Re: [PATCH nf-next RFC,v2 1/6] netfilter: nf_conntrack: add IPS_OFFLOAD status bit

2017-12-07 Thread Florian Westphal
Pablo Neira Ayuso wrote: > diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h > b/include/uapi/linux/netfilter/nf_conntrack_common.h > index dc947e59d03a..6b463b88182d 100644 > --- a/include/uapi/linux/netfilter/nf_conntrack_common.h > +++

Re: [PATCH v3 nf-next] netfilter: connlimit: split xt_connlimit into front/backend

2017-12-07 Thread Florian Westphal
Yi-Hung Wei wrote: > On Wed, Dec 6, 2017 at 4:41 AM, Florian Westphal wrote: > > +static int __init nf_conncount_modinit(void) > > +{ > > + int ret, i; > > + > > + BUILD_BUG_ON(CONNCOUNT_LOCK_SLOTS > CONNCOUNT_SLOTS); > > +

Re: [PATCH v3 nf-next] netfilter: connlimit: split xt_connlimit into front/backend

2017-12-07 Thread Yi-Hung Wei
On Wed, Dec 6, 2017 at 4:41 AM, Florian Westphal wrote: > +static int __init nf_conncount_modinit(void) > +{ > + int ret, i; > + > + BUILD_BUG_ON(CONNCOUNT_LOCK_SLOTS > CONNCOUNT_SLOTS); > + BUILD_BUG_ON((CONNCOUNT_SLOTS % CONNCOUNT_LOCK_SLOTS) != 0); > + > +

Re: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state

2017-12-07 Thread Linus Lüssing
On Fri, Dec 08, 2017 at 06:46:06AM +0100, Linus Lüssing wrote: > Extending the usersize to include info->prev would probably be too > hackish/ugly, right? And wouldn't be enough anyway, since info->{credit,credit_cap,cost} would still be zeroed... Hm.

Re: [PATCH net-next] bridge: ebtables: Avoid resetting limit rule state

2017-12-07 Thread Linus Lüssing
On Thu, Dec 07, 2017 at 01:26:19AM +0100, Pablo Neira Ayuso wrote: > > I also had a quick look at a 4.15-rc1 kernel in a VM now. I still > > end up in ebt_limit_mt_check() with the variables being reset > > when editing the table somewhere. > > My question is if your fix would work with 4.15-rc1.

Re: [PATCH] netfilter: fix clusterip_net_exit build regression

2017-12-07 Thread Pablo Neira Ayuso
On Thu, Dec 07, 2017 at 02:26:09PM +0100, Arnd Bergmann wrote: > The added check produces a build error when CONFIG_PROC_FS is > disabled: > > net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_net_exit': > net/ipv4/netfilter/ipt_CLUSTERIP.c:822:28: error: 'cn' undeclared (first use > in

Re: [PATCH] netfilter: fix clusterip_net_exit build regression

2017-12-07 Thread Vasily Averin
Thank you, it was my fault. Reviewed-by: Vasily Averin On 2017-12-07 16:26, Arnd Bergmann wrote: > The added check produces a build error when CONFIG_PROC_FS is > disabled: > > net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_net_exit': >

[PATCH v3 nf-next 0/5] netfilter: reduce hook array sizes

2017-12-07 Thread Florian Westphal
This series further reduces the size of the hook arrays by only reserving space for the hooks that are implemented/supported (e.g., arp only supports 3 different hook points as it lacks PRE/POST_ROUTING). Furthermore, add #ifdef guards to not declare arp/bridge/decnet hooks unless they are needed.

[PATCH v3 nf-next 4/5] netfilter: don't allocate space for arp/bridge hooks unless needed

2017-12-07 Thread Florian Westphal
No need to define hook points if the family isn't supported. Because we need these hooks for either nftables, arp/ebtables or the 'call-iptables' hack we have in the bridge layer, add two new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the users select them. Signed-off-by: Florian

[PATCH v3 nf-next 3/5] netfilter: don't allocate space for decnet hooks unless needed

2017-12-07 Thread Florian Westphal
No need to define hook points if the family isn't supported. Signed-off-by: Florian Westphal --- changes since v2: split this from a different patch. include/linux/netfilter.h | 2 ++ include/net/netns/netfilter.h | 2 ++ net/netfilter/core.c | 4 3 files

[PATCH v3 nf-next 1/5] netfilter: add defines for arp/decnet max hooks

2017-12-07 Thread Florian Westphal
The kernel already has defines for this, but they are in uapi exposed headers. Including these from netns.h causes build errors and also adds unneeded dependencies on headers that we don't need. So move these defines to netfilter_defs.h and place the uapi ones in ifndef __KERNEL__ to keep them for

[PATCH v3 nf-next 5/5] netfilter: reduce NF_MAX_HOOKS define

2017-12-07 Thread Florian Westphal
This can be same as NF_INET_NUMHOOKS if we don't support DECNET. Signed-off-by: Florian Westphal --- new in v3. include/linux/netfilter_defs.h | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/include/linux/netfilter_defs.h

[PATCH] netfilter: fix clusterip_net_exit build regression

2017-12-07 Thread Arnd Bergmann
The added check produces a build error when CONFIG_PROC_FS is disabled: net/ipv4/netfilter/ipt_CLUSTERIP.c: In function 'clusterip_net_exit': net/ipv4/netfilter/ipt_CLUSTERIP.c:822:28: error: 'cn' undeclared (first use in this function) This moves the variable declaration out of the #ifdef to

Re: [PATCH nf-next 1/3] netfilter: reduce hook array sizes to what is needed

2017-12-07 Thread Florian Westphal
Pablo Neira Ayuso wrote: > On Thu, Dec 07, 2017 at 02:06:18PM +0100, Florian Westphal wrote: > > Not all families share the same hook count. > > > > Can't use the corresponding ARP, BRIDGE, DECNET defines because they are > > defined in uapi headers and including them causes

Re: [PATCH nf-next 1/3] netfilter: reduce hook array sizes to what is needed

2017-12-07 Thread Pablo Neira Ayuso
On Thu, Dec 07, 2017 at 02:06:18PM +0100, Florian Westphal wrote: > Not all families share the same hook count. > > Can't use the corresponding ARP, BRIDGE, DECNET defines because they are > defined in uapi headers and including them causes build failures. > > struct net before: > /* size: 6592,

[PATCH nf-next 3/3] netfilter: don't allocate space for arp/bridge hooks unless needed

2017-12-07 Thread Florian Westphal
No need to define hook points if the family isn't supported. Because we need these hooks for either nftables, arp/ebtables or the 'call-iptables' hack we have in the bridge layer, add two new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the users select them. Signed-off-by: Florian

[PATCH nf-next 0/3] netfilter: reduce hook array sizes to what is needed

2017-12-07 Thread Florian Westphal
This series further reduces the size of the hook arrays by only reserving space for the hooks that are implemented/supported (e.g., arp only supports 3 different hook points as it lacks PRE/POST_ROUTING). Furthermore, add #ifdef guards to not declare arp/bridge/decnet hooks unless they are needed.

[PATCH nf-next 1/3] netfilter: reduce hook array sizes to what is needed

2017-12-07 Thread Florian Westphal
Not all families share the same hook count. Can't use the corresponding ARP, BRIDGE, DECNET defines because they are defined in uapi headers and including them causes build failures. struct net before: /* size: 6592, cachelines: 103, members: 46 */ after: /* size: 5952, cachelines: 93, members:

[PATCH nf-next 2/3] netfilter: don't allocate space for decnet hooks unless needed

2017-12-07 Thread Florian Westphal
No need to define hook points if the family isn't supported. Signed-off-by: Florian Westphal --- include/linux/netfilter.h | 2 ++ include/net/netns/netfilter.h | 2 ++ net/netfilter/core.c | 4 3 files changed, 8 insertions(+) diff --git

[PATCH nf-next RFC,v2 3/6] netfilter: add generic flow table infrastructure

2017-12-07 Thread Pablo Neira Ayuso
This patch defines the API to interact with flow tables; this allows adding, deleting and looking up entries in the flow table. This also adds the generic garbage collection code that removes entries that have expired, i.e. no traffic has been seen for a while. Users of the flow table infrastructure can delete

[PATCH nf-next RFC,v2 1/6] netfilter: nf_conntrack: add IPS_OFFLOAD status bit

2017-12-07 Thread Pablo Neira Ayuso
This new bit tells us that the conntrack entry is owned by the flow table offload infrastructure. # cat /proc/net/nf_conntrack ipv4 2 tcp 6 src=10.141.10.2 dst=147.75.205.195 sport=36392 dport=443 src=147.75.205.195 dst=192.168.2.195 sport=443 dport=36392 [OFFLOAD] mark=0 zone=0
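An added example (not part of the patch or of the netfilter project's code) that parses /proc/net/nf_conntrack output and reports which entries carry the [OFFLOAD] flag introduced above, i.e. which flows are now owned by the flow table infrastructure rather than by the regular conntrack/forward path. The first sample line is the one quoted in the commit message; the other two lines are constructed here for illustration, in the conventional /proc format that also prints a timeout and, for TCP, a state word before the tuple. The direction-key list and the treatment of the second src/dst/sport/dport occurrence as the reply tuple are assumptions about the format, not taken from the patch.

```python
"""Parse /proc/net/nf_conntrack lines and list entries flagged [OFFLOAD]."""
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: line 1 is quoted from the patch description,
# lines 2 and 3 are made up here to exercise the timeout/state fields
# and a flag ([UNREPLIED]) that appears between the two tuples.
SAMPLE = """\
ipv4 2 tcp 6 src=10.141.10.2 dst=147.75.205.195 sport=36392 dport=443 src=147.75.205.195 dst=192.168.2.195 sport=443 dport=36392 [OFFLOAD] mark=0 zone=0
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.2.10 dst=10.0.0.5 sport=50000 dport=22 src=10.0.0.5 dst=192.168.2.10 sport=22 dport=50000 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 29 src=192.168.2.10 dst=192.168.2.1 sport=53412 dport=53 [UNREPLIED] src=192.168.2.1 dst=192.168.2.10 sport=53 dport=53412 mark=0 zone=0 use=1
"""

# Keys that are printed once per direction (assumption: original tuple
# first, reply tuple second), as opposed to per-entry attributes.
DIRECTION_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id",
                  "packets", "bytes"}


@dataclass
class ConntrackEntry:
    l3proto: str
    l4proto: str
    orig: Dict[str, str] = field(default_factory=dict)
    reply: Dict[str, str] = field(default_factory=dict)
    flags: Set[str] = field(default_factory=set)
    attrs: Dict[str, str] = field(default_factory=dict)
    timeout: Optional[int] = None
    state: Optional[str] = None

    @property
    def offloaded(self) -> bool:
        """True when the flow table owns this entry (IPS_OFFLOAD set)."""
        return "OFFLOAD" in self.flags


def parse_line(line: str) -> ConntrackEntry:
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError("malformed conntrack line: %r" % line)
    # Fixed prefix: l3 name, l3 number, l4 name, l4 number.
    entry = ConntrackEntry(l3proto=tokens[0], l4proto=tokens[2])
    for tok in tokens[4:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry.flags.add(tok[1:-1])          # [OFFLOAD], [ASSURED], ...
        elif "=" in tok:
            key, value = tok.split("=", 1)
            if key in DIRECTION_KEYS:
                # First occurrence belongs to the original direction,
                # the second to the reply direction.
                target = entry.orig if key not in entry.orig else entry.reply
                target[key] = value
            else:
                entry.attrs[key] = value        # mark=, zone=, use=, ...
        elif entry.timeout is None and tok.isdigit():
            entry.timeout = int(tok)            # seconds until expiry
        else:
            entry.state = tok                   # e.g. ESTABLISHED (TCP only)
    return entry


def parse_conntrack(text: str) -> List[ConntrackEntry]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def offloaded_entries(text: str) -> List[ConntrackEntry]:
    """Entries whose packets are handled by the flow table fast path."""
    return [e for e in parse_conntrack(text) if e.offloaded]


def describe(e: ConntrackEntry) -> str:
    return "%s %s:%s -> %s:%s%s" % (
        e.l4proto, e.orig.get("src"), e.orig.get("sport"),
        e.orig.get("dst"), e.orig.get("dport"),
        " [OFFLOAD]" if e.offloaded else "")


if __name__ == "__main__":
    # Read the live table when given a path (e.g. /proc/net/nf_conntrack),
    # otherwise fall back to the constructed sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for ent in offloaded_entries(data):
        print(describe(ent))
```

Run it as `python3 ct_offload.py /proc/net/nf_conntrack` (with the nf_conntrack module and CAP_NET_ADMIN as usual for that file) to see which flows have left the ordinary conntrack path; without an argument it prints the offloaded entry from the constructed sample. Only the bracketed flags and the key=value pairs are interpreted, so the parser tolerates lines with or without the timeout and state fields.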

[PATCH nf-next RFC,v2 6/6] netfilter: nft_flow_offload: add ndo hooks for hardware offload

2017-12-07 Thread Pablo Neira Ayuso
This patch adds the infrastructure to offload flows to hardware, in case the nic/switch comes with built-in flow tables capabilities. If the hardware comes with no hardware flow tables or they have limitations in terms of features, this falls back to the software generic flow table

[PATCH nf-next RFC,v2 5/6] netfilter: nf_tables: flow offload expression

2017-12-07 Thread Pablo Neira Ayuso
Add a new instruction for the nf_tables VM that allows us to specify what flows are offloaded into a given flow table via name. This new instruction creates the flow entry and adds it to the flow table. Only established flows, i.e. we have seen traffic in both directions, are added to the flow

[PATCH nf-next RFC,v2 4/6] netfilter: flow table support for IPv4

2017-12-07 Thread Pablo Neira Ayuso
This patch adds the IPv4 flow table type, that implements the datapath flow table to forward IPv4 traffic. Rationale is: 1) Look up the packet in the flow table, from the ingress hook. 2) If there's a hit, decrement ttl and pass it on to the neighbour layer for transmission. 3) If there's

[PATCH nf-next RFC,v2 0/6] Flow offload infrastructure

2017-12-07 Thread Pablo Neira Ayuso
Hi, This patchset is a new iteration of the flow offload infrastructure [1]. This round adds a netlink control plane to configure flow table, so there is no one single flow table, as in the previous patchset, that gets registered unconditionally. The following example shows how to create a flow

[PATCH nf-next RFC,v2 2/6] netfilter: nf_tables: add flow table netlink frontend

2017-12-07 Thread Pablo Neira Ayuso
This patch introduces a netlink control plane to create, delete and dump flow tables. Flow tables are identified by name; this name is used from rules to refer to a specific flow table. Flow tables use the rhashtable class and a generic garbage collector to remove expired entries. This also adds

Re: libnftables extended API proposal (Was: Re: [nft PATCH] libnftables: Fix for multiple context instances)

2017-12-07 Thread Phil Sutter
Hi Pablo, On Thu, Dec 07, 2017 at 01:05:45AM +0100, Pablo Neira Ayuso wrote: > On Tue, Dec 05, 2017 at 02:43:17PM +0100, Phil Sutter wrote: [...] > > After tweaking the parser a bit, I can use it now to parse just a > > set_list_member_expr and use the struct expr it returns. This made it > >