Re: linux-next: build warning after merge of the netfilter-next tree

Hi all, On Mon, 7 May 2018 10:55:19 +1000 Stephen Rothwell wrote: > > After merging the netfilter-next tree, today's linux-next build (x86_64 > allmodconfig) produced this warning: > > ./usr/include/linux/netfilter/nf_osf.h:25: found __[us]{8,16,32,64} type > without

Re: [RFC PATCH nft] WIP: Introducing socket matching

Máté Eckl wrote: > I have been working on a skeleton for socket matching which is required by > tproxy support. > > See the WIP patch below and please comment if you have something to note. Excellent, thanks for working on this. > My thoughts: > * The parser is fine with

[RFC PATCH nft] WIP: Introducing socket matching

Hi, I have been working on a skeleton for socket matching which is required by tproxy support. See the WIP patch below and please comment if you have something to note. My thoughts: * The parser is fine with this version of socket matching, matching the flags is still to be implemented. * We

[PATCH nft] parser: added missing semicolon

It did not make any harm, but it was certainly missing. Signed-off-by: Máté Eckl --- src/parser_bison.y | 1 + 1 file changed, 1 insertion(+) diff --git a/src/parser_bison.y b/src/parser_bison.y index eed6000..7238a94 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y

[PATCH iptables] tests added for shifted portmap range with DNAT

I added and verified these tests after applying Florian's fixed wrt. nf_nat_range2 size for rev2. Signed-off-by: Thierry Du Tre ---  extensions/libip6t_DNAT.t | 5 +  extensions/libipt_DNAT.t  | 5 +  2 files changed, 10 insertions(+) diff --git

Re: is updated hook documentation available?

Chris Caudle wrote: > I need to update a driver which using nf_register_hook() and > nf_unregister_hook(); calls to those functions fail on recent kernels, so > I need to change to (according to gcc error message recommendation) > nf_register_net_hook() and

is updated hook documentation available?

I need to update a driver which using nf_register_hook() and nf_unregister_hook(); calls to those functions fail on recent kernels, so I need to change to (according to gcc error message recommendation) nf_register_net_hook() and nf_unregister_net_hook(). The documentation I found while searching

[PATCH xtables-compat,v3 2/3] xtables-compat-restore: flush user-defined chains with -n

-n still flushes user-defined chains and its content, the following snippet: iptables-compat -N FOO iptables-compat -I INPUT iptables-compat -I FOO iptables-compat -I FOO iptables-compat-save > A iptables-compat-restore < A iptables-compat -N BAR iptables-compat -A BAR

[PATCH nf] netfilter: nf_tables_api: set min dump size to 8k

Under rare conditions its possible that nfnetlink dump of nft ruleset will not return any result. Problem occurs when netlink_dump() is invoked for first time, in response to incoming dump request. In that case, netlink socket hasn't recored the size of the userspace buffer yet, as userspace did

[PATCH xtables-compat 3/3] xtables-compat: fix bogus error with -X and no user-defined chains

# iptables-compat -X iptables: No chain/target/match by that name. While it should display no error message at all. Signed-off-by: Pablo Neira Ayuso --- iptables/nft.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iptables/nft.c b/iptables/nft.c

[PATCH xtables-compat,v2 2/3] xtables-compat-restore: flush user-defined chains with -n

-n still flushes user-defined chains and its content, the following snippet: iptables-compat -N FOO iptables-compat -I INPUT iptables-compat -I FOO iptables-compat -I FOO iptables-compat-save > A iptables-compat-restore < A iptables-compat -N BAR iptables-compat-restore -n < A results

[PATCH nf 0/2] netfilter: nft_compat: prepare for indirect info storage

These two patches fix handling of large xtables matches from nft_compat. First patch just separates the match handling functions to not assume matchinfo is stored in expr private area. Second patch is the actual fix. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel"

[PATCH nf 2/2] nft_compat: fix handling of large matchinfo size

currently matchinfo gets stored in the expression, but some xt matches are very large. To handle those we either need to switch nft core to kvmalloc and increase size limit, or allocate the info blob of large matches separately. This does the latter, this limits the scope of the changes to

[PATCH nf 1/2] netfilter: nft_compat: prepare for indirect info storage

Next patch will make it possible for *info to be stored in a separate allocation instead of the expr private area. This removes the 'expr priv area is info blob' assumption from the match init/destroy/eval functions. Signed-off-by: Florian Westphal ---

Re: [PATCH net] ipvs: fix stats update from local clients

On Thu, May 03, 2018 at 10:02:18PM +0300, Julian Anastasov wrote: > Local clients are not properly synchronized on 32-bit CPUs when > updating stats (3.10+). Now it is possible estimation_timer (timer), > a stats reader, to interrupt the local client in the middle of > write_seqcount_{begin,end}

Re: [PATCH] netfilter: nf_queue: Replace conntrack entry

Hi Kristian, Thank you for the patch! Perhaps something to improve: [auto build test WARNING on nf-next/master] [also build test WARNING on v4.17-rc3 next-20180504] [if your patch is applied to the wrong git tree, please drop us a note to help improve the system] url: