Re: [PATCH v3] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

2018-04-16 Thread Jack Ma
Hi Florian, This patch has not been applied yet. This is actually an older version of the patch that's reviewed :P, unfortunately I refactored it a bit and caused this regression. Do we still need the section "changes since v2"? To me, this should be the first patch that starts supporting v2.

Re: linux-next: build failure after merge of the netfilter tree

2018-04-16 Thread Cong Wang
On Mon, Apr 16, 2018 at 4:28 PM, Stephen Rothwell wrote: > Hi all, > > After merging the netfilter tree, today's linux-next build (powerpc > ppc64_defconfig) failed like this: > > net/netfilter/nf_conntrack_extend.c: In function 'nf_ct_ext_add': >

Proposal

2018-04-16 Thread MS Zeliha Omer Faruk
Hello Greetings to you please did you get my previous email regarding my investment proposal last week Friday? MS.Zeliha ömer faruk zeliha.omer.fa...@gmail.com -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to

Re: [PATCH nf-next] netfilter: nf_tables: support timeouts larger than 23 days

2018-04-16 Thread kbuild test robot
Hi Florian, I love your patch! Perhaps something to improve: [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-nf_tables-support-timeouts-larger-than-23-days/20180417-032146 base:

[conntrack-tools PATCH v2] systemd: default to use libsystemd if build with support for it

2018-04-16 Thread Arturo Borrero Gonzalez
We may assume that if a user does build conntrackd with such a feature, it is with the intention to use it. So, if that's the case, default to use it. This eases some downstream use cases when dealing with default configs to be shipped to final users. This could be a mid-point solution, given some

[PATCH nf-next 6/6] netfilter: nat: merge nf_nat_redirect into nf_nat

2018-04-16 Thread Florian Westphal
Similar to previous patch, this time, merge redirect+nat. The redirect module is just 2k in size, get rid of it and make redirect parts available from the nat core. before: text data bss dec hex filename 16980 1272 4138 22390 5776 net/netfilter/nf_nat.ko 1383

[PATCH nf-next 1/6] netfilter: merge meta_bridge into nft_meta

2018-04-16 Thread Florian Westphal
It overcomplicates things for no reason. nft_meta_bridge only offers retrieval of bridge port interface name. Because of this being its own module, we had to export all nft_meta functions, which we can then make static again (which even reduces the size of nft_meta -- including bridge port

[PATCH nf-next 4/6] netfilter: nf_tables: merge exthdr expression into nft core

2018-04-16 Thread Florian Westphal
before: text data bss dec hex filename 5056 844 0 5900 170c net/netfilter/nft_exthdr.ko 102456 2316 401 105173 19ad5 net/netfilter/nf_tables.ko after: 106410 2392 401 109203 1aa93 net/netfilter/nf_tables.ko Signed-off-by: Florian

[PATCH nf-next 0/6] netfilter: remove kconfig options

2018-04-16 Thread Florian Westphal
This series removes the following module options by merging them into the nftables core: CONFIG_NFT_EXTHDR=y CONFIG_NFT_META=y CONFIG_NFT_RT=y CONFIG_NFT_BRIDGE_META=y Before: 96407 2064 400 98871 18237 net/netfilter/nf_tables.ko After: 106410 2392 401 109203 1aa93

[PATCH nf-next 5/6] netfilter: nat: merge ipv4/ipv6 masquerade code into main nat module

2018-04-16 Thread Florian Westphal
Instead of using extra modules for these, turn the kconfig options into an implicit dependency that adds masq feature to the protocols nf_nat modules. before: text data bss dec hex filename 2155 860 4 3019 bcb net/ipv4/netfilter/nf_nat_masquerade_ipv4.ko

[PATCH nf-next 3/6] netfilter: nf_tables: merge rt expression into nft core

2018-04-16 Thread Florian Westphal
before: text data bss dec hex filename 2657 844 0 3501 dad net/netfilter/nft_rt.ko 100826 2240 401 103467 1942b net/netfilter/nf_tables.ko after: 2657 844 0 3501 dad net/netfilter/nft_rt.ko 102456 2316 401 105173 19ad5

[PATCH nf-next 2/6] netfilter: nftables: make meta expression builtin

2018-04-16 Thread Florian Westphal
size net/netfilter/nft_meta.ko text data bss dec hex filename 5826 936 1 6763 1a6b net/netfilter/nft_meta.ko 96407 2064 400 98871 18237 net/netfilter/nf_tables.ko after: 100826 2240 401 103467 1942b net/netfilter/nf_tables.ko

[conntrack-tools PATCH] tests: reallocate cli testing script

2018-04-16 Thread Arturo Borrero Gonzalez
Move this to test/ Signed-off-by: Arturo Borrero Gonzalez --- doc/cli/test.sh | 106 --- tests/conntrack/cli-test.sh | 106 +++ 2 files changed, 106 insertions(+), 106

[conntrack-tools PATCH] systemd: default to use libsystemd if build with support for it

2018-04-16 Thread Arturo Borrero Gonzalez
We may assume that if a user does build conntrackd with such a feature, it is with the intention to use it. So, if that's the case, default to use it. This eases some downstream use cases when dealing with default configs to be shipped to final users. This could be a mid-point solution, given some

[conntrack-tools PATCH] conntrackd: add missing fall-through annotation in switch statements

2018-04-16 Thread Arturo Borrero Gonzalez
Modern GCC compilers will warn if an explicit comment isn't present. Perhaps this should be better done with a proper compiler instruction, but the code comment is more similar to the rest of the codebase. Signed-off-by: Arturo Borrero Gonzalez --- src/cache-ct.c |2

[PATCH nf-next] netfilter: nf_tables: always use an upper set size for dynsets

2018-04-16 Thread Florian Westphal
nft rejects rules that lack a timeout and a size limit when they're used to add elements from packet path. Pick a sane upper limit instead of rejecting outright. The upper limit is visible to userspace, just as if it would have been given during set declaration. Signed-off-by: Florian Westphal

Re: [PATCH nf-next] netfilter: nf_tables: support timeouts larger than 23 days

2018-04-16 Thread Florian Westphal
Jan Engelhardt wrote: > > On Monday 2018-04-16 18:04, Florian Westphal wrote: > >+u64 max = (u64)(~((u64)0)); > >+max = div_u64(max, NSEC_PER_MSEC); > >+if (ms >= max) > > Why opencode, is there a problem with UINT64_MAX? There is no UINT64_MAX in kernel (some

Re: [PATCH nf-next] netfilter: nf_tables: support timeouts larger than 23 days

2018-04-16 Thread Jan Engelhardt
On Monday 2018-04-16 18:04, Florian Westphal wrote: >+ u64 max = (u64)(~((u64)0)); >+ max = div_u64(max, NSEC_PER_MSEC); >+ if (ms >= max) Why opencode, is there a problem with UINT64_MAX? Just this: u64 max = div_u64(UINT64_MAX, NSEC_PER_MSEC);

[PATCH nf-next] netfilter: nf_tables: support timeouts larger than 23 days

2018-04-16 Thread Florian Westphal
Marco De Benedetto says: I would like to use a timeout of 30 days for elements in a set but it seems there is some kind of problem above 24d20h31m23s. Fix this by using 'jiffies64' for timeout handling to get the same behaviour on 32- and 64-bit systems. nftables passes timeouts as u64 in

Re: [PATCH nf] netfilter: nf_tables: can't fail after linking rule into active rule list

2018-04-16 Thread Pablo Neira Ayuso
On Tue, Apr 10, 2018 at 09:30:27AM +0200, Florian Westphal wrote: > rules in nftables are free'd using kfree, but protected by rcu, i.e. we > must wait for a grace period to elapse. > > Normal removal path does this, but nf_tables_newrule() doesn't obey > this rule during error handling. > > It

Re: [Patch nf] nf_conntrack_extend: silent a memory leak warning

2018-04-16 Thread Pablo Neira Ayuso
On Fri, Mar 30, 2018 at 01:22:06PM -0700, Cong Wang wrote: > The following memory leak is a false positive: > > unreferenced object 0x8f37f156fb38 (size 128): > comm "softirq", pid 0, jiffies 4294899665 (age 11.292s) > hex dump (first 32 bytes): > 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b

Re: [PATCH nf] netfilter: nf_tables: free set name in error path

2018-04-16 Thread Pablo Neira Ayuso
On Tue, Apr 10, 2018 at 09:00:24AM +0200, Florian Westphal wrote: > set->name must be free'd here in case ops->init fails. Applied, thanks Florian.

Re: [PATCH v3] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

2018-04-16 Thread Florian Westphal
Jack Ma wrote: > This patch adds a new feature to iptables that allows bitshifting for > --restore,set and save-mark operations. This allows existing logic > operators (and, or and xor) and mask to co-operate with new bitshift > operations. > > The intention is to