- 31 May, 2019 9 commits
-
-
Alice Michael authored
rename the flags inside of iavf_status from I40E_* to IAVF_* Signed-off-by: Alice Michael <alice.michael@intel.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Alice Michael authored
Update the old variables and flags marked as i40e to match the iavf name of the driver. Signed-off-by: Alice Michael <alice.michael@intel.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Alice Michael authored
Update the old i40e function names to be iavf Signed-off-by: Alice Michael <alice.michael@intel.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Sergey Nemov authored
Instead of typedefing the enum iavf_status_code with iavf_status, just shorten the enum itself and get rid of typedef. Signed-off-by: Sergey Nemov <sergey.nemov@intel.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Alice Michael authored
With the rename of the iavf driver, there were some files that were missed in renaming. Update these to be iavf as well. Signed-off-by: Alice Michael <alice.michael@intel.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Gustavo A. R. Silva authored
One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with memory for some number of elements for that array. For example: struct foo { int stuff; struct boo entry[]; }; size = sizeof(struct foo) + count * sizeof(struct boo); Instead of leaving these open-coded and prone to type mistakes, we can now use the new struct_size() helper: size = struct_size(instance, entry, count); This code was detected with the help of Coccinelle. Signed-off-by: "Gustavo A. R. Silva" <gustavo@embeddedor.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Gustavo A. R. Silva authored
One of the more common cases of allocation size calculations is finding the size of a structure that has a zero-sized array at the end, along with memory for some number of elements for that array. For example: struct foo { int stuff; struct boo entry[]; }; size = sizeof(struct foo) + count * sizeof(struct boo); instance = kzalloc(size, GFP_KERNEL) Instead of leaving these open-coded and prone to type mistakes, we can now use the new struct_size() helper: instance = kzalloc(struct_size(instance, entry, count), GFP_KERNEL) Notice that, in this case, variable bufsz is not necessary, hence it is removed. This code was detected with the help of Coccinelle. Signed-off-by: "Gustavo A. R. Silva" <gustavo@embeddedor.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Aleksandr Loktionov authored
Limiting RSS queues number to online CPUs number in order to avoid issues with creating misconfigured RSS queues. Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
Nathan Chancellor authored
Clang warns: In file included from drivers/net/ethernet/intel/iavf/iavf_main.c:4: In file included from drivers/net/ethernet/intel/iavf/iavf.h:37: In file included from drivers/net/ethernet/intel/iavf/iavf_type.h:8: drivers/net/ethernet/intel/iavf/iavf_osdep.h:49:18: warning: 'format' attribute argument not supported: gnu_printf [-Wignored-attributes] __attribute__ ((format(gnu_printf, 3, 4))); ^ 1 warning generated. We can convert from gnu_printf to printf without any side effects for two reasons: 1. All iavf_debug instances use standard printf formats, as pointed out by Miguel Ojeda at the below link, meaning gnu_printf is not strictly required. 2. However, GCC has aliased printf to gnu_printf on Linux since at least 2010 based on git history. From gcc/c-family/c-format.c: /* Attributes such as "printf" are equivalent to those such as "gnu_printf" unless this is overridden by a target. */ static const target_ovr_attr gnu_target_overrides_format_attributes[] = { { "gnu_printf", "printf" }, { "gnu_scanf", "scanf" }, { "gnu_strftime", "strftime" }, { "gnu_strfmon", "strfmon" }, { NULL, NULL } }; The mentioned override only happens on Windows (mingw32). Changing from gnu_printf to printf is a no-op for GCC and stops Clang from warning. Link: https://github.com/ClangBuiltLinux/linux/issues/111Suggested-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com> Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
-
- 30 May, 2019 31 commits
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queueDavid S. Miller authored
Jeff Kirsher says: ==================== 100GbE Intel Wired LAN Driver Updates 2019-05-30 This series contains updates to ice driver only. Brett continues his work with interrupt handling by fixing an issue where were writing to the incorrect register to disable all VF interrupts. Tony consolidates the unicast and multicast MAC filters into a single new function. Anirudh adds support for virtual channel vector mapping to receive and transmit queues. This uses a bitmap to associate indicated queues with the specified vector. Makes several cosmetic code cleanups, as well as update the driver to align with the current specification for managing MAC operation codes (opcodes). Paul adds support for Forward Error Correction (FEC) and also adds the ethtool get and set handlers to modify FEC parameters. Bruce cleans up the driver code to fix a number of issues, such as, reducing the scope of some local variables, reduce the number of de-references by changing a local variable and reorder the code to remove unnecessary "goto's". Dave adds switch rules to be able to handle LLDP packets and in the process, fix a couple of issues found, like stop treating DCBx state of "not started" as an error and stop hard coding the filter information flag to transmit. Jacob updates the driver to allow for more granular debugging by developers by using a distinct separate bit for dumping firmware logs. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Kevin 'ldir' Darbyshire-Bryant authored
Since the new parameter block is initialised to 0 by kzmalloc we don't need to mask & clear unused operational mode bits, they are already unset. Drop the pointless code. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Heiner Kallweit says: ==================== net: phy: improve handling of more complex C45 PHY's This series tries to address few problematic aspects raised by Russell. Concrete example is the Marvell 88x3310, the changes should be helpful for other complex C45 PHY's too. v2: - added patch enabling interrupts also if phylib state machine isn't started - removed patch dealing with the double link status read This one needs little bit more thinking and will go separately. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Heiner Kallweit authored
We face the issue that link change interrupt and link status may be reported by different PHY layers. As a result the link change interrupt may occur before the link status changes. Export phy_queue_state_machine to allow PHY drivers to specify a delay between link status change interrupt and link status check. v2: - change jiffies parameter type to unsigned long Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Suggested-by: Russell King <rmk+kernel@armlinux.org.uk> Acked-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Heiner Kallweit authored
The phylib interrupt handler handles link change events only currently. However PHY drivers may want to use other interrupt sources too, e.g. to report temperature monitoring events. Therefore add a callback to struct phy_driver allowing PHY drivers to implement a custom interrupt handler. Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Suggested-by: Russell King - ARM Linux admin <linux@armlinux.org.uk> Acked-by: Russell King <rmk+kernel@armlinux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Heiner Kallweit authored
This patch is a step towards allowing PHY drivers to handle more interrupt sources than just link change. E.g. several PHY's have built-in temperature monitoring and can raise an interrupt if a temperature threshold is exceeded. We may be interested in such interrupts also if the phylib state machine isn't started. Therefore move enabling interrupts to phy_request_interrupt(). v2: - patch added to series Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michal Kalderon authored
In some cases abs_ppfid could be printed without being initialized. Fixes: 79284ade ("qed: Add llh ppfid interface and 100g support for offload protocols") Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Michal Kalderon <michal.kalderon@marvell.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Ioana Ciornei authored
In case a call to dsa_tree_setup() fails, an attempt to cleanup is made by calling dsa_tree_remove_switch(), which should take care of removing/unregistering any resources previously allocated. This does not happen because it is conditioned by dst->setup being true, which is set only after _all_ setup steps were performed successfully. This is especially interesting when the internal MDIO bus is registered but afterwards, a port setup fails and the mdiobus_unregister() is never called. This leads to a BUG_ON() complaining about the fact that it's trying to free an MDIO bus that's still registered. Add proper error handling in all functions branching from dsa_tree_setup(). Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com> Reported-by: kernel test robot <rong.a.chen@intel.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Heiner Kallweit says: ==================== r8169: decouple firmware handling code from actual driver code These two patches are a step towards eventually factoring out firmware handling code to a separate source file. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Heiner Kallweit authored
This patch is a further step towards decoupling firmware handling from the actual driver code. Firmware can be for PHY and/or MAC, and two pairs of read/write functions are needed for handling PHY firmware and MAC firmware respectively. Pass these functions via struct rtl_fw and avoid the ugly switching of mdio_ops behind the back of rtl_writephy(). Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Heiner Kallweit authored
Simplify the function a little bit and use strscpy() where appropriate. Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Heiner Kallweit authored
Call the pll power down function also for chip versions 02..06 and 13..15. The MAC can't be powered down on these chip versions, but at least they benefit from the speed-down power-saving if WoL is enabled. Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Matteo Croce authored
The same skb_checksum_ops struct is defined twice in two different places, leading to code duplication. Declare it as a global variable into a common header instead of allocating it on the stack on each function call. bloat-o-meter reports a slight code shrink. add/remove: 1/1 grow/shrink: 0/10 up/down: 128/-1282 (-1154) Function old new delta sctp_csum_ops - 128 +128 crc32c_csum_ops 16 - -16 sctp_rcv 6616 6583 -33 sctp_packet_pack 4542 4504 -38 nf_conntrack_sctp_packet 4980 4926 -54 execute_masked_set_action 6453 6389 -64 tcf_csum_sctp 575 428 -147 sctp_gso_segment 1292 1126 -166 sctp_csum_check 579 412 -167 sctp_snat_handler 957 772 -185 sctp_dnat_handler 1321 1132 -189 l4proto_manip_pkt 2536 2313 -223 Total: Before=359297613, After=359296459, chg -0.00% Reviewed-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Matteo Croce <mcroce@redhat.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Matteo Croce authored
Commit 283c16a2 ("indirect call wrappers: helpers to speed-up indirect calls of builtin") introduces some macros to avoid doing indirect calls. Use these helpers to remove two indirect calls in the L4 checksum calculation for devices which don't have hardware support for it. As a test I generate packets with pktgen out to a dummy interface with HW checksumming disabled, to have the checksum calculated in every sent packet. The packet rate measured with an i7-6700K CPU and a single pktgen thread raised from 6143 to 6608 Kpps, an increase by 7.5% Suggested-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: Matteo Croce <mcroce@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
YueHaibing authored
Fix sparse warning: drivers/net/dsa/sja1105/sja1105_static_config.c:446:1: warning: symbol 'static_config_check_memory_size' was not declared. Should it be static? Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Acked-by: Vladimir Oltean <olteanv@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Pablo Neira Ayuso says: ==================== connection tracking support for bridge This patchset adds native connection tracking support for the bridge. Patch #1 and #2 extract code from IPv4/IPv6 fragmentation core and introduce the fraglist splitter. That splits a skbuff fraglist into independent fragments. Patch #3 and #4 also extract code from IPv4/IPv6 fragmentation core and introduce the skbuff into fragments transformer. This can be used by linearized skbuffs (eg. coming from nfqueue and ct helpers) as well as cloned skbuffs (that are either seen either with taps or with bridge port flooding). Patch #5 moves the specific IPCB() code from these new fragment splitter/transformer APIs into the IPv4 stack. The bridge has a different control buffer layout and it starts using this new APIs in this patchset. Patch #6 adds basic infrastructure that allows to register bridge conntrack support. Patch #7 adds bridge conntrack support (only for IPv4 in this patch). Patch #8 adds IPv6 support for the bridge conntrack support. Patch #9 registers the IPv4/IPv6 conntrack hooks in case the bridge conntrack is used to deal with local traffic, ie. prerouting -> input bridge hook path. This cover the bridge interface has a IP address scenario. Before this patchset, only chance for people to do stateful filtering is to use the `br_netfilter` emulation layer, that turns bridge frame into IPv4/IPv6 packets and inject them into the IPv4/IPv6 hooks. Apparently, this module allows users to use iptables and all of its feature-set from the bridge, including stateful filtering. However, this approach is flawed in many aspects that have been discussed many times. This is a step forward to deprecate `br_netfilter'. v2: Fix English typo in commit message. v3: Fix another English typo in commit message. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
This patch enables IPv4 and IPv6 conntrack from the bridge to deal with local traffic. Hence, packets that are passed up to the local input path are confirmed later on from the {ipv4,ipv6}_confirm() hooks. For packets leaving the IP stack (ie. output path), fragmentation occurs after the inet postrouting hook. Therefore, the bridge local out and postrouting bridge hooks see fragments with conntrack objects, which is inconsistent. In this case, we could defragment again from the bridge output hook, but this is expensive. The recommended filtering spot for outgoing locally generated traffic leaving through the bridge interface is to use the classic IPv4/IPv6 output hook, which comes earlier. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
br_defrag() and br_fragment() indirections are added in case that IPv6 support comes as a module, to avoid pulling innecessary dependencies in. The new fraglist iterator and fragment transformer APIs are used to implement the refragmentation code. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
This patch adds basic connection tracking support for the bridge, including initial IPv4 support. This patch register two hooks to deal with the bridge forwarding path, one from the bridge prerouting hook to call nf_conntrack_in(); and another from the bridge postrouting hook to confirm the entry. The conntrack bridge prerouting hook defragments packets before passing them to nf_conntrack_in() to look up for an existing entry, otherwise a new entry is allocated and it is attached to the skbuff. The conntrack bridge postrouting hook confirms new conntrack entries, ie. if this is the first packet seen, then it adds the entry to the hashtable and (if needed) it refragments the skbuff into the original fragments, leaving the geometry as is if possible. Exceptions are linearized skbuffs, eg. skbuffs that are passed up to nfqueue and conntrack helpers, as well as cloned skbuff for the local delivery (eg. tcpdump), also in case of bridge port flooding (cloned skbuff too). The packet defragmentation is done through the ip_defrag() call. This forces us to save the bridge control buffer, reset the IP control buffer area and then restore it after call. This function also bumps the IP fragmentation statistics, it would be probably desiderable to have independent statistics for the bridge defragmentation/refragmentation. The maximum fragment length is stored in the control buffer and it is used to refragment the skbuff from the postrouting path. The new fraglist splitter and fragment transformer APIs are used to implement the bridge refragmentation code. The br_ip_fragment() function drops the packet in case the maximum fragment size seen is larger than the output port MTU. This patchset follows the principle that conntrack should not drop packets, so users can do it through policy via invalid state matching. Like br_netfilter, there is no refragmentation for packets that are passed up for local delivery, ie. prerouting -> input path. There are calls to nf_reset() already in several spots in the stack since time ago already, eg. af_packet, that show that skbuff fraglist handling from the netif_rx path is supported already. The helpers are called from the postrouting hook, before confirmation, from there we may see packet floods to bridge ports. Then, although unlikely, this may result in exercising the helpers many times for each clone. It would be good to explore how to pass all the packets in a list to the conntrack hook to do this handle only once for this case. Thanks to Florian Westphal for handing me over an initial patchset version to add support for conntrack bridge. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
This patch adds infrastructure to register and to unregister bridge support for the conntrack module via nf_ct_bridge_register() and nf_ct_bridge_unregister(). Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
Deal with the IPCB() area away from the iterators. The bridge codebase has its own control buffer layout, move specific IP control buffer handling into the IPv4 codepath. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
This patch exposes a new API to refragment a skbuff. This allows you to split either a linear skbuff or to force the refragmentation of an existing fraglist using a different mtu. The API consists of: * ip6_frag_init(), that initializes the internal state of the transformer. * ip6_frag_next(), that allows you to fetch the next fragment. This function internally allocates the skbuff that represents the fragment, it pushes the IPv6 header, and it also copies the payload for each fragment. The ip6_frag_state object stores the internal state of the splitter. This code has been extracted from ip6_fragment(). Symbols are also exported to allow to reuse this iterator from the bridge codepath to build its own refragmentation routine by reusing the existing codebase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
This patch exposes a new API to refragment a skbuff. This allows you to split either a linear skbuff or to force the refragmentation of an existing fraglist using a different mtu. The API consists of: * ip_frag_init(), that initializes the internal state of the transformer. * ip_frag_next(), that allows you to fetch the next fragment. This function internally allocates the skbuff that represents the fragment, it pushes the IPv4 header, and it also copies the payload for each fragment. The ip_frag_state object stores the internal state of the splitter. This code has been extracted from ip_do_fragment(). Symbols are also exported to allow to reuse this iterator from the bridge codepath to build its own refragmentation routine by reusing the existing codebase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
This patch adds the skbuff fraglist split iterator. This API provides an iterator to transform the fraglist into single skbuff objects, it consists of: * ip6_fraglist_init(), that initializes the internal state of the fraglist iterator. * ip6_fraglist_prepare(), that restores the IPv6 header on the fragment. * ip6_fraglist_next(), that retrieves the fragment from the fraglist and updates the internal state of the iterator to point to the next fragment in the fraglist. The ip6_fraglist_iter object stores the internal state of the iterator. This code has been extracted from ip6_fragment(). Symbols are also exported to allow to reuse this iterator from the bridge codepath to build its own refragmentation routine by reusing the existing codebase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Pablo Neira Ayuso authored
This patch adds the skbuff fraglist splitter. This API provides an iterator to transform the fraglist into single skbuff objects, it consists of: * ip_fraglist_init(), that initializes the internal state of the fraglist splitter. * ip_fraglist_prepare(), that restores the IPv4 header on the fragments. * ip_fraglist_next(), that retrieves the fragment from the fraglist and it updates the internal state of the splitter to point to the next fragment skbuff in the fraglist. The ip_fraglist_iter object stores the internal state of the iterator. This code has been extracted from ip_do_fragment(). Symbols are also exported to allow to reuse this iterator from the bridge codepath to build its own refragmentation routine by reusing the existing codebase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Jason Baron says: ==================== add TFO backup key Christoph, Igor, and I have worked on an API that facilitates TFO key rotation. This is a follow up to the series that Christoph previously posted, with an API that meets both of our use-cases. Here's a link to the previous work: https://patchwork.ozlabs.org/cover/1013753/ Changes in v2: -spelling fixes in ip-sysctl.txt (Jeremy Sowden) -re-base to latest net-next ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jason Baron authored
Demonstrate how the primary and backup TFO keys can be rotated while minimizing the number of client cookies that are rejected. Signed-off-by: Jason Baron <jbaron@akamai.com> Signed-off-by: Christoph Paasch <cpaasch@apple.com> Acked-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jason Baron authored
Add docs for /proc/sys/net/ipv4/tcp_fastopen_key Signed-off-by: Jason Baron <jbaron@akamai.com> Signed-off-by: Christoph Paasch <cpaasch@apple.com> Cc: Jeremy Sowden <jeremy@azazel.net> Acked-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jason Baron authored
Add the ability to add a backup TFO key as: # echo "x-x-x-x,x-x-x-x" > /proc/sys/net/ipv4/tcp_fastopen_key The key before the comma acks as the primary TFO key and the key after the comma is the backup TFO key. This change is intended to be backwards compatible since if only one key is set, userspace will simply read back that single key as follows: # echo "x-x-x-x" > /proc/sys/net/ipv4/tcp_fastopen_key # cat /proc/sys/net/ipv4/tcp_fastopen_key x-x-x-x Signed-off-by: Jason Baron <jbaron@akamai.com> Signed-off-by: Christoph Paasch <cpaasch@apple.com> Acked-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jason Baron authored
Add support for get/set of an optional backup key via TCP_FASTOPEN_KEY, in addition to the current 'primary' key. The primary key is used to encrypt and decrypt TFO cookies, while the backup is only used to decrypt TFO cookies. The backup key is used to maximize successful TFO connections when TFO keys are rotated. Currently, TCP_FASTOPEN_KEY allows a single 16-byte primary key to be set. This patch now allows a 32-byte value to be set, where the first 16 bytes are used as the primary key and the second 16 bytes are used for the backup key. Similarly, for getsockopt(), we can receive a 32-byte value as output if requested. If a 16-byte value is used to set the primary key via TCP_FASTOPEN_KEY, then any previously set backup key will be removed. Signed-off-by: Jason Baron <jbaron@akamai.com> Signed-off-by: Christoph Paasch <cpaasch@apple.com> Acked-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jason Baron authored
We would like to be able to rotate TFO keys while minimizing the number of client cookies that are rejected. Currently, we have only one key which can be used to generate and validate cookies, thus if we simply replace this key clients can easily have cookies rejected upon rotation. We propose having the ability to have both a primary key and a backup key. The primary key is used to generate as well as to validate cookies. The backup is only used to validate cookies. Thus, keys can be rotated as: 1) generate new key 2) add new key as the backup key 3) swap the primary and backup key, thus setting the new key as the primary We don't simply set the new key as the primary key and move the old key to the backup slot because the ip may be behind a load balancer and we further allow for the fact that all machines behind the load balancer will not be updated simultaneously. We make use of this infrastructure in subsequent patches. Suggested-by: Igor Lubashev <ilubashe@akamai.com> Signed-off-by: Jason Baron <jbaron@akamai.com> Signed-off-by: Christoph Paasch <cpaasch@apple.com> Acked-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-