10 May, 2024 (6 commits)
      Merge tag 'gtp-24-05-07' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/gtp · f8beae07
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      gtp pull request 24-05-07
      
      This v3 includes:
      - fix for clang uninitialized variable per Jakub.
      - address Smatch and Coccinelle reports per Simon
      - remove inline in new IPv6 support per Simon
      - fix memleaks in netlink control plane per Simon
      -o-
      
      The following patchset contains IPv6 GTP driver support for net-next,
      this also includes IPv6 over IPv4 and vice-versa:
      
      Patch #1 removes an unnecessary stack variable initialization in the
               socket routine.
      
      Patch #2 deals with GTP extension headers. This variable length extension
               header to decapsulate packets accordingly. Otherwise, packets are
               dropped when these extension headers are present which breaks
               interoperation with other non-Linux based GTP implementations.
      
      Patch #3 prepares for IPv6 support by moving IPv4 specific fields in PDP
               context objects to a union.
      
      Patch #4 adds IPv6 support while retaining backward compatibility.
               Three new attributes allow declaring an IPv6 GTP tunnel
               GTPA_FAMILY, GTPA_PEER_ADDR6 and GTPA_MS_ADDR6 as well as
               IFLA_GTP_LOCAL6 to declare the IPv6 GTP UDP socket. Up to this
               patch, only IPv6 outer in IPv6 inner is supported.
      
      Patch #5 uses IPv6 address /64 prefix for UE/MS in the inner headers.
               Unlike IPv4, which provides a 1:1 mapping between UE/MS,
               IPv6 tunnel encapsulates traffic for /64 address as specified
               by 3GPP TS. Patch has been split from Patch #4 to highlight
               this behaviour.
      
      Patch #6 passes up IPv6 link-local traffic, such as IPv6 SLAAC, for
               handling to userspace so they are handled as control packets.
      
      Patch #7 prepares to allow for GTP IPv4 over IPv6 and vice-versa by
               moving IP specific debugging out of the function to build
               IPv4 and IPv6 GTP packets.
      
      Patch #8 generalizes TOS/DSCP handling following similar approach as
               in the existing iptunnel infrastructure.
      
      Patch #9 adds a helper function to build an IPv4 GTP packet in the outer
               header.
      
      Patch #10 adds a helper function to build an IPv6 GTP packet in the outer
                header.
      
      Patch #11 adds support for GTP IPv4-over-IPv6 and vice-versa.
      
      Patch #12 allows to use the same TID/TEID (tunnel identifier) for inner
                IPv4 and IPv6 packets for better UE/MS dual stack integration.
      
      This series integrates with the osmocom.org project CI and TTCN-3 test
      infrastructure (Oliver Smith) as well as the userspace libgtpnl library.
      
      Thanks to Harald Welte, Oliver Smith and Pau Espin for reviewing and
      providing feedback through the osmocom.org redmine platform to make this
      happen.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      netfilter: nf_tables: allow clone callbacks to sleep · fa23e0d4
      Florian Westphal authored
      Sven Auhagen reports transaction failures with the following error:
        ./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory
        percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left
      
      This points to failing pcpu allocation with GFP_ATOMIC flag.
      However, transactions happen from user context and are allowed to sleep.
      
      One case where we can call into percpu allocator with GFP_ATOMIC is
      nft_counter expression.
      
      Normally this happens from control plane, so this could use GFP_KERNEL
      instead.  But one use case, element insertion from packet path,
      needs to use GFP_ATOMIC allocations (nft_dynset expression).
      
      At this time, .clone callbacks always use GFP_ATOMIC for this reason.
      
      Add gfp_t argument to the .clone function and pass GFP_KERNEL or
      GFP_ATOMIC flag depending on context, this allows all clone memory
      allocations to sleep for the normal (transaction) case.
      
      Cc: Sven Auhagen <sven.auhagen@voleatech.de>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      selftests: netfilter: add packetdrill based conntrack tests · a8a388c2
      Florian Westphal authored
      Add a new test script that uses packetdrill tool to exercise conntrack
      state machine.
      
      Needs ip/ip6tables and conntrack tool (to check if we have an entry in
      the expected state).
      
      Test cases added here cover following scenarios:
      1. already-acked (retransmitted) packets are not tagged as INVALID
      2. RST packet coming when conntrack is already closing (FIN/CLOSE_WAIT)
        transitions conntrack to CLOSE even if the RST is not an exact match
      3. RST packets with out-of-window sequence numbers are marked as INVALID
      4. SYN+Challenge ACK: check that challenge ack is allowed to pass
      5. Old SYN/ACK: check conntrack handles the case where SYN is answered
        with SYN/ACK for an old, previous connection attempt
      6. Check SYN reception while in ESTABLISHED state generates a challenge
         ack, RST response clears 'outdated' state + next SYN retransmit gets
         us into 'SYN_RECV' conntrack state.
      
      Tests get run twice, once with ipv4 and once with ipv6.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nft_set_pipapo: remove dirty flag · 532aec7e
      Florian Westphal authored
      After previous change:
       ->clone exists: ->dirty is always true
       ->clone == NULL ->dirty is always false
      
      So remove this flag.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nft_set_pipapo: move cloning of match info to insert/removal path · 3f1d886c
      Florian Westphal authored
      This set type keeps two copies of the set's content,
         priv->match (live version, used to match from packet path)
         priv->clone (work-in-progress version of the 'future' priv->match).
      
      All additions and removals are done on priv->clone.  When transaction
      completes, priv->clone becomes priv->match and a new clone is allocated
      for use by next transaction.
      
      Problem is that the cloning requires GFP_KERNEL allocations but we
      cannot fail at either commit or abort time.
      
      This patch defers the clone until we get an insertion or removal
      request.  This allows us to handle OOM situations correctly.
      
      This also allows to remove ->dirty in a followup change:
      
      If ->clone exists, ->dirty is always true
      If ->clone is NULL, ->dirty is always false, no elements were added
      or removed (except catchall elements which are external to the specific
      set backend).
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nft_set_pipapo: prepare pipapo_get helper for on-demand clone · a2381067
      Florian Westphal authored
      The helper uses priv->clone unconditionally which will fail once we do
      the clone conditionally on first insert or removal.
      
      'nft get element' from userspace needs to use priv->match since this
      runs from rcu read side lock section.
      
      Prepare for this by passing the match backend data as argument.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>