- 19 May, 2014 5 commits
-
-
Pablo Neira Ayuso authored
This patch reworks the nf_tables API so set updates are included in the same batch that contains rule updates. This speeds up rule-set updates since we skip a dialog of four messages between kernel and user-space (two on each direction), from: 1) create the set and send netlink message to the kernel 2) process the response from the kernel that contains the allocated name. 3) add the set elements and send netlink message to the kernel. 4) process the response from the kernel (to check for errors). To: 1) add the set to the batch. 2) add the set elements to the batch. 3) add the rule that points to the set. 4) send batch to the kernel. This also introduces an internal set ID (NFTA_SET_ID) that is unique in the batch so set elements and rules can refer to new sets. Backward compatibility has been only retained in userspace, this means that new nft versions can talk to the kernel both in the new and the old fashion. Signed-off-by:Pablo Neira Ayuso <pablo@netfilter.org>
-
Pablo Neira Ayuso authored
The patch adds message type to the transaction to simplify the commit the and abort routines. Yet another step forward in the generalisation of the transaction infrastructure. Signed-off-by: -
Pablo Neira Ayuso authored
Move the commit and abort routines to the bottom of the source code file. This change is required by the follow up patches that add the set, chain and table transaction support. This patch is just a cleanup to access several functions without having to declare their prototypes. Signed-off-by: -
Pablo Neira Ayuso authored
This patch generalises the existing rule transaction infrastructure so it can be used to handle set, table and chain object transactions as well. The transaction provides a data area that stores private information depending on the transaction type. Signed-off-by: -
Pablo Neira Ayuso authored
The new transaction infrastructure updates the family, table and chain objects in the context structure, so let's deconstify them. While at it, move the context structure initialization routine to the top of the source file as it will be also used from the table and chain routines. Signed-off-by:
-
- 28 Apr, 2014 1 commit
-
-
Pablo Neira authored
Use NLA_STRING for consistency with other string attributes in nf_tables. Signed-off-by:
-
- 24 Apr, 2014 1 commit
-
-
Tomasz Bursztyka authored
NFT_META_BRI_IIFNAME to get packet input bridge interface name NFT_META_BRI_OIFNAME to get packet output bridge interface name Such meta key are accessible only through NFPROTO_BRIDGE family, on a dedicated nft meta module: nft_meta_bridge. Suggested-by:
Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> Signed-off-by:
-
- 23 Apr, 2014 2 commits
-
-
Tomasz Bursztyka authored
This will be useful to create network family dedicated META expression as for NFPROTO_BRIDGE for instance. Signed-off-by:
-
Tomasz Bursztyka authored
To ensure family tight expression gets selected in priority to family agnostic ones. Signed-off-by:
-
- 14 Apr, 2014 1 commit
-
-
Patrick McHardy authored
We currently have a limit of 8 * PAGE_SIZE anonymous sets. Lift that limit by continuing the scan if the entire page is exhausted. Signed-off-by:
Patrick McHardy <kaber@trash.net> Signed-off-by:
-
- 03 Apr, 2014 1 commit
-
-
Arturo Borrero authored
This patch adds set_elems notifications. When a set_elem is added/deleted, all listening peers in userspace will receive the corresponding notification. Signed-off-by:
Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Acked-by:
Pablo Neira Ayuso <pablo@gnumonks.org>
-
- 02 Apr, 2014 5 commits
-
-
Patrick McHardy authored
Now that nf_tables performs global accounting of set elements, it is not needed in the hash type anymore. Signed-off-by:
-
Patrick McHardy authored
The current set selection simply choses the first set type that provides the requested features, which always results in the rbtree being chosen by virtue of being the first set in the list. What we actually want to do is choose the implementation that can provide the requested features and is optimal from either a performance or memory perspective depending on the characteristics of the elements and the preferences specified by the user. The elements are not known when creating a set. Even if we would provide them for anonymous (literal) sets, we'd still have standalone sets where the elements are not known in advance. We therefore need an abstract description of the data charcteristics. The kernel already knows the size of the key, this patch starts by introducing a nested set description which so far contains only the maximum amount of elements. Based on this the set implementations are changed to provide an estimate of the required amount of memory and the lookup complexity class. The set ops have a new callback ->estimate() that is invoked during set selection. It receives a structure containing the attributes known to the kernel and is supposed to populate a struct nft_set_estimate with the complexity class and, in case the size is known, the complete amount of memory required, or the amount of memory required per element otherwise. Based on the policy specified by the user (performance/memory, defaulting to performance) the kernel will then select the best suited implementation. Even if the set implementation would allow to add more than the specified maximum amount of elements, they are enforced since new implementations might not be able to add more than maximum based on which they were selected. Signed-off-by:
-
Patrick McHardy authored
For value spanning multiple registers, we need to validate the length of data loads. In order to add this to nft_ct, we need the length from key validation. Split the nft_ct_init() function into two functions for the get and set operations as preparation for that. Signed-off-by:
-
Patrick McHardy authored
For value spanning multiple registers, we need to validate the length of data loads. In order to add this to nft_meta, we need the length from key validation. Split the nft_meta_init() function into two functions for the get and set operations as preparation for that. Signed-off-by:
-
Patrick McHardy authored
The set operation for ct mark is only valid if CONFIG_NF_CONNTRACK_MARK is enabled. Signed-off-by:
-
- 01 Apr, 2014 24 commits
-
-
Eric W. Biederman authored
Replace the test in zap_completion_queue to test when it is safe to free skbs in hard irq context with skb_irq_freeable ensuring we only free skbs when it is safe, and removing the possibility of subtle problems. Signed-off-by:
"Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Eric W. Biederman authored
Currently netpoll and skb_release_head_state assume that a skb is freeable in hard irq context except when skb->destructor is set. The reality is far from this. So add a function skb_irq_freeable to compute the full test and in the process be the living documentation of what the requirements are of actually freeing a skb in hard irq context. Signed-off-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
git://gitorious.org/linux-can/linux-canDavid S. Miller authored
linux-can-fixes-for-3.15-20140401 Marc Kleine-Budde says: ==================== this is a pull request of 16 patches for the 3.15 release cycle. Bjorn Van Tilt contributes a patch which fixes a memory leak in usb_8dev's usb_8dev_start_xmit()s error path. A patch by Robert Schwebel fixes a typo in the can documentation. The remaining patches all target the c_can driver. Two of them are by me; they add a missing netif_napi_del() and return value checking. Thomas Gleixner contributes 12 patches, which address several shortcomings in the driver like hardware initialisation, concurrency, message ordering and poor performance. ==================== Signed-off-by: -
Shahed Shaikh authored
Commit 2b3d7b75("qlcnic: Add VXLAN Rx offload support") uses vxlan_get_rx_port() which caused build failure when VXLAN=m. This patch fixes the build failure by adding dependency on VXLAN in Kconfig of qlcnic module and use vxlan_get_rx_port() and support code accordingly. Signed-off-by:
Shahed Shaikh <shahed.shaikh@qlogic.com> Signed-off-by:
-
Daniel Borkmann authored
This commit fixes a build error reported by Fengguang, that is triggered when CONFIG_NETWORK_PHY_TIMESTAMPING is not set: ERROR: "ptp_classify_raw" [drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe.ko] undefined! The fix is to introduce its own file for the PTP BPF classifier, so that PTP_1588_CLOCK and/or NETWORK_PHY_TIMESTAMPING can select it independently from each other. IXP4xx driver on ARM needs to select it as well since it does not seem to select PTP_1588_CLOCK or similar that would pull it in automatically. This also allows for hiding all of the internals of the BPF PTP program inside that file, and only exporting relevant API bits to drivers. This patch also adds a kdoc documentation of ptp_classify_raw() API to make it clear that it can return PTP_CLASS_* defines. Also, the BPF program has been translated into bpf_asm code, so that it can be more easily read and altered (extensively documented in [1]). In the kernel tree under tools/net/ we have bpf_asm and bpf_dbg tools, so the commented program can simply be translated via `./bpf_asm -c prog` where prog is a file that contains the commented code. This makes it easily readable/verifiable and when there's a need to change something, jump offsets etc do not need to be replaced manually which can be very error prone. Instead, a newly translated version via bpf_asm can simply replace the old code. I have checked opcode diffs before/after and it's the very same filter. [1] Documentation/networking/filter.txt Fixes: 164d8c66 ("net: ptp: do not reimplement PTP/BPF classifier") Reported-by:
Fengguang Wu <fengguang.wu@intel.com> Signed-off-by:
Daniel Borkmann <dborkman@redhat.com> Signed-off-by:
Alexei Starovoitov <ast@plumgrid.com> Cc: Richard Cochran <richardcochran@gmail.com> Cc: Jiri Benc <jbenc@redhat.com> Acked-by:
Richard Cochran <richardcochran@gmail.com> Signed-off-by:
-
Dan Carpenter authored
The "core_ops" variable isn't referenced outside this file and Sparse complains about it: drivers/net/ethernet/samsung/sxgbe/sxgbe_core.c:239:29: warning: symbol 'core_ops' was not declared. Should it be static? Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Dan Carpenter authored
Bitwise '|' was intended here instead of logical '||'. Fixes: 1edb9ca6 ('net: sxgbe: add basic framework for Samsung 10Gb ethernet driver') Signed-off-by:
-
Dan Carpenter authored
"err" is always zero at this point so we always unregister and free the mdio_bus before returning success. This seems like left over code and I have deleted it. Fixes: 1edb9ca6 ('net: sxgbe: add basic framework for Samsung 10Gb ethernet driver') Signed-off-by:
-
Daniel Pieczko authored
When using the "separate_tx_channels=1" module parameter, the TX queues are initially numbered starting from the first TX-only channel number (after all the RX-only channels). efx_set_channels() renumbers the queues so that they are indexed from zero. On EF10, the TX queues need to be relabelled in this way before calling the dimension_resources NIC type operation, otherwise the TX queue PIO buffers can be linked to the wrong VIs when using "separate_tx_channels=1". Added comments to explain UC/WC mappings for PIO buffers Signed-off-by:
Shradha Shah <sshah@solarflare.com> Signed-off-by:
-
Wei Liu authored
When netback discovers frontend is sending malformed packet it will disables the interface which serves that frontend. However disabling a network interface involving taking a mutex which cannot be done in softirq context, so we need to defer this process to kthread context. This patch does the following: 1. introduce a flag to indicate the interface is disabled. 2. check that flag in TX path, don't do any work if it's true. 3. check that flag in RX path, turn off that interface if it's true. The reason to disable it in RX path is because RX uses kthread. After this change the behavior of netback is still consistent -- it won't do any TX work for a rogue frontend, and the interface will be eventually turned off. Also change a "continue" to "break" after xenvif_fatal_tx_err, as it doesn't make sense to continue processing packets if frontend is rogue. This is a fix for XSA-90. Reported-by:
Török Edwin <edwin@etorok.net> Signed-off-by:
Wei Liu <wei.liu2@citrix.com> Cc: Ian Campbell <ian.campbell@citrix.com> Reviewed-by:
David Vrabel <david.vrabel@citrix.com> Acked-by:
Ian Campbell <ian.campbell@citrix.com> Signed-off-by:
-
Or Gerlitz authored
Make sure that vxlan_get_rx_port() is present in the kernel build in a manner consistent with mlx4, else mlx4 can be made built-in where vxlan a module and the phase of the build linking fails. Add CONFIG_MLX4_EN_VXLAN for that. Also, #ifdef the advertizement and implementation of the mlx4 vxlan ndo calls and related code under this config directive. Signed-off-by:
Or Gerlitz <ogerlitz@mellanox.com> Signed-off-by:
-
Sathya Perla authored
Introduce a CONFIG_BE2NET_VXLAN define to control be2net's build dependency on the VXLAN driver. Without this fix, the kernel build fails when VxLAN driver is selected to be built as a module while be2net is built-in. fixes: c9c47142 ("be2net: csum, tso and rss steering offload support for VxLAN") Signed-off-by:
Sathya Perla <sathya.perla@emulex.com> Signed-off-by:
-
Phoebe Buckheister authored
Commit 9b2777d6 (ieee802154: add TX power control to wpan_phy) and following erroneously added CSMA and CCA parameters for 802.15.4 devices as PHY parameters, while they are actually MAC parameters and can differ for any two WPAN instances. Since it is now sensible to have multiple WPAN devices with differing CSMA/CCA parameters, make these parameters MAC parameters instead. Signed-off-by:
Phoebe Buckheister <phoebe.buckheister@itwm.fraunhofer.de> Signed-off-by:
-
Phoebe Buckheister authored
All 802.15.4 PHY devices with drivers in tree can support only one WPAN at any given time, yet the stack allows arbitrarily many WPAN devices to be created and up at the same time. This cannot work with what the hardware provides, and in the current implementation, provides an easy DoS vector to any process on the system that may call socket() and sendmsg(). Thus, allow only one WPAN per PHY to be up at once, just like mac80211 does for managed devices. Signed-off-by:
-
Daniel Borkmann authored
This minor patch fixes the following warning when doing a `make htmldocs`: DOCPROC Documentation/DocBook/networking.xml Warning(.../net/core/filter.c:135): No description found for parameter 'insn' Warning(.../net/core/filter.c:135): Excess function parameter 'fentry' description in '__sk_run_filter' HTML Documentation/DocBook/networking.html Reported-by:
-
Pablo Neira authored
nla_strcmp compares the string length plus one, so it's implicitly including the nul-termination in the comparison. int nla_strcmp(const struct nlattr *nla, const char *str) { int len = strlen(str) + 1; ... d = memcmp(nla_data(nla), str, len); However, if NLA_STRING is used, userspace can send us a string without the nul-termination. This is a problem since the string comparison will not match as the last byte may be not the nul-termination. Fix this by skipping the comparison of the nul-termination if the attribute data is nul-terminated. Suggested by Thomas Graf. Cc: Florian Westphal <fw@strlen.de> Cc: Thomas Graf <tgraf@suug.ch> Signed-off-by: -
Thomas Gleixner authored
There is no point to toggle the RX led for every packet. Especially if we have a full FIFO we want to avoid everything we can. Signed-off-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Marc Kleine-Budde <mkl@pengutronix.de>
-
Thomas Gleixner authored
The function loads the message object from the hardware to get the payload length. The previous patch stores that information in an array, so we can avoid the hardware access. Remove the hardware access and move the led toggle outside of the spinlocked region. Toggle the led only once when at least one packet has been received. Binary size shrinks along with the code Signed-off-by:
-
Thomas Gleixner authored
We can avoid the HW access in TX cleanup path for retrieving the DLC of the sent package if we store the DLC in a private array. Ideally this should be handled in the can_echo_skb functions, but I leave that exercise to the CAN folks. Signed-off-by:
-
Thomas Gleixner authored
commit 4ce78a83 (can: c_can: Speed up rx_poll function) hyped a performance improvement by reducing the access to the interrupt pending register from a dual 16 bit to a single 16 bit access. Wow! Thereby it crippled the driver to cast the 16 msg objects in stone, which is completly braindead as contemporary hardware has up to 128 message objects. Supporting larger object buffers is a major surgery, but it'd be definitely worth it especially as the driver does not support HW message filtering .... The logic of the "FIFO" implementation is to split the FIFO in half. For the lower half we read the buffers and clear the interrupt pending bit, but keep the newdat bit set, so the HW will queue above those buffers. When we read out the last low buffer then we reenable all the low half buffers by clearing the newdat bit. The upper half buffers clear the newdat and the interrupt pending bit right away as we know that the lower half bits are clear and give us a headstart against the hardware. Now the implementation is: transfer_message_object() read_object_and_put_into_skb(); if (obj < END_OF_LOW_BUF) clear_intpending(obj) else if (obj > END_OF_LOW_BUF) clear_intpending_and_newdat(obj) else if (obj == END_OF_LOW_BUF) clear_newdat_of_all_low_objects() The hardware allows to avoid most of the mess simply because we can tell the transfer_message_object() function to clear bits right away. So we can be clever and do: if (obj <= END_OF_LOW_BUF) ctrl = TRANSFER_MSG | CLEAR_INTPND; else ctrl = TRANSFER_MSG | CLEAR_INTPND | CLEAR_NEWDAT; transfer_message_object(ctrl) read_object_and_put_into_skb(); if (obj == END_OF_LOW_BUF) clear_newdat_of_all_low_objects() So we save a complete control operation on all message objects except the one which is the end of the low buffer. That's a few micro seconds per object. I'm not adding a boasting profile to that, simply because it's self explaining. Signed-off-by:
-
Thomas Gleixner authored
If every other line contains line breaks, that's a clear sign for indentation level madness. Split out the inner loop and move the code to a separate function. gcc creates slightly worse code for that, but we'll fix that in the next step. Signed-off-by:
-
Thomas Gleixner authored
The network core does not serialize the access to the hardware. The xmit related code lets the following happen: CPU0 CPU1 interrupt() do_poll() c_can_do_tx() Fiddle with HW and xmit() internal data Fiddle with HW and internal data due the complete lack of serialization. Add proper locking. Signed-off-by: -
Thomas Gleixner authored
The rx_poll code has the following gem: if (msg_ctrl_save & IF_MCONT_EOB) return num_rx_pkts; The EOB bit is the indicator for the hardware that this is the last configured FIFO object. But this object can contain valid data, if we manage to free up objects before the overrun case hits. Now if the code exits due to the EOB bit set, then this buffer is stale and the interrupt bit and NewDat bit of the buffer are still set. Results in a nice interrupt storm unless we come into an overrun situation where the MSGLST bit gets set. ksoftirqd/0-3 [000] ..s. 79.124101: c_can_poll: rx_poll: val: 00008001 pend 00008001 ksoftirqd/0-3 [000] ..s. 79.124176: c_can_poll: rx_poll: val: 00008000 pend 00008000 ksoftirqd/0-3 [000] ..s. 79.124187: c_can_poll: rx_poll: val: 00008002 pend 00008002 ksoftirqd/0-3 [000] ..s. 79.124256: c_can_poll: rx_poll: val: 00008000 pend 00008000 ksoftirqd/0-3 [000] ..s. 79.124267: c_can_poll: rx_poll: val: 00008000 pend 00008000 The amazing thing is that the check of the MSGLST (aka overrun bit) used to be after the check of the EOB bit. That was "fixed" in commit 5d0f801a(can: c_can: Fix RX message handling, handle lost message before EOB). But the author of this "fix" did not even understand that the EOB check is broken as well. Again a simple solution: Remove Signed-off-by: -
Thomas Gleixner authored
The lost message handling is broken in several ways. 1) Clearing the message lost flag is done by writing 0 to the message control register of the object. #define IF_MCONT_CLR_MSGLST (0 << 14) That clears the object buffer configuration in the worst case, which results in a loss of the EOB flag. That leaves the FIFO chain without a limit and causes a complete lockup of the HW 2) In case that the error skb allocation fails, the code happily claims that it handed down a packet. Just an accounting bug, but .... 3) The code adds a lot of pointless overhead to that error case, where we need to get stuff done as fast as possible to avoid more packet loss. - printk an annoying error message - reread the object buffer for nothing Fix is simple again: - Use the already known MSGCTRL content and only clear the MSGLST bit - Fix the buffer accounting by adding a proper return code - Remove the pointless operations Signed-off-by:
-
