GET /api/patches/809410/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 809410,
    "url": "http://patchwork.ozlabs.org/api/patches/809410/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/1504477763-12205-1-git-send-email-pablo@netfilter.org/",
    "project": {
        "id": 7,
        "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api",
        "name": "Linux network development",
        "link_name": "netdev",
        "list_id": "netdev.vger.kernel.org",
        "list_email": "netdev@vger.kernel.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<1504477763-12205-1-git-send-email-pablo@netfilter.org>",
    "list_archive_url": null,
    "date": "2017-09-03T22:28:56",
    "name": "[20/47] netfilter: conntrack: do not enable connection tracking unless needed",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": true,
    "hash": "0f5ba3f6285cee76fb5dcc494b8c69df9b02b2e6",
    "submitter": {
        "id": 1315,
        "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api",
        "name": "Pablo Neira Ayuso",
        "email": "pablo@netfilter.org"
    },
    "delegate": {
        "id": 34,
        "url": "http://patchwork.ozlabs.org/api/users/34/?format=api",
        "username": "davem",
        "first_name": "David",
        "last_name": "Miller",
        "email": "davem@davemloft.net"
    },
    "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/1504477763-12205-1-git-send-email-pablo@netfilter.org/mbox/",
    "series": [
        {
            "id": 1281,
            "url": "http://patchwork.ozlabs.org/api/series/1281/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=1281",
            "date": "2017-09-03T22:25:42",
            "name": "[01/47] netfilter: expect: add to hash table after expect init",
            "version": 1,
            "mbox": "http://patchwork.ozlabs.org/series/1281/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/809410/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/809410/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<netdev-owner@vger.kernel.org>",
        "X-Original-To": "patchwork-incoming@ozlabs.org",
        "Delivered-To": "patchwork-incoming@ozlabs.org",
        "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)",
        "Received": [
            "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xlnj02kQ3z9s8J\n\tfor <patchwork-incoming@ozlabs.org>;\n\tMon,  4 Sep 2017 08:29:40 +1000 (AEST)",
            "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1753020AbdICW3g (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tSun, 3 Sep 2017 18:29:36 -0400",
            "from mail.us.es ([193.147.175.20]:51456 \"EHLO mail.us.es\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1753005AbdICW3f (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tSun, 3 Sep 2017 18:29:35 -0400",
            "from antivirus1-rhel7.int (unknown [192.168.2.11])\n\tby mail.us.es (Postfix) with ESMTP id 6F08A190F60\n\tfor <netdev@vger.kernel.org>; Mon,  4 Sep 2017 00:29:08 +0200 (CEST)",
            "from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 59354B502A\n\tfor <netdev@vger.kernel.org>; Mon,  4 Sep 2017 00:29:08 +0200 (CEST)",
            "by antivirus1-rhel7.int (Postfix, from userid 99)\n\tid 4EB90B5026; Mon,  4 Sep 2017 00:29:08 +0200 (CEST)",
            "from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 11EB1B502C;\n\tMon,  4 Sep 2017 00:29:06 +0200 (CEST)",
            "from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int\n\t(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); \n\tMon, 04 Sep 2017 00:29:06 +0200 (CEST)",
            "from salvia.here (unknown [31.4.193.113])\n\t(Authenticated sender: pneira@us.es)\n\tby entrada.int (Postfix) with ESMTPA id D95144265A25;\n\tMon,  4 Sep 2017 00:29:03 +0200 (CEST)"
        ],
        "X-Spam-Checker-Version": "SpamAssassin 3.4.1 (2015-04-28) on\n\tantivirus1-rhel7.int",
        "X-Spam-Level": "",
        "X-Spam-Status": "No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50,\n\tSMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled version=3.4.1",
        "X-Virus-Status": "clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int)",
        "X-SMTPAUTHUS": "auth mail.us.es",
        "From": "Pablo Neira Ayuso <pablo@netfilter.org>",
        "To": "netfilter-devel@vger.kernel.org",
        "Cc": "davem@davemloft.net, netdev@vger.kernel.org",
        "Subject": "[PATCH 20/47] netfilter: conntrack: do not enable connection\n\ttracking unless needed",
        "Date": "Mon,  4 Sep 2017 00:28:56 +0200",
        "Message-Id": "<1504477763-12205-1-git-send-email-pablo@netfilter.org>",
        "X-Mailer": "git-send-email 2.1.4",
        "X-Virus-Scanned": "ClamAV using ClamSMTP",
        "Sender": "netdev-owner@vger.kernel.org",
        "Precedence": "bulk",
        "List-ID": "<netdev.vger.kernel.org>",
        "X-Mailing-List": "netdev@vger.kernel.org"
    },
    "content": "From: Florian Westphal <fw@strlen.de>\n\nDiscussion during NFWS 2017 in Faro has shown that the current\nconntrack behaviour is unreasonable.\n\nEven if conntrack module is loaded on behalf of a single net namespace,\nits turned on for all namespaces, which is expensive.  Commit\n481fa373476 (\"netfilter: conntrack: add nf_conntrack_default_on sysctl\")\nattempted to provide an alternative to the 'default on' behaviour by\nadding a sysctl to change it.\n\nHowever, as Eric points out, the sysctl only becomes available\nonce the module is loaded, and then its too late.\n\nSo we either have to move the sysctl to the core, or, alternatively,\nchange conntrack to become active only once the rule set requires this.\n\nThis does the latter, conntrack is only enabled when a rule needs it.\n\nReported-by: Eric Dumazet <edumazet@google.com>\nSigned-off-by: Florian Westphal <fw@strlen.de>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n Documentation/networking/nf_conntrack-sysctl.txt | 11 ---------\n include/net/netfilter/nf_conntrack_l3proto.h     | 15 ------------\n net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c   | 16 ++-----------\n net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c   | 17 ++------------\n net/netfilter/nf_conntrack_proto.c               | 29 ------------------------\n net/netfilter/nf_conntrack_standalone.c          | 10 --------\n 6 files changed, 4 insertions(+), 94 deletions(-)",
    "diff": "diff --git a/Documentation/networking/nf_conntrack-sysctl.txt b/Documentation/networking/nf_conntrack-sysctl.txt\nindex 497d668288f9..433b6724797a 100644\n--- a/Documentation/networking/nf_conntrack-sysctl.txt\n+++ b/Documentation/networking/nf_conntrack-sysctl.txt\n@@ -96,17 +96,6 @@ nf_conntrack_max - INTEGER\n \tSize of connection tracking table.  Default value is\n \tnf_conntrack_buckets value * 4.\n \n-nf_conntrack_default_on - BOOLEAN\n-\t0 - don't register conntrack in new net namespaces\n-\t1 - register conntrack in new net namespaces (default)\n-\n-\tThis controls wheter newly created network namespaces have connection\n-\ttracking enabled by default.  It will be enabled automatically\n-\tregardless of this setting if the new net namespace requires\n-\tconnection tracking, e.g. when NAT rules are created.\n-\tThis setting is only visible in initial user namespace, it has no\n-\teffect on existing namespaces.\n-\n nf_conntrack_tcp_be_liberal - BOOLEAN\n \t0 - disabled (default)\n \tnot 0 - enabled\ndiff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h\nindex 6d14b36e3a49..1b8de164d744 100644\n--- a/include/net/netfilter/nf_conntrack_l3proto.h\n+++ b/include/net/netfilter/nf_conntrack_l3proto.h\n@@ -73,21 +73,6 @@ struct nf_conntrack_l3proto {\n \n extern struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[NFPROTO_NUMPROTO];\n \n-#ifdef CONFIG_SYSCTL\n-/* Protocol pernet registration. */\n-int nf_ct_l3proto_pernet_register(struct net *net,\n-\t\t\t\t  struct nf_conntrack_l3proto *proto);\n-#else\n-static inline int nf_ct_l3proto_pernet_register(struct net *n,\n-\t\t\t\t\t\tstruct nf_conntrack_l3proto *p)\n-{\n-\treturn 0;\n-}\n-#endif\n-\n-void nf_ct_l3proto_pernet_unregister(struct net *net,\n-\t\t\t\t     struct nf_conntrack_l3proto *proto);\n-\n /* Protocol global registration. 
*/\n int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto);\n void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto);\ndiff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c\nindex 63e4ea0e01f8..de5f0e6ddd1b 100644\n--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c\n+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c\n@@ -398,24 +398,12 @@ static struct nf_conntrack_l4proto *builtin_l4proto4[] = {\n \n static int ipv4_net_init(struct net *net)\n {\n-\tint ret = 0;\n-\n-\tret = nf_ct_l4proto_pernet_register(net, builtin_l4proto4,\n-\t\t\t\t\t    ARRAY_SIZE(builtin_l4proto4));\n-\tif (ret < 0)\n-\t\treturn ret;\n-\tret = nf_ct_l3proto_pernet_register(net, &nf_conntrack_l3proto_ipv4);\n-\tif (ret < 0) {\n-\t\tpr_err(\"nf_conntrack_ipv4: pernet registration failed\\n\");\n-\t\tnf_ct_l4proto_pernet_unregister(net, builtin_l4proto4,\n-\t\t\t\t\t\tARRAY_SIZE(builtin_l4proto4));\n-\t}\n-\treturn ret;\n+\treturn nf_ct_l4proto_pernet_register(net, builtin_l4proto4,\n+\t\t\t\t\t     ARRAY_SIZE(builtin_l4proto4));\n }\n \n static void ipv4_net_exit(struct net *net)\n {\n-\tnf_ct_l3proto_pernet_unregister(net, &nf_conntrack_l3proto_ipv4);\n \tnf_ct_l4proto_pernet_unregister(net, builtin_l4proto4,\n \t\t\t\t\tARRAY_SIZE(builtin_l4proto4));\n }\ndiff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c\nindex f2d2f4a9294b..ddef5ee9e0a8 100644\n--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c\n+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c\n@@ -398,25 +398,12 @@ static struct nf_conntrack_l4proto *builtin_l4proto6[] = {\n \n static int ipv6_net_init(struct net *net)\n {\n-\tint ret = 0;\n-\n-\tret = nf_ct_l4proto_pernet_register(net, builtin_l4proto6,\n-\t\t\t\t\t    ARRAY_SIZE(builtin_l4proto6));\n-\tif (ret < 0)\n-\t\treturn ret;\n-\n-\tret = nf_ct_l3proto_pernet_register(net, &nf_conntrack_l3proto_ipv6);\n-\tif (ret < 0) 
{\n-\t\tpr_err(\"nf_conntrack_ipv6: pernet registration failed.\\n\");\n-\t\tnf_ct_l4proto_pernet_unregister(net, builtin_l4proto6,\n-\t\t\t\t\t\tARRAY_SIZE(builtin_l4proto6));\n-\t}\n-\treturn ret;\n+\treturn nf_ct_l4proto_pernet_register(net, builtin_l4proto6,\n+\t\t\t\t\t     ARRAY_SIZE(builtin_l4proto6));\n }\n \n static void ipv6_net_exit(struct net *net)\n {\n-\tnf_ct_l3proto_pernet_unregister(net, &nf_conntrack_l3proto_ipv6);\n \tnf_ct_l4proto_pernet_unregister(net, builtin_l4proto6,\n \t\t\t\t\tARRAY_SIZE(builtin_l4proto6));\n }\ndiff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c\nindex 1dcad229c3cc..7c89dade6fd3 100644\n--- a/net/netfilter/nf_conntrack_proto.c\n+++ b/net/netfilter/nf_conntrack_proto.c\n@@ -238,20 +238,6 @@ int nf_ct_l3proto_register(struct nf_conntrack_l3proto *proto)\n }\n EXPORT_SYMBOL_GPL(nf_ct_l3proto_register);\n \n-#ifdef CONFIG_SYSCTL\n-extern unsigned int nf_conntrack_default_on;\n-\n-int nf_ct_l3proto_pernet_register(struct net *net,\n-\t\t\t\t  struct nf_conntrack_l3proto *proto)\n-{\n-\tif (nf_conntrack_default_on == 0)\n-\t\treturn 0;\n-\n-\treturn proto->net_ns_get ? 
proto->net_ns_get(net) : 0;\n-}\n-EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_register);\n-#endif\n-\n void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto)\n {\n \tBUG_ON(proto->l3proto >= NFPROTO_NUMPROTO);\n@@ -270,21 +256,6 @@ void nf_ct_l3proto_unregister(struct nf_conntrack_l3proto *proto)\n }\n EXPORT_SYMBOL_GPL(nf_ct_l3proto_unregister);\n \n-void nf_ct_l3proto_pernet_unregister(struct net *net,\n-\t\t\t\t     struct nf_conntrack_l3proto *proto)\n-{\n-\t/*\n-\t * nf_conntrack_default_on *might* have registered hooks.\n-\t * ->net_ns_put must cope with more puts() than get(), i.e.\n-\t * if nf_conntrack_default_on was 0 at time of\n-\t * nf_ct_l3proto_pernet_register invocation this net_ns_put()\n-\t * should be a noop.\n-\t */\n-\tif (proto->net_ns_put)\n-\t\tproto->net_ns_put(net);\n-}\n-EXPORT_SYMBOL_GPL(nf_ct_l3proto_pernet_unregister);\n-\n static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,\n \t\t\t\t\t      struct nf_conntrack_l4proto *l4proto)\n {\ndiff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c\nindex ccb5cb9043e0..5b6c675d55b1 100644\n--- a/net/netfilter/nf_conntrack_standalone.c\n+++ b/net/netfilter/nf_conntrack_standalone.c\n@@ -452,9 +452,6 @@ static int log_invalid_proto_max __read_mostly = 255;\n /* size the user *wants to set */\n static unsigned int nf_conntrack_htable_size_user __read_mostly;\n \n-extern unsigned int nf_conntrack_default_on;\n-unsigned int nf_conntrack_default_on __read_mostly = 1;\n-\n static int\n nf_conntrack_hash_sysctl(struct ctl_table *table, int write,\n \t\t\t void __user *buffer, size_t *lenp, loff_t *ppos)\n@@ -520,13 +517,6 @@ static struct ctl_table nf_ct_sysctl_table[] = {\n \t\t.mode\t\t= 0644,\n \t\t.proc_handler\t= proc_dointvec,\n \t},\n-\t{\n-\t\t.procname\t= \"nf_conntrack_default_on\",\n-\t\t.data\t\t= &nf_conntrack_default_on,\n-\t\t.maxlen\t\t= sizeof(unsigned int),\n-\t\t.mode\t\t= 0644,\n-\t\t.proc_handler\t= proc_dointvec,\n-\t},\n \t{ 
}\n };\n \n",
    "prefixes": [
        "20/47"
    ]
}