Followup patch renames skb->nfct and changes its type so add a helper to
avoid intrusive rename change later.
Signed-off-by: Florian Westphal
---
changes since v2: this patch is new, it was split from
v2 'netfilter: merge ctinfo into nfct pointer storage area'.
We should also toss nf_bridge_info, if any -- packet is leaving via
ip_local_out, also, this skb isn't bridged -- it is a locally generated
copy. Also this avoids the need to touch this later when skb->nfct is
replaced with 'unsigned long _nfct' in followup patch.
Signed-off-by: Florian Westphal
Next patch makes direct skb->nfct access illegal, reduce noise
in next patch by using accessors we already have.
Signed-off-by: Florian Westphal
---
No changes in v1 and v2.
include/net/ip_vs.h | 9 ++---
net/netfilter/nf_conntrack_core.c | 15
It is never accessed for reading and the only places that write to it
are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo).
The conntrack core specifically checks for attached skb->nfct after
->error() invocation and returns early in this case.
Signed-off-by: Florian Westphal
Hi Phil,
On Tue, Jan 17, 2017 at 11:10:04PM +0100, Phil Sutter wrote:
> The following series adds two distinct features to nftables, though
> since the second one depends on presence of the first one this is
> submitted as a series.
>
> Patch 1 adds support for a boolean variant of relational
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff.
This avoids changing code in followup patch that merges skb->nfct and
skb->nfctinfo into skb->_nfct.
Suggested-by: Pablo Neira Ayuso
Signed-off-by: Florian Westphal
---
Not part of
The next change will merge skb->nfct pointer and skb->nfctinfo
status bits into single skb->_nfct (unsigned long) area.
For this to work nf_conn addresses must always be aligned at least on
an 8-byte boundary since we will need the lower 3 bits to store nfctinfo.
Conntrack templates are allocated
After this change conntrack operations (lookup, creation, matching from
ruleset) only access one instead of two sk_buff cache lines.
This works for normal conntracks because those are allocated from a slab
that guarantees hw cacheline or 8-byte alignment (whatever is larger)
so the 3 bits needed
Whenever we fetch skb conntrack info, we need to access two
distinct cache lines in sk_buff, #2 (nfct pointer) and #3
(nfctinfo bits). This series removes nfctinfo and joins it
with the data pointer in a single ulong.
We have 3 nfctinfo bits, the slab cache used for nf_conn objects
guarantees at
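The encoding that the patch description and the cover letter above rely on, shown as an added C example (not kernel code; struct fake_conn, enum fake_ctinfo, struct fake_skb, fake_ct_set() and fake_ct_get() are hypothetical stand-ins for the kernel types and helpers): because every conntrack object is at least 8-byte aligned, the low 3 bits of its address are always zero, so the 3 ctinfo bits can be OR-ed into the same unsigned long and masked back off on read. The example also rejects a misaligned pointer instead of silently corrupting the address, which is the failure mode the alignment requirement guards against.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct nf_conn (added example, not kernel code).
 * The kernel relies on the slab guaranteeing >= 8-byte alignment; here
 * alloc_conn() reproduces that guarantee with aligned_alloc(). */
struct fake_conn {
	uint64_t tuple_hash;
	uint32_t status;
	uint32_t refcnt;
};

/* Hypothetical 3-bit ctinfo values; only the fact that they fit in
 * 3 bits matters for the encoding. */
enum fake_ctinfo {
	CTINFO_ESTABLISHED = 0,
	CTINFO_RELATED = 1,
	CTINFO_NEW = 2,
	CTINFO_REPLY = 3,
	CTINFO_UNTRACKED = 7,	/* largest value that still fits */
};

#define CTINFO_BITS 3
#define CTINFO_MASK ((1UL << CTINFO_BITS) - 1)

/* The single unsigned long that replaces the pointer + ctinfo pair. */
struct fake_skb {
	unsigned long _nfct;
};

/* The scheme only works if a pointer fits in an unsigned long at all. */
_Static_assert(sizeof(unsigned long) >= sizeof(void *),
	       "unsigned long must be able to hold a pointer");

struct fake_conn *alloc_conn(void)
{
	/* aligned_alloc() needs size to be a multiple of the alignment;
	 * sizeof(struct fake_conn) is 16 here. */
	return aligned_alloc(1UL << CTINFO_BITS, sizeof(struct fake_conn));
}

/* Encode ct + ctinfo into skb->_nfct. Returns 0 on success, -1 if the
 * pointer's low bits are not free (misaligned) or info does not fit. */
int fake_ct_set(struct fake_skb *skb, const struct fake_conn *ct,
		enum fake_ctinfo info)
{
	unsigned long addr = (unsigned long)(uintptr_t)ct;

	if (addr & CTINFO_MASK)
		return -1;
	if ((unsigned long)info & ~CTINFO_MASK)
		return -1;
	skb->_nfct = addr | (unsigned long)info;
	return 0;
}

/* Decode: mask the tag off to recover the pointer, keep it as ctinfo. */
struct fake_conn *fake_ct_get(const struct fake_skb *skb,
			      enum fake_ctinfo *info)
{
	if (info)
		*info = (enum fake_ctinfo)(skb->_nfct & CTINFO_MASK);
	return (struct fake_conn *)(uintptr_t)(skb->_nfct & ~CTINFO_MASK);
}

/* Round trip through the tagged word; returns 1 when both the pointer
 * and the ctinfo value survive, 0 otherwise. */
int demo_roundtrip(void)
{
	struct fake_skb skb = { 0 };
	struct fake_conn *ct = alloc_conn();
	struct fake_conn *back;
	enum fake_ctinfo info = CTINFO_ESTABLISHED;
	int ok;

	if (!ct)
		return 0;
	ct->status = 0x1234;
	ok = fake_ct_set(&skb, ct, CTINFO_UNTRACKED) == 0;
	back = fake_ct_get(&skb, &info);
	ok = ok && back == ct && info == CTINFO_UNTRACKED && back->status == 0x1234;
	free(ct);
	return ok;
}

/* A pointer that is not 8-byte aligned would have its address corrupted
 * by the tag, so fake_ct_set() must refuse it. Returns 1 if it does. */
int demo_rejects_misaligned(void)
{
	struct fake_skb skb = { 0 };
	unsigned char buf[32];
	/* Constructed misaligned address: one byte past an 8-byte boundary. */
	unsigned long base = ((unsigned long)(uintptr_t)buf + 7) & ~7UL;
	const struct fake_conn *bad = (const struct fake_conn *)(uintptr_t)(base + 1);

	return fake_ct_set(&skb, bad, CTINFO_NEW) == -1 && skb._nfct == 0;
}

int main(void)
{
	printf("roundtrip: %s\n", demo_roundtrip() ? "ok" : "FAIL");
	printf("misaligned rejected: %s\n", demo_rejects_misaligned() ? "ok" : "FAIL");
	return 0;
}
```

The one property everything hinges on is the alignment check in fake_ct_set(): if an allocator ever hands out a conntrack object that is only 4-byte aligned, the tag would overwrite an address bit, and a later read would dereference a pointer 4 bytes off. That is why the patch description insists that templates, not just slab-allocated conntracks, honour the 8-byte boundary.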
On Mon, Jan 23, 2017 at 01:28:48PM +0100, Florian Westphal wrote:
> diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> index 0c629fdf90e1..ce6adfae521a 100644
> --- a/net/netfilter/core.c
> +++ b/net/netfilter/core.c
> @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const struct
On Fri, Jan 20, 2017 at 09:03:03PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> Currently, if the user adds a stateful object with a name size exceeding
> NFT_OBJ_MAXNAMELEN - 1 (i.e. 31), we truncate it down to 31 silently.
> This is not friendly, furthermore, this
On Wed, Jan 18, 2017 at 09:06:47PM -0200, Elise Lennion wrote:
Please, next time always add a description here, even a small one,
this is good to help others keep track of what we're doing.
I have applied this, but one more comment below.
> Signed-off-by: Elise Lennion
Catch -1 case, so we have a chance to handle EINTR.
Signed-off-by: Pablo Neira Ayuso
---
src/rule.c | 7 +++
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/rule.c b/src/rule.c
index f2ffd4b27e8a..b5181a90f795 100644
--- a/src/rule.c
+++ b/src/rule.c
On Thu, Jan 19, 2017 at 02:29:47PM -0200, Elise Lennion wrote:
> This tests for a bug where a repeated element is added and the set
> elements counter is incorrectly increased.
Applied, thanks.
It would be good to have another test to catch the 'nft flush set x y'
bug that you uncover, this
Pablo Neira Ayuso wrote:
> On Mon, Jan 23, 2017 at 01:28:48PM +0100, Florian Westphal wrote:
> > diff --git a/net/netfilter/core.c b/net/netfilter/core.c
> > index 0c629fdf90e1..ce6adfae521a 100644
> > --- a/net/netfilter/core.c
> > +++ b/net/netfilter/core.c
> > @@ -375,7
Currently the stateful objects can only be reset in groups. With this
patch resetting a single object is allowed:
$ nft reset counter x https-traffic
table ip x {
counter https-traffic {
packets 8774 bytes 542668
}
}
$ nft reset quota x https-quota
table ip x {
This tests for a bug where elements can't be added after flushing a
full set with the flag NFTNL_SET_DESC_SIZE set.
Signed-off-by: Elise Lennion
---
tests/shell/testcases/sets/0017add_after_flush_0 | 12
1 file changed, 12 insertions(+)
create mode 100755
On Mon, Jan 23, 2017 at 05:09:55PM -0800, Linus Torvalds wrote:
> On Mon, Jan 23, 2017 at 4:06 PM, Jiri Kosina wrote:
> >
> > Considering this being really close to the "userspace breakage"
> > borderline, I'm CCing Linus as well.
>
> For all I know, there may be some security
On Mon, Jan 23, 2017 at 4:06 PM, Jiri Kosina wrote:
>
> Considering this being really close to the "userspace breakage"
> borderline, I'm CCing Linus as well.
For all I know, there may be some security reason why we really don't
want the automatic helpers, even if they can be
From: Jiri Kosina
This reverts commit 486dcf43da7815baa615822f3e46883ccca5400f. The commit
that flipped the default has been reverted as well.
Signed-off-by: Jiri Kosina
---
Documentation/networking/nf_conntrack-sysctl.txt | 7 ++-
1 file changed, 2
From: Jiri Kosina
This reverts commit 3bb398d925ec73e42b778cf823c8f4aecae359ea. It breaks
existing firewall configurations.
Signed-off-by: Jiri Kosina
---
net/netfilter/nf_conntrack_helper.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff
On Mon, 23 Jan 2017, Florian Westphal wrote:
> Jozsef Kadlecsik wrote:
> > > > > --- a/net/netfilter/core.c
> > > > > +++ b/net/netfilter/core.c
> > > > > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const
> > > > > struct sk_buff *skb)
> > > > > {
> > >
Jozsef Kadlecsik wrote:
> > > > --- a/net/netfilter/core.c
> > > > +++ b/net/netfilter/core.c
> > > > @@ -375,7 +375,7 @@ void nf_ct_attach(struct sk_buff *new, const struct
> > > > sk_buff *skb)
> > > > {
> > > > void (*attach)(struct sk_buff *, const struct
On Mon, 23 Jan 2017, Linus Torvalds wrote:
> For all I know, there may be some security reason why we really don't
> want the automatic helpers, even if they can be convenient.
>
> Also, you can just enable them with a kernel command line or a sysctl,
> so it's not like you can't get the old
Hi !
I think nobody here will answer you.
Those who know the answer will not answer you because they think it's
trivial or don't want to spend time on it. And those who don't know it will
not answer you because they do not want to show they don't know the
answer (like me).
I asked some help for 2
The next change will merge skb->nfct pointer and skb->nfctinfo
status bits into single skb->_nfct (unsigned long) area.
For this to work nf_conn addresses must always be aligned at least on
an 8-byte boundary since we will need the lower 3 bits to store nfctinfo.
Conntrack templates are allocated
After this change conntrack operations (lookup, creation, matching from
ruleset) only access one instead of two sk_buff cache lines.
This works for normal conntracks because those are allocated from a slab
that guarantees hw cacheline or 8-byte alignment (whatever is larger)
so the 3 bits needed
Followup patch renames skb->nfct and changes its type so add a helper to
avoid intrusive rename change later.
Signed-off-by: Florian Westphal
---
changes since v3: don't alter core.c --
we should check skb->nfct, skb_nfct() won't be enough after
removal of conntrack untracked
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff.
This avoids changing code in followup patch that merges skb->nfct and
skb->nfctinfo into skb->_nfct.
Signed-off-by: Florian Westphal
---
changes since v3:
get rid of an unneeded hunk (core.c), previous
Next patch makes direct skb->nfct access illegal, reduce noise
in next patch by using accessors we already have.
Signed-off-by: Florian Westphal
---
no changes since v1.
include/net/ip_vs.h | 9 ++---
net/netfilter/nf_conntrack_core.c | 15 +--
2
We should also toss nf_bridge_info, if any -- packet is leaving via
ip_local_out, also, this skb isn't bridged -- it is a locally generated
copy. Also this avoids the need to touch this later when skb->nfct is
replaced with 'unsigned long _nfct' in followup patch.
Signed-off-by: Florian Westphal
It is never accessed for reading and the only places that write to it
are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo).
The conntrack core specifically checks for attached skb->nfct after
->error() invocation and returns early in this case.
Signed-off-by: Florian Westphal
Whenever we fetch skb conntrack info, we need to access two
distinct cache lines in sk_buff, #2 (nfct pointer) and #3
(nfctinfo bits). This series removes nfctinfo and joins it
with the data pointer in a single ulong.
We have 3 nfctinfo bits, the slab cache used for nf_conn objects
guarantees at
34 matches