf_hook_thresh(unsigned int hook, struct net *net,
> +

Re: [PATCH v2 nf] netfilter: x_tables: speed up jump target validation

2016-07-14 Thread Florian Westphal
Florian Westphal wrote:
> The dummy ruleset I used to test the original validation change was broken,
> most rules were unreachable and were not tested by mark_source_chains().
...
I will send a v3 to also include arptables. I thought arptables was irrelevant since arptable

Re: [PATCH nft 2/3] meta: add short-hand mnemonic for probalistic matching

2016-07-14 Thread Florian Westphal
Pablo Neira Ayuso wrote:
> But if the user introduces a meta random value that can be mapped to
> probability datatype, we would still hit this asymmetry, right? So the
> guess game would fail and the user would get confused.
Yes, but that's not really different from what we

Re: [PATCH nft 2/3] meta: add short-hand mnemonic for probalistic matching

2016-07-14 Thread Pablo Neira Ayuso
On Thu, Jul 14, 2016 at 12:52:18PM +0200, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
> > On Tue, Jul 05, 2016 at 09:35:34AM +0200, Florian Westphal wrote:
> > > Allow users to use a simpler way to specify probabilistic matching, e.g.:
> > >
> > > meta probability 0.5

Re: [PATCH nft 2/3] meta: add short-hand mnemonic for probalistic matching

2016-07-14 Thread Florian Westphal
Pablo Neira Ayuso wrote:
> On Tue, Jul 05, 2016 at 09:35:34AM +0200, Florian Westphal wrote:
> > Allow users to use a simpler way to specify probabilistic matching, e.g.:
> >
> > meta probability 0.5 (match approx. every 2nd packet)
> > meta probability 0.001

Re: [PATCH nft 2/3] meta: add short-hand mnemonic for probalistic matching

2016-07-14 Thread Pablo Neira Ayuso
On Tue, Jul 05, 2016 at 09:35:34AM +0200, Florian Westphal wrote:
> Allow users to use a simpler way to specify probabilistic matching, e.g.:
>
> meta probability 0.5 (match approx. every 2nd packet)
> meta probability 0.001 (match approx. once every 1000 packets)
>
> nft