1. 18 Apr, 2021 6 commits
    • netfilter: nftables: counter hardware offload support · b72920f6
      Pablo Neira Ayuso authored
      This patch adds the .offload_stats operation to synchronize hardware
      stats with the expression data. Update the counter expression to use
      this new interface. The hardware stats are retrieved from the netlink
      dump path via FLOW_CLS_STATS command to the driver.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • selftests: fib_tests: Add test cases for interaction with mangling · 88262182
      Ido Schimmel authored
      Test that packets are correctly routed when netfilter mangling rules are
      present.
      
      Without previous patch:
      
       # ./fib_tests.sh -t ipv4_mangle
      
       IPv4 mangling tests
           TEST:     Connection with correct parameters                        [ OK ]
           TEST:     Connection with incorrect parameters                      [ OK ]
           TEST:     Connection with correct parameters - mangling             [FAIL]
           TEST:     Connection with correct parameters - no mangling          [ OK ]
           TEST:     Connection check - server side                            [FAIL]
      
       Tests passed:   3
       Tests failed:   2
      
       # ./fib_tests.sh -t ipv6_mangle
      
       IPv6 mangling tests
           TEST:     Connection with correct parameters                        [ OK ]
           TEST:     Connection with incorrect parameters                      [ OK ]
           TEST:     Connection with correct parameters - mangling             [FAIL]
           TEST:     Connection with correct parameters - no mangling          [ OK ]
           TEST:     Connection check - server side                            [FAIL]
      
       Tests passed:   3
       Tests failed:   2
      
      With previous patch:
      
       # ./fib_tests.sh -t ipv4_mangle
      
       IPv4 mangling tests
           TEST:     Connection with correct parameters                        [ OK ]
           TEST:     Connection with incorrect parameters                      [ OK ]
           TEST:     Connection with correct parameters - mangling             [ OK ]
           TEST:     Connection with correct parameters - no mangling          [ OK ]
           TEST:     Connection check - server side                            [ OK ]
      
       Tests passed:   5
       Tests failed:   0
      
       # ./fib_tests.sh -t ipv6_mangle
      
       IPv6 mangling tests
           TEST:     Connection with correct parameters                        [ OK ]
           TEST:     Connection with incorrect parameters                      [ OK ]
           TEST:     Connection with correct parameters - mangling             [ OK ]
           TEST:     Connection with correct parameters - no mangling          [ OK ]
           TEST:     Connection check - server side                            [ OK ]
      
       Tests passed:   5
       Tests failed:   0
      Signed-off-by: Ido Schimmel <idosch@nvidia.com>
      Reviewed-by: David Ahern <dsahern@kernel.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: Dissect flow after packet mangling · 812fa71f
      Ido Schimmel authored
      Netfilter tries to reroute mangled packets as a different route might
      need to be used following the mangling. When this happens, netfilter
      does not populate the IP protocol, the source port and the destination
      port in the flow key. Therefore, FIB rules that match on these fields
      are ignored and packets can be misrouted.
      
      Solve this by dissecting the outer flow and populating the flow key
      before rerouting the packet. Note that flow dissection only happens when
      FIB rules that match on these fields are installed, so in the common
      case there should not be a penalty.
      Reported-by: Michal Soltys <msoltyspl@yandex.pl>
      Signed-off-by: Ido Schimmel <idosch@nvidia.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nftables_offload: special ethertype handling for VLAN · 783003f3
      Pablo Neira Ayuso authored
      The nftables offload parser sets FLOW_DISSECTOR_KEY_BASIC .n_proto to the
      ethertype field in the ethertype frame. However:
      
      - FLOW_DISSECTOR_KEY_BASIC .n_proto field always stores either IPv4 or IPv6
        ethertypes.
      - FLOW_DISSECTOR_KEY_VLAN .vlan_tpid stores either the 802.1q or 802.1ad
        ethertypes. Same as for FLOW_DISSECTOR_KEY_CVLAN.
      
      This function adjusts the flow dissector to handle two scenarios:
      
      1) FLOW_DISSECTOR_KEY_VLAN .vlan_tpid is set to 802.1q or 802.1ad.
         Then, transfer:
         - the .n_proto field to FLOW_DISSECTOR_KEY_VLAN .tpid.
         - the original FLOW_DISSECTOR_KEY_VLAN .tpid to the
           FLOW_DISSECTOR_KEY_CVLAN .tpid
         - the original FLOW_DISSECTOR_KEY_CVLAN .tpid to the .n_proto field.
      
      2) .n_proto is set to 802.1q or 802.1ad. Then, transfer:
         - the .n_proto field to FLOW_DISSECTOR_KEY_VLAN .tpid.
         - the original FLOW_DISSECTOR_KEY_VLAN .tpid to the .n_proto field.
      
      Fixes: a82055af ("netfilter: nft_payload: add VLAN offload support")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nftables_offload: VLAN id needs host byteorder in flow dissector · ff4d90a8
      Pablo Neira Ayuso authored
      The flow dissector representation expects the VLAN id in host byteorder.
      Add the NFT_OFFLOAD_F_NETWORK2HOST flag to swap the bytes from nft_cmp.
      
      Fixes: a82055af ("netfilter: nft_payload: add VLAN offload support")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_payload: fix C-VLAN offload support · 14c20643
      Pablo Neira Ayuso authored
      - add another struct flow_dissector_key_vlan for C-VLAN
      - update layer 3 dependency to allow to match on IPv4/IPv6
      
      Fixes: 89d8fd44 ("netfilter: nft_payload: add C-VLAN offload support")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 13 Apr, 2021 8 commits
  3. 12 Apr, 2021 23 commits
  4. 11 Apr, 2021 3 commits
    • Merge branch 'ipa-next' · 5b489fea
      David S. Miller authored
      Alex Elder says:
      
      ====================
      net: ipa: support two more platforms
      
      This series adds IPA support for two more Qualcomm SoCs.
      
      The first patch updates the DT binding to add compatible strings.
      
      The second temporarily disables checksum offload support for IPA
      version 4.5 and above.  Changes are required to the RMNet driver
      to support the "inline" checksum offload used for IPA v4.5+, and
      once those are present this capability will be enabled for IPA.
      
      The third and fourth patches add configuration data for IPA versions
      4.5 (used for the SDX55 SoC) and 4.11 (used for the SD7280 SoC).
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipa: add IPA v4.11 configuration data · 927c5043
      Alex Elder authored
      Add support for the SC7280 SoC, which includes IPA version 4.11.
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipa: add IPA v4.5 configuration data · fbb763e7
      Alex Elder authored
      Add support for the SDX55 SoC, which includes IPA version 4.5.
      
      Starting with IPA v4.5, a few of the memory regions have a different
      number of "canary" values; update comments where the region
      identifiers are defined to accurately reflect that.
      
      I'll note three differences in SDX55 versus the other two existing
      platforms (SDM845 and SC7180):
        - SDX55 uses a 32-bit Linux kernel
        - SDX55 has four interconnects rather than three
        - SDX55 uses IPA v4.5, which uses inline checksum offload
      Signed-off-by: Alex Elder <elder@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>