Jack Ma wrote:
> This patch adds a new feature to iptables that allows bitshifting for
> --restore,set and save-mark operations. This allows existing logic
> operators (and, or and xor) and mask to co-operate with new bitshift
> operations.
>
> The intention is to provide users with more flexible us
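The mark arithmetic the patch extends, written out as an added example (my code, not Jack Ma's patch or the xt_connmark sources). The mask-and-xor form of set/save/restore and the `--ctmask`/`--nfmask` options are the existing CONNMARK behaviour; where the shift is applied (to the masked source value, before the xor), the direction enum and the `shift_bits` field are assumptions of this example, not taken from the page.

```c
#include <stdint.h>
#include <stdio.h>

enum shift_dir { SHIFT_LEFT, SHIFT_RIGHT };

/* Assumed parameter layout for one CONNMARK operation. */
struct connmark_op {
	uint32_t ctmark;       /* value for set-mark */
	uint32_t ctmask;       /* --ctmask: conntrack-mark bits read or replaced */
	uint32_t nfmask;       /* --nfmask: packet-mark bits read or replaced */
	uint8_t  shift_bits;   /* assumption: how far to shift the masked source */
	enum shift_dir dir;    /* assumption: shift direction */
};

struct connmark_op op_make(uint32_t ctmark, uint32_t ctmask, uint32_t nfmask,
			   uint8_t shift_bits, enum shift_dir dir)
{
	struct connmark_op op = { ctmark, ctmask, nfmask, shift_bits, dir };
	return op;
}

/* Shift the masked source value. A shift by >= 32 is undefined in C, so
 * treat it as clearing the value rather than letting the compiler decide. */
static uint32_t apply_shift(uint32_t v, struct connmark_op op)
{
	if (op.shift_bits >= 32)
		return 0;
	return op.dir == SHIFT_RIGHT ? v >> op.shift_bits : v << op.shift_bits;
}

/* set-mark: replace the ctmask bits of the conntrack mark with the (shifted) value. */
uint32_t connmark_set(uint32_t ctmark, struct connmark_op op)
{
	return (ctmark & ~op.ctmask) ^ apply_shift(op.ctmark, op);
}

/* save-mark: copy the nfmask bits of the packet mark into the ctmask bits of the
 * conntrack mark, shifting in between so the bit fields need not line up. */
uint32_t connmark_save(uint32_t ctmark, uint32_t skbmark, struct connmark_op op)
{
	return (ctmark & ~op.ctmask) ^ apply_shift(skbmark & op.nfmask, op);
}

/* restore-mark: the reverse direction, conntrack mark -> packet mark. */
uint32_t connmark_restore(uint32_t ctmark, uint32_t skbmark, struct connmark_op op)
{
	return (skbmark & ~op.nfmask) ^ apply_shift(ctmark & op.ctmask, op);
}

int main(void)
{
	/* Constructed scenario: an 8-bit id lives in bits 16..23 of the conntrack
	 * mark but a later rule expects it in bits 0..7 of the packet mark. */
	struct connmark_op to_pkt = op_make(0, 0x00ff0000u, 0x000000ffu, 16, SHIFT_RIGHT);
	struct connmark_op to_ct  = op_make(0, 0x00ff0000u, 0x000000ffu, 16, SHIFT_LEFT);

	printf("restore: ct=0x%08x skb=0x%08x -> skb=0x%08x\n", 0x00ab0000u, 0xffffff00u,
	       connmark_restore(0x00ab0000u, 0xffffff00u, to_pkt));
	printf("save:    ct=0x%08x skb=0x%08x -> ct=0x%08x\n", 0x12345678u, 0x000000abu,
	       connmark_save(0x12345678u, 0x000000abu, to_ct));
	return 0;
}
```

The save and restore helpers are inverses of each other only when `ctmask` and `nfmask` select fields of equal width and the two shifts cancel; with other masks the xor simply merges the shifted bits into whatever the destination mask leaves untouched.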
On Tue, Apr 10, 2018 at 09:00:24AM +0200, Florian Westphal wrote:
> set->name must be free'd here in case ops->init fails.
Applied, thanks Florian.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo inf
On Fri, Mar 30, 2018 at 01:22:06PM -0700, Cong Wang wrote:
> The following memory leak is a false positive:
>
> unreferenced object 0x8f37f156fb38 (size 128):
> comm "softirq", pid 0, jiffies 4294899665 (age 11.292s)
> hex dump (first 32 bytes):
> 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b
On Tue, Apr 10, 2018 at 09:30:27AM +0200, Florian Westphal wrote:
> rules in nftables are free'd using kfree, but protected by rcu, i.e. we
> must wait for a grace period to elapse.
>
> Normal removal patch does this, but nf_tables_newrule() doesn't obey
> this rule during error handling.
>
> It ca
Marco De Benedetto says:
I would like to use a timeout of 30 days for elements in a set but it
seems there is some kind of problem above 24d20h31m23s.
Fix this by using 'jiffies64' for timeout handling to get same behaviour
on 32 and 64bit systems.
nftables passes timeouts as u64 in milliseco
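The arithmetic behind that boundary, as an added example (my code, not Florian's patch or the kernel's). 2^31 milliseconds is 24d 20h 31m 23.648s, the largest millisecond count that survives a signed 32-bit conversion, which is why a 32-bit jiffies path stops working exactly where the report says. The block also shows the overflow-checked ms to ns conversion the fix needs and a 64-bit ms to jiffies conversion; the HZ value and the 30-day input are constructed for the example, and `struct conv` is this example's own return type.

```c
#include <stdint.h>
#include <stdio.h>

#define NSEC_PER_MSEC 1000000ULL
#define MSEC_PER_SEC  1000ULL

/* Largest millisecond count that fits a signed 32-bit int. jiffies and
 * unsigned long are 32 bits wide on a 32-bit kernel, so this is the
 * boundary behind the "above 24d20h31m23s" report. */
#define MS_LIMIT_32 ((uint64_t)INT32_MAX)   /* 2147483647 */

struct dhms { uint64_t d, h, m, s, ms; };
struct conv { int ok; uint64_t val; };      /* example's own result type */

/* Break a millisecond count into days/hours/minutes/seconds/ms. */
struct dhms split_ms(uint64_t ms)
{
	struct dhms r;
	r.d = ms / (86400ULL * MSEC_PER_SEC); ms %= 86400ULL * MSEC_PER_SEC;
	r.h = ms / (3600ULL * MSEC_PER_SEC);  ms %= 3600ULL * MSEC_PER_SEC;
	r.m = ms / (60ULL * MSEC_PER_SEC);    ms %= 60ULL * MSEC_PER_SEC;
	r.s = ms / MSEC_PER_SEC;
	r.ms = ms % MSEC_PER_SEC;
	return r;
}

/* 1 if a millisecond timeout survives a 32-bit jiffies conversion, else 0. */
int fits_32bit_jiffies(uint64_t ms)
{
	return ms <= MS_LIMIT_32;
}

/* ms -> ns in 64 bits with the overflow check the patch adds. '>' is the
 * exact bound: max * NSEC_PER_MSEC still fits, so the patch's '>=' is one
 * step more conservative than needed, which is harmless. */
struct conv ms_to_ns_u64(uint64_t ms)
{
	struct conv r = { 0, 0 };
	uint64_t max = UINT64_MAX / NSEC_PER_MSEC;  /* kernel: div_u64(U64_MAX, NSEC_PER_MSEC) */
	if (ms > max)
		return r;
	r.ok = 1;
	r.val = ms * NSEC_PER_MSEC;
	return r;
}

/* ms -> 64-bit jiffies at the given HZ, rounded up; hz is a parameter
 * because the real value depends on CONFIG_HZ. The multiply is guarded so
 * a huge timeout fails cleanly instead of wrapping. */
struct conv ms_to_jiffies64(uint64_t ms, uint64_t hz)
{
	struct conv r = { 0, 0 };
	if (hz == 0 || ms > UINT64_MAX / hz)
		return r;
	r.ok = 1;
	r.val = (ms * hz + MSEC_PER_SEC - 1) / MSEC_PER_SEC;
	return r;
}

int main(void)
{
	uint64_t thirty_days = 30ULL * 86400ULL * MSEC_PER_SEC; /* constructed: 2592000000 ms */
	struct dhms b = split_ms(MS_LIMIT_32 + 1);
	struct conv ns = ms_to_ns_u64(thirty_days);
	struct conv j = ms_to_jiffies64(thirty_days, 250);     /* HZ=250 assumed */

	printf("2^31 ms = %llud%lluh%llum%llus%llums\n", (unsigned long long)b.d,
	       (unsigned long long)b.h, (unsigned long long)b.m,
	       (unsigned long long)b.s, (unsigned long long)b.ms);
	printf("30 days fits 32-bit jiffies: %d\n", fits_32bit_jiffies(thirty_days));
	if (ns.ok)
		printf("30 days = %llu ns\n", (unsigned long long)ns.val);
	if (j.ok)
		printf("30 days = %llu jiffies at HZ=250\n", (unsigned long long)j.val);
	return 0;
}
```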
On Monday 2018-04-16 18:04, Florian Westphal wrote:
>+ u64 max = (u64)(~((u64)0));
>+ max = div_u64(max, NSEC_PER_MSEC);
>+ if (ms >= max)
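Review bot: `if (ms >= max)` rejects ms == max even though max * NSEC_PER_MSEC, with max being U64_MAX / NSEC_PER_MSEC rounded down, still fits in a u64; `if (ms > max)` is the exact bound, though the conservative check is harmless. The open-coded `(u64)(~((u64)0))` duplicates `U64_MAX` from linux/kernel.h, so the first two lines can collapse to `u64 max = div_u64(U64_MAX, NSEC_PER_MSEC);`.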
Why opencode, is there a problem with UINT64_MAX?
Just this:
u64 max = div_u64(UINT64_MAX, NSEC_PER_MSEC);
Jan Engelhardt wrote:
>
> On Monday 2018-04-16 18:04, Florian Westphal wrote:
> >+u64 max = (u64)(~((u64)0));
> >+max = div_u64(max, NSEC_PER_MSEC);
> >+if (ms >= max)
>
> Why opencode, is there a problem with UINT64_MAX?
There is no UINT64_MAX in kernel (some private defines, but
n
nft rejects rules that lack a timeout and a size limit when they're used
to add elements from packet path.
Pick a sane upperlimit instead of rejecting outright.
The upperlimit is visible to userspace, just as if it would have been
given during set declaration.
Signed-off-by: Florian Westphal
---
Modern GCC compilers will warn if an explicit comment isn't present.
Perhaps this should be better done with a proper compiler instruction,
but the code comment is more similar to the rest of the codebase.
Signed-off-by: Arturo Borrero Gonzalez
---
src/cache-ct.c |2 ++
src/cache-exp.c |
We may assume that if a user builds conntrackd with such a feature, it is with
the intention to use it. So, if that's the case, default to using it.
This eases some downstream use cases when dealing with default configs to
be shipped to final users.
This could be a mid-point solution, given some us
Move this to test/
Signed-off-by: Arturo Borrero Gonzalez
---
doc/cli/test.sh | 106 ---
tests/conntrack/cli-test.sh | 106 +++
2 files changed, 106 insertions(+), 106 deletions(-)
delete mode 100644 d
size net/netfilter/nft_meta.ko
text data bss dec hex filename
5826 936 1 6763 1a6b net/netfilter/nft_meta.ko
96407 2064 400 98871 18237 net/netfilter/nf_tables.ko
after:
100826 2240 401 103467 1942b net/netfilter/nf_tables.ko
Signed-off
It overcomplicates things for no reason.
nft_meta_bridge only offers retrieval of bridge port interface name.
Because of this being its own module, we had to export all nft_meta
functions, which we can then make static again (which even reduces
the size of nft_meta -- including bridge port retriev
before:
text data bss dec hex filename
5056 844 0 5900 170c net/netfilter/nft_exthdr.ko
102456 2316 401 105173 19ad5 net/netfilter/nf_tables.ko
after:
106410 2392 401 109203 1aa93 net/netfilter/nf_tables.ko
Signed-off-by: Florian Westphal
This series removes the following module options by merging
them into the nftables core:
CONFIG_NFT_EXTHDR=y
CONFIG_NFT_META=y
CONFIG_NFT_RT=y
CONFIG_NFT_BRIDGE_META=y
Before:
96407 2064 400 98871 18237 net/netfilter/nf_tables.ko
After:
106410 2392 401 109203 1aa93 net
Instead of using extra modules for these, turn the Kconfig options into
an implicit dependency that adds the masq feature to the protocols' nf_nat modules.
before:
text data bss dec hex filename
2155 860 4 3019 bcb net/ipv4/netfilter/nf_nat_masquerade_ipv4.ko
6
before:
text data bss dec hex filename
2657 844 0 3501 dad net/netfilter/nft_rt.ko
100826 2240 401 103467 1942b net/netfilter/nf_tables.ko
after:
2657 844 0 3501 dad net/netfilter/nft_rt.ko
102456 2316 401 105173 19ad5
Similar to previous patch, this time, merge redirect+nat.
The redirect module is just 2k in size, get rid of it and make
redirect parts available from the nat core.
before:
text data bss dec hex filename
16980 1272 4138 22390 5776 net/netfilter/nf_nat.ko
1383
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url:
https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-nf_tables-support-timeouts-larger-than-23-days/20180417-032146
base: https://git.kernel.org/pub/scm/linux/kernel
Hello
Greetings to you. Please, did you get my previous email regarding my
investment proposal last week Friday?
MS.Zeliha ömer faruk
zeliha.omer.fa...@gmail.com
Hi all,
After merging the netfilter tree, today's linux-next build (powerpc
ppc64_defconfig) failed like this:
net/netfilter/nf_conntrack_extend.c: In function 'nf_ct_ext_
add':
net/netfilter/nf_conntrack_extend.c:74:2: error: implicit declaration of
function 'kmemleak_not_leak' [-Werror=implici
On Mon, Apr 16, 2018 at 4:28 PM, Stephen Rothwell wrote:
> Hi all,
>
> After merging the netfilter tree, today's linux-next build (powerpc
> ppc64_defconfig) failed like this:
>
> net/netfilter/nf_conntrack_extend.c: In function 'nf_ct_ext_
> add':
> net/netfilter/nf_conntrack_extend.c:74:2: error
Hi Florian,
This patch has not been applied yet.
This is actually an older version of the patch that's reviewed :P, unfortunately
I refactored it a bit and caused this regression.
Do we still need the section "changes since v2" ? To me, this should be the
first patch that starts supporting v2.