- 18 Apr, 2021 6 commits
-
-
Pablo Neira Ayuso authored
This patch adds the .offload_stats operation to synchronize hardware stats with the expression data. Update the counter expression to use this new interface. The hardware stats are retrieved from the netlink dump path via FLOW_CLS_STATS command to the driver. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Ido Schimmel authored
Test that packets are correctly routed when netfilter mangling rules are present.

Without previous patch:

  # ./fib_tests.sh -t ipv4_mangle

  IPv4 mangling tests
      TEST: Connection with correct parameters [ OK ]
      TEST: Connection with incorrect parameters [ OK ]
      TEST: Connection with correct parameters - mangling [FAIL]
      TEST: Connection with correct parameters - no mangling [ OK ]
      TEST: Connection check - server side [FAIL]

  Tests passed: 3
  Tests failed: 2

  # ./fib_tests.sh -t ipv6_mangle

  IPv6 mangling tests
      TEST: Connection with correct parameters [ OK ]
      TEST: Connection with incorrect parameters [ OK ]
      TEST: Connection with correct parameters - mangling [FAIL]
      TEST: Connection with correct parameters - no mangling [ OK ]
      TEST: Connection check - server side [FAIL]

  Tests passed: 3
  Tests failed: 2

With previous patch:

  # ./fib_tests.sh -t ipv4_mangle

  IPv4 mangling tests
      TEST: Connection with correct parameters [ OK ]
      TEST: Connection with incorrect parameters [ OK ]
      TEST: Connection with correct parameters - mangling [ OK ]
      TEST: Connection with correct parameters - no mangling [ OK ]
      TEST: Connection check - server side [ OK ]

  Tests passed: 5
  Tests failed: 0

  # ./fib_tests.sh -t ipv6_mangle

  IPv6 mangling tests
      TEST: Connection with correct parameters [ OK ]
      TEST: Connection with incorrect parameters [ OK ]
      TEST: Connection with correct parameters - mangling [ OK ]
      TEST: Connection with correct parameters - no mangling [ OK ]
      TEST: Connection check - server side [ OK ]

  Tests passed: 5
  Tests failed: 0

Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Ido Schimmel authored
Netfilter tries to reroute mangled packets as a different route might need to be used following the mangling. When this happens, netfilter does not populate the IP protocol, the source port and the destination port in the flow key. Therefore, FIB rules that match on these fields are ignored and packets can be misrouted. Solve this by dissecting the outer flow and populating the flow key before rerouting the packet. Note that flow dissection only happens when FIB rules that match on these fields are installed, so in the common case there should not be a penalty. Reported-by: Michal Soltys <msoltyspl@yandex.pl> Signed-off-by: Ido Schimmel <idosch@nvidia.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Pablo Neira Ayuso authored
The nftables offload parser sets FLOW_DISSECTOR_KEY_BASIC .n_proto to the ethertype field in the ethertype frame. However:

  - FLOW_DISSECTOR_KEY_BASIC .n_proto field always stores either IPv4 or IPv6 ethertypes.
  - FLOW_DISSECTOR_KEY_VLAN .vlan_tpid stores either the 802.1q or 802.1ad ethertypes. Same as for FLOW_DISSECTOR_KEY_CVLAN.

This function adjusts the flow dissector to handle two scenarios:

  1) FLOW_DISSECTOR_KEY_VLAN .vlan_tpid is set to 802.1q or 802.1ad. Then, transfer:
     - the .n_proto field to FLOW_DISSECTOR_KEY_VLAN .tpid.
     - the original FLOW_DISSECTOR_KEY_VLAN .tpid to the FLOW_DISSECTOR_KEY_CVLAN .tpid
     - the original FLOW_DISSECTOR_KEY_CVLAN .tpid to the .n_proto field.

  2) .n_proto is set to 802.1q or 802.1ad. Then, transfer:
     - the .n_proto field to FLOW_DISSECTOR_KEY_VLAN .tpid.
     - the original FLOW_DISSECTOR_KEY_VLAN .tpid to the .n_proto field.

Fixes: a82055af ("netfilter: nft_payload: add VLAN offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Pablo Neira Ayuso authored
The flow dissector representation expects the VLAN id in host byteorder. Add the NFT_OFFLOAD_F_NETWORK2HOST flag to swap the bytes from nft_cmp. Fixes: a82055af ("netfilter: nft_payload: add VLAN offload support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Pablo Neira Ayuso authored
- add another struct flow_dissector_key_vlan for C-VLAN - update layer 3 dependency to allow to match on IPv4/IPv6 Fixes: 89d8fd44 ("netfilter: nft_payload: add C-VLAN offload support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- 13 Apr, 2021 8 commits
-
-
Roi Dayan authored
It could be that the xmit type was not set and would default to FLOW_OFFLOAD_XMIT_NEIGH, and in this type the gc expects to have a route info. Fix that by adding FLOW_OFFLOAD_XMIT_UNSPEC which defaults to 0. Fixes: 8b9229d1 ("netfilter: flowtable: dst_check() from garbage collector path") Signed-off-by: Roi Dayan <roid@nvidia.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Florian Westphal authored
log_invalid sysctl allows values of 0 to 255 inclusive so we no longer need a range check: the min/max values can be removed. This also removes all member variables that were moved to net_generic data in previous patches. This reduces size of netns_ct struct by one cache line. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Florian Westphal authored
It's only needed from slowpath (sysctl, ctnetlink, gc worker) and when a new conntrack object is allocated. Furthermore, each write dirties the otherwise read-mostly pernet data in struct net.ct, which are accessed from packet path. Move it to the net_generic data. This makes struct netns_ct read-mostly. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Florian Westphal authored
Creation of a new conntrack entry isn't a frequent operation (compared to 'ct entry already exists'). Creation of a new entry that is also an expected (related) connection even less so. Place this counter in net_generic data. A followup patch will also move the conntrack count -- this will make netns_ct a read-mostly structure. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Florian Westphal authored
While at it, make it a u8, no need to use an integer for a boolean. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Florian Westphal authored
Not accessed in fast path, place this in generic_net data instead. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
wenxu authored
This patch adds vlan pop action offload in the flowtable offload. Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
wenxu authored
This patch adds support for vlan_id, vlan_priority and vlan_proto match for flowtable offload. Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- 12 Apr, 2021 23 commits
-
-
Adam Ford authored
For devices that use a programmable clock for the AVB reference clock, the driver may need to enable them. Add code to find the optional clock and enable it when available. Signed-off-by: Adam Ford <aford173@gmail.com> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Adam Ford authored
The AVB driver assumes there is an external crystal, but it could be clocked by other means. In order to enable a programmable clock, it needs to be added to the clocks list and enabled in the driver. Since there is currently only one clock, there is no clock-names list either. Update bindings to add the additional optional clock, and explicitly name both of them. Signed-off-by: Adam Ford <aford173@gmail.com> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Acked-by: Rob Herring <robh@kernel.org> Reviewed-by: Sergei Shtylyov <sergei.shtylyov@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Yangbo Lu says:

====================
enetc: support PTP Sync packet one-step timestamping

This patch-set is to add support for PTP Sync packet one-step timestamping. Since ENETC single-step register has to be configured dynamically per packet for correctionField offset and UDP checksum update, current one-step timestamping packet has to be sent only when the last one completes transmitting on hardware. So, on the TX, this patch handles one-step timestamping packet as below:

  - Transmit packet immediately if no other one in transfer, or queue to skb queue if there is already one in transfer. The test_and_set_bit_lock() is used here to lock and check state.
  - Start a work when complete transfer on hardware, to release the bit lock and to send one skb in skb queue if has.

Changes for v2:
  - Rebased.
  - Fixed issues from patchwork checks.
  - netif_tx_lock for one-step timestamping packet sending.

Changes for v3:
  - Used system workqueue.
  - Set bit lock when transmitted one-step packet, and scheduled work when completed. The worker cleared the bit lock, and transmitted one skb in skb queue if has, instead of a loop.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yangbo Lu authored
This patch is to add support for PTP Sync packet one-step timestamping. Since ENETC single-step register has to be configured dynamically per packet for correctionField offset and UDP checksum update, current one-step timestamping packet has to be sent only when the last one completes transmitting on hardware. So, on the TX, this patch handles one-step timestamping packet as below:

  - Transmit packet immediately if no other one in transfer, or queue to skb queue if there is already one in transfer. The test_and_set_bit_lock() is used here to lock and check state.
  - Start a work when complete transfer on hardware, to release the bit lock and to send one skb in skb queue if has.

And the configuration for one-step timestamping on ENETC before transmitting is:

  - Set one-step timestamping flag in extension BD.
  - Write 30 bits current timestamp in tstamp field of extension BD.
  - Update PTP Sync packet originTimestamp field with current timestamp.
  - Configure single-step register for correctionField offset and UDP checksum update.

Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
Reviewed-by: Claudiu Manoil <claudiu.manoil@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Yangbo Lu authored
Mark TX timestamp type per skb on skb->cb[0], instead of global variable for all skbs. This is a preparation for one step timestamp support. For one-step timestamping enablement, there will be both one-step and two-step PTP messages to transfer. And an skb queue is needed for one-step PTP messages, making sure to start sending the current message only after the last one has completed on hardware. (ENETC single-step register has to be dynamically configured per message.) So, marking TX timestamp type per skb is required. Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com> Reviewed-by: Claudiu Manoil <claudiu.manoil@nxp.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Lijun Pan says: ==================== ibmvnic: improve error printing Patch 1 prints reset reason as a string. Patch 2 prints adapter state as a string. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Lijun Pan authored
The adapter state can be added or deleted over different versions of the source code. Print a string instead of a number. Signed-off-by: Lijun Pan <lijunp213@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Lijun Pan authored
The reset reason can be added or deleted over different versions of the source code. Print a string instead of a number. Signed-off-by: Lijun Pan <lijunp213@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Lijun Pan authored
Commit e704f043 ("ibmvnic: Remove debugfs support") did not clean up everything. Remove the remaining code. Signed-off-by: Lijun Pan <lijunp213@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Jonathon Reinhart says:

====================
Ensuring net sysctl isolation

This patchset is the result of an audit of /proc/sys/net to prove that it is safe to be mounted read-write in a container when a net namespace is in use. See [1].

The first commit adds code to detect sysctls which are not netns-safe, and can "leak" changes to other net namespaces.

My manual audit found, and the above feature confirmed, that there are two nf_conntrack sysctls which are in fact not netns-safe.

I considered sending the latter to netfilter-devel, but I think it's better to have both together on net-next: Adding only the former causes undesirable warnings in the kernel log.

[1]: https://github.com/opencontainers/runc/issues/2826
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jonathon Reinhart authored
These sysctls point to global variables:

  - NF_SYSCTL_CT_MAX (&nf_conntrack_max)
  - NF_SYSCTL_CT_EXPECT_MAX (&nf_ct_expect_max)
  - NF_SYSCTL_CT_BUCKETS (&nf_conntrack_htable_size_user)

Because their data pointers are not updated to point to per-netns structures, they must be marked read-only in a non-init_net ns. Otherwise, changes in any net namespace are reflected in (leaked into) all other net namespaces. This problem has existed since the introduction of net namespaces.

The current logic marks them read-only only if the net namespace is owned by an unprivileged user (other than init_user_ns).

Commit d0febd81 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces") "exposes all sysctls even if the namespace is unpriviliged." Since we need to mark them readonly in any case, we can forego the unprivileged user check altogether.

Fixes: d0febd81 ("netfilter: conntrack: re-visit sysctls in unprivileged namespaces")
Signed-off-by: Jonathon Reinhart <Jonathon.Reinhart@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Jonathon Reinhart authored
This adds an ensure_safe_net_sysctl() check during register_net_sysctl() to validate that sysctl table entries for a non-init_net netns are sufficiently isolated. To be netns-safe, an entry must adhere to at least (and usually exactly) one of these rules:

  1. It is marked read-only inside the netns.
  2. Its data pointer does not point to kernel/module global data.

An entry which fails both of these checks is indicative of a bug, whereby a child netns can affect global net sysctl values.

If such an entry is found, this code will issue a warning to the kernel log, and force the entry to be read-only to prevent a leak.

To test, simply create a new netns:

  $ sudo ip netns add dummy

As it sits now, this patch will WARN for two sysctls which will be addressed in a subsequent patch:

  - /proc/sys/net/netfilter/nf_conntrack_max
  - /proc/sys/net/netfilter/nf_conntrack_expect_max

Signed-off-by: Jonathon Reinhart <Jonathon.Reinhart@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
wengjianfeng authored
In many places, a value is first assigned to a variable and then the variable is returned, which is redundant; we should directly return the value. In the pn533_rf_field function, rc is also returned in the if statement, so we use return 0 to replace the last return rc. Signed-off-by: wengjianfeng <wengjianfeng@yulong.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
David S. Miller authored
Michael Chan says: ==================== bnxt_en: Error recovery fixes. This series adds some fixes and enhancements to the error recovery logic. The health register logic is improved and we also add missing code to free and re-create VF representors in the firmware after error recovery. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Sriharsha Basavapatna authored
During firmware recovery, VF-Rep configuration in the firmware is lost. Fix it by freeing and (re)allocating VF-Reps in FW at relevant points during the error recovery process. Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michael Chan authored
Add a new helper function __bnxt_free_one_vf_rep() to free one VF rep. We also reinitialize the VF rep fields to proper initial values so that the function can be used without freeing the VF rep data structure. This will be used in subsequent patches to free and recreate VF reps after error recovery. Reviewed-by: Edwin Peer <edwin.peer@broadcom.com> Reviewed-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Sriharsha Basavapatna authored
Add a new function bnxt_alloc_vf_rep() to allocate a VF representor. This function will be needed in subsequent patches to recreate the VF reps after error recovery. Signed-off-by: Sriharsha Basavapatna <sriharsha.basavapatna@broadcom.com> Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Vasundhara Volam authored
After probe is successful, interface may not be brought up in all the cases and health register mapping could be invalid if firmware undergoes reset. Fix it by invalidating the health register at the end of probe. It will be remapped during ifup. Fixes: 43a440c4 ("bnxt_en: Improve the status_reliable flag in bp->fw_health.") Signed-off-by: Vasundhara Volam <vasundhara-v.volam@broadcom.com> Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Michael Chan authored
The retry loop in bnxt_try_recover_fw() should not abort when the health register value is 0. It is a valid value that indicates the firmware is booting up. Fixes: 861aae78 ("bnxt_en: Enhance retry of the first message to the firmware.") Reviewed-by: Edwin Peer <edwin.peer@broadcom.com> Signed-off-by: Michael Chan <michael.chan@broadcom.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Andrea Mayer authored
There is a comment spelling mistake "interfarence" -> "interference" in function parse_nla_action(). Fix it. Signed-off-by: Andrea Mayer <andrea.mayer@uniroma2.it> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Colin Ian King authored
The reset_prepare and reset_done calls have a null pointer check on ae_dev however ae_dev is being dereferenced via the call to ns3_is_phys_func with the ae->pdev argument. Fix this by performing a null pointer check on ae_dev and hence short-circuiting the dereference to ae_dev on the call to ns3_is_phys_func. Addresses-Coverity: ("Dereference before null check") Fixes: 715c58e9 ("net: hns3: add suspend and resume pm_ops") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Colin Ian King authored
The shifting of the u8 integers rq->caching by 26 bits to the left will be promoted to a 32 bit signed int and then sign-extended to a u64. In the event that rq->caching is greater than 0x1f then all the upper 32 bits of the u64 end up as also being set because of the int sign-extension. Fix this by casting the u8 values to a u64 before the 26 bit left shift. Addresses-Coverity: ("Unintended sign extension") Fixes: 4863dea3 ("net: Adding support for Cavium ThunderX network controller") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Colin Ian King authored
The shifting of the u8 integers f->fs.nat_lip[] by 24 bits to the left will be promoted to a 32 bit signed int and then sign-extended to a u64. In the event that the top bit of the u8 is set then all the upper 32 bits of the u64 end up as also being set because of the sign-extension. Fix this by casting the u8 values to a u64 before the 24 bit left shift. Addresses-Coverity: ("Unintended sign extension") Fixes: 12b276fb ("cxgb4: add support to create hash filters") Signed-off-by: Colin Ian King <colin.king@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net>
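
The sign extension described in the two Coverity fixes above, as an added example that is not code from either driver. The function names, SAMPLE_ADDR and the byte order of the address packing are assumptions made for illustration; the promoted-int step is written out explicitly so the example contains no signed-overflow undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>

/* Shift count quoted in the ThunderX commit message; the register layout is not modelled. */
#define CACHING_SHIFT 26

/* Constructed sample: four address bytes, the byte shifted by 24 has its top bit set. */
static const uint8_t SAMPLE_ADDR[4] = { 0x0a, 0x01, 0xa8, 0xc0 };

/*
 * What a u64 receives from an expression built from u8 operands: each u8 is
 * promoted to a 32-bit int, the arithmetic happens in 32 bits, and the int
 * result is sign-extended when it is widened to 64 bits.
 */
static uint64_t widen_like_int(uint32_t bits32)
{
    int32_t as_int = (int32_t)bits32;   /* value the int expression holds with GCC/Clang */
    return (uint64_t)(int64_t)as_int;   /* sign extension fills bits 63..32 */
}

/* Before the fix: u8 shifted as an int, then widened. */
static uint64_t caching_promoted(uint8_t caching)
{
    return widen_like_int((uint32_t)caching << CACHING_SHIFT);
}

/* After the fix: cast to u64 first, so the shift is done in 64 bits. */
static uint64_t caching_fixed(uint8_t caching)
{
    return (uint64_t)caching << CACHING_SHIFT;
}

/* Before the fix: four u8 values OR-ed together as ints (hypothetical byte order). */
static uint64_t addr_promoted(const uint8_t b[4])
{
    return widen_like_int((uint32_t)b[0] | (uint32_t)b[1] << 8 |
                          (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24);
}

/* After the fix: every byte is widened before it is shifted. */
static uint64_t addr_fixed(const uint8_t b[4])
{
    return (uint64_t)b[0] | (uint64_t)b[1] << 8 |
           (uint64_t)b[2] << 16 | (uint64_t)b[3] << 24;
}

/* Non-zero when bits 63..32 are set in a value that should fit in 32 bits. */
static int upper_half_polluted(uint64_t v) { return (v >> 32) != 0; }

int main(void)
{
    const uint8_t samples[] = { 0x1f, 0x20, 0x3f };
    for (size_t i = 0; i < sizeof(samples); i++)
        printf("caching=0x%02x promoted=0x%016llx fixed=0x%016llx\n", samples[i],
               (unsigned long long)caching_promoted(samples[i]),
               (unsigned long long)caching_fixed(samples[i]));
    printf("addr promoted=0x%016llx (polluted=%d) fixed=0x%016llx (polluted=%d)\n",
           (unsigned long long)addr_promoted(SAMPLE_ADDR),
           upper_half_polluted(addr_promoted(SAMPLE_ADDR)),
           (unsigned long long)addr_fixed(SAMPLE_ADDR),
           upper_half_polluted(addr_fixed(SAMPLE_ADDR)));
    return 0;
}
```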
-
- 11 Apr, 2021 3 commits
-
-
David S. Miller authored
Alex Elder says: ==================== net: ipa: support two more platforms This series adds IPA support for two more Qualcomm SoCs. The first patch updates the DT binding to add compatible strings. The second temporarily disables checksum offload support for IPA version 4.5 and above. Changes are required to the RMNet driver to support the "inline" checksum offload used for IPA v4.5+, and once those are present this capability will be enabled for IPA. The third and fourth patches add configuration data for IPA versions 4.5 (used for the SDX55 SoC) and 4.11 (used for the SD7280 SoC). ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Add support for the SC7280 SoC, which includes IPA version 4.11. Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-
Alex Elder authored
Add support for the SDX55 SoC, which includes IPA version 4.5. Starting with IPA v4.5, a few of the memory regions have a different number of "canary" values; update comments where the region identifiers are defined to accurately reflect that. I'll note three differences in SDX55 versus the other two existing platforms (SDM845 and SC7180): - SDX55 uses a 32-bit Linux kernel - SDX55 has four interconnects rather than three - SDX55 uses IPA v4.5, which uses inline checksum offload Signed-off-by: Alex Elder <elder@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-