[PATCH net] bridge: ebtables: fix reception of frames DNAT-ed to bridge device

2017-03-14 Thread Linus Lüssing
When trying to redirect bridged frames to the bridge device itself via the ebtables nat-prerouting chain and the dnat target, this currently fails: The ethernet destination of the frame is dnat'ed to the MAC address of the bridge itself just fine and the correctly altered frame can even be

[PATCH nf-next 1/1] netfilter: ctlink: Remove duplicated condition check in nfnl_cthelper_create

2017-03-14 Thread fgao
From: Gao Feng Because its caller nfnl_cthelper_new has already checked tb[NFCTH_TUPLE], it is unnecessary to check it again in nfnl_cthelper_create. Signed-off-by: Gao Feng --- net/netfilter/nfnetlink_cthelper.c | 2 +- 1 file changed, 1 insertion(+),

Re: [PATCH nft 5/9] ct: add conntrack event mask support

2017-03-14 Thread Florian Westphal
Florian Westphal wrote: [ nft .. ct eventmask set ...] ahem. I did not mean to submit this yet as the kernel patch assumes that the untracked object doesn't exist anymore (which is why I haven't submitted it yet). I will not push this patch until the kernel patch is in

[PATCH nft 8/9] doc: ct zone set support

2017-03-14 Thread Florian Westphal
Signed-off-by: Florian Westphal --- doc/nft.xml | 28 +++- 1 file changed, 27 insertions(+), 1 deletion(-) diff --git a/doc/nft.xml b/doc/nft.xml index de86d2a18258..8ea280417742 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -3347,6 +3347,7 @@ ip6 filter

[PATCH nft 4/9] src: implement add/create/delete for ct helper objects

2017-03-14 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/rule.h | 4 src/evaluate.c | 4 src/parser_bison.y | 63 -- src/rule.c | 22 +++ 4 files changed, 91 insertions(+), 2 deletions(-) diff

[PATCH nft 7/9] files: provide 'raw' table equivalent

2017-03-14 Thread Florian Westphal
useful for the 'ct zone set' statement, it has to be done before the conntrack lookup but preferably after the defragmentation hook. In iptables, the functionality resides in the CT target which is restricted to the raw table. This provides the skeleton for nft. Signed-off-by: Florian Westphal

[PATCH nft 6/9] tests: py: add ct helper tests

2017-03-14 Thread Florian Westphal
needs minor tweak to nft-test.py so we don't zap the ';' within the {} before attempting to add the rule/ct helper object. Signed-off-by: Florian Westphal --- tests/py/ip/objects.t | 4 tests/py/ip/objects.t.payload | 14 ++ tests/py/nft-test.py

[PATCH nft 5/9] ct: add conntrack event mask support

2017-03-14 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/datatype.h| 1 + include/linux/netfilter/nf_conntrack_common.h | 80 ++- include/linux/netfilter/nf_tables.h | 2 + src/ct.c | 30

[PATCH nft 9/9] doc: helper assignment

2017-03-14 Thread Florian Westphal
Signed-off-by: Florian Westphal --- doc/nft.xml | 71 + 1 file changed, 71 insertions(+) diff --git a/doc/nft.xml b/doc/nft.xml index 8ea280417742..ffca6cc9322e 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -950,6

[PATCH nft 3/9] src: allow listing all ct helpers

2017-03-14 Thread Florian Westphal
this implements nft list ct helpers table filter table ip filter { ct helper ftp-standard { .. Signed-off-by: Florian Westphal --- include/rule.h | 1 + src/evaluate.c | 1 + src/parser_bison.y | 19 +++ src/rule.c | 2 ++ 4 files changed,

[PATCH nft 2/9] evaluate: refactor CMD_OBJ_QUOTA/COUNTER handling

2017-03-14 Thread Florian Westphal
... to make adding CMD_OBJ_CT_HELPER support easier. Signed-off-by: Florian Westphal --- src/evaluate.c | 32 1 file changed, 20 insertions(+), 12 deletions(-) diff --git a/src/evaluate.c b/src/evaluate.c index 7ddbb658f96f..ae30bc9bb3b9 100644

[PATCH nft 0/9] ct helper set support

2017-03-14 Thread Florian Westphal
This series adds the frontend/nft support to define and assign connection tracking helpers. Example: table inet myhelpers { ct helper ftp-standard { type "ftp" protocol tcp } chain prerouting { type filter hook prerouting priority 0; tcp dport 21 ct helper set

[PATCH libnftnl 2/2] src: ct helper support

2017-03-14 Thread Florian Westphal
add support for ct helper objects, these are used to assign helpers to connections, similar to iptables -j CT --set-helper target. Signed-off-by: Florian Westphal --- include/libnftnl/object.h | 6 ++ include/linux/netfilter/nf_tables.h | 12 ++- include/obj.h

[PATCH libnftnl 1/2] object: extend set/get api for u8/u16 types

2017-03-14 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/libnftnl/object.h | 4 src/libnftnl.map | 4 src/object.c | 26 ++ 3 files changed, 34 insertions(+) diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h index

[PATCH libnftnl 0/2] add backend support to define ct helpers

2017-03-14 Thread Florian Westphal
This adds libnftnl support to define connection tracking helpers. Frontend (nft) support will follow soon. include/libnftnl/object.h | 10 + include/linux/netfilter/nf_tables.h | 12 +- include/obj.h |6 + src/Makefile.am |1

Re: [PATCH 1/2 nf] netfilter: nft_set_bitmap: keep a list of dummy elements

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 10:44:43PM +0800, Liping Zhang wrote: > Hi Pablo, > 2017-03-14 20:19 GMT+08:00 Pablo Neira Ayuso : > [...] > > Another possibility is to simply regard desc->size over the memory > > scalability notation when provided. I think this just needs an update >

Re: [PATCH 1/2 nf] netfilter: nft_set_bitmap: keep a list of dummy elements

2017-03-14 Thread Liping Zhang
Hi Pablo, 2017-03-14 20:19 GMT+08:00 Pablo Neira Ayuso : [...] > Another possibility is to simply regard desc->size over the memory > scalability notation when provided. I think this just needs an update > from nft userspace. Look, bitmap and hashtable are both described as >

Re: [iptables PATCH] extensions: libxt_statistic: Complete nft translator

2017-03-14 Thread Phil Sutter
On Mon, Mar 13, 2017 at 05:53:53PM +0100, Pablo Neira Ayuso wrote: > On Mon, Mar 13, 2017 at 05:01:53PM +0100, Phil Sutter wrote: > [...] > > The nftables numgen expression works differently: > > Phil, if you think we need a 1:1 mapping so iptables users moving to > nftables don't get confused,

Re: [PATCH 1/2 nf] netfilter: nft_set_bitmap: keep a list of dummy elements

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 11:21:31AM +0100, Pablo Neira Ayuso wrote: > On Tue, Mar 14, 2017 at 05:04:17PM +0800, Liping Zhang wrote: > > 2017-03-14 1:23 GMT+08:00 Pablo Neira Ayuso : > > [...] > > > Anyway, I'll be fine if this triggers some discussions on the set > > > backend

ANNOUNCE: New talk accepted on Netesto tool suite

2017-03-14 Thread Jamal Hadi Salim
The tech committee would like to announce a new accepted talk. Lawrence Brakmo will talk about the Netesto tool suite. Details are as follows: - Netesto (NEtwork TESting TOolkit) is a suite of tools for running multi-host network experiments that supports the collection and display of

Re: conntrack (possibly) hangs on our ARM CPU in case we delete 5k+ connections as fast as possible

2017-03-14 Thread Florian Westphal
Peter Marczis wrote: > I mean we destroy the sockets, we used two very basic python script to > open and close TCP sockets between the WAN and LAN interface. Then my guess wrt. nf_ct_iterate_cleanup is certainly wrong.

Re: conntrack (possibly) hangs on our ARM CPU in case we delete 5k+ connections as fast as possible

2017-03-14 Thread Peter Marczis
Hi, I mean we destroy the sockets, we used two very basic python scripts to open and close TCP sockets between the WAN and LAN interface. Thanks for the hint, I will try those! Br, Peter On Tue, Mar 14, 2017 at 11:33 AM, Florian Westphal wrote: > Peter Marczis

Re: conntrack (possibly) hangs on our ARM CPU in case we delete 5k+ connections as fast as possible

2017-03-14 Thread Florian Westphal
Peter Marczis wrote: > Hello developers, > I'm seeking some help to debug and solve one of my issues. > > We observed that if we create 30k connections, everything works as > expected, but when we start to disconnect them, > conntrack (well not confirmed yet

Re: [PATCH] iptables: set the path of the lock file via a configure option.

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 05:55:50PM +0900, Lorenzo Colitti wrote: > Currently the iptables lock is hardcoded as "/run/xtables.lock". > Allow users to change this path using the --with-xt-lock-name > option to ./configure. This is useful on systems like > Android which do not have /run. > >

Re: [PATCH 1/2 nf] netfilter: nft_set_bitmap: keep a list of dummy elements

2017-03-14 Thread Pablo Neira Ayuso
On Tue, Mar 14, 2017 at 05:04:17PM +0800, Liping Zhang wrote: > 2017-03-14 1:23 GMT+08:00 Pablo Neira Ayuso : > [...] > > Anyway, I'll be fine if this triggers some discussions on the set > > backend selection at some point, as well as more detailed performance > > evaluation.

conntrack (possibly) hangs on our ARM CPU in case we delete 5k+ connections as fast as possible

2017-03-14 Thread Peter Marczis
Hello developers, I'm seeking some help to debug and solve one of my issues. At GreenWave I'm working on a "SOHO" Router product, and of course we use linux / netfilter. We observed that if we create 30k connections, everything works as expected, but when we start to disconnect them, conntrack

Re: [PATCH 1/2 nf] netfilter: nft_set_bitmap: keep a list of dummy elements

2017-03-14 Thread Liping Zhang
Hi Pablo, 2017-03-14 1:23 GMT+08:00 Pablo Neira Ayuso : [...] > I would like this only describes the representation that is exposed to > the packet path, not the real memory consumption of it. I know I'm > kind of cheating, but with this I'm also giving this bitmap an >

[PATCH] iptables: set the path of the lock file via a configure option.

2017-03-14 Thread Lorenzo Colitti
Currently the iptables lock is hardcoded as "/run/xtables.lock". Allow users to change this path using the --with-xt-lock-name option to ./configure. This is useful on systems like Android which do not have /run. Tested on Ubuntu, as follows: 1. By default, the lock is placed in

Re: [PATCH net-next 1/1] netfilter: helper: Remove the rcu lock in nf_ct_helper_expectfn_find_by_name and nf_ct_helper_expectfn_find_by_symbol.

2017-03-14 Thread Feng Gao
Hi Pablo, On Tue, Mar 14, 2017 at 4:29 PM, wrote: > From: Gao Feng > > Because these two functions return the nf_ct_helper_expectfn pointer > which should be protected by rcu lock. So it should make sure the > caller holds the rcu lock, not inside

[PATCH nf 1/1] netfilter: helper: Fix possible panic caused by invoking expectfn unloaded

2017-03-14 Thread fgao
From: Gao Feng The helper module permits helper modules to register an expectfn, and it could be held by an external caller. But when the module is unloaded, there may be some pending expect nodes which still hold the function reference. It may cause unexpected behavior, even panic.