Hi Florian,
This patch has not been applied yet.
This is actually an older version of the patch that's reviewed :P, unfortunately
I refactored it a bit and caused this regression.
Do we still need the section "changes since v2" ? To me, this should be the
first patch that starts supporting v2.
On Mon, Apr 16, 2018 at 4:28 PM, Stephen Rothwell wrote:
> Hi all,
>
> After merging the netfilter tree, today's linux-next build (powerpc
> ppc64_defconfig) failed like this:
>
> net/netfilter/nf_conntrack_extend.c: In function 'nf_ct_ext_add':
>
Hello
Greetings to you please did you get my previous email regarding my
investment proposal last week Friday ?
MS.Zeliha ömer faruk
zeliha.omer.fa...@gmail.com
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-nf_tables-support-timeouts-larger-than-23-days/20180417-032146
base:
We may assume that if a user builds conntrackd with such a feature, it is with
the intention to use it. So, if that's the case, default to using it.
This eases some downstream use cases when dealing with default configs to
be shipped to final users.
This could be a mid-point solution, given some
Similar to previous patch, this time, merge redirect+nat.
The redirect module is just 2k in size, get rid of it and make
redirect parts available from the nat core.
before:
   text    data     bss     dec     hex filename
  16980    1272    4138   22390    5776 net/netfilter/nf_nat.ko
1383
It overcomplicates things for no reason.
nft_meta_bridge only offers retrieval of bridge port interface name.
Because of this being its own module, we had to export all nft_meta
functions, which we can then make static again (which even reduces
the size of nft_meta -- including bridge port
before:
   text    data     bss     dec     hex filename
   5056     844       0    5900    170c net/netfilter/nft_exthdr.ko
 102456    2316     401  105173   19ad5 net/netfilter/nf_tables.ko
after:
 106410    2392     401  109203   1aa93 net/netfilter/nf_tables.ko
Signed-off-by: Florian
This series removes the following module options by merging
them into the nftables core:
CONFIG_NFT_EXTHDR=y
CONFIG_NFT_META=y
CONFIG_NFT_RT=y
CONFIG_NFT_BRIDGE_META=y
Before:
  96407    2064     400   98871   18237 net/netfilter/nf_tables.ko
After:
 106410    2392     401  109203   1aa93
Instead of using extra modules for these, turn the fconfig options into
an implicit dependency that adds masq feature to the protocols nf_nat modules.
before:
   text    data     bss     dec     hex filename
   2155     860       4    3019     bcb net/ipv4/netfilter/nf_nat_masquerade_ipv4.ko
before:
   text    data     bss     dec     hex filename
   2657     844       0    3501     dad net/netfilter/nft_rt.ko
 100826    2240     401  103467   1942b net/netfilter/nf_tables.ko
after:
   2657     844       0    3501     dad net/netfilter/nft_rt.ko
 102456    2316     401  105173   19ad5
size net/netfilter/nft_meta.ko
   text    data     bss     dec     hex filename
   5826     936       1    6763    1a6b net/netfilter/nft_meta.ko
  96407    2064     400   98871   18237 net/netfilter/nf_tables.ko
after:
 100826    2240     401  103467   1942b net/netfilter/nf_tables.ko
Move this to test/
Signed-off-by: Arturo Borrero Gonzalez
---
doc/cli/test.sh | 106 ---
tests/conntrack/cli-test.sh | 106 +++
2 files changed, 106 insertions(+), 106
Modern GCC compilers will warn if an explicit comment isn't present.
Perhaps this should be better done with a proper compiler instruction,
but the code comment is more similar to the rest of the codebase.
Signed-off-by: Arturo Borrero Gonzalez
---
src/cache-ct.c |2
nft rejects rules that lack a timeout and a size limit when they're used
to add elements from packet path.
Pick a sane upperlimit instead of rejecting outright.
The upperlimit is visible to userspace, just as if it would have been
given during set declaration.
Signed-off-by: Florian Westphal
Jan Engelhardt wrote:
>
> On Monday 2018-04-16 18:04, Florian Westphal wrote:
> >+u64 max = (u64)(~((u64)0));
> >+max = div_u64(max, NSEC_PER_MSEC);
> >+if (ms >= max)
>
> Why opencode, is there a problem with UINT64_MAX?
There is no UINT64_MAX in kernel (some
On Monday 2018-04-16 18:04, Florian Westphal wrote:
>+ u64 max = (u64)(~((u64)0));
>+ max = div_u64(max, NSEC_PER_MSEC);
>+ if (ms >= max)
Why opencode, is there a problem with UINT64_MAX?
Just this:
u64 max = div_u64(UINT64_MAX, NSEC_PER_MSEC);
Marco De Benedetto says:
I would like to use a timeout of 30 days for elements in a set but it
seems there is some kind of problem above 24d20h31m23s.
Fix this by using 'jiffies64' for timeout handling to get same behaviour
on 32 and 64bit systems.
nftables passes timeouts as u64 in
On Tue, Apr 10, 2018 at 09:30:27AM +0200, Florian Westphal wrote:
> rules in nftables are free'd using kfree, but protected by rcu, i.e. we
> must wait for a grace period to elapse.
>
> Normal removal patch does this, but nf_tables_newrule() doesn't obey
> this rule during error handling.
>
> It
On Fri, Mar 30, 2018 at 01:22:06PM -0700, Cong Wang wrote:
> The following memory leak is false positive:
>
> unreferenced object 0x8f37f156fb38 (size 128):
> comm "softirq", pid 0, jiffies 4294899665 (age 11.292s)
> hex dump (first 32 bytes):
> 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
On Tue, Apr 10, 2018 at 09:00:24AM +0200, Florian Westphal wrote:
> set->name must be free'd here in case ops->init fails.
Applied, thanks Florian.
Jack Ma wrote:
> This patch adds a new feature to iptables that allows bitshifting for
> --restore,set and save-mark operations. This allows existing logic
> operators (and, or and xor) and mask to co-operate with new bitshift
> operations.
>
> The intention is to
23 matches