[PATCH 2/2 nf-next] nfnetlink_osf: rename nf_osf header file to nfnetlink_osf

As the first client of nf_osf userspace header is nft_osf and xt_osf, we rename it to nfnetlink_osf.h Suggested-by: Jan Engelhardt Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/{nf_osf.h => nfnetlink_osf.h} | 2 +- include/uapi/linux/netfilter/{nf_osf.h =>

[PATCH nf-next 1/2] fixup: nf_osf: move nf_osf_fingers to non-uapi nf_osf header file

Signed-off-by: Fernando Fernandez Mancera --- include/linux/netfilter/nf_osf.h | 2 ++ include/uapi/linux/netfilter/nf_osf.h | 2 -- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/netfilter/nf_osf.h b/include/linux/netfilter/nf_osf.h index

[PATCH] nft: doc: changes in configure file for PDF creation

changes in package dependencies for PDF creation (nft.pdf) from asciidoc. Signed-off-by: Arushi Singhal --- configure.ac | 10 ++ 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/configure.ac b/configure.ac index c1c9035..06f15c9 100644 --- a/configure.ac +++ b/configure.ac

[PATCH nf-next] netfilter: nf_tables: flow event notifier must use transaction mutex

Fixes: f102d66b335a4 ("netfilter: nf_tables: use dedicated mutex to guard transactions") Signed-off-by: Florian Westphal --- net/netfilter/nf_tables_api.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

On 07/31/2018 05:05 PM, Florian Westphal wrote: > Georgi Nikolov wrote: >>> No, I think that's rather for the netfilter folks to decide. However, it >>> seems there has been the debate already [1] and it was not found. The >>> conclusion was that __GFP_NORETRY worked fine before, so it should

[PATCH nf-next] netfilter: kconfig: make ct zone/labels selectable without xtables

connection tracking zones currently depend on the xtables CT target, connection tracking labels are handled via hidden dependency that gets auto-selected by the connlabel match. Make NF_CONNTRACK_LABELS a normal config knob and make both depend on either the xtables target/match or the nft

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

Georgi Nikolov wrote: > > No, I think that's rather for the netfilter folks to decide. However, it > > seems there has been the debate already [1] and it was not found. The > > conclusion was that __GFP_NORETRY worked fine before, so it should work > > again after it's added back. But now we know

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

On 07/31/2018 09:38 AM, Vlastimil Babka wrote: > On 07/30/2018 08:51 PM, Georgi Nikolov wrote: >> On 07/30/2018 09:38 PM, Michal Hocko wrote: >>> On Mon 30-07-18 18:54:24, Georgi Nikolov wrote: >>> [...] No i was wrong. The regression starts actually with 0537250fdc6c8. - old code, which

[PATCH] nft: doc: correct some typos in asciidoc

Correct some typo mistakes done while converting man page source to asciidoc. Signed-off-by: Arushi Singhal --- doc/data-types.txt | 33 ++--- doc/nft.txt| 11 --- doc/payload-expression.txt | 9 +++-- doc/primary-expression.txt |

[PATCH nf] netfilter: fix memory leaks on netlink_dump_start error

Shaochun Chen points out we leak dumper filter state allocations stored in dump_control->data in case there is an error before netlink sets cb_running (after which ->done will be called at some point). In order to fix this, add .start functions and move allocations there. Same pattern as used in

[PATCH nf-next v3 2/2] netfilter: cttimeout: move ctnl_untimeout to nf_conntrack

As, ctnl_untimeout is required by nft_ct, so move ctnl_timeout from nfnetlink_cttimeout to nf_conntrack_timeout and rename as nf_ct_timeout. Signed-off-by: Harsha Sharma --- Changes in v3: - Add static inline definition for nf_ct_untimeout when CONFIG_NF_CONNTRACK_TIMEOUT is not defined

[PATCH nf-next v3 1/2] netfilter: Kconfig: Make NF_CT_NETLINK_TIMEOUT depend on NF_CONNTRACK_TIMEOUT

With this, remove ifdef for NF_CONNTRACK_CTTIMEOUT in nfnetlink_cttimeout. This is also required for moving ctnl_untimeout from nfnetlink_cttimeout to nf_conntrack_timeout. Signed-off-by: Harsha Sharma --- Changes in v3: - No changes Changes in v2: - No changes net/netfilter/Kconfig

[PATCH nf-next v10] netfilter: nft_ct: add ct timeout support

This patch allows to add, list and delete connection tracking timeout policies via nft objref infrastructure and assigning these timeout via nft rule. %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp Ruleset: table ip raw { ct timeout cttime { protocol tcp established

Re: [netfilter-core] [nf-next:master 5/7] ./usr/include/linux/netfilter/nf_osf.h:73: userspace cannot reference function or variable defined in the kernel

El 31 de julio de 2018 7:52:26 CEST, Florian Westphal escribió: >kbuild test robot wrote: >> tree: >https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git >master >> head: 4ed8eb6570a49931c705512060acd50058d61616 >> commit: f9324952088f1cd62ea4addf9ff532f1e6452a22 [5/7] netfilter:

Re: [Bug 200651] New: cgroups iptables-restor: vmalloc: allocation failure

On 07/30/2018 08:51 PM, Georgi Nikolov wrote: > On 07/30/2018 09:38 PM, Michal Hocko wrote: >> On Mon 30-07-18 18:54:24, Georgi Nikolov wrote: >> [...] >>> No i was wrong. The regression starts actually with 0537250fdc6c8. >>> - old code, which opencodes kvmalloc, is masking error but error is