2016-04-08 11:07 GMT+08:00 Subash Abhinov Kasiviswanathan:
> ip[6]tables currently waits for 1 second for the xtables lock to
> be freed if the -w option is used. We have seen that the lock is
> held much less than that resulting in unnecessary delay when
> trying to acquire the lock. This problem
On Wed, Apr 27, 2016 at 07:36:38PM +0200, Jozsef Kadlecsik wrote:
> On Wed, 27 Apr 2016, Pablo Neira Ayuso wrote:
>
> > On Wed, Apr 20, 2016 at 03:43:00PM +0200, Arturo Borrero Gonzalez wrote:
> > > Currently, if we choose a set name larger than allowed, the error message
> > > is:
> > > Error:
On Wed, 27 Apr 2016, Pablo Neira Ayuso wrote:
> On Wed, Apr 20, 2016 at 03:43:00PM +0200, Arturo Borrero Gonzalez wrote:
> > Currently, if we choose a set name larger than allowed, the error message
> > is:
> > Error: Could not process rule: Numerical result out of range
> >
> > Let's inform th
On Thu, Apr 21, 2016 at 11:43:54AM +0200, Arturo Borrero Gonzalez wrote:
> Allow to run tests with other nft binaries by reading a 'NFT'
> environment variable, allowing arbitrary locations for the nft binary.
>
> This is what the tests/shell/run-tests.sh script does.
>
> Among other things, this
On Wed, Apr 20, 2016 at 03:43:00PM +0200, Arturo Borrero Gonzalez wrote:
> Currently, if we choose a set name larger than allowed, the error message is:
> Error: Could not process rule: Numerical result out of range
>
> Let's inform the user with a better error message.
>
> We can discuss later
On Tue, Apr 26, 2016 at 09:27:58PM +0200, Giuseppe Longo wrote:
> From: Giuseppe Longo
>
> Iptables building is broken if either libmnl or libnftnl
> is not installed on the system.
>
> Configure script actually checks if libmnl and libnftnl are installed,
> but doesn't exit if they are not.
App
On Thu, Apr 14, 2016 at 08:55:58PM +0530, Shivani Bhardwaj wrote:
> NFQUEUE had a bug with the ordering of fanout and bypass options which
> was arising due to same and odd values for flags and bypass when used
> together. Because of this, during bitwise ANDing of flags and
> NFQ_FLAG_CPU_FANOUT, t
On Thu, Apr 14, 2016 at 08:56:49PM +0530, Shivani Bhardwaj wrote:
> Remove the stacking of older version into the newer one by adding the
> appropriate code corresponding to each version.
Also applied, thanks.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the bod
From: Nicolas Dichtel
Date: Wed, 27 Apr 2016 17:53:08 +0200
> The type TASKSTATS_TYPE_NULL should always be ignored.
>
> When jumping to the next attribute, only the length of the current
> attribute should be added, not the length of all nested attributes.
> This last bug was not visible before
From: Balbir Singh
Date: Wed, 27 Apr 2016 22:29:22 +1000
> My concern is ABI breakage of user space.
The "ABI" is that unrecognized attributes must be silently ignored by
userspace.
On Wed, Apr 27, 2016 at 12:29:50PM +0100, Patrick McHardy wrote:
> The flow statement allows to instantiate per flow statements for user
> defined flows. This can so far be used for per flow accounting or limiting,
> similar to what the iptables hashlimit provides. Flows can be aged using
> the tim
On 27/04/2016 17:47, Nicolas Dichtel wrote:
> The type TASKSTATS_TYPE_NULL should always be ignored.
>
> When jumping to the next attribute, only the length of the current
> attribute should be added, not the length of all nested attributes.
> This last bug was not visible before commit 80df554
The type TASKSTATS_TYPE_NULL should always be ignored.
When jumping to the next attribute, only the length of the current
attribute should be added, not the length of all nested attributes.
This last bug was not visible before commit 80df554275c2, because the
kernel didn't put more than two nested
The type TASKSTATS_TYPE_NULL should always be ignored.
When jumping to the next attribute, only the length of the current
attribute should be added, not the length of all nested attributes.
This last bug was not visible before commit 80df554275c2, because the
kernel didn't put more than two nested
On 27/04/2016 14:29, Balbir Singh wrote:
[snip]
> Please try
>
> https://www.kernel.org/doc/Documentation/accounting/getdelays.c
A patch follows this mail to fix that.
>
> iotop uses it as well. My concern is ABI breakage of user space.
My test is ok here, I didn't see a problem.
Code review
On Mon, Apr 25, 2016 at 12:20:57PM +0200, Arturo Borrero Gonzalez wrote:
> Let's add some testcases for named sets with intervals and ranges.
Applied, thanks Arturo!
Signed-off-by: Pablo Neira Ayuso
---
tests/py/any/ct.t | 1 +
tests/py/any/ct.t.payload | 9 +
tests/py/any/meta.t | 3 +++
tests/py/any/meta.t.payload | 27 +++
4 files changed, 40 insertions(+)
diff --git a/tests/py/any/ct.t b/tests/py/any
Add some initial tests to cover dynamic interval sets.
Signed-off-by: Pablo Neira Ayuso
---
tests/py/ip/sets.t | 12
tests/py/ip6/sets.t | 11 +++
2 files changed, 23 insertions(+)
diff --git a/tests/py/ip/sets.t b/tests/py/ip/sets.t
index 2b4e7e1..0e2b193 100644
--- a/tes
This patch adds explicit set type in test definitions, as well as flags.
This has triggered a rework that starts by introducing a Set class to
make this whole code more extensible and maintainable.
Signed-off-by: Pablo Neira Ayuso
---
tests/py/ip/sets.t | 12
tests/py/ip6/sets.t | 1
On 27/04/16 17:29, Nicolas Dichtel wrote:
> On 27/04/2016 03:14, Balbir Singh wrote:
>>
>>
>> On 23/04/16 01:31, Nicolas Dichtel wrote:
>>> Goal of this patch is to use the new libnl API to align netlink attribute
>>> when needed.
>>> The layout of the netlink message will be a bit different a
The flow statement contains a stateful per flow statement, which is not
directly part of the rule. Allow generating these statements without adding
them to the rule and mark the supported statements using a new flag
STMT_F_STATEFUL.
Signed-off-by: Patrick McHardy
---
include/statement.h | 1
The flow statement allows to instantiate per flow statements for user
defined flows. This can so far be used for per flow accounting or limiting,
similar to what the iptables hashlimit provides. Flows can be aged using
the timeout option.
Examples:
# nft filter input flow ip saddr . tcp dport lim
Return the parsed statement instead of adding it to the rule in order to
parse statements contained in the flow statement.
Signed-off-by: Patrick McHardy
---
include/netlink.h | 2 +-
src/netlink_delinearize.c | 70 ---
2 files changed, 43 ins
Currently all implicitly declared sets are marked as constant. The flow
statement needs to implicitly declare non-constant sets, so instead of
unconditionally marking the set as constant, only do so if the declaring
expression is itself a constant set.
Signed-off-by: Patrick McHardy
---
src/eval
Support explicitly naming implicitly declared sets.
Also change the template names for literal sets and maps to use identifiers
that can not clash with user supplied identifiers.
Signed-off-by: Patrick McHardy
---
src/evaluate.c | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
d
Signed-off-by: Patrick McHardy
---
include/netlink.h | 10 +-
include/nftables.h | 2 +-
src/netlink.c | 10 +-
3 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/include/netlink.h b/include/netlink.h
index 8444742..80b7c60 100644
--- a/include/netlink.h
+++ b
The following patches add the "flow" statement to dynamically instantiate
stateful expression for each user defined flow. This can currently be used
for per flow accounting and per flow rate limiting, similar to what hashlimit
provides, but with a much more flexible definition of a flow.
Examples:
On 27/04/2016 03:14, Balbir Singh wrote:
>
>
> On 23/04/16 01:31, Nicolas Dichtel wrote:
>> Goal of this patch is to use the new libnl API to align netlink attribute
>> when needed.
>> The layout of the netlink message will be a bit different after the patch,
>> because the padattr (TASKSTATS_