netfilter-devel.vger.kernel.org archive mirror
* netfilter & ipv6
@ 2005-02-08  7:50 Jonas Berlin
  2005-02-10 14:07 ` Jonas Berlin
       [not found] ` <53965.213.236.112.75.1107867276.squirrel@213.236.112.75>
  0 siblings, 2 replies; 30+ messages in thread
From: Jonas Berlin @ 2005-02-08  7:50 UTC (permalink / raw)
  To: netfilter-devel

Hi!

I have found that there seems to be a bunch of match & target modules 
for iptables that don't exist for ip6tables.. Like CLASSIFY for example. 
And some that exist have only a subset of the features.

Also some modules exist only for linux 2.4 but were never ported to 2.6 
or don't compile cleanly anymore on the newest 2.6 kernels.

While I don't have that much experience of 2.6 yet and only have been 
hacking some smaller modules for 2.4 in the past, I think I should have 
enough skills to at least port/update some of these.

So I thought maybe I could help out with this task - ipv6 is something 
that I hope and think will take over ipv4 some day and I'd like for 
linux to be able to provide the same experience then as ipv4 users of 
iptables have today.

I have some questions..

1. Some modules (will) look almost identical on ipv4 and ipv6 - would 
there be any point in making the ipv4 modules export some symbols and 
then re-use those methods in ipv6 if it wouldn't imply any (major) 
changes to the ipv4 modules?

2. I think it could be nice to keep track of what modules exist for ipv4 
and ipv6 on some web page and maybe also let people sign up to join the 
porting effort (if there are any =). What do you think? And is that 
something I could help out with as well? I have a server at home that 
could run it, however behind a 0.5M adsl line..

3. If I succeed porting something, what should I name the patch to be 
sent to patch-o-matic-ng? I don't think I could just extend the existing 
ones as that would suggest the original authors have something to do 
with it and also some of them are pending or already included in 
the kernel. So, would CLASSIFY_v6 be an acceptable name for the ipv6 
version of CLASSIFY? And maybe condition_26 for the 2.6 port of 
condition from 2.4? What's your general procedure if someone has 
updates to a module that someone else did? Should the original authors 
be contacted instead of sending patches to this list?

Any suggestions you have are welcome!

-- 
- xkr47

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: netfilter & ipv6
  2005-02-08  7:50 netfilter & ipv6 Jonas Berlin
@ 2005-02-10 14:07 ` Jonas Berlin
  2005-02-10 14:41   ` Samuel Jean
  2005-02-10 21:36   ` Sven-Haegar Koch
       [not found] ` <53965.213.236.112.75.1107867276.squirrel@213.236.112.75>
  1 sibling, 2 replies; 30+ messages in thread
From: Jonas Berlin @ 2005-02-10 14:07 UTC (permalink / raw)
  To: netfilter-devel

Jonas Berlin wrote:

> 3. If I succeed porting something, what should I name the patch to be 
> sent to patch-o-matic-ng? I don't think I could just extend the 
> existing ones as that would suggest the original authors have 
> something to do with it and also some of them also are pending or 
> already included in the kernel. So, would CLASSIFY_v6 be an 
> acceptable name for the ipv6 version of CLASSIFY?

After twisting some bits around, my CLASSIFY_v6 seems to work 
successfully, however the naming is awkward since the name of 
the module essentially determines the name of the target, the module 
etc. So one has to write

  ip6tables ... -j CLASSIFY_v6 --set-class 1:20

Although this works fine, having some modules with suffix _v6 and some 
not is just plain confusing. Is there any way to reuse the CLASSIFY for 
ipv6 name without conflicting with the CLASSIFY module already in pom? 
Maybe I missed something?

-- 
- xkr47

* Re: netfilter & ipv6
  2005-02-10 14:07 ` Jonas Berlin
@ 2005-02-10 14:41   ` Samuel Jean
  2005-02-10 15:10     ` iptables compile error: NFC_IP_TOS undeclared Alexander Piavka
  2005-02-10 17:20     ` netfilter & ipv6 Jonas Berlin
  2005-02-10 21:36   ` Sven-Haegar Koch
  1 sibling, 2 replies; 30+ messages in thread
From: Samuel Jean @ 2005-02-10 14:41 UTC (permalink / raw)
  To: Jonas Berlin; +Cc: netfilter-devel

On Thu, February 10, 2005 9:07 am, Jonas Berlin said:

Hi Jonas!

>
>   ip6tables ... -j CLASSIFY_v6 --set-class 1:20
>
> Although this works fine, having some modules with suffix _v6 and some
> not is just plain confusing. Is there any way to reuse the CLASSIFY for
> ipv6 name without conflicting with the CLASSIFY module already in pom?
> Maybe I missed something?

You have to create an ipv6 directory in the CLASSIFY in pom.

CLASSIFY/linux/net/ipv6/netfilter/ip6t_CLASSIFY.c

Same for the include
CLASSIFY/linux/include/linux/netfilter_ipv6/ip6t_CLASSIFY.h

Also, just register your target against ip6_tables with the same name
as CLASSIFY would do with ip_tables. There's no conflict in that way.

All of this is AFAIK.

>
> --
> - xkr47
>

Thanks for your effort,
Samuel

* iptables compile error: NFC_IP_TOS undeclared
  2005-02-10 14:41   ` Samuel Jean
@ 2005-02-10 15:10     ` Alexander Piavka
  2005-02-10 15:18       ` Jonas Berlin
  2005-02-10 17:20     ` netfilter & ipv6 Jonas Berlin
  1 sibling, 1 reply; 30+ messages in thread
From: Alexander Piavka @ 2005-02-10 15:10 UTC (permalink / raw)
  To: netfilter-devel, netfilter


 Hi, compiling iptables-1.3.0rc gives the following error:

 Extensions found: IPv4:CLUSTERIP IPv4:mport IPv4:psd IPv4:recent
IPv4:ROUTE IPv4:set IPv4:SET IPv6:ah IPv6:esp IPv6:frag IPv6:ipv6header
IPv6:hbh IPv6:dst IPv6:ROUTE IPv6:rt
gcc -O2 -Wall -Wunused -I/usr/src/linux-2.6.10-ct_sync-rc1/include
-Iinclude/ -DIPTABLES_VERSION=\"1.3.0rc1\"  -fPIC -o
extensions/libipt_dscp_sh.o -c extensions/libipt_dscp.c
extensions/libipt_dscp.c: In function `init':
extensions/libipt_dscp.c:29: error: `NFC_IP_TOS' undeclared (first use in
this function)
extensions/libipt_dscp.c:29: error: (Each undeclared identifier is
reported only once
extensions/libipt_dscp.c:29: error: for each function it appears in.)
extensions/libipt_dscp.c: At top level:
extensions/libipt_dscp_helper.c:69: warning: 'dscp_to_name' defined but
not used
make: *** [extensions/libipt_dscp_sh.o] Error 1

 Please help.

* Re: iptables compile error: NFC_IP_TOS undeclared
  2005-02-10 15:10     ` iptables compile error: NFC_IP_TOS undeclared Alexander Piavka
@ 2005-02-10 15:18       ` Jonas Berlin
  2005-02-10 16:00         ` Alexander Piavka
  0 siblings, 1 reply; 30+ messages in thread
From: Jonas Berlin @ 2005-02-10 15:18 UTC (permalink / raw)
  To: Alexander Piavka; +Cc: netfilter-devel, netfilter

Alexander Piavka wrote:

>gcc -O2 -Wall -Wunused -I/usr/src/linux-2.6.10-ct_sync-rc1/include
>-Iinclude/ -DIPTABLES_VERSION=\"1.3.0rc1\"  -fPIC -o
>extensions/libipt_dscp_sh.o -c extensions/libipt_dscp.c
>extensions/libipt_dscp.c: In function `init':
>extensions/libipt_dscp.c:29: error: `NFC_IP_TOS' undeclared (first use in
>this function)
>  
>
Could you give the output of the following three commands (run them from 
your iptables-1.3.0rc1 source directory):

  grep NFC_IP_TOS /usr/src/linux-2.6.10-ct_sync-rc1/include/linux/netfilter_ipv4.h

  grep netfilter_ipv4.h /usr/src/linux-2.6.10-ct_sync-rc1/include/linux/netfilter_ipv4/ip_tables.h

  grep ip_tables.h extensions/libipt_dscp.c

That could help solve the problem.

-- 
- xkr47

* Re: iptables compile error: NFC_IP_TOS undeclared
  2005-02-10 15:18       ` Jonas Berlin
@ 2005-02-10 16:00         ` Alexander Piavka
  2005-02-10 16:04           ` Jonas Berlin
  0 siblings, 1 reply; 30+ messages in thread
From: Alexander Piavka @ 2005-02-10 16:00 UTC (permalink / raw)
  To: Jonas Berlin; +Cc: netfilter-devel, netfilter


On Thu, 10 Feb 2005, Jonas Berlin wrote:

> Alexander Piavka wrote:
>
> >gcc -O2 -Wall -Wunused -I/usr/src/linux-2.6.10-ct_sync-rc1/include
> >-Iinclude/ -DIPTABLES_VERSION=\"1.3.0rc1\"  -fPIC -o
> >extensions/libipt_dscp_sh.o -c extensions/libipt_dscp.c
> >extensions/libipt_dscp.c: In function `init':
> >extensions/libipt_dscp.c:29: error: `NFC_IP_TOS' undeclared (first use in
> >this function)
> >
> >
> Could you give the output of the following three commands (run them from
> your iptables-1.3.0rc1 source directory):
>
>   grep NFC_IP_TOS
> /usr/src/linux-2.6.10-ct_sync-rc1/include/linux/netfilter_ipv4.h
 no match

actually there is no match for NFC_IP_TOS in the whole
/usr/src/linux-2.6.10-ct_sync-rc1/include subtree

>
>   grep netfilter_ipv4.h
> /usr/src/linux-2.6.10-ct_sync-rc1/include/linux/netfilter_ipv4/ip_tables.h
#include <linux/netfilter_ipv4.h>

>
>   grep ip_tables.h extensions/libipt_dscp.c

#include <linux/netfilter_ipv4/ip_tables.h>
>
> That could help solve the problem.
>
> --

 Thanks

* Re: iptables compile error: NFC_IP_TOS undeclared
  2005-02-10 16:00         ` Alexander Piavka
@ 2005-02-10 16:04           ` Jonas Berlin
  2005-02-10 17:50             ` Patrick McHardy
  0 siblings, 1 reply; 30+ messages in thread
From: Jonas Berlin @ 2005-02-10 16:04 UTC (permalink / raw)
  To: Alexander Piavka; +Cc: netfilter-devel

Alexander Piavka wrote:

>On Thu, 10 Feb 2005, Jonas Berlin wrote:
>  
>
>>Alexander Piavka wrote:
>>    
>>
>>>gcc -O2 -Wall -Wunused -I/usr/src/linux-2.6.10-ct_sync-rc1/include
>>>-Iinclude/ -DIPTABLES_VERSION=\"1.3.0rc1\"  -fPIC -o
>>>extensions/libipt_dscp_sh.o -c extensions/libipt_dscp.c
>>>extensions/libipt_dscp.c: In function `init':
>>>extensions/libipt_dscp.c:29: error: `NFC_IP_TOS' undeclared (first use in
>>>this function)
>>>
>>  grep NFC_IP_TOS
>>/usr/src/linux-2.6.10-ct_sync-rc1/include/linux/netfilter_ipv4.h
>>    
>>
> no match
>
>actually there is no match for NFC_IP_TOS in the whole
>/usr/src/linux-2.6.10-ct_sync-rc1/include subtree
>  
>
Ok, I'm not that familiar with different kernel versions, but my 2.6.10 
at least has that one. Could it be that the ct_sync patch takes it away? 
Do you have ct_sync as a patch or did you get the kernel pre-patched?

-- 
- xkr47

* Re: netfilter & ipv6
  2005-02-10 14:41   ` Samuel Jean
  2005-02-10 15:10     ` iptables compile error: NFC_IP_TOS undeclared Alexander Piavka
@ 2005-02-10 17:20     ` Jonas Berlin
  1 sibling, 0 replies; 30+ messages in thread
From: Jonas Berlin @ 2005-02-10 17:20 UTC (permalink / raw)
  To: Samuel Jean, netfilter-devel

Samuel Jean wrote:

>On Thu, February 10, 2005 9:07 am, Jonas Berlin said:
>
>Hi Jonas!
>  
>
Hello Samuel!

>>  ip6tables ... -j CLASSIFY_v6 --set-class 1:20
>>
>>Although this works fine, having some modules with suffix _v6 and some
>>not is just plain confusing. Is there any way to reuse the CLASSIFY for
>>ipv6 name without conflicting with the CLASSIFY module already in pom?
>>Maybe I missed something?
>>    
>>
>
>You have to create an ipv6 directory into the CLASSIFY in pom.
>
>CLASSIFY/linux/net/ipv6/netfilter/ip6t_CLASSIFY.c
>  
>
Yeah that would be nice, but I think there is a problem: the newest 
kernels already have the ipv4 version included, and so patch-o-matic 
would either consider CLASSIFY already installed and skip it or then it 
would probably complain while installing that there were some 
conflicts with the files. I haven't tested though, but I wouldn't assume 
it has the logic to pick out the ipv6-specific parts from the directory..

>Also, just register your target against ip6_tables with the same name
>as CLASSIFY would do with ip_tables. There's no conflict in that way.
>  
>
Yeah, it does work fine as CLASSIFY_v6..

>All of this is AFAIK.
>  
>
Same here :D

>Thanks for your effort,
>Samuel
>  
>
Thanks for the reply.. I haven't got any others yet.

-- 
- xkr47

* Re: iptables compile error: NFC_IP_TOS undeclared
  2005-02-10 16:04           ` Jonas Berlin
@ 2005-02-10 17:50             ` Patrick McHardy
  2005-02-10 23:16               ` [PATCH] kill NFC_* stuff in iptables [was Re: iptables compile error: NFC_IP_TOS undeclared] Pablo Neira
  0 siblings, 1 reply; 30+ messages in thread
From: Patrick McHardy @ 2005-02-10 17:50 UTC (permalink / raw)
  To: Jonas Berlin; +Cc: netfilter-devel

Jonas Berlin wrote:

> Alexander Piavka wrote:
>
>>
>> actually there is no match for NFC_IP_TOS in the whole
>> /usr/src/linux-2.6.10-ct_sync-rc1/include subtree
>>  
>>
> Ok, I'm not that familiar with different kernel versions, but my 
> 2.6.10 at least has that one. Could it be that the ct_sync patch takes 
> it away? Do you have ct_sync as a patch or did you get the kernel 
> pre-patched?

Yes, it reuses the bits to record state changes. The nfcache bits
don't affect any functionality, just define it to anything you want
or remove it.

Regards
Patrick

* Re: netfilter & ipv6
  2005-02-10 14:07 ` Jonas Berlin
  2005-02-10 14:41   ` Samuel Jean
@ 2005-02-10 21:36   ` Sven-Haegar Koch
  2005-02-15  1:29     ` Jonas Berlin
  1 sibling, 1 reply; 30+ messages in thread
From: Sven-Haegar Koch @ 2005-02-10 21:36 UTC (permalink / raw)
  To: Jonas Berlin; +Cc: netfilter-devel

On Thu, 10 Feb 2005, Jonas Berlin wrote:

> Jonas Berlin wrote:
>
>> 3. If I succeed porting something, what should I name the patch to be sent 
>> to patch-o-matic-ng? I don't think I could just extend the existing ones as 
>> that would suggest the original authors have something to do with it and 
>> also some of them are pending or already included in the kernel. So, 
>> would CLASSIFY_v6 be an acceptable name for the ipv6 version of CLASSIFY?

[...]
> since the name of the module 
> essentially determines the name of the target, the module etc.

Why?
The module in patch-o-matic-ng (the top directory name) could be named 
CLASSIFY_v6, containing the target CLASSIFY for ipv6, with the kernel 
module named ip6t_CLASSIFY.
I see nothing which prevents this.

c'ya
sven

-- 

The Internet treats censorship as a routing problem, and routes around it.
(John Gilmore on http://www.cygnus.com/~gnu/)

* ULOG target for ipv6
       [not found] ` <53965.213.236.112.75.1107867276.squirrel@213.236.112.75>
@ 2005-02-10 23:15   ` Jonas Berlin
  2005-02-11 22:10     ` netfilter question Pedro Fortuna
  2005-02-14 23:25     ` ULOG target for ipv6 Harald Welte
  0 siblings, 2 replies; 30+ messages in thread
From: Jonas Berlin @ 2005-02-10 23:15 UTC (permalink / raw)
  To: Martijn Lievaart, netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 678 bytes --]

Martijn Lievaart wrote:

>What I mostly miss in ipv6 support is conntrack and ULOG.
>  
>
Here's my first attempt at ULOG for ipv6. It's _untested_, but it 
compiles at least on 2.6 and it patches fine against 2.4.28 also.

As a side note - I have no idea how a (the) userspace daemon will react 
to getting ipv6 packets. :)

Feel free to send me any problems you encounter with the kernel module 
or iptables extension though.

Good luck :)

--------

Someone could also point me to the latest instructions on how to 
contribute - the online docs I found here didn't work very well:

  http://netfilter.org/documentation/HOWTO//netfilter-extensions-HOWTO-9.html

-- 
- xkr47


[-- Attachment #2: ipv6-ULOG-1.tar.bz2 --]
[-- Type: application/octet-stream, Size: 5806 bytes --]

* [PATCH] kill NFC_* stuff in iptables [was Re: iptables compile error: NFC_IP_TOS undeclared]
  2005-02-10 17:50             ` Patrick McHardy
@ 2005-02-10 23:16               ` Pablo Neira
  2005-02-11 19:07                 ` Patrick McHardy
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira @ 2005-02-10 23:16 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 838 bytes --]

Hi Patrick,

Patrick McHardy wrote:

> Jonas Berlin wrote:
>
>> Alexander Piavka wrote:
>>
>>>
>>> actually there is no match for NFC_IP_TOS in the whole
>>> /usr/src/linux-2.6.10-ct_sync-rc1/include subtree
>>>  
>>>
>> Ok, I'm not that familiar with different kernel versions, but my 
>> 2.6.10 at least has that one. Could it be that the ct_sync patch 
>> takes it away? Do you have ct_sync as a patch or did you get the 
>> kernel pre-patched?
>
>
> Yes, it reuses the bits to record state changes. The nfcache bits
> don't affect any functionality, just define it to anything you want
> or remove it.


I've renamed all NFC_* stuff != NFC_UNKNOWN to NFC_UNKNOWN. So people 
using ct_sync won't complain about this again. I see this as a first 
step to remove the old behaviour of nfcache. Please, see the patch attached.

--
Pablo

[-- Attachment #2: kill-NFC.patch --]
[-- Type: text/x-patch, Size: 16262 bytes --]

Index: iptables.c
===================================================================
--- iptables.c	(revision 3656)
+++ iptables.c	(working copy)
@@ -1987,7 +1987,7 @@
 			    && (fw.ip.invflags & IPT_INV_PROTO))
 				exit_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
-			fw.nfcache |= NFC_IP_PROTO;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 's':
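Review bot: the build still depends on a kernel-provided constant after this hunk, since `fw.nfcache |= NFC_UNKNOWN;` (and the same replacement in the 's', 'd', 'i', 'o' and 'f' cases below) only swaps one header symbol for another; a tree that also drops NFC_UNKNOWN would reproduce exactly the "undeclared" error this patch is fixing. Given that the value no longer carries meaning, consider a guarded fallback (`#ifndef NFC_UNKNOWN` ... `#endif`) in an iptables-owned header, or set the bit once where `fw` is initialised rather than ORing the same constant in every option case.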
@@ -1995,7 +1995,7 @@
 			set_option(&options, OPT_SOURCE, &fw.ip.invflags,
 				   invert);
 			shostnetworkmask = argv[optind-1];
-			fw.nfcache |= NFC_IP_SRC;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 'd':
@@ -2003,7 +2003,7 @@
 			set_option(&options, OPT_DESTINATION, &fw.ip.invflags,
 				   invert);
 			dhostnetworkmask = argv[optind-1];
-			fw.nfcache |= NFC_IP_DST;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 'j':
@@ -2037,7 +2037,7 @@
 			parse_interface(argv[optind-1],
 					fw.ip.iniface,
 					fw.ip.iniface_mask);
-			fw.nfcache |= NFC_IP_IF_IN;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 'o':
@@ -2047,14 +2047,14 @@
 			parse_interface(argv[optind-1],
 					fw.ip.outiface,
 					fw.ip.outiface_mask);
-			fw.nfcache |= NFC_IP_IF_OUT;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 'f':
 			set_option(&options, OPT_FRAGMENT, &fw.ip.invflags,
 				   invert);
 			fw.ip.flags |= IPT_F_FRAG;
-			fw.nfcache |= NFC_IP_FRAG;
+			fw.nfcache |= NFC_UNKNOWN; 
 			break;
 
 		case 'v':
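Review bot: trailing whitespace on the added line in the 'f' case, `+			fw.nfcache |= NFC_UNKNOWN; `; drop the space after the semicolon so it matches the other replacements in this file.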
Index: libiptc/libip4tc.c
===================================================================
--- libiptc/libip4tc.c	(revision 3656)
+++ libiptc/libip4tc.c	(working copy)
@@ -149,17 +149,6 @@
 	printf("Cache: %08X ", e->nfcache);
 	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
 	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
-	if (e->nfcache & NFC_IP_SRC) printf("IP_SRC ");
-	if (e->nfcache & NFC_IP_DST) printf("IP_DST ");
-	if (e->nfcache & NFC_IP_IF_IN) printf("IP_IF_IN ");
-	if (e->nfcache & NFC_IP_IF_OUT) printf("IP_IF_OUT ");
-	if (e->nfcache & NFC_IP_TOS) printf("IP_TOS ");
-	if (e->nfcache & NFC_IP_PROTO) printf("IP_PROTO ");
-	if (e->nfcache & NFC_IP_OPTIONS) printf("IP_OPTIONS ");
-	if (e->nfcache & NFC_IP_TCPFLAGS) printf("IP_TCPFLAGS ");
-	if (e->nfcache & NFC_IP_SRC_PT) printf("IP_SRC_PT ");
-	if (e->nfcache & NFC_IP_DST_PT) printf("IP_DST_PT ");
-	if (e->nfcache & NFC_IP_PROTO_UNKNOWN) printf("IP_PROTO_UNKNOWN ");
 	printf("\n");
 
 	IPT_MATCH_ITERATE(e, print_match);
Index: libiptc/libip6tc.c
===================================================================
--- libiptc/libip6tc.c	(revision 3656)
+++ libiptc/libip6tc.c	(working copy)
@@ -180,17 +180,6 @@
 	printf("Cache: %08X ", e->nfcache);
 	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
 	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
-	if (e->nfcache & NFC_IP6_SRC) printf("IP6_SRC ");
-	if (e->nfcache & NFC_IP6_DST) printf("IP6_DST ");
-	if (e->nfcache & NFC_IP6_IF_IN) printf("IP6_IF_IN ");
-	if (e->nfcache & NFC_IP6_IF_OUT) printf("IP6_IF_OUT ");
-	if (e->nfcache & NFC_IP6_TOS) printf("IP6_TOS ");
-	if (e->nfcache & NFC_IP6_PROTO) printf("IP6_PROTO ");
-	if (e->nfcache & NFC_IP6_OPTIONS) printf("IP6_OPTIONS ");
-	if (e->nfcache & NFC_IP6_TCPFLAGS) printf("IP6_TCPFLAGS ");
-	if (e->nfcache & NFC_IP6_SRC_PT) printf("IP6_SRC_PT ");
-	if (e->nfcache & NFC_IP6_DST_PT) printf("IP6_DST_PT ");
-	if (e->nfcache & NFC_IP6_PROTO_UNKNOWN) printf("IP6_PROTO_UNKNOWN ");
 	printf("\n");
 	
 	IP6T_MATCH_ITERATE(e, print_match);
Index: extensions/libip6t_multiport.c
===================================================================
--- extensions/libip6t_multiport.c	(revision 3656)
+++ extensions/libip6t_multiport.c	(working copy)
@@ -117,7 +117,7 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IP6T_MULTIPORT_SOURCE;
-		*nfcache |= NFC_IP6_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -126,7 +126,7 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IP6T_MULTIPORT_DESTINATION;
-		*nfcache |= NFC_IP6_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '3':
@@ -135,7 +135,7 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IP6T_MULTIPORT_EITHER;
-		*nfcache |= NFC_IP6_SRC_PT | NFC_IP6_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	default:
Index: extensions/libipt_multiport.c
===================================================================
--- extensions/libipt_multiport.c	(revision 3656)
+++ extensions/libipt_multiport.c	(working copy)
@@ -179,7 +179,7 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IPT_MULTIPORT_SOURCE;
-		*nfcache |= NFC_IP_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -188,7 +188,7 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IPT_MULTIPORT_DESTINATION;
-		*nfcache |= NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '3':
@@ -197,7 +197,7 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IPT_MULTIPORT_EITHER;
-		*nfcache |= NFC_IP_SRC_PT | NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	default:
@@ -231,7 +231,7 @@
 		proto = check_proto(entry);
 		parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
 		multiinfo->flags = IPT_MULTIPORT_SOURCE;
-		*nfcache |= NFC_IP_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -239,7 +239,7 @@
 		proto = check_proto(entry);
 		parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
 		multiinfo->flags = IPT_MULTIPORT_DESTINATION;
-		*nfcache |= NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '3':
@@ -247,7 +247,7 @@
 		proto = check_proto(entry);
 		parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
 		multiinfo->flags = IPT_MULTIPORT_EITHER;
-		*nfcache |= NFC_IP_SRC_PT | NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	default:
Index: extensions/libipt_tos.c
===================================================================
--- extensions/libipt_tos.c	(revision 3656)
+++ extensions/libipt_tos.c	(working copy)
@@ -51,7 +51,7 @@
 static void
 init(struct ipt_entry_match *m, unsigned int *nfcache)
 {
-	*nfcache |= NFC_IP_TOS;
+	*nfcache |= NFC_UNKNOWN;
 }
 
 static void
Index: extensions/libipt_TCPLAG.c
===================================================================
--- extensions/libipt_TCPLAG.c	(revision 3656)
+++ extensions/libipt_TCPLAG.c	(working copy)
@@ -70,18 +70,6 @@
  * our own private data structure (which is at t->data).
  * Probably we could fiddle with t->tflags too but there is
  * no great advantage in doing so.
- * 
- * TODO: Find documentation for the above flags which
- *       can be ored into nfcache...
- *
- * NFC_IP6_DST_PT
- * NFC_IP6_PROTO_UNKNOWN
- * NFC_IP6_SRC_PT
- * NFC_IP6_TCPFLAGS
- * NFC_IP_DST_PT
- * NFC_IP_SRC_PT
- * NFC_IP_TOS
- * NFC_UNKNOWN             -- This one seems safest
  */
 static void init( struct ipt_entry_target *t, unsigned int *nfcache )
 {
Index: extensions/libip6t_udp.c
===================================================================
--- extensions/libip6t_udp.c	(revision 3656)
+++ extensions/libip6t_udp.c	(working copy)
@@ -109,7 +109,7 @@
 		if (invert)
 			udpinfo->invflags |= IP6T_UDP_INV_SRCPT;
 		*flags |= UDP_SRC_PORTS;
-		*nfcache |= NFC_IP6_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -121,7 +121,7 @@
 		if (invert)
 			udpinfo->invflags |= IP6T_UDP_INV_DSTPT;
 		*flags |= UDP_DST_PORTS;
-		*nfcache |= NFC_IP6_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	default:
Index: extensions/libipt_tcpmss.c
===================================================================
--- extensions/libipt_tcpmss.c	(revision 3656)
+++ extensions/libipt_tcpmss.c	(working copy)
@@ -28,7 +28,7 @@
 static void
 init(struct ipt_entry_match *m, unsigned int *nfcache)
 {
-	*nfcache |= NFC_IP_PROTO_UNKNOWN;
+	*nfcache |= NFC_UNKNOWN;
 }
 
 static u_int16_t
Index: extensions/libip6t_tcp.c
===================================================================
--- extensions/libip6t_tcp.c	(revision 3656)
+++ extensions/libip6t_tcp.c	(working copy)
@@ -187,7 +187,7 @@
 		if (invert)
 			tcpinfo->invflags |= IP6T_TCP_INV_SRCPT;
 		*flags |= TCP_SRC_PORTS;
-		*nfcache |= NFC_IP6_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -199,7 +199,7 @@
 		if (invert)
 			tcpinfo->invflags |= IP6T_TCP_INV_DSTPT;
 		*flags |= TCP_DST_PORTS;
-		*nfcache |= NFC_IP6_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '3':
@@ -209,7 +209,7 @@
 				   " allowed");
 		parse_tcp_flags(tcpinfo, "SYN,RST,ACK", "SYN", invert);
 		*flags |= TCP_FLAGS;
-		*nfcache |= NFC_IP6_TCPFLAGS;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '4':
@@ -228,7 +228,7 @@
 				invert);
 		optind++;
 		*flags |= TCP_FLAGS;
-		*nfcache |= NFC_IP6_TCPFLAGS;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '5':
@@ -240,7 +240,7 @@
 		if (invert)
 			tcpinfo->invflags |= IP6T_TCP_INV_OPTION;
 		*flags |= TCP_OPTION;
-		*nfcache |= NFC_IP6_PROTO_UNKNOWN;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	default:
Index: extensions/libipt_mport.c
===================================================================
--- extensions/libipt_mport.c	(revision 3656)
+++ extensions/libipt_mport.c	(working copy)
@@ -140,7 +140,7 @@
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_SOURCE;
-		*nfcache |= NFC_IP_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -148,7 +148,7 @@
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_DESTINATION;
-		*nfcache |= NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '3':
@@ -156,7 +156,7 @@
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_EITHER;
-		*nfcache |= NFC_IP_SRC_PT | NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	default:
Index: extensions/libipt_sctp.c
===================================================================
--- extensions/libipt_sctp.c	(revision 3656)
+++ extensions/libipt_sctp.c	(working copy)
@@ -293,7 +293,7 @@
 		if (invert)
 			einfo->invflags |= IPT_SCTP_SRC_PORTS;
 		*flags |= IPT_SCTP_SRC_PORTS;
-		*nfcache |= NFC_IP_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -306,7 +306,7 @@
 		if (invert)
 			einfo->invflags |= IPT_SCTP_DEST_PORTS;
 		*flags |= IPT_SCTP_DEST_PORTS;
-		*nfcache |= NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '3':
Index: extensions/libipt_icmp.c
===================================================================
--- extensions/libipt_icmp.c	(revision 3656)
+++ extensions/libipt_icmp.c	(working copy)
@@ -114,7 +114,7 @@
 	{0}
 };
 
-static unsigned int
+static void 
 parse_icmp(const char *icmptype, u_int8_t *type, u_int8_t code[])
 {
 	unsigned int limit = sizeof(icmp_codes)/sizeof(struct icmp_names);
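Review bot: changing the signature from `-static unsigned int` to `+static void ` goes beyond the constant replacement the subject describes, since parse_icmp no longer reports which port bits it selected (the libip6t_icmpv6.c hunk does the same for parse_icmpv6); the commit message should say so. Also drop the trailing whitespace after `static void` on the added line.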
@@ -165,10 +165,6 @@
 			code[1] = 0xFF;
 		}
 	}
-
-	if (code[0] == 0 && code[1] == 0xFF)
-		return NFC_IP_SRC_PT;
-	else return NFC_IP_SRC_PT | NFC_IP_DST_PT;
 }
 
 /* Initialize the match. */
@@ -194,9 +190,9 @@
 	switch (c) {
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		*nfcache |= parse_icmp(argv[optind-1],
-				       &icmpinfo->type,
-				       icmpinfo->code);
+		*nfcache |= NFC_UNKNOWN;
+		parse_icmp(argv[optind-1], &icmpinfo->type, 
+			   icmpinfo->code);
 		if (invert)
 			icmpinfo->invflags |= IPT_ICMP_INV;
 		break;
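Review bot: trailing whitespace at the end of `+		parse_icmp(argv[optind-1], &icmpinfo->type, `. The reordering itself is fine: `*nfcache |= NFC_UNKNOWN;` no longer depends on the parse result, and icmpinfo->type and icmpinfo->code are still filled in through the pointer arguments, so match behaviour is unchanged.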
Index: extensions/libipt_dscp.c
===================================================================
--- extensions/libipt_dscp.c	(revision 3656)
+++ extensions/libipt_dscp.c	(working copy)
@@ -26,7 +26,7 @@
 
 static void init(struct ipt_entry_match *m, unsigned int *nfcache) 
 {
-	*nfcache |= NFC_IP_TOS;
+	*nfcache |= NFC_UNKNOWN;
 }
 
 static void help(void) 
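Review bot: this is the hunk that resolves the error reported earlier in the thread, `extensions/libipt_dscp.c:29: error: `NFC_IP_TOS' undeclared`, since line 29 is the `*nfcache |= NFC_IP_TOS;` in init(). The warning that accompanied it, `'dscp_to_name' defined but not used` in libipt_dscp_helper.c, is unrelated to nfcache and is not touched here; worth noting in the commit message so nobody expects this patch to silence it.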
Index: extensions/libip6t_icmpv6.c
===================================================================
--- extensions/libip6t_icmpv6.c	(revision 3656)
+++ extensions/libip6t_icmpv6.c	(working copy)
@@ -90,7 +90,7 @@
 	{0}
 };
 
-static unsigned int
+static void
 parse_icmpv6(const char *icmpv6type, u_int8_t *type, u_int8_t code[])
 {
 	unsigned int limit = sizeof(icmpv6_codes)/sizeof(struct icmpv6_names);
@@ -141,10 +141,6 @@
 			code[1] = 0xFF;
 		}
 	}
-
-	if (code[0] == 0 && code[1] == 0xFF)
-		return NFC_IP6_SRC_PT;
-	else return NFC_IP6_SRC_PT | NFC_IP6_DST_PT;
 }
 
 /* Initialize the match. */
@@ -169,9 +165,9 @@
 	switch (c) {
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		*nfcache |= parse_icmpv6(argv[optind-1],
-				       &icmpv6info->type,
-				       icmpv6info->code);
+		*nfcache |= NFC_UNKNOWN;
+		parse_icmpv6(argv[optind-1], &icmpv6info->type, 
+			     icmpv6info->code);
 		if (invert)
 			icmpv6info->invflags |= IP6T_ICMP_INV;
 		break;
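Review bot: trailing whitespace at the end of `+		parse_icmpv6(argv[optind-1], &icmpv6info->type, `, the same nit as in the libipt_icmp.c hunk; otherwise this mirrors that change consistently.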
Index: extensions/libipt_udp.c
===================================================================
--- extensions/libipt_udp.c	(revision 3656)
+++ extensions/libipt_udp.c	(working copy)
@@ -109,7 +109,7 @@
 		if (invert)
 			udpinfo->invflags |= IPT_UDP_INV_SRCPT;
 		*flags |= UDP_SRC_PORTS;
-		*nfcache |= NFC_IP_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -121,7 +121,7 @@
 		if (invert)
 			udpinfo->invflags |= IPT_UDP_INV_DSTPT;
 		*flags |= UDP_DST_PORTS;
-		*nfcache |= NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	default:
Index: extensions/libipt_ecn.c
===================================================================
--- extensions/libipt_ecn.c	(revision 3656)
+++ extensions/libipt_ecn.c	(working copy)
@@ -18,7 +18,7 @@
 
 static void init(struct ipt_entry_match *m, unsigned int *nfcache) 
 {
-	*nfcache |= NFC_IP_TOS;
+	*nfcache |= NFC_UNKNOWN;
 }
 
 static void help(void) 
Index: extensions/libipt_tcp.c
===================================================================
--- extensions/libipt_tcp.c	(revision 3656)
+++ extensions/libipt_tcp.c	(working copy)
@@ -187,7 +187,7 @@
 		if (invert)
 			tcpinfo->invflags |= IPT_TCP_INV_SRCPT;
 		*flags |= TCP_SRC_PORTS;
-		*nfcache |= NFC_IP_SRC_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '2':
@@ -199,7 +199,7 @@
 		if (invert)
 			tcpinfo->invflags |= IPT_TCP_INV_DSTPT;
 		*flags |= TCP_DST_PORTS;
-		*nfcache |= NFC_IP_DST_PT;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '3':
@@ -209,7 +209,7 @@
 				   " allowed");
 		parse_tcp_flags(tcpinfo, "SYN,RST,ACK", "SYN", invert);
 		*flags |= TCP_FLAGS;
-		*nfcache |= NFC_IP_TCPFLAGS;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '4':
@@ -228,7 +228,7 @@
 				invert);
 		optind++;
 		*flags |= TCP_FLAGS;
-		*nfcache |= NFC_IP_TCPFLAGS;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	case '5':
@@ -240,7 +240,7 @@
 		if (invert)
 			tcpinfo->invflags |= IPT_TCP_INV_OPTION;
 		*flags |= TCP_OPTION;
-		*nfcache |= NFC_IP_PROTO_UNKNOWN;
+		*nfcache |= NFC_UNKNOWN;
 		break;
 
 	default:
Index: ip6tables.c
===================================================================
--- ip6tables.c	(revision 3656)
+++ ip6tables.c	(working copy)
@@ -1887,7 +1887,7 @@
 			    && (fw.ipv6.invflags & IP6T_INV_PROTO))
 				exit_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
-			fw.nfcache |= NFC_IP6_PROTO;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 's':
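Review bot: with -p, -s, -d, -i and -o all ORing NFC_UNKNOWN into fw.nfcache (this hunk and the four that follow), a rule using any of those selectors ends up with nfcache == NFC_UNKNOWN and a rule using none ends up with 0, a distinction no consumer makes use of; since the field has to stay in struct ip6t_entry for userspace compatibility anyway, leave it zero and remove these five assignments rather than renaming the constants.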
@@ -1895,7 +1895,7 @@
 			set_option(&options, OPT_SOURCE, &fw.ipv6.invflags,
 				   invert);
 			shostnetworkmask = argv[optind-1];
-			fw.nfcache |= NFC_IP6_SRC;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 'd':
@@ -1903,7 +1903,7 @@
 			set_option(&options, OPT_DESTINATION, &fw.ipv6.invflags,
 				   invert);
 			dhostnetworkmask = argv[optind-1];
-			fw.nfcache |= NFC_IP6_DST;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 'j':
@@ -1935,7 +1935,7 @@
 			parse_interface(argv[optind-1],
 					fw.ipv6.iniface,
 					fw.ipv6.iniface_mask);
-			fw.nfcache |= NFC_IP6_IF_IN;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 'o':
@@ -1945,7 +1945,7 @@
 			parse_interface(argv[optind-1],
 					fw.ipv6.outiface,
 					fw.ipv6.outiface_mask);
-			fw.nfcache |= NFC_IP6_IF_OUT;
+			fw.nfcache |= NFC_UNKNOWN;
 			break;
 
 		case 'v':


* Re: [PATCH] kill NFC_* stuff in iptables [was Re: iptables compile error: NFC_IP_TOS undeclared]
  2005-02-10 23:16               ` [PATCH] kill NFC_* stuff in iptables [was Re: iptables compile error: NFC_IP_TOS undeclared] Pablo Neira
@ 2005-02-11 19:07                 ` Patrick McHardy
  2005-02-11 21:47                   ` Pablo Neira
  0 siblings, 1 reply; 30+ messages in thread
From: Patrick McHardy @ 2005-02-11 19:07 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel

Pablo Neira wrote:

> I've renamed all NFC_* stuff != NFC_UNKNOWN to NFC_UNKNOWN. So people 
> using ct_sync won't complain about this again. I see this as a first 
> step to remove the old behaviour of nfcache. Please, see the patch 
> attached.

Why didn't you remove it entirely instead ?

Regards
Patrick


* Re: [PATCH] kill NFC_* stuff in iptables [was Re: iptables compile error: NFC_IP_TOS undeclared]
  2005-02-11 19:07                 ` Patrick McHardy
@ 2005-02-11 21:47                   ` Pablo Neira
  2005-02-12  1:32                     ` Patrick McHardy
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira @ 2005-02-11 21:47 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 523 bytes --]

Patrick McHardy wrote:

> Pablo Neira wrote:
>
>> I've renamed all NFC_* stuff != NFC_UNKNOWN to NFC_UNKNOWN. So people 
>> using ct_sync won't complain about this again. I see this as a first 
>> step to remove the old behaviour of nfcache. Please, see the patch 
>> attached.
>
>
> Why didn't you remove it entirely instead ?


true :), patch attached. I've gzip'ed it, it's too big for sending it in 
clear text.

Next step, what do you think about removing nfcache passed as parameter 
from the iptables API?

--
Pablo

[-- Attachment #2: kill-NFChicken.patch.gz --]
[-- Type: application/gzip, Size: 5703 bytes --]


* netfilter question
  2005-02-10 23:15   ` ULOG target for ipv6 Jonas Berlin
@ 2005-02-11 22:10     ` Pedro Fortuna
  2005-02-14 23:25     ` ULOG target for ipv6 Harald Welte
  1 sibling, 0 replies; 30+ messages in thread
From: Pedro Fortuna @ 2005-02-11 22:10 UTC (permalink / raw)
  To: netfilter-devel

Hello guys. I'll try to make it as short and simple as I can.

I want to develop a kernel module which will be running in two linux
hosts, connected by a crossover network cable (ethernet). This kernel
module will intercept a specific type of traffic (as an example, let's
say FTP packets (encapsulated in DIX frames)), both incoming and
outgoing, and change the ethertype in the frame header.

Outgoing dix frames carrying FTP packets get their ethertype changed
to a private, non standard ethertype number, just before they leave
the host (i.e. before they are passed to the network driver). The
frame is intercepted with the NF_IP_POST_ROUTING hook.

Incoming dix frames carrying FTP packets get their ethertype
changed (at this point, a non standard ethertype number) to the
standard IPv4 ethertype number (i.e. 0x800), just after they are
processed by the network driver. The frame is intercepted with the
NF_IP_PRE_ROUTING hook.

My doubt is:
I'm not sure if I will be able to intercept the incoming frames
because they have a non standard ethertype number. They might get
dropped before passing through the NF_IP_PRE_ROUTING hook, due to the
unrecognized ethertype number. Is this true or false?
If the frame passes the hook before trying to identify the packet
type, then I'll have no trouble, because my netfilter module changes
the frame to the original ethertype number, thus making the whole
process transparent to the TCP/IP stacks running in both hosts.

I could explain what the hell I need this for, but then you would
have three times more text to read :P I tried to restrict this post to
a minimum-painless-size.

Regards,
-Pedro Fortuna

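The receive-path behaviour Pedro asks about, modelled in user space as an added example; this is not code from the thread or from the netfilter project. In the 2.4/2.6 kernels netif_receive_skb() hands a frame to the packet_type registered, via dev_add_pack(), for its ethertype; ip_rcv() is the handler for ETH_P_IP (0x0800) and is where the NF_IP_PRE_ROUTING hook runs, so a frame carrying a private ethertype is never seen by any IPv4 netfilter hook (only by PF_PACKET taps such as tcpdump) and is freed if no handler claims it. On the egress side the Ethernet header does not exist yet at NF_IP_POST_ROUTING; the device's hard_header routine builds it afterwards, taking the ethertype from skb->protocol. The private ethertype 0x88B5, the "FTP" test (TCP port 21) and the constructed sample frame are assumptions made for this example.

```c
/*
 * Added example (not from the thread): user-space model of the rewrite
 * scheme and of the kernel's ethertype dispatch that defeats it.
 * rx_dispatch() stands in for netif_receive_skb(): only ETHERTYPE_IPV4
 * frames reach ip_rcv(), and NF_IP_PRE_ROUTING lives inside ip_rcv().
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN        14
#define ETHERTYPE_IPV4     0x0800
#define ETHERTYPE_PRIVATE  0x88B5   /* assumption: an IEEE 802 "local experimental" ethertype */
#define PROTO_TCP          6
#define FTP_PORT           21

enum rx_path { RX_IP_RCV, RX_NO_HANDLER };

static uint16_t get_be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void put_be16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* True if the frame is IPv4/TCP with source or destination port 21. */
int frame_is_ftp(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN + 20 || get_be16(frame + 12) != ETHERTYPE_IPV4)
        return 0;
    const uint8_t *ip = frame + ETH_HDR_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if ((ip[0] >> 4) != 4 || ihl < 20 || len < ETH_HDR_LEN + ihl + 4)
        return 0;
    if (ip[9] != PROTO_TCP)
        return 0;
    const uint8_t *tcp = ip + ihl;
    return get_be16(tcp) == FTP_PORT || get_be16(tcp + 2) == FTP_PORT;
}

/* Egress side of the scheme: tag outgoing FTP frames with the private ethertype. */
int egress_rewrite(uint8_t *frame, size_t len)
{
    if (!frame_is_ftp(frame, len))
        return 0;
    put_be16(frame + 12, ETHERTYPE_PRIVATE);
    return 1;
}

/* Model of netif_receive_skb(): the frame goes to the packet_type registered
 * for its ethertype.  Nothing is registered for the private value, so the
 * frame never reaches ip_rcv() and therefore never reaches NF_IP_PRE_ROUTING. */
enum rx_path rx_dispatch(const uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN)
        return RX_NO_HANDLER;
    return get_be16(frame + 12) == ETHERTYPE_IPV4 ? RX_IP_RCV : RX_NO_HANDLER;
}

/* Ingress side: restore the IPv4 ethertype.  To have any effect this must run
 * before protocol dispatch (a handler registered with dev_add_pack() for the
 * private ethertype), not from a netfilter hook. */
int ingress_restore(uint8_t *frame, size_t len)
{
    if (len < ETH_HDR_LEN || get_be16(frame + 12) != ETHERTYPE_PRIVATE)
        return 0;
    put_be16(frame + 12, ETHERTYPE_IPV4);
    return 1;
}

/* Constructed sample: Ethernet + minimal IPv4 header + TCP SYN to port 21. */
size_t build_ftp_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t eth[ETH_HDR_LEN] = {
        0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00 };
    static const uint8_t ip[20] = {
        0x45,0x00, 0x00,0x28, 0x00,0x00, 0x40,0x00, 0x40,0x06, 0x00,0x00,
        192,168,1,1, 192,168,1,2 };
    static const uint8_t tcp[20] = {
        0xc0,0x00, 0x00,0x15, 0,0,0,1, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0 };
    size_t n = sizeof eth + sizeof ip + sizeof tcp;
    if (cap < n)
        return 0;
    memcpy(buf, eth, sizeof eth);
    memcpy(buf + sizeof eth, ip, sizeof ip);
    memcpy(buf + sizeof eth + sizeof ip, tcp, sizeof tcp);
    return n;
}

int main(void)
{
    uint8_t f[64];
    size_t n = build_ftp_frame(f, sizeof f);
    egress_rewrite(f, n);
    printf("after egress rewrite: ethertype 0x%04x, rx path: %s\n", get_be16(f + 12),
           rx_dispatch(f, n) == RX_IP_RCV ? "ip_rcv" : "no handler");
    ingress_restore(f, n);
    printf("after ingress restore: rx path: %s\n",
           rx_dispatch(f, n) == RX_IP_RCV ? "ip_rcv" : "no handler");
    return 0;
}
```

rx_dispatch() returning RX_NO_HANDLER for the rewritten frame is the failure the question anticipates. ingress_restore() only helps when it is invoked from a packet_type handler registered for the private ethertype, which can then set skb->protocol back to htons(ETH_P_IP) and re-inject the buffer (for instance via netif_rx()); a NF_IP_PRE_ROUTING hook never gets the chance.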

* Re: [PATCH] kill NFC_* stuff in iptables [was Re: iptables compile error: NFC_IP_TOS undeclared]
  2005-02-11 21:47                   ` Pablo Neira
@ 2005-02-12  1:32                     ` Patrick McHardy
  2005-02-12 22:25                       ` Pablo Neira
  0 siblings, 1 reply; 30+ messages in thread
From: Patrick McHardy @ 2005-02-12  1:32 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel

Pablo Neira wrote:

> Patrick McHardy wrote:
>
>> Why didn't you remove it entirely instead ?
>
> true :), patch attached. I've gzip'ed it, it's too big for sending it 
> in clear text.

Thanks a lot. Hoping I don't annoy you .. I haven't actually checked
the API, but can't we remove all those now empty init functions ?
If not I think it would be nicer to change the API to check for
->init == NULL instead of leaving all these empty function bodies around.

> Next step, what do you think about removing nfcache passed as 
> parameter from the iptables API?

I don't think we can remove it from struct ipt_entry without
breaking userspace compatibility. But we could stop using it.

Regards
Patrick


* Re: [PATCH] kill NFC_* stuff in iptables [was Re: iptables compile error: NFC_IP_TOS undeclared]
  2005-02-12  1:32                     ` Patrick McHardy
@ 2005-02-12 22:25                       ` Pablo Neira
  2005-02-12 23:34                         ` Patrick McHardy
  0 siblings, 1 reply; 30+ messages in thread
From: Pablo Neira @ 2005-02-12 22:25 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 1073 bytes --]

Patrick McHardy wrote:

>>> Why didn't you remove it entirely instead ?
>>
>>
>> true :), patch attached. I've gzip'ed it, it's too big for sending it 
>> in clear text.
>
>
> Thanks a lot. Hopeing I don't annoy you ..


No way, thanks Patrick.

> I haven't actually checked
> the API, but can't we remove all those now empty init functions ?
> If not I think it would be nicer to change the API to check for
> ->init == NULL instead of leaving all these empty funtion bodies around.


Yes, I agree and I did it, I must confess that it was kinda boring a 
bit. See the patch attached.

>> Next step, what do you think about removing nfcache passed as 
>> parameter from the iptables API?
>
>
> I don't think we can remove it from struct ipt_entry without
> breaking userspace compatibility. But we could stop using it.


Yes, I was aware of that :). I didn't talk about modifying ipt_entry 
which is not possible because of backward compatibility. I mean that, as 
next step, we could kill those nfcache arguments passed as parameter 
that aren't useful anymore.

--
Pablo

[-- Attachment #2: die-die-NFC-die.patch --]
[-- Type: text/x-patch, Size: 57576 bytes --]

Index: iptables.c
===================================================================
--- iptables.c	(revision 3656)
+++ iptables.c	(working copy)
@@ -1987,7 +1987,6 @@
 			    && (fw.ip.invflags & IPT_INV_PROTO))
 				exit_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
-			fw.nfcache |= NFC_IP_PROTO;
 			break;
 
 		case 's':
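Review bot: with this and the -s/-d/-i/-o/-f hunks below, iptables.c never sets fw.nfcache for a built-in selector, so the field is left at whatever fw was initialised to, which is fine as long as fw is zeroed before option parsing; the ip6tables.c counterpart, which the earlier rename patch in this thread still had ORing NFC_UNKNOWN in exactly these cases, does not appear in the portion of this patch shown and needs the identical removal or the two tools diverge.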
@@ -1995,7 +1994,6 @@
 			set_option(&options, OPT_SOURCE, &fw.ip.invflags,
 				   invert);
 			shostnetworkmask = argv[optind-1];
-			fw.nfcache |= NFC_IP_SRC;
 			break;
 
 		case 'd':
@@ -2003,7 +2001,6 @@
 			set_option(&options, OPT_DESTINATION, &fw.ip.invflags,
 				   invert);
 			dhostnetworkmask = argv[optind-1];
-			fw.nfcache |= NFC_IP_DST;
 			break;
 
 		case 'j':
@@ -2024,7 +2021,8 @@
 				strcpy(target->t->u.user.name, jumpto);
 				set_revision(target->t->u.user.name,
 					     target->revision);
-				target->init(target->t, &fw.nfcache);
+				if (target->init != NULL)
+					target->init(target->t, &fw.nfcache);
 				opts = merge_options(opts, target->extra_opts, &target->option_offset);
 			}
 			break;
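Review bot: this makes a NULL `.init` legal for targets (the match hunks below do the same for matches), but nothing in the patch documents it; add a comment at the struct iptables_target and struct iptables_match definitions in iptables.h saying init may be NULL, otherwise the extensions that drop their `.init` further down only work by relying on an undocumented convention. The same `if (x->init != NULL) x->init(x->y, &fw.nfcache);` pair is repeated in four places; a one-line helper would keep them from drifting apart.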
@@ -2037,7 +2035,6 @@
 			parse_interface(argv[optind-1],
 					fw.ip.iniface,
 					fw.ip.iniface_mask);
-			fw.nfcache |= NFC_IP_IF_IN;
 			break;
 
 		case 'o':
@@ -2047,14 +2044,12 @@
 			parse_interface(argv[optind-1],
 					fw.ip.outiface,
 					fw.ip.outiface_mask);
-			fw.nfcache |= NFC_IP_IF_OUT;
 			break;
 
 		case 'f':
 			set_option(&options, OPT_FRAGMENT, &fw.ip.invflags,
 				   invert);
 			fw.ip.flags |= IPT_F_FRAG;
-			fw.nfcache |= NFC_IP_FRAG;
 			break;
 
 		case 'v':
@@ -2078,7 +2073,8 @@
 			m->m->u.match_size = size;
 			strcpy(m->m->u.user.name, m->name);
 			set_revision(m->m->u.user.name, m->revision);
-			m->init(m->m, &fw.nfcache);
+			if (m->init != NULL)
+				m->init(m->m, &fw.nfcache);
 			opts = merge_options(opts, m->extra_opts, &m->option_offset);
 		}
 		break;
@@ -2221,7 +2217,8 @@
 					strcpy(m->m->u.user.name, m->name);
 					set_revision(m->m->u.user.name,
 						     m->revision);
-					m->init(m->m, &fw.nfcache);
+					if (m->init != NULL)
+						m->init(m->m, &fw.nfcache);
 
 					opts = merge_options(opts,
 					    m->extra_opts, &m->option_offset);
@@ -2349,7 +2346,8 @@
 			target->t->u.target_size = size;
 			strcpy(target->t->u.user.name, jumpto);
 			set_revision(target->t->u.user.name, target->revision);
-			target->init(target->t, &fw.nfcache);
+			if (target->init != NULL)
+				target->init(target->t, &fw.nfcache);
 		}
 
 		if (!target) {
Index: libiptc/libip4tc.c
===================================================================
--- libiptc/libip4tc.c	(revision 3656)
+++ libiptc/libip4tc.c	(working copy)
@@ -149,17 +149,6 @@
 	printf("Cache: %08X ", e->nfcache);
 	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
 	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
-	if (e->nfcache & NFC_IP_SRC) printf("IP_SRC ");
-	if (e->nfcache & NFC_IP_DST) printf("IP_DST ");
-	if (e->nfcache & NFC_IP_IF_IN) printf("IP_IF_IN ");
-	if (e->nfcache & NFC_IP_IF_OUT) printf("IP_IF_OUT ");
-	if (e->nfcache & NFC_IP_TOS) printf("IP_TOS ");
-	if (e->nfcache & NFC_IP_PROTO) printf("IP_PROTO ");
-	if (e->nfcache & NFC_IP_OPTIONS) printf("IP_OPTIONS ");
-	if (e->nfcache & NFC_IP_TCPFLAGS) printf("IP_TCPFLAGS ");
-	if (e->nfcache & NFC_IP_SRC_PT) printf("IP_SRC_PT ");
-	if (e->nfcache & NFC_IP_DST_PT) printf("IP_DST_PT ");
-	if (e->nfcache & NFC_IP_PROTO_UNKNOWN) printf("IP_PROTO_UNKNOWN ");
 	printf("\n");
 
 	IPT_MATCH_ITERATE(e, print_match);
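Review bot: dump_entry() still references NFC_ALTERED and NFC_UNKNOWN after this hunk (the libip6tc.c hunk below keeps the same two), and the compile error that started this thread was a kernel header no longer defining NFC_IP_TOS, so these two remaining symbols are the next ones liable to vanish and break the build the same way. Either print only the raw `printf("Cache: %08X ", e->nfcache);` or define the two bits locally in libiptc so the debug output does not depend on the kernel header.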
Index: libiptc/libip6tc.c
===================================================================
--- libiptc/libip6tc.c	(revision 3656)
+++ libiptc/libip6tc.c	(working copy)
@@ -180,17 +180,6 @@
 	printf("Cache: %08X ", e->nfcache);
 	if (e->nfcache & NFC_ALTERED) printf("ALTERED ");
 	if (e->nfcache & NFC_UNKNOWN) printf("UNKNOWN ");
-	if (e->nfcache & NFC_IP6_SRC) printf("IP6_SRC ");
-	if (e->nfcache & NFC_IP6_DST) printf("IP6_DST ");
-	if (e->nfcache & NFC_IP6_IF_IN) printf("IP6_IF_IN ");
-	if (e->nfcache & NFC_IP6_IF_OUT) printf("IP6_IF_OUT ");
-	if (e->nfcache & NFC_IP6_TOS) printf("IP6_TOS ");
-	if (e->nfcache & NFC_IP6_PROTO) printf("IP6_PROTO ");
-	if (e->nfcache & NFC_IP6_OPTIONS) printf("IP6_OPTIONS ");
-	if (e->nfcache & NFC_IP6_TCPFLAGS) printf("IP6_TCPFLAGS ");
-	if (e->nfcache & NFC_IP6_SRC_PT) printf("IP6_SRC_PT ");
-	if (e->nfcache & NFC_IP6_DST_PT) printf("IP6_DST_PT ");
-	if (e->nfcache & NFC_IP6_PROTO_UNKNOWN) printf("IP6_PROTO_UNKNOWN ");
 	printf("\n");
 	
 	IP6T_MATCH_ITERATE(e, print_match);
Index: extensions/libipt_connlimit.c
===================================================================
--- extensions/libipt_connlimit.c	(revision 3656)
+++ extensions/libipt_connlimit.c	(working copy)
@@ -26,14 +26,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -127,7 +119,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_connlimit_info)),
 	.userspacesize 	= offsetof(struct ipt_connlimit_info,data),
 	.help		= help,
-	.init		= init,
 	.parse 		= parse,
 	.final_check	= final_check,
 	.print		= print,
Index: extensions/libipt_account.c
===================================================================
--- extensions/libipt_account.c	(revision 3656)
+++ extensions/libipt_account.c	(working copy)
@@ -168,7 +168,6 @@
 	
 	struct t_ipt_account_info *info = (struct t_ipt_account_info *)(match)->data;
 
-	*nfcache |= NFC_UNKNOWN;
 
 	/* set default table name to DEFAULT */
 	strncpy(info->name, "DEFAULT", IPT_ACCOUNT_NAME_LEN);
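Review bot: deleting the `*nfcache |= NFC_UNKNOWN;` line leaves two consecutive blank lines between the declaration of info and the strncpy; the same stray blank line survives in the libipt_recent.c hunk, and a blank line is left directly before the closing brace of init() in the libipt_REDIRECT.c, libipt_MASQUERADE.c, libipt_hashlimit.c, libipt_dstlimit.c, libipt_set.c, libipt_POOL.c and libip6t_LOG.c hunks; remove the blank lines along with the assignments so the function bodies end cleanly.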
Index: extensions/libipt_pkttype.c
===================================================================
--- extensions/libipt_pkttype.c	(revision 3656)
+++ extensions/libipt_pkttype.c	(working copy)
@@ -69,11 +69,6 @@
 	{0}
 };
 
-static void init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static void parse_pkttype(const char *pkttype, struct ipt_pkttype_info *info)
 {
 	unsigned int	i;
@@ -159,7 +154,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_pkttype_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_pkttype_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse, 
 	.final_check	= &final_check, 
 	.print		= &print,
Index: extensions/libip6t_random.c
===================================================================
--- extensions/libip6t_random.c	(revision 3656)
+++ extensions/libip6t_random.c	(working copy)
@@ -52,7 +52,6 @@
 init(struct ip6t_entry_match *m, unsigned int *nfcache)
 {
 	struct ip6t_rand_info *randinfo = (struct ip6t_rand_info *)(m)->data;
-	*nfcache |= NFC_UNKNOWN;
 
 	/* We assign the average to be 50 which is our default value */
 	/* 50 * 2.55 = 128 */
Index: extensions/libipt_IPV4OPTSSTRIP.c
===================================================================
--- extensions/libipt_IPV4OPTSSTRIP.c	(revision 3656)
+++ extensions/libipt_IPV4OPTSSTRIP.c	(working copy)
@@ -13,11 +13,6 @@
 #include <iptables.h>
 #include <linux/netfilter_ipv4/ip_tables.h>
 
-static void init(struct ipt_entry_target *t, unsigned int *nfcache) 
-{
-        *nfcache |= NFC_UNKNOWN;
-}
-
 static void help(void) 
 {
 	printf("IPV4OPTSSTRIP v%s target takes no option !! Make sure you use it in the mangle table.\n",
@@ -66,7 +61,6 @@
 	.size		= IPT_ALIGN(0),
 	.userspacesize	= IPT_ALIGN(0),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_childlevel.c
===================================================================
--- extensions/libipt_childlevel.c	(revision 3656)
+++ extensions/libipt_childlevel.c	(working copy)
@@ -39,12 +39,6 @@
 	{ .name = 0 }
 };
 
-/* Initialize the match. */
-static void init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it ate an option */
 static int parse(int c, char **argv, int invert, unsigned int *flags,
       const struct ipt_entry *entry, unsigned int *nfcache,
@@ -108,7 +102,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_childlevel_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_conntrack.c
===================================================================
--- extensions/libipt_conntrack.c	(revision 3656)
+++ extensions/libipt_conntrack.c	(working copy)
@@ -56,14 +56,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static int
 parse_state(const char *state, size_t strlen, struct ipt_conntrack_info *sinfo)
 {
@@ -538,7 +530,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_conntrack_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_conntrack_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libip6t_multiport.c
===================================================================
--- extensions/libip6t_multiport.c	(revision 3656)
+++ extensions/libip6t_multiport.c	(working copy)
@@ -117,7 +117,6 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IP6T_MULTIPORT_SOURCE;
-		*nfcache |= NFC_IP6_SRC_PT;
 		break;
 
 	case '2':
@@ -126,7 +125,6 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IP6T_MULTIPORT_DESTINATION;
-		*nfcache |= NFC_IP6_DST_PT;
 		break;
 
 	case '3':
@@ -135,7 +133,6 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IP6T_MULTIPORT_EITHER;
-		*nfcache |= NFC_IP6_SRC_PT | NFC_IP6_DST_PT;
 		break;
 
 	default:
Index: extensions/libipt_multiport.c
===================================================================
--- extensions/libipt_multiport.c	(revision 3656)
+++ extensions/libipt_multiport.c	(working copy)
@@ -179,7 +179,6 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IPT_MULTIPORT_SOURCE;
-		*nfcache |= NFC_IP_SRC_PT;
 		break;
 
 	case '2':
@@ -188,7 +187,6 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IPT_MULTIPORT_DESTINATION;
-		*nfcache |= NFC_IP_DST_PT;
 		break;
 
 	case '3':
@@ -197,7 +195,6 @@
 		multiinfo->count = parse_multi_ports(argv[optind-1],
 						     multiinfo->ports, proto);
 		multiinfo->flags = IPT_MULTIPORT_EITHER;
-		*nfcache |= NFC_IP_SRC_PT | NFC_IP_DST_PT;
 		break;
 
 	default:
@@ -231,7 +228,6 @@
 		proto = check_proto(entry);
 		parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
 		multiinfo->flags = IPT_MULTIPORT_SOURCE;
-		*nfcache |= NFC_IP_SRC_PT;
 		break;
 
 	case '2':
@@ -239,7 +235,6 @@
 		proto = check_proto(entry);
 		parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
 		multiinfo->flags = IPT_MULTIPORT_DESTINATION;
-		*nfcache |= NFC_IP_DST_PT;
 		break;
 
 	case '3':
@@ -247,7 +242,6 @@
 		proto = check_proto(entry);
 		parse_multi_ports_v1(argv[optind-1], multiinfo, proto);
 		multiinfo->flags = IPT_MULTIPORT_EITHER;
-		*nfcache |= NFC_IP_SRC_PT | NFC_IP_DST_PT;
 		break;
 
 	default:
Index: extensions/libipt_REDIRECT.c
===================================================================
--- extensions/libipt_REDIRECT.c	(revision 3656)
+++ extensions/libipt_REDIRECT.c	(working copy)
@@ -33,8 +33,6 @@
 	/* Actually, it's 0, but it's ignored at the moment. */
 	mr->rangesize = 1;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Parses ports */
Index: extensions/libipt_addrtype.c
===================================================================
--- extensions/libipt_addrtype.c	(revision 3656)
+++ extensions/libipt_addrtype.c	(working copy)
@@ -48,12 +48,6 @@
 	help_types();
 }
 
-static void init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* caching not yet implemented */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static int
 parse_type(const char *name, size_t strlen, u_int16_t *mask)
 {
@@ -199,7 +193,6 @@
 	.size 		= IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
 	.userspacesize 	= IPT_ALIGN(sizeof(struct ipt_addrtype_info)),
 	.help 		= &help,
-	.init 		= &init,
 	.parse 		= &parse,
 	.final_check 	= &final_check,
 	.print 		= &print,
Index: extensions/libip6t_fuzzy.c
===================================================================
--- extensions/libip6t_fuzzy.c	(revision 3656)
+++ extensions/libip6t_fuzzy.c	(working copy)
@@ -44,8 +44,6 @@
 init(struct ip6t_entry_match *m, unsigned int *nfcache)
 {
 	struct ip6t_fuzzy_info *presentinfo = (struct ip6t_fuzzy_info *)(m)->data;
-	*nfcache |= NFC_UNKNOWN;
-
 	/*
 	 * Default rates ( I'll improve this very soon with something based
 	 * on real statistics of the running machine ) .
Index: extensions/libipt_length.c
===================================================================
--- extensions/libipt_length.c	(revision 3656)
+++ extensions/libipt_length.c	(working copy)
@@ -25,13 +25,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static u_int16_t
 parse_length(const char *s)
 {
@@ -145,7 +138,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_length_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_length_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_hashlimit.c
===================================================================
--- extensions/libipt_hashlimit.c	(revision 3656)
+++ extensions/libipt_hashlimit.c	(working copy)
@@ -104,8 +104,6 @@
 	r->cfg.gc_interval = IPT_HASHLIMIT_GCINTERVAL;
 	r->cfg.expire = IPT_HASHLIMIT_EXPIRE;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 
Index: extensions/libipt_MASQUERADE.c
===================================================================
--- extensions/libipt_MASQUERADE.c	(revision 3656)
+++ extensions/libipt_MASQUERADE.c	(working copy)
@@ -33,8 +33,6 @@
 	/* Actually, it's 0, but it's ignored at the moment. */
 	mr->rangesize = 1;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Parses ports */
Index: extensions/libipt_fuzzy.c
===================================================================
--- extensions/libipt_fuzzy.c	(revision 3656)
+++ extensions/libipt_fuzzy.c	(working copy)
@@ -43,7 +43,6 @@
 init(struct ipt_entry_match *m, unsigned int *nfcache)
 {
 	struct ipt_fuzzy_info *presentinfo = (struct ipt_fuzzy_info *)(m)->data;
-	*nfcache |= NFC_UNKNOWN;
 
 	/*
 	 * Default rates ( I'll improve this very soon with something based 
Index: extensions/libipt_set.c
===================================================================
--- extensions/libipt_set.c	(revision 3656)
+++ extensions/libipt_set.c	(working copy)
@@ -47,8 +47,6 @@
 
 	memset(info, 0, sizeof(struct ipt_set_info_match));
 
-	/* Can't cache this - XXX */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Function which parses command options; returns true if it ate an option */
Index: extensions/libipt_realm.c
===================================================================
--- extensions/libipt_realm.c	(revision 3656)
+++ extensions/libipt_realm.c	(working copy)
@@ -28,14 +28,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -122,7 +114,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_realm_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_realm_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_connbytes.c
===================================================================
--- extensions/libipt_connbytes.c	(revision 3656)
+++ extensions/libipt_connbytes.c	(working copy)
@@ -27,15 +27,7 @@
 	{0}
 };
 
-/* Initialize the match. */
 static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
-static void
 parse_range(const char *arg, struct ipt_connbytes_info *si)
 {
 	char *colon,*p;
@@ -199,7 +191,6 @@
 	.size 		= IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_connbytes_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_tos.c
===================================================================
--- extensions/libipt_tos.c	(revision 3656)
+++ extensions/libipt_tos.c	(working copy)
@@ -47,14 +47,7 @@
 	{0}
 };
 
-/* Initialize the match. */
 static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_IP_TOS;
-}
-
-static void
 parse_tos(const unsigned char *s, struct ipt_tos_info *info)
 {
 	unsigned int i;
@@ -166,7 +159,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_tos_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_tos_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libip6t_LOG.c
===================================================================
--- extensions/libip6t_LOG.c	(revision 3656)
+++ extensions/libip6t_LOG.c	(working copy)
@@ -42,8 +42,6 @@
 
 	loginfo->level = LOG_DEFAULT_LEVEL;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 struct ip6t_log_names {
Index: extensions/libipt_POOL.c
===================================================================
--- extensions/libipt_POOL.c	(revision 3656)
+++ extensions/libipt_POOL.c	(working copy)
@@ -51,8 +51,6 @@
 	ipi->src = ipi->dst = IP_POOL_NONE;
 	ipi->flags = 0;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Function which parses command options; returns true if it
Index: extensions/libipt_TCPLAG.c
===================================================================
--- extensions/libipt_TCPLAG.c	(revision 3656)
+++ extensions/libipt_TCPLAG.c	(working copy)
@@ -70,18 +70,6 @@
  * our own private data structure (which is at t->data).
  * Probably we could fiddle with t->tflags too but there is
  * no great advantage in doing so.
- * 
- * TODO: Find documentation for the above flags which
- *       can be ored into nfcache...
- *
- * NFC_IP6_DST_PT
- * NFC_IP6_PROTO_UNKNOWN
- * NFC_IP6_SRC_PT
- * NFC_IP6_TCPFLAGS
- * NFC_IP_DST_PT
- * NFC_IP_SRC_PT
- * NFC_IP_TOS
- * NFC_UNKNOWN             -- This one seems safest
  */
 static void init( struct ipt_entry_target *t, unsigned int *nfcache )
 {
@@ -89,7 +77,6 @@
 	memset( el, 0, sizeof( struct ipt_tcplag ));
 	el->level = 4; /* Default to warning level */
 	strcpy( el->prefix, "TCPLAG:" ); /* Give a reasonable default prefix */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /*
Index: extensions/libip6t_udp.c
===================================================================
--- extensions/libip6t_udp.c	(revision 3656)
+++ extensions/libip6t_udp.c	(working copy)
@@ -109,7 +109,6 @@
 		if (invert)
 			udpinfo->invflags |= IP6T_UDP_INV_SRCPT;
 		*flags |= UDP_SRC_PORTS;
-		*nfcache |= NFC_IP6_SRC_PT;
 		break;
 
 	case '2':
@@ -121,7 +120,6 @@
 		if (invert)
 			udpinfo->invflags |= IP6T_UDP_INV_DSTPT;
 		*flags |= UDP_DST_PORTS;
-		*nfcache |= NFC_IP6_DST_PT;
 		break;
 
 	default:
Index: extensions/libipt_recent.c
===================================================================
--- extensions/libipt_recent.c	(revision 3656)
+++ extensions/libipt_recent.c	(working copy)
@@ -72,7 +72,6 @@
 {
 	struct ipt_recent_info *info = (struct ipt_recent_info *)(match)->data;
 
-	*nfcache |= NFC_UNKNOWN;
 
 	strncpy(info->name,"DEFAULT",IPT_RECENT_NAME_LEN);
 	/* eventhough IPT_RECENT_NAME_LEN is currently defined as 200,
Index: extensions/libipt_random.c
===================================================================
--- extensions/libipt_random.c	(revision 3656)
+++ extensions/libipt_random.c	(working copy)
@@ -51,7 +51,6 @@
 init(struct ipt_entry_match *m, unsigned int *nfcache)
 {
 	struct ipt_rand_info *randinfo = (struct ipt_rand_info *)(m)->data;
-	*nfcache |= NFC_UNKNOWN;
 
 	/* We assign the average to be 50 which is our default value */
 	/* 50 * 2.55 = 128 */
Index: extensions/libipt_unclean.c
===================================================================
--- extensions/libipt_unclean.c	(revision 3656)
+++ extensions/libipt_unclean.c	(working copy)
@@ -17,14 +17,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -49,7 +41,6 @@
 	.size		= IPT_ALIGN(0),
 	.userspacesize	= IPT_ALIGN(0),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= NULL,
Index: extensions/libipt_dstlimit.c
===================================================================
--- extensions/libipt_dstlimit.c	(revision 3656)
+++ extensions/libipt_dstlimit.c	(working copy)
@@ -105,8 +105,6 @@
 	r->cfg.gc_interval = IPT_DSTLIMIT_GCINTERVAL;
 	r->cfg.expire = IPT_DSTLIMIT_EXPIRE;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 #define PARAM_LIMIT		0x00000001
Index: extensions/libipt_nth.c
===================================================================
--- extensions/libipt_nth.c	(revision 3656)
+++ extensions/libipt_nth.c	(working copy)
@@ -50,13 +50,6 @@
 	{ 0 }
 };
 
-/* Initialize the target. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
 #define IPT_NTH_OPT_EVERY	0x01
 #define IPT_NTH_OPT_NOT_EVERY	0x02
 #define IPT_NTH_OPT_START	0x04
@@ -224,7 +217,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_nth_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_nth_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_mac.c
===================================================================
--- extensions/libipt_mac.c	(revision 3656)
+++ extensions/libipt_mac.c	(working copy)
@@ -28,15 +28,7 @@
 	{0}
 };
 
-/* Initialize the match. */
 static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
-static void
 parse_mac(const char *mac, struct ipt_mac_info *info)
 {
 	unsigned int i = 0;
@@ -135,7 +127,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_mac_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_mac_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_TARPIT.c
===================================================================
--- extensions/libipt_TARPIT.c	(revision 3656)
+++ extensions/libipt_TARPIT.c	(working copy)
@@ -15,13 +15,6 @@
 	{ 0 }
 };
 
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const struct ipt_entry *entry,
@@ -52,7 +45,6 @@
 	.size		= IPT_ALIGN(0),
 	.userspacesize	= IPT_ALIGN(0),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_ttl.c
===================================================================
--- extensions/libipt_ttl.c	(revision 3656)
+++ extensions/libipt_ttl.c	(working copy)
@@ -24,12 +24,6 @@
 , IPTABLES_VERSION);
 }
 
-static void init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* caching not yet implemented */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static int parse(int c, char **argv, int invert, unsigned int *flags,
 		const struct ipt_entry *entry, unsigned int *nfcache,
 		struct ipt_entry_match **match)
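Review bot: the `unsigned int *nfcache` parameter stays in the parse() prototype visible here, and in the init() hooks the patch keeps elsewhere, even though no extension in this diff writes through it any more. Leaving the hook signatures alone is reasonable for this patch, since changing them in iptables.h would break every out-of-tree extension in patch-o-matic-ng, but the description should say whether dropping the dead parameter is planned as a follow-up or is being kept on purpose.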
@@ -156,7 +150,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_ttl_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_ttl_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_SNAT.c
===================================================================
--- extensions/libipt_SNAT.c	(revision 3656)
+++ extensions/libipt_SNAT.c	(working copy)
@@ -33,14 +33,6 @@
 	{ 0 }
 };
 
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static struct ipt_natinfo *
 append_range(struct ipt_natinfo *info, const struct ip_nat_range *range)
 {
@@ -236,7 +228,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_tcpmss.c
===================================================================
--- extensions/libipt_tcpmss.c	(revision 3656)
+++ extensions/libipt_tcpmss.c	(working copy)
@@ -24,13 +24,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_IP_PROTO_UNKNOWN;
-}
-
 static u_int16_t
 parse_tcp_mssvalue(const char *mssvalue)
 {
@@ -146,7 +139,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_tcpmss_match_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_tcpmss_match_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_connrate.c
===================================================================
--- extensions/libipt_connrate.c	(revision 3656)
+++ extensions/libipt_connrate.c	(working copy)
@@ -34,14 +34,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* caching not yet implemented */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static u_int32_t
 parse_value(const char *arg, u_int32_t def)
 {
@@ -174,7 +166,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_connrate_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_connrate_info)),
 	.help 		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libip6t_tcp.c
===================================================================
--- extensions/libip6t_tcp.c	(revision 3656)
+++ extensions/libip6t_tcp.c	(working copy)
@@ -187,7 +187,6 @@
 		if (invert)
 			tcpinfo->invflags |= IP6T_TCP_INV_SRCPT;
 		*flags |= TCP_SRC_PORTS;
-		*nfcache |= NFC_IP6_SRC_PT;
 		break;
 
 	case '2':
@@ -199,7 +198,6 @@
 		if (invert)
 			tcpinfo->invflags |= IP6T_TCP_INV_DSTPT;
 		*flags |= TCP_DST_PORTS;
-		*nfcache |= NFC_IP6_DST_PT;
 		break;
 
 	case '3':
@@ -209,7 +207,6 @@
 				   " allowed");
 		parse_tcp_flags(tcpinfo, "SYN,RST,ACK", "SYN", invert);
 		*flags |= TCP_FLAGS;
-		*nfcache |= NFC_IP6_TCPFLAGS;
 		break;
 
 	case '4':
@@ -228,7 +225,6 @@
 				invert);
 		optind++;
 		*flags |= TCP_FLAGS;
-		*nfcache |= NFC_IP6_TCPFLAGS;
 		break;
 
 	case '5':
@@ -240,7 +236,6 @@
 		if (invert)
 			tcpinfo->invflags |= IP6T_TCP_INV_OPTION;
 		*flags |= TCP_OPTION;
-		*nfcache |= NFC_IP6_PROTO_UNKNOWN;
 		break;
 
 	default:
Index: extensions/libipt_state.c
===================================================================
--- extensions/libipt_state.c	(revision 3656)
+++ extensions/libipt_state.c	(working copy)
@@ -28,14 +28,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static int
 parse_state(const char *state, size_t strlen, struct ipt_state_info *sinfo)
 {
@@ -158,7 +150,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_state_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_state_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libip6t_owner.c
===================================================================
--- extensions/libip6t_owner.c	(revision 3656)
+++ extensions/libip6t_owner.c	(working copy)
@@ -47,14 +47,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -243,7 +235,6 @@
 	.size		= IP6T_ALIGN(sizeof(struct ip6t_owner_info)),
 	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_owner_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_IPMARK.c
===================================================================
--- extensions/libipt_IPMARK.c	(revision 3656)
+++ extensions/libipt_IPMARK.c	(working copy)
@@ -53,7 +53,6 @@
 	ipmarkinfo->andmask=0xffffffff;
 	ipmarkinfo->ormask=0;
 
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Function which parses command options; returns true if it
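Review bot: deleting only the `*nfcache |= NFC_UNKNOWN;` line leaves a blank line directly before the closing `}` of init(), so the function now ends `ipmarkinfo->ormask=0;`, blank line, `}`. The same dangling blank line is left wherever a multi-statement init() loses its nfcache tail further down (libip6t_REJECT, NETLINK, SAME, ULOG, libipt_REJECT, LOG, NETMAP, BALANCE, SET and both limit matches); removing the preceding blank line in the same hunks would keep those functions tidy.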
Index: extensions/libipt_owner.c
===================================================================
--- extensions/libipt_owner.c	(revision 3656)
+++ extensions/libipt_owner.c	(working copy)
@@ -49,14 +49,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -245,7 +237,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_owner_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_owner_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_mport.c
===================================================================
--- extensions/libipt_mport.c	(revision 3656)
+++ extensions/libipt_mport.c	(working copy)
@@ -140,7 +140,6 @@
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_SOURCE;
-		*nfcache |= NFC_IP_SRC_PT;
 		break;
 
 	case '2':
@@ -148,7 +147,6 @@
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_DESTINATION;
-		*nfcache |= NFC_IP_DST_PT;
 		break;
 
 	case '3':
@@ -156,7 +154,6 @@
 		proto = check_proto(entry);
 		parse_multi_ports(argv[optind-1], minfo, proto);
 		minfo->flags = IPT_MPORT_EITHER;
-		*nfcache |= NFC_IP_SRC_PT | NFC_IP_DST_PT;
 		break;
 
 	default:
Index: extensions/libip6t_REJECT.c
===================================================================
--- extensions/libip6t_REJECT.c	(revision 3656)
+++ extensions/libip6t_REJECT.c	(working copy)
@@ -79,8 +79,6 @@
 	/* default */
 	reject->with = IP6T_ICMP6_PORT_UNREACH;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Function which parses command options; returns true if it
Index: extensions/libipt_NETLINK.c
===================================================================
--- extensions/libipt_NETLINK.c	(revision 3656)
+++ extensions/libipt_NETLINK.c	(working copy)
@@ -32,7 +32,6 @@
 	
 	nld->flags=0;
 	
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Parse command options */
Index: extensions/libipt_sctp.c
===================================================================
--- extensions/libipt_sctp.c	(revision 3656)
+++ extensions/libipt_sctp.c	(working copy)
@@ -293,7 +293,6 @@
 		if (invert)
 			einfo->invflags |= IPT_SCTP_SRC_PORTS;
 		*flags |= IPT_SCTP_SRC_PORTS;
-		*nfcache |= NFC_IP_SRC_PT;
 		break;
 
 	case '2':
@@ -306,7 +305,6 @@
 		if (invert)
 			einfo->invflags |= IPT_SCTP_DEST_PORTS;
 		*flags |= IPT_SCTP_DEST_PORTS;
-		*nfcache |= NFC_IP_DST_PT;
 		break;
 
 	case '3':
Index: extensions/libipt_u32.c
===================================================================
--- extensions/libipt_u32.c	(revision 3656)
+++ extensions/libipt_u32.c	(working copy)
@@ -37,13 +37,6 @@
 	{ 0 }
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* shared printing code */
 static void print_u32(struct ipt_u32 *data)
 {
@@ -257,7 +250,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_u32)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_u32)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libip6t_condition.c
===================================================================
--- extensions/libip6t_condition.c	(revision 3656)
+++ extensions/libip6t_condition.c	(working copy)
@@ -24,14 +24,6 @@
 	{ .name = 0 }
 };
 
-
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
-
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const struct ip6t_entry *entry, unsigned int *nfcache,
@@ -99,7 +91,6 @@
 	.size = IP6T_ALIGN(sizeof(struct condition6_info)),
 	.userspacesize = IP6T_ALIGN(sizeof(struct condition6_info)),
 	.help = &help,
-	.init = &init,
 	.parse = &parse,
 	.final_check = &final_check,
 	.print = &print,
Index: extensions/libip6t_eui64.c
===================================================================
--- extensions/libip6t_eui64.c	(revision 3656)
+++ extensions/libip6t_eui64.c	(working copy)
@@ -26,14 +26,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -71,7 +63,6 @@
 	.size		= IP6T_ALIGN(sizeof(int)),
 	.userspacesize	= IP6T_ALIGN(sizeof(int)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_record_rpc.c
===================================================================
--- extensions/libipt_record_rpc.c	(revision 3656)
+++ extensions/libipt_record_rpc.c	(working copy)
@@ -16,14 +16,6 @@
 	{0}
 };
 
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
-}
-
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -53,19 +45,18 @@
 }
 
 static
-struct iptables_match record_rpc
-= { NULL,
-    "record_rpc",
-    IPTABLES_VERSION,
-    IPT_ALIGN(0),
-    IPT_ALIGN(0),
-    &help,
-    &init,
-    &parse,
-    &final_check,
-    &print,
-    &save,
-    opts
+struct iptables_match record_rpc = { 
+	.next		= NULL,
+	.name 		= "record_rpc",
+	.version	= IPTABLES_VERSION,
+	.size		= IPT_ALIGN(0),
+	.userspacesize	= IPT_ALIGN(0),
+	.help		= &help,
+	.parse		= &parse,
+	.final_check	= &final_check,
+	.print		= &print,
+	.save		= &save,
+	.extra_opts	= opts
 };
 
 void _init(void)
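Review bot: converting record_rpc to designated initializers is required here rather than cosmetic: the old positional table had `&init` in the seventh slot, and simply deleting that entry would have shifted parse, final_check, print, save and opts into the wrong members. Two style nits on the new block: `struct iptables_match record_rpc = { ` carries trailing whitespace, and `.name 		= "record_rpc",` mixes a space and tabs where the neighbouring members use tabs only.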
Index: extensions/libipt_rpc.c
===================================================================
--- extensions/libipt_rpc.c	(revision 3656)
+++ extensions/libipt_rpc.c	(working copy)
@@ -180,8 +180,6 @@
 	struct ipt_rpc_info *rpcinfo = ((struct ipt_rpc_info *)match->data);
 
 
-	/* caching not yet implemented */
-        *nfcache |= NFC_UNKNOWN;
 
 	/* initialise those funky user vars */
 	rpcinfo->i_procs = -1;
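Review bot: after the two nfcache lines go, init() in libipt_rpc.c is left with three consecutive blank lines between the rpcinfo declaration and the `/* initialise those funky user vars */` comment (the blank lines that bracketed the removed statement plus the one already there). One is enough; trimming the extras belongs in this hunk while the lines are being touched.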
Index: extensions/libipt_SAME.c
===================================================================
--- extensions/libipt_SAME.c	(revision 3656)
+++ extensions/libipt_SAME.c	(working copy)
@@ -43,8 +43,6 @@
 	mr->info = 0;
 	mr->ipnum = 0;
 	
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Parses range of IPs */
Index: extensions/libipt_condition.c
===================================================================
--- extensions/libipt_condition.c	(revision 3656)
+++ extensions/libipt_condition.c	(working copy)
@@ -24,14 +24,6 @@
 	{ .name = 0 }
 };
 
-
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
-
 static int
 parse(int c, char **argv, int invert, unsigned int *flags,
       const struct ipt_entry *entry, unsigned int *nfcache,
@@ -99,7 +91,6 @@
 	.size 		= IPT_ALIGN(sizeof(struct condition_info)),
 	.userspacesize 	= IPT_ALIGN(sizeof(struct condition_info)),
 	.help 		= &help,
-	.init 		= &init,
 	.parse 		= &parse,
 	.final_check	= &final_check,
 	.print 		= &print,
Index: extensions/libipt_icmp.c
===================================================================
--- extensions/libipt_icmp.c	(revision 3656)
+++ extensions/libipt_icmp.c	(working copy)
@@ -114,7 +114,7 @@
 	{0}
 };
 
-static unsigned int
+static void 
 parse_icmp(const char *icmptype, u_int8_t *type, u_int8_t code[])
 {
 	unsigned int limit = sizeof(icmp_codes)/sizeof(struct icmp_names);
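Review bot: changing parse_icmp() to `void` is only complete if no `return <value>;` survives in the part of the function this hunk does not show; the tail removed in the next hunk (NFC_IP_SRC_PT versus NFC_IP_SRC_PT | NFC_IP_DST_PT) covers the end of the function, but any early return of a cache mask elsewhere in the body would now violate the void return type, so please build-check. Also `+static void ` has trailing whitespace, as does the reflowed call `parse_icmp(argv[optind-1], &icmpinfo->type, ` in the later hunk.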
@@ -165,10 +165,6 @@
 			code[1] = 0xFF;
 		}
 	}
-
-	if (code[0] == 0 && code[1] == 0xFF)
-		return NFC_IP_SRC_PT;
-	else return NFC_IP_SRC_PT | NFC_IP_DST_PT;
 }
 
 /* Initialize the match. */
@@ -194,9 +190,8 @@
 	switch (c) {
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		*nfcache |= parse_icmp(argv[optind-1],
-				       &icmpinfo->type,
-				       icmpinfo->code);
+		parse_icmp(argv[optind-1], &icmpinfo->type, 
+			   icmpinfo->code);
 		if (invert)
 			icmpinfo->invflags |= IPT_ICMP_INV;
 		break;
Index: extensions/libipt_quota.c
===================================================================
--- extensions/libipt_quota.c	(revision 3656)
+++ extensions/libipt_quota.c	(working copy)
@@ -24,14 +24,6 @@
                " --quota quota			quota (bytes)\n" "\n");
 }
 
-/* initialise match */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-        /* no can cache */
-        *nfcache |= NFC_UNKNOWN;
-}
-
 /* print matchinfo */
 static void
 print(const struct ipt_ip *ip, const struct ipt_entry_match *match, int numeric)
@@ -100,7 +92,6 @@
 	.size		= IPT_ALIGN(sizeof (struct ipt_quota_info)),
 	.userspacesize	= IPT_ALIGN(sizeof (struct ipt_quota_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_string.c
===================================================================
--- extensions/libipt_string.c	(revision 3656)
+++ extensions/libipt_string.c	(working copy)
@@ -44,16 +44,7 @@
 	{ .name = 0 }
 };
 
-
-/* Initialize the match. */
 static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
-
-static void
 parse_string(const unsigned char *s, struct ipt_string_info *info)
 {	
 	if (strlen(s) <= BM_MAX_NLEN) strcpy(info->string, s);
@@ -279,7 +270,6 @@
     .size          = IPT_ALIGN(sizeof(struct ipt_string_info)),
     .userspacesize = IPT_ALIGN(sizeof(struct ipt_string_info)),
     .help          = &help,
-    .init          = &init,
     .parse         = &parse,
     .final_check   = &final_check,
     .print         = &print,
Index: extensions/libipt_ULOG.c
===================================================================
--- extensions/libipt_ULOG.c	(revision 3656)
+++ extensions/libipt_ULOG.c	(working copy)
@@ -60,8 +60,6 @@
 	loginfo->nl_group = ULOG_DEFAULT_NLGROUP;
 	loginfo->qthreshold = ULOG_DEFAULT_QTHRESHOLD;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 #define IPT_LOG_OPT_NLGROUP 0x01
Index: extensions/libip6t_ipv6header.c
===================================================================
--- extensions/libip6t_ipv6header.c	(revision 3656)
+++ extensions/libip6t_ipv6header.c	(working copy)
@@ -162,8 +162,6 @@
 	info->matchflags = 0x00;
 	info->invflags = 0x00;
 	info->modeflag = 0x00;
-	/* No caching (yet) */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 static unsigned int
Index: extensions/libip6t_hl.c
===================================================================
--- extensions/libip6t_hl.c	(revision 3656)
+++ extensions/libip6t_hl.c	(working copy)
@@ -25,12 +25,6 @@
 , IPTABLES_VERSION);
 }
 
-static void init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-	/* caching not yet implemented */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static int parse(int c, char **argv, int invert, unsigned int *flags,
 		const struct ip6t_entry *entry, unsigned int *nfcache,
 		struct ip6t_entry_match **match)
@@ -141,7 +135,6 @@
 	.size          = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
 	.userspacesize = IP6T_ALIGN(sizeof(struct ip6t_hl_info)),
 	.help          = &help,
-	.init          = &init,
 	.parse         = &parse,
 	.final_check   = &final_check,
 	.print         = &print,
Index: extensions/libipt_dscp.c
===================================================================
--- extensions/libipt_dscp.c	(revision 3656)
+++ extensions/libipt_dscp.c	(working copy)
@@ -24,11 +24,6 @@
 /* This is evil, but it's my code - HW*/
 #include "libipt_dscp_helper.c"
 
-static void init(struct ipt_entry_match *m, unsigned int *nfcache) 
-{
-	*nfcache |= NFC_IP_TOS;
-}
-
 static void help(void) 
 {
 	printf(
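Review bot: this is the hunk that addresses the compile error in the thread subject: `*nfcache |= NFC_IP_TOS;` was the only statement in the dscp init(), and NFC_IP_TOS is the constant the build reported as undeclared. libipt_ecn.c further down has the identical one-line init() and gets the identical treatment; both removals are complete because neither function had any other body, and both registrations drop `.init` accordingly.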
@@ -164,7 +159,6 @@
 	.size 		= IPT_ALIGN(sizeof(struct ipt_dscp_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_dscp_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_mark.c
===================================================================
--- extensions/libipt_mark.c	(revision 3656)
+++ extensions/libipt_mark.c	(working copy)
@@ -25,14 +25,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -138,7 +130,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_mark_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_mark_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libip6t_icmpv6.c
===================================================================
--- extensions/libip6t_icmpv6.c	(revision 3656)
+++ extensions/libip6t_icmpv6.c	(working copy)
@@ -90,7 +90,7 @@
 	{0}
 };
 
-static unsigned int
+static void
 parse_icmpv6(const char *icmpv6type, u_int8_t *type, u_int8_t code[])
 {
 	unsigned int limit = sizeof(icmpv6_codes)/sizeof(struct icmpv6_names);
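Review bot: same two points as for libipt_icmp.c: confirm that no value-returning `return` remains inside parse_icmpv6() now that it is `void`, and the reflowed call `parse_icmpv6(argv[optind-1], &icmpv6info->type, ` in the next hunk ends in trailing whitespace.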
@@ -141,10 +141,6 @@
 			code[1] = 0xFF;
 		}
 	}
-
-	if (code[0] == 0 && code[1] == 0xFF)
-		return NFC_IP6_SRC_PT;
-	else return NFC_IP6_SRC_PT | NFC_IP6_DST_PT;
 }
 
 /* Initialize the match. */
@@ -169,9 +165,8 @@
 	switch (c) {
 	case '1':
 		check_inverse(optarg, &invert, &optind, 0);
-		*nfcache |= parse_icmpv6(argv[optind-1],
-				       &icmpv6info->type,
-				       icmpv6info->code);
+		parse_icmpv6(argv[optind-1], &icmpv6info->type, 
+			     icmpv6info->code);
 		if (invert)
 			icmpv6info->invflags |= IP6T_ICMP_INV;
 		break;
Index: extensions/libipt_time.c
===================================================================
--- extensions/libipt_time.c	(revision 3656)
+++ extensions/libipt_time.c	(working copy)
@@ -57,8 +57,6 @@
 {
 	struct ipt_time_info *info = (struct ipt_time_info *)m->data;
 	globaldays = 0;
-	/* caching not yet implemented */
-        *nfcache |= NFC_UNKNOWN;
         /* By default, we match on everyday */
 	info->days_match = 127;
 	/* By default, we match on every hour:min of the day */
Index: extensions/libipt_ipv4options.c
===================================================================
--- extensions/libipt_ipv4options.c	(revision 3656)
+++ extensions/libipt_ipv4options.c	(working copy)
@@ -35,14 +35,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* caching not yet implemented */
-        *nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -306,7 +298,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_ipv4options_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_comment.c
===================================================================
--- extensions/libipt_comment.c	(revision 3656)
+++ extensions/libipt_comment.c	(working copy)
@@ -29,14 +29,7 @@
 	{0}
 };
 
-/* Initialize the match. */
 static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
-static void
 parse_comment(const unsigned char *s, struct ipt_comment_info *info)
 {	
 	int slen = strlen(s);
@@ -113,7 +106,6 @@
     .size 		= IPT_ALIGN(sizeof(struct ipt_comment_info)),
     .userspacesize	= IPT_ALIGN(sizeof(struct ipt_comment_info)),
     .help		= &help,
-    .init 		= &init,
     .parse 		= &parse,
     .final_check 	= &final_check,
     .print 		= &print,
Index: extensions/libipt_pool.c
===================================================================
--- extensions/libipt_pool.c	(revision 3656)
+++ extensions/libipt_pool.c	(working copy)
@@ -43,8 +43,6 @@
 	info->src = IP_POOL_NONE;
 	info->dst = IP_POOL_NONE;
 	info->flags = 0;
-	/* Can't cache this - XXX */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Function which parses command options; returns true if it ate an option */
Index: extensions/libipt_REJECT.c
===================================================================
--- extensions/libipt_REJECT.c	(revision 3656)
+++ extensions/libipt_REJECT.c	(working copy)
@@ -94,8 +94,6 @@
 	/* default */
 	reject->with = IPT_ICMP_PORT_UNREACHABLE;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Function which parses command options; returns true if it
Index: extensions/libipt_helper.c
===================================================================
--- extensions/libipt_helper.c	(revision 3656)
+++ extensions/libipt_helper.c	(working copy)
@@ -24,14 +24,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -96,7 +88,6 @@
 	.version	= IPTABLES_VERSION,
 	.size		= IPT_ALIGN(sizeof(struct ipt_helper_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
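Review bot: unrelated to the NFC removal but visible in this hunk's context: the helper registration sets `.size` with no `.userspacesize`, while every other registration in this patch sets both. If make_delete_mask() still builds the -D comparison mask from userspacesize, a zero value here means the --helper string is never compared when deleting a rule; worth checking and fixing in a separate patch rather than folding it into this one.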
Index: extensions/libip6t_nth.c
===================================================================
--- extensions/libip6t_nth.c	(revision 3656)
+++ extensions/libip6t_nth.c	(working copy)
@@ -50,13 +50,6 @@
 	{ 0 }
 };
 
-/* Initialize the target. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
 #define IP6T_NTH_OPT_EVERY	0x01
 #define IP6T_NTH_OPT_NOT_EVERY	0x02
 #define IP6T_NTH_OPT_START	0x04
@@ -223,7 +216,6 @@
 	.size		= IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
 	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_nth_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_LOG.c
===================================================================
--- extensions/libipt_LOG.c	(revision 3656)
+++ extensions/libipt_LOG.c	(working copy)
@@ -50,8 +50,6 @@
 
 	loginfo->level = LOG_DEFAULT_LEVEL;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 struct ipt_log_names {
Index: extensions/libipt_NETMAP.c
===================================================================
--- extensions/libipt_NETMAP.c	(revision 3656)
+++ extensions/libipt_NETMAP.c	(working copy)
@@ -63,8 +63,6 @@
 	/* Actually, it's 0, but it's ignored at the moment. */
 	mr->rangesize = 1;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Parses network address */
Index: extensions/libipt_BALANCE.c
===================================================================
--- extensions/libipt_BALANCE.c	(revision 3656)
+++ extensions/libipt_BALANCE.c	(working copy)
@@ -35,8 +35,6 @@
 	/* Actually, it's 0, but it's ignored at the moment. */
 	mr->rangesize = 1;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* Parses range of IPs */
Index: extensions/libip6t_mac.c
===================================================================
--- extensions/libip6t_mac.c	(revision 3656)
+++ extensions/libip6t_mac.c	(working copy)
@@ -28,15 +28,7 @@
 	{0}
 };
 
-/* Initialize the match. */
 static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
-static void
 parse_mac(const char *mac, struct ip6t_mac_info *info)
 {
 	unsigned int i = 0;
@@ -134,7 +126,6 @@
 	.size		= IP6T_ALIGN(sizeof(struct ip6t_mac_info)),
 	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_mac_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_udp.c
===================================================================
--- extensions/libipt_udp.c	(revision 3656)
+++ extensions/libipt_udp.c	(working copy)
@@ -109,7 +109,6 @@
 		if (invert)
 			udpinfo->invflags |= IPT_UDP_INV_SRCPT;
 		*flags |= UDP_SRC_PORTS;
-		*nfcache |= NFC_IP_SRC_PT;
 		break;
 
 	case '2':
@@ -121,7 +120,6 @@
 		if (invert)
 			udpinfo->invflags |= IPT_UDP_INV_DSTPT;
 		*flags |= UDP_DST_PORTS;
-		*nfcache |= NFC_IP_DST_PT;
 		break;
 
 	default:
Index: extensions/libipt_SET.c
===================================================================
--- extensions/libipt_SET.c	(revision 3656)
+++ extensions/libipt_SET.c	(working copy)
@@ -51,8 +51,6 @@
 	info->add_set.index =
 	info->del_set.index = IP_SET_INVALID_ID;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 static void
Index: extensions/libip6t_limit.c
===================================================================
--- extensions/libip6t_limit.c	(revision 3656)
+++ extensions/libip6t_limit.c	(working copy)
@@ -81,8 +81,6 @@
 	parse_rate(IP6T_LIMIT_AVG, &r->avg);
 	r->burst = IP6T_LIMIT_BURST;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* FIXME: handle overflow:
Index: extensions/libipt_ecn.c
===================================================================
--- extensions/libipt_ecn.c	(revision 3656)
+++ extensions/libipt_ecn.c	(working copy)
@@ -16,11 +16,6 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv4/ipt_ecn.h>
 
-static void init(struct ipt_entry_match *m, unsigned int *nfcache) 
-{
-	*nfcache |= NFC_IP_TOS;
-}
-
 static void help(void) 
 {
 	printf(
@@ -163,7 +158,6 @@
     .size          = IPT_ALIGN(sizeof(struct ipt_ecn_info)),
     .userspacesize = IPT_ALIGN(sizeof(struct ipt_ecn_info)),
     .help          = &help,
-    .init          = &init,
     .parse         = &parse,
     .final_check   = &final_check,
     .print         = &print,
Index: extensions/libip6t_length.c
===================================================================
--- extensions/libip6t_length.c	(revision 3656)
+++ extensions/libip6t_length.c	(working copy)
@@ -26,13 +26,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static u_int16_t
 parse_length(const char *s)
 {
@@ -146,7 +139,6 @@
 	.size		= IP6T_ALIGN(sizeof(struct ip6t_length_info)),
 	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_length_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_limit.c
===================================================================
--- extensions/libipt_limit.c	(revision 3656)
+++ extensions/libipt_limit.c	(working copy)
@@ -81,8 +81,6 @@
 	parse_rate(IPT_LIMIT_AVG, &r->avg);
 	r->burst = IPT_LIMIT_BURST;
 
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 /* FIXME: handle overflow:
Index: extensions/libip6t_mark.c
===================================================================
--- extensions/libip6t_mark.c	(revision 3656)
+++ extensions/libip6t_mark.c	(working copy)
@@ -25,14 +25,6 @@
 	{0}
 };
 
-/* Initialize the match. */
-static void
-init(struct ip6t_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 /* Function which parses command options; returns true if it
    ate an option */
 static int
@@ -137,7 +129,6 @@
 	.size		= IP6T_ALIGN(sizeof(struct ip6t_mark_info)),
 	.userspacesize	= IP6T_ALIGN(sizeof(struct ip6t_mark_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_iprange.c
===================================================================
--- extensions/libipt_iprange.c	(revision 3656)
+++ extensions/libipt_iprange.c	(working copy)
@@ -26,15 +26,7 @@
 	{0}
 };
 
-/* Initialize the match. */
 static void
-init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	/* Can't cache this. */
-	*nfcache |= NFC_UNKNOWN;
-}
-
-static void
 parse_iprange(char *arg, struct ipt_iprange *range)
 {
 	char *dash;
@@ -180,7 +172,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ipt_iprange_info)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ipt_iprange_info)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_tcp.c
===================================================================
--- extensions/libipt_tcp.c	(revision 3656)
+++ extensions/libipt_tcp.c	(working copy)
@@ -187,7 +187,6 @@
 		if (invert)
 			tcpinfo->invflags |= IPT_TCP_INV_SRCPT;
 		*flags |= TCP_SRC_PORTS;
-		*nfcache |= NFC_IP_SRC_PT;
 		break;
 
 	case '2':
@@ -199,7 +198,6 @@
 		if (invert)
 			tcpinfo->invflags |= IPT_TCP_INV_DSTPT;
 		*flags |= TCP_DST_PORTS;
-		*nfcache |= NFC_IP_DST_PT;
 		break;
 
 	case '3':
@@ -209,7 +207,6 @@
 				   " allowed");
 		parse_tcp_flags(tcpinfo, "SYN,RST,ACK", "SYN", invert);
 		*flags |= TCP_FLAGS;
-		*nfcache |= NFC_IP_TCPFLAGS;
 		break;
 
 	case '4':
@@ -228,7 +225,6 @@
 				invert);
 		optind++;
 		*flags |= TCP_FLAGS;
-		*nfcache |= NFC_IP_TCPFLAGS;
 		break;
 
 	case '5':
@@ -240,7 +236,6 @@
 		if (invert)
 			tcpinfo->invflags |= IPT_TCP_INV_OPTION;
 		*flags |= TCP_OPTION;
-		*nfcache |= NFC_IP_PROTO_UNKNOWN;
 		break;
 
 	default:
Index: extensions/libipt_DNAT.c
===================================================================
--- extensions/libipt_DNAT.c	(revision 3656)
+++ extensions/libipt_DNAT.c	(working copy)
@@ -33,14 +33,6 @@
 	{ 0 }
 };
 
-/* Initialize the target. */
-static void
-init(struct ipt_entry_target *t, unsigned int *nfcache)
-{
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
-}
-
 static struct ipt_natinfo *
 append_range(struct ipt_natinfo *info, const struct ip_nat_range *range)
 {
@@ -236,7 +228,6 @@
 	.size		= IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
 	.userspacesize	= IPT_ALIGN(sizeof(struct ip_nat_multi_range)),
 	.help		= &help,
-	.init		= &init,
 	.parse		= &parse,
 	.final_check	= &final_check,
 	.print		= &print,
Index: extensions/libipt_psd.c
===================================================================
--- extensions/libipt_psd.c	(revision 3656)
+++ extensions/libipt_psd.c	(working copy)
@@ -56,8 +56,6 @@
 	psdinfo->delay_threshold = SCAN_DELAY_THRESHOLD;
 	psdinfo->lo_ports_weight = PORT_WEIGHT_PRIV;
 	psdinfo->hi_ports_weight = PORT_WEIGHT_HIGH;
-	/* Can't cache this */
-	*nfcache |= NFC_UNKNOWN;
 }
 
 
Index: extensions/libipt_osf.c
===================================================================
--- extensions/libipt_osf.c	(revision 3656)
+++ extensions/libipt_osf.c	(working copy)
@@ -54,13 +54,6 @@
 	{ .name = 0 }
 };
 
-
-static void init(struct ipt_entry_match *m, unsigned int *nfcache)
-{
-	*nfcache |= NFC_UNKNOWN;
-}
-
-
 static void parse_string(const unsigned char *s, struct ipt_osf_info *info)
 {
 	if (strlen(s) < MAXGENRELEN) 
@@ -142,7 +135,6 @@
     .size          = IPT_ALIGN(sizeof(struct ipt_osf_info)),
     .userspacesize = IPT_ALIGN(sizeof(struct ipt_osf_info)),
     .help          = &help,
-    .init          = &init,
     .parse         = &parse,
     .final_check   = &final_check,
     .print         = &print,
Index: ip6tables.c
===================================================================
--- ip6tables.c	(revision 3656)
+++ ip6tables.c	(working copy)
@@ -1887,7 +1887,6 @@
 			    && (fw.ipv6.invflags & IP6T_INV_PROTO))
 				exit_error(PARAMETER_PROBLEM,
 					   "rule would never match protocol");
-			fw.nfcache |= NFC_IP6_PROTO;
 			break;
 
 		case 's':
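Review bot: after removing `fw.nfcache |= NFC_IP6_PROTO;` (and the four sibling assignments in the hunks below) the `nfcache` field of `fw` is never written during option parsing, yet it is still passed to the kernel because the field cannot leave `struct ip6t_entry`; make sure `fw` is zero-initialised before the option loop so the kernel always receives 0 rather than stale stack contents.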
@@ -1895,7 +1894,6 @@
 			set_option(&options, OPT_SOURCE, &fw.ipv6.invflags,
 				   invert);
 			shostnetworkmask = argv[optind-1];
-			fw.nfcache |= NFC_IP6_SRC;
 			break;
 
 		case 'd':
@@ -1903,7 +1901,6 @@
 			set_option(&options, OPT_DESTINATION, &fw.ipv6.invflags,
 				   invert);
 			dhostnetworkmask = argv[optind-1];
-			fw.nfcache |= NFC_IP6_DST;
 			break;
 
 		case 'j':
@@ -1935,7 +1932,6 @@
 			parse_interface(argv[optind-1],
 					fw.ipv6.iniface,
 					fw.ipv6.iniface_mask);
-			fw.nfcache |= NFC_IP6_IF_IN;
 			break;
 
 		case 'o':
@@ -1945,7 +1941,6 @@
 			parse_interface(argv[optind-1],
 					fw.ipv6.outiface,
 					fw.ipv6.outiface_mask);
-			fw.nfcache |= NFC_IP6_IF_OUT;
 			break;
 
 		case 'v':

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: [PATCH] kill NFC_* stuff in iptables [was Re: iptables compile error: NFC_IP_TOS undeclared]
  2005-02-12 22:25                       ` Pablo Neira
@ 2005-02-12 23:34                         ` Patrick McHardy
  0 siblings, 0 replies; 30+ messages in thread
From: Patrick McHardy @ 2005-02-12 23:34 UTC (permalink / raw)
  To: Pablo Neira; +Cc: netfilter-devel

Pablo Neira wrote:

> Patrick McHardy wrote:
>
>> I haven't actually checked
>> the API, but can't we remove all those now empty init functions ?
>> If not I think it would be nicer to change the API to check for
>> ->init == NULL instead of leaving all these empty function bodies around.
>
> Yes, I agree and I did it, I must confess that it was kinda boring a 
> bit. See the patch attached.

Thanks Pablo. I'm going to apply it once iptables 1.3.0 is released.

>> I don't think we can remove it from struct ipt_entry without
>> breaking userspace compatibility. But we could stop using it.
>
> Yes, I was aware of that :). I didn't talk about modifying ipt_entry 
> which is not possible because of backward compatibility. I mean that, 
> as next step, we could kill those nfcache arguments passed as 
> parameter that aren't useful anymore.

Sure, go ahead.

Regards
Patrick

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: ULOG target for ipv6
  2005-02-10 23:15   ` ULOG target for ipv6 Jonas Berlin
  2005-02-11 22:10     ` netfilter question Pedro Fortuna
@ 2005-02-14 23:25     ` Harald Welte
  2005-02-15  0:11       ` Jonas Berlin
  1 sibling, 1 reply; 30+ messages in thread
From: Harald Welte @ 2005-02-14 23:25 UTC (permalink / raw)
  To: Jonas Berlin; +Cc: netfilter-devel, Martijn Lievaart


On Fri, Feb 11, 2005 at 01:15:07AM +0200, Jonas Berlin wrote:

> Here's my first attempt of ULOG for ipv6. It's _untested_, but it 
> compiles at least on 2.6 and it patches fine against 2.4.28 also.

;) I've merged it into pom-ng (Rev. 3694).  I'm not quite happy about
ulogd from userspace having no idea whether the packet came from the
ipv4 or ipv6 stack - but I think it's fine for now.

> Someone could also point me to the latest instructions on how to 
> contribute - the online docs I found here didn't work very well:

Well, there are no instructions.  Patches to the HOWTOs or new
documentation are always welcome.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie


^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: ULOG target for ipv6
  2005-02-14 23:25     ` ULOG target for ipv6 Harald Welte
@ 2005-02-15  0:11       ` Jonas Berlin
  0 siblings, 0 replies; 30+ messages in thread
From: Jonas Berlin @ 2005-02-15  0:11 UTC (permalink / raw)
  To: Harald Welte, netfilter-devel

Harald Welte wrote:

>;) I've merged it into pom-ng (Rev. 3694).  I'm not quite happy about
>ulogd from userspace having no idea whether the packet came from the
>ipv4 or ipv6 stack - but I think it's fine for now.
>  
>
Nice :)

I actually meant that ulogd probably isn't expecting ipv6 packets (since 
there was no ipv6 support before) and I thus don't know what ulogd will 
do when it gets one.

Ulogd can figure out which stack the packet came from simply by looking 
at it (check whether it contains an ipv4 or ipv6 header). Or at least 
that's how I think it should work :)

>Well, there are no instructions.  Patches to the HOWTO's or new
>documentation is always welcome.
>  
>
Sure.. I found README.newpatches in pom-ng which helped creating the 
patch but did not mention how to submit.. Is the proper way to send a 
message to netfilter-devel with a subject starting with [ANNOUNCE] or 
[PATCH] or something like that? And any wishes/requirements regarding 
the message content of the announcement?

-- 
- xkr47

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: netfilter & ipv6
  2005-02-10 21:36   ` Sven-Haegar Koch
@ 2005-02-15  1:29     ` Jonas Berlin
  0 siblings, 0 replies; 30+ messages in thread
From: Jonas Berlin @ 2005-02-15  1:29 UTC (permalink / raw)
  To: Sven-Haegar Koch; +Cc: netfilter-devel

Sven-Haegar Koch wrote:

>> since the name of the module essentially determines the 
>> name of the target, the module etc.
>
> why?
> the module in patch-o-matic-ng (the top directory name) could be named 
> CLASSIFY_v6, containing the target CLASSIFY for ipv6, with the kernel 
> module named ip6t_CLASSIFY.
> I see nothing which prevents this.

Oh! You're right, it worked. I must have had something wrong somewhere 
before when it complained. Excellent! :)

> c'ya
> sven

Thanks,

-- 
- xkr47

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: netfilter question
       [not found] <cad49557-7c7a-83c9-d2b6-71d9624f0d52@miromedia.ca>
@ 2016-11-16 13:33 ` Eric Dumazet
  2016-11-16 15:02   ` Florian Westphal
  0 siblings, 1 reply; 30+ messages in thread
From: Eric Dumazet @ 2016-11-16 13:33 UTC (permalink / raw)
  To: Eric Desrochers; +Cc: Florian Westphal, netfilter-devel

On Wed, Nov 16, 2016 at 2:22 AM, Eric Desrochers <ericd@miromedia.ca> wrote:
> Hi Eric,
>
> My name is Eric and I'm reaching you today as I found your name in multiple netfilter kernel commits, and was hoping we can discuss a potential regression.
>
> I identified (git bisect) this commit [https://github.com/torvalds/linux/commit/71ae0dff02d756e4d2ca710b79f2ff5390029a5f] as the one introducing a serious performance slowdown when using the binary ip/ip6tables with a large number of policies.
>
> I also tried with the latest and greatest v4.9-rc4 mainline kernel, and the slowdown is still present.
>
> So even commit [https://github.com/torvalds/linux/commit/a1a56aaa0735c7821e85c37268a7c12e132415cb], which introduces a 16-byte alignment on xt_counter percpu allocations so that bytes and packets sit in the same cache line, doesn't have an impact either.
>
>
> Everything I found is detailed in the following bug : https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1640786
>
> Of course, I'm totally aware that "iptables-restore" should be the favorite choice as it is way more efficient (note that using iptables-restore doesn't exhibit the problem) but some folks still rely on ip/ip6tables and might face this performance slowdown.
>
> I found the problem today, I will continue to investigate on my side, but I was wondering if we could have a discussion about this subject.
>
> Thanks in advance.
>
> Regards,
>
> Eric
>

Hi Eric

Thanks for your mail. But you should CC it to the netfilter-devel mailing list.

The key point is that we really care about the fast path: packet processing.
And the cited commit helps this a lot by lowering the memory footprint on
hosts with many cores.
This is a step in the right direction.

Now we probably should batch the percpu allocations one page at a
time, or ask Tejun if percpu allocations could be really really fast
(probably much harder)

But really you should not use iptables one rule at a time...
This will never compete with iptables-restore. ;)

Florian, would you have time to work on a patch trying to group the
percpu allocations one page at a time ?

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: netfilter question
  2016-11-16 13:33 ` netfilter question Eric Dumazet
@ 2016-11-16 15:02   ` Florian Westphal
  2016-11-16 15:23     ` Eric Dumazet
  0 siblings, 1 reply; 30+ messages in thread
From: Florian Westphal @ 2016-11-16 15:02 UTC (permalink / raw)
  To: Eric Dumazet; +Cc: Eric Desrochers, Florian Westphal, netfilter-devel

Eric Dumazet <edumazet@google.com> wrote:
> On Wed, Nov 16, 2016 at 2:22 AM, Eric Desrochers <ericd@miromedia.ca> wrote:
> > Hi Eric,
> >
> > My name is Eric and I'm reaching you today as I found your name in multiple netfilter kernel commits, and was hoping we can discuss a potential regression.
> >
> > I identified (git bisect) this commit [https://github.com/torvalds/linux/commit/71ae0dff02d756e4d2ca710b79f2ff5390029a5f] as the one introducing a serious performance slowdown when using the binary ip/ip6tables with a large number of policies.
> >
> > I also tried with the latest and greatest v4.9-rc4 mainline kernel, and the slowdown is still present.
> >
> > So even commit [https://github.com/torvalds/linux/commit/a1a56aaa0735c7821e85c37268a7c12e132415cb], which introduces a 16-byte alignment on xt_counter percpu allocations so that bytes and packets sit in the same cache line, doesn't have an impact either.
> >
> >
> > Everything I found is detailed in the following bug : https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1640786
> >
> > Of course, I'm totally aware that "iptables-restore" should be the favorite choice as it is way more efficient (note that using iptables-restore doesn't exhibit the problem) but some folks still rely on ip/ip6tables and might face this performance slowdown.
> >
> > I found the problem today, I will continue to investigate on my side, but I was wondering if we could have a discussion about this subject.
> >
> > Thanks in advance.

[..]

> The key point is that we really care about the fast path: packet processing.
> And the cited commit helps this a lot by lowering the memory footprint on
> hosts with many cores.
> This is a step in the right direction.
> 
> Now we probably should batch the percpu allocations one page at a
> time, or ask Tejun if percpu allocations could be really really fast
> (probably much harder)
> 
> But really you should not use iptables one rule at a time...
> This will never compete with iptables-restore. ;)
> 
> Florian, would you have time to work on a patch trying to group the
> percpu allocations one page at a time ?

You mean something like this ? :
        xt_entry_foreach(iter, entry0, newinfo->size) {
-               ret = find_check_entry(iter, net, repl->name, repl->size);
-               if (ret != 0)
+               if (pcpu_alloc == 0) {
+                       pcnt = __alloc_percpu(PAGE_SIZE, sizeof(struct xt_counters));
+                       if (IS_ERR_VALUE(pcnt))
+                               BUG();
+               }
+
+               iter->counters.pcnt = pcnt + pcpu_alloc;
+               iter->counters.bcnt = !!pcpu_alloc;
+               pcpu_alloc += sizeof(struct xt_counters);
+
+               if (pcpu_alloc > PAGE_SIZE - sizeof(struct xt_counters))
+                       pcpu_alloc = 0;
+
+               ret = find_check_entry(iter, net, repl->name, repl->size)
 ...
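Review bot: `__alloc_percpu()` returns NULL on failure (the existing header checks `res == NULL`), so `IS_ERR_VALUE(pcnt)` never fires and a failed page allocation would be used as a zero base offset; test for NULL instead, and return -ENOMEM rather than `BUG()`. The re-added `ret = find_check_entry(iter, net, repl->name, repl->size)` line has also lost its semicolon and the `if (ret != 0)` check that the `-` lines removed, so the sketch as written would not compile or detect check failures.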

This is going to be ugly since we'll have to deal with SMP vs. NONSMP (i.e. no percpu allocations)
in ip/ip6/arptables.

Error unwind will also be a mess (we can abuse .bcnt to tell if the pcpu offset should be freed or not).

But maybe I don't understand what you are suggesting :)
Can you elaborate?

Thanks!

^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: netfilter question
  2016-11-16 15:02   ` Florian Westphal
@ 2016-11-16 15:23     ` Eric Dumazet
  2016-11-17  0:07       ` Florian Westphal
  0 siblings, 1 reply; 30+ messages in thread
From: Eric Dumazet @ 2016-11-16 15:23 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Eric Dumazet, Eric Desrochers, netfilter-devel

On Wed, 2016-11-16 at 16:02 +0100, Florian Westphal wrote:
> Eric Dumazet <edumazet@google.com> wrote:
> > On Wed, Nov 16, 2016 at 2:22 AM, Eric Desrochers <ericd@miromedia.ca> wrote:
> > > Hi Eric,
> > >
> > > My name is Eric and I'm reaching you today as I found your name in multiple netfilter kernel commits, and was hoping we can discuss a potential regression.
> > >
> > > I identified (git bisect) this commit [https://github.com/torvalds/linux/commit/71ae0dff02d756e4d2ca710b79f2ff5390029a5f] as the one introducing a serious performance slowdown when using the binary ip/ip6tables with a large number of policies.
> > >
> > > I also tried with the latest and greatest v4.9-rc4 mainline kernel, and the slowdown is still present.
> > >
> > > So even commit [https://github.com/torvalds/linux/commit/a1a56aaa0735c7821e85c37268a7c12e132415cb], which introduces a 16-byte alignment on xt_counter percpu allocations so that bytes and packets sit in the same cache line, doesn't have an impact either.
> > >
> > >
> > > Everything I found is detailed in the following bug : https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1640786
> > >
> > > Of course, I'm totally aware that "iptables-restore" should be the favorite choice as it is way more efficient (note that using iptables-restore doesn't exhibit the problem) but some folks still rely on ip/ip6tables and might face this performance slowdown.
> > >
> > > I found the problem today, I will continue to investigate on my side, but I was wondering if we could have a discussion about this subject.
> > >
> > > Thanks in advance.
> 
> [..]
> 
> > The key point is that we really care about the fast path: packet processing.
> > And the cited commit helps this a lot by lowering the memory footprint on
> > hosts with many cores.
> > This is a step in the right direction.
> > 
> > Now we probably should batch the percpu allocations one page at a
> > time, or ask Tejun if percpu allocations could be really really fast
> > (probably much harder)
> > 
> > But really you should not use iptables one rule at a time...
> > This will never compete with iptables-restore. ;)
> > 
> > Florian, would you have time to work on a patch trying to group the
> > percpu allocations one page at a time ?
> 
> You mean something like this ? :
>         xt_entry_foreach(iter, entry0, newinfo->size) {
> -               ret = find_check_entry(iter, net, repl->name, repl->size);
> -               if (ret != 0)
> +               if (pcpu_alloc == 0) {
> +                       pcnt = __alloc_percpu(PAGE_SIZE, sizeof(struct xt_counters));

alignment should be a page.

> +                       if (IS_ERR_VALUE(pcnt))
> +                               BUG();

well. no BUG() for sure ;)

> +               }
> +
> +               iter->counters.pcnt = pcnt + pcpu_alloc;
> +               iter->counters.bcnt = !!pcpu_alloc;
> +               pcpu_alloc += sizeof(struct xt_counters);
> +
> +               if (pcpu_alloc > PAGE_SIZE - sizeof(struct xt_counters))
> +                       pcpu_alloc = 0;
> +
> +               ret = find_check_entry(iter, net, repl->name, repl->size)
>  ...
> 
> This is going to be ugly since we'll have to deal with SMP vs. NONSMP (i.e. no percpu allocations)
> in ip/ip6/arptables.

Time for a common helper then ...

> 
> Error unwind will also be a mess (we can abuse .bcnt to tell if the pcpu offset should be freed or not).

Free if the address is aligned to a page boundary?

Otherwise skip it, it already has been freed earlier.

> 
> But maybe I don't understand what you are suggesting :)
> Can you elaborate?

Note that this grouping will also help data locality.

I definitely have servers with a huge number of percpu allocations and I
fear we might have many TLB misses because of possible spread of
xt_counters.

Note that percpu pages must not be shared by multiple users
(ip/ip6/arptable), each table should get its own cache.




^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: netfilter question
  2016-11-16 15:23     ` Eric Dumazet
@ 2016-11-17  0:07       ` Florian Westphal
  2016-11-17  2:34         ` Eric Dumazet
                           ` (2 more replies)
  0 siblings, 3 replies; 30+ messages in thread
From: Florian Westphal @ 2016-11-17  0:07 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Florian Westphal, Eric Dumazet, Eric Desrochers, netfilter-devel

Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > > On Wed, Nov 16, 2016 at 2:22 AM, Eric Desrochers <ericd@miromedia.ca> wrote:
> > > > Hi Eric,
> > > >
> > > > My name is Eric and I'm reaching you today as I found your name in multiple netfilter kernel commits, and was hoping we can discuss a potential regression.
> > > >
> > > > I identified (git bisect) this commit [https://github.com/torvalds/linux/commit/71ae0dff02d756e4d2ca710b79f2ff5390029a5f] as the one introducing a serious performance slowdown when using the binary ip/ip6tables with a large number of policies.
> > > >
> > > > I also tried with the latest and greatest v4.9-rc4 mainline kernel, and the slowdown is still present.
> > > >
> > > > So even commit [https://github.com/torvalds/linux/commit/a1a56aaa0735c7821e85c37268a7c12e132415cb], which introduces a 16-byte alignment on xt_counter percpu allocations so that bytes and packets sit in the same cache line, doesn't have an impact either.
> > > >
> > > >
> > > > Everything I found is detailed in the following bug : https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1640786
> > > >
> > > > Of course, I'm totally aware that "iptables-restore" should be the favorite choice as it is way more efficient (note that using iptables-restore doesn't exhibit the problem) but some folks still rely on ip/ip6tables and might face this performance slowdown.
> > > >
> > > > I found the problem today, I will continue to investigate on my side, but I was wondering if we could have a discussion about this subject.
> > > >
> > > > Thanks in advance.
> > 
> > [..]
> > 
> > > The key point is that we really care about the fast path: packet processing.
> > > And the cited commit helps this a lot by lowering the memory footprint on
> > > hosts with many cores.
> > > This is a step in the right direction.
> > > 
> > > Now we probably should batch the percpu allocations one page at a
> > > time, or ask Tejun if percpu allocations could be really really fast
> > > (probably much harder)
> > > 
> > > But really you should not use iptables one rule at a time...
> > > This will never compete with iptables-restore. ;)
> > > 
> > > Florian, would you have time to work on a patch trying to group the
> > > percpu allocations one page at a time ?
> > 
> > You mean something like this ? :
> >         xt_entry_foreach(iter, entry0, newinfo->size) {
> > -               ret = find_check_entry(iter, net, repl->name, repl->size);
> > -               if (ret != 0)
> > +               if (pcpu_alloc == 0) {
> > +                       pcnt = __alloc_percpu(PAGE_SIZE, sizeof(struct xt_counters));
> 
> alignment should be a page.

[..]

> > Error unwind will also be a mess (we can abuse .bcnt to tell if the pcpu offset should be freed or not).
> 
> Free if the address is aligned to a page boundary ?

Good idea.  This seems to work for me.  Eric (Desrochers), does this
improve the situation for you as well?

diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -403,38 +403,14 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
 	return ret;
 }
 
+struct xt_percpu_counter_alloc_state {
+	unsigned int off;
+	const char *mem;
+};
 
-/* On SMP, ip(6)t_entry->counters.pcnt holds address of the
- * real (percpu) counter.  On !SMP, its just the packet count,
- * so nothing needs to be done there.
- *
- * xt_percpu_counter_alloc returns the address of the percpu
- * counter, or 0 on !SMP. We force an alignment of 16 bytes
- * so that bytes/packets share a common cache line.
- *
- * Hence caller must use IS_ERR_VALUE to check for error, this
- * allows us to return 0 for single core systems without forcing
- * callers to deal with SMP vs. NONSMP issues.
- */
-static inline unsigned long xt_percpu_counter_alloc(void)
-{
-	if (nr_cpu_ids > 1) {
-		void __percpu *res = __alloc_percpu(sizeof(struct xt_counters),
-						    sizeof(struct xt_counters));
-
-		if (res == NULL)
-			return -ENOMEM;
-
-		return (__force unsigned long) res;
-	}
-
-	return 0;
-}
-static inline void xt_percpu_counter_free(u64 pcnt)
-{
-	if (nr_cpu_ids > 1)
-		free_percpu((void __percpu *) (unsigned long) pcnt);
-}
+bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
+			     struct xt_counters *counter);
+void xt_percpu_counter_free(struct xt_counters *cnt);
 
 static inline struct xt_counters *
 xt_get_this_cpu_counter(struct xt_counters *cnt)
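Review bot: `mem` in the new `struct xt_percpu_counter_alloc_state` is declared `const char *` but stores what `__alloc_percpu()` returns, a `void __percpu *`; declare it with the `__percpu` address-space annotation so sparse keeps checking the pointer and the `__force` cast stays confined to the one place where `pcnt` is computed. The removed comment's `IS_ERR_VALUE` contract also no longer applies: callers now get a bool, and a one-line note above the new prototypes saying that `xt_percpu_counter_alloc()` returns true without touching `counter` on !SMP would save readers a trip to x_tables.c.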
diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
index 39004da318e2..cbea0cb030da 100644
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
@@ -411,17 +411,15 @@ static inline int check_target(struct arpt_entry *e, const char *name)
 }
 
 static inline int
-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
+find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
+		 struct xt_percpu_counter_alloc_state *alloc_state)
 {
 	struct xt_entry_target *t;
 	struct xt_target *target;
-	unsigned long pcnt;
 	int ret;
 
-	pcnt = xt_percpu_counter_alloc();
-	if (IS_ERR_VALUE(pcnt))
+	if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
 		return -ENOMEM;
-	e->counters.pcnt = pcnt;
 
 	t = arpt_get_target(e);
 	target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
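Review bot: this hunk changes !SMP behaviour: the removed `e->counters.pcnt = pcnt;` wrote 0 into the packet counter on single-core systems (the removed header comment says the old helper returned "0 on !SMP"), whereas the new `xt_percpu_counter_alloc()` returns true before touching `counter` when `nr_cpu_ids <= 1`, so the value supplied by userspace is now kept. That is arguably the more correct behaviour, but it is a side effect worth stating in the changelog; the ip_tables.c and ip6_tables.c `find_check_entry()` hunks below have the same change.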
@@ -439,7 +437,7 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
 err:
 	module_put(t->u.kernel.target->me);
 out:
-	xt_percpu_counter_free(e->counters.pcnt);
+	xt_percpu_counter_free(&e->counters);
 
 	return ret;
 }
@@ -519,7 +517,7 @@ static inline void cleanup_entry(struct arpt_entry *e)
 	if (par.target->destroy != NULL)
 		par.target->destroy(&par);
 	module_put(par.target->me);
-	xt_percpu_counter_free(e->counters.pcnt);
+	xt_percpu_counter_free(&e->counters);
 }
 
 /* Checks and translates the user-supplied table segment (held in
@@ -528,6 +526,7 @@ static inline void cleanup_entry(struct arpt_entry *e)
 static int translate_table(struct xt_table_info *newinfo, void *entry0,
 			   const struct arpt_replace *repl)
 {
+	struct xt_percpu_counter_alloc_state alloc_state = { 0 };
 	struct arpt_entry *iter;
 	unsigned int *offsets;
 	unsigned int i;
@@ -590,7 +589,7 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
 	/* Finally, each sanity check must pass */
 	i = 0;
 	xt_entry_foreach(iter, entry0, newinfo->size) {
-		ret = find_check_entry(iter, repl->name, repl->size);
+		ret = find_check_entry(iter, repl->name, repl->size, &alloc_state);
 		if (ret != 0)
 			break;
 		++i;
diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
index 46815c8a60d7..0024550516d1 100644
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
@@ -531,7 +531,8 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name)
 
 static int
 find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
-		 unsigned int size)
+		 unsigned int size,
+		 struct xt_percpu_counter_alloc_state *alloc_state)
 {
 	struct xt_entry_target *t;
 	struct xt_target *target;
@@ -539,12 +540,9 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
 	unsigned int j;
 	struct xt_mtchk_param mtpar;
 	struct xt_entry_match *ematch;
-	unsigned long pcnt;
 
-	pcnt = xt_percpu_counter_alloc();
-	if (IS_ERR_VALUE(pcnt))
+	if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
 		return -ENOMEM;
-	e->counters.pcnt = pcnt;
 
 	j = 0;
 	mtpar.net	= net;
@@ -582,7 +580,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
 		cleanup_match(ematch, net);
 	}
 
-	xt_percpu_counter_free(e->counters.pcnt);
+	xt_percpu_counter_free(&e->counters);
 
 	return ret;
 }
@@ -670,7 +668,7 @@ cleanup_entry(struct ipt_entry *e, struct net *net)
 	if (par.target->destroy != NULL)
 		par.target->destroy(&par);
 	module_put(par.target->me);
-	xt_percpu_counter_free(e->counters.pcnt);
+	xt_percpu_counter_free(&e->counters);
 }
 
 /* Checks and translates the user-supplied table segment (held in
@@ -679,6 +677,7 @@ static int
 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
 		const struct ipt_replace *repl)
 {
+	struct xt_percpu_counter_alloc_state alloc_state = { 0 };
 	struct ipt_entry *iter;
 	unsigned int *offsets;
 	unsigned int i;
@@ -738,7 +737,7 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
 	/* Finally, each sanity check must pass */
 	i = 0;
 	xt_entry_foreach(iter, entry0, newinfo->size) {
-		ret = find_check_entry(iter, net, repl->name, repl->size);
+		ret = find_check_entry(iter, net, repl->name, repl->size, &alloc_state);
 		if (ret != 0)
 			break;
 		++i;
diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
index 6ff42b8301cc..123d9af6742e 100644
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
@@ -562,7 +562,8 @@ static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
 
 static int
 find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
-		 unsigned int size)
+		 unsigned int size,
+		 struct xt_percpu_counter_alloc_state *alloc_state)
 {
 	struct xt_entry_target *t;
 	struct xt_target *target;
@@ -570,12 +571,9 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
 	unsigned int j;
 	struct xt_mtchk_param mtpar;
 	struct xt_entry_match *ematch;
-	unsigned long pcnt;
 
-	pcnt = xt_percpu_counter_alloc();
-	if (IS_ERR_VALUE(pcnt))
+	if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
 		return -ENOMEM;
-	e->counters.pcnt = pcnt;
 
 	j = 0;
 	mtpar.net	= net;
@@ -612,7 +610,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
 		cleanup_match(ematch, net);
 	}
 
-	xt_percpu_counter_free(e->counters.pcnt);
+	xt_percpu_counter_free(&e->counters);
 
 	return ret;
 }
@@ -699,8 +697,7 @@ static void cleanup_entry(struct ip6t_entry *e, struct net *net)
 	if (par.target->destroy != NULL)
 		par.target->destroy(&par);
 	module_put(par.target->me);
-
-	xt_percpu_counter_free(e->counters.pcnt);
+	xt_percpu_counter_free(&e->counters);
 }
 
 /* Checks and translates the user-supplied table segment (held in
@@ -709,6 +706,7 @@ static int
 translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
 		const struct ip6t_replace *repl)
 {
+	struct xt_percpu_counter_alloc_state alloc_state = { 0 };
 	struct ip6t_entry *iter;
 	unsigned int *offsets;
 	unsigned int i;
@@ -768,7 +766,7 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
 	/* Finally, each sanity check must pass */
 	i = 0;
 	xt_entry_foreach(iter, entry0, newinfo->size) {
-		ret = find_check_entry(iter, net, repl->name, repl->size);
+		ret = find_check_entry(iter, net, repl->name, repl->size, &alloc_state);
 		if (ret != 0)
 			break;
 		++i;
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index ad818e52859b..a4d1084b163f 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -1615,6 +1615,59 @@ void xt_proto_fini(struct net *net, u_int8_t af)
 }
 EXPORT_SYMBOL_GPL(xt_proto_fini);
 
+/**
+ * xt_percpu_counter_alloc - allocate x_tables rule counter
+ *
+ * @state: pointer to xt_percpu allocation state
+ * @counter: pointer to counter struct inside the ip(6)/arpt_entry struct
+ *
+ * On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then
+ * contain the address of the real (percpu) counter.
+ *
+ * Rule evaluation needs to use xt_get_this_cpu_counter() helper
+ * to fetch the real percpu counter.
+ *
+ * To speed up allocation and improve data locality, an entire
+ * page is allocated.
+ *
+ * xt_percpu_counter_alloc_state contains the base address of the
+ * allocated page and the current sub-offset.
+ *
+ * returns false on error.
+ */
+bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
+			     struct xt_counters *counter)
+{
+	BUILD_BUG_ON(PAGE_SIZE < (sizeof(*counter) * 2));
+
+	if (nr_cpu_ids <= 1)
+		return true;
+
+	if (state->mem == NULL) {
+		state->mem = __alloc_percpu(PAGE_SIZE, PAGE_SIZE);
+		if (!state->mem)
+			return false;
+	}
+	counter->pcnt = (__force unsigned long)(state->mem + state->off);
+	state->off += sizeof(*counter);
+	if (state->off > (PAGE_SIZE - sizeof(*counter))) {
+		state->mem = NULL;
+		state->off = 0;
+	}
+
+	return true;
+}
+EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc);
+
+void xt_percpu_counter_free(struct xt_counters *counters)
+{
+	unsigned long pcnt = counters->pcnt;
+
+	if (nr_cpu_ids > 1 && (pcnt & (PAGE_SIZE - 1)) == 0)
+		free_percpu((void __percpu *) (unsigned long)pcnt);
+}
+EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
+
 static int __net_init xt_net_init(struct net *net)
 {
 	int i;
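Review bot: `xt_percpu_counter_free()` depends on an invariant the kernel-doc does not state: the caller must free the counters of every entry allocated from the same table, because only the entry holding the page-aligned first slot releases the page and every other slot is a silent no-op, so a caller that frees a subset of entries leaks whole pages; spell that out next to the function. Two smaller points: the `(unsigned long)` cast in the `free_percpu()` argument is redundant now that `pcnt` is already an `unsigned long`, and the `PAGE_SIZE - 1` mask assumes `__alloc_percpu(PAGE_SIZE, PAGE_SIZE)` really returns page-aligned offsets, which is the largest alignment the percpu allocator accepts, so a comment tying the mask to that alignment argument would help the next reader.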

^ permalink raw reply related	[flat|nested] 30+ messages in thread
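To make the ownership rule concrete (the page-aligned first slot owns the page; every other slot is skipped on free, as Eric suggests above and Florian's patch implements), here is an added user-space model. It is not kernel code and not part of the thread: posix_memalign()/free() stand in for __alloc_percpu(PAGE_SIZE, PAGE_SIZE)/free_percpu(), PAGE_SIZE is assumed to be 4096, only the SMP branch is modelled (the nr_cpu_ids check is dropped), and model_table() is a constructed driver that plays the role of translate_table()'s allocation loop and cleanup.

```c
/*
 * Added user-space model of the page-batched per-rule counter
 * allocation.  Not kernel code: posix_memalign()/free() replace
 * __alloc_percpu()/free_percpu(), and only the SMP path is modelled.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE 4096UL   /* assumed page size */

/* Shape of the kernel's struct xt_counters: packet and byte counts. */
struct xt_counters {
    uint64_t pcnt;   /* SMP: address of the per-cpu counter block */
    uint64_t bcnt;
};

/* Allocation state carried across one table translation. */
struct xt_percpu_counter_alloc_state {
    unsigned int off;   /* next free offset inside the current page */
    char *mem;          /* current page, NULL when a fresh one is needed */
};

/* Bookkeeping so a caller can verify how many pages were really used. */
static unsigned long pages_allocated;
static unsigned long pages_freed;

/* Stand-in for __alloc_percpu(PAGE_SIZE, PAGE_SIZE): one zeroed, page-aligned page. */
static char *model_alloc_page(void)
{
    void *p = NULL;

    if (posix_memalign(&p, PAGE_SIZE, PAGE_SIZE) != 0)
        return NULL;
    memset(p, 0, PAGE_SIZE);     /* fresh counters start at zero */
    pages_allocated++;
    return p;
}

/* Hand out the next 16-byte slot of the current page; a page is
 * allocated only when the previous one has been used up. */
bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
                             struct xt_counters *counter)
{
    if (state->mem == NULL) {
        state->mem = model_alloc_page();
        if (state->mem == NULL)
            return false;
        state->off = 0;
    }
    counter->pcnt = (uintptr_t)(state->mem + state->off);
    state->off += sizeof(*counter);

    /* No room for another counter: the next call takes a fresh page. */
    if (state->off > PAGE_SIZE - sizeof(*counter)) {
        state->mem = NULL;
        state->off = 0;
    }
    return true;
}

/* Only the first slot of a page has a page-aligned address; freeing it
 * releases the whole page.  Every other slot is a no-op, so the caller
 * may free every rule's counters without tracking page ownership. */
void xt_percpu_counter_free(struct xt_counters *counters)
{
    uintptr_t pcnt = (uintptr_t)counters->pcnt;

    if (pcnt != 0 && (pcnt & (PAGE_SIZE - 1)) == 0) {
        free((void *)pcnt);
        pages_freed++;
    }
}

/* Constructed driver: allocate counters for nrules rules the way the
 * translate_table() loop does, check the page-ownership invariant, free
 * everything, and return the number of pages the table needed (0 if an
 * invariant was violated or a page was leaked or double-counted). */
unsigned long model_table(unsigned int nrules)
{
    struct xt_percpu_counter_alloc_state st = { 0, NULL };
    struct xt_counters *rules = calloc(nrules, sizeof(*rules));
    unsigned long per_page = PAGE_SIZE / sizeof(struct xt_counters);
    unsigned long before = pages_allocated, freed_before = pages_freed;
    unsigned int i;
    bool ok = rules != NULL;

    for (i = 0; ok && i < nrules; i++)
        ok = xt_percpu_counter_alloc(&st, &rules[i]);

    /* Invariant: rule i is page-aligned exactly when it opens a page. */
    for (i = 0; ok && i < nrules; i++) {
        bool aligned = (rules[i].pcnt & (PAGE_SIZE - 1)) == 0;
        ok = aligned == (i % per_page == 0);
    }

    for (i = 0; rules != NULL && i < nrules; i++)
        xt_percpu_counter_free(&rules[i]);
    free(rules);

    /* Every page handed out must have been released exactly once. */
    if (!ok || pages_freed - freed_before != pages_allocated - before)
        return 0;
    return pages_allocated - before;
}

int main(void)
{
    printf("257 rules need %lu page(s)\n", model_table(257));
    return 0;
}
```

With 16-byte counters a 4096-byte page holds 256 of them, so 256 rules fit in one page and the 257th opens a second; the model's free path releases exactly as many pages as were opened, which is the property a partial cleanup (freeing only some entries) would break.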

* Re: netfilter question
  2016-11-17  0:07       ` Florian Westphal
@ 2016-11-17  2:34         ` Eric Dumazet
  2016-11-17 15:49         ` Eric Desrochers
  2016-11-20  6:33         ` Eric Dumazet
  2 siblings, 0 replies; 30+ messages in thread
From: Eric Dumazet @ 2016-11-17  2:34 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Eric Dumazet, Eric Desrochers, netfilter-devel

On Thu, 2016-11-17 at 01:07 +0100, Florian Westphal wrote:

Seems very nice !

> +
> +void xt_percpu_counter_free(struct xt_counters *counters)
> +{
> +	unsigned long pcnt = counters->pcnt;
> +
> +	if (nr_cpu_ids > 1 && (pcnt & (PAGE_SIZE - 1)) == 0)
> +		free_percpu((void __percpu *) (unsigned long)pcnt);
> +}


pcnt is already an "unsigned long"

This packing might also speed up "iptables -nvL" dumps ;)



^ permalink raw reply	[flat|nested] 30+ messages in thread

* Re: netfilter question
  2016-11-17  0:07       ` Florian Westphal
  2016-11-17  2:34         ` Eric Dumazet
@ 2016-11-17 15:49         ` Eric Desrochers
  2016-11-20  6:33         ` Eric Dumazet
  2 siblings, 0 replies; 30+ messages in thread
From: Eric Desrochers @ 2016-11-17 15:49 UTC (permalink / raw)
  To: Florian Westphal, Eric Dumazet; +Cc: Eric Dumazet, netfilter-devel

Hi Florian,

Thanks for the quick response, will give it a try and get back to you with the outcome of my test.

On 2016-11-17 01:07 AM, Florian Westphal wrote:
> Eric Dumazet <eric.dumazet@gmail.com> wrote:
>>>> On Wed, Nov 16, 2016 at 2:22 AM, Eric Desrochers <ericd@miromedia.ca> wrote:
>>>>> Hi Eric,
>>>>>
>>>>> My name is Eric and I'm reaching out to you today as I found your name in multiple netfilter kernel commits, and was hoping we could discuss a potential regression.
>>>>>
>>>>> I identified (git bisect) this commit [https://github.com/torvalds/linux/commit/71ae0dff02d756e4d2ca710b79f2ff5390029a5f] as the one introducing a serious performance slowdown when using the ip/ip6tables binaries with a large number of policies.
>>>>>
>>>>> I also tried with the latest and greatest v4.9-rc4 mainline kernel, and the slowdown is still present.
>>>>>
>>>>> So even commit [https://github.com/torvalds/linux/commit/a1a56aaa0735c7821e85c37268a7c12e132415cb], which introduces a 16-byte alignment on xt_counter percpu allocations so that bytes and packets sit in the same cache line, has no impact either.
>>>>>
>>>>>
>>>>> Everything I found is detailed in the following bug: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1640786
>>>>>
>>>>> Of course, I'm totally aware that "iptables-restore" should be the favorite choice as it is way more efficient (note that using iptables-restore doesn't exhibit the problem), but some folks still rely on ip/ip6tables and might face this performance slowdown.
>>>>>
>>>>> I found the problem today; I will continue to investigate on my side, but I was wondering if we could have a discussion about this subject.
>>>>>
>>>>> Thanks in advance.
>>> [..]
>>>
>>>> The key point is that we really care about the fast path: packet processing.
>>>> And the cited commit helps this a lot by lowering the memory footprint on
>>>> hosts with many cores.
>>>> This is a step in the right direction.
>>>>
>>>> Now we probably should batch the percpu allocations one page at a
>>>> time, or ask Tejun if percpu allocations could be really, really fast
>>>> (probably much harder).
>>>>
>>>> But really, you should not use iptables one rule at a time...
>>>> This will never compete with iptables-restore. ;)
>>>>
>>>> Florian, would you have time to work on a patch trying to group the
>>>> percpu allocations one page at a time ?
>>> You mean something like this?
>>>         xt_entry_foreach(iter, entry0, newinfo->size) {
>>> -               ret = find_check_entry(iter, net, repl->name, repl->size);
>>> -               if (ret != 0)
>>> +               if (pcpu_alloc == 0) {
>>> +                       pcnt = __alloc_percpu(PAGE_SIZE, sizeof(struct xt_counters));
>> alignment should be a page.
> [..]
>
>>> Error unwind will also be a mess (we can abuse .bcnt to tell if the pcpu offset should be freed or not).
>> Free if the address is aligned to a page boundary?
> Good idea.  This seems to work for me.  Eric (Desrochers), does this
> improve the situation for you as well?
>
> diff --git a/include/linux/netfilter/x_tables.h b/include/linux/netfilter/x_tables.h
> --- a/include/linux/netfilter/x_tables.h
> +++ b/include/linux/netfilter/x_tables.h
> @@ -403,38 +403,14 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
>  	return ret;
>  }
>  
> +struct xt_percpu_counter_alloc_state {
> +	unsigned int off;
> +	const char *mem;
> +};
>  
> -/* On SMP, ip(6)t_entry->counters.pcnt holds address of the
> - * real (percpu) counter.  On !SMP, its just the packet count,
> - * so nothing needs to be done there.
> - *
> - * xt_percpu_counter_alloc returns the address of the percpu
> - * counter, or 0 on !SMP. We force an alignment of 16 bytes
> - * so that bytes/packets share a common cache line.
> - *
> - * Hence caller must use IS_ERR_VALUE to check for error, this
> - * allows us to return 0 for single core systems without forcing
> - * callers to deal with SMP vs. NONSMP issues.
> - */
> -static inline unsigned long xt_percpu_counter_alloc(void)
> -{
> -	if (nr_cpu_ids > 1) {
> -		void __percpu *res = __alloc_percpu(sizeof(struct xt_counters),
> -						    sizeof(struct xt_counters));
> -
> -		if (res == NULL)
> -			return -ENOMEM;
> -
> -		return (__force unsigned long) res;
> -	}
> -
> -	return 0;
> -}
> -static inline void xt_percpu_counter_free(u64 pcnt)
> -{
> -	if (nr_cpu_ids > 1)
> -		free_percpu((void __percpu *) (unsigned long) pcnt);
> -}
> +bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
> +			     struct xt_counters *counter);
> +void xt_percpu_counter_free(struct xt_counters *cnt);
>  
>  static inline struct xt_counters *
>  xt_get_this_cpu_counter(struct xt_counters *cnt)
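Review bot: `const char *mem` in the new struct xt_percpu_counter_alloc_state receives the return value of __alloc_percpu(), which is a `__percpu` pointer, so the field should be declared `const char __percpu *mem` to keep the address-space annotation; as written, sparse will flag the assignment in xt_percpu_counter_alloc(), and the `__force` cast used when computing `counter->pcnt` only hides the mismatch. The removed comment block documented the SMP/!SMP contract for `pcnt` and the old IS_ERR_VALUE convention; now that the only documentation is the kernel-doc in x_tables.c, a one-line comment on the struct saying that callers must zero-initialise it (as the `= { 0 }` at each translate_table() call site does) and that `mem`/`off` are the current block and the next free slot would keep the header self-explanatory.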
> diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c
> index 39004da318e2..cbea0cb030da 100644
> --- a/net/ipv4/netfilter/arp_tables.c
> +++ b/net/ipv4/netfilter/arp_tables.c
> @@ -411,17 +411,15 @@ static inline int check_target(struct arpt_entry *e, const char *name)
>  }
>  
>  static inline int
> -find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
> +find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
> +		 struct xt_percpu_counter_alloc_state *alloc_state)
>  {
>  	struct xt_entry_target *t;
>  	struct xt_target *target;
> -	unsigned long pcnt;
>  	int ret;
>  
> -	pcnt = xt_percpu_counter_alloc();
> -	if (IS_ERR_VALUE(pcnt))
> +	if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
>  		return -ENOMEM;
> -	e->counters.pcnt = pcnt;
>  
>  	t = arpt_get_target(e);
>  	target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
> @@ -439,7 +437,7 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size)
>  err:
>  	module_put(t->u.kernel.target->me);
>  out:
> -	xt_percpu_counter_free(e->counters.pcnt);
> +	xt_percpu_counter_free(&e->counters);
>  
>  	return ret;
>  }
> @@ -519,7 +517,7 @@ static inline void cleanup_entry(struct arpt_entry *e)
>  	if (par.target->destroy != NULL)
>  		par.target->destroy(&par);
>  	module_put(par.target->me);
> -	xt_percpu_counter_free(e->counters.pcnt);
> +	xt_percpu_counter_free(&e->counters);
>  }
>  
>  /* Checks and translates the user-supplied table segment (held in
> @@ -528,6 +526,7 @@ static inline void cleanup_entry(struct arpt_entry *e)
>  static int translate_table(struct xt_table_info *newinfo, void *entry0,
>  			   const struct arpt_replace *repl)
>  {
> +	struct xt_percpu_counter_alloc_state alloc_state = { 0 };
>  	struct arpt_entry *iter;
>  	unsigned int *offsets;
>  	unsigned int i;
> @@ -590,7 +589,7 @@ static int translate_table(struct xt_table_info *newinfo, void *entry0,
>  	/* Finally, each sanity check must pass */
>  	i = 0;
>  	xt_entry_foreach(iter, entry0, newinfo->size) {
> -		ret = find_check_entry(iter, repl->name, repl->size);
> +		ret = find_check_entry(iter, repl->name, repl->size, &alloc_state);
>  		if (ret != 0)
>  			break;
>  		++i;
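Review bot: `alloc_state` is a stack local whose current, possibly partially used block is never released explicitly; on the error path the block is recovered only because the `cleanup_entry()` loop frees the rule holding offset 0 of each block, and because find_check_entry()'s `out:` path frees the failing rule's counter when that rule was the first user of the block. That invariant is implicit at this call site; a short comment next to the `= { 0 }` initialisation stating that every rule which received a counter must reach xt_percpu_counter_free() would help future readers. The same applies to the matching translate_table() hunks in ip_tables.c and ip6_tables.c.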
> diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c
> index 46815c8a60d7..0024550516d1 100644
> --- a/net/ipv4/netfilter/ip_tables.c
> +++ b/net/ipv4/netfilter/ip_tables.c
> @@ -531,7 +531,8 @@ static int check_target(struct ipt_entry *e, struct net *net, const char *name)
>  
>  static int
>  find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
> -		 unsigned int size)
> +		 unsigned int size,
> +		 struct xt_percpu_counter_alloc_state *alloc_state)
>  {
>  	struct xt_entry_target *t;
>  	struct xt_target *target;
> @@ -539,12 +540,9 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
>  	unsigned int j;
>  	struct xt_mtchk_param mtpar;
>  	struct xt_entry_match *ematch;
> -	unsigned long pcnt;
>  
> -	pcnt = xt_percpu_counter_alloc();
> -	if (IS_ERR_VALUE(pcnt))
> +	if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
>  		return -ENOMEM;
> -	e->counters.pcnt = pcnt;
>  
>  	j = 0;
>  	mtpar.net	= net;
> @@ -582,7 +580,7 @@ find_check_entry(struct ipt_entry *e, struct net *net, const char *name,
>  		cleanup_match(ematch, net);
>  	}
>  
> -	xt_percpu_counter_free(e->counters.pcnt);
> +	xt_percpu_counter_free(&e->counters);
>  
>  	return ret;
>  }
> @@ -670,7 +668,7 @@ cleanup_entry(struct ipt_entry *e, struct net *net)
>  	if (par.target->destroy != NULL)
>  		par.target->destroy(&par);
>  	module_put(par.target->me);
> -	xt_percpu_counter_free(e->counters.pcnt);
> +	xt_percpu_counter_free(&e->counters);
>  }
>  
>  /* Checks and translates the user-supplied table segment (held in
> @@ -679,6 +677,7 @@ static int
>  translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
>  		const struct ipt_replace *repl)
>  {
> +	struct xt_percpu_counter_alloc_state alloc_state = { 0 };
>  	struct ipt_entry *iter;
>  	unsigned int *offsets;
>  	unsigned int i;
> @@ -738,7 +737,7 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
>  	/* Finally, each sanity check must pass */
>  	i = 0;
>  	xt_entry_foreach(iter, entry0, newinfo->size) {
> -		ret = find_check_entry(iter, net, repl->name, repl->size);
> +		ret = find_check_entry(iter, net, repl->name, repl->size, &alloc_state);
>  		if (ret != 0)
>  			break;
>  		++i;
> diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c
> index 6ff42b8301cc..123d9af6742e 100644
> --- a/net/ipv6/netfilter/ip6_tables.c
> +++ b/net/ipv6/netfilter/ip6_tables.c
> @@ -562,7 +562,8 @@ static int check_target(struct ip6t_entry *e, struct net *net, const char *name)
>  
>  static int
>  find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
> -		 unsigned int size)
> +		 unsigned int size,
> +		 struct xt_percpu_counter_alloc_state *alloc_state)
>  {
>  	struct xt_entry_target *t;
>  	struct xt_target *target;
> @@ -570,12 +571,9 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
>  	unsigned int j;
>  	struct xt_mtchk_param mtpar;
>  	struct xt_entry_match *ematch;
> -	unsigned long pcnt;
>  
> -	pcnt = xt_percpu_counter_alloc();
> -	if (IS_ERR_VALUE(pcnt))
> +	if (!xt_percpu_counter_alloc(alloc_state, &e->counters))
>  		return -ENOMEM;
> -	e->counters.pcnt = pcnt;
>  
>  	j = 0;
>  	mtpar.net	= net;
> @@ -612,7 +610,7 @@ find_check_entry(struct ip6t_entry *e, struct net *net, const char *name,
>  		cleanup_match(ematch, net);
>  	}
>  
> -	xt_percpu_counter_free(e->counters.pcnt);
> +	xt_percpu_counter_free(&e->counters);
>  
>  	return ret;
>  }
> @@ -699,8 +697,7 @@ static void cleanup_entry(struct ip6t_entry *e, struct net *net)
>  	if (par.target->destroy != NULL)
>  		par.target->destroy(&par);
>  	module_put(par.target->me);
> -
> -	xt_percpu_counter_free(e->counters.pcnt);
> +	xt_percpu_counter_free(&e->counters);
>  }
>  
>  /* Checks and translates the user-supplied table segment (held in
> @@ -709,6 +706,7 @@ static int
>  translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
>  		const struct ip6t_replace *repl)
>  {
> +	struct xt_percpu_counter_alloc_state alloc_state = { 0 };
>  	struct ip6t_entry *iter;
>  	unsigned int *offsets;
>  	unsigned int i;
> @@ -768,7 +766,7 @@ translate_table(struct net *net, struct xt_table_info *newinfo, void *entry0,
>  	/* Finally, each sanity check must pass */
>  	i = 0;
>  	xt_entry_foreach(iter, entry0, newinfo->size) {
> -		ret = find_check_entry(iter, net, repl->name, repl->size);
> +		ret = find_check_entry(iter, net, repl->name, repl->size, &alloc_state);
>  		if (ret != 0)
>  			break;
>  		++i;
> diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
> index ad818e52859b..a4d1084b163f 100644
> --- a/net/netfilter/x_tables.c
> +++ b/net/netfilter/x_tables.c
> @@ -1615,6 +1615,59 @@ void xt_proto_fini(struct net *net, u_int8_t af)
>  }
>  EXPORT_SYMBOL_GPL(xt_proto_fini);
>  
> +/**
> + * xt_percpu_counter_alloc - allocate x_tables rule counter
> + *
> + * @state: pointer to xt_percpu allocation state
> + * @counter: pointer to counter struct inside the ip(6)/arpt_entry struct
> + *
> + * On SMP, the packet counter [ ip(6)t_entry->counters.pcnt ] will then
> + * contain the address of the real (percpu) counter.
> + *
> + * Rule evaluation needs to use xt_get_this_cpu_counter() helper
> + * to fetch the real percpu counter.
> + *
> + * To speed up allocation and improve data locality, an entire
> + * page is allocated.
> + *
> + * xt_percpu_counter_alloc_state contains the base address of the
> + * allocated page and the current sub-offset.
> + *
> + * returns false on error.
> + */
> +bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
> +			     struct xt_counters *counter)
> +{
> +	BUILD_BUG_ON(PAGE_SIZE < (sizeof(*counter) * 2));
> +
> +	if (nr_cpu_ids <= 1)
> +		return true;
> +
> +	if (state->mem == NULL) {
> +		state->mem = __alloc_percpu(PAGE_SIZE, PAGE_SIZE);
> +		if (!state->mem)
> +			return false;
> +	}
> +	counter->pcnt = (__force unsigned long)(state->mem + state->off);
> +	state->off += sizeof(*counter);
> +	if (state->off > (PAGE_SIZE - sizeof(*counter))) {
> +		state->mem = NULL;
> +		state->off = 0;
> +	}
> +
> +	return true;
> +}
> +EXPORT_SYMBOL_GPL(xt_percpu_counter_alloc);
> +
> +void xt_percpu_counter_free(struct xt_counters *counters)
> +{
> +	unsigned long pcnt = counters->pcnt;
> +
> +	if (nr_cpu_ids > 1 && (pcnt & (PAGE_SIZE - 1)) == 0)
> +		free_percpu((void __percpu *) (unsigned long)pcnt);
> +}
> +EXPORT_SYMBOL_GPL(xt_percpu_counter_free);
> +
>  static int __net_init xt_net_init(struct net *net)
>  {
>  	int i;
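Review bot: `state->mem = __alloc_percpu(PAGE_SIZE, PAGE_SIZE)` requests a PAGE_SIZE-sized, PAGE_SIZE-aligned per-cpu area, which, as Eric Dumazet points out further down this thread, exceeds the per-cpu allocator's PCPU_MIN_UNIT_SIZE (32 KB) on architectures with 64 KB pages, so every rule insertion would fail with -ENOMEM there. A fixed block constant (the 4096 suggested below) should replace PAGE_SIZE in three places together: the size and alignment here, the `(pcnt & (PAGE_SIZE - 1))` mask in xt_percpu_counter_free(), and the `BUILD_BUG_ON(PAGE_SIZE < (sizeof(*counter) * 2))` check, which otherwise no longer guards the block actually being carved up.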



* Re: netfilter question
  2016-11-17  0:07       ` Florian Westphal
  2016-11-17  2:34         ` Eric Dumazet
  2016-11-17 15:49         ` Eric Desrochers
@ 2016-11-20  6:33         ` Eric Dumazet
       [not found]           ` <CAGUFhKwQTRRJpfGi2fRkFfGdpLYMN-2F9G+dEsavM7UGbkjjdA@mail.gmail.com>
  2 siblings, 1 reply; 30+ messages in thread
From: Eric Dumazet @ 2016-11-20  6:33 UTC (permalink / raw)
  To: Florian Westphal; +Cc: Eric Dumazet, Eric Desrochers, netfilter-devel

On Thu, 2016-11-17 at 01:07 +0100, Florian Westphal wrote:

> +	if (state->mem == NULL) {
> +		state->mem = __alloc_percpu(PAGE_SIZE, PAGE_SIZE);
> +		if (!state->mem)
> +			return false;
> +	}

This will fail on arches where PAGE_SIZE=65536.

The percpu allocator limit is PCPU_MIN_UNIT_SIZE (32 KB).

So maybe use a smaller value like 4096?

#define XT_PCPU_BLOC_SIZE 4096



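The batching scheme under discussion, modelled in user space as an added example (not code from the patch or the kernel): a bump allocator hands out 16-byte counters from aligned blocks and a block is released only through the counter that sits at offset 0. `fake_alloc_percpu()`, the 32 KB `PCPU_MIN_UNIT_SIZE` limit as quoted above, and the `XT_PCPU_BLOCK_SIZE` name are assumed stand-ins for the kernel's per-cpu allocator and for the constant proposed in this message.

```c
#define _GNU_SOURCE /* for aligned_alloc() on glibc */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define PCPU_MIN_UNIT_SIZE (32 * 1024) /* per-cpu allocator limit quoted above */
#define XT_PCPU_BLOCK_SIZE 4096        /* fixed block size instead of PAGE_SIZE */

struct xt_counters { uint64_t pcnt, bcnt; }; /* 16 bytes, as in the kernel */
struct alloc_state { unsigned int off; char *mem; };

static unsigned int blocks_allocated, blocks_freed;

/* Stand-in for __alloc_percpu(): the real allocator refuses requests above
 * PCPU_MIN_UNIT_SIZE, which is why a PAGE_SIZE=65536 block would fail. */
static void *fake_alloc_percpu(size_t size, size_t align)
{
	void *p = size > PCPU_MIN_UNIT_SIZE ? NULL : aligned_alloc(align, size);
	if (p)
		blocks_allocated++;
	return p;
}

/* Same bump allocation as xt_percpu_counter_alloc() in the patch, with the
 * block size passed in instead of PAGE_SIZE. */
bool counter_alloc(struct alloc_state *st, struct xt_counters *c, size_t block)
{
	if (!st->mem) {
		st->mem = fake_alloc_percpu(block, block);
		if (!st->mem)
			return false;
	}
	c->pcnt = (uintptr_t)(st->mem + st->off);
	st->off += sizeof(*c);
	if (st->off > block - sizeof(*c)) { /* block full: next call opens a new one */
		st->mem = NULL;
		st->off = 0;
	}
	return true;
}

/* Only the counter at offset 0 owns the block (the alignment test below),
 * so each block is released exactly once however many rules share it. */
void counter_free(struct xt_counters *c, size_t block)
{
	uintptr_t pcnt = c->pcnt;
	if ((pcnt & (block - 1)) == 0) {
		free((void *)pcnt);
		blocks_freed++;
	}
}

/* Blocks handed out by the last run_rules() call that were never freed. */
int leaked_blocks(void) { return (int)(blocks_allocated - blocks_freed); }

/* Allocate counters for n rules, then free them rule by rule as cleanup_entry()
 * does. Returns the number of blocks allocated, or -1 if the allocator refused. */
int run_rules(unsigned int n, size_t block)
{
	struct alloc_state st = { 0 };
	struct xt_counters *rules = calloc(n, sizeof(*rules));
	unsigned int i, got = 0;

	blocks_allocated = blocks_freed = 0;
	while (got < n && counter_alloc(&st, &rules[got], block))
		got++;
	for (i = 0; i < got; i++)
		counter_free(&rules[i], block);
	free(rules);
	return got == n ? (int)blocks_allocated : -1;
}
```

With 4096-byte blocks, 2000 rules (the count used in the timing below) need 8 per-cpu allocations instead of 2000, and the 64 KB case returns -1 at the very first rule.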

* Re: netfilter question
       [not found]           ` <CAGUFhKwQTRRJpfGi2fRkFfGdpLYMN-2F9G+dEsavM7UGbkjjdA@mail.gmail.com>
@ 2016-11-20 17:31             ` Eric Dumazet
  2016-11-20 17:55               ` Eric Dumazet
  0 siblings, 1 reply; 30+ messages in thread
From: Eric Dumazet @ 2016-11-20 17:31 UTC (permalink / raw)
  To: Eric D; +Cc: Eric Dumazet, netfilter-devel, Florian Westphal

On Sun, 2016-11-20 at 12:22 -0500, Eric D wrote:
> I'm currently abroad for work and will come back home soon. I will
> test the solution and provide feedback to Florian by end of week.
> 
> Thanks for jumping on this quickly.
> 
> Eric
> 
> 
> On Nov 20, 2016 7:33 AM, "Eric Dumazet" <eric.dumazet@gmail.com>
> wrote:
>         On Thu, 2016-11-17 at 01:07 +0100, Florian Westphal wrote:
>         
>         > +     if (state->mem == NULL) {
>         > +             state->mem = __alloc_percpu(PAGE_SIZE,
>         PAGE_SIZE);
>         > +             if (!state->mem)
>         > +                     return false;
>         > +     }
>         
>         This will fail on arches where PAGE_SIZE=65536
>         
>         percpu allocator limit is PCPU_MIN_UNIT_SIZE  ( 32 KB )
>         
>         So maybe use a smaller value like 4096 ?
>         
>         #define XT_PCPU_BLOC_SIZE 4096
>         
Thanks Eric, I will test the patch myself, because I believe we need it
asap ;)






* Re: netfilter question
  2016-11-20 17:31             ` Eric Dumazet
@ 2016-11-20 17:55               ` Eric Dumazet
  0 siblings, 0 replies; 30+ messages in thread
From: Eric Dumazet @ 2016-11-20 17:55 UTC (permalink / raw)
  To: Eric D; +Cc: Eric Dumazet, netfilter-devel, Florian Westphal

On Sun, 2016-11-20 at 09:31 -0800, Eric Dumazet wrote:

> Thanks Eric, I will test the patch myself, because I believe we need it
> asap ;)


Current net-next without Florian patch :

lpaa24:~# time for f in `seq 1 2000` ; do iptables -A FORWARD ; done

real	0m12.856s
user	0m0.590s
sys	0m11.131s


perf report ...; perf report ->

    47.45%  iptables  [kernel.kallsyms]  [k] pcpu_alloc_area                      
     8.49%  iptables  [kernel.kallsyms]  [k] memset_erms                          
     7.35%  iptables  [kernel.kallsyms]  [k] get_counters                         
     2.87%  iptables  [kernel.kallsyms]  [k] __memmove                            
     2.33%  iptables  [kernel.kallsyms]  [k] pcpu_alloc                           
     2.07%  iptables  [kernel.kallsyms]  [k] _find_next_bit.part.0                
     1.62%  iptables  xtables-multi      [.] 0x000000000001bb9d                   
     1.25%  iptables  [kernel.kallsyms]  [k] page_fault                           
     1.01%  iptables  [kernel.kallsyms]  [k] memcmp                               
     0.94%  iptables  [kernel.kallsyms]  [k] translate_table                      
     0.76%  iptables  [kernel.kallsyms]  [k] find_next_bit                        
     0.73%  iptables  [kernel.kallsyms]  [k] filemap_map_pages                    
     0.68%  iptables  [kernel.kallsyms]  [k] copy_user_enhanced_fast_string       
     0.54%  iptables  [kernel.kallsyms]  [k] __get_user_8                         
     0.54%  iptables  [kernel.kallsyms]  [k] clear_page_c_e                

After patch :

lpaa24:~# time for f in `seq 1 2000` ; do iptables -A FORWARD ; done

real	0m3.867s
user	0m0.559s
sys	0m2.216s

    22.15%  iptables  [kernel.kallsyms]  [k] get_counters                           
     5.85%  iptables  xtables-multi      [.] 0x000000000001bbac                     
     3.99%  iptables  [kernel.kallsyms]  [k] page_fault                             
     2.37%  iptables  [kernel.kallsyms]  [k] memcmp                                 
     2.19%  iptables  [kernel.kallsyms]  [k] copy_user_enhanced_fast_string         
     1.89%  iptables  [kernel.kallsyms]  [k] translate_table                        
     1.78%  iptables  [kernel.kallsyms]  [k] memset_erms                            
     1.74%  iptables  [kernel.kallsyms]  [k] clear_page_c_e                         
     1.73%  iptables  [kernel.kallsyms]  [k] __get_user_8                           
     1.72%  iptables  [kernel.kallsyms]  [k] perf_iterate_ctx                       
     1.21%  iptables  [kernel.kallsyms]  [k] handle_mm_fault                        
     0.98%  iptables  [kernel.kallsyms]  [k] unmap_page_range          

So this is a huge win. And I suspect the data path will also gain from all
pcpu counters being in the same area of memory (this is where I am very interested).



