[PATCH v2 nf-next 2/7] netfilter: conntrack: get rid of conntrack timer

2016-08-24 Thread Florian Westphal
With stats enabled this eats 80 bytes on x86_64 per nf_conn entry, as Eric Dumazet pointed out during netfilter workshop 2016. Remove the timer and use a 32bit jiffies value containing timestamp until entry is valid. During conntrack lookup, even before doing tuple comparison, check the timeout

[PATCH v2 nf-next 1/7] netfilter: don't rely on DYING bit to detect when destroy event was sent

2016-08-24 Thread Florian Westphal
The reliable event delivery mode currently (ab)uses the DYING bit to detect which entries on the dying list have to be skipped when re-delivering events from the eache worker in reliable event mode. Currently when we delete the conntrack from main table we only set this bit if we could also

[PATCH v2 nf-next 4/7] netfilter: conntrack: add gc worker to remove timed-out entries

2016-08-24 Thread Florian Westphal
Conntrack gc worker to evict stale entries. GC happens once every 5 seconds, but we only scan at most 1/64th of the table (and not more than 8k) buckets to avoid hogging cpu. This means that a complete scan of the table will take several minutes of wall-clock time. Considering that the gc run

[PATCH v2 nf-next 6/7] netfilter: remove __nf_ct_kill_acct helper

2016-08-24 Thread Florian Westphal
After timer removal this just calls nf_ct_delete so remove the __ prefix version and make nf_ct_kill a shorthand for nf_ct_delete. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack.h | 13 +++-- net/netfilter/nf_conntrack_core.c| 12 +---

[PATCH nf-next 1/2] rhashtable: add rhashtable_lookup_get_insert_key()

2016-08-24 Thread Pablo Neira Ayuso
This patch modifies __rhashtable_insert_fast() so it returns the existing element that clashes with the one that you want to insert. This adds a new rhashtable_lookup_get_insert_key() interface to fetch this existing element. nf_tables needs this change to improve handling of EEXIST cases via

[PATCH nf-next 2/2] netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion

2016-08-24 Thread Pablo Neira Ayuso
If the NLM_F_EXCL flag is set, then new elements that clash with an existing one return EEXIST. In case you try to add an element whose data area differs from what we have, then this returns EBUSY. If no flag is specified at all, then this returns success to userspace. This patch also updates the

[PATCH nft 4/4] tests: shell: cover add and create set command

2016-08-24 Thread Pablo Neira Ayuso
This patch validates that creation of an already existing element bails out with EEXIST. Signed-off-by: Pablo Neira Ayuso --- tests/shell/testcases/sets/0007create_element_0 | 15 +++ 1 file changed, 15 insertions(+) create mode 100755

[PATCH nft 1/4] src: add create set command

2016-08-24 Thread Pablo Neira Ayuso
Add support for the 'create' command, we already support this in other existing objects, so support this for sets too, eg. # nft add set x y { type ipv4_addr\; } # nft create set x y { type ipv4_addr\; } :1:1-35: Error: Could not process rule: File exists create set x y { type ipv4_addr; }

Re: [PATCH libnftnl] expr: data_reg: Fix DATA_CHAIN comparison

2016-08-24 Thread Pablo Neira Ayuso
On Wed, Aug 24, 2016 at 02:22:16PM +0200, Carlos Falgueras García wrote: > Splits DATA_VERDICT and DATA_CHAIN comparison. A verdict can have a NULL > chain (accept, drop, etc) so segfault will happen when strcmp is call. Applied, thanks Carlos.

[ANNOUNCE] Netdev 1.2 weekly updates (24th August, 2016)

2016-08-24 Thread Hajime Tazaki
Hello folks, Here is a weekly update of Netdev 1.2 Tokyo. The early bird registration is still available. Please don't miss the discount ticket - and your early registration will be definitely helpful to prepare the conference. http://netdevconf.org/1.2/registration.html The session

Re: [PATCH v2 nf-next 1/7] netfilter: don't rely on DYING bit to detect when destroy event was sent

2016-08-24 Thread Eric Dumazet
On Wed, 2016-08-24 at 13:55 +0200, Florian Westphal wrote: > The reliable event delivery mode currently (ab)uses the DYING bit to > detect which entries on the dying list have to be skipped when > re-delivering events from the eache worker in reliable event mode. > > Currently when we delete the

Re: [PATCH v2 nf-next 2/7] netfilter: conntrack: get rid of conntrack timer

2016-08-24 Thread Eric Dumazet
On Wed, 2016-08-24 at 13:55 +0200, Florian Westphal wrote: > With stats enabled this eats 80 bytes on x86_64 per nf_conn entry, as > Eric Dumazet pointed out during netfilter workshop 2016. Another reason was the fact that Thomas was about to change max timer range :

Re: [PATCH v2 nf-next 4/7] netfilter: conntrack: add gc worker to remove timed-out entries

2016-08-24 Thread Eric Dumazet
On Wed, 2016-08-24 at 13:55 +0200, Florian Westphal wrote: > Conntrack gc worker to evict stale entries. > static struct nf_conn * > __nf_conntrack_alloc(struct net *net, >const struct nf_conntrack_zone *zone, > @@ -1527,6 +1597,7 @@ static int untrack_refs(void) > >

Re: [PATCH nf-next 7/7] netfilter: restart search if moved to other chain

2016-08-24 Thread Eric Dumazet
On Wed, 2016-08-24 at 13:55 +0200, Florian Westphal wrote: > In case nf_conntrack_tuple_taken did not find a conflicting entry > check that all entries in this hash slot were tested and restart > in case an entry was moved to another chain. > > Reported-by: Eric Dumazet >

Re: [PATCH v2 nf-next 4/7] netfilter: conntrack: add gc worker to remove timed-out entries

2016-08-24 Thread Florian Westphal
Eric Dumazet wrote: > On Wed, 2016-08-24 at 13:55 +0200, Florian Westphal wrote: > > Conntrack gc worker to evict stale entries. > > > > static struct nf_conn * > > __nf_conntrack_alloc(struct net *net, > > const struct nf_conntrack_zone *zone, > > @@

Re: [PATCH v2 nf-next 4/7] netfilter: conntrack: add gc worker to remove timed-out entries

2016-08-24 Thread Eric Dumazet
On Wed, 2016-08-24 at 22:11 +0200, Florian Westphal wrote: > Eric Dumazet wrote: > > On Wed, 2016-08-24 at 13:55 +0200, Florian Westphal wrote: > > > Conntrack gc worker to evict stale entries. > > > > > > > static struct nf_conn * > > > __nf_conntrack_alloc(struct net