Re: [PATCH] xfrm: Fix oops in xfrm_replay_advance_bmp

On Fri, 18 Dec 2020 16:16:12 +0100 Steffen Klassert wrote: > Applied, thanks a lot Shmulik! Thanks Steffen, please make sure this hits -stable

[PATCH] xfrm: Fix oops in xfrm_replay_advance_bmp

fix, by *always* calling 'recheck()' - irrespective if we're using async crypto. Fixes: 0ebea8ef3559 ("[IPSEC]: Move state lock into x->type->input") Signed-off-by: Shmulik Ladkani --- net/xfrm/xfrm_input.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff

Re: [PATCH net] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list

> > Reviewed-by: Alexander Duyck > > Reviewed-by: Willem de Bruijn Thank you Alexander and Willem. Care to reply with you Reviewed-by tags on the v2 thread? Best, Shmulik

Re: [PATCH net] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list

On Fri, 6 Sep 2019 10:49:55 -0400 Willem de Bruijn wrote: > But I wonder whether it is a given that head_skb has headlen. This is what I observed for GRO packets that do have headlen frag_list members: the 'head_skb' itself had a headlen too, and its head was built using the original gso_size (s

[PATCH v2 net] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list

ore.kernel.org/netdev/9265b93f-253d-6b8c-f2b8-4b54eff18...@fb.com/ [1] https://lore.kernel.org/netdev/CA+FuTSfVsgNDi7c=guu8nmg2hwxf2sjcnlxethevpdnxaw5...@mail.gmail.com/ Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") Suggested-by: Willem de Bruijn Cc: Daniel Borkmann Cc: Eric

Re: [PATCH net] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list

On Thu, 5 Sep 2019 17:51:20 -0400 Willem de Bruijn wrote: > On Thu, Sep 5, 2019 at 2:36 PM Shmulik Ladkani > wrote: > > > > + if (mss != GSO_BY_FRAGS && > > + (skb_shinfo(head_skb)->gso_type & SKB_GSO_DODGY)) { >

Re: [PATCH net] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list

On Thu, 5 Sep 2019 14:49:44 -0700 Alexander Duyck wrote: > I would change the order of the tests you use here so that we can > eliminate the possibility of needing to perform many tests for the > more common cases. You could probably swap "list_skb" and "mss != > GSO_BY_FRAGS" since list_skb is m

[PATCH net] net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list

ore.kernel.org/netdev/9265b93f-253d-6b8c-f2b8-4b54eff18...@fb.com/ [1] https://lore.kernel.org/netdev/CA+FuTSfVsgNDi7c=guu8nmg2hwxf2sjcnlxethevpdnxaw5...@mail.gmail.com/ Fixes: 6578171a7ff0 ("bpf: add bpf_skb_change_proto helper") Suggested-by: Willem de Bruijn Cc: Daniel Borkmann Cc: Eric D

Re: BUG_ON in skb_segment, after bpf_skb_change_proto was applied

On Tue, 3 Sep 2019 12:23:54 -0400 Willem de Bruijn wrote: > This is a lot more code change. Especially for stable fixes that need > to be backported, a smaller patch is preferable. Indeed. Thanks for the feedback. > My suggestion only tested the first frag_skb length. If a list can be > created

Re: BUG_ON in skb_segment, after bpf_skb_change_proto was applied

On Sun, 1 Sep 2019 16:05:48 -0400 Willem de Bruijn wrote: > One quick fix is to disable sg and thus revert to copying in this > case. Not ideal, but better than a kernel splat: > > @@ -3714,6 +3714,9 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, > sg = !!(features & NETIF_F_SG

Re: BUG_ON in skb_segment, after bpf_skb_change_proto was applied

On Sun, 1 Sep 2019 16:05:48 -0400 Willem de Bruijn wrote: > One quick fix is to disable sg and thus revert to copying in this > case. Not ideal, but better than a kernel splat: > > @@ -3714,6 +3714,9 @@ struct sk_buff *skb_segment(struct sk_buff *head_skb, > sg = !!(features & NETIF_F_SG

Re: BUG_ON in skb_segment, after bpf_skb_change_proto was applied

On Tue, 27 Aug 2019 14:10:35 +0200 Daniel Borkmann wrote: > Given first point above wrt hitting rarely, it would be good to first get a > better understanding for writing a reproducer. Back then Yonghong added one > to the BPF kernel test suite [0], so it would be desirable to extend it for > the

[RFC PATCH bpf-next 2/2] test_bpf: Introduce 'gso_linear_no_head_frag' skb_segment test

/110 Signed-off-by: Shmulik Ladkani --- lib/test_bpf.c | 63 ++ 1 file changed, 63 insertions(+) diff --git a/lib/test_bpf.c b/lib/test_bpf.c index 5e80cb3d3ca0..2fe1e3ab3c89 100644 --- a/lib/test_bpf.c +++ b/lib/test_bpf.c @@ -6859,6 +6859,60

[PATCH bpf-next 1/2] test_bpf: Refactor test_skb_segment() to allow testing skb_segment() on numerous different skbs

Currently, test_skb_segment() builds a single test skb and runs skb_segment() on it. Extend test_skb_segment() so it processes an array of numerous skb/feature pairs to test. Signed-off-by: Shmulik Ladkani --- lib/test_bpf.c | 51 -- 1 file

[RFC PATCH bpf-next 0/2] test_bpf: Add an skb_segment test for a linear head_frag=0 skb whose gso_size was mangled

Song Shmulik Ladkani (2): test_bpf: Refactor test_skb_segment() to allow testing skb_segment() on numerous different skbs test_bpf: Introduce 'gso_linear_no_head_frag' skb_segment test lib/test_bpf.c | 112 + 1 file changed, 103

Re: BUG_ON in skb_segment, after bpf_skb_change_proto was applied

On Tue, 27 Aug 2019 14:10:35 +0200 Daniel Borkmann wrote: > Given first point above wrt hitting rarely, it would be good to first get a > better understanding for writing a reproducer. Back then Yonghong added one > to the BPF kernel test suite [0], so it would be desirable to extend it for > the

Re: BUG_ON in skb_segment, after bpf_skb_change_proto was applied

On Mon, 26 Aug 2019 19:47:40 +0200 Eric Dumazet wrote: > On 8/26/19 4:07 PM, Shmulik Ladkani wrote: > > - ipv4 forwarding to dummy1, where eBPF nat4-to-6 program is attached > > at TC Egress (calls 'bpf_skb_change_proto()'), then redirect to ingress > >

[REGRESSION] netfilter: conntrack: Unable to change conntrack accounting of a net namespace via 'nf_conntrack_acct' sysfs

Hi, Prior d912dec12428 ("netfilter: conntrack: merge acct and helper sysctl table with main one") one was able to enable extended accounting within a (non-init) net-namespace by setting: 'net.netfilter.nf_conntrack_acct=1' However since d912dec12428, doing so results in changing init_net's sysct

BUG_ON in skb_segment, after bpf_skb_change_proto was applied

Hi, In our production systems, running v4.19.y longterm kernels, we hit a BUG_ON in 'skb_segment()'. It occurs rarely and although tried, couldn't synthetically reproduce. In v4.19.41 it crashes at net/core/skbuff.c:3711 while (pos < offset + len) { if (i

[PATCH net] ipv4: ip_do_fragment: Preserve skb_iif during fragmentation

m Fix, by preserving skb_iif during 'ip_copy_metadata'. Signed-off-by: Shmulik Ladkani --- net/ipv4/ip_output.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 4e42c1974ba2..ac880beda8a7 100644 --- a/net/ipv4/ip_output.c +++ b/net/ip

[PATCH net] ipv6: sr: properly initialize flowi6 prior passing to ip6_route_output

In 'seg6_output', stack variable 'struct flowi6 fl6' was missing initialization. Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") Signed-off-by: Shmulik Ladkani --- Suggeting this fix, spotted during code review

Re: [PATCH iproute2-next] iproute_lwtunnel: allow specifying 'src' for 'encap ip' / 'encap ip6'

Hi, On Fri, 17 Aug 2018 08:00:22 -0700 Stephen Hemminger wrote: > If you accept an attribute on input you need to parse it and display it the > same way in the show command. Note print_encap_ip and print_encap_ip6 already handle LWTUNNEL_IP_SRC and LWTUNNEL_IP6_SRC (since long ago, 1e5293056 an

[PATCH iproute2-next] iproute_lwtunnel: allow specifying 'src' for 'encap ip' / 'encap ip6'

This allows the user to specify the LWTUNNEL_IP_SRC/LWTUNNEL_IP6_SRC when setting an lwtunnel encapsulation route. Signed-off-by: Shmulik Ladkani --- ip/iproute_lwtunnel.c | 22 -- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/ip/iproute_lwtunnel.c b/ip

[PATCH net-next] ip6_tunnel: collect_md xmit: Use ip_tunnel_key's provided src address

, ip6_tnl_xmit uses existing saddr selection code. Signed-off-by: Shmulik Ladkani Reviewed-by: Eyal Birger Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnels") --- net/ipv6/ip6_tunnel.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net

Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns

On Thu, 15 Mar 2018 09:35:51 -0700 (PDT) Liran Alon wrote: > - shmulik.ladk...@gmail.com wrote: > > > On Thu, 15 Mar 2018 08:01:03 -0700 (PDT) Liran Alon > > wrote: > > > > > > I still think that default behavior should be to zero skb->mark only > > when skb > > > cross netdevs in di

Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns

On Thu, 15 Mar 2018 08:01:03 -0700 (PDT) Liran Alon wrote: > > I still think that default behavior should be to zero skb->mark only when skb > cross netdevs in different netns. But the previous default was scrub the mark in *both* xnet and non-xnet situations. Therefore, there might be users w

Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns

On Thu, 15 Mar 2018 16:13:39 +0100 Daniel Borkmann wrote: > On 03/15/2018 01:50 PM, Shmulik Ladkani wrote: > > > > It would be beneficial to have the mark preserved when skb is injected > > to the slave device's rx path (especially when it's on the same netns).

Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns

Hi, On Thu, 15 Mar 2018 12:56:13 +0100 Daniel Borkmann wrote: > On 03/15/2018 10:21 AM, Shmulik Ladkani wrote: > > > > Regarding veth xmit, it does makes sense to preserve the fields if not > > crossing netns. This is also the case when one uses tc mirred. > > >

Re: [PATCH] net: dev_forward_skb(): Scrub packet's per-netns info only when crossing netns

Hi, On Tue, 13 Mar 2018 17:07:22 +0200 Liran Alon wrote: > Before this commit, dev_forward_skb() always cleared packet's > per-network-namespace info. Even if the packet doesn't cross > network namespaces. > > The comment above dev_forward_skb() describes that this is done > because the receivin

Re: [Q] Unable to load SCHED_CLS/SCHED_ACT bpf programs from outside init_user_ns

Hi, On Sat, 10 Feb 2018 14:08:58 +0100 Daniel Borkmann wrote: > Hi Shmulik, > > On 02/10/2018 08:46 AM, Shmulik Ladkani wrote: > > Hi, > > > > Apparently one cannot use TC cls_bpf/act_bpf if running from a user ns > > other than the init_user_ns, as bpf_

[Q] Unable to load SCHED_CLS/SCHED_ACT bpf programs from outside init_user_ns

Hi, Apparently one cannot use TC cls_bpf/act_bpf if running from a user ns other than the init_user_ns, as bpf_prog_load does not permit loading these type of progs, snip: if (type != BPF_PROG_TYPE_SOCKET_FILTER && type != BPF_PROG_TYPE_CGROUP_SKB && !capable(CAP_S

[PATCH iproute2 net-next] ip: link_ip6tnl.c/ip6tunnel.c: Support IP6_TNL_F_ALLOW_LOCAL_REMOTE flag

From: Shmulik Ladkani IP6_TNL_F_ALLOW_LOCAL_REMOTE allows tunnel traffic on ip6tnl devices where the remote endpoint is a local host address. Specifying "[no]allow-localremote" controls the IP6_TNL_F_ALLOW_LOCAL_REMOTE flag on ip6tnl interfaces. This is the user-space counterpart

[PATCH net-next] ip6_tunnel: Allow rcv/xmit even if remote address is a local address

From: Shmulik Ladkani Currently, ip6_tnl_xmit_ctl drops tunneled packets if the remote address (outer v6 destination) is one of host's locally configured addresses. Same applies to ip6_tnl_rcv_ctl: it drops packets if the remote address (outer v6 source) is a local address. This prevents

[PATCH v2] netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'

From: Shmulik Ladkani Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introduced support for attaching an eBPF object by an fd, with the 'bpf_mt_check_v1' ABI expecting the '.fd' to be specified upon each IPT_SO_SET_REPLACE call. However this br

Re: [PATCH net] net: fib_rules: Fix fib_rules_ops->compare implementations to support exact match

Hi David, On Tue, 03 Oct 2017 14:54:18 -0700 (PDT) David Miller wrote: > From: Shmulik Ladkani > Date: Sat, 30 Sep 2017 11:59:09 +0300 > > > This leads to inconsistencies, depending on order of operations, e.g.: > > I don't see any inconsistency. When you i

[PATCH] netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'

From: Shmulik Ladkani Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introduced support for attaching an eBPF object by an fd, with the 'bpf_mt_check_v1' ABI expecting the '.fd' to be specified upon each IPT_SO_SET_REPLACE call. However this br

Re: [PATCH net] net: fib_rules: Fix fib_rules_ops->compare implementations to support exact match

Hi David, On Tue, 03 Oct 2017 14:54:18 -0700 (PDT) David Miller wrote: > I don't see any inconsistency. When you insert using NLM_F_EXCL the > insertion fails if any existing rule matches or overlaps in any way > with the keys in the new rule. Please note that current situation is as follows:

[PATCH net] net: fib_rules: Fix fib_rules_ops->compare implementations to support exact match

From: Shmulik Ladkani Commit 153380ec4b9b ("fib_rules: Added NLM_F_EXCL support to fib_nl_newrule") added a check to 'fib_nl_newrule' that tests whether the suggested rule already exists (i.e. has same properties). The check uses fib_rules_ops->compare() method to compar

netfilter: xt_bpf: ABI issue in xt_bpf_info_v1?

Hi, Commit 2c16d60 'netfilter: xt_bpf: support ebpf' introduced 'xt_bpf_info_v1', to support attaching an eBPF object by fd. Alas, seems this ABI is problematic, as the 'fd', which is local to the process attaching the ebpf object (namely iptables) is stored in the matchinfo structure. This lead

Re: [PATCH net] ipv4: update comment to document GSO fragmentation cases.

ets. > > Suggested-by: Shmulik Ladkani > Signed-off-by: Lance Richardson Thanks Lance. Reviewed-by: Shmulik Ladkani

Re: [PATCH net v3] ipv4: allow local fragmentation in ip_finish_output_gso()

On Thu, 3 Nov 2016 22:34:34 +0100 Hannes Frederic Sowa wrote: > Correct, but we should maybe redefine the code a bit. From my > understanding we can now create an ICMP storm in case every fragment gets. Yes, you are right. Each segment gets into ip_fragment, and due to outer DF being set, ICMP_

Re: [PATCH net v3] ipv4: allow local fragmentation in ip_finish_output_gso()

Hi, On Thu, 3 Nov 2016 09:06:27 -0400 (EDT) Lance Richardson wrote: > I'm not sure what could be added that would help, was there something > specific you had in mind? How about something like this (preliminary, feel free to massage): @@ -248,10 +248,16 @@ static int ip_finish_output_gso(struc

Re: [PATCH net v3] ipv4: allow local fragmentation in ip_finish_output_gso()

Hi, On Thu, 3 Nov 2016 17:05:54 -0400 (EDT) Lance Richardson wrote: > > I'm still digesting the patchwork history, but it seems to me: > >1) If we call skb_gso_validate_mtu() and it returns true, > ip_finish_output2() will > be called, just as before, so nothing changes. > >2)

Re: [PATCH net v3] ipv4: allow local fragmentation in ip_finish_output_gso()

On Thu, 03 Nov 2016 16:12:44 -0400 (EDT) David Miller wrote: > Applied and queued up for -stable. Dave, my response lagged your "Applied" by few minutes ;) This seems to deserve some more thought to make sure nothing got broken, as expressed last in https://patchwork.ozlabs.org/patch/690594/ B

Re: [PATCH net v3] ipv4: allow local fragmentation in ip_finish_output_gso()

Hi Hannes, Lance, On Wed, 2 Nov 2016 16:36:17 -0400 Lance Richardson wrote: > > - if (skb_iif && !(df & htons(IP_DF))) { > - /* Arrived from an ingress interface, got encapsulated, with > - * fragmentation of encapulating frames allowed. > - * If skb i

Re: [PATCH net v3] ipv4: allow local fragmentation in ip_finish_output_gso()

On Wed, 2 Nov 2016 16:36:17 -0400 Lance Richardson wrote: > - /* common case: fragmentation of segments is not allowed, > - * or seglen is <= mtu > + /* common case: seglen is <= mtu >*/ > - if (((IPCB(skb)->flags & IPSKB_FRAG_SEGS) == 0) || > - skb_gso_validat

Re: [PATCH v2] ip6_tunnel: Clear IP6CB in ip6_tnl_xmit() after encapsulation

Hi, On Fri, 28 Oct 2016 13:13:45 +0800 Eli Cooper wrote: > So I think it is best that all the > IP6CB gets cleared before it is pushed to the next layer. Just a comparison to the ipv4 world: All tunnels (udp/ip based) end up calling iptunnel_xmit(), which: - scrubs the skb - clears any IPCB r

Re: [PATCHv2 iproute2 net-next] tc: m_mirred: Fix parsing of 'index' optional argument

Hi, On Thu, 27 Oct 2016 16:56:43 +0200 Phil Sutter wrote: > > Actual code, since first committed, attempts to parse "index" as 1st > > argument (without success), see parse_mirred(): > > > > if (matches(*argv, "egress") == 0 || matches(*argv, "index") == 0) { > > int ret = parse_

Re: [PATCHv2 iproute2 net-next] tc: m_mirred: Fix parsing of 'index' optional argument

Hi Phil, On Thu, 27 Oct 2016 11:46:33 +0200, p...@nwl.cc wrote: > According to the action's help text (and the man page which is based > upon that), this behaviour is perfectly fine: > > | Usage: mirred [index INDEX] > > So first argument *must* be the direction, second one *must* be the > ac

[PATCHv2 iproute2 net-next] tc: m_mirred: Fix parsing of 'index' optional argument

ws: - continue parsing after valid "index" is seen - don't issue the RTNETLINK unless valid "egress"/"ingress" is seen Signed-off-by: Shmulik Ladkani --- v2: rebased to recent tip of net-next, amended log message An alternative solution: banning "index&q

[PATCH iproute2 net-next] tc: m_mirred: Fix parsing of 'index' optional argument

s: - continue parsing after valid "index" is seen - don't issue the RTNETLINK unless valid "egress" is seen Signed-off-by: Shmulik Ladkani --- Well, both man and usage suggest "index" comes after the egress clause: tc ... action mirred DIRECTION ACTION [

[PATCH net-next] net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames

value. Fixes: 05423b2413 ("vlan: allow null VLAN ID to be used") Fixes: 1a31f2042e ("netsched: Allow meta match on vlan tag on receive") Signed-off-by: Shmulik Ladkani Cc: Eric Dumazet Cc: Stephen Hemminger --- net/sched/em_meta.c | 9 + 1 file changed, 5 insertions

[PATCH iproute2 net-next] tc: m_mirred: Add support for ingress redirect/mirror

ef 1 protocol 802.1q basic \ action mirred ingress redirect dev dummy0 Signed-off-by: Shmulik Ladkani --- man/man8/tc-mirred.8 | 4 +--- tc/m_mirred.c| 40 2 files changed, 29 insertions(+), 15 deletions(-) diff --git a/man/man8/tc-mirred.8

[PATCH v4 net-next 3/4] net/sched: tc_mirred: Rename public predicates 'is_tcf_mirred_redirect' and 'is_tcf_mirred_mirror'

wards supporting INGRESS redir/mirror, rename these predicates to reflect their true meaning: s/is_tcf_mirred_redirect/is_tcf_mirred_egress_redirect/ s/is_tcf_mirred_mirror/is_tcf_mirred_egress_mirror/ Signed-off-by: Shmulik Ladkani Cc: Hariprasad S Cc: Jeff Kirsher Cc: Saeed Mahameed Cc: Ji

[PATCH v4 net-next 2/4] net/sched: act_mirred: Refactor detection whether dev needs xmit at mac header

Move detection logic that tests whether device expects skb data to point at mac_header upon xmit into a function. Signed-off-by: Shmulik Ladkani --- net/sched/act_mirred.c | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/net/sched/act_mirred.c b

[PATCH v4 net-next 0/4] act_mirred: Ingress actions support

ng Wang v3: in 4/4, addressed non coherency due to reading m->tcfm_eaction multiple times, as spotted by Eric Dumazet v2: in 1/4, declare tcfm_mac_header_xmit as bool instead of int Shmulik Ladkani (4): net/sched: act_mirred: Rename tcfm_ok_push to tcfm_mac_header_xmit and make it

[PATCH v4 net-next 1/4] net/sched: act_mirred: Rename tcfm_ok_push to tcfm_mac_header_xmit and make it a bool

couple the attribute from the action to be taken. Signed-off-by: Shmulik Ladkani --- v2: declare tcfm_mac_header_xmit as bool instead of int include/net/tc_act/tc_mirred.h | 2 +- net/sched/act_mirred.c | 11 ++- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git

[PATCH v4 net-next 4/4] net/sched: act_mirred: Implement ingress actions

processing of a specified device. Signed-off-by: Shmulik Ladkani Cc: Jamal Hadi Salim Cc: Eric Dumazet Cc: Cong Wang --- v4: check ret code of netif_receive_skb, as suggested by Cong Wang v3: Addressed non coherency due to reading m->tcfm_eaction multiple times, as spotted by Eric

Re: [PATCH v3 net-next 4/4] net/sched: act_mirred: Implement ingress actions

Hi, On Mon, Oct 3, 2016 at 12:45 PM, Cong Wang wrote: > On Thu, Sep 29, 2016 at 4:03 AM, Shmulik Ladkani > wrote: >> skb2->skb_iif = skb->dev->ifindex; >> skb2->dev = dev; >> - err = dev_queue_xmit(skb2); >> + if (tcf_m

[PATCH v3 net-next 4/4] net/sched: act_mirred: Implement ingress actions

processing of a specified device. Signed-off-by: Shmulik Ladkani Cc: Jamal Hadi Salim Cc: Eric Dumazet --- v3: Addressed non coherency due to reading m->tcfm_eaction multiple times, as spotted by Eric Dumazet net/sched/act_mirred.c | 51 -

[PATCH v3 net-next 0/4] act_mirred: Ingress actions support

tion multiple times, as spotted by Eric Dumazet v2: in 1/4, declare tcfm_mac_header_xmit as bool instead of int Shmulik Ladkani (4): net/sched: act_mirred: Rename tcfm_ok_push to tcfm_mac_header_xmit and make it a bool net/sched: act_mirred: Refactor detection whether dev needs xmit at

[PATCH v3 net-next 1/4] net/sched: act_mirred: Rename tcfm_ok_push to tcfm_mac_header_xmit and make it a bool

couple the attribute from the action to be taken. Signed-off-by: Shmulik Ladkani --- v2: declare tcfm_mac_header_xmit as bool instead of int include/net/tc_act/tc_mirred.h | 2 +- net/sched/act_mirred.c | 11 ++- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git

[PATCH v3 net-next 3/4] net/sched: tc_mirred: Rename public predicates 'is_tcf_mirred_redirect' and 'is_tcf_mirred_mirror'

wards supporting INGRESS redir/mirror, rename these predicates to reflect their true meaning: s/is_tcf_mirred_redirect/is_tcf_mirred_egress_redirect/ s/is_tcf_mirred_mirror/is_tcf_mirred_egress_mirror/ Signed-off-by: Shmulik Ladkani Cc: Hariprasad S Cc: Jeff Kirsher Cc: Saeed Mahameed Cc: Ji

[PATCH v3 net-next 2/4] net/sched: act_mirred: Refactor detection whether dev needs xmit at mac header

Move detection logic that tests whether device expects skb data to point at mac_header upon xmit into a function. Signed-off-by: Shmulik Ladkani --- net/sched/act_mirred.c | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/net/sched/act_mirred.c b

Re: [PATCH v2 net-next 4/4] net/sched: act_mirred: Implement ingress actions

Hi Eric, On Tue, 27 Sep 2016 14:27:13 -0700 Eric Dumazet wrote: > > Since this runs lockless, another cpu might change m->tcfm_eaction in > the middle, and you could call dev_queue_xmit(skb2) while the skb2 was > prepared for the opposite action. Well, seem members of 'struct tcf_mirred' are ou

Re: [PATCH v3 net 1/2] net/sched: act_vlan: Push skb->data to mac_header prior calling skb_vlan_*() functions

David, On Thu, 29 Sep 2016 12:10:40 +0300 Shmulik Ladkani wrote: > This patch fixes act_vlan to point to the mac_header prior calling > skb_vlan_*() functions, as other callers do. > This 1/2 patch fixes the problem detailed in [1] for act_vlan, last known caller of skb_vlan_*()

[PATCH v3 net 1/2] net/sched: act_vlan: Push skb->data to mac_header prior calling skb_vlan_*() functions

ader. This patch fixes act_vlan to point to the mac_header prior calling skb_vlan_*() functions, as other callers do. Signed-off-by: Shmulik Ladkani Cc: Daniel Borkmann Cc: Pravin Shelar Cc: Jiri Pirko --- net/sched/act_vlan.c | 9 + 1 file changed, 9 insertions(+) diff --git

[PATCH v3 net 2/2] net: skbuff: Limit skb_vlan_pop/push() to expect skb->data at mac header

longer support arbitrary skb->data inputs for skb_vlan_pop/push(). skb->data is expected to be exactly at mac_header; WARN otherwise. Signed-off-by: Shmulik Ladkani Cc: Daniel Borkmann Cc: Pravin Shelar Cc: Jiri Pirko --- v3: Instead of correcting unwinding of skb->data in skb_vlan_

Re: [PATCH v2 net] net: skbuff: skb_vlan_push: Fix wrong unwinding of skb->data after __vlan_insert_tag call

On Wed, 28 Sep 2016 16:43:38 +0200 Daniel Borkmann wrote: > Couldn't we end up with 1) for the act_vlan case when we'd have the > offset-adjusted skb_vlan_push() fix from here, where we'd then redirect > to ingress where skb_vlan_pop() would be called? If I'm not missing > something, skb_vlan_push

Re: [PATCH v2 net] net: skbuff: skb_vlan_push: Fix wrong unwinding of skb->data after __vlan_insert_tag call

On Wed, 28 Sep 2016 16:43:38 +0200 Daniel Borkmann wrote: > > (1) suppose upon entry we have > > > > DA,SA,0x8100,TCI,0x0800, > > ^^ > > mac_hdr data > > > > initial offset is 18, and after current unwinding code we'll get > > You mean data points after t

Re: [PATCH v2 net] net: skbuff: skb_vlan_push: Fix wrong unwinding of skb->data after __vlan_insert_tag call

Hi, On Wed, 28 Sep 2016 12:30:56 +0200, dan...@iogearbox.net wrote: > > @@ -4608,6 +4608,8 @@ int skb_vlan_push(struct sk_buff *skb, __be16 > > vlan_proto, u16 vlan_tci) > > > > skb->protocol = skb->vlan_proto; > > skb->mac_len += VLAN_HLEN; > > + if (offset) > >

[PATCH v2 net] net: skbuff: skb_vlan_push: Fix wrong unwinding of skb->data after __vlan_insert_tag call

From: Shmulik Ladkani In case 'skb_vlan_push' is called on an skb with a hw-accel vlan tag present, the existing hw-accel tag is inserted into the payload, and the new given tag is placed as new hw-accel tag. In order to insert the existing hw-accel tag, 'skb_vlan_push

Re: [PATCH net] net: skbuff: Fix incorrect skb->mac_len adjustment in skb_vlan_push()

Hi, On Tue, 27 Sep 2016 13:04:35 -0700, pshe...@ovn.org wrote: > > OVS MPLS does depends on mac-len to track MPLS header (ref > skb_mpls_header()). Therefore vlan header changes needs to update > mac-len. Thanks for the explanation. I'm working on a better fix. Regards, Shmulik

Re: [PATCH v2 net-next 4/4] net/sched: act_mirred: Implement ingress actions

Hi, On Tue, 27 Sep 2016 14:27:13 -0700 Eric Dumazet wrote: > On Tue, 2016-09-27 at 23:59 +0300, Shmulik Ladkani wrote: > > Up until now, 'action mirred' supported only egress actions (either > > TCA_EGRESS_REDIR or TCA_EGRESS_MIRROR). > > > > This patch

[PATCH v2 net-next 1/4] net/sched: act_mirred: Rename tcfm_ok_push to tcfm_mac_header_xmit and make it a bool

couple the attribute from the action to be taken. Signed-off-by: Shmulik Ladkani --- v2: declare tcfm_mac_header_xmit as bool instead of int include/net/tc_act/tc_mirred.h | 2 +- net/sched/act_mirred.c | 11 ++- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git

[PATCH v2 net-next 4/4] net/sched: act_mirred: Implement ingress actions

processing of a specified device. Signed-off-by: Shmulik Ladkani Cc: Jamal Hadi Salim --- net/sched/act_mirred.c | 48 ++-- 1 file changed, 42 insertions(+), 6 deletions(-) diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c index

[PATCH v2 net-next 3/4] net/sched: tc_mirred: Rename public predicates 'is_tcf_mirred_redirect' and 'is_tcf_mirred_mirror'

wards supporting INGRESS redir/mirror, rename these predicates to reflect their true meaning: s/is_tcf_mirred_redirect/is_tcf_mirred_egress_redirect/ s/is_tcf_mirred_mirror/is_tcf_mirred_egress_mirror/ Signed-off-by: Shmulik Ladkani Cc: Hariprasad S Cc: Jeff Kirsher Cc: Saeed Mahameed Cc: Ji

[PATCH v2 net-next 2/4] net/sched: act_mirred: Refactor detection whether dev needs xmit at mac header

Move detection logic that tests whether device expects skb data to point at mac_header upon xmit into a function. Signed-off-by: Shmulik Ladkani --- net/sched/act_mirred.c | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/net/sched/act_mirred.c b

[PATCH v2 net-next 0/4] act_mirred: Ingress actions support

This patch series implements action mirred 'ingress' actions TCA_INGRESS_REDIR and TCA_INGRESS_MIRROR. This allows attaching filters whose target is to hand matching skbs into the rx processing of a specified device. v2: in 1/4, declare tcfm_mac_header_xmit as bool instead of in

Re: [PATCH net-next 1/4] net/sched: act_mirred: Rename tcfm_ok_push to tcfm_mac_header_xmit

Hi, On Tue, 27 Sep 2016 12:30:20 +0200 Daniel Borkmann wrote: > On 09/22/2016 03:21 PM, Shmulik Ladkani wrote: > > From: Shmulik Ladkani > > > > 'tcfm_ok_push' specifies whether a mac_len sized push is needed upon > > egress to the target devi

[PATCH net] net: skbuff: Fix incorrect skb->mac_len adjustment in skb_vlan_push()

th0 are xmitted as bogus frames on d0; whereas the expected behavior is having QinQ frames. Fix, removing the unnecessary VLAN_HLEN adjustment of mac_len. Fixes: 93515d53b1 ("net: move vlan pop/push functions into common code") Signed-off-by: Shmulik Ladkani Cc: Pravin Shelar Cc

Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

On Tue, 27 Sep 2016 09:44:41 -0400 (EDT), da...@davemloft.net wrote: > From: Daniel Borkmann > Date: Tue, 27 Sep 2016 12:39:34 +0200 > > > Any reason why dev_forward_skb() is not preferred over direct > > netif_receive_skb() you're using? It would, for example, implicitly > > assure that pkt_type

Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

Hi David, On Tue, 27 Sep 2016 01:56:06 -0400 (EDT), da...@davemloft.net wrote: > The discussion on this patch has ventured off into what to do about > recursion. > > But it unclear to me where this specific patch, and this series, > stands right now. Someone please clear this up for me. Status:

Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

Hi, On Mon, 26 Sep 2016 16:43:16 +0200 Hannes Frederic Sowa wrote: > On 26.09.2016 03:35, Florian Westphal wrote: > > > > Yes, but I think we get same issue when we deal with stacked > > interfaces, and redirect is to e.g. vlan on top of physical device. > > We do have the adjacent upper lis

Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

Hi, On Sat, 24 Sep 2016 17:07:12 -0700 Cong Wang wrote: > One problem to use your code for us is that, the RX side of veth > is inside containers, not visible to outside, perhaps we need some > more parameter to tell the netns before the device name/index? > Thoughts? Well, this is way trickier.

Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

On Sun, 25 Sep 2016 09:05:08 -0400 Jamal Hadi Salim wrote: > On 16-09-23 11:40 AM, Shmulik Ladkani wrote: > > > > [off topic] > > I think this is still on topic! Sorry, wasn't too clear on that. What I meant is that _existing_ "egress redirect" already

Re: [PATCH net] ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()

On Fri, 23 Sep 2016 15:52:24 -0400 (EDT) Lance Richardson wrote: > > From: "Shmulik Ladkani" > > Suggesting to add: > > > > Up until now, 'ip6gre_xmit_other' has set flowi6_proto to a bogus value. > > This affects output route lookup upon xmit

Re: [PATCH net] ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()

6_proto as IPPROTO_GRE in xmit > path."), simply delete the line setting the incorrect flowi6_proto value. > > Suggested-by: Jiri Benc > Fixes: commit c12b395a4664 ("gre: Support GRE over IPv6") > Signed-off-by: Lance Richardson Reviewed-by: Shmulik Ladkani

Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

On Fri, 23 Sep 2016 08:48:33 -0400 Jamal Hadi Salim wrote: > > Even today, one may create loops using existing 'egress redirect', > > e.g. this rediculously errorneous construct: > > > > # ip l add v0 type veth peer name v0p > > # tc filter add dev v0p parent : basic \ > > action mirred

Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

Hi, On Thu, 22 Sep 2016 19:40:15 -0400 Jamal Hadi Salim wrote: > On 16-09-22 09:21 AM, Shmulik Ladkani wrote: > > From: Shmulik Ladkani > > > > Up until now, 'action mirred' supported only egress actions (either > > TCA_EGRESS_REDIR or TCA_EGRESS_MIRRO

Re: [PATCH iproute2 net-next] tc: m_vlan: Add vlan modify action

On Thu, 22 Sep 2016 09:05:04 -0700 Stephen Hemminger wrote: > On Thu, 22 Sep 2016 12:31:10 +0300 > Shmulik Ladkani wrote: > > > + > > +static const char *action_name(int action) > > +{ > > + static const char * const names[] = { > >

Re: [PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

On Thu, 22 Sep 2016 07:54:13 -0700 Eric Dumazet wrote: > Hmm... we probably need to apply the full rcu protection before this > patch. > > https://patchwork.ozlabs.org/patch/667680/ Are you referring to order of application into net-next? This patch seems to present no new tcf_mirred_params mem

[PATCH v2 iproute2 net-next] tc: m_vlan: Add vlan modify action

sic match 'meta(vlan mask 0xfff eq 6)' \ action vlan modify id 5 continue Signed-off-by: Shmulik Ladkani --- v2: Coding. No need to encapsule action_names[] access into a function include/linux/tc_act/tc_vlan.h | 1 + man/man8/tc-vlan.8 | 25

[PATCH net-next 4/4] net/sched: act_mirred: Implement ingress actions

From: Shmulik Ladkani Up until now, 'action mirred' supported only egress actions (either TCA_EGRESS_REDIR or TCA_EGRESS_MIRROR). This patch implements the corresponding ingress actions TCA_INGRESS_REDIR and TCA_INGRESS_MIRROR. This allows attaching filters whose target is to han

[PATCH net-next 3/4] net/sched: tc_mirred: Rename public predicates 'is_tcf_mirred_redirect' and 'is_tcf_mirred_mirror'

From: Shmulik Ladkani These accessors are used in various drivers that support tc offloading, to detect properties of a given 'tc_action'. 'is_tcf_mirred_redirect' tests that the action is TCA_EGRESS_REDIR. 'is_tcf_mirred_mirror' tests that the action is TCA_EGR

[PATCH net-next 0/4] act_mirred: Ingress actions support

This patch series implements action mirred 'ingress' actions TCA_INGRESS_REDIR and TCA_INGRESS_MIRROR. This allows attaching filters whose target is to hand matching skbs into the rx processing of a specified device. Shmulik Ladkani (4): net/sched: act_mirred: Rename tcfm_

[PATCH net-next 1/4] net/sched: act_mirred: Rename tcfm_ok_push to tcfm_mac_header_xmit

From: Shmulik Ladkani 'tcfm_ok_push' specifies whether a mac_len sized push is needed upon egress to the target device (if action is performed at ingress). Rename it to 'tcfm_mac_header_xmit' as this is actually an attribute of the target device. This allows to decouple th

[PATCH net-next 2/4] net/sched: act_mirred: Refactor detection whether dev needs xmit at mac header

From: Shmulik Ladkani Move detection logic that tests whether device expects skb data to point to mac_header upon xmit into a function. Signed-off-by: Shmulik Ladkani --- net/sched/act_mirred.c | 28 +++- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a

[PATCH iproute2 net-next] tc: m_vlan: Add vlan modify action

sic match 'meta(vlan mask 0xfff eq 6)' \ action vlan modify id 5 continue Signed-off-by: Shmulik Ladkani --- include/linux/tc_act/tc_vlan.h | 1 + man/man8/tc-vlan.8 | 25 ++-- tc/m_vlan.c| 44 +

[PATCH v3 net-next 2/2] net: skbuff: Coding: Use eth_type_vlan() instead of open coding it

Fix 'skb_vlan_pop' to use eth_type_vlan instead of directly comparing skb->protocol to ETH_P_8021Q or ETH_P_8021AD. Signed-off-by: Shmulik Ladkani --- net/core/skbuff.c | 6 ++ 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/net/core/skbuff.c b/net/core/skbuff.c

  1   2   >