Re: [PATCH -v3 7/8] locking: Move smp_cond_load_acquire() and friends into asm-generic/barrier.h

On 06/01/2016 05:31 AM, Peter Zijlstra wrote: On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote: You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we change it to do just one READ_ONCE, like --- a/include/asm-generic/barrier.h +++ b/include/asm-generic/barrier.h @@

Re: [PATCH -v3 7/8] locking: Move smp_cond_load_acquire() and friends into asm-generic/barrier.h

On Wed, Jun 01, 2016 at 03:07:14PM +0100, Will Deacon wrote: > On Wed, Jun 01, 2016 at 02:45:41PM +0200, Peter Zijlstra wrote: > > On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote: > > > On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote: > > > > > > Works for me; but that

Re: [PATCH -v3 3/8] locking: Introduce smp_acquire__after_ctrl_dep

On Wed, Jun 01, 2016 at 09:52:14PM +0800, Boqun Feng wrote: > On Tue, May 31, 2016 at 11:41:37AM +0200, Peter Zijlstra wrote: > > @@ -292,7 +282,7 @@ static void sem_wait_array(struct sem_ar > > sem = sma->sem_base + i; > > spin_unlock_wait(>lock); > > } > > -

[PATCH 2/3] netfilter: Create revision 2 of xt_hashlimit to support higher pps rates

netfilter: Create revision 2 of xt_hashlimit to support higher pps rates Create a new revision for the hashlimit iptables extension module. Rev 2 will support higher pps of upto 1 million, Version 1 supports only 10k. To support this we have to increase the size of the variables avg and burst in

[PATCH 3/3] netfilter: iptables-restore does not work as expected with xt_hashlimit

netfilter: iptables-restore does not work as expected with xt_hashlimit Add the following iptables rule. $ iptables -A INPUT -m hashlimit --hashlimit-above 200/sec \ --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name hashlimit1 \ --hashlimit-htable-expire 3 -j DROP $

[PATCH iptables 2/3] libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates

libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates Create a new revision for the hashlimit iptables extension module. Rev 2 will support higher pps of upto 1 million, Version 1 supports only 10k. To support this we have to increase the size of the variables avg and

[PATCH iptables 3/3] libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit

libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit Add the following iptables rule. $ iptables -A INPUT -m hashlimit --hashlimit-above 200/sec \ --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name hashlimit1 \ --hashlimit-htable-expire 3 -j DROP $

Re: [PATCH 0/7] Netfilter fixes for net

From: Pablo Neira Ayuso Date: Wed, 1 Jun 2016 14:03:17 +0200 > The following patchset contains Netfilter fixes for your net tree, > they are: ... > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Pulled, thanks Pablo. --

[PATCH] extensions: libxt_connmark: Fix order of mask and mark

The order of mask and mark in the output is wrong. This has been pointed out: http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d by Liping Zhang . This patch fixes the same issue with connmark. Signed-off-by: Shivani Bhardwaj

Re: [PATCH v3] extensions: libxt_multiport: Add translation to nft

On Wed, Jun 01, 2016 at 04:43:45PM +0200, Arturo Borrero Gonzalez wrote: > On 31 May 2016 at 20:26, Laura Garcia Liebana wrote: > > +static int __multiport_xlate_v1(const void *ip, > > + const struct xt_entry_match *match, > > +

[PATCH] extensions: libip6t_hbh: Add translation to nft

Add translation for Hop-By-Hop header to nftables. Hbh options are not supported yet in nft. $ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22 nft add rule ip6 filter INPUT hbh hdrlength 22 counter $ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22 nft add rule

[PATCH] doc: fix old parameters and update datatypes

Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation' instead. Update some FIXME datatypes. Signed-off-by: Laura Garcia Liebana --- doc/nft.xml | 16 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index

[PATCH iptables 1/3] libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2

libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2 I am planning to add a revision 2 for the hashlimit xtables module to support higher packets per second rates. This patch renames all the functions and variables related to revision 1 by adding _v1 at the end of the names. Signed-off-by:

[PATCH] netfilter/nflog: nflog-range does not truncate packets

netfilter/nflog: nflog-range does not truncate packets The --nflog-range parameter from userspace is ignored in the kernel and the entire packet is sent to the userspace. The per-instance parameter copy_range still works, with this change --nflog-range will have preference over copy_range.

Re: [PATCH -v3 4/8] locking, arch: Update spin_unlock_wait()

Hi Peter, On Tue, May 31, 2016 at 11:41:38AM +0200, Peter Zijlstra wrote: > This patch updates/fixes all spin_unlock_wait() implementations. > > The update is in semantics; where it previously was only a control > dependency, we now upgrade to a full load-acquire to match the > store-release

Re: [PATCH -v3 7/8] locking: Move smp_cond_load_acquire() and friends into asm-generic/barrier.h

On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote: > On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote: > > You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we > > change it to do just one READ_ONCE, like > > > > --- a/include/asm-generic/barrier.h > >

Re: [PATCH -v3 7/8] locking: Move smp_cond_load_acquire() and friends into asm-generic/barrier.h

On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote: > On Wed, Jun 01, 2016 at 01:00:10PM +0100, Will Deacon wrote: > > On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote: > > > Will, since ARM64 seems to want to use this, does the below make sense > > > to you? > > > > Not

Re: [PATCH nft v2] evaluate: fix "list set" unexpected behaviour

On Wed, Jun 01, 2016 at 12:16:51PM +0200, Pablo M. Bermudo Garay wrote: > Special sets like maps and flow tables have their own commands to be > listed and inspected. > > Before this patch, "nft list set" was able to display these special sets > content: > > # nft list set filter test >

[PATCH 5/7] netfilter: nf_dup_ipv6: set again FLOWI_FLAG_KNOWN_NH at flowi6_flags

From: Paolo Abeni With the commit 48e8aa6e3137 ("ipv6: Set FLOWI_FLAG_KNOWN_NH at flowi6_flags") ip6_pol_route() callers were asked to to set the FLOWI_FLAG_KNOWN_NH properly and xt_TEE was updated accordingly, but with the later refactor in commit bbde9fc1824a ("netfilter:

[PATCH 3/7] netfilter: nf_queue: Make the queue_handler pernet

From: "Eric W. Biederman" Florian Weber reported: > Under full load (unshare() in loop -> OOM conditions) we can > get kernel panic: > > BUG: unable to handle kernel NULL pointer dereference at 0008 > IP: [] nfqnl_nf_hook_drop+0x35/0x70 > [..] > task:

[PATCH 2/7] netfilter: conntrack: remove leftover binary sysctl define

From: Florian Westphal Users got removed in f8572d8f2a2ba ("sysctl net: Remove unused binary sysctl code"). Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_standalone.c | 2 -- 1 file

[PATCH 1/7] netfilter: nfnetlink_queue: fix timestamp attribute

From: Florian Westphal Since 4.4 we erronously use timestamp of the netlink skb (which is zero). Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1066 Fixes: b28b1e826f818c30ea7 ("netfilter: nfnetlink_queue: use y2038 safe timestamp") Signed-off-by: Florian Westphal

[PATCH 6/7] netfilter: nf_tables: validate NFTA_SET_TABLE parameter

From: Phil Turnbull If the NFTA_SET_TABLE parameter is missing and the NLM_F_DUMP flag is not set, then a NULL pointer dereference is triggered in nf_tables_set_lookup because ctx.table is NULL. Signed-off-by: Phil Turnbull Signed-off-by:

Re: [PATCH -v3 4/8] locking, arch: Update spin_unlock_wait()

On Wed, Jun 01, 2016 at 12:24:32PM +0100, Will Deacon wrote: > > --- a/arch/arm/include/asm/spinlock.h > > +++ b/arch/arm/include/asm/spinlock.h > > @@ -50,8 +50,22 @@ static inline void dsb_sev(void) > > * memory. > > */ > > > > -#define arch_spin_unlock_wait(lock) \ > > - do { while

Re: [PATCH -v3 7/8] locking: Move smp_cond_load_acquire() and friends into asm-generic/barrier.h

On Wed, Jun 01, 2016 at 01:00:10PM +0100, Will Deacon wrote: > On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote: > > Will, since ARM64 seems to want to use this, does the below make sense > > to you? > > Not especially -- I was going to override smp_cond_load_acquire anyway >

[PATCH nft] evaluate: fix "list set" unexpected behaviour

Special sets like maps and flow tables have their own commands to be listed and inspected. Before this patch, "nft list set" was able to display these special sets content: # nft list set filter test table ip filter { map test { type ipv4_addr : inet_service

[PATCH nft v2] evaluate: fix "list set" unexpected behaviour

Special sets like maps and flow tables have their own commands to be listed and inspected. Before this patch, "nft list set" was able to display these special sets content: # nft list set filter test table ip filter { map test { type ipv4_addr : inet_service

Re: [PATCH -v3 7/8] locking: Move smp_cond_load_acquire() and friends into asm-generic/barrier.h

On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote: > You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we > change it to do just one READ_ONCE, like > > --- a/include/asm-generic/barrier.h > +++ b/include/asm-generic/barrier.h > @@ -229,12 +229,18 @@ do { > * value;

Re: [PATCH nft] evaluate: fix "list set" unexpected behaviour

2016-06-01 11:20 GMT+02:00 Pablo Neira Ayuso : > I'd suggest: > > set == NULL && set->flags & (SET_F_EVAL | SET_F_MAP) Oh, sure. Thank you for pointing that out. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a

Re: [nf-next PATCH] netfilter: nf_tables: add support for inverted login in nft_lookup

Arturo Borrero Gonzalez wrote: > On 31 May 2016 at 17:50, Arturo Borrero Gonzalez > wrote: > > On 31 May 2016 at 16:44, Florian Westphal wrote: > >> I think its better to use a > >> > >> } else if (priv->invert) { >

Re: [PATCH -v3 7/8] locking: Move smp_cond_load_acquire() and friends into asm-generic/barrier.h

On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote: > On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote: > > Works for me; but that would loose using cmpwait() for > > !smp_cond_load_acquire() spins, you fine with that? > > > > The two conversions in the patch were both

Re: [PATCH -v3 3/8] locking: Introduce smp_acquire__after_ctrl_dep

On Tue, May 31, 2016 at 11:41:37AM +0200, Peter Zijlstra wrote: [snip] > @@ -260,16 +260,6 @@ static void sem_rcu_free(struct rcu_head > } > > /* > - * spin_unlock_wait() and !spin_is_locked() are not memory barriers, they > - * are only control barriers. > - * The code must pair with

Re: [PATCH -v3 7/8] locking: Move smp_cond_load_acquire() and friends into asm-generic/barrier.h

On Wed, Jun 01, 2016 at 02:45:41PM +0200, Peter Zijlstra wrote: > On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote: > > On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote: > > > > Works for me; but that would loose using cmpwait() for > > > !smp_cond_load_acquire() spins,

Re: [PATCH v3] extensions: libxt_multiport: Add translation to nft

On 31 May 2016 at 20:26, Laura Garcia Liebana wrote: > +static int __multiport_xlate_v1(const void *ip, > + const struct xt_entry_match *match, > + struct xt_xlate *xl, int numeric) > +{ > + const struct

Re: [PATCH] extensions: libxt_mark: fix a wrong translation to nft when mask is specified

On Wed, Jun 01, 2016 at 08:07:17PM +0800, Liping Zhang wrote: > From: Liping Zhang > > The mask and mark's order is reversed, so when we specify the mask, we will > get the wrong translation result: > # iptables-translate -A INPUT -m mark --mark 0x1/0xff > nft

Re: [PATCH] extensions: libxt_ipcomp: Add translation to nft

On Wed, Jun 01, 2016 at 12:06:59AM +0200, Laura Garcia Liebana wrote: > Add translation of ipcomp to nftables. > > First value of the parameter 'ipcompspi' will be translated to 'cpi' > parameter in nftables. Parameter 'compres' is not supported in nftables. > > Examples: > > $ sudo