[PATCH nf-next v3] netfilter: nf_defrag: Skip defrag if NOTRACK is set

2018-01-03 Thread Subash Abhinov Kasiviswanathan
conntrack defrag is needed only if some module like CONNTRACK or NAT explicitly requests it. For plain forwarding scenarios, defrag is not needed and can be skipped if NOTRACK is set in a rule. Since conntrack defrag is currently higher priority than raw table, setting NOTRACK is not sufficient.

And another thing

2018-01-03 Thread Duncan Roe
On Thu, Jan 04, 2018 at 09:26:40AM +1100, Duncan Roe wrote:
> On Wed, Jan 03, 2018 at 03:41:08PM +0100, Pablo Neira Ayuso wrote:
> > iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> > --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode
> > srcip,dstport

Re: [PATCH iptables] extensions: hashlimit: fix incorrect burst in translations

2018-01-03 Thread Duncan Roe
On Wed, Jan 03, 2018 at 03:41:08PM +0100, Pablo Neira Ayuso wrote:
> iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit
> --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode
> srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP
>
> shows:
>

[tip:core/rcu] netlink: Remove smp_read_barrier_depends() from comment

2018-01-03 Thread tip-bot for Paul E. McKenney
Commit-ID: dfe1b4427835f995aed593d063e6fcdf78b00823
Gitweb: https://git.kernel.org/tip/dfe1b4427835f995aed593d063e6fcdf78b00823
Author: Paul E. McKenney
AuthorDate: Mon, 27 Nov 2017 09:26:06 -0800
Committer: Paul E. McKenney

[tip:core/rcu] netfilter: Remove now-redundant smp_read_barrier_depends()

2018-01-03 Thread tip-bot for Paul E. McKenney
Commit-ID: 4be2b04e43fd3d8164d7aeb1808e47fbeb0c0de0
Gitweb: https://git.kernel.org/tip/4be2b04e43fd3d8164d7aeb1808e47fbeb0c0de0
Author: Paul E. McKenney
AuthorDate: Mon, 9 Oct 2017 12:09:04 -0700
Committer: Paul E. McKenney

[tip:core/rcu] netfilter: Eliminate cond_resched_rcu_qs() in favor of cond_resched()

2018-01-03 Thread tip-bot for Paul E. McKenney
Commit-ID: ffa53c5863ddb265f9a25729023f4d0409cdacf7
Gitweb: https://git.kernel.org/tip/ffa53c5863ddb265f9a25729023f4d0409cdacf7
Author: Paul E. McKenney
AuthorDate: Tue, 24 Oct 2017 06:48:39 -0700
Committer: Paul E. McKenney

[PATCH iptables] extensions: hashlimit: fix incorrect burst in translations

2018-01-03 Thread Pablo Neira Ayuso
iptables-translate -A INPUT -m tcp -p tcp --dport 80 -m hashlimit --hashlimit-above 200kb/s --hashlimit-burst 1mb --hashlimit-mode srcip,dstport --hashlimit-name http2 --hashlimit-htable-expire 3000 -j DROP

shows:

nft add rule ip filter INPUT tcp dport 80 flow table http2 { tcp dport . ip

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

2018-01-03 Thread Pablo Neira Ayuso
On Wed, Jan 03, 2018 at 09:47:46AM +1100, Duncan Roe wrote:
> Hi Pablo,
>
> On Sun, Dec 31, 2017 at 12:16:30AM +0100, Pablo Neira Ayuso wrote:
> > Hi Harsha,
> >
> > On Sun, Dec 31, 2017 at 09:51:10AM +1100, Duncan Roe wrote:
> > > On Thu, Dec 28, 2017 at 11:52:36AM +0100, Pablo Neira Ayuso

[PATCH v3] extensions: libxt_hashlimit: Do not insert default timeout or burst

2018-01-03 Thread Duncan Roe
Do not output timeout or burst if not in original iptables command.

This version correctly translates all 3 examples in the wiki.

(This is a patch to previous commit 27de281d8aca84e3c841b3ae72a17616b1382ac4)

Signed-off-by: Duncan Roe
---