Re: [PATCH v2 0/5] ipvs: fix backup sync daemon with IPv6, and minor updates

2016-06-14 Thread Julian Anastasov
Hello, On Tue, 14 Jun 2016, Quentin Armitage wrote: > This series of patches arises from discovering that: > ipvsadm --start-daemon backup --mcast-group IPv6_address ... > would always fail. > > The first patch resolves the problem. The second and third patches are > optimizations that

[PATCH v4] xtables: Add an interval option for xtables lock wait

2016-06-14 Thread Subash Abhinov Kasiviswanathan
ip[6]tables currently waits for 1 second for the xtables lock to be freed if the -w option is used. We have seen that the lock is held much less than that, resulting in unnecessary delay when trying to acquire the lock. This problem is even more severe in the case of latency-sensitive applications.

[PATCH V3] net: Allow xt_owner in any user namespace

2016-06-14 Thread Kevin Cernekee
From: "Eric W. Biederman" Making this work is a little tricky as it really isn't kosher to change the xt_owner_match_info in a check function. Without changing xt_owner_match_info we need to know the user namespace the uids and gids are specified in. In the common case

[PATCH] libipt_NETMAP: Avoid listing 32 bit mask and fix tests

2016-06-14 Thread Shivani Bhardwaj
(1) If subnet mask is unspecified with an IPv4 address, the rule lists as iptables -I PREROUTING -t nat -j NETMAP --to to:1.2.3.4/32 Remove this and make the rule list as iptables -I PREROUTING -t nat -j NETMAP --to to:1.2.3.4 (2) Fix the tests for NETMAP for IPv4. Before this patch,

[PATCH] extensions: libxt_conntrack: Add translation to nft

2016-06-14 Thread Laura Garcia Liebana
Add translation of conntrack to nftables. Examples: $ sudo iptables-translate -t filter -A INPUT -m conntrack --ctstate NEW,RELATED -j ACCEPT nft add rule ip filter INPUT ct state { new,related } counter accept $ sudo ip6tables-translate -t filter -A INPUT -m conntrack ! --ctstate NEW,RELATED

Re: [PATCH] iptables: extensions: libxt_MARK: Add translation to nft

2016-06-14 Thread Pablo Neira Ayuso
On Tue, Jun 14, 2016 at 07:12:22PM +0200, rodan...@gmail.com wrote: > From: Roberto García > > Add translation for the MARK target to nftables. > > Examples: > > $ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64 > > nft add rule ip mangle OUTPUT counter

[PATCH] iptables: extensions: libxt_MARK: Add translation to nft

2016-06-14 Thread rodanber
From: Roberto García Add translation for the MARK target to nftables. Examples: $ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-mark 64 nft add rule ip mangle OUTPUT counter meta mark set 0x40 $ sudo iptables-translate -t mangle -A OUTPUT -j MARK --set-xmark

Re: [PATCH] extensions: libxt_cgroup: Add translation to nft

2016-06-14 Thread Pablo Neira Ayuso
On Thu, Jun 09, 2016 at 09:54:22PM +0200, Laura Garcia Liebana wrote: > Add translation for cgroup to nft. Path parameter not supported in nft > yet. > > Examples: > > $ sudo iptables-translate -t filter -A INPUT -m cgroup --cgroup 0 -j ACCEPT > nft add rule ip filter INPUT meta cgroup 0 counter

Re: [PATCH] netfilter: fix buffer null termination

2016-06-14 Thread Kishan Sandeep
Hi Pablo, On Tue, Jun 14, 2016 at 8:38 PM, Pablo Neira Ayuso wrote: > Cc'ing netfilter-devel. > > On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep wrote: >> + netdev >> >> On Sat, Jun 11, 2016 at 10:18 AM, Kishan Sandeep >> wrote: >> >

Re: [PATCH 2/2 v2,libnftnl] Check memory allocations in setters

2016-06-14 Thread Pablo Neira Ayuso
On Fri, Jun 10, 2016 at 02:22:46PM +0200, Carlos Falgueras García wrote: > When you set an object attribute the memory is copied, sometimes an > allocation is needed and it must be checked. Before this patch all setter > methods return void, so this patch makes all setters return int instead of void

Re: [PATCH 1/2 v2,libnftnl] Fix leak in nftnl_*_unset()

2016-06-14 Thread Pablo Neira Ayuso
Applied, thanks Carlos.

Re: Re: [PATCH nf-next 2/3] netfilter: nf_tables: fix an endless jump loop when use vmap

2016-06-14 Thread Pablo Neira Ayuso
On Tue, Jun 14, 2016 at 08:07:41PM +0800, Liping Zhang wrote: > Hi pablo, > > At 2016-06-14 02:19:02, "Pablo Neira Ayuso" wrote: > >On Sat, Jun 11, 2016 at 12:20:27PM +0800, Liping Zhang wrote: > > > >Thanks for tracking down and fixing this one. > > > >I've made a new

Re: [PATCH] netfilter: fix buffer null termination

2016-06-14 Thread Pablo Neira Ayuso
Cc'ing netfilter-devel. On Tue, Jun 14, 2016 at 07:39:27PM +0530, Kishan Sandeep wrote: > + netdev > > On Sat, Jun 11, 2016 at 10:18 AM, Kishan Sandeep > wrote: > > strncpy is generally preferable for non-terminated > > fixed-width strings. For NULL termination strlcpy >

[PATCH v2 1/5] ipvs: Enable setting IPv6 multicast address for ipvs sync daemon backup

2016-06-14 Thread Quentin Armitage
When using HEAD from https://git.kernel.org/cgit/utils/kernel/ipvsadm/ipvsadm.git/, the command: ipvsadm --start-daemon backup --mcast-interface eth0.60 --mcast-group ff01::1:81 fails with the error message: Argument list too long whereas both: ipvsadm --start-daemon master --mcast-interface

[PATCH v2 2/5] ipvs: Stop calling __dev_get_by_name() repeatedly when starting sync daemon

2016-06-14 Thread Quentin Armitage
Optimise starting sync daemons by using the result of the first call to __dev_get_by_name() and pass the result or ifindex to subsequent functions to avoid them having to call __dev_get_by_name() again. Signed-off-by: Quentin Armitage --- net/netfilter/ipvs/ip_vs_sync.c

[PATCH v2 0/5] ipvs: fix backup sync daemon with IPv6, and minor updates

2016-06-14 Thread Quentin Armitage
This series of patches arises from discovering that: ipvsadm --start-daemon backup --mcast-group IPv6_address ... would always fail. The first patch resolves the problem. The second and third patches are optimizations that were noticed while investigating the original problem. The fourth patch

[PATCH v2 3/5] ipvs: Don't check result < 0 after setting result = 0

2016-06-14 Thread Quentin Armitage
Move the block testing result < 0 to avoid the test immediately after setting result = 0. Signed-off-by: Quentin Armitage --- net/netfilter/ipvs/ip_vs_sync.c | 12 ++-- 1 files changed, 6 insertions(+), 6 deletions(-) diff --git

[PATCH v2 5/5] ipvs: log additional sync daemon parameters

2016-06-14 Thread Quentin Armitage
Add new multicast parameters to log messages when sync daemons start. Commits ("ipvs: add sync_maxlen parameter for the sync daemon") and ("ipvs: add more mcast parameters for the sync daemon") added additional multicast parameters, but didn't add them to the log messages when the sync daemons

[PATCH v2 4/5] ipvs: Lock socket before setting SK_CAN_REUSE

2016-06-14 Thread Quentin Armitage
When other settings are changed in the socket it is locked, so lock the socket before setting SK_CAN_REUSE. Signed-off-by: Quentin Armitage --- net/netfilter/ipvs/ip_vs_sync.c |2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git

Re: [PATCH V2] net: Allow xt_owner in any user namespace

2016-06-14 Thread Pablo Neira Ayuso
On Mon, Jun 13, 2016 at 09:06:55PM -0500, Eric W. Biederman wrote: > Florian Westphal writes: > > > Kevin Cernekee wrote: > >> @@ -35,6 +63,7 @@ owner_mt(const struct sk_buff *skb, struct > >> xt_action_param *par) > >>const struct xt_owner_match_info

[PATCH libnftnl 1/9] src: get rid of aliases

2016-06-14 Thread Pablo Neira Ayuso
This machinery was introduced to avoid sudden compilation breakage of old nftables releases. With the release of 0.6 (and 0.5 which is now 9 months old) this is not required anymore. Moreover, users gain nothing from older releases since they are half-boiled and full of bugs. So let's get rid of

[PATCH libnftnl 8/9] tests: shuffle values that are injected

2016-06-14 Thread Pablo Neira Ayuso
Shuffle the values that are used to set attributes; this variability should help us catch more problems in the future. Signed-off-by: Pablo Neira Ayuso --- tests/nft-chain-test.c | 10 +- tests/nft-expr_bitwise-test.c | 4 ++-- tests/nft-expr_cmp-test.c

[PATCH libnftnl 2/9] src: assert when setting unknown attributes

2016-06-14 Thread Pablo Neira Ayuso
If this attribute is not supported by the library, we should raise an assertion so the client knows something is wrong, instead of silently going through. The only case I can think of that may hit this problem is a version mismatch between library and tools. This should not ever really happen, so better

[PATCH libnftnl 5/9] expr: data_reg: get rid of leftover perror() calls

2016-06-14 Thread Pablo Neira Ayuso
Let the client of this library decide when to display error messages. Signed-off-by: Pablo Neira Ayuso --- src/expr/data_reg.c | 9 +++-- 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/src/expr/data_reg.c b/src/expr/data_reg.c index 6aa47bc..688823b

[PATCH libnftnl 9/9] chain: dynamically allocate name

2016-06-14 Thread Pablo Neira Ayuso
Just in case we ever support chains with larger names in the future, this will ensure the library doesn't break. Although I don't expect to allocate more bytes for this anytime soon, let's be conservative here. Signed-off-by: Pablo Neira Ayuso --- src/chain.c | 23

[PATCH libnftnl 6/9] src: simplify unsetters

2016-06-14 Thread Pablo Neira Ayuso
If the attribute is set as we already check at the beginning of this function, then we can release the object. Signed-off-by: Pablo Neira Ayuso --- src/chain.c| 15 +++ src/rule.c | 10 ++ src/ruleset.c | 4 src/set.c | 15

[PATCH libnftnl 4/9] src: check for strdup() errors from setters and parsers

2016-06-14 Thread Pablo Neira Ayuso
And pass up an error to the caller. Signed-off-by: Pablo Neira Ayuso --- src/chain.c | 6 ++ src/expr/data_reg.c | 3 +++ src/expr/dynset.c| 4 src/expr/immediate.c | 2 ++ src/expr/log.c | 4 src/expr/lookup.c| 4 src/rule.c

[PATCH libnftnl 3/9] src: return value on setters that internally allocate memory

2016-06-14 Thread Pablo Neira Ayuso
So the client can bail out of memory allocation errors. Or in case of daemon, make sure things are left in consistent state before bailing out. Signed-off-by: Pablo Neira Ayuso --- include/libnftnl/chain.h | 4 ++-- include/libnftnl/expr.h | 4 ++--

[PATCH libnftnl 7/9] src: check for flags before releasing attributes

2016-06-14 Thread Pablo Neira Ayuso
Now that unsetters don't set pointers to NULL, check if the attribute is set before trying to release it. Signed-off-by: Pablo Neira Ayuso --- src/chain.c | 18 ++ src/expr/immediate.c | 2 +- src/expr/log.c | 2 +- src/expr/match.c | 4

Re: [PATCH nf-next 4/4] netfilter: nft_meta: add explicitly nf_logger_find_get call

2016-06-14 Thread Liping Zhang
Hi Florian, At 2016-06-08 20:59:32, "Florian Westphal" wrote: > >With nftables we have a new infrastructure in place that emits trace info via >nfnetlink. > >So loading nf_log_ipX isn't needed anymore in nft. Yes, in nftables, user can use "nft monitor" to get the trace info.

[PATCH nf-next] netfilter: nf_tables: fix a wrong check to skip the inactive rules

2016-06-14 Thread Liping Zhang
From: Liping Zhang nft_genmask_cur has already applied the left-shift operator to the gencursor, so there's no need to apply the left-shift operator to it again. Fixes: ea4bd995b0f2 ("netfilter: nf_tables: add transaction helper functions") Cc: Patrick McHardy