On 09/04/2017 06:14 AM, Pablo Neira Ayuso wrote:
> Sounds good, applied, thanks.
>
> A couple of questions: Does it really make sense to expose
> --hashlimit-rate-interval or are you using 1 second always there? I
> always wonder if it makes sense to expose yet another toggle that it's
> not
commit bea74641e378 ("netfilter: xt_hashlimit: add rate match mode")
introduced a line where we divide two 64bit unsigned integers. This
breaks on ARM processors with the error:
ERROR: "__aeabi_uldivmod" [net/netfilter/xt_hashlimit.ko] undefined!
We can fix it by using div64_u64 instead.
Fixes:
Test upcoming "import json" statement.
Basically it loads the same set of rules by "nft -f" and "nft import json" and
prints differences (if any) in the ruleset listed by "nft list ruleset" in
each case.
For example:
$ ./run-tests.sh testcases/import/json_import_0
Signed-off-by:
On Wed, Aug 23, 2017 at 10:41:25PM +0200, Pablo M. Bermudo Garay wrote:
> Register a new limit stateful object type into the stateful object
> infrastructure.
Applied, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to
On Wed, Aug 23, 2017 at 10:41:24PM +0200, Pablo M. Bermudo Garay wrote:
> Just a small refactor patch in order to improve the code readability.
Applied with changes, see below.
> Signed-off-by: Pablo M. Bermudo Garay
> ---
> include/uapi/linux/netfilter/nf_tables.h | 2 +-
On Mon, Sep 04, 2017 at 12:14:33PM +0200, Pablo Neira Ayuso wrote:
> On Fri, Aug 18, 2017 at 04:58:59PM -0400, Vishwanath Pai wrote:
> [...]
> > The main difference between the existing algorithm and the new one is
> > that the existing algorithm rate-limits the flow whereas the new
> > algorithm
On Fri, Aug 18, 2017 at 04:58:59PM -0400, Vishwanath Pai wrote:
[...]
> The main difference between the existing algorithm and the new one is
> that the existing algorithm rate-limits the flow whereas the new
> algorithm does not. Instead it *classifies* the flow based on whether
> it is above or
On Wed, Aug 23, 2017 at 10:41:23PM +0200, Pablo M. Bermudo Garay wrote:
> This patch adds support for overloading stateful objects operations
> through the select_ops() callback, just as it is implemented for
> expressions.
>
> This change is needed for upcoming additions to the stateful objects
On 3 September 2017 at 01:32, Shyam Saini wrote:
> These test cases can be used to test upcoming "import json" command.
>
> Here is the short description of the files:
> all_ruleset_list -> contains list of all the individual rules
> json_import_0 -> script
By adding flags to nft_ctx_new, we will have a minimum capability
of changing the way the nft_ctx is created.
For now, this patch uses a simple value that allows the user to specify
that he will handle netlink by himself.
Signed-off-by: Eric Leblond
---
include/nftables.h | 3
Hi,
This patchset updates the previous one following Pablo's suggestion:
* remove unused custom netlink flag
* rename output function to nft_print
* change default output buffer size to 4k instead of 128 that was used
for debug (and causing a lot of realloc)
BR,
--
Eric
Hi,
On Mon, 2017-09-04 at 00:34 +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 04, 2017 at 12:03:56AM +0200, Eric Leblond wrote:
> > This patch introduces the nft_print_to_output_ctx function that has
> > to be used instead of printf to output information that where
> > previously send to stdout.
This patch introduces the nft_print function that has to be used
instead of printf to output information that was previously sent
to stdout. This function accumulates the output in a buffer that can
be fetched by the user with the nft_ctx_get_output() function.
This modification will allow the
Hi,
On Mon, 2017-09-04 at 00:45 +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 04, 2017 at 12:33:09AM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Sep 04, 2017 at 12:03:55AM +0200, Eric Leblond wrote:
> > > By adding flags to nft_ctx_new, we will have a minimum
> > > capabilities
> > > of changing
>> These test cases can be used to test upcoming "import json" command.
>>
>> Here is the short description of the files:
>> all_ruleset_list -> contains list of all the individual rules
>> json_import_0 -> script that runs json run-tests.sh
>>
>> For example:
>> $
From: Varsha Rao
This patch removes NF_CT_ASSERT() and instead uses WARN_ON().
Signed-off-by: Varsha Rao
---
include/net/netfilter/nf_conntrack.h | 2 +-
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 2 +-
From: Varsha Rao
This patch removes CONFIG_NETFILTER_DEBUG and _ASSERT() macros as they
are no longer required. Replace _ASSERT() macros with WARN_ON().
Signed-off-by: Varsha Rao
Signed-off-by: Pablo Neira Ayuso
---
From: "Pablo M. Bermudo Garay"
Register a new limit stateful object type into the stateful object
infrastructure.
Signed-off-by: Pablo M. Bermudo Garay
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h |
Wrap the chain addition path in a function to make it more maintainable.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 199 ++
1 file changed, 106 insertions(+), 93 deletions(-)
diff --git
On Mon, Aug 28, 2017 at 08:20:49PM +0200, Pablo M. Bermudo Garay wrote:
> The patch also reorganizes ip/objects.t file.
Applied, thanks.
On Tue, Aug 29, 2017 at 06:19:36PM +0530, Shyam Saini wrote:
> ==11688== HEAP SUMMARY:
> ==11688== in use at exit: 40 bytes in 1 blocks
> ==11688== total heap usage: 7 allocs, 6 frees, 220 bytes allocated
> ==11688==
> ==11688== 40 bytes in 1 blocks are definitely lost in loss record 1 of 1
From: "Pablo M. Bermudo Garay"
Just a small refactor patch in order to improve the code readability.
Signed-off-by: Pablo M. Bermudo Garay
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nft_limit.c | 26
From: Vishwanath Pai
This patch adds a new feature to hashlimit that allows matching on the
current packet/byte rate without rate limiting. This can be enabled
with a new flag --hashlimit-rate-match. The match returns true if the
current rate of packets is above/below the user
From: "Pablo M. Bermudo Garay"
This patch adds support for overloading stateful objects operations
through the select_ops() callback, just as it is implemented for
expressions.
This change is needed for upcoming additions to the stateful objects
infrastructure.
From: Florian Westphal
tested with allmodconfig build.
Signed-off-by: Florian Westphal
---
include/net/netfilter/nf_conntrack_l4proto.h | 1 -
net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 1 -
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 6 ++
This patch sorts out an asymmetry in deletions. Currently, table and set
deletion commands come with an implicit content flush on deletion.
However, chain deletion results in -EBUSY if there is content in this
chain, so no implicit flush happens. So you have to send a flush command
in first place
Hi David,
The following patchset contains Netfilter updates for net-next. This
patchset includes updates for nf_tables, removal of
CONFIG_NETFILTER_DEBUG and a new mode for xt_hashlimit. More
specifically, they:
1) Add new rate match mode for hashlimit, this introduces a new revision
for this
Bail out if user requests non-recursive deletion for tables and sets.
This new flag tells the nf_tables netlink interface to reject deletions if
tables and sets have content.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 8 +++-
1 file changed, 7
In the last NFWS in Faro, Portugal, we discussed that netlink is lacking
the semantics to request non-recursive deletions, i.e. do not delete an
object iff it has child objects that hang from this parent object that
the user requests to be deleted.
We need this new flag to solve a problem for the
nf_tables_newchain() is too large, wrap the chain update path in a
function to make it more maintainable.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 170 +++---
1 file changed, 92 insertions(+), 78 deletions(-)
On Wed, Aug 23, 2017 at 10:42:24PM +0200, Pablo M. Bermudo Garay wrote:
> This patch adds support for a new type of stateful object: limit.
Applied, thanks.
On Mon, Sep 04, 2017 at 09:55:58AM +0200, Eric Leblond wrote:
> This patch introduces the nft_print function that has to be used
> instead of printf to output information that was previously sent
> to stdout. This function accumulates the output in a buffer that can
> be fetched by the user with
On Mon, Sep 04, 2017 at 09:55:57AM +0200, Eric Leblond wrote:
> By adding flags to nft_ctx_new, we will have a minimum capability
> of changing the way the nft_ctx is created.
>
> For now, this patch uses a simple value that allows the user to specify
> that he will handle netlink by himself.
On Mon, Sep 04, 2017 at 10:43:48PM +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 04, 2017 at 09:55:58AM +0200, Eric Leblond wrote:
> > This patch introduces the nft_print function that has to be used
> > instead of printf to output information that was previously sent
> > to stdout. This function
Hi,
On Mon, 2017-09-04 at 22:53 +0200, Pablo Neira Ayuso wrote:
> On Mon, Sep 04, 2017 at 10:43:48PM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Sep 04, 2017 at 09:55:58AM +0200, Eric Leblond wrote:
> > > This patch introduces the nft_print function that has to be used
> > > instead of printf to
From: Pablo Neira Ayuso
Date: Mon, 4 Sep 2017 22:11:02 +0200
> The following patchset contains Netfilter updates for net-next. This
> patchset includes updates for nf_tables, removal of
> CONFIG_NETFILTER_DEBUG and a new mode for xt_hashlimit. More
> specifically, they:
If it isn't a bug fix and it isn't in patchwork right now, I don't
want to see it.
This time around inappropriate submissions will be silently marked
as "deferred" in patchwork and not even looked at by me.
Thanks.
tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
head: 9dee1474121550b20542321f9e0579801c6b587c
commit: bea74641e3786d51dcf1175527cc1781420961c9 [1/12] netfilter: xt_hashlimit: add rate match mode
config: arm-ezx_defconfig (attached as .config)
compiler: