Re: [PATCH net-next 2/3] net: ethernet: mtk_eth_soc: missing mutex

On Tue, Apr 20, 2021 at 01:51:07PM +0200, Frank Wunderlich wrote: > Am 18. April 2021 23:11:44 MESZ schrieb Pablo Neira Ayuso > : > >Patch 2ed37183abb7 ("netfilter: flowtable: separate replace, destroy > >and > >stats to different workqueues") splits the wor

Re: [PATCH net-next 2/3] net: ethernet: mtk_eth_soc: missing mutex

On Mon, Apr 19, 2021 at 02:43:41PM -0700, Jakub Kicinski wrote: > On Mon, 19 Apr 2021 23:40:19 +0200 Pablo Neira Ayuso wrote: > > On Mon, Apr 19, 2021 at 02:16:01PM -0700, Jakub Kicinski wrote: > > > On Sun, 18 Apr 2021 23:11:44 +0200 Pablo Neira Ayuso wrote: > >

Re: [PATCH net-next 2/3] net: ethernet: mtk_eth_soc: missing mutex

On Mon, Apr 19, 2021 at 02:16:01PM -0700, Jakub Kicinski wrote: > On Sun, 18 Apr 2021 23:11:44 +0200 Pablo Neira Ayuso wrote: > > Patch 2ed37183abb7 ("netfilter: flowtable: separate replace, destroy and > > stats to different workqueues") splits the workqueue per event

Re: drivers/net/ethernet/mediatek/mtk_ppe_offload.c - suspicious code?

On Sun, Apr 18, 2021 at 09:02:12PM -0400, Valdis Klētnieks wrote: > While doing some code auditing for -Woverride_init, I spotted some > questionable code > > commit 502e84e2382d92654a2ecbc52cdbdb5a11cdcec7 > Author: Felix Fietkau > Date: Wed Mar 24 02:30:54 2021 +0100 > > net: ethernet:

[PATCH net-next 3/3] net: ethernet: mtk_eth_soc: handle VLAN pop action

Do not hit EOPNOTSUPP when flowtable offload provides a VLAN pop action. Fixes: efce49dfe6a8 ("netfilter: flowtable: add vlan pop action offload support") Signed-off-by: Pablo Neira Ayuso --- efce49dfe6a8 is coming in the nf-next PR for net-next. drivers/net/etherne

[PATCH net-next 2/3] net: ethernet: mtk_eth_soc: missing mutex

nderlich Signed-off-by: Pablo Neira Ayuso --- .../net/ethernet/mediatek/mtk_ppe_offload.c | 19 ++- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/drivers/net/ethernet/mediatek/mtk_ppe_offload.c b/drivers/net/ethernet/mediatek/mtk_ppe_offload.c index 497510

[PATCH net-next 0/3] mtk_ppe_offload fixes

andle FLOW_ACTION_VLAN_POP tag action. Please apply, thanks! Pablo Neira Ayuso (3): net: ethernet: mtk_eth_soc: fix undefined reference to `dsa_port_from_netdev' net: ethernet: mtk_eth_soc: missing mutex net: ethernet: mtk_eth_soc: handle VLAN pop action drivers/net/ethernet/mediat

[PATCH net-next 1/3] net: ethernet: mtk_eth_soc: fix undefined reference to `dsa_port_from_netdev'

Caused by: CONFIG_NET_DSA=m CONFIG_NET_MEDIATEK_SOC=y mtk_ppe_offload.c:undefined reference to `dsa_port_from_netdev' Fixes: 502e84e2382d ("net: ethernet: mtk_eth_soc: add flow offloading support") Reported-by: kernel test robot Signed-off-by: Pablo Neira Ayuso --- drive

[PATCH net-next 14/14] netfilter: nftables: counter hardware offload support

This patch adds the .offload_stats operation to synchronize hardware stats with the expression data. Update the counter expression to use this new interface. The hardware stats are retrieved from the netlink dump path via FLOW_CLS_STATS command to the driver. Signed-off-by: Pablo Neira Ayuso

[PATCH net-next 13/14] selftests: fib_tests: Add test cases for interaction with mangling

passed: 5 Tests failed: 0 Signed-off-by: Ido Schimmel Reviewed-by: David Ahern Signed-off-by: Pablo Neira Ayuso --- tools/testing/selftests/net/fib_tests.sh | 152 ++- 1 file changed, 151 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/net

[PATCH net-next 11/14] netfilter: nftables_offload: special ethertype handling for VLAN

field. Fixes: a82055af5959 ("netfilter: nft_payload: add VLAN offload support") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_offload.c | 44 +++ 1 file changed, 44 insertions(+) diff --git a/net/netfilter/nf_tables_offload.c b/net

[PATCH net-next 09/14] netfilter: nft_payload: fix C-VLAN offload support

- add another struct flow_dissector_key_vlan for C-VLAN - update layer 3 dependency to allow to match on IPv4/IPv6 Fixes: 89d8fd44abfb ("netfilter: nft_payload: add C-VLAN offload support") Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables_offload.h | 1 + net

[PATCH net-next 10/14] netfilter: nftables_offload: VLAN id needs host byteorder in flow dissector

The flow dissector representation expects the VLAN id in host byteorder. Add the NFT_OFFLOAD_F_NETWORK2HOST flag to swap the bytes from nft_cmp. Fixes: a82055af5959 ("netfilter: nft_payload: add VLAN offload support") Signed-off-by: Pablo Neira Ayuso --- include/net

[PATCH net-next 12/14] netfilter: Dissect flow after packet mangling

. Reported-by: Michal Soltys Signed-off-by: Ido Schimmel Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter.c | 2 ++ net/ipv6/netfilter.c | 2 ++ 2 files changed, 4 insertions(+) diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c index 7c841037c533..aff707988e23 100644 --- a/net/ipv4

[PATCH net-next 04/14] netfilter: conntrack: move autoassign_helper sysctl to net_generic data

From: Florian Westphal While at it, make it an u8, no need to use an integer for a boolean. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack.h| 1 + net/netfilter/nf_conntrack_helper.c | 6 -- net/netfilter

[PATCH net-next 02/14] netfilter: flowtable: add vlan pop action offload support

From: wenxu This patch adds vlan pop action offload in the flowtable offload. Signed-off-by: wenxu Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_flow_table_offload.c | 15 +++ 1 file changed, 15 insertions(+) diff --git a/net/netfilter/nf_flow_table_offload.c b/net

[PATCH net-next 07/14] netfilter: conntrack: convert sysctls to u8

line. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netns/conntrack.h | 23 ++ net/netfilter/nf_conntrack_proto_tcp.c | 34 ++-- net/netfilter/nf_conntrack_standalone.c | 42 +++-- 3 files changed, 45

[PATCH net-next 01/14] netfilter: flowtable: add vlan match offload support

From: wenxu This patch adds support for vlan_id, vlan_priority and vlan_proto match for flowtable offload. Signed-off-by: wenxu Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_flow_table.h | 2 ++ net/netfilter/nf_flow_table_offload.c | 37 +++ 2 files

[PATCH net-next 08/14] netfilter: flowtable: Add FLOW_OFFLOAD_XMIT_UNSPEC xmit type

ector path") Signed-off-by: Roi Dayan Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_flow_table.h | 3 ++- net/netfilter/nf_flow_table_core.c| 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/include/net/netfilter/nf_flow_table.h b/include/net

[PATCH net-next 06/14] netfilter: conntrack: move ct counter to net_generic data

makes struct netns_ct read-mostly. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack.h| 2 ++ net/netfilter/nf_conntrack_core.c | 40 + net/netfilter/nf_conntrack_netlink.c| 5 ++-- net/netfilter

[PATCH net-next 05/14] netfilter: conntrack: move expect counter to net_generic data

l also move the conntrack count -- this will make netns_ct a read-mostly structure. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack.h | 1 + net/netfilter/nf_conntrack_core.c| 6 +- net/netfilter/nf_conntrack_expect.c | 22 ++

[PATCH net-next 03/14] netfilter: conntrack: move autoassign warning member to net_generic data

From: Florian Westphal Not accessed in fast path, place this is generic_net data instead. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack.h | 4 net/netfilter/nf_conntrack_helper.c | 9 ++--- 2 files changed, 10 insertions

[PATCH net-next 00/14] Netfilter updates for net-next

netfilter: conntrack: move ct counter to net_generic data netfilter: conntrack: convert sysctls to u8 Ido Schimmel (2): netfilter: Dissect flow after packet mangling selftests: fib_tests: Add test cases for interaction with mangling Pablo Neira Ayuso (4): netfilter

Re: [PATCH net-next v2 1/1] netfilter: flowtable: Add FLOW_OFFLOAD_XMIT_UNSPEC xmit type

On Tue, Apr 13, 2021 at 11:06:05AM +0300, Roi Dayan wrote: > It could be xmit type was not set and would default to FLOW_OFFLOAD_XMIT_NEIGH > and in this type the gc expect to have a route info. > Fix that by adding FLOW_OFFLOAD_XMIT_UNSPEC which defaults to 0. Applied, thanks. diff --git a/net/n

[PATCH net 1/7] netfilter: flowtable: fix NAT IPv6 offload mangling

Fix out-of-bound access in the address array. Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_flow_table_offload.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net

[PATCH net 0/7] Netfilter fixes for net

nft_limit_init Florian Westphal (3): netfilter: bridge: add pre_exit hooks for ebtable unregistration netfilter: arp_tables: add pre_exit hook for table unregister netfilter: x_tables: fix compat match/target pad out-of-bound write Pablo Neira Ayuso (3): netfilter: flowtable

[PATCH net 6/7] netfilter: x_tables: fix compat match/target pad out-of-bound write

eported-by: Andy Nguyen Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/arp_tables.c | 2 ++ net/ipv4/netfilter/ip_tables.c | 2 ++ net/ipv6/netfilter/ip6_tables.c |

[PATCH net 7/7] netfilter: nftables: clone set element expression template

dd elements with stateful expressions") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 46 ++- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index f57f1a6ba9

[PATCH net 5/7] netfilter: arp_tables: add pre_exit hook for table unregister

cause the old nf_hook_unregister API did unconditional synchronize_net. The per-net hook unregister function uses call_rcu instead. Fixes: b9e69e127397 ("netfilter: xtables: don't hook tables by default") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include

[PATCH net 2/7] netfilter: conntrack: do not print icmpv6 as unknown via /proc

/proc/net/nf_conntrack shows icmpv6 as unknown. Fixes: 09ec82f5af99 ("netfilter: conntrack: remove protocol name from l4proto struct") Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_conntrack_standalone.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net

[PATCH net 3/7] netfilter: nft_limit: avoid possible divide error in nft_limit_init

Fixes: c26844eda9d4 ("netfilter: nf_tables: Fix nft limit burst handling") Fixes: 3e0f64b7dd31 ("netfilter: nft_limit: fix packet ratelimiting") Signed-off-by: Eric Dumazet Diagnosed-by: Luigi Rizzo Reported-by: syzbot Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf

[PATCH net 4/7] netfilter: bridge: add pre_exit hooks for ebtable unregistration

off-by: Pablo Neira Ayuso --- include/linux/netfilter_bridge/ebtables.h | 5 ++-- net/bridge/netfilter/ebtable_broute.c | 8 +- net/bridge/netfilter/ebtable_filter.c | 8 +- net/bridge/netfilter/ebtable_nat.c| 8 +- net/bridge/netfilter/ebtables.c

Re: linux-next: build failure after merge of the net-next tree

On Mon, Apr 12, 2021 at 03:04:16PM +1000, Stephen Rothwell wrote: > Hi all, > > After merging the net-next tree, today's linux-next build (x86_64 > allmodconfig) failed like this: > > In file included from include/asm-generic/bug.h:20, > from arch/x86/include/asm/bug.h:93, >

Re: [PATCH net-next 1/1] netfilter: flowtable: Make sure dst_cache is valid before using it

On Mon, Apr 12, 2021 at 11:26:35AM +0300, Roi Dayan wrote: > > > On 2021-04-11 1:58 PM, Pablo Neira Ayuso wrote: > > Hi Roi, > > > > On Sun, Apr 11, 2021 at 11:13:34AM +0300, Roi Dayan wrote: > > > It could be dst_cache was not set so check it's not n

Re: [PATCH net-next 1/1] netfilter: flowtable: Make sure dst_cache is valid before using it

Hi Roi, On Sun, Apr 11, 2021 at 11:13:34AM +0300, Roi Dayan wrote: > It could be dst_cache was not set so check it's not null before using > it. Could you give a try to this fix? net/sched/act_ct.c leaves the xmit_type as FLOW_OFFLOAD_XMIT_UNSPEC since it does not cache a route. Thanks. > Fixe

Re: [PATCH] net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta

meta check should be bypass. > > Fixes: 6d65bc64e232 ("net/mlx5e: Add mlx5e_flower_parse_meta support") > Signed-off-by: wenxu Acked-by: Pablo Neira Ayuso > --- > drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 +++ > 1 file changed, 3 insertions(+) > >

Re: [PATCH net] netfilter: nft_limit: avoid possible divide error in nft_limit_init

On Fri, Apr 09, 2021 at 08:49:39AM -0700, Eric Dumazet wrote: > From: Eric Dumazet > > div_u64() divides u64 by u32. > > nft_limit_init() wants to divide u64 by u64, use the appropriate > math function (div64_u64) > > divide error: [#1] PREEMPT SMP KASAN > CPU: 1 PID: 8390 Comm: syz-execut

[PATCH net-next 27/28] netfilter: conntrack: move ecache dwork to net_generic infra

From: Florian Westphal dwork struct is large (>128 byte) and not needed when conntrack module is not loaded. Place it in net_generic data instead. The struct net dwork member is now obsolete and will be removed in a followup patch. Signed-off-by: Florian Westphal Signed-off-by: Pablo Ne

[PATCH net-next 28/28] net: remove obsolete members from struct net

From: Florian Westphal all have been moved to generic_net infra. On x86_64, this reduces struct net size from 70 to 63 cache lines (4480 to 4032 byte). Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/net_namespace.h | 9 - include/net/netns

[PATCH net-next 26/28] netfilter: conntrack: move sysctl pointer to net_generic infra

From: Florian Westphal No need to keep this in struct net, place it in the net_generic data. The sysctl pointer is removed from struct net in a followup patch. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_conntrack.h| 3 +++ net/netfilter

[PATCH net-next 25/28] netfilter: x_tables: move known table lists to net_generic infra

From: Florian Westphal Will reduce struct net size by 208 bytes. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/x_tables.c | 46 1 file changed, 33 insertions(+), 13 deletions(-) diff --git a/net/netfilter

[PATCH net-next 21/28] netfilter: nf_defrag_ipv6: use net_generic infra

From: Florian Westphal This allows followup patch to remove these members from struct net. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/ipv6/nf_defrag_ipv6.h | 6 ++ net/ipv6/netfilter/nf_conntrack_reasm.c | 68 +++-- net

[PATCH net-next 24/28] netfilter: nf_tables: use net_generic infra for transaction data

Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 11 ++ net/netfilter/nf_tables_api.c | 313 +++--- net/netfilter/nf_tables_offload.c | 30 +-- net/netfilter/nft_chain_filter.c | 11 +- net/netfilter/nft_dynset.c| 6 +- 5

[PATCH net-next 19/28] netfilter: nfnetlink: use net_generic infra

be removed in a followup patch to minimize changes to struct net (causes rebuild for entire network stack). Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nfnetlink.c | 62 +++ 1 file changed, 44 insertions(+), 18 deletions(-

[PATCH net-next 23/28] netfilter: ebtables: use net_generic infra

From: Florian Westphal ebtables currently uses net->xt.tables[BRIDGE], but upcoming patch will move net->xt.tables away from struct net. To avoid exposing x_tables internals to ebtables, use a private list instead. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --

[PATCH net-next 15/28] netfilter: ipvs: do not printk on netns creation

From: Florian Westphal This causes dmesg spew during normal operation, so remove this. Signed-off-by: Florian Westphal Acked-by: Julian Anastasov Reviewed-by: Simon Horman Signed-off-by: Pablo Neira Ayuso --- net/netfilter/ipvs/ip_vs_ftp.c | 2 -- 1 file changed, 2 deletions(-) diff --git

[PATCH net-next 11/28] netfilter: flowtable: dst_check() from garbage collector path

. Fixes: e5075c0badaa ("netfilter: flowtable: call dst_check() to fall back to classic forwarding") Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_flow_table.h | 5 +++- net/netfilter/nf_flow_table_core.c| 37 ++- net/netfilter/nf_flow_

[PATCH net-next 14/28] netfilter: add helper function to set up the nfnetlink header and use it

This patch adds a helper function to set up the netlink and nfnetlink headers. Update existing codebase to use it. Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nfnetlink.h | 27 +++ net/netfilter/ipset/ip_set_core.c| 17 + net/netfilter/nf_conntrack_netlink.c

[PATCH net-next 17/28] netfilter: nftables: remove documentation on static functions

lidate_register_load() - nft_validate_register_store() Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 32 1 file changed, 32 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index edb51c9ebab0..a24de59e6c69 100644

[PATCH net-next 18/28] netfilter: nfnetlink: add and use nfnetlink_broadcast

From: Florian Westphal This removes the only reference of net->nfnl outside of the nfnetlink module. This allows to move net->nfnl to net_generic infra. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/nfnetlink.h | 2 ++ net/netfilter/nfnet

[PATCH net-next 22/28] netfilter: nf_defrag_ipv4: use net_generic infra

From: Florian Westphal This allows followup patch to remove the defrag_ipv4 member from struct net. It also allows to auto-remove the hooks later on by adding a _disable() function. This will be done later in a follow patch series. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira

[PATCH net-next 20/28] netfilter: cttimeout: use net_generic infra

From: Florian Westphal reduce size of struct net and make this self-contained. The member in struct net is kept to minimize changes to struct net layout, it will be removed in a separate patch. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter

[PATCH net-next 16/28] netfilter: nftables: fix a warning message in nf_tables_commit_audit_collect()

ff-by: Dan Carpenter Reviewed-by: Paul Moore Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 005f1c620fc0..edb51c9ebab0 100644 --- a/net

[PATCH net-next 13/28] netfilter: nftables: add helper function to set the base sequence number

This patch adds a helper function to calculate the base sequence number field that is stored in the nfnetlink header. Use the helper function whenever possible. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 23 ++- 1 file changed, 14 insertions(+), 9

[PATCH net-next 09/28] audit: log nftables configuration change events once per table

originally documented in https://github.com/linux-audit/audit-kernel/issues/124 Signed-off-by: Richard Guy Briggs Acked-by: Paul Moore Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 186 +++--- 1 file changed, 103 insertions(+), 83 deletions(-) diff

[PATCH net-next 10/28] netfilter: ipset: Remove duplicate declaration

From: Wan Jiabing struct ip_set is declared twice. One is declared at 79th line, so remove the duplicate. Signed-off-by: Wan Jiabing Acked-by: Jozsef Kadlecsik Signed-off-by: Pablo Neira Ayuso --- include/linux/netfilter/ipset/ip_set.h | 2 -- 1 file changed, 2 deletions(-) diff --git a

[PATCH net-next 08/28] netfilter: nft_log: perform module load from nf_tables

Phil Sutter Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 5 + net/netfilter/nf_log.c| 3 --- net/netfilter/nf_tables_api.c | 5 +++-- net/netfilter/nft_log.c | 20 +++- 4 files changed, 27 inser

[PATCH net-next 12/28] netfilter: nftables: remove unnecessary spin_lock_init()

From: Yang Yingliang The spinlock nf_tables_destroy_list_lock is initialized statically. It is unnecessary to initialize by spin_lock_init(). Reported-by: Hulk Robot Signed-off-by: Yang Yingliang Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 1 - 1 file changed, 1

[PATCH net-next 06/28] netfilter: nf_log_common: merge with nf_log_syslog

From: Florian Westphal Remove nf_log_common. Now that all per-af modules have been merged there is no longer a need to provide a helper module. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_log.h | 24 net/netfilter/Kconfig

[PATCH net-next 07/28] netfilter: nf_log: add module softdeps

. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/xt_LOG.c | 1 + net/netfilter/xt_NFLOG.c | 1 + net/netfilter/xt_TRACE.c | 1 + 3 files changed, 3 insertions(+) diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c index a1e79b517c01..2ff75f7637b0 100644

[PATCH net-next 05/28] netfilter: nf_log_bridge: merge with nf_log_syslog

From: Florian Westphal Provide bridge log support from nf_log_syslog. After the merge there is no need to load the "real packet loggers", all of them now reside in the same module. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_log.h

[PATCH net-next 03/28] netfilter: nf_log_ipv6: merge with nf_log_syslog

From: Florian Westphal This removes the nf_log_ipv6 module, the functionality is now provided by nf_log_syslog. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv6/netfilter/Kconfig | 5 +- net/ipv6/netfilter/Makefile | 3 - net/ipv6/netfilter

[PATCH net-next 02/28] netfilter: nf_log_arp: merge with nf_log_syslog

From: Florian Westphal similar to previous change: nf_log_syslog now covers ARP logging as well, the old nf_log_arp module is removed. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/Kconfig | 5 +- net/ipv4/netfilter/Makefile | 3 - net

[PATCH net-next 04/28] netfilter: nf_log_netdev: merge with nf_log_syslog

From: Florian Westphal Provide netdev family support from the nf_log_syslog module. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/netfilter/Kconfig | 4 -- net/netfilter/Makefile| 3 -- net/netfilter/nf_log_netdev.c | 78

[PATCH net-next 01/28] netfilter: nf_log_ipv4: rename to nf_log_syslog

renames nf_log_ipv4 to nf_log_syslog. Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/Kconfig | 5 +- net/ipv4/netfilter/Makefile | 1 - net/ipv4/netfilter/nf_log_ipv4.c | 395 --- net/netfilter/Kconfig

[PATCH net-next 00/28] Netfilter updates for net-next

known table lists to net_generic infra netfilter: conntrack: move sysctl pointer to net_generic infra netfilter: conntrack: move ecache dwork to net_generic infra net: remove obsolete members from struct net Pablo Neira Ayuso (4): netfilter: flowtable: dst_check() from

Re: [PATCH][next] netfilter: nf_log_bridge: Fix missing assignment of ret on a call to nf_log_register

On Wed, Mar 31, 2021 at 03:26:06PM +0100, Colin King wrote: > From: Colin Ian King > > Currently the call to nf_log_register is returning an error code that > is not being assigned to ret and yet ret is being checked. Fix this by > adding in the missing assignment. Applied, thanks.

Re: [PATCH -next] netfilter: nftables: remove unnecessary spin_lock_init()

On Mon, Mar 29, 2021 at 09:55:41PM +0800, Yang Yingliang wrote: > The spinlock nf_tables_destroy_list_lock is initialized statically. > It is unnecessary to initialize by spin_lock_init(). Applied, thanks.

[PATCH net-next] docs: nf_flowtable: fix compilation and warnings

pdate documentation with enhancements") Reported-by: Stephen Rothwell Signed-off-by: Pablo Neira Ayuso --- Documentation/networking/nf_flowtable.rst | 6 -- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/Documentation/networking/nf_flowtable.rst b/Documentation/

Re: [PATCH net-next,v2 01/24] net: resolve forwarding path from virtual netdevice and HW destination address

Hi, On Thu, Mar 25, 2021 at 12:07:02AM +0800, DENG Qingfang wrote: > On Wed, Mar 24, 2021 at 11:03:54AM +0100, Pablo Neira Ayuso wrote: > > > > For this scenario specifically, it should be possible extend the > > existing flowtable netlink API to allow hostapd to flu

Re: [PATCH net-next,v2 01/24] net: resolve forwarding path from virtual netdevice and HW destination address

On Wed, Mar 24, 2021 at 03:27:11PM +0800, DENG Qingfang wrote: > On Wed, Mar 24, 2021 at 02:30:32AM +0100, Pablo Neira Ayuso wrote: > > This patch adds dev_fill_forward_path() which resolves the path to reach > > the real netdevice from the IP forwarding side. This function takes a

Re: [PATCH nf-next] netfilter: flowtable: separate replace, destroy and stats to different workqueues

Hi Marcelo, On Mon, Mar 22, 2021 at 03:09:51PM -0300, Marcelo Ricardo Leitner wrote: > On Wed, Mar 03, 2021 at 05:11:47PM +0100, Pablo Neira Ayuso wrote: [...] > > Or probably make the cookie unique is sufficient? The cookie refers to > > the memory address but memory can be recycl

[PATCH net-next,v2 24/24] docs: nf_flowtable: update documentation with enhancements

rulesets (preferred syntax). - Describe existing cache limitations. Signed-off-by: Pablo Neira Ayuso --- v2: not coming in v1. Update documentation including existing limitations. Documentation/networking/nf_flowtable.rst | 170 ++ 1 file changed, 143 insertions(+), 27 deleti

[PATCH net-next,v2 22/24] net: ethernet: mtk_eth_soc: add support for initializing the PPE

-by: Pablo Neira Ayuso --- v2: formerly patch #21, now patch #22. drivers/net/ethernet/mediatek/Makefile| 2 +- drivers/net/ethernet/mediatek/mtk_eth_soc.c | 21 +- drivers/net/ethernet/mediatek/mtk_eth_soc.h | 11 + drivers/net/ethernet/mediatek/mtk_ppe.c | 511

[PATCH net-next,v2 23/24] net: ethernet: mtk_eth_soc: add flow offloading support

From: Felix Fietkau This adds support for offloading IPv4 routed flows, including SNAT/DNAT, one VLAN, PPPoE and DSA. Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- v2: formerly, patch #22 now patch #23. drivers/net/ethernet/mediatek/Makefile| 2 +- drivers/net

[PATCH net-next,v2 20/24] dsa: slave: add support for TC_SETUP_FT

flowtable definition in the ruleset refers to the dsa slave port devices. This patch adds the glue code to call ndo_setup_tc with TC_SETUP_FT with the master device via the dsa slave devices. Signed-off-by: Pablo Neira Ayuso --- v2: no changes. net/dsa/slave.c | 20 +++- 1 file

[PATCH net-next,v2 21/24] net: ethernet: mtk_eth_soc: fix parsing packets in GDM

From: Felix Fietkau When using DSA, set the special tag in GDM ingress control to allow the MAC to parse packets properly earlier. This affects rx DMA source port reporting. Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- v2: formely patch #23, now patch #21. drivers/net

[PATCH net-next,v2 13/24] netfilter: flowtable: add dsa support

Replace the master ethernet device by the dsa slave port. Packets coming in from the software ingress path use the dsa slave port as input device. Signed-off-by: Pablo Neira Ayuso --- v2: no changes. net/netfilter/nft_flow_offload.c | 5 + 1 file changed, 5 insertions(+) diff --git a/net

[PATCH net-next,v2 15/24] netfilter: flowtable: add offload support for xmit path types

When the flow tuple xmit_type is set to FLOW_OFFLOAD_XMIT_DIRECT, the dst_cache pointer is not valid, and the h_source/h_dest/ifidx out fields need to be used. This patch also adds the FLOW_ACTION_VLAN_PUSH action to pass the VLAN tag to the driver. Signed-off-by: Pablo Neira Ayuso --- v2: no

[PATCH net-next,v2 12/24] netfilter: flowtable: add pppoe support

Add the PPPoE protocol and session id to the flow tuple using the encap fields to uniquely identify flows from the receive path. For the transmit path, dev_hard_header() on the vlan device push the headers. Signed-off-by: Pablo Neira Ayuso --- v2: rebase on top of net-next. Calculate offset to

[PATCH net-next,v2 17/24] netfilter: flowtable: bridge vlan hardware offload and switchdev

From: Felix Fietkau The switch might have already added the VLAN tag through PVID hardware offload. Keep this extra VLAN in the flowtable but skip it on egress. Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/linux/netdevice.h | 1

[PATCH net-next,v2 16/24] netfilter: nft_flow_offload: use direct xmit if hardware offload is enabled

to the real device. Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/net/netfilter/nf_flow_table.h | 2 ++ net/netfilter/nf_flow_table_core.c| 1 + net/netfilter/nf_flow_table_offload.c | 2 +- net/netfilter/nft_flow_offload.c | 21 +++-- 4 files changed

[PATCH net-next,v2 07/24] netfilter: flowtable: add xmit path types

Add the xmit_type field that defines the two supported xmit paths in the flowtable data plane, which are the neighbour and the xfrm xmit paths. This patch prepares for new flowtable xmit path types to come. Signed-off-by: Pablo Neira Ayuso --- v2: resolve conflicts from rebasing on top of net

[PATCH net-next,v2 18/24] net: flow_offload: add FLOW_ACTION_PPPOE_PUSH

Add an action to represent the PPPoE hardware offload support that includes the session ID. Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/net/flow_offload.h | 4 1 file changed, 4 insertions(+) diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h index

[PATCH net-next,v2 19/24] netfilter: flowtable: support for FLOW_ACTION_PPPOE_PUSH

Add a PPPoE push action if layer 2 protocol is ETH_P_PPP_SES to add PPPoE flowtable hardware offload support. Signed-off-by: Pablo Neira Ayuso --- v2: no changes. net/netfilter/nf_flow_table_offload.c | 15 --- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/net

[PATCH net-next,v2 14/24] selftests: netfilter: flowtable bridge and vlan support

device in the Router1 and one of the sender containers (ns1). Signed-off-by: Pablo Neira Ayuso --- v2: no changes. .../selftests/netfilter/nft_flowtable.sh | 82 +++ 1 file changed, 82 insertions(+) diff --git a/tools/testing/selftests/netfilter/nft_flowtable.sh b/tools

[PATCH net-next,v2 09/24] netfilter: flowtable: use dev_fill_forward_path() to obtain egress device

in a new entry with the correct path. Snooping fdb updates would allow for cleaning up stale flowtable entries. Signed-off-by: Pablo Neira Ayuso --- v2: resolve conflicts from rebasing on top of net-next: dst_check() call for neigh and xfrm xmit types. include/net/netfilter/nf_flow_table.h

[PATCH net-next,v2 08/24] netfilter: flowtable: use dev_fill_forward_path() to obtain ingress device

. - the ingress device that is obtained is not part of the flowtable devices. - this route has a xfrm policy. Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/net/netfilter/nf_flow_table.h | 3 + net/netfilter/nf_flow_table_core.c| 3 +- net/netfilter/nft_flow_offload.c

[PATCH net-next,v2 11/24] netfilter: flowtable: add bridge vlan filtering support

Add the vlan tag based when PVID is set on. Signed-off-by: Pablo Neira Ayuso --- v2: no changes. net/netfilter/nft_flow_offload.c | 12 1 file changed, 12 insertions(+) diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index 8392b1a8108b

[PATCH net-next,v2 03/24] net: bridge: resolve forwarding path for bridge devices

Add .ndo_fill_forward_path for bridge devices. Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/linux/netdevice.h | 1 + net/bridge/br_device.c| 27 +++ 2 files changed, 28 insertions(+) diff --git a/include/linux/netdevice.h b/include/linux

[PATCH net-next,v2 06/24] net: dsa: resolve forwarding path for dsa slave ports

From: Felix Fietkau Add .ndo_fill_forward_path for dsa slave port devices Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/linux/netdevice.h | 5 + net/dsa/slave.c | 16 2 files changed, 21 insertions(+) diff --git a

[PATCH net-next,v2 10/24] netfilter: flowtable: add vlan support

entry which stores the protocol and the tag id. This allows to reuse these fields in the PPPoE support coming in a later patch. Signed-off-by: Pablo Neira Ayuso --- v2: rebase on top of net-next. Calculate offset to layer 3 header from nf_flow_skb_encap_protocol(). Pass offset to build_tuple

[PATCH net-next,v2 01/24] net: resolve forwarding path from virtual netdevice and HW destination address

:cd:ef Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/linux/netdevice.h | 27 +++ net/core/dev.c| 46 +++ 2 files changed, 73 insertions(+) diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h

[PATCH net-next,v2 05/24] net: ppp: resolve forwarding path for bridge pppoe devices

From: Felix Fietkau Pass on the PPPoE session ID, destination hardware address and the real device. Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- v2: no changes. drivers/net/ppp/ppp_generic.c | 22 ++ drivers/net/ppp/pppoe.c | 23

[PATCH net-next,v2 02/24] net: 8021q: resolve forwarding path for vlan devices

ab:cd:ef:ab:cd:ef For packets going through IP forwarding to eth0.100 whose destination MAC address is ab:cd:ef:ab:cd:ef, dev_fill_forward_path() provides the following path: eth0.100 -> eth0 Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/linux/netdevice.h | 7 +++

[PATCH net-next,v2 04/24] net: bridge: resolve forwarding path for VLAN tag actions in bridge devices

path in the lookup context Signed-off-by: Felix Fietkau Signed-off-by: Pablo Neira Ayuso --- v2: no changes. include/linux/netdevice.h | 16 net/8021q/vlan_dev.c | 6 + net/bridge/br_device.c| 23 - net/bridge/br_private.h | 20 +++ net

[PATCH net-next,v2 00/24] netfilter: flowtable enhancements

ng the PPE net: ethernet: mtk_eth_soc: add flow offloading support Pablo Neira Ayuso (17): net: resolve forwarding path from virtual netdevice and HW destination address net: 8021q: resolve forwarding path for vlan devices net: bridge: resolve forwarding path for bridge devices netfilter

[PATCH net-next 10/10] netfilter: nftables: update table flags from the commit phase

Do not update table flags from the preparation phase. Store the flags update into the transaction, then update the flags from the commit phase. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 9 ++--- net/netfilter/nf_tables_api.c | 31

[PATCH net-next 08/10] netfilter: flowtable: call dst_check() to fall back to classic forwarding

In case the route is stale, pass up the packet to the classic forwarding path for re-evaluation and schedule this flow entry for removal. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_flow_table_ip.c | 12 ++-- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/net

[PATCH net-next 07/10] netfilter: flowtable: fast NAT functions never fail

Simplify existing fast NAT routines by returning void. After the skb_try_make_writable() call consolidation, these routines cannot ever fail. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_flow_table.h | 12 +-- net/netfilter/nf_flow_table_core.c| 41 +++ net/netfilter

  1   2   3   4   5   6   7   8   9   10   >