- 19 Jun, 2017 8 commits
-
-
Florian Westphal authored
text data bss dec hex filename old: 151590 2240 1152 154982 25d66 net/netfilter/nf_tables_api.o new: 151666 2240 416 154322 25ad2 net/netfilter/nf_tables_api.o Signed-off-by:
Florian Westphal <fw@strlen.de> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org>
-
Florian Westphal authored
We don't support anything larger than NFPROTO_MAX, so we can shrink this a bit: text data dec hex filename old: 8259 1096 9355 248b net/netfilter/nf_conntrack_proto.o new: 8259 624 8883 22b3 net/netfilter/nf_conntrack_proto.o Signed-off-by: -
Liping Zhang authored
amanda_helper, nf_conntrack_helper_ras and nf_conntrack_helper_q931 are all arrays, so we can use nf_conntrack_helpers_register to register the ct helper, this will help us to eliminate some "goto errX" statements. Also introduce h323_helper_init/exit helper function to register the ct helpers, this is prepared for the followup patch, which will add net namespace support for ct helper. Signed-off-by:
Liping Zhang <zlpnobody@gmail.com> Acked-by:
-
Jike Song authored
Should use ":=" instead of "+=". Signed-off-by:
Jike Song <jike.song@intel.com> Signed-off-by:
-
Gao Feng authored
Use the new helper function ebt_invalid_target instead of the old macro INVALID_TARGET and other duplicated codes to enhance the readability. Signed-off-by:
Gao Feng <gfree.wind@vip.163.com> Signed-off-by:
-
Florian Westphal authored
Quoting Joe Stringer: If a user loads nf_conntrack_ftp, sends FTP traffic through a network namespace, destroys that namespace then unloads the FTP helper module, then the kernel will crash. Events that lead to the crash: 1. conntrack is created with ftp helper in netns x 2. This netns is destroyed 3. netns destruction is scheduled 4. netns destruction wq starts, removes netns from global list 5. ftp helper is unloaded, which resets all helpers of the conntracks via for_each_net() but because netns is already gone from list the for_each_net() loop doesn't include it, therefore all of these conntracks are unaffected. 6. helper module unload finishes 7. netns wq invokes destructor for rmmod'ed helper CC: "Eric W. Biederman" <ebiederm@xmission.com> Reported-by:
Joe Stringer <joe@ovn.org> Signed-off-by:
David S. Miller <davem@davemloft.net> Acked-by:
"Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by:
-
Florian Westphal authored
We only need to iterate & remove in case of module removal; for netns destruction all conntracks will be removed anyway. Signed-off-by:
-
Xin Long authored
It's a terrible thing to hold dev in iptables target. When the dev is being removed, unregister_netdevice has to wait for the dev to become free. dmesg will keep logging the err: kernel:unregister_netdevice: waiting for veth0_in to become free. \ Usage count = 1 until iptables rules with this target are removed manually. The worse thing is when deleting a netns, a virtual nic will be deleted instead of reset to init_net in default_device_ops exit/exit_batch. As it is earlier than to flush the iptables rules in iptable_filter_net_ops exit, unregister_netdevice will block to wait for the nic to become free. As unregister_netdevice is actually waiting for iptables rules flushing while iptables rules have to be flushed after unregister_netdevice. This 'dead lock' will cause unregister_netdevice to block there forever. As the netns is not available to operate at that moment, iptables rules can not even be flushed manually either. The reproducer can be: # ip netns add test # ip link add veth0_in type veth peer name veth0_out # ip link set veth0_in netns test # ip netns exec test ip link set lo up # ip netns exec test ip link set veth0_in up # ip netns exec test iptables -I INPUT -d 1.2.3.4 -i veth0_in -j \ CLUSTERIP --new --clustermac 89:d4:47:eb:9a:fa --total-nodes 3 \ --local-node 1 --hashmode sourceip-sourceport # ip netns del test This issue can be triggered by all virtual nics with ipt_CLUSTERIP. This patch is to fix it by not holding dev in ipt_CLUSTERIP, but saving the dev->ifindex instead of the dev. As Pablo Neira Ayuso's suggestion, it will refresh c->ifindex and dev's mc by registering a netdevice notifier, just as what xt_TEE does. So it removes the old codes updating dev's mc, and also no need to initialize c->ifindex with dev->ifindex. But as one config can be shared by more than one targets, and the netdev notifier is per config, not per target. It couldn't get e->ip.iniface in the notifier handler. So e->ip.iniface has to be saved into config. Note that for backwards compatibility, this patch doesn't remove the codes checking if the dev exists before creating a config. v1->v2: - As Pablo Neira Ayuso's suggestion, register a netdevice notifier to manage c->ifindex and dev's mc. Reported-by:Jianlin Shi <jishi@redhat.com> Signed-off-by:
Xin Long <lucien.xin@gmail.com> Signed-off-by:
-
- 29 May, 2017 20 commits
-
-
Liping Zhang authored
Similar to nf_conntrack_helper, we can use nf_ct_iterare_cleanup_net to remove these copy & paste code. Signed-off-by:
-
Liping Zhang authored
When we unlink the helper objects, we will iterate the nf_conntrack_hash, iterate the unconfirmed list, handle the hash resize situation, etc. Actually this logic is same as the nf_ct_iterate_destroy, so we can use it to remove these copy & paste code. Signed-off-by:
-
Pablo Neira Ayuso authored
This patch provides a faster variant of the lookup function for 2 and 4 byte keys. Optimizing the one byte case is not worth, as the set backend selection will always select the bitmap set type for such case. Signed-off-by: -
Pablo Neira Ayuso authored
This patch adds a simple non-resizable hashtable implementation. If the user specifies the set size, then this new faster hashtable flavour is selected. Signed-off-by: -
Pablo Neira Ayuso authored
The new fixed size hashtable backend implementation may result in a large array of buckets that would spew splats from mm. Update this code to fall back on vmalloc in case the memory allocation order is too costly. Signed-off-by: -
Pablo Neira Ayuso authored
Add nft_hash_buckets() helper function to calculate the number of hashtable buckets based on the elements. This function can be reused from the follow up patch to add non-resizable hashtables. Signed-off-by: -
Pablo Neira Ayuso authored
The new non-resizable hashtable variant needs this to calculate the size of the bucket array. Signed-off-by: -
Pablo Neira Ayuso authored
This patch adds the infrastructure to support several implementations of the same set type. This selection will be based on the set description and the features available for this set. This allow us to select set backend implementation that will result in better performance numbers. Signed-off-by: -
Pablo Neira Ayuso authored
This patch prepares the introduction of a non-resizable hashtable implementation that is significantly faster. Signed-off-by: -
Pablo Neira Ayuso authored
This size estimation is ignored by the existing set backend selection logic, since this estimation structure is stack allocated, set this to ~0 to make it easier to catch bugs in future changes. Signed-off-by: -
Pablo Neira Ayuso authored
Replace struct rhashtable_params forward declaration by the structure definition itself. Signed-off-by: -
Florian Westphal authored
We don't need pernetns cleanup anymore. If the netns is being destroyed, conntrack netns exit will kill all entries in this namespace, and neither conntrack hash table nor bysource hash are per namespace. For the rmmod case, we have to make sure we remove all entries from the nat bysource table, so call the new nf_ct_iterate_destroy in module exit path. Signed-off-by:
-
Florian Westphal authored
We could some conntracks when a resize occurs in parallel. Avoid this by sampling generation seqcnt and doing a restart if needed. Signed-off-by:
-
Florian Westphal authored
sledgehammer to be used on module unload (to remove affected conntracks from all namespaces). It will also flag all unconfirmed conntracks as dying, i.e. they will not be committed to main table. Signed-off-by:
-
Florian Westphal authored
nf_ct_iterate_cleanup_net currently calls iter() callback also for conntracks on the unconfirmed list, but this is unsafe. Acesses to nf_conn are fine, but some users access the extension area in the iter() callback, but that does only work reliably for confirmed conntracks (ct->ext can be reallocated at any time for unconfirmed conntrack). The seond issue is that there is a short window where a conntrack entry is neither on the list nor in the table: To confirm an entry, it is first removed from the unconfirmed list, then insert into the table. Fix this by iterating the unconfirmed list first and marking all entries as dying, then wait for rcu grace period. This makes sure all entries that were about to be confirmed either are in the main table, or will be dropped soon. Signed-off-by:
-
Florian Westphal authored
There are several places where we needlesly call nf_ct_iterate_cleanup, we should instead iterate the full table at module unload time. This is a leftover from back when the conntrack table got duplicated per net namespace. So rename nf_ct_iterate_cleanup to nf_ct_iterate_cleanup_net. A later patch will then add a non-net variant. Signed-off-by:
-
stephen hemminger authored
Resolves warnings: net/netfilter/nft_rt.c:26:6: warning: no previous prototype for ‘nft_rt_get_eval’ [-Wmissing-prototypes] net/netfilter/nft_rt.c:75:5: warning: no previous prototype for ‘nft_rt_get_init’ [-Wmissing-prototypes] net/netfilter/nft_rt.c:106:5: warning: no previous prototype for ‘nft_rt_get_dump’ [-Wmissing-prototypes] Signed-off-by:
Stephen Hemminger <sthemmin@microsoft.com> Signed-off-by:
-
stephen hemminger authored
Missing include file causes: net/netfilter/nf_dup_netdev.c:26:6: warning: no previous prototype for ‘nf_fwd_netdev_egress’ [-Wmissing-prototypes] net/netfilter/nf_dup_netdev.c:40:6: warning: no previous prototype for ‘nf_dup_netdev_egress’ [-Wmissing-prototypes] Signed-off-by:
-
Florian Westphal authored
one of the last remaining users of the old api, hopefully followup commit can remove it soon. Signed-off-by:
-
linzhang authored
This patch cleans up extra spaces. Signed-off-by:
linzhang <xiaolou4617@gmail.com> Signed-off-by:
-
- 23 May, 2017 10 commits
-
-
Alexey Dobriyan authored
This field is sizeof of corresponding kmem_cache so it can't be negative. Space will be saved after 32-bit kmem_cache_create() patch. Signed-off-by:
Alexey Dobriyan <adobriyan@gmail.com> Signed-off-by:
-
Alexey Dobriyan authored
This field is sizeof of corresponding kmem_cache so it can't be negative. Prepare for 32-bit kmem_cache_create(). Signed-off-by:
-
Govindarajulu Varadarajan authored
In case of busy poll, napi_complete_done returns false and does not dequeue napi. In this case do not unmask the intr. We are guaranteed napi is called again. This reduces unnecessary iowrites. Signed-off-by:
Govindarajulu Varadarajan <gvaradar@cisco.com> Signed-off-by:
-
Jiri Pirko authored
When user instructs to remove all filters from chain, we cannot destroy the chain as other actions may hold a reference. Also the put in errout would try to destroy it again. So instead, just walk the chain and remove all existing filters. Fixes: 5bc17018 ("net: sched: introduce multichain support for filters") Signed-off-by:
Jiri Pirko <jiri@mellanox.com> Acked-by:
Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by:
-
Jiri Pirko authored
*p_filter_chain is rcu-dereferenced on reader path. So here in writer, property assign the pointer. Fixes: 2190d1d0 ("net: sched: introduce helpers to work with filter chains") Signed-off-by:
-
-
git://git.kernel.org/pub/scm/linux/kernel/git/kees/linuxLinus Torvalds authored
Pull pstore fix from Kees Cook: "Marta noticed another misbehavior in EFI pstore, which this fixes. Hopefully this is the last of the v4.12 fixes for pstore!" * tag 'pstore-v4.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux: efi-pstore: Fix write/erase id tracking
-
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull ACPI fixes from Rafael Wysocki: "These revert a 4.11 change that turned out to be problematic and add a .gitignore file. Specifics: - Revert a 4.11 commit related to the ACPI-based handling of laptop lids that made changes incompatible with existing user space stacks and broke things there (Lv Zheng). - Add .gitignore to the ACPI tools directory (Prarit Bhargava)" * tag 'acpi-4.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: Revert "ACPI / button: Remove lid_init_state=method mode" tools/power/acpi: Add .gitignore file -
git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pmLinus Torvalds authored
Pull power management fixes from Rafael Wysocki: "These fix RTC wakeup from suspend-to-idle broken recently, fix CPU idleness detection condition in the schedutil cpufreq governor, fix a cpufreq driver build failure, fix an error code path in the power capping framework, clean up the hibernate core and update the intel_pstate documentation. Specifics: - Fix RTC wakeup from suspend-to-idle broken by the recent rework of ACPI wakeup handling (Rafael Wysocki). - Update intel_pstate driver documentation to reflect the current code and explain how it works in more detail (Rafael Wysocki). - Fix an issue related to CPU idleness detection on systems with shared cpufreq policies in the schedutil governor (Juri Lelli). - Fix a possible build issue in the dbx500 cpufreq driver (Arnd Bergmann). - Fix a function in the power capping framework core to return an error code instead of 0 when there's an error (Dan Carpenter). - Clean up variable definition in the hibernation core (Pushkar Jambhlekar)" * tag 'pm-4.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm: cpufreq: dbx500: add a Kconfig symbol PM / hibernate: Declare variables as static PowerCap: Fix an error code in powercap_register_zone() RTC: rtc-cmos: Fix wakeup from suspend-to-idle PM / wakeup: Fix up wakeup_source_report_event() cpufreq: intel_pstate: Document the current behavior and user interface cpufreq: schedutil: use now as reference when aggregating shared policy requests -
Jan Kiszka authored
We need to initializes those variables to 0 for platforms that do not provide ACPI parameters. Otherwise, we set sda_hold_time to random values, breaking e.g. Galileo and IOT2000 boards. Reported-and-tested-by:
Linus Torvalds <torvalds@linux-foundation.org> Reported-by:
Tobias Klausmann <tobias.johannes.klausmann@mni.thm.de> Fixes: 9d640843 ("i2c: designware: don't infer timings described by ACPI from clock rate") Signed-off-by:
Jan Kiszka <jan.kiszka@siemens.com> Reviewed-by:
Ard Biesheuvel <ard.biesheuvel@linaro.org> Acked-by:
Jarkko Nikula <jarkko.nikula@linux.intel.com> Signed-off-by:
Wolfram Sang <wsa@the-dreams.de> Signed-off-by:
-
- 22 May, 2017 2 commits
-
-
Kees Cook authored
Prior to the pstore interface refactoring, the "id" generated during a backend pstore_write() was only retained by the internal pstore inode tracking list. Additionally the "part" was ignored, so EFI would encode this in the id. This corrects the misunderstandings and correctly sets "id" during pstore_write(), and uses "part" directly during pstore_erase(). Reported-by:
Marta Lofstedt <marta.lofstedt@intel.com> Fixes: 76cc9580 ("pstore: Replace arguments for write() API") Fixes: a61072aa ("pstore: Replace arguments for erase() API") Signed-off-by:
Kees Cook <keescook@chromium.org> Tested-by:
-
David S. Miller authored
Vivien Didelot says: ==================== net: dsa: distribute switch events DSA is by nature the support for a switch fabric, which can be composed of a single, or multiple interconnected Ethernet switch chips. The current DSA core behavior is to identify the slave port targeted by a request (e.g. adding a VLAN entry), and program the switch chip to which it belongs accordingly. This is problematic in a multi-chip environment, since all chips of a fabric must be aware of most configuration changes. Here are some concrete examples in a 3-chip environment: [CPU].................... (mdio) (eth0) | : : : _|_____ _______ _______ [__sw0__]--[__sw1__]--[__sw2__] | | | | | | | | | v v v v v v v v v p1 p2 p3 p4 p5 p6 p7 p8 p9 If you add a VLAN entry on p7, sw2 gets programmed, but frames won't reach the CPU interface in a VLAN filtered setup. sw0 and sw1 also need to be programmed. The same problem comes with MAC addresses (FDB, MDB), or ageing time changes for instance. This patch series uses the notification chain introduced for bridging, to notify not only bridge, but switchdev attributes and objects events to all switch chips of the fabric. An ugly debug message printing the ignored event and switch info in the code handling the switch VLAN events would give us: # bridge vlan add dev p7 vid 42 sw0: ignoring DSA_NOTIFIER_VLAN_ADD for sw2 (prepare phase) sw1: ignoring DSA_NOTIFIER_VLAN_ADD for sw2 (prepare phase) sw0: ignoring DSA_NOTIFIER_VLAN_ADD for sw2 (commit phase) sw1: ignoring DSA_NOTIFIER_VLAN_ADD for sw2 (commit phase) To achieve that, patches 1-8 change the scope of the bridge and switchdev callbacks from the DSA slave device to the generic DSA port, so that the port-wide API can be used later for switch ports not exposed to userspace, such as CPU and DSA links. Patches 9-15 move the DSA port specific functions in a new port.c file. Patches 16-20 introduce new events to notify the fabric about switchdev attributes and objects manipulation. This patch series only adds the plumbing to support a distributed configuration, but for the moment, each switch chip ignores events from other chips of the fabric, to keep the current behavior. The next patch series will add support for cross-chip configuration of bridge ageing time, VLAN and MAC address databases operations, etc. ==================== Tested-by:Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
-
