Re: [PATCH 1/2] netfilter/xt_hashlimit: new feature/algorithm for xt_hashlimit

On 09/04/2017 06:14 AM, Pablo Neira Ayuso wrote: > Sounds good, applied, thanks. > > A couple of questions: Does it really make sense to expose > --hashlimit-rate-interval or are you using 1 second always there? I > always wonder if it makes sense to expose yet another toggle that it's > not

[PATCH] netfilter: xt_hashlimit: fix 64 bit division compile error

commit bea74641e378 ("netfilter: xt_hashlimit: add rate match mode") introduced a line where we divide two 64bit unsigned integers. This breaks on ARM processors with the error: ERROR: "__aeabi_uldivmod" [net/netfilter/xt_hashlimit.ko] undefined! We can fix it by using div64_u64 instead. Fixes:

[PATCH nft V3] tests: shell: Add tests for json import

Test upcoming "import json" statement. Basically it loads same set of rules by "nft -f" and "nft import json" and prints differences(if any) in the ruleset listed by "nft list ruleset" in each case. For Example: $ ./run-tests.sh testcases/import/json_import_0 Signed-off-by:

Re: [PATCH nf-next 3/3] netfilter: nft_limit: add stateful object type

On Wed, Aug 23, 2017 at 10:41:25PM +0200, Pablo M. Bermudo Garay wrote: > Register a new limit stateful object type into the stateful object > infrastructure. Applied, thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to

Re: [PATCH nf-next 2/3] netfilter: nft_limit: replace pkt_bytes with bytes

On Wed, Aug 23, 2017 at 10:41:24PM +0200, Pablo M. Bermudo Garay wrote: > Just a small refactor patch in order to improve the code readability. Applied with changes, see below. > Signed-off-by: Pablo M. Bermudo Garay > --- > include/uapi/linux/netfilter/nf_tables.h | 2 +-

Re: [PATCH 1/2] netfilter/xt_hashlimit: new feature/algorithm for xt_hashlimit

On Mon, Sep 04, 2017 at 12:14:33PM +0200, Pablo Neira Ayuso wrote: > On Fri, Aug 18, 2017 at 04:58:59PM -0400, Vishwanath Pai wrote: > [...] > > The main difference between the existing algorithm and the new one is > > that the existing algorithm rate-limits the flow whereas the new > > algorithm

Re: [PATCH 1/2] netfilter/xt_hashlimit: new feature/algorithm for xt_hashlimit

On Fri, Aug 18, 2017 at 04:58:59PM -0400, Vishwanath Pai wrote: [...] > The main difference between the existing algorithm and the new one is > that the existing algorithm rate-limits the flow whereas the new > algorithm does not. Instead it *classifies* the flow based on whether > it is above or

Re: [PATCH nf-next 1/3] netfilter: nf_tables: add select_ops for stateful objects

On Wed, Aug 23, 2017 at 10:41:23PM +0200, Pablo M. Bermudo Garay wrote: > This patch adds support for overloading stateful objects operations > through the select_ops() callback, just as it is implemented for > expressions. > > This change is needed for upcoming additions to the stateful objects

Re: [nft PATCH V2] tests: shell: Add tests for json import

On 3 September 2017 at 01:32, Shyam Saini wrote: > These test cases can be used to test upcoming "import json" command. > > Here is the short description of the files: > all_ruleset_list ->contains list of all the individual rules > json_import_0 ->script

[nft PATCH v2 1/2] src: add flags fo nft_ctx_new

By adding flags to nft_ctx_new, we will have a minimum capabilities of changing the way the nft_ctx is created. For now, this patch uses a simple value that allow the user to specify that he will handle netlink by himself. Signed-off-by: Eric Leblond --- include/nftables.h | 3

[nft PATCH v2] libnftables preparation work

Hi, This patchset update previous one following Pablo's suggestion: * remove unused custom netlink flag * rename ouput function to nft_print * change default output buffer size to 4k instead of 128 that was used for debug (and causing a lot of realloc) BR, -- Eric -- To unsubscribe from this

Re: [nft PATCH 2/2] src: get rid of printf

Hi, On Mon, 2017-09-04 at 00:34 +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 04, 2017 at 12:03:56AM +0200, Eric Leblond wrote: > > This patch introduces the nft_print_to_output_ctx function that has > > to be used instead of printf to output information that where > > previously send to stdout.

[nft PATCH v2 2/2] src: get rid of printf

This patch introduces the nft_print function that has to be used instead of printf to output information that were previously send to stdout. This function accumulate the output in a buffer that can be fetched by the user with the nft_ctx_get_output() function. This modification will allow the

Re: [nft PATCH 1/2] src: add flags fo nft_ctx_new

Hi, On Mon, 2017-09-04 at 00:45 +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 04, 2017 at 12:33:09AM +0200, Pablo Neira Ayuso wrote: > > On Mon, Sep 04, 2017 at 12:03:55AM +0200, Eric Leblond wrote: > > > By adding flags to nft_ctx_new, we will have a minimum > > > capabilities > > > of changing

Re: [nft PATCH V2] tests: shell: Add tests for json import

>> These test cases can be used to test upcoming "import json" command. >> >> Here is the short description of the files: >> all_ruleset_list ->contains list of all the individual rules >> json_import_0 ->script that runs json run-tests.sh >> >> For Example: >> $

[PATCH 06/12] net: Replace NF_CT_ASSERT() with WARN_ON().

From: Varsha Rao This patch removes NF_CT_ASSERT() and instead uses WARN_ON(). Signed-off-by: Varsha Rao --- include/net/netfilter/nf_conntrack.h | 2 +- net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 +-

[PATCH 07/12] net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros.

From: Varsha Rao This patch removes CONFIG_NETFILTER_DEBUG and _ASSERT() macros as they are no longer required. Replace _ASSERT() macros with WARN_ON(). Signed-off-by: Varsha Rao Signed-off-by: Pablo Neira Ayuso ---

[PATCH 04/12] netfilter: nft_limit: add stateful object type

From: "Pablo M. Bermudo Garay" Register a new limit stateful object type into the stateful object infrastructure. Signed-off-by: Pablo M. Bermudo Garay Signed-off-by: Pablo Neira Ayuso --- include/uapi/linux/netfilter/nf_tables.h |

[PATCH 09/12] netfilter: nf_tables: add nf_tables_addchain()

Wrap the chain addition path in a function to make it more maintainable. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 199 ++ 1 file changed, 106 insertions(+), 93 deletions(-) diff --git

Re: [PATCH nft] tests: py: add tests for limit stateful object

On Mon, Aug 28, 2017 at 08:20:49PM +0200, Pablo M. Bermudo Garay wrote: > The patch also reorganizes ip/objects.t file. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at

Re: [PATCH] examples: Fix memory leaks detected by Valgrind

On Tue, Aug 29, 2017 at 06:19:36PM +0530, Shyam Saini wrote: > ==11688== HEAP SUMMARY: > ==11688== in use at exit: 40 bytes in 1 blocks > ==11688== total heap usage: 7 allocs, 6 frees, 220 bytes allocated > ==11688== > ==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1

[PATCH 03/12] netfilter: nft_limit: replace pkt_bytes with bytes

From: "Pablo M. Bermudo Garay" Just a small refactor patch in order to improve the code readability. Signed-off-by: Pablo M. Bermudo Garay Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nft_limit.c | 26

[PATCH 01/12] netfilter: xt_hashlimit: add rate match mode

From: Vishwanath Pai This patch adds a new feature to hashlimit that allows matching on the current packet/byte rate without rate limiting. This can be enabled with a new flag --hashlimit-rate-match. The match returns true if the current rate of packets is above/below the user

[PATCH 02/12] netfilter: nf_tables: add select_ops for stateful objects

From: "Pablo M. Bermudo Garay" This patch adds support for overloading stateful objects operations through the select_ops() callback, just as it is implemented for expressions. This change is needed for upcoming additions to the stateful objects infrastructure.

[PATCH 05/12] netfilter: remove unused hooknum arg from packet functions

From: Florian Westphal tested with allmodconfig build. Signed-off-by: Florian Westphal --- include/net/netfilter/nf_conntrack_l4proto.h | 1 - net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 1 - net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 6 ++

[PATCH 12/12] netfilter: nf_tables: support for recursive chain deletion

This patch sorts out an asymmetry in deletions. Currently, table and set deletion commands come with an implicit content flush on deletion. However, chain deletion results in -EBUSY if there is content in this chain, so no implicit flush happens. So you have to send a flush command in first place

[PATCH 00/12] Netfilter updates for next-net (part 2)

Hi David, The following patchset contains Netfilter updates for net-next. This patchset includes updates for nf_tables, removal of CONFIG_NETFILTER_DEBUG and a new mode for xt_hashlimit. More specifically, they: 1) Add new rate match mode for hashlimit, this introduces a new revision for this

[PATCH 11/12] netfilter: nf_tables: use NLM_F_NONREC for deletion requests

Bail out if user requests non-recursive deletion for tables and sets. This new flags tells nf_tables netlink interface to reject deletions if tables and sets have content. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 8 +++- 1 file changed, 7

[PATCH 10/12] netlink: add NLM_F_NONREC flag for deletion requests

In the last NFWS in Faro, Portugal, we discussed that netlink is lacking the semantics to request non recursive deletions, ie. do not delete an object iff it has child objects that hang from this parent object that the user requests to be deleted. We need this new flag to solve a problem for the

[PATCH 08/12] netfilter: nf_tables: add nf_tables_updchain()

nf_tables_newchain() is too large, wrap the chain update path in a function to make it more maintainable. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 170 +++--- 1 file changed, 92 insertions(+), 78 deletions(-)

Re: [PATCH libnftnl] src: limit stateful object support

On Wed, Aug 23, 2017 at 10:42:24PM +0200, Pablo M. Bermudo Garay wrote: > This patch adds support for a new type of stateful object: limit. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More

Re: [nft PATCH v2 2/2] src: get rid of printf

On Mon, Sep 04, 2017 at 09:55:58AM +0200, Eric Leblond wrote: > This patch introduces the nft_print function that has to be used > instead of printf to output information that were previously send > to stdout. This function accumulate the output in a buffer that can > be fetched by the user with

Re: [nft PATCH v2 1/2] src: add flags fo nft_ctx_new

On Mon, Sep 04, 2017 at 09:55:57AM +0200, Eric Leblond wrote: > By adding flags to nft_ctx_new, we will have a minimum capabilities > of changing the way the nft_ctx is created. > > For now, this patch uses a simple value that allow the user to specify > that he will handle netlink by himself.

Re: [nft PATCH v2 2/2] src: get rid of printf

On Mon, Sep 04, 2017 at 10:43:48PM +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 04, 2017 at 09:55:58AM +0200, Eric Leblond wrote: > > This patch introduces the nft_print function that has to be used > > instead of printf to output information that were previously send > > to stdout. This function

Re: [nft PATCH v2 2/2] src: get rid of printf

Hi, On Mon, 2017-09-04 at 22:53 +0200, Pablo Neira Ayuso wrote: > On Mon, Sep 04, 2017 at 10:43:48PM +0200, Pablo Neira Ayuso wrote: > > On Mon, Sep 04, 2017 at 09:55:58AM +0200, Eric Leblond wrote: > > > This patch introduces the nft_print function that has to be used > > > instead of printf to

Re: [PATCH 00/12] Netfilter updates for next-net (part 2)

From: Pablo Neira Ayuso Date: Mon, 4 Sep 2017 22:11:02 +0200 > The following patchset contains Netfilter updates for net-next. This > patchset includes updates for nf_tables, removal of > CONFIG_NETFILTER_DEBUG and a new mode for xt_hashlimit. More > specifically, they:

net-next is CLOSED

If it isn't a bug fix and it isn't in patchwork right now, I don't want to see it. This time around inappropriate submissions will be silently marked as "deferred" in patchwork and not even looked at by me. Thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in

[nf-next:master 1/12] ERROR: "__aeabi_uldivmod" [net/netfilter/xt_hashlimit.ko] undefined!

tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: 9dee1474121550b20542321f9e0579801c6b587c commit: bea74641e3786d51dcf1175527cc1781420961c9 [1/12] netfilter: xt_hashlimit: add rate match mode config: arm-ezx_defconfig (attached as .config) compiler: