1. 24 Jun, 2016 5 commits
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: add generation mask to chains · 664b0f8c
      Pablo Neira Ayuso authored
      Similar to ("netfilter: nf_tables: add generation mask to tables").
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      664b0f8c
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: add generation mask to tables · f2a6d766
      Pablo Neira Ayuso authored
      This patch addresses two problems:
      
      1) The netlink dump is inconsistent when interfering with an ongoing
         transaction update for several reasons:
      
      1.a) We don't honor the internal NFT_TABLE_INACTIVE flag, and we should
           be skipping these inactive objects in the dump.
      
      1.b) We perform speculative deletion during the preparation phase, that
           may result in skipping active objects.
      
      1.c) The listing order changes, which generates noise when tracking
           incremental ruleset update via tools like git or our own
           testsuite.
      
      2) We don't allow to add and to update the object in the same batch,
         eg. add table x; add table x { flags dormant\; }.
      
      In order to resolve these problems:
      
      1) If the user requests a deletion, the object becomes inactive in the
         next generation. Then, ignore objects that scheduled to be deleted
         from the lookup path, as they will be effectively removed in the
         next generation.
      
      2) From the get/dump path, if the object is not currently active, we
         skip it.
      
      3) Support 'add X -> update X' sequence from a transaction.
      
      After this update, we obtain a consistent list as long as we stay
      in the same generation. The userspace side can detect interferences
      through the generation counter so it can restart the dumping.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      f2a6d766
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: add generic macros to check for generation mask · 889f7ee7
      Pablo Neira Ayuso authored
      Thus, we can reuse these to check the genmask of any object type, not
      only rules. This is required now that tables, chain and sets will get a
      generation mask field too in follow up patches.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      889f7ee7
    • Vishwanath Pai's avatar
      netfilter: xt_NFLOG: nflog-range does not truncate packets · 7643507f
      Vishwanath Pai authored
      li->u.ulog.copy_len is currently ignored by the kernel, we should truncate
      the packet to either li->u.ulog.copy_len (if set) or copy_range before
      sending it to userspace. 0 is a valid input for copy_len, so add a new
      flag to indicate whether this was option was specified by the user or not.
      
      Add two flags to indicate whether nflog-size/copy_len was set or not.
      XT_NFLOG_F_COPY_LEN is for XT_NFLOG and NFLOG_F_COPY_LEN for nfnetlink_log
      
      On the userspace side, this was initially represented by the option
      nflog-range, this will be replaced by --nflog-size now. --nflog-range would
      still exist but does not do anything.
      Reported-by: default avatarJoe Dollard <jdollard@akamai.com>
      Reviewed-by: default avatarJosh Hunt <johunt@akamai.com>
      Signed-off-by: default avatarVishwanath Pai <vpai@akamai.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      7643507f
    • Liping Zhang's avatar
      netfilter: nf_reject_ipv4: don't send tcp RST if the packet is non-TCP · e1dbbc59
      Liping Zhang authored
      In iptables, if the user add a rule to send tcp RST and specify the
      non-TCP protocol, such as UDP, kernel will reject this request. But
      in nftables, this validity check only occurs in nft tool, i.e. only
      in userspace.
      
      This means that user can add such a rule like follows via nfnetlink:
        "nft add rule filter forward ip protocol udp reject with tcp reset"
      
      This will generate some confusing tcp RST packets. So we should send
      tcp RST only when it is TCP packet.
      Signed-off-by: default avatarLiping Zhang <liping.zhang@spreadtrum.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      e1dbbc59
  2. 23 Jun, 2016 8 commits
  3. 07 Jun, 2016 2 commits
  4. 06 Jun, 2016 11 commits
    • David S. Miller's avatar
      Merge branch 'vrf-local' · 2fb7ea45
      David S. Miller authored
      David Ahern says:
      
      ====================
      net: vrf: Add support for local traffic to local addresses
      
      Add support for locally originated traffic to VRF-local addresses,
      be it addresses on enslaved devices or addresses on the VRF device:
      
      $ ip addr show dev red
      33: red: <NOARP,MASTER,UP,LOWER_UP> mtu 65536 qdisc pfifo_fast state UP group default qlen 1000
          link/ether be:00:53:b5:e4:25 brd ff:ff:ff:ff:ff:ff
          inet 1.1.1.1/32 scope global red
             valid_lft forever preferred_lft forever
          inet6 1111:1::1/128 scope global
             valid_lft forever preferred_lft forever
      
      $ ip addr show dev eth1
      3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
          link/ether 02:e0:f9:79:34:bd brd ff:ff:ff:ff:ff:ff
          inet 10.100.1.1/24 brd 10.100.1.255 scope global eth1
             valid_lft forever preferred_lft forever
          inet6 2100:1::1/120 scope global
             valid_lft forever preferred_lft forever
          inet6 fe80::e0:f9ff:fe79:34bd/64 scope link
             valid_lft forever preferred_lft forever
      
      $ ping -c1 -I red 10.100.1.1
          ping: Warning: source address might be selected on device other than red.
          PING 10.100.1.1 (10.100.1.1) from 10.100.1.1 red: 56(84) bytes of data.
          64 bytes from 10.100.1.1: icmp_seq=1 ttl=64 time=0.057 ms
      
      $ ping -c1 -I red 1.1.1.1
      PING 1.1.1.1 (1.1.1.1) from 1.1.1.1 red: 56(84) bytes of data.
      64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.136 ms
      
      --- 1.1.1.1 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 0.136/0.136/0.136/0.000 ms
      
      $ ping6 -c1 -I red  2100:1::1
      ping6: Warning: source address might be selected on device other than red.
      PING 2100:1::1(2100:1::1) from 2100:1::1 red: 56 data bytes
      64 bytes from 2100:1::1: icmp_seq=1 ttl=64 time=0.167 ms
      
      --- 2100:1::1 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 0.167/0.167/0.167/0.000 ms
      
      $ ping6 -c1 -I red 1111::1
      PING 1111::1(1111::1) from 1111:1::1 red: 56 data bytes
      64 bytes from 1111::1: icmp_seq=1 ttl=64 time=0.187 ms
      
      --- 1111::1 ping statistics ---
      1 packets transmitted, 1 received, 0% packet loss, time 0ms
      rtt min/avg/max/mdev = 0.187/0.187/0.187/0.000 ms
      
      This change also enables use of loopback address on the VRF device:
      $ ip addr add dev red 127.0.0.1/8
      
      $ ping -c1 -I red 127.0.0.1
      PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 red: 56(84) bytes of data.
      64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.058 ms
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2fb7ea45
    • David Ahern's avatar
      net: vrf: ipv6 support for local traffic to local addresses · 625b47b5
      David Ahern authored
      Add support for locally originated traffic to VRF-local IPv6 addresses.
      Similar to IPv4 a local dst is set on the skb and the packet is
      reinserted with a call to netif_rx. With this patch, ping, tcp and udp
      packets to a local IPv6 address are successfully routed:
      
          $ ip addr show dev eth1
          4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
              link/ether 02:e0:f9:1c:b9:74 brd ff:ff:ff:ff:ff:ff
              inet 10.100.1.1/24 brd 10.100.1.255 scope global eth1
                 valid_lft forever preferred_lft forever
              inet6 2100:1::1/120 scope global
                 valid_lft forever preferred_lft forever
              inet6 fe80::e0:f9ff:fe1c:b974/64 scope link
                 valid_lft forever preferred_lft forever
      
          $ ping6 -c1 -I red 2100:1::1
          ping6: Warning: source address might be selected on device other than red.
          PING 2100:1::1(2100:1::1) from 2100:1::1 red: 56 data bytes
          64 bytes from 2100:1::1: icmp_seq=1 ttl=64 time=0.098 ms
      
      ip6_input is exported so the VRF driver can use it for the dst input
      function. The dst_alloc function for IPv4 defaults to setting the input and
      output functions; IPv6's does not. VRF does not need to duplicate the Rx path
      so just export the ipv6 input function.
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      625b47b5
    • David Ahern's avatar
      net: vrf: ipv4 support for local traffic to local addresses · 671cd19a
      David Ahern authored
      Add support for locally originated traffic to VRF-local addresses. If
      destination device for an skb is the loopback or VRF device then set
      its dst to a local version of the VRF cached dst_entry and call netif_rx
      to insert the packet onto the rx queue - similar to what is done for
      loopback. This patch handles IPv4 support; follow on patch handles IPv6.
      
      With this patch, ping, tcp and udp packets to a local IPv4 address are
      successfully routed:
      
          $ ip addr show dev eth1
          4: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master red state UP group default qlen 1000
              link/ether 02:e0:f9:1c:b9:74 brd ff:ff:ff:ff:ff:ff
              inet 10.100.1.1/24 brd 10.100.1.255 scope global eth1
                 valid_lft forever preferred_lft forever
              inet6 2100:1::1/120 scope global
                 valid_lft forever preferred_lft forever
              inet6 fe80::e0:f9ff:fe1c:b974/64 scope link
                 valid_lft forever preferred_lft forever
      
          $ ping -c1 -I red 10.100.1.1
          ping: Warning: source address might be selected on device other than red.
          PING 10.100.1.1 (10.100.1.1) from 10.100.1.1 red: 56(84) bytes of data.
          64 bytes from 10.100.1.1: icmp_seq=1 ttl=64 time=0.057 ms
      
      This patch also enables use of IPv4 loopback address on the VRF device:
          $ ip addr add dev red 127.0.0.1/8
      
          $ ping -c1 -I red 127.0.0.1
          PING 127.0.0.1 (127.0.0.1) from 127.0.0.1 red: 56(84) bytes of data.
          64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.058 ms
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      671cd19a
    • David Ahern's avatar
      net: vrf: Minor refactoring for local address patches · 09fcf916
      David Ahern authored
      Move the stripping of the ethernet header from is_ip_tx_frame into the
      ipv4 and ipv6 outbound functions. If the packet is destined to a local
      address the header is retained since the packet is sent back to netif_rx.
      
      Collapse vrf_send_v4_prep into vrf_process_v4_outbound.
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      09fcf916
    • David S. Miller's avatar
      Merge branch 'hv_netvsc-cleanups' · b94eb2ce
      David S. Miller authored
      Vitaly Kuznetsov says:
      
      ====================
      hv_netvsc: cleanup after untangling the pointer mess
      
      Changes since v1:
      - resend when net-next is open [David Miller]
      - rebased to current net-next.
      
      After we made traveling through our internal structures explicit it became
      obvious that some functions take arguments they don't need just to do
      redundant pointer travel and get to what they really need while their
      callers already have the required information.
      
      This is just a cleanup series with no functional changes intended. It
      doesn't pretend to be complete, additional cleanup of other functions may
      follow.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b94eb2ce
    • Vitaly Kuznetsov's avatar
      hv_netvsc: pass struct net_device to rndis_filter_set_offload_params() · 426d9541
      Vitaly Kuznetsov authored
      The only caller rndis_filter_device_add() has 'struct net_device' pointer
      already.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      426d9541
    • Vitaly Kuznetsov's avatar
      hv_netvsc: pass struct net_device to rndis_filter_set_device_mac() · e834da9a
      Vitaly Kuznetsov authored
      We unpack 'struct net_device' in netvsc_set_mac_addr() to get to
      'struct hv_device' pointer which we use in rndis_filter_set_device_mac()
      to get back to 'struct net_device'.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e834da9a
    • Vitaly Kuznetsov's avatar
      hv_netvsc: pass struct netvsc_device to rndis_filter_{open, close}() · 2f5fa6c8
      Vitaly Kuznetsov authored
      Both rndis_filter_open()/rndis_filter_close() use struct hv_device to
      reach to struct netvsc_device only and all callers have it already.
      While on it, rename net_device to nvdev in rndis_filter_open() as
      net_device is misleading.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2f5fa6c8
    • Vitaly Kuznetsov's avatar
      hv_netvsc: introduce {net, hv}_device_to_netvsc_device() helpers · 2625466d
      Vitaly Kuznetsov authored
      Make it easier to get 'struct netvsc_device' from 'struct net_device' and
      'struct hv_device' by introducing inline helpers.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2625466d
    • Vitaly Kuznetsov's avatar
      hv_netvsc: remove redundant assignment in netvsc_recv_callback() · 4baa994d
      Vitaly Kuznetsov authored
      net_device_ctx is assigned in the very beginning of the function and 'net'
      pointer doesn't change.
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4baa994d
    • Michal Kubeček's avatar
      net: disable fragment reassembly if high_thresh is zero · 30759219
      Michal Kubeček authored
      Before commit 6d7b857d ("net: use lib/percpu_counter API for
      fragmentation mem accounting"), setting the reassembly high threshold
      to 0 prevented fragment reassembly as first fragment would be always
      evicted before second could be added to the queue. While inefficient,
      some users apparently relied on this method.
      
      Since the commit mentioned above, a percpu counter is used for
      reassembly memory accounting and high batch size avoids taking slow path
      in most common scenarios. As a result, a whole full sized packet can be
      reassembled without the percpu counter's main counter changing its value
      so that even with high_thresh set to 0, fragmented packets can be still
      reassembled and processed.
      
      Add explicit check preventing reassembly if high threshold is zero.
      Signed-off-by: default avatarMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30759219
  5. 05 Jun, 2016 14 commits