On 06/01/2016 05:31 AM, Peter Zijlstra wrote:
On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote:
You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we
change it to do just one READ_ONCE, like
--- a/include/asm-generic/barrier.h
+++ b/include/asm-generic/barrier.h
@@
On Wed, Jun 01, 2016 at 03:07:14PM +0100, Will Deacon wrote:
> On Wed, Jun 01, 2016 at 02:45:41PM +0200, Peter Zijlstra wrote:
> > On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote:
> > > On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote:
> >
> > > > Works for me; but that
On Wed, Jun 01, 2016 at 09:52:14PM +0800, Boqun Feng wrote:
> On Tue, May 31, 2016 at 11:41:37AM +0200, Peter Zijlstra wrote:
> > @@ -292,7 +282,7 @@ static void sem_wait_array(struct sem_ar
> > sem = sma->sem_base + i;
> > spin_unlock_wait(>lock);
> > }
> > -
netfilter: Create revision 2 of xt_hashlimit to support higher pps rates
Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of up to 1 million, Version 1 supports only 10k.
To support this we have to increase the size of the variables avg and
burst in
netfilter: iptables-restore does not work as expected with xt_hashlimit
Add the following iptables rule.
$ iptables -A INPUT -m hashlimit --hashlimit-above 200/sec \
--hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name hashlimit1 \
--hashlimit-htable-expire 3 -j DROP
$
libxt_hashlimit: Create revision 2 of xt_hashlimit to support higher pps rates
Create a new revision for the hashlimit iptables extension module. Rev 2
will support higher pps of up to 1 million, Version 1 supports only 10k.
To support this we have to increase the size of the variables avg and
libxt_hashlimit: iptables-restore does not work as expected with xt_hashlimit
Add the following iptables rule.
$ iptables -A INPUT -m hashlimit --hashlimit-above 200/sec \
--hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name hashlimit1 \
--hashlimit-htable-expire 3 -j DROP
$
From: Pablo Neira Ayuso
Date: Wed, 1 Jun 2016 14:03:17 +0200
> The following patchset contains Netfilter fixes for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
--
The order of mask and mark in the output is wrong. This has been pointed
out:
http://git.netfilter.org/iptables/commit/?id=8548dd253833027c68ac6400c3118ef788fabe5d
by Liping Zhang.
This patch fixes the same issue with connmark.
Signed-off-by: Shivani Bhardwaj
On Wed, Jun 01, 2016 at 04:43:45PM +0200, Arturo Borrero Gonzalez wrote:
> On 31 May 2016 at 20:26, Laura Garcia Liebana wrote:
> > +static int __multiport_xlate_v1(const void *ip,
> > + const struct xt_entry_match *match,
> > +
Add translation for Hop-By-Hop header to nftables. Hbh options are not
supported yet in nft.
$ sudo ip6tables-translate -t filter -A INPUT -m hbh --hbh-len 22
nft add rule ip6 filter INPUT hbh hdrlength 22 counter
$ sudo ip6tables-translate -t filter -A INPUT -m hbh ! --hbh-len 22
nft add rule
Fix old identifiers like 'ipcomp' and 'op' with 'comp' and 'operation'
instead. Update some FIXME datatypes.
Signed-off-by: Laura Garcia Liebana
---
doc/nft.xml | 16
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/doc/nft.xml b/doc/nft.xml
index
libxt_hashlimit: Prepare libxt_hashlimit.c for revision 2
I am planning to add a revision 2 for the hashlimit xtables module to
support higher packets per second rates. This patch renames all the
functions and variables related to revision 1 by adding _v1 at the end of
the names.
Signed-off-by:
netfilter/nflog: nflog-range does not truncate packets
The --nflog-range parameter from userspace is ignored in the kernel and
the entire packet is sent to the userspace. The per-instance parameter
copy_range still works, with this change --nflog-range will have
preference over copy_range.
Hi Peter,
On Tue, May 31, 2016 at 11:41:38AM +0200, Peter Zijlstra wrote:
> This patch updates/fixes all spin_unlock_wait() implementations.
>
> The update is in semantics; where it previously was only a control
> dependency, we now upgrade to a full load-acquire to match the
> store-release
On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote:
> On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote:
> > You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we
> > change it to do just one READ_ONCE, like
> >
> > --- a/include/asm-generic/barrier.h
> >
On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote:
> On Wed, Jun 01, 2016 at 01:00:10PM +0100, Will Deacon wrote:
> > On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote:
> > > Will, since ARM64 seems to want to use this, does the below make sense
> > > to you?
> >
> > Not
On Wed, Jun 01, 2016 at 12:16:51PM +0200, Pablo M. Bermudo Garay wrote:
> Special sets like maps and flow tables have their own commands to be
> listed and inspected.
>
> Before this patch, "nft list set" was able to display these special sets
> content:
>
> # nft list set filter test
>
From: Paolo Abeni
With the commit 48e8aa6e3137 ("ipv6: Set FLOWI_FLAG_KNOWN_NH at
flowi6_flags") ip6_pol_route() callers were asked to to set the
FLOWI_FLAG_KNOWN_NH properly and xt_TEE was updated accordingly,
but with the later refactor in commit bbde9fc1824a ("netfilter:
From: "Eric W. Biederman"
Florian Weber reported:
> Under full load (unshare() in loop -> OOM conditions) we can
> get kernel panic:
>
> BUG: unable to handle kernel NULL pointer dereference at 0008
> IP: [] nfqnl_nf_hook_drop+0x35/0x70
> [..]
> task:
From: Florian Westphal
Users got removed in f8572d8f2a2ba ("sysctl net: Remove unused binary
sysctl code").
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_conntrack_standalone.c | 2 --
1 file
From: Florian Westphal
Since 4.4 we erroneously use timestamp of the netlink skb (which is zero).
Bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1066
Fixes: b28b1e826f818c30ea7 ("netfilter: nfnetlink_queue: use y2038 safe
timestamp")
Signed-off-by: Florian Westphal
From: Phil Turnbull
If the NFTA_SET_TABLE parameter is missing and the NLM_F_DUMP flag is
not set, then a NULL pointer dereference is triggered in
nf_tables_set_lookup because ctx.table is NULL.
Signed-off-by: Phil Turnbull
Signed-off-by:
On Wed, Jun 01, 2016 at 12:24:32PM +0100, Will Deacon wrote:
> > --- a/arch/arm/include/asm/spinlock.h
> > +++ b/arch/arm/include/asm/spinlock.h
> > @@ -50,8 +50,22 @@ static inline void dsb_sev(void)
> > * memory.
> > */
> >
> > -#define arch_spin_unlock_wait(lock) \
> > - do { while
On Wed, Jun 01, 2016 at 01:00:10PM +0100, Will Deacon wrote:
> On Wed, Jun 01, 2016 at 11:31:58AM +0200, Peter Zijlstra wrote:
> > Will, since ARM64 seems to want to use this, does the below make sense
> > to you?
>
> Not especially -- I was going to override smp_cond_load_acquire anyway
>
Special sets like maps and flow tables have their own commands to be
listed and inspected.
Before this patch, "nft list set" was able to display these special sets
content:
# nft list set filter test
table ip filter {
map test {
type ipv4_addr : inet_service
On Tue, May 31, 2016 at 04:01:06PM -0400, Waiman Long wrote:
> You are doing two READ_ONCE's in the smp_cond_load_acquire loop. Can we
> change it to do just one READ_ONCE, like
>
> --- a/include/asm-generic/barrier.h
> +++ b/include/asm-generic/barrier.h
> @@ -229,12 +229,18 @@ do {
> * value;
2016-06-01 11:20 GMT+02:00 Pablo Neira Ayuso:
> I'd suggest:
>
> set == NULL && set->flags & (SET_F_EVAL | SET_F_MAP)
Oh, sure. Thank you for pointing that out.
Arturo Borrero Gonzalez wrote:
> On 31 May 2016 at 17:50, Arturo Borrero Gonzalez
> wrote:
> > On 31 May 2016 at 16:44, Florian Westphal wrote:
> >> I think it's better to use a
> >>
> >> } else if (priv->invert) {
>
On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote:
> On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote:
> > Works for me; but that would lose using cmpwait() for
> > !smp_cond_load_acquire() spins, you fine with that?
> >
> > The two conversions in the patch were both
On Tue, May 31, 2016 at 11:41:37AM +0200, Peter Zijlstra wrote:
[snip]
> @@ -260,16 +260,6 @@ static void sem_rcu_free(struct rcu_head
> }
>
> /*
> - * spin_unlock_wait() and !spin_is_locked() are not memory barriers, they
> - * are only control barriers.
> - * The code must pair with
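Review bot: the removed comment is the only in-file statement of what spin_unlock_wait() and !spin_is_locked() guarantee to this caller (control barrier only, with a pairing requirement); since the series upgrades the semantics to a full load-acquire, a replacement comment stating the new guarantee and what it pairs with should go in at the same place in ipc/sem.c rather than leaving the hunk as a bare deletion, so readers of sem_wait_array() do not have to consult the barrier headers.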
On Wed, Jun 01, 2016 at 02:45:41PM +0200, Peter Zijlstra wrote:
> On Wed, Jun 01, 2016 at 01:13:33PM +0100, Will Deacon wrote:
> > On Wed, Jun 01, 2016 at 02:06:54PM +0200, Peter Zijlstra wrote:
>
> > > Works for me; but that would lose using cmpwait() for
> > > !smp_cond_load_acquire() spins,
On 31 May 2016 at 20:26, Laura Garcia Liebana wrote:
> +static int __multiport_xlate_v1(const void *ip,
> + const struct xt_entry_match *match,
> + struct xt_xlate *xl, int numeric)
> +{
> + const struct
On Wed, Jun 01, 2016 at 08:07:17PM +0800, Liping Zhang wrote:
> From: Liping Zhang
>
> The mask and mark's order is reversed, so when we specify the mask, we will
> get the wrong translation result:
> # iptables-translate -A INPUT -m mark --mark 0x1/0xff
> nft
On Wed, Jun 01, 2016 at 12:06:59AM +0200, Laura Garcia Liebana wrote:
> Add translation of ipcomp to nftables.
>
> First value of the parameter 'ipcompspi' will be translated to 'cpi'
> parameter in nftables. Parameter 'compres' is not supported in nftables.
>
> Examples:
>
> $ sudo