Re: [PATCH nf] netfilter: nf_tables: skip synchronize_rcu if transaction log is empty

2018-04-26 Thread Pablo Neira Ayuso
On Wed, Apr 25, 2018 at 03:11:07PM +0200, Florian Westphal wrote: > After processing the transaction log, the remaining entries of the log > need to be released. > > However, in some cases no entries remain, e.g. because the transaction > did not remove anything. Also applied, thanks. -- To

Re: [PATCH nf] netfilter: x_tables: check name length in find_match/target, too

2018-04-26 Thread Pablo Neira Ayuso
On Wed, Apr 25, 2018 at 01:38:47PM +0200, Florian Westphal wrote: > ebtables uses find_match() rather than find_request_match in one case > (see bcf4934288402be3464110109a4dae3bd6fb3e93, > "netfilter: ebtables: Fix extension lookup with identical name"), so > extend the check on name length to

Re: [PATCH 1/1] netfilter: Fix handling simultaneous open in TCP conntrack

2018-04-26 Thread Pablo Neira Ayuso
On Sat, Apr 21, 2018 at 01:43:48PM +0200, Jozsef Kadlecsik wrote: > Dominique Martinet reported a TCP hang problem when simultaneous open was > used. > The problem is that the tcp_conntracks state table is not smart enough > to handle the case. The state table could be fixed by introducing a new

Re: [PATCH] netfilter: ctnetlink: export nf_conntrack_max

2018-04-26 Thread Pablo Neira Ayuso
Hi Florent, On Fri, Apr 20, 2018 at 10:48:55AM +0200, Florent Fourcot wrote: > The IPCTNL_MSG_CT_GET_STATS netlink command allows monitoring the current number > of conntrack entries. However, if one wants to compare it with the > maximum (and detect exhaustion), the only solution is currently to read >

Re: [ebtables PATCH v2] Add string filter to ebtables

2018-04-26 Thread Pablo Neira Ayuso
On Wed, Mar 21, 2018 at 03:42:29PM +1300, Bernie Harris wrote: > This patch is part of a proposal to add a string filter to > ebtables, which would be similar to the string filter in > iptables. > > Like iptables, the ebtables filter uses the xt_string module, > however some modifications have

Re: [nf-next PATCH] net: nftables: Make rule position deterministic

2018-04-26 Thread Pablo Neira Ayuso
On Fri, Apr 27, 2018 at 12:25:25AM +0200, Pablo Neira Ayuso wrote: > On Tue, Apr 24, 2018 at 08:49:33PM +0200, Phil Sutter wrote: > > Hi, > > > > On Tue, Apr 24, 2018 at 05:51:39PM +0200, Pablo Neira Ayuso wrote: > > > On Fri, Apr 20, 2018 at 09:21:12AM -0400, Eric Garver wrote: > > > > On Fri,

Re: [nf-next PATCH] net: nftables: Make rule position deterministic

2018-04-26 Thread Pablo Neira Ayuso
On Tue, Apr 24, 2018 at 08:49:33PM +0200, Phil Sutter wrote: > Hi, > > On Tue, Apr 24, 2018 at 05:51:39PM +0200, Pablo Neira Ayuso wrote: > > On Fri, Apr 20, 2018 at 09:21:12AM -0400, Eric Garver wrote: > > > On Fri, Apr 20, 2018 at 12:00:54PM +0200, Jan Engelhardt wrote: > > > > > > > > On

Re: [Patch nf] ipvs: initialize tbl->entries after allocation

2018-04-26 Thread Pablo Neira Ayuso
On Thu, Apr 26, 2018 at 02:14:25PM +0200, Simon Horman wrote: > On Tue, Apr 24, 2018 at 08:16:14AM +0300, Julian Anastasov wrote: > > > > Hello, > > > > On Mon, 23 Apr 2018, Cong Wang wrote: > > > > > tbl->entries is not initialized after kmalloc(), therefore > > > causes an uninit-value

Re: [Patch nf] ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()

2018-04-26 Thread Pablo Neira Ayuso
On Thu, Apr 26, 2018 at 02:14:36PM +0200, Simon Horman wrote: > On Tue, Apr 24, 2018 at 08:17:06AM +0300, Julian Anastasov wrote: > > > > Hello, > > > > On Mon, 23 Apr 2018, Cong Wang wrote: > > > > > Similarly, tbl->entries is not initialized after kmalloc(), > > > therefore causes an

Re: [GIT PULL 0/5] IPVS Updates for v4.18

2018-04-26 Thread Pablo Neira Ayuso
On Thu, Apr 19, 2018 at 10:56:09AM +0200, Simon Horman wrote: > Hi Pablo, > > please consider these IPVS enhancements for v4.18. > > * Whitespace cleanup > > * Add Maglev hashing algorithm as an IPVS scheduler > > Inju Song says "Implements Google's Maglev hashing algorithm as an > IPVS

Re: [PATCH] netfilter: fix nf_tables filter chain type build

2018-04-26 Thread Pablo Neira Ayuso
On Sat, Apr 21, 2018 at 09:10:09PM -0700, Randy Dunlap wrote: > From: Randy Dunlap > > Fix build errors due to a missing Kconfig dependency term. > Fixes these build errors: > > net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_nat_do_chain': >

Re: [PATCH nf-next 4/6] netfilter: nf_tables: merge exthdr expression into nft core

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Apr 16, 2018 at 07:15:56PM +0200, Florian Westphal wrote: > before: > text data bss dec hex filename > 5056 844 0 5900 170c net/netfilter/nft_exthdr.ko > 102456 2316 401 105173 19ad5 net/netfilter/nf_tables.ko > > after: > 1064102392

Re: [PATCH nf-next 3/6] netfilter: nf_tables: merge rt expression into nft core

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Apr 16, 2018 at 07:15:55PM +0200, Florian Westphal wrote: > before: > text data bss dec hex filename > 2657 844 0 3501 dad net/netfilter/nft_rt.ko > 100826 2240 401 103467 1942b net/netfilter/nf_tables.ko > after: > 2657 844 0

Re: [PATCH nf-next] netfilter: nf_tables: support timeouts larger than 23 days

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Apr 16, 2018 at 06:04:49PM +0200, Florian Westphal wrote: > Marco De Benedetto says: > I would like to use a timeout of 30 days for elements in a set but it > seems there is a some kind of problem above 24d20h31m23s. > > Fix this by using 'jiffies64' for timeout handling to get same

Re: [PATCH nf-next] netfilter: nf_tables: always use an upper set size for dynsets

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Apr 16, 2018 at 06:52:58PM +0200, Florian Westphal wrote: > nft rejects rules that lack a timeout and a size limit when they're used > to add elements from packet path. > > Pick a sane upper limit instead of rejecting outright. > The upper limit is visible to userspace, just as if it would

Re: [PATCH nf-next 1/6] netfilter: merge meta_bridge into nft_meta

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Apr 16, 2018 at 07:15:53PM +0200, Florian Westphal wrote: > It overcomplicates things for no reason. > nft_meta_bridge only offers retrieval of bridge port interface name. > > Because of this being its own module, we had to export all nft_meta > functions, which we can then make static

Re: [PATCH nf-next] netfilter: ebtables: add ebt_free_table_info function

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Apr 09, 2018 at 12:00:21AM +0900, Taehee Yoo wrote: > An ebt_free_table_info frees all of the chainstacks. > It is similar to xt_free_table_info. This inline function > reduces code lines. Applied, thanks.

Re: [PATCH nf-next] netfilter: x_tables: remove duplicate ip6t_get_target function call

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Apr 09, 2018 at 12:01:24AM +0900, Taehee Yoo wrote: > In the check_target, ip6t_get_target is called twice. Applied, thanks.

Re: [PATCH nf-next] netfilter: xtables: use ipt_get_target_c instead of ipt_get_target

2018-04-26 Thread Pablo Neira Ayuso
On Fri, Apr 13, 2018 at 11:10:20PM +0900, Taehee Yoo wrote: > ipt_get_target is used to get struct xt_entry_target > and ipt_get_target_c is used to get const struct xt_entry_target. > However, in ipt_do_table, ipt_get_target is used to get > const struct xt_entry_target. It should be replaced

Re: [PATCH nf-next] netfilter: ebtables: add ebt_get_target and ebt_get_target_c

2018-04-26 Thread Pablo Neira Ayuso
On Fri, Apr 13, 2018 at 11:09:58PM +0900, Taehee Yoo wrote: > ebt_get_target is similar to {ip/ip6/arp}t_get_target, > and ebt_get_target_c is similar to {ip/ip6/arp}t_get_target_c. Applied, thanks.

Re: [PATCH nf-next] netfilter: ebtables: remove EBT_MATCH and EBT_NOMATCH

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Apr 09, 2018 at 12:00:57AM +0900, Taehee Yoo wrote: > EBT_MATCH and EBT_NOMATCH are used to change the return value. > Match functions (ebt_xxx.c) return false when the received frame is not matched > and true when the received frame is matched. > But EBT_MATCH_ITERATE understands it the opposite way.

Re: [PATCH v2 1/2] net: nftables: Simplify set backend selection

2018-04-26 Thread Pablo Neira Ayuso
On Tue, Apr 03, 2018 at 11:15:39PM +0200, Phil Sutter wrote: > Drop nft_set_type's ability to act as a container of multiple backend > implementations it chooses from. Instead consolidate the whole selection > logic in nft_select_set_ops() and the actual backend provided estimate() > callback. >

Re: [PATCH v6] netfilter : add NAT support for shifted portmap ranges

2018-04-26 Thread Pablo Neira Ayuso
On Wed, Apr 04, 2018 at 03:38:22PM +0200, Thierry Du Tre wrote: > This is a patch proposal to support shifted ranges in portmaps. > (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN > 192.168.1.5:2000-2100) > > Currently DNAT only works for single port or identical port ranges. >

Re: [PATCH v3 0/17] netfilter: nf_flow_table: refactoring, TCP state tracking, sending flows to slow path

2018-04-26 Thread Pablo Neira Ayuso
On Mon, Feb 26, 2018 at 10:15:07AM +0100, Felix Fietkau wrote: > Fixes issues with connections hanging after >30 seconds idle time. > > Changes since v2: > - Include the previous patch series > - Rebase to current nf.git > - Provide longer description for the teardown state and the changes >

[PATCH nft 2/2] rule: do not hardcode ingress when printing flowtable

2018-04-26 Thread Pablo Neira Ayuso
Call hook number to string function instead. Signed-off-by: Pablo Neira Ayuso --- src/rule.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/rule.c b/src/rule.c index e0e06c523241..589bf21ac4d3 100644 --- a/src/rule.c +++ b/src/rule.c @@ -1637,7

[PATCH nft 1/2] evaluate: missing flowtable evaluation from nested notation

2018-04-26 Thread Pablo Neira Ayuso
Signed-off-by: Pablo Neira Ayuso --- src/evaluate.c | 7 +++ 1 file changed, 7 insertions(+) diff --git a/src/evaluate.c b/src/evaluate.c index 265a73fe9b65..035d07632a9e 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -2956,6 +2956,7 @@ static int

[PATCH nf-next] netfilter: nf_nat: remove unused ct arg from lookup functions

2018-04-26 Thread Florian Westphal
Signed-off-by: Florian Westphal --- include/net/netfilter/nf_nat_l3proto.h | 24 net/ipv4/netfilter/iptable_nat.c | 3 +-- net/ipv4/netfilter/nf_nat_l3proto_ipv4.c | 14 +- net/ipv4/netfilter/nft_chain_nat_ipv4.c | 3 +--

Re: [Patch nf] ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()

2018-04-26 Thread Simon Horman
On Tue, Apr 24, 2018 at 08:17:06AM +0300, Julian Anastasov wrote: > > Hello, > > On Mon, 23 Apr 2018, Cong Wang wrote: > > > Similarly, tbl->entries is not initialized after kmalloc(), > > therefore causes an uninit-value warning in ip_vs_lblc_check_expire(), > > as reported by syzbot. >

Re: [Patch nf] ipvs: initialize tbl->entries after allocation

2018-04-26 Thread Simon Horman
On Tue, Apr 24, 2018 at 08:16:14AM +0300, Julian Anastasov wrote: > > Hello, > > On Mon, 23 Apr 2018, Cong Wang wrote: > > > tbl->entries is not initialized after kmalloc(), therefore > > causes an uninit-value warning in ip_vs_lblc_check_expire() > > as reported by syzbot. > > > >