From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net
Subject: [PATCH 00/25] Netfilter/IPVS updates for net-next
Date: Sat, 23 Jul 2016 13:02:00 +0200
Message-ID: <1469271745-14523-1-git-send-email-pablo@netfilter.org>
Hi David,
The following patchset contains Netfilter/IPVS updates for net-next,
they are:
1) Count pre-established connections as active in "least connection"
schedulers, so that pre-established connections do not overload
backend servers on peak demands, from Michal Kubecek via Simon Horman.
2) Address a race condition when resizing the conntrack table by caching
the bucket size when fully iterating over the hashtable in these
three possible scenarios: 1) dump via /proc/net/nf_conntrack,
2) unlinking userspace helper and 3) unlinking custom conntrack timeout.
From Liping Zhang.
3) Revisit early_drop() path to perform lockless traversal on conntrack
eviction under stress, use del_timer() as synchronization point to
avoid two CPUs evicting the same entry, from Florian Westphal.
4) Move NAT hlist_head to nf_conn object, this simplifies the existing
NAT extension and it doesn't increase size since recent patches to
align nf_conn, from Florian.
5) Use rhashtable for the by-source NAT hashtable, also from Florian.
6) Don't allow --physdev-is-out from OUTPUT chain, just like
--physdev-out is not either, from Hangbin Liu.
7) Automagically set on nf_conntrack counters if the user tries to
match ct bytes/packets from nftables, from Liping Zhang.
8) Remove possible_net_t fields in nf_tables set objects since we just
simply pass the net pointer to the backend set type implementations.
9) Fix possible off-by-one in h323, from Toby DiPasquale.
10) early_drop() may be called from the ctnetlink path, so we must hold
the rcu read side lock from there too, this amends Florian's patch #3
coming in this batch, from Liping Zhang.
11) Use binary search to validate jump offset in x_tables, this
addresses the O(n!) validation that was introduced recently to
resolve security issues with unprivileged namespaces, from Florian.
12) Fix reference leak to connlabel in error path of nft_ct, from Zhang.
13) Three updates for nft_log: Fix log prefix leak in error path. Bail
out on loglevel larger than debug in nft_log and set on the new
NF_LOG_F_COPY_LEN flag when snaplen is specified. Again from Zhang.
14) Allow to filter rule dumps in nf_tables based on table and chain
names.
15) Simplify connlabel to always use 128 bits to store labels and
get rid of unused function in xt_connlabel, from Florian.
16) Replace set_expect_timeout() by mod_timer() from the h323 conntrack
helper, by Gao Feng.
17) Put back x_tables module reference in nft_compat on error, from
Liping Zhang.
18) Add a reference count to the x_tables extensions cache in
nft_compat, so we can remove them when unused and avoid a crash
if the extensions are rmmod, again from Zhang.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit a90a6e55f34f28190e4dc2a6a3660ef157827a8f:
Merge tag 'mac80211-next-for-davem-2016-07-06' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next (2016-07-06 22:32:15 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to 4b512e1c1f8de6b9ceb796ecef8658e0a083cab7:
netfilter: nft_compat: fix crash when related match/target module is removed (2016-07-23 12:25:00 +0200)
----------------------------------------------------------------
Florian Westphal (7):
netfilter: conntrack: simplify early_drop
netfilter: move nat hlist_head to nf_conn
netfilter: nat: convert nat bysrc hash to rhashtable
netfilter: constify arg to is_dying/confirmed
netfilter: x_tables: speed up jump target validation
netfilter: conntrack: support a fixed size of 128 distinct labels
netfilter: connlabels: move set helper to xt_connlabel
Gao Feng (2):
netfilter: Add helper array register/unregister functions
netfilter: h323: Use mod_timer instead of set_expect_timeout
Hangbin Liu (1):
netfilter: physdev: physdev-is-out should not work with OUTPUT chain
Liping Zhang (11):
netfilter: conntrack: fix race between nf_conntrack proc read and hash resize
netfilter: cttimeout: unlink timeout obj again when hash resize happen
netfilter: nf_ct_helper: unlink helper again when hash resize happen
netfilter: nft_ct: make byte/packet expr more friendly
netfilter: conntrack: protect early_drop by rcu read lock
netfilter: nft_ct: fix unpaired nf_connlabels_get/put call
netfilter: nft_log: fix possible memory leak if log expr init fail
netfilter: nft_log: check the validity of log level
netfilter: nft_log: fix snaplen does not truncate packets
netfilter: nft_compat: put back match/target module if init fail
netfilter: nft_compat: fix crash when related match/target module is removed
Michal Kubecek (1):
ipvs: count pre-established TCP states as active
Pablo Neira Ayuso (3):
netfilter: nf_tables: get rid of possible_net_t from set and basechain
Merge tag 'ipvs-for-v4.8' of https://git.kernel.org/.../horms/ipvs-next
netfilter: nf_tables: allow to filter out rules by table and chain
Toby DiPasquale (1):
netfilter: nf_conntrack_h323: fix off-by-one in DecodeQ931
include/linux/netfilter/x_tables.h | 4 +
include/net/netfilter/nf_conntrack.h | 9 +-
include/net/netfilter/nf_conntrack_core.h | 2 +
include/net/netfilter/nf_conntrack_extend.h | 3 -
include/net/netfilter/nf_conntrack_helper.h | 15 +++
include/net/netfilter/nf_conntrack_labels.h | 18 +--
include/net/netfilter/nf_nat.h | 3 +-
include/net/netfilter/nf_tables.h | 21 +--
net/ipv4/netfilter/arp_tables.c | 47 ++++---
net/ipv4/netfilter/ip_tables.c | 45 ++++---
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 14 +-
net/ipv6/netfilter/ip6_tables.c | 45 ++++---
net/netfilter/ipvs/ip_vs_proto_tcp.c | 25 +++-
net/netfilter/nf_conntrack_core.c | 115 +++++++++-------
net/netfilter/nf_conntrack_extend.c | 15 +--
net/netfilter/nf_conntrack_ftp.c | 58 +++-----
net/netfilter/nf_conntrack_h323_asn1.c | 3 +-
net/netfilter/nf_conntrack_h323_main.c | 15 +--
net/netfilter/nf_conntrack_helper.c | 76 ++++++++++-
net/netfilter/nf_conntrack_irc.c | 36 ++---
net/netfilter/nf_conntrack_labels.c | 28 +---
net/netfilter/nf_conntrack_netlink.c | 10 +-
net/netfilter/nf_conntrack_sane.c | 57 +++-----
net/netfilter/nf_conntrack_sip.c | 75 ++++-------
net/netfilter/nf_conntrack_standalone.c | 14 +-
net/netfilter/nf_conntrack_tftp.c | 48 +++----
net/netfilter/nf_nat_core.c | 149 ++++++++++-----------
net/netfilter/nf_tables_api.c | 48 ++++++-
net/netfilter/nfnetlink_cttimeout.c | 20 ++-
net/netfilter/nft_compat.c | 75 ++++++-----
net/netfilter/nft_ct.c | 41 +++---
net/netfilter/nft_hash.c | 20 +--
net/netfilter/nft_log.c | 34 +++--
net/netfilter/nft_lookup.c | 2 +-
net/netfilter/nft_rbtree.c | 26 ++--
net/netfilter/x_tables.c | 50 +++++++
net/netfilter/xt_connlabel.c | 29 ++--
net/netfilter/xt_physdev.c | 8 +-
net/openvswitch/conntrack.c | 4 +-
39 files changed, 718 insertions(+), 589 deletions(-)
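Item 11 above replaces a per-jump linear scan of the rule blob with a binary search over the recorded rule offsets. The following is an added example, not code from the kernel or from this patch series, that models that idea in userspace: it walks a constructed, variable-sized rule "blob" once to record every rule's start offset, then validates jump targets either by a linear scan or by binary search over that sorted array, counting comparisons so the cost difference is visible. All rule sizes, jump targets and function names are my own assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: byte sizes of 8 rules packed back to back in a
 * hypothetical table (real x_tables rules vary in size with their
 * match/target data). Start offsets: 0,112,264,376,576,688,840,952. */
static const unsigned int sample_sizes[] = { 112, 152, 112, 200, 112, 152, 112, 96 };
#define NRULES (sizeof(sample_sizes) / sizeof(sample_sizes[0]))

/* Pass 1: walk the blob once and record every rule's start offset.
 * Walking front to back yields an ascending array, so no sort is needed. */
size_t collect_offsets(const unsigned int *sizes, size_t nrules,
                       unsigned int *offsets)
{
    unsigned int off = 0;
    for (size_t i = 0; i < nrules; i++) {
        offsets[i] = off;
        off += sizes[i];
    }
    return nrules;
}

/* Old style: scan the rules for each jump, O(n) per jump. */
bool jump_valid_linear(const unsigned int *offsets, size_t n,
                       unsigned int target, unsigned int *steps)
{
    *steps = 0;
    for (size_t i = 0; i < n; i++) {
        (*steps)++;
        if (offsets[i] == target)
            return true;
        if (offsets[i] > target)
            break;
    }
    return false;
}

/* New style: binary search over the sorted offset array, O(log n) per jump. */
bool jump_valid_bsearch(const unsigned int *offsets, size_t n,
                        unsigned int target, unsigned int *steps)
{
    size_t lo = 0, hi = n;
    *steps = 0;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        (*steps)++;
        if (offsets[mid] == target)
            return true;
        if (offsets[mid] < target)
            lo = mid + 1;
        else
            hi = mid;
    }
    return false;
}

/* A jump target is an absolute byte offset into the blob. Anything that
 * is not the start of a rule is rejected: a mis-aligned jump would make
 * the evaluator read match/target payload as a rule header. Returns the
 * number of rejected jumps. */
int count_bad_jumps(const unsigned int *offsets, size_t n,
                    const unsigned int *targets, size_t ntargets)
{
    int bad = 0;
    for (size_t i = 0; i < ntargets; i++) {
        unsigned int s;
        if (!jump_valid_bsearch(offsets, n, targets[i], &s))
            bad++;
    }
    return bad;
}

/* Demo helpers over the constructed sample (300 is mid-rule, 1048 is
 * one past the last rule; both must be rejected). */
static const unsigned int sample_targets[] = { 0, 264, 952, 300, 1048 };

unsigned int demo_offset(size_t i)
{
    unsigned int offsets[NRULES];
    collect_offsets(sample_sizes, NRULES, offsets);
    return offsets[i];
}

int demo_bad_jumps(void)
{
    unsigned int offsets[NRULES];
    collect_offsets(sample_sizes, NRULES, offsets);
    return count_bad_jumps(offsets, NRULES, sample_targets,
                           sizeof(sample_targets) / sizeof(sample_targets[0]));
}

unsigned int demo_steps(unsigned int target, bool use_bsearch)
{
    unsigned int offsets[NRULES], steps;
    collect_offsets(sample_sizes, NRULES, offsets);
    if (use_bsearch)
        jump_valid_bsearch(offsets, NRULES, target, &steps);
    else
        jump_valid_linear(offsets, NRULES, target, &steps);
    return steps;
}

int main(void)
{
    printf("rejected jumps: %d\n", demo_bad_jumps());
    printf("steps to validate 952: linear=%u bsearch=%u\n",
           demo_steps(952, false), demo_steps(952, true));
    return 0;
}
```

The point for reviewers of this kind of change is the invariant, not the search: the offset array must be built in the same pass that checks each rule's own size and bounds, so that a crafted table cannot present a jump that lands inside another rule's match or target data. With a sorted array, the per-jump cost drops from a walk of the whole blob to a logarithmic probe, which is what removes the superlinear validation time for large tables loaded from an unprivileged namespace.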
Thread overview:
2016-07-23 11:02 Pablo Neira Ayuso [this message]
2016-07-23 11:02 ` [PATCH 01/25] ipvs: count pre-established TCP states as active Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 02/25] netfilter: conntrack: fix race between nf_conntrack proc read and hash resize Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 03/25] netfilter: cttimeout: unlink timeout obj again when hash resize happen Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 04/25] netfilter: nf_ct_helper: unlink helper " Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 05/25] netfilter: conntrack: simplify early_drop Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 06/25] netfilter: move nat hlist_head to nf_conn Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 07/25] netfilter: nat: convert nat bysrc hash to rhashtable Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 08/25] netfilter: physdev: physdev-is-out should not work with OUTPUT chain Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 09/25] netfilter: nft_ct: make byte/packet expr more friendly Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 10/25] netfilter: constify arg to is_dying/confirmed Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 11/25] netfilter: nf_tables: get rid of possible_net_t from set and basechain Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 12/25] netfilter: nf_conntrack_h323: fix off-by-one in DecodeQ931 Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 13/25] netfilter: conntrack: protect early_drop by rcu read lock Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 14/25] netfilter: x_tables: speed up jump target validation Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 15/25] netfilter: nft_ct: fix unpaired nf_connlabels_get/put call Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 16/25] netfilter: Add helper array register/unregister functions Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 17/25] netfilter: nft_log: fix possible memory leak if log expr init fail Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 18/25] netfilter: nft_log: check the validity of log level Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 19/25] netfilter: nft_log: fix snaplen does not truncate packets Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 20/25] netfilter: nf_tables: allow to filter out rules by table and chain Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 21/25] netfilter: conntrack: support a fixed size of 128 distinct labels Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 22/25] netfilter: connlabels: move set helper to xt_connlabel Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 23/25] netfilter: h323: Use mod_timer instead of set_expect_timeout Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 24/25] netfilter: nft_compat: put back match/target module if init fail Pablo Neira Ayuso
2016-07-23 11:02 ` [PATCH 25/25] netfilter: nft_compat: fix crash when related match/target module is removed Pablo Neira Ayuso
2016-07-25 5:03 ` [PATCH 00/25] Netfilter/IPVS updates for net-next David Miller
2016-07-23 11:08 Pablo Neira Ayuso