- 10 Jan, 2014 1 commit
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nftablesDavid S. Miller authored
Pablo Neira Ayuso says: ==================== nf_tables updates for net-next The following patchset contains the following nf_tables updates, mostly updates from Patrick McHardy, they are: * Add the "inet" table and filter chain type for this new netfilter family: NFPROTO_INET. This special table/chain allows IPv4 and IPv6 rules, this should help to simplify the burden in the administration of dual stack firewalls. This also includes several patches to prepare the infrastructure for this new table and a new meta extension to match the layer 3 and 4 protocol numbers, from Patrick McHardy. * Load both IPv4 and IPv6 conntrack modules in nft_ct if the rule is used in NFPROTO_INET, as we don't certainly know which one would be used, also from Patrick McHardy. * Do not allow to delete a table that contains sets, otherwise these sets become orphan, from Patrick McHardy. * Hold a reference to the corresponding nf_tables family module when creating a table of that family type, to avoid the module deletion when in use, from Patrick McHardy. * Update chain counters before setting the chain policy to ensure that we don't leave the chain in inconsistent state in case of errors (aka. restore chain atomicity). This also fixes a possible leak if it fails to allocate the chain counters if no counters are passed to be restored, from Patrick McHardy. * Don't check for overflows in the table counter if we are just renaming a chain, from Patrick McHardy. * Replay the netlink request after dropping the nfnl lock to load the module that supports provides a chain type, from Patrick. * Fix chain type module references, from Patrick. * Several cleanups, function renames, constification and code refactorizations also from Patrick McHardy. * Add support to set the connmark, this can be used to set it based on the meta mark (similar feature to -j CONNMARK --restore), from Kristian Evensen. * A couple of fixes to the recently added meta/set support and nft_reject, and fix missing chain type unregistration if we fail to register our the family table/filter chain type, from myself. ==================== Signed-off-by:David S. Miller <davem@davemloft.net>
-
- 09 Jan, 2014 33 commits
-
-
Pablo Neira Ayuso authored
We have to unregister chain type if this fails to register netns. Signed-off-by:Pablo Neira Ayuso <pablo@netfilter.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-nextDavid S. Miller authored
Jeff Kirsher says: ==================== Intel Wired LAN Driver Updates This series contains updates to i40e only. Anjali provides a fix where interrupts were not being re-enabled on ICR0 even though they were auto masked by hardware. Then provides a fix to cleanup RSS initialization because it was doing some extra work, so remove the extra work and any bugs it created when managing number of queues. Since hardware requires a full packet template to be pointed to when adding hardware flow filters, add the template and use it for programming filters. Jesse provides a fix to replace the use of driver specific defines with kernel ETH_ALEN defines. Then disables packet split because with the use of GRO, we do not need the extra bus overhead. Fixes spelling error in code comment. Kamil provides a fix for the driver where the hardware expects the MAC address in a very specific format and the driver was filing the data incorrectly. Mitch provides a fix to resolve a panic on reset by adding checks to VSI->rx_rings. Then shortens alloc_rx_buff_failed and alloc_rx_page_failed variables since both part of an RX specific structure so just remove the _rx part of the name. Then fixes badly formatted lines, long lines and mis-formatted lines. Shannon provides a fix to call AQ to release any reservation held by this PF on the NVM resource lock on startup, in order to clear anything that might have been left over from a previous run. Then removes interrupt on AQ error since nearly everything we do is synchronous, using the interrupt-on-error bit is unnecessary and causing unneeded interrupts. Adds code to handle the ability to send messages among the physical function interfaces by the admin queue. Catherine sets the MFP flag earlier in software init and uses that flag to decide if other hardware work-arounds are required which turns off flow director in MFP mode. ==================== Signed-off-by: -
Wei Yongjun authored
Fixes the following sparse warning: net/ipv4/ip_tunnel.c:116:18: warning: symbol 'tunnel_dst_check' was not declared. Should it be static? Signed-off-by:
Wei Yongjun <yongjun_wei@trendmicro.com.cn> Signed-off-by:
-
Wei Yongjun authored
memory allocated by kmem_cache_alloc() should be freed using kmem_cache_free(), not kfree(). Fixes: e298e505 ('openvswitch: Per cpu flow stats.') Signed-off-by:
Jesse Gross <jesse@nicira.com> Signed-off-by:
-
Patrick McHardy authored
We don't encode argument types into function names and since besides nft_do_chain() there are only AF-specific versions, there is no risk of confusion. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
Patrick McHardy authored
We currently leak the set memory when deleting a table that still has sets in it. Return EBUSY when attempting to delete a table with sets. Signed-off-by:
-
Patrick McHardy authored
The table refers to data of the AF module, so we need to make sure the module isn't unloaded while the table exists. Signed-off-by:
-
Patrick McHardy authored
Simplifies error handling. Additionally use the correct type u32 for the host byte order flags value. Signed-off-by:
-
Patrick McHardy authored
Minor nf_chain_type cleanups: - reorder struct to plug a hoe - rename struct module member to "owner" for consistency - rename nf_hookfn array to "hooks" for consistency - reorder initializers for better readability Signed-off-by:
-
Patrick McHardy authored
Signed-off-by:
-
Patrick McHardy authored
To avoid races, we need to replay to request after dropping the nfnl_mutex to auto-load the chain type module. Signed-off-by:
-
Patrick McHardy authored
In some cases we neither take a reference to the AF info nor to the chain type, allowing the module to be unloaded while in use. Signed-off-by:
-
Patrick McHardy authored
The chain type module reference handling makes no sense at all: we take a reference immediately when the module is registered, preventing the module from ever being unloaded. Fix by taking a reference when we're actually creating a chain of the chain type and release the reference when destroying the chain. Signed-off-by:
-
Patrick McHardy authored
The table use counter is only increased for new chains, so move the check to the correct position. Signed-off-by:
-
Patrick McHardy authored
Chain counter validation is performed after the chain policy has potentially been changed. Move counter validation/setting before changing of the chain policy to fix this. Additionally fix a memory leak if chain counter allocation fails for new chains, remove an unnecessary free_percpu() and move counter allocation for new chains Signed-off-by:
-
Patrick McHardy authored
Currently nf_tables_newchain() atomicity is broken because of having validation of some netlink attributes performed after changing attributes of the chain. The chain policy is (currently) fine, but split it up as preparation for the following fixes and to avoid future mistakes. Signed-off-by:
-
Pablo Neira Ayuso authored
We have to validate that the input register is in the range of allowed registers, otherwise we can take a incorrect register value as input that may lead us to a crash. Signed-off-by: -
Kristian Evensen authored
This patch adds kernel support for setting properties of tracked connections. Currently, only connmark is supported. One use-case for this feature is to provide the same functionality as -j CONNMARK --save-mark in iptables. Some restructuring was needed to implement the set op. The new structure follows that of nft_meta. Signed-off-by:
Kristian Evensen <kristian.evensen@gmail.com> Signed-off-by:
-
Catherine Sullivan authored
The driver needs to set the MFP flag earlier in i40e_sw_init and then can use that flag to decide if other hardware work-arouds are required. Change-ID: Ib17ad1e3485f57b28845ab4722294a99f203bd48 Signed-off-by:
Catherine Sullivan <catherine.sullivan@intel.com> Signed-off-by:
Jesse Brandeburg <jesse.brandeburg@intel.com> Signed-off-by:
Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Jesse Brandeburg authored
The hardware requires a full packet template to be pointed to when adding hardware flow filters. This patch adds the template and uses it for programming filters. Change-ID: I09db9f4ab0207ca9c520ae36596d74e1a0663ae5 Signed-off-by:
Anjali Singhai Jain <anjali.singhai@intel.com> Signed-off-by:
-
Jesse Brandeburg authored
This patch does s/rebuid/rebuild/. Change-ID: I77ff0c26db3d23ca5dc971b82d71b4ed8c6bcc14 Signed-off-by:
Kavindya Deegala <kavindya.s.deegala@intel.com> Signed-off-by:
-
Mitch Williams authored
Fix some badly formatted lines, long lines and a mis-formatted else. Change-ID: Iac2eef064ae27c55a0c3d9c15c525bf8fed8ab6f Signed-off-by:
Mitch Williams <mitch.a.williams@intel.com> Signed-off-by:
-
Mitch Williams authored
The alloc_rx_buff_failed and alloc_rx_page_failed variables are both part of an rx specific structure so just remove the _rx part of the name. No functional changes. Change-ID: Icffa2f5d13c6f2b1e09cf45b9472b83c9dae8fc6 Signed-off-by:
-
Shannon Nelson authored
The admin queue can be used to send messages among the physical function interfaces. This adds the code to handle that case. Change-ID: I0700fcc47e41433131a381f0eb72fc7b01b6bd87 Signed-off-by:
Shannon Nelson <shannon.nelson@intel.com> Signed-off-by:
-
Shannon Nelson authored
Since nearly everything we do is synchronous, using the interrupt-on-error bit is unnecessary and causing unneeded interrupts. If anyone wants to use the bit they can turn it on in individual AQ requests using the cmd_details parameter. Change-ID: I4690a9c561d3e0836aeadb4f88f8a8702b1d1366 Signed-off-by:
-
Shannon Nelson authored
Call AQ to release any reservation held by this PF on the NVM resource lock on startup, in order to clear anything that might have been left over from a previous run. The lock is only cleared by the requestor calling for it to be cleared, on power-on, or firmware reset. This should help limit the need for rebooting a customer machine if something goes wrong on a firmware update or some other action. Change-ID: I8c8473e601d4ef512dda7baa77a6e75f2e5fea49 Signed-off-by:
-
Anjali Singhai Jain authored
RSS initialization was doing some extra work, remove the extra work and any bugs it created when managing number of queues. Change-ID: Iea75b04a70d73ce76947b6a177ce89ab4899d4c6 Signed-off-by:
-
Jesse Brandeburg authored
The driver and hardware support splitting packets on headers but with the use of GRO we don't need the extra bus overhead, so make this driver more like igb and ixgbe and disable packet split. Change-ID: Id42f2c3736baa9d5bdfe1f72d64226e7d8ebd737 Signed-off-by:
-
Greg Rose authored
The memory barrier used in maybe_stop_tx can use a comment. Also add checks to VSI->rx_rings to ensure a kernel panic is not induced. Change-ID: I48cc1bf1d6cf301818155b737edeef77c0d790c7 Change-ID: I1363a8445fbf521a26267849966296ed55f43ad8 Signed-off-by:
Greg Rose <gregory.v.rose@intel.com> Signed-off-by:
-
Kamil Krawczyk authored
The MAC address format expected by the hardware is in a very specific format, and the driver was filling in the data incorrectly. Change-ID: I7bc66505ef459ee347dd3bda68051004c141c689 Signed-off-by:
Kamil Krawczyk <kamil.krawczyk@intel.com> Signed-off-by:
-
Greg Rose authored
The GPL header included in each file in the i40e driver doesn't need to include the "this program" text since this driver is already part of the larger kernel. Signed-off-by:
-
Jesse Brandeburg authored
Replace uses of I40E_LENGTH_OF_ADDRESS with ETH_ALEN. Signed-off-by:
-
Anjali Singhai Jain authored
The hardware can occasionally give an interrupt on the misc queue for which there is no driver work to do. In that case the driver was not re-enabling interrupts even though they were auto masked by hardware. This left interrupts disabled on this queue. Re-enable the interrupt whenever leaving this function. Signed-off-by:
-
- 08 Jan, 2014 6 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-nextDavid S. Miller authored
Pablo Neira Ayuso says: ==================== Netfilter updates for net-next The following patchset contains three Netfilter updates, they are: * Fix wrong usage of skb_header_pointer in the DCCP protocol helper that has been there for quite some time. It was resulting in copying the dccp header to a pointer allocated in the stack. Fortunately, this pointer provides room for the dccp header is 4 bytes long, so no crashes have been reported so far. From Daniel Borkmann. * Use format string to print in the invocation of nf_log_packet(), again in the DCCP helper. Also from Daniel Borkmann. * Revert "netfilter: avoid get_random_bytes call" as prandom32 does not guarantee enough entropy when being calling this at boot time, that may happen when reloading the rule. ==================== Signed-off-by: -
git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-nextDavid S. Miller authored
Jeff Kirsher says: ==================== Intel Wired LAN Driver Updates This series contains updates to i40e only. Anjali adds more functionality to debugfs to assist development and testing of admin queue commands. Greg makes sure broadcast promiscuous is disabled by default, otherwise VLAN tagged packets out of the assigned VLAN domain are received. Also provides a fix when the 8021q driver is loaded, so that VLAN 0 tagged packets are accepted so that upper layers can interpret the priority bits. Then provides a fix to let the VF to request the PF to set its already assigned MAC address without generating an error. Greg also adds helper functions to enable or disable internal switch loopback when VFs are created or destroyed via the sysfs interface. Shannon provides most of the changes, where he adds code to ensure that the hardware waits to make sure that the firmware is ready as well after reset. Also updates the code to use the new features in the firmware. Provides a fix while in MFP mode where resources are reduced, so use a smaller range of test registers than when in SFP mode. Moves the PF ID initialization code to earlier in the driver initialization function since a few operations need the information before the first PF reset is called. Shannon adds a check for MAC type before reading anything from the registers to ensure we dealing with the correct MAC type. Then reworks Shadow RAM read word/buffer functions as to not block whole NVM resources for SR read operations. Mitch lastly provides a fix to correctly setup ARQ descriptors in the cleanup code. Catherine bumps the driver version due to all the recent changes. v2: - Added blank lines after local variable declarations to patch 01 as suggested by David Miller - Used the suggested memset() line in patch 15 as suggested by David Miller ==================== Signed-off-by: -
Mitch Williams authored
When cleaning descriptors, we must set up ALL fields, not just the DMA address. The initial setup does this correctly, but not the cleanup code, so the firmware would process the ring exactly once and then fail. Change-ID: I2930b83c76194b3016a8ac0fa693f9a573995640 Signed-off-by:
-
Kamil Krawczyk authored
The admin queue length register is updated in config_a<sq|rq>_regs functions. We should not update it again, as we will trigger firmware to init the AQ again. In this case firmware will lose the information about the AQ Rx tail position and will see Rx queue as full (no free desc for FW to use). Signed-off-by:
-
Greg Rose authored
The PF VSI was never updated to enable or disable internal switch loopback when VFs were created or destroyed via the sysfs interface. Add some helper functions to take care of that. Signed-off-by:
Sibai Li <sibai.li@intel.com> Signed-off-by:
-
Shannon Nelson authored
Addresses a few code format issues that have crept in over time. Change-Id: I1a62cbd16b29a218a933b0f7176abe748f9615e8 Signed-off-by:
-
