Pablo Neira Ayuso wrote:
> diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h
> b/include/uapi/linux/netfilter/nf_conntrack_common.h
> index dc947e59d03a..6b463b88182d 100644
> --- a/include/uapi/linux/netfilter/nf_conntrack_common.h
> +++
Yi-Hung Wei wrote:
> On Wed, Dec 6, 2017 at 4:41 AM, Florian Westphal wrote:
> > +static int __init nf_conncount_modinit(void)
> > +{
> > + int ret, i;
> > +
> > + BUILD_BUG_ON(CONNCOUNT_LOCK_SLOTS > CONNCOUNT_SLOTS);
> > +
On Wed, Dec 6, 2017 at 4:41 AM, Florian Westphal wrote:
> +static int __init nf_conncount_modinit(void)
> +{
> + int ret, i;
> +
> + BUILD_BUG_ON(CONNCOUNT_LOCK_SLOTS > CONNCOUNT_SLOTS);
> + BUILD_BUG_ON((CONNCOUNT_SLOTS % CONNCOUNT_LOCK_SLOTS) != 0);
> +
> +
On Fri, Dec 08, 2017 at 06:46:06AM +0100, Linus Lüssing wrote:
> Extending the usersize to include info->prev would probably be too
> hackish/ugly, right?
And wouldn't be enough anyway, since
info->{credit,credit_cap,cost} would still be zeroed... Hm.
--
To unsubscribe from this list: send the
On Thu, Dec 07, 2017 at 01:26:19AM +0100, Pablo Neira Ayuso wrote:
> > I also had a quick look at a 4.15-rc1 kernel in a VM now. I still
> > end up in ebt_limit_mt_check() with the variables being reset
> > when editing the table somewhere.
>
> My question is if your fix would work with 4.15-rc1.
On Thu, Dec 07, 2017 at 02:26:09PM +0100, Arnd Bergmann wrote:
> The added check produces a build error when CONFIG_PROC_FS is
> disabled:
>
> net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_net_exit':
> net/ipv4/netfilter/ipt_CLUSTERIP.c:822:28: error: 'cn' undeclared (first use
> in
thank you,
it was mu fault.
Reviewed-by: Vasily Averin
On 2017-12-07 16:26, Arnd Bergmann wrote:
> The added check produces a build error when CONFIG_PROC_FS is
> disabled:
>
> net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_net_exit':
>
This series further reduces size of the hook arrays by only resevering space
for the hooks that are implemented/supported (e.g., arp only supports 3
different
hook points as it lacks PRE/POST_ROUTING).
Furthermore, add #ifdef guard to not declare arp/bridge/decnet hooks unless
they are needed.
no need to define hook points if the family isn't supported.
Because we need these hooks for either nftables, arp/ebtables
or the 'call-iptables' hack we have in the bridge layer add two
new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the
users select them.
Signed-off-by: Florian
no need to define hook points if the family isn't supported.
Signed-off-by: Florian Westphal
---
changes since v2:
split this from a different patch.
include/linux/netfilter.h | 2 ++
include/net/netns/netfilter.h | 2 ++
net/netfilter/core.c | 4
3 files
The kernel already has defines for this, but they are in uapi exposed
headers.
Including these from netns.h causes build errors and also adds unneeded
dependencies on heads that we don't need.
So move these defines to netfilter_defs.h and place the uapi ones
in ifndef __KERNEL__ to keep them for
This can be same as NF_INET_NUMHOOKS if we don't support DECNET.
Signed-off-by: Florian Westphal
---
new in v3.
include/linux/netfilter_defs.h | 10 +++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/include/linux/netfilter_defs.h
The added check produces a build error when CONFIG_PROC_FS is
disabled:
net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_net_exit':
net/ipv4/netfilter/ipt_CLUSTERIP.c:822:28: error: 'cn' undeclared (first use in
this function)
This moves the variable declaration out of the #ifdef to
Pablo Neira Ayuso wrote:
> On Thu, Dec 07, 2017 at 02:06:18PM +0100, Florian Westphal wrote:
> > Not all families share the same hook count.
> >
> > Can't use the corresponding ARP, BRIDGE, DECNET defines because they are
> > defined in uapi headers and including them causes
On Thu, Dec 07, 2017 at 02:06:18PM +0100, Florian Westphal wrote:
> Not all families share the same hook count.
>
> Can't use the corresponding ARP, BRIDGE, DECNET defines because they are
> defined in uapi headers and including them causes build failures.
>
> struct net before:
> /* size: 6592,
no need to define hook points if the family isn't supported.
Because we need these hooks for either nftables, arp/ebtables
or the 'call-iptables' hack we have in the bridge layer add two
new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the
users select them.
Signed-off-by: Florian
This series further reduces size of the hook arrays by only resevering space
for the hooks that are implemented/supported (e.g., arp only supports 3
different
hook points as it lacks PRE/POST_ROUTING).
Furthermore, add #ifdef guard to not declare arp/bridge/decnet hooks unless
they are needed.
Not all families share the same hook count.
Can't use the corresponding ARP, BRIDGE, DECNET defines because they are
defined in uapi headers and including them causes build failures.
struct net before:
/* size: 6592, cachelines: 103, members: 46 */
after:
/* size: 5952, cachelines: 93, members:
no need to define hook points if the family isn't supported.
Signed-off-by: Florian Westphal
---
include/linux/netfilter.h | 2 ++
include/net/netns/netfilter.h | 2 ++
net/netfilter/core.c | 4
3 files changed, 8 insertions(+)
diff --git
This patch defines the API to interact with flow tables, this allows to
add, delete and lookup for entries in the flow table. This also adds the
generic garbage code that removes entries that have expired, ie. no
traffic has been seen for a while.
Users of the flow table infrastructure can delete
This new bit tells us that the conntrack entry is owned by the flow
table offload infrastructure.
# cat /proc/net/nf_conntrack
ipv4 2 tcp 6 src=10.141.10.2 dst=147.75.205.195 sport=36392 dport=443
src=147.75.205.195 dst=192.168.2.195 sport=443 dport=36392 [OFFLOAD] mark=0
zone=0
This patch adds the infrastructure to offload flows to hardware, in case
the nic/switch comes with built-in flow tables capabilities.
If the hardware comes with no hardware flow tables or they have
limitations in terms of features, this falls back to the software
generic flow table
Add new instruction for the nf_tables VM that allows us to specify what
flows are offloaded into a given flow table via name. This new
instruction creates the flow entry and adds it to the flow table.
Only established flows, ie. we have seen traffic in both directions, are
added to the flow
This patch adds the IPv4 flow table type, that implements the datapath
flow table to forward IPv4 traffic. Rationale is:
1) Look up for the packet in the flow table, from the ingress hook.
2) If there's a hit, decrement ttl and pass it on to the neighbour layer
for transmission.
3) If there's
Hi,
This patchset is a new iteration of the flow offload infrastructure [1].
This round adds a netlink control plane to configure flow table, so
there is no one single flow table, as in the previous patchset, that
gets registered unconditionally.
The following example shows how to create a flow
This patch introduces a netlink control plane to create, delete and dump
flow tables. Flow tables are identified by name, this name is used from
rules to refer to an specific flow table. Flow tables use the rhashtable
class and a generic garbage collector to remove expired entries.
This also adds
Hi Pablo,
On Thu, Dec 07, 2017 at 01:05:45AM +0100, Pablo Neira Ayuso wrote:
> On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote:
[...]
> > After tweaking the parser a bit, I can use it now to parse just a
> > set_list_member_expr and use the struct expr it returns. This made it
> >
27 matches
Mail list logo