- 10 Dec, 2018 1 commit
-
-
Colin Ian King authored
Trivial fix to clean up indentation issue, remove an extraneous space. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
- 28 Nov, 2018 1 commit
-
-
Florian Westphal authored
Dan Carpenter reports following static checker warning:
 net/xfrm/xfrm_policy.c:1316 xfrm_hash_rebuild()
 warn: 'dir' is out of bounds '3' vs '2'

 |  1280          /* reset the bydst and inexact table in all directions */
 |  1281          xfrm_hash_reset_inexact_table(net);
 |  1282
 |  1283          for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
 |                              ^^^^^^^^^^^^^^^^^^^^^
 |dir == XFRM_POLICY_MAX at the end of this loop.
 |  1304          /* re-insert all policies by order of creation */
 |  1305          list_for_each_entry_reverse(policy, &net->xfrm.policy_all, walk.all) {
 [..]
 |  1314                                            xfrm_policy_id2dir(policy->index));
 |  1315                  if (!chain) {
 |  1316                          void *p = xfrm_policy_inexact_insert(policy, dir, 0);

Fix this by updating 'dir' based on current policy. Otherwise, the inexact policies won't be found anymore during lookup, as they get hashed to a bogus bin.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Fixes: cc1bb845 ("xfrm: policy: return NULL when inexact search needed") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
- 22 Nov, 2018 1 commit
-
-
Li RongQing authored
if loopback_idev is NULL pointer, and the following access of loopback_idev will trigger panic, which is same as BUG_ON Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
- 15 Nov, 2018 3 commits
-
-
Florian Westphal authored
Colin Ian King says:
 Static analysis with CoverityScan found a potential issue [..]
 It seems that pointer pol is set to NULL and then a check to see if it is non-null is used to set pol to tmp; however, this check is always going to be false because pol is always NULL.

Fix this and update test script to catch this. Updated script only:

 ./xfrm_policy.sh ; echo $?
 RTNETLINK answers: No such file or directory
 FAIL: ip -net ns3 xfrm policy get src 10.0.1.0/24 dst 10.0.2.0/24 dir out
 RTNETLINK answers: No such file or directory
 [..]
 PASS: policy before exception matches
 PASS: ping to .254 bypassed ipsec tunnel
 PASS: direct policy matches
 PASS: policy matches
 1

Fixes: 6be3b0db ("xfrm: policy: add inexact policy search tree infrastructure") Reported-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Colin Ian King authored
There is a missing indentation before the goto statement. Add it. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Colin Ian King authored
There is an indentation issue before the declaration of xfrm_ctx. Remove spaces and replace with a tab. Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
- 09 Nov, 2018 34 commits
-
-
Florian Westphal authored
This adds the fourth and final search class, containing policies where both saddr and daddr have prefix lengths (i.e., not wildcards).

Inexact policies now end up in one of the following four search classes:

 1. "Any:Any" list, containing policies where both saddr and daddr are wildcards or have very coarse prefixes, e.g. 10.0.0.0/8 and the like.
 2. "saddr:any" list, containing policies with a fixed saddr/prefixlen, but without destination restrictions. These lists are stored in rbtree nodes; each node contains those policies matching saddr/prefixlen.
 3. "Any:daddr" list. Similar to 2), except for policies where only the destinations are specified.
 4. "saddr:daddr" lists, containing only those policies that match the given source/destination network. The root of the saddr/daddr nodes gets stored in the nodes of the 'daddr' tree.

This diagram illustrates the list classes, and their placement in the lookup hierarchy:

    xfrm_pol_inexact_bin = hash(dir,type,family,if_id);
      |
      +---- root_d: sorted by daddr:prefix
      |                 |
      |        xfrm_pol_inexact_node
      |                 |
      |                 +- root: sorted by saddr/prefix
      |                 |              |
      |                 |         xfrm_pol_inexact_node
      |                 |              |
      |                 |              + root: unused
      |                 |              |
      |                 |              + hhead: saddr:daddr policies
      |                 |
      |                 +- coarse policies and all any:daddr policies
      |
      +---- root_s: sorted by saddr:prefix
      |                 |
      |        xfrm_pol_inexact_node
      |                 |
      |                 + root: unused
      |                 |
      |                 + hhead: saddr:any policies
      |
      +---- coarse policies and all any:any policies

lookup for an inexact policy returns pointers to the four relevant list classes, after which each of the lists needs to be searched for the policy with the higher priority.

This will only speed up lookups in case we have many policies and a sizeable portion of these have disjunct saddr/daddr addresses.

Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
This adds the 'saddr:any' search class. It contains all policies that have a fixed saddr/prefixlen, but 'any' destination. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
validate the re-inserted policies match the lookup node. Policies that fail this test won't be returned in the candidate set. This is enabled by default for now, it should not cause noticeable reinsert slow down. Such reinserts are needed when we have to merge an existing node (e.g. for 10.0.0.0/28) because an overlapping subnet was added (e.g. 10.0.0.0/24), so whenever this happens existing policies have to be placed on the list of the new node. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
This adds inexact lists per destination network, stored in a search tree. Inexact lookups now return two 'candidate lists', the 'any' policies ('any' destinations), and a list of policies that share same daddr/prefix. Next patch will add a second search tree for 'saddr:any' policies so we can avoid placing those on the 'any:any' list too. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
At this time inexact policies are all searched in-order until the first match is found. After removal of the flow cache, this resolution has to be performed for every packet, resulting in major slowdown when number of inexact policies is high. This adds infrastructure to later sort inexact policies into a tree. This only introduces a single class: any:any. Next patch will add a search tree to pre-sort policies that have a fixed daddr/prefixlen, so in this patch the any:any class will still be used for all policies. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
This avoids searches of policies that cannot match in the first place due to different interface id by placing them in different bins. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
Switch packet-path lookups for inexact policies to rhashtable. In this initial version, we now no longer need to search policies with non-matching address family and type. Next patch will add the if_id as well so lookups from the xfrm interface driver only need to search inexact policies for that device. Future patches will augment the hlist in each rhash bucket with a tree and pre-sort policies according to daddr/prefix. A single rhashtable is used. In order to avoid a full rhashtable walk on netns exit, the bins get placed on a pernet list, i.e. we add almost no cost for network namespaces that had no xfrm policies. The inexact lists are kept in place, and policies are added to both the per-rhash-inexact list and a pernet one. The latter is needed for the control plane to handle migrate -- these requests do not consider the if_id, so if we'd remove the inexact_list now we would have to search all hash buckets and then figure out which matching policy candidate is the most recent one -- this appears a bit harder than just keeping the 'old' inexact list for this purpose. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
currently policy_hash_bysel() returns the hash bucket list (for exact policies), or the inexact list (when policy uses a prefix). Searching this inexact list is slow, so it might be better to pre-sort inexact lists into a tree or another data structure for faster searching. However, due to 'any' policies, that need to be searched in any case, doing so will require that 'inexact' policies need to be handled specially to decide the best search strategy. So change hash_bysel() and return NULL if the policy can't be handled via the policy hash table. Right now, we simply use the inexact list when this happens, but future patch can then implement a different strategy. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
... so we can reuse this later without code duplication when we add policy to a second inexact list. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
currently all non-socket policies are either hashed in the dst table, or placed on the 'inexact list'. When flushing, we first walk the table, then the (per-direction) inexact lists. When we try and get rid of the inexact lists to having "n" inexact lists (e.g. per-af inexact lists, or sorted into a tree), this walk would become more complicated. Simplify this: walk the 'all' list and skip socket policies during traversal so we don't need to handle exact and inexact policies separately anymore. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Florian Westphal authored
add a script that adds an ipsec tunnel between two network namespaces plus following policies:

 .0/24 -> ipsec tunnel
 .240/28 -> bypass
 .253/32 -> ipsec tunnel

Then check that .254 bypasses tunnel (match /28 exception), and .2 (match /24) and .253 (match direct policy) pass through the tunnel.

Abuses iptables to check if ping did resolve an ipsec policy or not. Also adds a bunch of 'block' rules that are not supposed to match.

Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
-
Edward Cree authored
As added in 3e59020a ("net: bql: add __netdev_tx_sent_queue()"), which see for performance rationale. Signed-off-by: Edward Cree <ecree@solarflare.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Michał Mirosław says:
====================
net: Remove VLAN_TAG_PRESENT from drivers

This series removes VLAN_TAG_PRESENT use from network drivers in preparation to removing its special meaning.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michał Mirosław authored
Reviewed-by: Claudiu Manoil <claudiu.manoil@nxp.com> Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michał Mirosław authored
This is a minimal change to allow removing of VLAN_TAG_PRESENT. It leaves OVS unable to use CFI bit, as fixing this would need a deeper surgery involving userspace interface. Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michał Mirosław authored
This just removes VLAN_TAG_PRESENT use. VLAN TCI=0 special meaning is deeply embedded in the driver code and so is left as is. Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michał Mirosław authored
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ilias Apalodimas authored
return -ENOMEM directly instead of assigning it in a variable Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ilias Apalodimas authored
Current driver dynamically allocates an skb and maps it as DMA Rx buffer. In order to prepare for upcoming XDP changes, let's introduce a different allocation scheme. Buffers are allocated dynamically and mapped into hardware. During the Rx operation the driver uses build_skb() to produce the necessary buffers for the network stack. This change increases performance ~15% on 64b packets with smmu disabled and ~5% with smmu enabled Signed-off-by: Ilias Apalodimas <ilias.apalodimas@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Stefan Wahren authored
Interferences on the SPI line could distort the response of available buffer space. So at least we should check that the response doesn't exceed the maximum available buffer space. In error case increase a new error counter and retry it later. This behavior avoids buffer errors in the QCA7000, which results in an unnecessary chip reset including packet loss. Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David Barmann authored
When setting the SO_MARK socket option, if the mark changes, the dst needs to be reset so that a new route lookup is performed. This fixes the case where an application wants to change routing by setting a new sk_mark. If this is done after some packets have already been sent, the dst is cached and has no effect. Signed-off-by: David Barmann <david.barmann@stackpath.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Julian Wiedmann says:
====================
s390/qeth: updates 2018-11-08

please apply the following qeth patches to net-next. The first patch allows one more device type to query the FW for a MAC address, the others are all basically just removal of duplicated or unused code.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julian Wiedmann authored
qeth_l3_setup_netdev() checks if the hsuid attribute is set on the qeth device, and propagates it to the net_device. In the past this was needed to pick up any hsuid that was set before allocation of the net_device. With commit d3d1b205 ("s390/qeth: allocate netdevice early") this is no longer necessary, qeth_l3_dev_hsuid_store() always stores the hsuid straight into dev->perm_addr. Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julian Wiedmann authored
If the CREATE ADDR sent by qeth_l3_iqd_read_initial_mac() fails, its callback sets a random MAC address on the net_device. The error then propagates back, and qeth_l3_setup_netdev() bails out without registering the net_device. Any subsequent call to qeth_l3_setup_netdev() will then attempt a fresh CREATE ADDR which either 1) also fails, or 2) sets a proper MAC address on the net_device. Consequently, the net_device will never be registered with a random MAC and we can drop the fallback code. Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julian Wiedmann authored
qeth_l3_send_ipa_arp_cmd() is merely a wrapper around qeth_send_control_data() now. So push the length adjustment into QETH_SETASS_BASE_LEN, and remove the wrapper. While at it, also remove some redundant 0-initializations. qeth_send_setassparms() requires that callers prepare their command parameters, so that they can be copied into the parameter area in one go. Skip the indirection, and just let callers set up the command themselves. Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julian Wiedmann authored
Call qeth_prepare_ipa_cmd() during setup of a new IPA cmd buffer, so that it is used for all commands. Thus ARP and SNMP requests don't have to do their own initialization. This will now also set the proper MPC protocol version for SNMP requests on L2 devices. Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julian Wiedmann authored
Re-implement the card-by-RDEV lookup by using device model concepts, and remove the now redundant list of all qeth card instances in the system. Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julian Wiedmann authored
Since commit 82bf5c08 ("s390/qeth: add support for IPv6 TSO"), qeth_xmit() also knows how to build TSO packets and is practically identical to qeth_l3_xmit(). Convert qeth_l3_xmit() into a thin wrapper that merely strips the L2 header off a packet, and calls qeth_xmit() for the actual TX processing. Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julian Wiedmann authored
Filling the HW header from one single function will make it easier to rip out all the duplicated transmit code in qeth_l3_xmit(). On top, this saves one conditional branch in the TSO path. Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Julian Wiedmann authored
By default, READ MAC on a Layer2 OSD device returns the adapter's burnt-in MAC address. Given the default scenario of many virtual devices on the same adapter, qeth can't make any use of this address and therefore skips the READ MAC call for this device type. But in some configurations, the READ MAC command for a Layer2 OSD device actually returns a pre-provisioned, virtual MAC address. So enable the READ MAC code to detect this situation, and let the L2 subdriver call READ MAC for OSD devices. This also removes the QETH_LAYER2_MAC_READ flag, which protects L2 devices against calling READ MAC multiple times. Instead protect the whole call to qeth_l2_request_initial_mac(). Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Li RongQing authored
if local is NULL pointer, and the following access of local's dev will trigger panic, which is same as BUG_ON Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Stefano Brivio says:
====================
ICMP error handling for UDP tunnels

This series introduces ICMP error handling for UDP tunnels and encapsulations and related selftests. We need to handle ICMP errors to support PMTU discovery and route redirection -- this support is entirely missing right now:

  - patch 1/11 adds a socket lookup for UDP tunnels that use, by design, the same destination port on both endpoints -- i.e. VXLAN and GENEVE
  - patches 2/11 to 7/11 are specific to VxLAN and GENEVE
  - patches 8/11 and 9/11 add infrastructure for lookup of encapsulations where sent packets cannot be matched via receiving socket lookup, i.e. FoU and GUE
  - patches 10/11 and 11/11 are specific to FoU and GUE

v2: changes are listed in the single patches
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Stefano Brivio authored
Introduce eight tests, for FoU and GUE, with IPv4 and IPv6 payload, on IPv4 and IPv6 transport, that check that PMTU exceptions are created with the right value when exceeding the MTU on a link of the path. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Stefano Brivio authored
As the destination port in FoU and GUE receiving sockets doesn't necessarily match the remote destination port, we can't associate errors to the encapsulating tunnels with a socket lookup -- we need to blindly try them instead. This means we don't even know if we are handling errors for FoU or GUE without digging into the packets. Hence, implement a single handler for both, one for IPv4 and one for IPv6, that will check whether the packet that generated the ICMP error used a direct IP encapsulation or if it had a GUE header, and send the error to the matching protocol handler, if any. Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Sabrina Dubroca <sd@queasysnail.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-