[PATCH nf-next v4] netfilter: nf_defrag: Skip defrag if NOTRACK is set

2018-01-10 Thread Subash Abhinov Kasiviswanathan
conntrack defrag is needed only if some module like CONNTRACK or NAT explicitly requests it. For plain forwarding scenarios, defrag is not needed and can be skipped if NOTRACK is set in a rule. Since conntrack defrag is currently higher priority than raw table, setting NOTRACK is not sufficient.

Re: [nft PATCH] Don't merge adjacent/overlapping ranges by default

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 01:44:26PM +0100, Phil Sutter wrote: > Hey! > > On Wed, Jan 10, 2018 at 01:08:01PM +0100, Pablo Neira Ayuso wrote: > > On Wed, Jan 10, 2018 at 12:57:25PM +0100, Phil Sutter wrote: > > > Hi Pablo, > > > > > > On Wed, Jan 10, 2018 at 12:51:00PM +0100, Pablo Neira Ayuso

Re: [PATCH net-next] netfilter: nf_flow_table: remove duplicated include from nf_flow_table_ipv6.c

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 01:07:06PM +, Wei Yongjun wrote: > Remove duplicated include. I'm going to collapse this patch to: http://patchwork.ozlabs.org/patch/858284/ and call it "netfilter: remove duplicated include" So we don't need two patches for the same thing. OK? -- To unsubscribe

Re: libnftables extended API proposal

2018-01-10 Thread Phil Sutter
Hi Mark, On Tue, Jan 09, 2018 at 10:46:14PM -0600, mark diener wrote: > Why don't you just put a JSON layer above the c-based libnftl 0.9 ? > > That way, whatever is working in C-based API can then get JSON support > and disrupt the apple cart. > > Call it libnftljson-0.9.so, which is then

Re: [nft PATCH] src/Makefile: Restore per object CFLAGS

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 01:43:21PM +0100, Phil Sutter wrote: > As per the automake manual, create internal libraries for parser and > mini-gmp sources so per-object flags can be set. Applied, thanks Phil.

Re: [iptables] extensions: add support for 'srh' match

2018-01-10 Thread Pablo Neira Ayuso
On Fri, Dec 29, 2017 at 12:08:25PM +0100, Ahmed Abdelsalam wrote: > This patch adds a new extension to iptables to support 'srh' match > The implementation considers revision 7 of the SRH draft. > https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07 > > Signed-off-by: Ahmed

Re: [PATCH net-next] netfilter: nf_queue: remove duplicated include from nf_queue.c

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 01:06:46PM +, Wei Yongjun wrote: > Remove duplicated include. Applied.

Re: [PATCH] netfilter: nf_tables: copy and paste bug in nf_tables_getflowtable()

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 12:47:35PM +0300, Dan Carpenter wrote: > We should be testing "flowtable" instead of "table". Your robot was too late, sorry :) I'm taking the patch from Wei Yongjun. Thank you.

RE: [PATCH net-next] netfilter: nf_flow_table: remove duplicated include from nf_flow_table_ipv6.c

2018-01-10 Thread weiyongjun (A)
> > On Wed, Jan 10, 2018 at 01:07:06PM +, Wei Yongjun wrote: > > Remove duplicated include. > > I'm going to collapse this patch to: > > http://patchwork.ozlabs.org/patch/858284/ > > and call it "netfilter: remove duplicated include" > > So we don't need two patches for the same thing. >

[PATCH nf-next] netfilter: core: return EBUSY in case NAT hook is already in use

2018-01-10 Thread Pablo Neira Ayuso
EEXIST is used for an object that already exists, with the same name/handle. However, there is no same object there; instead there is an object that is using the single slot that is available for NAT hooks since patch f92b40a8b264 ("netfilter: core: only allow one nat hook per hook point"). Let's

Re: [PATCH net-next] netfilter: improve flow table Kconfig dependencies

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 06:10:59PM +0100, Arnd Bergmann wrote: > The newly added NF_FLOW_TABLE options cause some build failures in > randconfig kernels: Applied, thanks Arnd.

Re: [PATCH 0/2] parser_bison: delete chains via chain handle

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 12:28:24AM +0530, Harsha Sharma wrote: > Print chain handles with option '-a' and delete chains via chain handle Harsha, could you send a follow up patch to add tests to tests/shell/ so we can automate that this works fine. Thanks!

[nft PATCH] Don't merge adjacent/overlapping ranges by default

2018-01-10 Thread Phil Sutter
This patch introduces a new commandline parameter -m/--merge which restores the old behaviour. Previously, when adding multiple ranges to a set they were merged if overlapping or adjacent. This might cause inconvenience though since it is afterwards not easily possible anymore to remove one of

[PATCH] netfilter: nf_tables: copy and paste bug in nf_tables_getflowtable()

2018-01-10 Thread Dan Carpenter
We should be testing "flowtable" instead of "table". Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") Signed-off-by: Dan Carpenter --- The bug hasn't hit net-next yet, it's still in the netfilter tree. diff --git

Re: [nft PATCH] Don't merge adjacent/overlapping ranges by default

2018-01-10 Thread Pablo Neira Ayuso
Hi Phil, Thanks for working on this! On Wed, Jan 10, 2018 at 11:42:21AM +0100, Phil Sutter wrote: > This patch introduces a new commandline parameter -m/--merge which > restores the old behaviour. > > Previously, when adding multiple ranges to a set they were merged if > overlapping or

Re: [nft PATCH] Don't merge adjacent/overlapping ranges by default

2018-01-10 Thread Phil Sutter
Hi Pablo, On Wed, Jan 10, 2018 at 12:51:00PM +0100, Pablo Neira Ayuso wrote: [...] > I would disable this by default by now, no option. > > Then, revisit this later on to see if it's worth adding this, thanks! Should I drop everything that's needed to make it optional or just remove the option

[nft PATCH v2] Don't merge adjacent/overlapping ranges

2018-01-10 Thread Phil Sutter
Previously, when adding multiple ranges to a set they were merged if overlapping or adjacent. This might cause inconvenience though since it is afterwards not easily possible anymore to remove one of the merged ranges again while keeping the others in place. Since it is not possible to have

Re: [nft PATCH] Don't merge adjacent/overlapping ranges by default

2018-01-10 Thread Phil Sutter
Hey! On Wed, Jan 10, 2018 at 01:08:01PM +0100, Pablo Neira Ayuso wrote: > On Wed, Jan 10, 2018 at 12:57:25PM +0100, Phil Sutter wrote: > > Hi Pablo, > > > > On Wed, Jan 10, 2018 at 12:51:00PM +0100, Pablo Neira Ayuso wrote: > > [...] > > > I would disable this by default by now, no option. > > >

Re: [PATCH nf-next] netfilter: x_tables: unbreak module auto loading

2018-01-10 Thread Pablo Neira Ayuso
On Tue, Jan 09, 2018 at 02:30:48PM +0100, Florian Westphal wrote: > a typo causes module auto load support to never be compiled in. Applied, thanks Florian!

[PATCH net-next] netfilter: nf_queue: remove duplicated include from nf_queue.c

2018-01-10 Thread Wei Yongjun
Remove duplicated include. Signed-off-by: Wei Yongjun --- net/netfilter/nf_queue.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c index 7f55af5..d67a96a 100644 --- a/net/netfilter/nf_queue.c +++

[PATCH net-next] netfilter: nf_flow_table: remove duplicated include from nf_flow_table_ipv6.c

2018-01-10 Thread Wei Yongjun
Remove duplicated include. Signed-off-by: Wei Yongjun --- net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/ipv6/netfilter/nf_flow_table_ipv6.c b/net/ipv6/netfilter/nf_flow_table_ipv6.c index 0c3b9d3..fff2160 100644 ---

Re: [PATCH net-next] netfilter: core: make local function __nf_unregister_net_hook static

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 07:05:06AM +, Wei Yongjun wrote: > Fixes the following sparse warning: > > net/netfilter/core.c:380:6: warning: > symbol '__nf_unregister_net_hook' was not declared. Should it be static? Also applied, thanks.

Re: [PATCH net-next] netfilter: nf_tables: fix a typo in nf_tables_getflowtable()

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 07:04:54AM +, Wei Yongjun wrote: > Fix a typo, we should check 'flowtable' instead of 'table'. Applied, thanks.

Re: [PATCH 0/2] parser_bison: delete chains via chain handle

2018-01-10 Thread Pablo Neira Ayuso
On Wed, Jan 10, 2018 at 04:34:41PM +0100, Pablo Neira Ayuso wrote: > On Wed, Jan 10, 2018 at 12:28:24AM +0530, Harsha Sharma wrote: > > Print chain handles with option '-a' and delete chains via chain handle > > Harsha, could you send a follow up patch to add tests to tests/shell/ > so we can

[PATCH net-next] netfilter: improve flow table Kconfig dependencies

2018-01-10 Thread Arnd Bergmann
The newly added NF_FLOW_TABLE options cause some build failures in randconfig kernels: - when CONFIG_NF_CONNTRACK is disabled, or is a loadable module but NF_FLOW_TABLE is built-in: In file included from net/netfilter/nf_flow_table.c:8:0: include/net/netfilter/nf_conntrack.h:59:22: error: