[PATCH v2 nft 2/4] src: add offset attribute for hash expression

2016-11-01 Thread Laura Garcia Liebana
Add support to add an offset to the hash generator, eg. ct mark set hash ip saddr mod 10 offset 100 This will generate marks with series between 100-109. Signed-off-by: Laura Garcia Liebana --- Changes in v2: - Adapt the code to the repository changes. -

[PATCH v2 nft 1/4] src: make hash seed attribute optional

2016-11-01 Thread Laura Garcia Liebana
The hash expression requires a seed attribute to call the jhash operation, eg. # nft add rule x y meta mark set jhash ip saddr . ip daddr mod 2 \ seed 0xdeadbeef With this patch the seed attribute is optional and it's generated by a random function from userspace, eg. # nft add rule x

Re: [PATCH 00/22] ipset patches for nf-next, v2

2016-11-01 Thread Pablo Neira Ayuso
On Thu, Oct 27, 2016 at 06:53:51PM +0200, Pablo Neira Ayuso wrote: [...] > Pulled, thanks Jozsef. Sorry Jozsef for not coming to you any sooner. I'm finding several problems in this patchset that force me to toss it again. I'm going to follow up on a deeper review on your submission with

Re: [PATCH 03/22] netfilter: ipset: Improve skbinfo get/init helpers

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:36PM +0200, Jozsef Kadlecsik wrote: > Use struct ip_set_skbinfo in struct ip_set_ext instead of open > coded fields and assign structure members in get/init helpers > instead of copying members one by one. > > Ported from a patch proposed by Sergey Popovich

Re: [PATCH nf] netfilter: conntrack: refine gc worker heuristics

2016-11-01 Thread Eric Dumazet
On Tue, 2016-11-01 at 21:01 +0100, Florian Westphal wrote: > schedule_delayed_work(_work->dwork, next_run); > @@ -993,6 +1029,7 @@ static void gc_worker(struct work_struct *work) > static void conntrack_gc_work_init(struct conntrack_gc_work *gc_work) > { >

[PATCH nf] netfilter: conntrack: refine gc worker heuristics

2016-11-01 Thread Florian Westphal
Nicholas Dichtel says: After commit b87a2f9199ea ("netfilter: conntrack: add gc worker to remove timed-out entries"), netlink conntrack deletion events may be sent with a huge delay. Nicholas further points at this line: goal = min(nf_conntrack_htable_size / GC_MAX_BUCKETS_DIV,

Re: [PATCH 02/22] netfilter: ipset: Headers file cleanup

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:35PM +0200, Jozsef Kadlecsik wrote: > Remove extra whitespace, group counter helper together. Mark some of > the helpers arguments as const. It would be better to split this in two patches, one to remove extra whitespace. And another to group counter helper

Re: [PATCH 07/22] netfilter: ipset: Regroup ip_set_put_extensions and add extern

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:40PM +0200, Jozsef Kadlecsik wrote: > Signed-off-by: Jozsef Kadlecsik A bit pedantic, but please, add a description, a oneline indicating why this belongs there is fine. Thanks.

Rebasing nf-next...

2016-11-01 Thread Pablo Neira Ayuso
Hi, I'm rebasing nf-next because I found problems on the ipset batch. As part of the rebase, I'm going to squash this Arnd's patch: http://patchwork.ozlabs.org/patch/688615/ into original Florian's fib nf_tables expression patch. As well as this one:

Re: [PATCH 16/22] netfilter: ipset: Collapse same condition body to a single one

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:49PM +0200, Jozsef Kadlecsik wrote: > Signed-off-by: Jozsef Kadlecsik Please, document that net_ratelimit() and pr_warn are not useful anymore, so you remove them.

Re: [PATCH 05/22] netfilter: ipset: Split extensions into separate files

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:38PM +0200, Jozsef Kadlecsik wrote: > Ported from a patch proposed by Sergey Popovich . > > Suggested-by: Sergey Popovich > Signed-off-by: Jozsef Kadlecsik > --- >

Re: [PATCH 06/22] netfilter: ipset: Separate memsize calculation code into dedicated function

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:39PM +0200, Jozsef Kadlecsik wrote: > Hash types already have their memsize calculation code in separate > functions. Do the same for *bitmap* and *list* sets. This is just a cleanup, right? More comments below. > Ported from a patch proposed by Sergey Popovich

Re: [PATCH nf-next v2] netfilter: conntrack: simplify init/uninit of L4 protocol trackers

2016-11-01 Thread Pablo Neira Ayuso
Minor nitpicks as I said, see below. On Fri, Oct 28, 2016 at 10:42:09AM +0200, Davide Caratti wrote: > modify registration and deregistration of layer-4 protocol trackers to > facilitate inclusion of new elements into the current list of builtin > protocols. Both builtin (TCP, UDP, ICMP) and

[PATCH 06/12] netfilter: nft_ct: add notrack support

2016-11-01 Thread Pablo Neira Ayuso
This patch adds notrack support. I decided to add a new expression, given that this doesn't fit into the existing set operation. Notrack doesn't need a source register, and a hypothetical NFT_CT_NOTRACK key makes no sense since matching the untracked state is done through NFT_CT_STATE. I'm

[PATCH 00/12] Netfilter updates for net-next

2016-11-01 Thread Pablo Neira Ayuso
Hi David, The following patchset contains Netfilter updates for your net-next tree. This includes better integration with the routing subsystem for nf_tables, explicit notrack support and smaller updates. More specifically, they are: 1) Add fib lookup expression for nf_tables, from Florian

[PATCH 05/12] netfilter: nft_meta: permit pkttype mangling in ip/ip6 prerouting

2016-11-01 Thread Pablo Neira Ayuso
From: Liping Zhang After supporting this, we can combine it with hash expression to emulate the 'cluster match'. Suggested-by: Pablo Neira Ayuso Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso

[PATCH 07/12] netfilter: nf_tables: add fib expression

2016-11-01 Thread Pablo Neira Ayuso
From: Florian Westphal Add FIB expression, supported for ipv4, ipv6 and inet family (the latter just dispatches to ipv4 or ipv6 one based on nfproto). Currently supports fetching output interface index/name and the rtm_type associated with an address. This can be used for

[PATCH 10/12] netfilter: nf_tables: introduce routing expression

2016-11-01 Thread Pablo Neira Ayuso
From: "Anders K. Pedersen" Introduces an nftables rt expression for routing related data with support for nexthop (i.e. the directly connected IP address that an outgoing packet is sent to), which can be used either for matching or accounting, eg. # nft add rule filter

[PATCH 09/12] netfilter: move socket lookup infrastructure to nf_socket_ipv{4,6}.c

2016-11-01 Thread Pablo Neira Ayuso
We need this split to reuse existing codebase for the upcoming nf_tables socket expression. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_socket.h | 27 net/ipv4/netfilter/Kconfig | 6 + net/ipv4/netfilter/Makefile | 2 +

[PATCH 04/12] netfilter: nft_numgen: start round robin from zero

2016-11-01 Thread Pablo Neira Ayuso
From: Liping Zhang Currently we start round robin from 1, but it's better to start round robin from 0. This is to keep consistent with xt_statistic in iptables. Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso

[PATCH 11/12] netfilter: nf_tables: remove useless U8_MAX validation

2016-11-01 Thread Pablo Neira Ayuso
From: Liping Zhang After calling nft_data_init, size is already validated and desc.len will not exceed the sizeof(struct nft_data), i.e. 16 bytes. So it will never exceed U8_MAX. Furthermore, in nft_immediate_init, we forget to call nft_data_uninit when desc.len exceeds

[PATCH 08/12] netfilter: nf_log: add packet logging for netdev family

2016-11-01 Thread Pablo Neira Ayuso
Move layer 2 packet logging into nf_log_l2packet() that resides in nf_log_common.c, so this can be shared by both bridge and netdev families. This patch adds the boiler plate code to register the netdev logging family. Signed-off-by: Pablo Neira Ayuso ---

[PATCH 03/12] netfilter: nf_tables: allow expressions to return STOLEN

2016-11-01 Thread Pablo Neira Ayuso
From: Florian Westphal Currently not supported, we'd oops as skb was (or is) freed elsewhere. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_core.c | 1 + 1 file changed, 1 insertion(+) diff

Re: [PATCH nf] netfilter: conntrack: refine gc worker heuristics

2016-11-01 Thread Florian Westphal
Eric Dumazet wrote: > On Tue, 2016-11-01 at 21:01 +0100, Florian Westphal wrote: > > schedule_delayed_work(_work->dwork, next_run); > > > > @@ -993,6 +1029,7 @@ static void gc_worker(struct work_struct *work) > > static void conntrack_gc_work_init(struct

Re: [PATCH 04/22] netfilter: ipset: Improve comment extension helpers

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:37PM +0200, Jozsef Kadlecsik wrote: > Allocate memory with kmalloc() rather than kzalloc(). > > Ported from a patch proposed by Sergey Popovich . > > Suggested-by: Sergey Popovich > Signed-off-by: Jozsef Kadlecsik

Re: [PATCH 05/22] netfilter: ipset: Split extensions into separate files

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:38PM +0200, Jozsef Kadlecsik wrote: > Ported from a patch proposed by Sergey Popovich . And please, provide a better description for this. Probably a oneline indicating that this is a cleanup should be fine.

Re: [PATCH 11/22] netfilter: ipset: Simplify mtype_expire() for hash types

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:44PM +0200, Jozsef Kadlecsik wrote: > Remove redundant parameters nets_length and dsize: > they can be obtained from other parameters. > > Remove one level of indentation by using continue while > iterating over elements in bucket. Please, split this in two patches,

Re: [PATCH 19/22] netfilter: ipset: use setup_timer() and mod_timer().

2016-11-01 Thread Pablo Neira Ayuso
On Sun, Oct 23, 2016 at 10:37:52PM +0200, Jozsef Kadlecsik wrote: > From: Muhammad Falak R Wani > > Use setup_timer() instead of init_timer(), being the preferred way > of setting up a timer. > > Also, quoting the mod_timer() function comment: > -> mod_timer() is a