[PATCH nft] src: Pass stateless, numeric, ip2name and handle variables as structure members.

2017-06-14 Thread Varsha Rao
The libnftables library will be created soon. So, declare numeric_output, stateless_output, ip2name_output and handle_output as members of structure print_ctx, instead of global variables. Signed-off-by: Varsha Rao --- include/datatype.h | 8 +-- include/expression.h | 7

Re: using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Jun 14, 2017 at 01:53:38PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > > > The extra hook has a performance impact though, is it something that > > > would just go away once x_tables is gone? What

Re: using nft & iptables nat in parallel

2017-06-14 Thread Pablo Neira Ayuso
On Wed, Jun 14, 2017 at 07:13:12PM +0200, Pablo Neira Ayuso wrote: > On Wed, Jun 14, 2017 at 01:53:38PM +0200, Florian Westphal wrote: > > Pablo Neira Ayuso wrote: > > > > > The extra hook has a performance impact though, is it something that > > > would just go away once

Re: using nft & iptables nat in parallel

2017-06-14 Thread Pablo Neira Ayuso
On Wed, Jun 14, 2017 at 01:53:38PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > > The extra hook has a performance impact though, is it something that > > would just go away once x_tables is gone? What is your plan on this? > > Once we do it we can't remove

Re: [PATCH nf-next] netns: add and use net_ns_barrier

2017-06-14 Thread Eric W. Biederman
Pablo Neira Ayuso writes: > Hi! > > On Tue, Jun 13, 2017 at 09:35:20AM -0700, Cong Wang wrote: >> On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal wrote: >> > Cong Wang wrote: >> >> On Thu, Jun 1, 2017 at 1:52 AM, Florian

Re: using nft & iptables nat in parallel

2017-06-14 Thread Arturo Borrero Gonzalez
On 14 June 2017 at 11:58, Florian Westphal wrote: > Arturo Borrero Gonzalez wrote: >> I'm curious, what is the use case of using both nftables and iptables >> at the same time? >> Some missing functionality in nft? >> Perhaps some ipt->nft partial migration

Re: using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > That still means drastic change, swapping out xt_core for nftables > > rather than using "old" iptables is still a big difference... > > Not drastic. The idea is that compat provides same semantics. Did you > give it a try to evaluate the state

Re: using nft & iptables nat in parallel

2017-06-14 Thread Pablo Neira Ayuso
On Wed, Jun 14, 2017 at 01:19:34PM +0200, Florian Westphal wrote: > Pablo Neira Ayuso wrote: > > On Wed, Jun 14, 2017 at 11:58:03AM +0200, Florian Westphal wrote: > > > Arturo Borrero Gonzalez wrote: > > > > I'm curious, what is the use case of using both

Re: using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Wed, Jun 14, 2017 at 11:58:03AM +0200, Florian Westphal wrote: > > Arturo Borrero Gonzalez wrote: > > > I'm curious, what is the use case of using both nftables and iptables > > > at the same time? > > > Some missing

Re: using nft & iptables nat in parallel

2017-06-14 Thread Pablo Neira Ayuso
On Wed, Jun 14, 2017 at 11:58:03AM +0200, Florian Westphal wrote: > Arturo Borrero Gonzalez wrote: > > I'm curious, what is the use case of using both nftables and iptables > > at the same time? > > Some missing functionality in nft? > > Perhaps some ipt->nft partial migration

Re: using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Arturo Borrero Gonzalez wrote: > I'm curious, what is the use case of using both nftables and iptables > at the same time? > Some missing functionality in nft? > Perhaps some ipt->nft partial migration procedure? Yes, partial migration. Right now there are an awful lot of

[PATCH nf-next] netfilter: conntrack: use NFPROTO_MAX to size array

2017-06-14 Thread Florian Westphal
We don't support anything larger than NFPROTO_MAX, so we can shrink this a bit:

       text    data     dec     hex filename
  old: 8259    1096    9355    248b net/netfilter/nf_conntrack_proto.o
  new: 8259     624    8883    22b3 net/netfilter/nf_conntrack_proto.o

Signed-off-by: Florian Westphal ---

Re: using nft & iptables nat in parallel

2017-06-14 Thread Arturo Borrero Gonzalez
On 14 June 2017 at 11:24, Florian Westphal wrote: > > Another side effect is that this avoids the need to add (in nft case) > the 'empty' nat base chains to take care of reply translation. > good! > Thoughts? > I'm curious, what is the use case of using both nftables and

using nft & iptables nat in parallel

2017-06-14 Thread Florian Westphal
Hi. As you might know it's currently not possible to use iptables and nft nat at the same time. I had a look at this and think we should fix this as follows: 1. decouple nat rewrite from nat chain/iptable_nat iteration. Currently we do this from nf_nat_ipv4/6_fn, so first call (be it nft nat or

Re: [PATCH nf-next] netns: add and use net_ns_barrier

2017-06-14 Thread Pablo Neira Ayuso
Hi! On Tue, Jun 13, 2017 at 09:35:20AM -0700, Cong Wang wrote: > On Mon, Jun 12, 2017 at 11:16 PM, Florian Westphal wrote: > > Cong Wang wrote: > >> On Thu, Jun 1, 2017 at 1:52 AM, Florian Westphal wrote: > >> > Joe described it nicely,

[PATCH] netfilter: conntrack: fix clash resolution in nat

2017-06-14 Thread Haishuang Yan
In our OpenStack environment, DNS lookups for a hostname are slow when a VM issues parallel DNS requests for IPv4 and IPv6 addresses: the second, IPv6 request( record) is dropped on its way in the compute node. We found many similar related links: https://bbs.archlinux.org/viewtopic.php?id=75770