ip[6]tables currently waits for 1 second for the xtables lock to be
freed if the -w option is used. We have seen that the lock is held
much less than that resulting in unnecessary delay when trying to
acquire the lock. This problem is even more severe in case of latency
sensitive applications.
Introduc
On Thu, Jun 02, 2016 at 06:57:00PM +0100, Will Deacon wrote:
> > +++ b/include/asm-generic/qspinlock.h
> > @@ -28,30 +28,13 @@
> > */
> > static __always_inline int queued_spin_is_locked(struct qspinlock *lock)
> > {
> > + /*
> > +* See queued_spin_unlock_wait().
> > *
> > +* An
On Thursday 2016-06-02 18:59, Pablo Neira Ayuso wrote:
>Resources
>=
>The nftables code can be obtained from:[...]
>To build the code, libnftnl 1.0.6 and libmnl >= 1.0.2 are required:
According to configure.ac, libnftnl >=1.0.5 and libmnl >=1.0.3
are requested. Something probably needs a
On Thu, Jun 02, 2016 at 06:34:25PM +0200, Peter Zijlstra wrote:
> On Thu, Jun 02, 2016 at 04:44:24PM +0200, Peter Zijlstra wrote:
> > On Thu, Jun 02, 2016 at 10:24:40PM +0800, Boqun Feng wrote:
> > > On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote:
> > > About spin_unlock_wait() on p
Add translation for multiport to nftables, which is supported natively.
Examples:
$ sudo iptables-translate -t filter -A INPUT -p tcp -m multiport --dports 80,81 -j ACCEPT
nft add rule ip filter INPUT ip protocol tcp tcp dport { 80,81} counter accept
$ sudo iptables-translate -t filter -A INP
On Thu, Jun 02, 2016 at 07:01:58PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 02, 2016 at 06:21:50PM +0200, Guillaume Nault wrote:
> > Hi,
> >
> > Are there any plans for a new libmnl release? Sure there aren't so many
> > changes, but there are still valuable features, fixes and documentation
On Thu, Jun 02, 2016 at 06:21:50PM +0200, Guillaume Nault wrote:
> Hi,
>
> Are there any plans for a new libmnl release? Sure there aren't so many
> changes, but there are still valuable features, fixes and documentation
> updates. Releasing a new version and updating the online documentation
> wo
Hi!
The Netfilter project proudly presents:
nftables 0.6
This release contains many accumulated bug fixes and new features
available up to the Linux 4.7-rc1 kernel release.
New features
* Rule replacement: You can replace any rule from the unique 64-bits
handle. You have
Add translation for frag to nftables. Not supported yet in nft: fraglen,
fragfirst and fraglast.
Examples:
$ sudo iptables-translate -t filter -A INPUT -m frag --fragid 100:200 -j ACCEPT
nft add rule ip6 filter INPUT frag id 100-200 counter accept
$ sudo iptables-translate -t filter -A INPUT -m
On Thu, Jun 02, 2016 at 04:44:24PM +0200, Peter Zijlstra wrote:
> On Thu, Jun 02, 2016 at 10:24:40PM +0800, Boqun Feng wrote:
> > On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote:
> > About spin_unlock_wait() on ppc, I actually have a fix pending review:
> >
> > http://lkml.kernel.or
Hi,
Are there any plans for a new libmnl release? Sure there aren't so many
changes, but there are still valuable features, fixes and documentation
updates. Releasing a new version and updating the online documentation
would help making them widely available.
Regards,
Guillaume
--
To unsubscribe
On Thu, Jun 02, 2016 at 11:11:07PM +0800, Boqun Feng wrote:
> On Thu, Jun 02, 2016 at 04:44:24PM +0200, Peter Zijlstra wrote:
> > Let me go ponder that some :/
> >
>
> An initial thought of the fix is making queued_spin_unlock_wait() an
> atomic-nop too:
>
> static inline void queued_spin_unlock_
On Thu, Jun 02, 2016 at 11:11:07PM +0800, Boqun Feng wrote:
[snip]
>
> OK, I will resend a new patch making spin_unlock_wait() align the
> semantics in your series.
>
I realize that if my patch goes first then it's more safe and convenient
to keep the two smp_mb()s in ppc arch_spin_unlock_wait()
On Thu, Jun 02, 2016 at 01:08:47PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote:
> > Add translation for Hop-By-Hop header to nftables. Hbh options are not
> > supported yet in nft.
>
> It would be good to document this in the wiki, as Shiv
On Thu, Jun 02, 2016 at 04:44:24PM +0200, Peter Zijlstra wrote:
> On Thu, Jun 02, 2016 at 10:24:40PM +0800, Boqun Feng wrote:
> > On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote:
> > About spin_unlock_wait() on ppc, I actually have a fix pending review:
> >
> > http://lkml.kernel.or
On Thu, Jun 02, 2016 at 06:54:42PM +0530, Shivani Bhardwaj wrote:
> The order of mask and id in the translated code is not apt
> so fix it.
> This patch follows commit 8548dd by Liping Zhang.
Applied, thanks.
On Thu, Jun 02, 2016 at 10:24:40PM +0800, Boqun Feng wrote:
> On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote:
> About spin_unlock_wait() on ppc, I actually have a fix pending review:
>
> http://lkml.kernel.org/r/1461130033-70898-1-git-send-email-boqun.f...@gmail.com
Please use the
On Thu, Jun 02, 2016 at 01:52:02PM +0200, Peter Zijlstra wrote:
[snip]
> --- a/arch/powerpc/include/asm/spinlock.h
> +++ b/arch/powerpc/include/asm/spinlock.h
> @@ -27,6 +27,8 @@
> #include
> #include
> #include
> +#include
> +#include
>
> #ifdef CONFIG_PPC64
> /* use 0x80yy when lo
The order of mask and id in the translated code is not apt
so fix it.
This patch follows commit 8548dd by Liping Zhang.
Signed-off-by: Shivani Bhardwaj
---
extensions/libxt_devgroup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/extensions/libxt_devgroup.c b/extensions
On Wed, Jun 01, 2016 at 02:04:44AM +0200, Florian Westphal wrote:
> Quoting John Stultz:
> In updating a 32bit arm device from 4.6 to Linus' current HEAD, I
> noticed I was having some trouble with networking, and realized that
> /proc/net/ip_tables_names was suddenly empty.
> Digging throu
Since all asm/barrier.h should/must include asm-generic/barrier.h the
latter is a good place for generic infrastructure like this.
This also allows archs to override the new
smp_acquire__after_ctrl_dep().
Signed-off-by: Peter Zijlstra (Intel)
---
include/asm-generic/barrier.h | 39 +++
Even with spin_unlock_wait() fixed, nf_conntrack_lock{,_all}() is
borken as it misses a bunch of memory barriers to order the whole
global vs local locks scheme.
Even x86 (and other TSO archs) are affected.
Signed-off-by: Peter Zijlstra (Intel)
---
net/netfilter/nf_conntrack_core.c | 18 +
This new form allows using hardware assisted waiting.
Some hardware (ARM64 and x86) allow monitoring an address for changes,
so by providing a pointer we can use this to replace the cpu_relax().
Requested-by: Will Deacon
Suggested-by: Linus Torvalds
Signed-off-by: Peter Zijlstra (Intel)
---
i
With the modified semantics of spin_unlock_wait() a number of
explicit barriers can be removed. And update the comment for the
do_exit() usecase, as that was somewhat stale/obscure.
Signed-off-by: Peter Zijlstra (Intel)
---
ipc/sem.c |1 -
kernel/exit.c |8 ++--
kernel/
Similar to -v3 in that it rewrites spin_unlock_wait() for all.
The new spin_unlock_wait() provides ACQUIRE semantics to match the RELEASE of
the spin_unlock() we waited for and thereby ensure we can fully observe its
critical section.
This fixes a number (pretty much all) spin_unlock_wait() users
This patch updates/fixes all spin_unlock_wait() implementations.
The update is in semantics; where it previously was only a control
dependency, we now upgrade to a full load-acquire to match the
store-release from the spin_unlock() we waited on. This ensures that
when spin_unlock_wait() returns, w
Introduce smp_acquire__after_ctrl_dep(), this construct is not
uncommon, but the lack of this barrier is.
Signed-off-by: Peter Zijlstra (Intel)
---
include/linux/compiler.h | 17 -
ipc/sem.c| 14 ++
2 files changed, 14 insertions(+), 17 deletions(-
Since TILE doesn't do read speculation, its control dependencies also
guarantee LOAD->LOAD order and we don't need the additional RMB
otherwise required to provide ACQUIRE semantics.
Acked-by: Chris Metcalf
Signed-off-by: Peter Zijlstra (Intel)
---
arch/tile/include/asm/barrier.h |7 +++
On Thu, Jun 02, 2016 at 12:08:08AM +0200, Laura Garcia Liebana wrote:
> Add translation for Hop-By-Hop header to nftables. Hbh options are not
> supported yet in nft.
It would be good to document this in the wiki, as Shivani did already.
It would be also good if you can document what is missing to
On Wed, Jun 01, 2016 at 11:38:27PM +0530, Shivani Bhardwaj wrote:
> The order of mask and mark in the output is wrong. This has been pointed
> out:
> http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
> by Liping Zhang .
> This patch fixes the same issue with con
On Thu, Jun 02, 2016 at 12:55:38PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 02, 2016 at 12:40:23PM +0200, Carlos Falgueras García wrote:
> > Signed-off-by: Carlos Falgueras García
> > ---
> > src/rule.c | 2 ++
> > src/set_elem.c | 2 ++
> > 2 files changed, 4 insertions(+)
> >
> > diff
On Thu, Jun 02, 2016 at 12:40:24PM +0200, Carlos Falgueras García wrote:
> When you set an object attribute the memory is copied, sometimes an
> allocation is needed and it must be checked. By now all setter methods
> return void, so the policy adopted in case of error is to keep the object
> uncha
On Thu, Jun 02, 2016 at 12:40:23PM +0200, Carlos Falgueras García wrote:
> Signed-off-by: Carlos Falgueras García
> ---
> src/rule.c | 2 ++
> src/set_elem.c | 2 ++
> 2 files changed, 4 insertions(+)
>
> diff --git a/src/rule.c b/src/rule.c
> index 8ee8648..3576e32 100644
> --- a/src/rule.c
On Thu, Jun 02, 2016 at 12:25:13AM +0200, Laura Garcia Liebana wrote:
> Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation'
> instead. Update some FIXME datatypes.
Applied, thanks Laura.
On Wed, Jun 01, 2016 at 10:16:18PM +0200, Laura Garcia wrote:
> On Wed, Jun 01, 2016 at 04:43:45PM +0200, Arturo Borrero Gonzalez wrote:
> > On 31 May 2016 at 20:26, Laura Garcia Liebana wrote:
> > > +static int __multiport_xlate_v1(const void *ip,
> > > + const struc
When you set an object attribute the memory is copied, sometimes an
allocation is needed and it must be checked. By now all setter methods
return void, so the policy adopted in case of error is to keep the object
unchanged.
What this patch makes:
* All memory allocations inside setters are
Signed-off-by: Carlos Falgueras García
---
src/rule.c | 2 ++
src/set_elem.c | 2 ++
2 files changed, 4 insertions(+)
diff --git a/src/rule.c b/src/rule.c
index 8ee8648..3576e32 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -112,6 +112,8 @@ void nftnl_rule_unset(struct nftnl_rule *r, uint16_t
37 matches