From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 00/36] Netfilter updates for net-next
Date: Mon, 9 May 2016 20:46:18 +0200
Message-ID: <1462819614-5402-1-git-send-email-pablo@netfilter.org>
Hi David,
The following large patchset contains Netfilter updates for your
net-next tree. My initial intention was to send you this in two goes but
when I looked back twice I already had this burden on top of me.
Several updates for IPVS from Marco Angaroni:
1) Allow SIP connections originating from real-servers to be load
balanced by the SIP persistence engine as is already implemented
in the other direction.
2) Release connections immediately for One-packet-scheduling (OPS)
in IPVS, instead of making it via timer and rcu callback.
3) Skip deleting conntracks for each one packet in OPS, and don't call
nf_conntrack_alter_reply() since no reply is expected.
4) Enable drop on exhaustion for OPS + SIP persistence.
Miscellaneous conntrack updates from Florian Westphal, including fix for
hash resize:
5) Move conntrack generation counter out of conntrack pernet structure
since this is only used by the init_ns to allow hash resizing.
6) Use get_random_once() from packet path to collect hash random seed
instead of our compound.
7) Don't disable BH from ____nf_conntrack_find() for statistics,
use NF_CT_STAT_INC_ATOMIC() instead.
8) Fix lookup race during conntrack hash resizing.
9) Introduce clash resolution on conntrack insertion for connectionless
protocol.
Then, Florian's netns rework to get rid of per-netns conntrack table,
thus we use one single table for them all. There was consensus on this
change during the NFWS 2015 and, on top of that, it has recently been
pointed out as a source of multiple problems from unprivileged netns:
11) Use a single conntrack hashtable for all namespaces. Include netns
in object comparisons and make it part of the hash calculation.
Adapt early_drop() to consider netns.
12) Use single expectation and NAT hashtable for all namespaces.
13) Use a single slab cache for all namespaces for conntrack objects.
14) Skip full table scanning from nf_ct_iterate_cleanup() if the pernet
conntrack counter tells us the table is empty (ie. equals zero).
Fixes for nf_tables interval set element handling, support to set
conntrack connlabels and allow set names up to 32 bytes.
15) Parse element flags from element deletion path and pass it up to the
backend set implementation.
16) Allow adjacent intervals in the rbtree set type for dynamic interval
updates.
17) Add support to set connlabel from nf_tables, from Florian Westphal.
18) Allow set names up to 32 bytes in nf_tables.
Several x_tables fixes and updates:
19) Fix incorrect use of IS_ERR_VALUE() in x_tables, original patch
from Andrzej Hajda.
And finally, miscellaneous netfilter updates such as:
20) Disable automatic helper assignment by default. Note this proc knob
was introduced by a9006892643a ("netfilter: nf_ct_helper: allow to
disable automatic helper assignment") 4 years ago to start moving
towards explicit conntrack helper configuration via iptables CT
target.
21) Get rid of obsolete and inconsistent debugging instrumentation
in x_tables.
22) Remove unnecessary check for null after ip6_route_output().
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Thanks!
----------------------------------------------------------------
The following changes since commit 15cfd40771e18a4e9b788c64c9db2606f958b93d:
hv_netvsc: Fix the list processing for network change event (2016-04-24 23:27:58 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD
for you to fetch changes up to 0c5366b3a8c77fd6d67b763c5a76dfdc314e7726:
netfilter: conntrack: use single slab cache (2016-05-09 16:45:50 +0200)
----------------------------------------------------------------
Florian Westphal (19):
netfilter: conntrack: move generation seqcnt out of netns_ct
netfilter: conntrack: use get_random_once for nat and expectations
netfilter: conntrack: use get_random_once for conntrack hash seed
netfilter: nftables: add connlabel set support
netfilter: conntrack: keep BH enabled during lookup
netfilter: conntrack: fix lookup race during hash resize
netfilter: conntrack: don't attempt to iterate over empty table
netfilter: conntrack: use nf_ct_key_equal() in more places
netfilter: conntrack: small refactoring of conntrack seq_printf
netfilter: conntrack: check netns when comparing conntrack objects
netfilter: conntrack: make netns address part of hash
netfilter: conntrack: use a single hashtable for all namespaces
netfilter: conntrack: consider ct netns in early_drop logic
netfilter: conntrack: check netns when walking expect hash
netfilter: conntrack: make netns address part of expect hash
netfilter: conntrack: use a single expectation table for all namespaces
netfilter: conntrack: make netns address part of nat bysrc hash
netfilter: conntrack: use a single nat bysource table for all namespaces
netfilter: conntrack: use single slab cache
Liping Zhang (1):
netfilter: ip6t_SYNPROXY: unnecessary to check whether ip6_route_output returns NULL
Marco Angaroni (4):
ipvs: handle connections started by real-servers
ipvs: optimize release of connections in OPS mode
ipvs: don't alter conntrack in OPS mode
ipvs: make drop_entry protection effective for SIP-pe
Pablo Neira Ayuso (14):
netfilter: nf_tables: introduce nft_setelem_parse_flags() helper
netfilter: nf_tables: parse element flags from nft_del_setelem()
netfilter: nft_rbtree: introduce nft_rbtree_interval_end() helper
netfilter: nft_rbtree: allow adjacent intervals with dynamic updates
netfilter: nf_ct_helper: disable automatic helper assignment
Merge tag 'ipvs-for-v4.7' of https://git.kernel.org/.../horms/ipvs-next
netfilter: fix IS_ERR_VALUE usage
netfilter: conntrack: __nf_ct_l4proto_find() always returns valid pointer
netfilter: conntrack: introduce nf_ct_acct_update()
netfilter: conntrack: introduce clash resolution on insertion race
openvswitch: __nf_ct_l{3,4}proto_find() always return a valid pointer
netfilter: x_tables: get rid of old and inconsistent debugging
netfilter: nf_tables: allow set names up to 32 bytes
Merge tag 'ipvs2-for-v4.7' of https://git.kernel.org/.../horms/ipvs-next
include/linux/netfilter/x_tables.h | 6 +-
include/net/ip_vs.h | 17 +
include/net/netfilter/nf_conntrack.h | 2 -
include/net/netfilter/nf_conntrack_core.h | 1 +
include/net/netfilter/nf_conntrack_expect.h | 1 +
include/net/netfilter/nf_conntrack_l4proto.h | 3 +
include/net/netfilter/nf_tables.h | 2 +-
include/net/netns/conntrack.h | 10 -
include/uapi/linux/netfilter/nf_tables.h | 1 +
net/ipv4/netfilter/arp_tables.c | 223 ++---------
net/ipv4/netfilter/ip_tables.c | 250 +++----------
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 2 +-
.../netfilter/nf_conntrack_l3proto_ipv4_compat.c | 47 ++-
net/ipv6/netfilter/ip6_tables.c | 235 +++---------
net/ipv6/netfilter/ip6t_SYNPROXY.c | 2 +-
net/netfilter/ipvs/ip_vs_conn.c | 51 ++-
net/netfilter/ipvs/ip_vs_core.c | 162 +++++++-
net/netfilter/ipvs/ip_vs_ctl.c | 46 ++-
net/netfilter/ipvs/ip_vs_nfct.c | 4 +
net/netfilter/ipvs/ip_vs_pe_sip.c | 15 +
net/netfilter/nf_conntrack_core.c | 415 +++++++++++----------
net/netfilter/nf_conntrack_expect.c | 83 +++--
net/netfilter/nf_conntrack_helper.c | 12 +-
net/netfilter/nf_conntrack_netlink.c | 29 +-
net/netfilter/nf_conntrack_proto_udp.c | 2 +
net/netfilter/nf_conntrack_proto_udplite.c | 2 +
net/netfilter/nf_conntrack_standalone.c | 13 +-
net/netfilter/nf_nat_core.c | 39 +-
net/netfilter/nf_tables_api.c | 78 +++-
net/netfilter/nfnetlink_cttimeout.c | 6 +-
net/netfilter/nft_ct.c | 30 ++
net/netfilter/nft_rbtree.c | 49 ++-
net/openvswitch/conntrack.c | 8 -
33 files changed, 916 insertions(+), 930 deletions(-)
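The netns rework in items 11 to 14 collapses the per-namespace conntrack tables into one shared table, which only stays safe if the namespace is part of both the hash and the key comparison. The toy table below is an added illustration, not kernel code; `toy_net`, `toy_tuple`, `ct_hash`, `ct_key_equal`, `ct_find`, `ct_insert` and `demo` are hypothetical names, the FNV-style mixer stands in for the kernel's hash, and the fixed seed stands in for the value the kernel draws with get_random_once().

```c
/* Added illustration (not kernel code): a single shared conntrack table where
 * the network namespace is folded into the hash and checked on key equality. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

struct toy_net { int id; };                 /* stands in for struct net */
struct toy_tuple {                          /* 5-tuple, one direction */
    uint32_t src, dst;
    uint16_t sport, dport;
    uint8_t  proto;
};
struct toy_ct {
    struct toy_tuple tuple;
    const struct toy_net *net;              /* owning namespace */
    struct toy_ct *next;                    /* hash chain */
};

#define TOY_HASH_SIZE 64
static struct toy_ct *toy_table[TOY_HASH_SIZE];
static const uint32_t toy_hash_seed = 0x9e3779b9u; /* constructed; kernel: get_random_once() */

static uint32_t mix(uint32_t h, uint32_t v) { h ^= v; return h * 16777619u; }

/* Hash the tuple fields, then the netns address, so identical tuples in
 * different namespaces do not even share a bucket by construction. */
static unsigned int ct_hash(const struct toy_tuple *t, const struct toy_net *net)
{
    uint32_t h = 2166136261u ^ toy_hash_seed;
    h = mix(h, t->src); h = mix(h, t->dst);
    h = mix(h, ((uint32_t)t->sport << 16) | t->dport);
    h = mix(h, t->proto);
    h = mix(h, (uint32_t)(uintptr_t)net);   /* netns address is part of the hash */
    return h % TOY_HASH_SIZE;
}

/* Equality must also compare the namespace, or namespace A could match B's flow. */
static bool ct_key_equal(const struct toy_ct *ct, const struct toy_tuple *t,
                         const struct toy_net *net)
{
    return ct->net == net && ct->tuple.src == t->src && ct->tuple.dst == t->dst &&
           ct->tuple.sport == t->sport && ct->tuple.dport == t->dport &&
           ct->tuple.proto == t->proto;
}

static struct toy_ct *ct_find(const struct toy_tuple *t, const struct toy_net *net)
{
    for (struct toy_ct *ct = toy_table[ct_hash(t, net)]; ct; ct = ct->next)
        if (ct_key_equal(ct, t, net))
            return ct;
    return NULL;
}

static void ct_insert(struct toy_ct *ct)
{
    unsigned int b = ct_hash(&ct->tuple, ct->net);
    ct->next = toy_table[b];
    toy_table[b] = ct;
}

/* Constructed case: the same DNS 5-tuple tracked in two namespaces. Returns 1
 * when each namespace finds only its own entry and an unknown netns finds none. */
static int demo(void)
{
    static struct toy_net net_a = { 1 }, net_b = { 2 };
    static struct toy_ct ct_a, ct_b;
    struct toy_tuple t = { 0x0a000001u, 0x0a000002u, 40000, 53, 17 };
    ct_a.tuple = t; ct_a.net = &net_a;
    ct_b.tuple = t; ct_b.net = &net_b;
    ct_insert(&ct_a);
    ct_insert(&ct_b);
    return ct_find(&t, &net_a) == &ct_a && ct_find(&t, &net_b) == &ct_b &&
           ct_find(&t, NULL) == NULL;
}
```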