1. 15 May, 2015 1 commit
    • netfilter: x_tables: add context to know if extension runs from nft_compat · 55917a21
      Pablo Neira Ayuso authored
      Currently, we have four xtables extensions that cannot be used from the
      xt over nft compat layer. The problem is that they need real access to
      the full blown xt_entry to validate that the rule comes with the right
      dependencies. This check was introduced to overcome the lack of
      sufficient userspace dependency validation in iptables.
      
      To resolve this problem, this patch introduces a new field to the
      xt_tgchk_param structure that tells us if the extension is run from
      nft_compat context.
      
      The three affected extensions are:
      
      1) CLUSTERIP, this target has been superseded by xt_cluster. So just
         bail out by returning -EINVAL.
      
      2) TCPMSS. Relax the checking when used from nft_compat. If used with
         the wrong configuration, it will corrupt !syn packets by adding TCP
         MSS option.
      
      3) ebt_stp. Relax the check to make sure it uses the reserved
         destination MAC address for STP.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Tested-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
      55917a21
  2. 14 May, 2015 4 commits
  3. 13 May, 2015 26 commits
  4. 12 May, 2015 9 commits
    • Merge branch 'switchdev_spring_cleanup' · a62b70dd
      David S. Miller authored
      Scott Feldman says:
      
      ====================
      switchdev: spring cleanup
      
      v7:
      
      Address review comments:
      
       - [Jiri] split the br_setlink and br_dellink reverts into their own patches
       - [Jiri] some parameter cleanup of rocker's memory allocators
       - [Jiri] pass trans mode as formal parameter rather than hanging off of
           rocker_port.
      
      v6:
      
      Address review comments:
      
       - [Jiri] split a couple of patches into one-logical-change per patch
       - [Joe Perches] revert checkpatch -f changes for wrapped lines with long
           symbols.
      
      v5:
      
      Address review comments:
      
       - [Jiri] include Jiri's s/swdev/switchdev rename patches up front.
       - [Jiri] squash some patches.  Now setlink/dellink/getlink patches are in
           three parts: new implementation, convert drivers to new, delete old impl.
       - [Jiri] some minor variable renames
       - [Jiri] use BUG_ON rather than WARN when COMMIT phase fails when PREPARE
           phase said it was safe to come into the water.
       - [Simon] rocker: fix a few transaction prepare-commit cases that were wrong.
           This was the bulk of the changes in v5.
      
      v4:
      
      Well, it was a lot of work, but now prepare-commit transaction model is how
      davem advises: if prepare fails, abort the transaction.  The driver must do
      resource reservations up front in prepare phase and return those resources if
      aborting.  Commit phase would use reserved resources.  The good news is the
      driver code (for rocker) now handles resource allocation failures better by not
      leaving partial device or driver states.  This is a side-effect of the
      prepare phase where state isn't modified; only validation of inputs and
      resource reservations happen in the prepare phase.  Since we're supporting
      setting attrs and add objs across lower devs in the stacked case, we need to
      hold rtnl_lock (or ensure rtnl_lock is held) so lower devs don't move on us
      during the prepare-commit transaction.  DSA driver code skips the prepare phase
      and goes straight for the commit phase since no up-front allocations are done
      and no device failures (that could be detected in the prepare phase) can
      happen.
      
      Remove NETIF_F_HW_SWITCH_OFFLOAD from rocker and the swdev_attr_set/get
      wrappers.  DSA doesn't set NETIF_F_HW_SWITCH_OFFLOAD, so it can't be in
      swdev_attr_set/get.  rocker doesn't need it; or rather can't support
      NETIF_F_HW_SWITCH_OFFLOAD being set/cleared at run-time after the device
      port is already up and offloading L2/L3.  NETIF_F_HW_SWITCH_OFFLOAD is still
      left as a feature flag for drivers that can use it.
      
      Drop the renaming patch for netdev_switch_notifier.  Other renames are a
      result of moving to the attr get/set or obj add/del model.  Everything
      but the netdev_switch_notifier is still prefixed with "swdev_".
      
      v3:
      
      Move to two-phase prepare-commit transaction model for attr set and obj add.
      Driver gets a chance in prepare phase to NACK transaction if lack of resources
      or support in device.
      
      v2:
      
      Address review comments:
      
       - [Jiri] squash a few related patches
       - [Roopa] don't remove NETIF_F_HW_SWITCH_OFFLOAD
       - [Roopa] address VLAN setlink/dellink
       - [Ronen] print warning if attr set revert fails
      
      Not addressed:
      
       - Using something other than "swdev_" prefix
       - Vendor extensions
      
      The patch set grew a bit to not only support port attr get/set but also add
      support for port obj add/del.  Example of port objs are VLAN, FDB entries, and
      FIB entries.  The VLAN support now allows the swdev driver to get VLAN ranges
      and flags like PVID and "untagged".  Sridhar will be adding FDB obj support
      in follow-on patch.
      
      v1:
      
      The main theme of this patch set is to cleanup swdev in preparation for
      new features or fixes to be added soon.  We have a pretty good idea now how
      to handle stacked drivers in swdev, but there were some loose ends.  For
      example, if a set failed in the middle of walking the lower devs, we would
      leave the system in an undefined state...there was no way to recover back to
      the previous state.  Speaking of sets, also recognize a pattern that most
      swdev API accesses are gets or sets of port attributes, so go ahead and make
      port attr get/set the central swdev API, and convert everything that is
      set-ish/get-ish to this new API.
      
      Features/fixes that should follow from this cleanup:
      
       - solve the duplicate pkt forwarding issue
       - get/set bridge attrs, like ageing_time, from/to device
       - get/set more bridge port attrs from/to device
      
      There are some rename cleanups tagging along at the end, to give swdev
      consistent naming.
      
      And finally, some much needed updates to the switchdev.txt documentation to
      hopefully capture the state-of-the-art of swdev.  Hopefully, we can do a better
      job keeping this document up-to-date.
      
      Tested with rocker, of course, to make sure nothing functional broke.  There
      are a couple minor tweaks to DSA code for getting switch ID and setting STP
      updates to use new API, but not expecting any breakage there.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
      a62b70dd
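      The prepare-commit transaction described in the merge message above, as an added example in C that is not kernel, switchdev or rocker code: a driver op that only validates and reserves in the PREPARE phase, applies from the reservation in the COMMIT phase, and releases in ABORT, plus a wrapper that walks the stacked lower ports and unwinds every port already prepared when a later one fails. The names (hw_pool, hw_port, port_attr_set, demo), the fixed per-port "need" values and the shared pool are this example's own constructions.

```c
/*
 * Added example, not kernel code: two-phase prepare/commit attribute set
 * across a stack of lower ports. Struct and function names are invented
 * for this illustration; they are not the switchdev or rocker API.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

enum trans_phase { TRANS_PREPARE, TRANS_COMMIT, TRANS_ABORT };

/* Device-wide resource pool shared by all ports (think TCAM entries). */
struct hw_pool {
    int free;
};

struct hw_port {
    const char *name;
    struct hw_pool *pool;
    int need;      /* entries this attribute needs on this port */
    int reserved;  /* taken from the pool in PREPARE, consumed in COMMIT */
    int state;     /* committed attribute value; written only in COMMIT */
};

/*
 * Driver op. PREPARE may fail and must not touch device state; COMMIT uses
 * only what PREPARE reserved and therefore cannot fail; ABORT hands the
 * reservation back. Caller is assumed to hold the equivalent of rtnl_lock so
 * the set of lower ports cannot change between the phases.
 */
static int port_attr_set_op(struct hw_port *p, int attr, enum trans_phase t)
{
    switch (t) {
    case TRANS_PREPARE:
        if (attr < 0)
            return -EINVAL;              /* input validation */
        if (p->pool->free < p->need)
            return -ENOSPC;              /* device lacks resources: NACK */
        p->pool->free -= p->need;        /* reserve, do not apply */
        p->reserved = p->need;
        return 0;
    case TRANS_COMMIT:
        if (p->reserved != p->need)
            abort();                     /* PREPARE said OK but nothing reserved: BUG_ON-style */
        p->state = attr;                 /* apply using reserved resources */
        p->reserved = 0;
        return 0;
    case TRANS_ABORT:
        p->pool->free += p->reserved;    /* give the reservation back */
        p->reserved = 0;
        return 0;
    }
    return -EINVAL;
}

/*
 * Walk all lower ports: PREPARE each in order; on the first failure ABORT the
 * ports already prepared (in reverse) and return the error without having
 * modified any port's state. Only if every PREPARE succeeded is COMMIT run.
 */
int port_attr_set(struct hw_port *ports, int n, int attr)
{
    int i, err;

    for (i = 0; i < n; i++) {
        err = port_attr_set_op(&ports[i], attr, TRANS_PREPARE);
        if (err) {
            while (--i >= 0)
                port_attr_set_op(&ports[i], attr, TRANS_ABORT);
            return err;
        }
    }
    for (i = 0; i < n; i++)
        port_attr_set_op(&ports[i], attr, TRANS_COMMIT);
    return 0;
}

/*
 * Constructed scenario: three stacked ports needing 2, 2 and 1 pool entries.
 * Returns the transaction result and reports the pool and the middle port's
 * state afterwards (the middle port is prepared and then aborted when the
 * third port's PREPARE fails).
 */
int demo(int pool_free, int attr, int *free_after, int *state_after)
{
    struct hw_pool pool = { .free = pool_free };
    struct hw_port ports[3] = {
        { "lower0", &pool, 2, 0, 0 },
        { "lower1", &pool, 2, 0, 0 },
        { "lower2", &pool, 1, 0, 0 },
    };
    int err = port_attr_set(ports, 3, attr);

    *free_after = pool.free;
    *state_after = ports[1].state;
    return err;
}

int main(void)
{
    int f, s;

    printf("pool=5: err=%d free=%d state=%d\n", demo(5, 7, &f, &s), f, s);
    printf("pool=4: err=%d free=%d state=%d\n", demo(4, 7, &f, &s), f, s);
    printf("attr<0: err=%d free=%d state=%d\n", demo(5, -1, &f, &s), f, s);
    return 0;
}
```

      With a pool of 4 entries the third port's PREPARE fails with -ENOSPC, the two ports already prepared are aborted, and the pool is back at 4 with no port state changed, which is the property the message describes: no partially applied device or driver state after a mid-walk failure. A driver that does no up-front allocation, like the DSA case mentioned above, can skip PREPARE and go straight to COMMIT because there is nothing for PREPARE to catch.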
    • switchdev: bring documentation up-to-date · 4ceec22d
      Scott Feldman authored
      Much needed update of switchdev documentation to cover what's been
      implemented to-date.  There are some XXX comments in the text for
      unimplemented or broken items.  I'd like to keep these in there (poor-man's
      TODO list) and update the document once each issue is resolved.
      Signed-off-by: Scott Feldman <sfeldma@gmail.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      4ceec22d
    • rocker: make checkpatch -f clean · 4725ceb9
      Scott Feldman authored
      Well almost clean: ignore the CHECKs for space after cast operator and some
      longer-than-80 char cases where for readability it's better to keep as-is.
      Signed-off-by: Scott Feldman <sfeldma@gmail.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      4725ceb9
    • switchdev: remove NETIF_F_HW_SWITCH_OFFLOAD feature flag · 7889cbee
      Scott Feldman authored
      Roopa said remove the feature flag for this series and she'll work on
      bringing it back if needed at a later date.
      Signed-off-by: Scott Feldman <sfeldma@gmail.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      7889cbee
    • switchdev: convert fib_ipv4_add/del over to switchdev_port_obj_add/del · 58c2cb16
      Scott Feldman authored
      The IPv4 FIB ops convert nicely to the switchdev objs and we're left with
      only four switchdev ops: port get/set and port add/del.  Other objs will
      follow, such as FDB.  So go ahead and convert IPv4 FIB over to switchdev
      obj for consistency, anticipating more objs to come.
      Signed-off-by: Scott Feldman <sfeldma@gmail.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      58c2cb16
    • switchdev: add new switchdev_port_bridge_getlink · 8793d0a6
      Scott Feldman authored
      Like bridge_setlink, add switchdev wrapper to handle bridge_getlink and
      call into port driver to get port attrs.  For now, only BR_LEARNING and
      BR_LEARNING_SYNC are returned.  To add more, we'll probably want to break
      away from ndo_dflt_bridge_getlink() and build the netlink skb directly in
      the switchdev code.
      Signed-off-by: Scott Feldman <sfeldma@gmail.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      8793d0a6
    • bridge: revert br_dellink change back to original · 8508025c
      Scott Feldman authored
      This is a revert of:
      
      commit 68e331c7 ("bridge: offload bridge port attributes to switch asic
      if feature flag set")
      
      Restore br_dellink back to original and don't call into SELF port driver.
      rtnetlink.c:bridge_dellink() already does a call into port driver for SELF.
      
      bridge vlan add/del cmd defaults to MASTER.  From man page for bridge vlan
      add/del cmd:
      
             self   the vlan is configured on the specified physical device.
                    Required if the device is the bridge device.
      
             master the vlan is configured on the software bridge (default).
      Signed-off-by: Scott Feldman <sfeldma@gmail.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      8508025c
    • switchdev: remove unused switchdev_port_bridge_dellink · 87a5dae5
      Scott Feldman authored
      Now we can remove old wrappers for dellink.
      Signed-off-by: Scott Feldman <sfeldma@gmail.com>
      Acked-by: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      87a5dae5