Eric Sesterhenn wrote:
> Add missing counter decrement to prevent out of bounds memory read.
>
> Signed-off-by: Eric Sesterhenn
>
> diff --git a/net/netfilter/nf_conntrack_h323_asn1.c
> b/net/netfilter/nf_conntrack_h323_asn1.c
> index
xt_replace_table relies on table replacement counter retrieval (which
uses xt_recseq to synchronize pcpu counters).
This is fine, however with large rule set get_counters() can take
a very long time -- it needs to synchronize all counters because
it has to assume concurrent modifications can
after previous commit xt_replace_table will wait until all cpus
had even seqcount (i.e., no cpu is accessing old ruleset).
Add an 'old' counter retrieval version that doesn't synchronize counters.
It's not needed, the old counters are not in use anymore at this point.
This speeds up table
iptables-restore can take quite a long time when the system is busy, on the order
of half a minute or more.
The main reason for this is the way ip(6)tables performs table swap:
When xt_replace_table assigns the new ruleset pointer, it does
not wait for other processors to finish with old ruleset.
On Wed, Oct 11, 2017 at 11:18 AM, Florian Westphal wrote:
> Eric Dumazet wrote:
>> On Wed, Oct 11, 2017 at 10:48 AM, Florian Westphal wrote:
>> > Eric Dumazet wrote:
>> >> On Wed, Oct 11, 2017 at 7:26 AM, Florian
Eric Dumazet wrote:
> On Wed, Oct 11, 2017 at 10:48 AM, Florian Westphal wrote:
> > Eric Dumazet wrote:
> >> On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal wrote:
> >> > xt_replace_table relies on table replacement
On Wed, Oct 11, 2017 at 11:03 AM, Florian Westphal wrote:
> Eric Dumazet wrote:
> But it seems we need an extra smp_wmb() after
> smp_wmb();
> table->private = newinfo;
>
> Otherwise we have no guarantee other cpus actually see the new
> ->private value.
>
>
Eric Dumazet wrote:
But it seems we need an extra smp_wmb() after
smp_wmb();
table->private = newinfo;
Otherwise we have no guarantee other cpus actually see the new
->private value.
Suggested-by: Eric Dumazet
Signed-off-by: Florian Westphal
On Wed, Oct 11, 2017 at 10:48 AM, Florian Westphal wrote:
> Eric Dumazet wrote:
>> On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal wrote:
>> > xt_replace_table relies on table replacement counter retrieval (which
>> > uses xt_recseq to
Eric Dumazet wrote:
> On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal wrote:
> > xt_replace_table relies on table replacement counter retrieval (which
> > uses xt_recseq to synchronize pcpu counters).
> >
> > This is fine, however with large rule set
On Fri, Oct 6, 2017 at 1:06 PM, Harsha Sharma wrote:
> Add support for IPV6 routing header type 0 reserved field and addresses
> with corresponding tests
>
> Signed-off-by: Harsha Sharma
> ---
> For struct exthdr_rt0, I have specified type
On Wed, Oct 11, 2017 at 7:26 AM, Florian Westphal wrote:
> xt_replace_table relies on table replacement counter retrieval (which
> uses xt_recseq to synchronize pcpu counters).
>
> This is fine, however with large rule set get_counters() can take
> a very long time -- it needs to
Hi Varsha,
On Wed, Oct 11, 2017 at 10:03:56AM +0530, Varsha Rao wrote:
> Test files of tests/files/ are moved to tests/shell.
We have more than 100 tests these days, could you have a look at the
repository to see if this is adding redundant tests for what we have?
If we already have a test
not needed/used anymore.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 1 -
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 1 -
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 1 -
net/netfilter/nf_conntrack_core.c | 2 +-
We currently pass down the l4 protocol to the conntrack ->packet()
function, but the only user of this is the debug info decision.
Same information can be derived from struct nf_conn.
Add a wrapper for the previous patch that extracts the information
from nf_conn and passes it to
We currently pass pf to the packet() function of the l4 trackers,
but this isn't needed -- it's only required for the 'log invalid' check
and the l4 protocol is also available in the nf_conn entry.
This series adds helpers for logging invalid packets, similar
to nf_ct_helper_log().
I added a
We currently pass down the l4 protocol to the conntrack ->packet()
function, but the only user of this is the debug info decision.
Same information can be derived from struct nf_conn.
As a first step, add and use a new log function for this, similar to
nf_ct_helper_log().
Add __cold annotation
Hey,
There's a patch that may be of interest to this group.
[ I'll admit, I share interest in this patch ].
It was sent to netdev.
Though it looks like it should have been sent here.
Link:
https://patchwork.ozlabs.org/patch/765233/
I wouldn't want to send the patch again, since it's from Blair