- 15 Apr, 2019 1 commit
-
-
Stephen Rothwell authored
After merging the netfilter-next tree, today's linux-next build (powerpc ppc44x_defconfig) failed like this: In file included from net/bridge/br_input.c:19: include/net/netfilter/nf_queue.h:16:23: error: field 'state' has incomplete type struct nf_hook_state state; ^~~~~ Fixes: 971502d7 ("bridge: netfilter: unroll NF_HOOK helper in bridge input path") Signed-off-by:Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>
-
- 11 Apr, 2019 7 commits
-
-
Florian Westphal authored
This makes broute a normal ebtables table, hooking at PREROUTING. The broute hook is removed. It uses skb->cb to signal to bridge rx handler that the skb should be routed instead of being bridged. This change is backwards compatible with ebtables as no userspace visible parts are changed. This means we can also remove the !ops test in ebt_register_table, it was only there for broute table sake. Signed-off-by:
Florian Westphal <fw@strlen.de> Acked-by:
David S. Miller <davem@davemloft.net> Acked-by:
Nikolay Aleksandrov <nikolay@cumulusnetworks.com> Signed-off-by:
-
Florian Westphal authored
Replace NF_HOOK() based invocation of the netfilter hooks with a private copy of nf_hook_slow(). This copy has one difference: it can return the rx handler value expected by the stack, i.e. RX_HANDLER_CONSUMED or RX_HANDLER_PASS. This is needed by the next patch to invoke the ebtables "broute" table via the standard netfilter hooks rather than the custom "br_should_route_hook" indirection that is used now. When the skb is to be "brouted", we must return RX_HANDLER_PASS from the bridge rx input handler, but there is no way to indicate this via NF_HOOK(), unless perhaps by some hack such as exposing bridge_cb in the netfilter core or a percpu flag. text data bss dec filename 3369 56 0 3425 net/bridge/br_input.o.before 3458 40 0 3498 net/bridge/br_input.o.after This allows removal of the "br_should_route_hook" in the next patch. Signed-off-by:
-
Florian Westphal authored
Reduce size of br_input_skb_cb from 24 to 16 bytes by using bitfield for those values that can only be 0 or 1. igmp is the igmp type value, so it needs to be at least u8. Furthermore, the bridge currently relies on step-by-step initialization of br_input_skb_cb fields as the skb passes through the stack. Explicitly zero out the bridge input cb instead, this avoids having to review/validate that no BR_INPUT_SKB_CB(skb)->foo test can see a 'random' value from previous protocol cb. AFAICS all current fields are always set up before they are read again, so this is not a bug fix. Signed-off-by:
-
Florian Westphal authored
ebtables -t broute allows to redirect packets in a way that they get pushed up the stack, even if the interface is part of a bridge. In case of IP packets to non-local address, this means those IP packets are routed instead of bridged-forwarded, just as if the bridge would not have existed. Expected test output is: PASS: netns connectivity: ns1 and ns2 can reach each other PASS: ns1/ns2 connectivity with active broute rule PASS: ns1/ns2 connectivity with active broute rule and bridge forward drop Signed-off-by:
-
Florian Westphal authored
Only reason for having two different register functions was because of ipt_MASQUERADE and ip6t_MASQUERADE being two different modules. Previous patch merged those into xt_MASQUERADE, so we can merge this too. Signed-off-by:
-
Florian Westphal authored
No need to have separate modules for this. before: text data bss dec filename 2038 1168 0 3206 net/ipv4/netfilter/ipt_MASQUERADE.ko 1526 1024 0 2550 net/ipv6/netfilter/ip6t_MASQUERADE.ko after: text data bss dec filename 2521 1296 0 3817 net/netfilter/xt_MASQUERADE.ko Signed-off-by:
-
Florian Westphal authored
Both are now implemented by nf_nat_masquerade.c, so no need to keep different headers. Signed-off-by:
-
- 08 Apr, 2019 24 commits
-
-
Florian Westphal authored
They have no external callers anymore. Signed-off-by:
-
Fernando Fernandez Mancera authored
Add version option support to the nftables "osf" expression. Signed-off-by:
Fernando Fernandez Mancera <ffmancera@riseup.net> Signed-off-by:
-
Florian Westphal authored
With older nft versions, this will cause: [..] PASS: ipv6 ping to ns1 was ip6 NATted to ns2 /dev/stdin:4:30-31: Error: syntax error, unexpected to, expecting newline or semicolon ip daddr 10.0.1.99 dnat ip to 10.0.2.99 ^^ SKIP: inet nat tests PASS: ip IP masquerade for ns2 [..] as there is currently no way to detect if nft will be able to parse the inet format. redirect and masquerade tests need to be skipped in this case for inet too because nft userspace has overzealous family check and rejects their use in the inet family. Signed-off-by: -
Florian Westphal authored
allows to redirect both ipv4 and ipv6 with a single rule in an inet nat table. Signed-off-by:
-
Florian Westphal authored
This allows use of a single masquerade rule in nat inet family to handle both ipv4 and ipv6. Signed-off-by:
-
Florian Westphal authored
NF_NAT_NEEDED is true whenever nat support for either ipv4 or ipv6 is enabled. Now that the af-specific nat configuration switches have been removed, IS_ENABLED(CONFIG_NF_NAT) has the same effect. Signed-off-by:
-
Florian Westphal authored
very little code, so it really doesn't make sense to have extra modules or even a kconfig knob for this. Merge them and make functionality available unconditionally. The merge makes inet family route support trivial, so add it as well here. Before: text data bss dec hex filename 835 832 0 1667 683 nft_chain_route_ipv4.ko 870 832 0 1702 6a6 nft_chain_route_ipv6.ko 111568 2556 529 114653 1bfdd nf_tables.ko After: text data bss dec hex filename 113133 2556 529 116218 1c5fa nf_tables.ko Signed-off-by: -
Florian Westphal authored
We need minimal support from the nat core for this, as we do not want to register additional base hooks. When an inet hook is registered, interally register ipv4 and ipv6 hooks for them and unregister those when inet hooks are removed. Signed-off-by:
-
Li RongQing authored
optimize nf_inet_addr_cmp by 64bit xor computation similar to ipv6_addr_equal() Signed-off-by:
Yuan Linsi <yuanlinsi01@baidu.com> Signed-off-by:
Li RongQing <lirongqing@baidu.com> Signed-off-by:
-
Jacky Hu authored
ipip packets are blocked in some public cloud environments, this patch allows gue encapsulation with the tunneling method, which would make tunneling working in those environments. Signed-off-by:
Jacky Hu <hengqing.hu@gmail.com> Acked-by:
Julian Anastasov <ja@ssi.bg> Signed-off-by:
Simon Horman <horms@verge.net.au> Signed-off-by:
-
Pablo Neira Ayuso authored
Use the output device from the route that we cache in the flowtable entry. Signed-off-by: -
YueHaibing authored
Fix sparse warning: net/netfilter/nft_redir.c:85:5: warning: symbol 'nft_redir_dump' was not declared. Should it be static? Signed-off-by:
YueHaibing <yuehaibing@huawei.com> Signed-off-by:
-
Colin Ian King authored
Function nf_tables_set_desc_parse parameter ctx is not being used so remove it as it is redundant. Signed-off-by:
Colin Ian King <colin.king@canonical.com> Signed-off-by:
-
Li RongQing authored
there is a similar helper in net/netfilter/nf_tables_api.c, this maybe become a common request someday, so move it to time.c Signed-off-by:
Zhang Yu <zhangyu31@baidu.com> Signed-off-by:
John Stultz <john.stultz@linaro.org> Signed-off-by:
-
Vishal Kulkarni authored
During hash filter programming, driver needs to return ENOSPC error intead of EAGAIN when TCAM is full. Signed-off-by:
Vishal Kulkarni <vishal@chelsio.com> Signed-off-by:
-
Alexandru Ardelean authored
This hook only implements a minimal set of ioctl hooks to be able to access MII regs by using phytool. When using this simple MAC controller, it's pretty difficult to do debugging of the PHY chip without checking MII regs. Signed-off-by:
Alexandru Ardelean <alexandru.ardelean@analog.com> Reviewed-by:
Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com> Signed-off-by:
-
Alexandru Ardelean authored
This set adds a minimal set of ethtool hooks to the driver, which provide a decent amount of link information via ethtool. With this change, running `ethtool ethX` in user-space provides all the neatly-formatted information about the link (what was negotiated, what is advertised, etc). Signed-off-by:
-
Paolo Abeni authored
After commit a297569f ("net/udp: do not touch skb->peeked unless really needed") the 'peeked' argument of __skb_try_recv_datagram() and friends is always equal to !!'flags & MSG_PEEK'. Since such argument is really a boolean info, and the callers have already 'flags & MSG_PEEK' handy, we can remove it and clean-up the code a bit. Signed-off-by:
Paolo Abeni <pabeni@redhat.com> Acked-by:
Willem de Bruijn <willemb@google.com> Signed-off-by:
-
Vlad Buslov authored
John reports: Recent refactoring of fl_change aims to use the classifier spinlock to avoid the need for rtnl lock. In doing so, the fl_hw_replace_filer() function was moved to before the lock is taken. This can create problems for drivers if duplicate filters are created (commmon in ovs tc offload due to filters being triggered by user-space matches). Drivers registered for such filters will now receive multiple copies of the same rule, each with a different cookie value. This means that the drivers would need to do a full match field lookup to determine duplicates, repeating work that will happen in flower __fl_lookup(). Currently, drivers do not expect to receive duplicate filters. To fix this, verify that filter with same key is not present in flower classifier hash table and insert the new filter to the flower hash table before offloading it to hardware. Implement helper function fl_ht_insert_unique() to atomically verify/insert a filter. This change makes filter visible to fast path at the beginning of fl_change() function, which means it can no longer be freed directly in case of error. Refactor fl_change() error handling code to deallocate the filter with rcu timeout. Fixes: 620da486 ("net: sched: flower: refactor fl_change") Reported-by:
John Hurley <john.hurley@netronome.com> Signed-off-by:
Vlad Buslov <vladbu@mellanox.com> Acked-by:
Jiri Pirko <jiri@mellanox.com> Signed-off-by:
-
David S. Miller authored
NeilBrown says: ==================== Convert rhashtable to use bitlocks This series converts rhashtable to use a per-bucket bitlock rather than a separate array of spinlocks. This: reduces memory usage results in slightly fewer memory accesses slightly improves parallelism makes a configuration option unnecessary The main change from previous version is to use a distinct type for the pointer in the bucket which has a bit-lock in it. This helped find two places where rht_ptr() was missed, one in rhashtable_free_and_destroy() in print_ht in the test code. ==================== Signed-off-by: -
NeilBrown authored
Native bit_spin_locks are not tracked by lockdep. The bit_spin_locks used for rhashtable buckets are local to the rhashtable implementation, so there is little opportunity for the sort of misuse that lockdep might detect. However locks are held while a hash function or compare function is called, and if one of these took a lock, a misbehaviour is possible. As it is quite easy to add lockdep support this unlikely possibility seems to be enough justification. So create a lockdep class for bucket bit_spin_lock and attach through a lockdep_map in each bucket_table. Without the 'nested' annotation in rhashtable_rehash_one(), lockdep correctly reports a possible problem as this lock is taken while another bucket lock (in another table) is held. This confirms that the added support works. With the correct nested annotation in place, lockdep reports no problems. Signed-off-by:
NeilBrown <neilb@suse.com> Signed-off-by:
-
NeilBrown authored
This patch changes rhashtables to use a bit_spin_lock on BIT(1) of the bucket pointer to lock the hash chain for that bucket. The benefits of a bit spin_lock are: - no need to allocate a separate array of locks. - no need to have a configuration option to guide the choice of the size of this array - locking cost is often a single test-and-set in a cache line that will have to be loaded anyway. When inserting at, or removing from, the head of the chain, the unlock is free - writing the new address in the bucket head implicitly clears the lock bit. For __rhashtable_insert_fast() we ensure this always happens when adding a new key. - even when lockings costs 2 updates (lock and unlock), they are in a cacheline that needs to be read anyway. The cost of using a bit spin_lock is a little bit of code complexity, which I think is quite manageable. Bit spin_locks are sometimes inappropriate because they are not fair - if multiple CPUs repeatedly contend of the same lock, one CPU can easily be starved. This is not a credible situation with rhashtable. Multiple CPUs may want to repeatedly add or remove objects, but they will typically do so at different buckets, so they will attempt to acquire different locks. As we have more bit-locks than we previously had spinlocks (by at least a factor of two) we can expect slightly less contention to go with the slightly better cache behavior and reduced memory consumption. To enhance type checking, a new struct is introduced to represent the pointer plus lock-bit that is stored in the bucket-table. This is "struct rhash_lock_head" and is empty. A pointer to this needs to be cast to either an unsigned lock, or a "struct rhash_head *" to be useful. Variables of this type are most often called "bkt". Previously "pprev" would sometimes point to a bucket, and sometimes a ->next pointer in an rhash_head. As these are now different types, pprev is NULL when it would have pointed to the bucket. In that case, 'blk' is used, together with correct locking protocol. Signed-off-by:
-
NeilBrown authored
Rather than returning a pointer to a static nulls, rht_bucket_var() now returns NULL if the bucket doesn't exist. This will make the next patch, which stores a bitlock in the bucket pointer, somewhat cleaner. This change involves introducing __rht_bucket_nested() which is like rht_bucket_nested(), but doesn't provide the static nulls, and changing rht_bucket_nested() to call this and possible provide a static nulls - as is still needed for the non-var case. Signed-off-by:
-
NeilBrown authored
nested_table_alloc() relies on the fact that there is at most one spinlock allocated for every slot in the top level nested table, so it is not possible for two threads to try to allocate the same table at the same time. This assumption is a little fragile (it is not explicit) and is unnecessary as cmpxchg() can be used instead. A future patch will replace the spinlocks by per-bucket bitlocks, and then we won't be able to protect the slot pointer with a spinlock. So replace rcu_assign_pointer() with cmpxchg() - which has equivalent barrier properties. If it the cmp fails, free the table that was just allocated. Signed-off-by:
-
- 07 Apr, 2019 8 commits
-
-
David S. Miller authored
Murali Karicheri says: ==================== net: hsr: improvements and bug fixes This series has some coding style fixes and other bug fixes. Patch 12/14, I have also done SPDX conversion. Not sure if that is the only thing needed and is correct. So please pay close attention to this patch before merge as I would like to avoid any issue related to licensing applicable for this code. ==================== Signed-off-by: -
Aaron Kramer authored
HSR should forget nodes after configured node forget time expiry based on HSR_NODE_FORGET_TIME. As part of hsr_prune_nodes(), code checks to see if entries are to be flushed out if not heard for longer than forget time. But currently hsr_prune_nodes() is called only once during device creation. Restart the timer at the end of hsr_prune_nodes() so that hsr_prune_nodes() gets called periodically and forgotten entries are removed from node table. Signed-off-by:
Aaron Kramer <a-kramer@ti.com> Signed-off-by:
Murali Karicheri <m-karicheri2@ti.com> Signed-off-by:
-
Murali Karicheri authored
This adds a debugfs interface to allow display the nodes learned by the hsr master. Signed-off-by:
-
Murali Karicheri authored
Use SPDX-License-Identifier instead of a verbose license text. Signed-off-by:
-
Murali Karicheri authored
Add a blank line after function declaration as suggested by checkpatch.pl -f Signed-off-by:
-
Murali Karicheri authored
Current driver code uses camel case in many places. This is seen when ran checkpatch.pl -f on files under net/hsr. This patch fixes the code to remove camel case usage. Signed-off-by:
-
Murali Karicheri authored
This patch add missing space around operator in code. This is seen when ran checkpatch.pl -f on files under net/hsr. Signed-off-by:
-
Murali Karicheri authored
In a multi-line statement exceeding 80 characters, logical operator should be at the end of a line instead of being at the start. This is seen when ran checkpatch.pl -f on files under net/hsr. The change is per suggestion from checkpatch. Signed-off-by:
-
