Re: [RFC PATCH nft V2] src: Add import command for json

2017-09-11 Thread Shyam Saini
>> This new operation allows to import ruleset in json to make >> incremental changes using the parse functions of libnftnl. >> >> A basic way to test this new functionality is: >> >> % cat file.json | nft import json >> >> where the file.json is a ruleset exported in json format. >> >> Highly

Re: [PATCH nf 0/2] netfilter: nat: do not use rhltable

2017-09-11 Thread Guillaume Nault
On Fri, Sep 08, 2017 at 01:55:36PM +0200, Pablo Neira Ayuso wrote: > On Wed, Sep 06, 2017 at 02:39:50PM +0200, Florian Westphal wrote: > > This reverts the conversion of the nat bysource table to rhlist that > > I did last year. > > > > It was a bad idea to begin with. > > > > Fast lookup is not

Re: [RFC PATCH nft V2] src: Add import command for json

2017-09-11 Thread Arturo Borrero Gonzalez
On 10 September 2017 at 14:31, Shyam Saini wrote: > This new operation allows to import ruleset in json to make > incremental changes using the parse functions of libnftnl. > > A basic way to test this new functionality is: > > % cat file.json | nft import json > > where

Re: [PATCH] netfilter: ipset: ipset list may return wrong member count for set with timeout

2017-09-11 Thread Jozsef Kadlecsik
Hi, Your patch is applied in the ipset git tree and I'm going to push it for kernel inclusion. I modified the comment part: the elements counter can still be incorrect in the case of a huge set, because elements might time out during the listing. Thanks for your patience! Best regards,

[RFC PATCH nft V3] src: Add import command for json

2017-09-11 Thread Shyam Saini
This new operation allows to import ruleset in json to make incremental changes using the parse functions of libnftnl. A basic way to test this new functionality is: % cat file.json | nft import json where the file.json is a ruleset exported in json format. Highly based on work from Alvaro

Re: [PATCH] netfilter: ipset: ipset list may return wrong member count for set with timeout

2017-09-11 Thread Vishwanath Pai
Hi Jozsef, Thank you. Yes, that is true, the count can still be incorrect in the case of a huge set. Thanks, Vishwanath On 09/11/2017 03:36 PM, Jozsef Kadlecsik wrote: > Hi, > > Your patch is applied in the ipset git tree and I'm going to push it for > kernel inclusion. > > I modified the

[no subject]

2017-09-11 Thread roeper

[PATCH 3/4] netfilter: ipset: deduplicate prefixlen maps

2017-09-11 Thread Jozsef Kadlecsik
From: Aaron Conole The prefixlen maps used here are identical, and have been since introduction. It seems to make sense to use a single large map, that the preprocessor will fill appropriately. Signed-off-by: Aaron Conole Signed-off-by: Jozsef Kadlecsik

[PATCH 0/4] ipset patches for nf-next

2017-09-11 Thread Jozsef Kadlecsik
Hi Pablo, Here follows a few ipset patches for the nf-next tree: * Merge assignment and simplify return in a function by Simran Singhal * Fix a sparse warning from me * Deduplicate prefixlen maps by Aaron Conole * Fix the outdated element counter for sets with timeout by Vishwanath Pai Please

[PATCH 2/4] netfilter: ipset: Fix sparse warnings

2017-09-11 Thread Jozsef Kadlecsik
Signed-off-by: Jozsef Kadlecsik --- net/netfilter/ipset/ip_set_hash_ipportnet.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c index 5ab1b99..24bf558 100644