This series aligns vti(6) handling of non-df IPv4 packets exceeding
the size of the tunnel MTU to avoid sending "Frag needed" and instead
fragment the packets after encapsulation.
Eyal Birger (2):
vti: fix ipv4 pmtu check to honor ip header df
vti6: fix ipv4 pmtu check to honor ip
Frag needed should only be sent if the header enables DF.
This fix allows packets larger than MTU to pass the vti interface
and be fragmented after encapsulation, aligning behavior with
non-vti xfrm.
Fixes: d6af1a31cc72 ("vti: Add pmtu handling to vti_xmit.")
Signed-off-by: Eyal Birger
Frag needed should only be sent if the header enables DF.
This fix allows IPv4 packets larger than MTU to pass the vti6 interface
and be fragmented after encapsulation, aligning behavior with
non-vti6 xfrm.
Fixes: ccd740cbc6e0 ("vti6: Add pmtu handling to vti6_xmit.")
Signed-off-by: E
Hi Vinš,
On Tue, Feb 23, 2021 at 9:52 PM Vinš Karel wrote:
>
> Hello,
>
> I would like to ask you for help or advice.
>
> I'm testing setup with higher number of XFRM interfaces and I'm facing
> throughput degradation with a growing number of created XFRM interfaces - not
> concurrent tunnels e
Hi,
On Tue, Feb 23, 2021 at 5:18 PM Sabrina Dubroca wrote:
>
> 2021-02-20, 15:01:15 +0200, Eyal Birger wrote:
> > Frag needed should only be sent if the header enables DF.
> >
> > This fix allows packets larger than MTU to pass the xfrm interface
> > and be
Frag needed should only be sent if the header enables DF.
This fix allows packets larger than MTU to pass the xfrm interface
and be fragmented after encapsulation, aligning behavior with
non-interface xfrm.
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: E
Frag needed should only be sent if the header enables DF.
This fix allows packets larger than MTU to pass the xfrm interface
and be fragmented after encapsulation, aligning behavior with
non-interface xfrm.
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: E
Hi,
On Sat, Feb 6, 2021 at 4:52 AM Willem de Bruijn
wrote:
>
> On Fri, Feb 5, 2021 at 5:42 PM Xie He wrote:
> >
> > The "dev_has_header" function, recently added in
> > commit d549699048b4 ("net/packet: fix packet receive on L3 devices
> > without visible hard header"),
> > is more accurate as c
Underlying xfrm output supports gso packets.
Declare support in hw_features and adapt the xmit MTU check to pass GSO
packets.
Signed-off-by: Eyal Birger
---
net/xfrm/xfrm_interface.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_interface.c b/net
Hi Steffen,
On Mon, Jan 4, 2021 at 10:44 AM Steffen Klassert
wrote:
>
> On Wed, Dec 23, 2020 at 09:15:38AM +0200, Eyal Birger wrote:
> > Underlying xfrm output supports gso packets.
> > Declare support in hw_features and adapt the xmit MTU check to pass GSO
> > packet
Hi Steffen,
On Mon, Dec 7, 2020 at 11:55 AM Steffen Klassert
wrote:
>
> On Fri, Nov 27, 2020 at 02:32:44PM +0200, Eyal Birger wrote:
> > Hi Steffen,
> >
> > On Fri, Nov 27, 2020 at 11:44 AM Steffen Klassert
> > wrote:
> > >
> > > On Sat, Nov
as if_id != 0.
Similarly it's unlikely for the 'no policy exists on net' check to yield
any performance benefits when invoked from xfrmi.
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Eyal Birger
---
net/xfrm/xfrm_policy.c | 4 ++--
1 file ch
Underlying xfrm output supports gso packets.
Declare support in hw_features and adapt the xmit MTU check to pass GSO
packets.
Signed-off-by: Eyal Birger
---
net/xfrm/xfrm_interface.c | 10 +-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/net/xfrm/xfrm_interface.c b/net
Hi Nicolas,
On Thu, Dec 10, 2020 at 1:10 PM Nicolas Dichtel
wrote:
>
> Le 09/12/2020 à 15:40, Eyal Birger a écrit :
> > Hi Phil,
> >
> > On Tue, Dec 8, 2020 at 8:51 PM Phil Sutter wrote:
> >>
> >> Hi Eyal,
> >>
> >> On Tue, Dec 08, 20
Hi Phil,
On Tue, Dec 8, 2020 at 8:51 PM Phil Sutter wrote:
>
> Hi Eyal,
>
> On Tue, Dec 08, 2020 at 04:47:02PM +0200, Eyal Birger wrote:
> > On Mon, Dec 7, 2020 at 4:07 PM Phil Sutter wrote:
> > >
> > > With an IPsec tunnel without dedicated interface, ne
Hi Phil,
On Mon, Dec 7, 2020 at 4:07 PM Phil Sutter wrote:
>
> With an IPsec tunnel without dedicated interface, netfilter sees locally
> generated packets twice as they exit the physical interface: Once as "the
> inner packet" with IPsec context attached and once as the encrypted
> (ESP) packet.
Hi Steffen,
On Fri, Nov 27, 2020 at 11:44 AM Steffen Klassert
wrote:
>
> On Sat, Nov 21, 2020 at 04:28:23PM +0200, Eyal Birger wrote:
> > This commit adds support for 'collect_md' mode on xfrm interfaces.
> >
> > Each net can have one collect_m
by xfrmi_decode_session()
is changed to keep the details of the if_id extraction tucked away
in xfrm_interface.c.
Signed-off-by: Eyal Birger
---
include/net/xfrm.h | 11 +++-
include/uapi/linux/if_link.h | 1 +
net/xfrm/xfrm_input.c| 7 ++-
net/xf
device hard header - via dev_hard_header() - by upper layers, and does
not exist in these L3 devices.
As this predicate may be useful in other situations, add it as a common
dev_has_header() helper in netdevice.h.
Fixes: b9fcf0a0d826 ("Merge branch 'support-AF_PACKET-for-layer-3-devic
device hard header - via dev_hard_header() - by upper layers, and does
not exist in these L3 devices.
As this predicate may be useful in other situations, add it as a common
dev_has_header() helper in netdevice.h.
Fixes: b9fcf0a0d826 ("Merge branch 'support-AF_PACKET-for-layer-3-devic
device hard header - via dev_hard_header() - by upper layers, and does
not exist in these L3 devices.
Fixes: b9fcf0a0d826 ("Merge branch 'support-AF_PACKET-for-layer-3-devices'")
Signed-off-by: Eyal Birger
---
net/packet/af_packet.c | 28
1 file chang
Used for tracking neighbour table overflows.
Signed-off-by: Eyal Birger
---
ip/ipntable.c | 5 +
1 file changed, 5 insertions(+)
diff --git a/ip/ipntable.c b/ip/ipntable.c
index ddee4905..b5b06a3b 100644
--- a/ip/ipntable.c
+++ b/ip/ipntable.c
@@ -517,6 +517,11 @@ static void
On Mon, Sep 21, 2020 at 7:30 PM Jesper Dangaard Brouer
wrote:
>
> On Mon, 21 Sep 2020 17:08:17 +0200
> Daniel Borkmann wrote:
>
> > On 9/21/20 2:49 PM, Jesper Dangaard Brouer wrote:
> > > On Mon, 21 Sep 2020 11:37:18 +0100
> > > Lorenz Bauer wrote:
> > >> On Sat, 19 Sep 2020 at 00:06, Maciej Żen
The xfrmi context exists in the netdevice priv context.
Avoid looking for it in a separate list.
Signed-off-by: Eyal Birger
---
net/xfrm/xfrm_interface.c | 23 +--
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm
16384 163848.00 221.77
After this patchset there was no observed change after adding the
xfrmi interfaces.
Eyal Birger (2):
xfrm interface: avoid xi lookup in xfrmi_decode_session()
xfrm interface: store xfrmi contexts in a hash by if_id
net/xfrm/xfrm_interface.c | 52
xfrmi_lookup() is called on every packet. Using a single list for
looking up if_id becomes a bottleneck when having many xfrm interfaces.
Signed-off-by: Eyal Birger
---
net/xfrm/xfrm_interface.c | 29 -
1 file changed, 20 insertions(+), 9 deletions(-)
diff --git a
licies")
Signed-off-by: Eyal Birger
---
man/man8/ip-xfrm.8 | 8
1 file changed, 8 insertions(+)
diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
index f99f30bb..d717205d 100644
--- a/man/man8/ip-xfrm.8
+++ b/man/man8/ip-xfrm.8
@@ -61,6 +61,8 @@ ip-xfrm \- transform configuration
The XFRMA_IF_ID attribute is set in policies for them to be
associated with an XFRM interface (4.19+).
Add support for getting/deleting policies with this attribute.
For supporting 'deleteall' the XFRMA_IF_ID attribute needs to be
explicitly copied.
Signed-off-by: Eyal Birge
Allow getting/deleting policies which contain an xfrm interface ID.
First patch fixes the man page with regards to the original addition
of IF-ID in ip xfrm operations.
---
v1 -> v2: update man page
Eyal Birger (2):
ip xfrm: update man page on setting/printing XFRMA_IF_ID in
sta
The XFRMA_IF_ID attribute is set in policies for them to be
associated with an XFRM interface (4.19+).
Add support for getting/deleting policies with this attribute.
For supporting 'deleteall' the XFRMA_IF_ID attribute needs to be
explicitly copied.
Signed-off-by: Eyal Birge
Hi Nik,
On Thu, 27 Jun 2019 11:10:44 +0300
Nikolay Aleksandrov wrote:
> Restrict matching only to ip/ipv6 traffic and make sure we can use the
> headers, otherwise matches will be attempted on any protocol which can
> be unexpected by the xt matches. Currently policy supports only
> ipv4/6.
>
>
y for dumping, more
> information is available in the commit message in patch 03
> v2: change patch 02 to set the nfproto only when unspecified and drop
> patch 04 from v1 (Eyal Birger)
>
> Thank you,
> Nikolay Aleksandrov
>
>
> Nikolay Aleksandrov (4):
>
On Wed, 26 Jun 2019 16:45:28 +0300
Nikolay Aleksandrov wrote:
> On 26/06/2019 16:33, Eyal Birger wrote:
> > Hi Nikolay,
> >
> > On Wed, 26 Jun 2019 14:58:52 +0300
> > Nikolay Aleksandrov wrote:
> >
> >> Set the family based on the protocol ot
Hi Nik,
On Wed, 26 Jun 2019 18:56:14 +0300
Nikolay Aleksandrov wrote:
> For NFPROTO_UNSPEC xt_matches there's no way to restrict the matching
> to a specific family, in order to do so we record the user-specified
> family and later enforce it while doing the match.
>
> v2: adjust changes to mis
Hi Nikolay,
On Wed, 26 Jun 2019 14:58:52 +0300
Nikolay Aleksandrov wrote:
> Set the family based on the protocol otherwise protocol-neutral
> matches will have wrong information (e.g. NFPROTO_UNSPEC). In
> preparation for using NFPROTO_UNSPEC xt matches.
>
> Signed-off-by: Nikolay Aleksandro
Hi Jamal, John,
On Tue, 25 Jun 2019 07:24:37 -0400
Jamal Hadi Salim wrote:
> On 2019-06-25 5:06 a.m., John Hurley wrote:
> > On Tue, Jun 25, 2019 at 9:30 AM Eyal Birger
> > wrote:
>
> > I'm not sure on the history of why a value of 4 was selected here
> >
Hi John,
On Mon, 24 Jun 2019 23:13:36 +0100
John Hurley wrote:
> TC hooks allow the application of filters and actions to packets at
> both ingress and egress of the network stack. It is possible, with
> poor configuration, that this can produce loops whereby an ingress
> hook calls a mirred egr
and older versions.
Fixes: dd29621578d2 ("tc: add em_ipt ematch for calling xtables matches from tc
matching context")
Signed-off-by: Eyal Birger
---
include/xtables.h | 30 ++
1 file changed, 30 insertions(+)
diff --git a/include/xtables.h b/include/xtab
Hi Stephen,
On Thu, 4 Apr 2019 10:13:36 -0700
Stephen Hemminger wrote:
> On Thu, 4 Apr 2019 19:07:38 +0300
> Eyal Birger wrote:
>
> > The XFRMA_IF_ID attribute is set in policies/states for them to be
> > associated with an XFRM interface (4.19+).
> >
-off-by: Eyal Birger
---
ip/ipxfrm.c | 8
ip/xfrm_policy.c | 12 +++-
ip/xfrm_state.c | 11 +++
3 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index b153b863..32f56093 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -891,6
Hi Florian,
On Wed, Mar 27, 2019 at 7:31 PM Florian Westphal wrote:
>
> No need for any indirection or abstraction here, both functions
> are pretty much the same and quite small, they also have no external
> dependencies.
>.
> diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
> index ea
Hi Benedict,
On Mon, 14 Jan 2019 11:24:38 -0800
Benedict Wong wrote:
> Fixes 9b42c1f179a6, which changed the default route lookup behavior
> for tunnel mode SAs in the outbound direction to use the skb mark,
> whereas previously mark=0 was used if the output mark was
> unspecified. In mark-based
g context")
>
> Signed-off-by: Syrone Wong
Thanks!
So iiuc there's some other LDFLAG coming after -lxtables on some
platform? sorry about that..
You can add my:
Acked-by: Eyal Birger
Eyal.
Hi,
On Mon, 16 Jul 2018 16:39:55 -0700
Cong Wang wrote:
> On Fri, Jul 13, 2018 at 2:55 AM Paolo Abeni wrote:
> >
> > When mirred is invoked from the ingress path, and it wants to
> > redirect the processed packet, it can now use the ACT_REDIRECT
> > action, filling the tcf_result accordingly.
>
at I'm being
> overly cautious in this case. Please let me know your further thoughts
> on whether we need to bump the genid. FYI once this patch is settled,
> I plan to upload a patch to update the xfrm_if_id, which I planned to
> nestle in to this same logic (and with similar, albeit possibly
> more-straightforward rationale).
Thanks so much for the clarification. Indeed there are nuances here and
I appreciate you taking the time to describe them.
FWIW you can add my:
Reviewed-by: Eyal Birger
Thanks!
Eyal.
Hi Nathan,
On Fri, 29 Jun 2018 15:07:10 -0700
Nathan Harold wrote:
> Allow UPDSA to change "set mark" to permit
> policy separation of packet routing decisions from
> SA keying in systems that use mark-based routing.
>
> The set mark, used as a routing and firewall mark
> for outbound packets,
> On 14 Jun 2018, at 15:01, William Tu wrote:
>
> Make the printing of bpf xfrm tunnel better and
> cleanup xfrm state and policy when xfrm test finishes.
Yeah the ‘tee’ was useful when developing the test - I could see what’s going
on :)
Now that it’s in ‘selftests’ it’s definitely better
When setting the skb->dst before doing the MTU check, the route PMTU
caching and reporting is done on the new dst which is about to be
released.
Instead, PMTU handling should be done using the original dst.
This is aligned with IPv4 VTI.
Signed-off-by: Eyal Birger
Fixes: ccd740cbc6 ("v
Hi Nathan,
On Wed, 9 May 2018 13:46:26 -0700
Nathan Harold wrote:
> Allow UPDSA to change output_mark to permit
> policy separation of packet routing decisions from
> SA keying in systems that use mark-based routing.
>
> In the output_mark, used as a routing and firewall
> mark for outbound pa
d; it can be further extended by adding elements to
its end - indicating the populated fields by the 'size' argument -
keeping backwards compatibility.
Typical usage:
struct bpf_xfrm_state x = {};
bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0);
...
Signed-off-by: Eyal Birger
Add a test for fetching xfrm state parameters from a tc program running
on ingress.
Signed-off-by: Eyal Birger
---
samples/bpf/tcbpf2_kern.c | 16 +++
samples/bpf/test_tunnel_bpf.sh| 71 +++
tools/include/uapi/linux/bpf.h
te in network byte order
following suggestion from Alexei Starovoitov
v2:
- Fixed two comments by Daniel Borkmann:
- disallow reserved flags in helper call
- avoid compiling in helper code when CONFIG_XFRM is off
Eyal Birger (2):
bpf: add helper for getting xfrm states
samples/bpf: e
Hi,
On Wed, 18 Apr 2018 15:31:03 -0700
Alexei Starovoitov wrote:
> On Thu, Apr 19, 2018 at 12:58:22AM +0300, Eyal Birger wrote:
> > This commit introduces a helper which allows fetching xfrm state
> > parameters by eBPF programs attached to TC.
> >
> > Prototype:
>
On Wed, 18 Apr 2018 22:59:27 +0200
Daniel Borkmann wrote:
> On 04/17/2018 06:48 AM, Eyal Birger wrote:
> > This commit introduces a helper which allows fetching xfrm state
> > parameters by eBPF programs attached to TC.
> >
> > Prototype:
> > bpf_skb_get_xfrm_s
d; it can be further extended by adding elements to
its end - indicating the populated fields by the 'size' argument -
keeping backwards compatibility.
Typical usage:
struct bpf_xfrm_state x = {};
bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0);
...
Signed-off-by: Eyal Birger
Add a test for fetching xfrm state parameters from a tc program running
on ingress.
Signed-off-by: Eyal Birger
---
samples/bpf/tcbpf2_kern.c | 15 +++
samples/bpf/test_tunnel_bpf.sh| 71 +++
tools/include/uapi/linux/bpf.h
kmann:
- disallow reserved flags in helper call
- avoid compiling in helper code when CONFIG_XFRM is off
Eyal Birger (2):
bpf: add helper for getting xfrm states
samples/bpf: extend test_tunnel_bpf.sh with xfrm state test
include/uapi/linux/bpf.h | 25 ++-
net
d; it can be further extended by adding elements to
its end - indicating the populated fields by the 'size' argument -
keeping backwards compatibility.
Typical usage:
struct bpf_xfrm_state x = {};
bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0);
...
Signed-off-by: Eyal Birger
Add a test for fetching xfrm state parameters from a tc program running
on ingress.
Signed-off-by: Eyal Birger
---
samples/bpf/tcbpf2_kern.c | 15 +++
samples/bpf/test_tunnel_bpf.sh| 71 +++
tools/include/uapi/linux/bpf.h
es of the state; This struct
can be extended in the future to provide additional state information.
The second patch adds a test example in test_tunnel_bpf.sh. The sample
validates the correct extraction of state information by the eBPF program.
---
Eyal Birger (2):
bpf: add helper for getting
This patchset extends tc to support the ipt ematch.
The first patch adds the ability for ematch cmdline parsers
to receive argc,argv parameters.
The second patch adds the em_ipt module.
Eyal Birger (2):
tc: ematch: add parse_eopt_argv() method for providing ematches with
argv parameters
ematch uses YACC to parse ematch arguments and places them in struct bstr
linked lists.
It is useful to be able to receive parameters as argc,argv in order to use
getopt (and alike) argument parsers.
Signed-off-by: Eyal Birger
---
tc/m_ematch.c | 27 ++-
tc/m_ematch.h
--dir in --pol ipsec --reqid 1)' \
action drop
This is the user-space counterpart of kernel commit ccc007e4a746
("net: sched: add em_ipt ematch for calling xtables matches")
Signed-off-by: Eyal Birger
---
etc/iproute2/ematch_map | 1 +
man/man8/tc-ematch.8| 15
Hi Pablo,
On Wed, 14 Feb 2018 11:19:40 +0100
Pablo Neira Ayuso wrote:
> On Wed, Feb 14, 2018 at 10:14:24AM +0200, Eyal Birger wrote:
> > Hi Pablo,
> >
> > On Mon, 15 Jan 2018 13:48:41 +0200
> > Eyal Birger wrote:
> >
> > > On Mon, Jan 15, 2018 a
eded on match.
Signed-off-by: Eyal Birger
---
v3:
- limit supported match to xt_policy and validate parameters
- receive match protocol from userspace
v2:
- Remove skb push/pull and limit functionality to ingress
---
include/uapi/linux/pkt_cls.h | 3 +-
include/uapi/li
Hi Pablo,
On Mon, 15 Jan 2018 13:48:41 +0200
Eyal Birger wrote:
> On Mon, Jan 15, 2018 at 12:57 PM, Pablo Neira Ayuso
> wrote:
> > On Sun, Jan 14, 2018 at 02:47:46PM +0200, Eyal Birger wrote:
> >> On Fri, Jan 12, 2018 at 4:00 PM, Pablo Neira Ayuso
> >> wrote:
Hi Xin Long,
On Tue, 13 Feb 2018 23:18:14 +0800
Xin Long wrote:
> On Tue, Feb 13, 2018 at 6:54 PM, Eyal Birger
> wrote:
> > In setups like the following:
> >
> >Host A --Host B
> > tun0 -- ipsec -- eth0 -- eth0 -- ipsec -- tun0
> &g
undle")
as part of an effort to remove routing garbage collection.
Several approaches for fixing this were discussed in [1]; this commit keeps
track of allocated xdsts and releases their device references on a netdev
unregister/down events.
Signed-off-by: Eyal Birger
Fixes: 52df157f17e5 (&
device references on a netdev
unregister event.
Signed-off-by: Eyal Birger
[1] https://patchwork.ozlabs.org/patch/869025/
---
v2:
- call gc flush from existing netdev notifier per Shannon Nelson's
suggestion.
---
include/net/xfrm.h | 11 +++--
net/xfrm/xfrm_device.c | 2 ++
On Mon, 12 Feb 2018 09:55:48 -0800
Shannon Nelson wrote:
> On 2/12/2018 9:21 AM, Eyal Birger wrote:
> > In setups like the following:
> >
> > Host A --Host B
> > tun0 -- ipsec -- eth0 -- eth0 -- ipsec -- tun0
> >
> > where
device references on a netdev
unregister event.
Signed-off-by: Eyal Birger
[1] https://patchwork.ozlabs.org/patch/869025/
---
include/net/xfrm.h | 10 ++-
net/xfrm/xfrm_policy.c | 81 ++
2 files changed, 84 insertions(+), 7 deletions(-)
diff
On Sun, 11 Feb 2018 16:46:48 +0100
Florian Westphal wrote:
> Eyal Birger wrote:
>
> Sorry for taking so long to respond.
>
> > On Tue, 6 Feb 2018 14:15:09 +0100
> > Florian Westphal wrote:
> >
> > > Steffen Klassert wrote:
> > > >
On Tue, 6 Feb 2018 14:15:09 +0100
Florian Westphal wrote:
> Steffen Klassert wrote:
> > I gave the patch a quick try, but still I get this:
> >
> > unregister_netdevice: waiting for dummy1 to become free. Usage
> > count = 2
>
> Was that with Eyal's setup or the bridge one I posted?
>
> If i
Hi Steffen,
On Tue, 6 Feb 2018 09:53:38 +0100
Steffen Klassert wrote:
> Cc Wei Wang
>
> On Sun, Feb 04, 2018 at 01:21:18PM +0200, Eyal Birger wrote:
> > Hi,
> >
> > We've encountered a non released device reference upon device
> > unregistration whi
On Sun, 4 Feb 2018 13:21:18 +0200
Eyal Birger wrote:
> Hi,
>
> We've encountered a non released device reference upon device
> unregistration which seems to stem from xfrm policy code.
>
> The setup includes:
> - an underlay device (e.g. eth0) using IPv4
> -
upon unregistration.
The following rough sketch patch illustrates an approach overcoming this
issue:
-
From e188dc5295e3500bc59e8780049840afa2eb3e24 Mon Sep 17 00:00:00 2001
From: Eyal Birger
Date: Sun, 4 Feb 2018 13
On Sun, 28 Jan 2018 19:22:12 -0800
Cong Wang wrote:
> On Fri, Jan 26, 2018 at 11:57 AM, Eyal Birger
> wrote:
> > On Fri, Jan 26, 2018 at 8:50 PM, Pablo Neira Ayuso
> > wrote:
> >> Isn't there a way to reject the use of this from ->change()? ie.
&g
On Fri, Jan 26, 2018 at 8:50 PM, Pablo Neira Ayuso wrote:
> On Fri, Jan 26, 2018 at 06:48:53PM +0200, Eyal Birger wrote:
>> diff --git a/net/sched/em_ipt.c b/net/sched/em_ipt.c
>> new file mode 100644
>> index 000..2103b30
>> --- /dev/null
>> +++ b/net/sche
From: Eyal Birger
In order to allow ematches to create their internal state based on the
L3 protocol specified when creating the filter.
Signed-off-by: Eyal Birger
---
include/net/pkt_cls.h | 2 +-
net/sched/em_canid.c | 4 ++--
net/sched/em_ipset.c | 4 ++--
net/sched/em_meta.c | 2
From: Eyal Birger
This module allows performing tc classification based on data structures
and implementations provided by netfilter extensions.
Example use case is classification based on the incoming IPSec policy used
during decapsulation using the 'policy' iptables extension
From: Eyal Birger
The following patchset introduces a new tc ematch for matching using
netfilter matches.
This allows early classification as well as mirroring/redirecting traffic
based on logic implemented in netfilter extensions.
Example use case is classification based on the incoming IPSec
On Thu, Jan 25, 2018 at 2:00 AM, Pablo Neira Ayuso wrote:
> On Wed, Jan 24, 2018 at 04:37:16PM -0500, David Miller wrote:
>> From: Eyal Birger
>> Date: Tue, 23 Jan 2018 11:17:32 +0200
>>
>> > + network_offset = skb_network_offset(skb);
>>
From: Eyal Birger
This module allows performing tc classification based on data structures
and implementations provided by netfilter extensions.
Example use case is classification based on the incoming IPSec policy used
during decapsulation using the 'policy' iptables extension
From: Eyal Birger
In order to allow ematches to create their internal state based on the
L3 protocol specified when creating the filter.
Signed-off-by: Eyal Birger
---
include/net/pkt_cls.h | 2 +-
net/sched/em_canid.c | 4 ++--
net/sched/em_ipset.c | 4 ++--
net/sched/em_meta.c | 2
From: Eyal Birger
The following patchset introduces a new tc ematch for matching using
netfilter matches.
This allows early classification as well as mirroring/redirecting traffic
based on logic implemented in netfilter extensions.
Example use case is classification based on the incoming IPSec
On Tue, Jan 16, 2018 at 8:30 AM, Cong Wang wrote:
> On Fri, Jan 12, 2018 at 4:57 AM, Eyal Birger wrote:
>> +static void em_policy_destroy(struct tcf_ematch *em)
>> +{
>> + const struct xt_policy_info *info = (const void *)em->data;
>> +
>> +
On Mon, Jan 15, 2018 at 12:57 PM, Pablo Neira Ayuso wrote:
> On Sun, Jan 14, 2018 at 02:47:46PM +0200, Eyal Birger wrote:
>> On Fri, Jan 12, 2018 at 4:00 PM, Pablo Neira Ayuso
>> wrote:
>> > On Fri, Jan 12, 2018 at 03:56:21PM +0200, Eyal Birger wrote:
>> >
On Fri, Jan 12, 2018 at 4:00 PM, Pablo Neira Ayuso wrote:
> On Fri, Jan 12, 2018 at 03:56:21PM +0200, Eyal Birger wrote:
>> On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso
>> wrote:
>> > On Fri, Jan 12, 2018 at 02:57:24PM +0200, Eyal Birger wrote:
>> >>
On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso wrote:
> On Fri, Jan 12, 2018 at 02:57:24PM +0200, Eyal Birger wrote:
>> @@ -51,9 +52,9 @@ match_xfrm_state(const struct xfrm_state *x, const struct
>> xt_policy_elem *e,
>> MATCH(reqid, x->props.reqid);
From: Eyal Birger
Allows classification based on the incoming IPSec policy used during
decapsulation.
This allows similar matching capabilities to those provided by netfilter
xt_policy module, and uses the same data structure - but from a tc entry
point.
Signed-off-by: Eyal Birger
---
include
From: Eyal Birger
The following patchset introduces a new tc ematch for matching IPSec
traffic from a tc context.
This allows early classification as well as mirroring/redirecting IPSec
traffic based on decapsulation criteria.
The matching functionality is based on the netfilter xt_policy
From: Eyal Birger
Expose this functionality so it could be usable from a tc classifier.
The rename of match_policy_out() is done for consistency though it is not
exported.
Signed-off-by: Eyal Birger
---
include/net/netfilter/xt_policy.h | 12
net/netfilter/xt_policy.c
Hi David,
On Wed, Oct 4, 2017 at 12:54 AM, David Miller wrote:
> From: Shmulik Ladkani
> Date: Sat, 30 Sep 2017 11:59:09 +0300
>
>> This leads to inconsistencies, depending on order of operations, e.g.:
>
> I don't see any inconsistency. When you insert using NLM_F_EXCL the
> insertion fails if
On Wed, Oct 5, 2016 at 8:23 PM, Jiri Benc wrote:
> On Wed, 5 Oct 2016 17:18:08 +0300, Eyal Birger wrote:
>> I think at this point, 'eth' may point to a freed packet.
>
> It may but how does that matter? eth is not used beyond that point.
Definitely a nit. For sure not cr
Hi,
On Wed, Oct 5, 2016 at 4:07 PM, Jiri Benc wrote:
> diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
> index 4d67ea856067..c47b3da8ecf2 100644
> --- a/net/openvswitch/datapath.c
> +++ b/net/openvswitch/datapath.c
> @@ -594,6 +594,16 @@ static int ovs_packet_cmd_execute(stru