1. 12 Aug, 2018 15 commits
  2. 11 Aug, 2018 1 commit
  3. 10 Aug, 2018 5 commits
    • A
      Bluetooth: Add definitions for LE set address resolution · aa12af77
      Ankit Navik committed
      Add the definitions for LE address resolution enable HCI commands.
      When the LE address resolution enable gets changed via HCI commands
      make sure that flag gets updated.
      Signed-off-by: Ankit Navik <ankit.p.navik@intel.com>
      Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
      aa12af77
    • A
      net: allow to call netif_reset_xps_queues() under cpus_read_lock · 4d99f660
      Andrei Vagin committed
      The definition of static_key_slow_inc() has cpus_read_lock in place. In the
      virtio_net driver, XPS queues are initialized after setting the queue:cpu
      affinity in virtnet_set_affinity() which is already protected within
      cpus_read_lock. Lockdep prints a warning when we are trying to acquire
      cpus_read_lock when it is already held.
      
      This patch adds an ability to call __netif_set_xps_queue under
      cpus_read_lock().
      Acked-by: Jason Wang <jasowang@redhat.com>
      
      ============================================
      WARNING: possible recursive locking detected
      4.18.0-rc3-next-20180703+ #1 Not tainted
      --------------------------------------------
      swapper/0/1 is trying to acquire lock:
      00000000cf973d46 (cpu_hotplug_lock.rw_sem){++++}, at: static_key_slow_inc+0xe/0x20
      
      but task is already holding lock:
      00000000cf973d46 (cpu_hotplug_lock.rw_sem){++++}, at: init_vqs+0x513/0x5a0
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(cpu_hotplug_lock.rw_sem);
        lock(cpu_hotplug_lock.rw_sem);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      3 locks held by swapper/0/1:
       #0: 00000000244bc7da (&dev->mutex){....}, at: __driver_attach+0x5a/0x110
       #1: 00000000cf973d46 (cpu_hotplug_lock.rw_sem){++++}, at: init_vqs+0x513/0x5a0
       #2: 000000005cd8463f (xps_map_mutex){+.+.}, at: __netif_set_xps_queue+0x8d/0xc60
      
      v2: move cpus_read_lock() out of __netif_set_xps_queue()
      
      Cc: "Nambiar, Amritha" <amritha.nambiar@intel.com>
      Cc: "Michael S. Tsirkin" <mst@redhat.com>
      Cc: Jason Wang <jasowang@redhat.com>
      Fixes: 8af2c06f ("net-sysfs: Add interface for Rx queue(s) map per Tx queue")
      Signed-off-by: Andrei Vagin <avagin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      4d99f660
    • J
      net: sched: fix block->refcnt decrement · 63cc5bcc
      Jiri Pirko committed
      Currently the refcnt is never decremented in case the value is not 1.
      Fix it by adding decrement in case the refcnt is not 1.
      Reported-by: Vlad Buslov <vladbu@mellanox.com>
      Fixes: f71e0ca4 ("net: sched: Avoid implicit chain 0 creation")
      Signed-off-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      63cc5bcc
    • Y
      decnet: fix using plain integer as NULL warning · 0bab1cdc
      YueHaibing committed
      Fixes the following sparse warning:
      net/decnet/dn_route.c:407:30: warning: Using plain integer as NULL pointer
      net/decnet/dn_route.c:1923:22: warning: Using plain integer as NULL pointer
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      0bab1cdc
    • M
      net: ipv6_gre: Fix GRO to work on IPv6 over GRE tap · eb95f52f
      Maria Pasechnik committed
      IPv6 GRO over GRE tap is not working while GRO is not set
      over the native interface.
      
      gro_list_prepare function updates the same_flow variable
      of existing sessions to 1 if their mac headers match the one
      of the incoming packet.
      same_flow is used to filter out non-matching sessions and keep
      potential ones for aggregation.
      
      The number of bytes to compare should be the number of bytes
      in the mac headers. In gro_list_prepare this number is set to
      be skb->dev->hard_header_len. For GRE interfaces this hard_header_len
      should be as it is set in the initialization process (when GRE is
      created), it should not be overridden. But currently it is being overridden
      by the value that is actually supposed to represent the needed_headroom.
      Therefore, the number of bytes compared in order to decide whether the
      mac headers are the same is greater than the length of the headers.
      
      As it's documented in netdevice.h, hard_header_len is the maximum
      hardware header length, and needed_headroom is the extra headroom
      the hardware may need.
      hard_header_len is basically all the bytes received by the physical
      till layer 3 header of the packet received by the interface.
      For example, if the interface is a GRE tap then the needed_headroom
      should be the total length of the following headers:
      IP header of the physical, GRE header, mac header of GRE.
      It is often used to calculate the MTU of the created interface.
      
      This patch removes the override of the hard_header_len, and
      assigns the calculated value to needed_headroom.
      This way, the comparison in gro_list_prepare is really of
      the mac headers, and if the packets have the same mac headers
      the same_flow will be set to 1.
      
      Performance testing: 45% higher bandwidth.
      Measuring bandwidth of single-stream IPv4 TCP traffic over IPv6
      GRE tap while GRO is not set on the native.
      NIC: ConnectX-4LX
      Before (GRO not working) : 7.2 Gbits/sec
      After (GRO working): 10.5 Gbits/sec
      Signed-off-by: Maria Pasechnik <mariap@mellanox.com>
      Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      eb95f52f
  4. 09 Aug, 2018 8 commits
    • A
      dsa: slave: eee: Allow ports to use phylink · 1be52e97
      Andrew Lunn committed
      For a port to be able to use EEE, both the MAC and the PHY must
      support EEE. A phy can be provided by both a phydev or phylink. Verify
      at least one of these exist, not just phydev.
      
      Fixes: aab9c406 ("net: dsa: Plug in PHYLINK support")
      Signed-off-by: Andrew Lunn <andrew@lunn.ch>
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      1be52e97
    • U
      net/smc: move sock lock in smc_ioctl() · 7311d665
      Ursula Braun committed
      When an SMC socket is connecting it is decided whether fallback to
      TCP is needed. To avoid races between connect and ioctl move the
      sock lock before the use_fallback check.
      
      Reported-by: syzbot+5b2cece1a8ecb2ca77d8@syzkaller.appspotmail.com
      Reported-by: syzbot+19557374321ca3710990@syzkaller.appspotmail.com
      Fixes: 1992d998 ("net/smc: take sock lock in smc_ioctl()")
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      7311d665
    • U
      net/smc: allow sysctl rmem and wmem defaults for servers · bd58c7e0
      Ursula Braun committed
      Without setsockopt SO_SNDBUF and SO_RCVBUF settings, the sysctl
      defaults net.ipv4.tcp_wmem and net.ipv4.tcp_rmem should be the base
      for the sizes of the SMC sndbuf and rcvbuf. Any TCP buffer size
      optimizations for servers should be ignored.
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      bd58c7e0
    • U
      net/smc: no shutdown in state SMC_LISTEN · caa21e19
      Ursula Braun committed
      Invoking shutdown for a socket in state SMC_LISTEN does not make
      sense. Nevertheless programs like syzbot fuzzing the kernel may
      try to do this. For SMC this means a socket refcounting problem.
      This patch makes sure a shutdown call for an SMC socket in state
      SMC_LISTEN simply returns with -ENOTCONN.
      Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      caa21e19
    • D
      rxrpc: Fix the keepalive generator [ver #2] · 330bdcfa
      David Howells committed
      AF_RXRPC has a keepalive message generator that generates a message for a
      peer ~20s after the last transmission to that peer to keep firewall ports
      open.  The implementation is incorrect in the following ways:
      
       (1) It mixes up ktime_t and time64_t types.
      
       (2) It uses ktime_get_real(), the output of which may jump forward or
           backward due to adjustments to the time of day.
      
       (3) If the current time jumps forward too much or jumps backwards, the
           generator function will crank the base of the time ring round one slot
           at a time (ie. a 1s period) until it catches up, spewing out VERSION
           packets as it goes.
      
      Fix the problem by:
      
       (1) Only using time64_t.  There's no need for sub-second resolution.
      
       (2) Use ktime_get_seconds() rather than ktime_get_real() so that time
           isn't perceived to go backwards.
      
       (3) Simplifying rxrpc_peer_keepalive_worker() by splitting it into two
           parts:
      
           (a) The "worker" function that manages the buckets and the timer.
      
           (b) The "dispatch" function that takes the pending peers and
               potentially transmits a keepalive packet before putting them back
               in the ring into the slot appropriate to the revised last-Tx time.
      
       (4) Taking everything that's pending out of the ring and splicing it into
           a temporary collector list for processing.
      
           In the case that there's been a significant jump forward, the ring
           gets entirely emptied and then the time base can be warped forward
           before the peers are processed.
      
           The warping can't happen if the ring isn't empty because the slot a
           peer is in is keepalive-time dependent, relative to the base time.
      
       (5) Limit the number of iterations of the bucket array when scanning it.
      
       (6) Set the timer to skip any empty slots as there's no point waking up if
           there's nothing to do yet.
      
      This can be triggered by an incoming call from a server after a reboot with
      AF_RXRPC and AFS built into the kernel causing a peer record to be set up
      before userspace is started.  The system clock is then adjusted by
      userspace, thereby potentially causing the keepalive generator to have a
      meltdown - which leads to a message like:
      
      	watchdog: BUG: soft lockup - CPU#0 stuck for 23s! [kworker/0:1:23]
      	...
      	Workqueue: krxrpcd rxrpc_peer_keepalive_worker
      	EIP: lock_acquire+0x69/0x80
      	...
      	Call Trace:
      	 ? rxrpc_peer_keepalive_worker+0x5e/0x350
      	 ? _raw_spin_lock_bh+0x29/0x60
      	 ? rxrpc_peer_keepalive_worker+0x5e/0x350
      	 ? rxrpc_peer_keepalive_worker+0x5e/0x350
      	 ? __lock_acquire+0x3d3/0x870
      	 ? process_one_work+0x110/0x340
      	 ? process_one_work+0x166/0x340
      	 ? process_one_work+0x110/0x340
      	 ? worker_thread+0x39/0x3c0
      	 ? kthread+0xdb/0x110
      	 ? cancel_delayed_work+0x90/0x90
      	 ? kthread_stop+0x70/0x70
      	 ? ret_from_fork+0x19/0x24
      
      Fixes: ace45bec ("rxrpc: Fix firewall route keepalive")
      Reported-by: kernel test robot <lkp@intel.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      330bdcfa
    • W
      netfilter: nfnetlink_osf: fix using plain integer as NULL warning · e7ea2a52
      Wei Yongjun committed
      Fixes the following sparse warning:
      
      net/netfilter/nfnetlink_osf.c:274:24: warning:
       Using plain integer as NULL pointer
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      e7ea2a52
    • Z
      net:mod: remove unneeded variable 'ret' in init_p9 · 5a0c6cee
      zhong jiang committed
      The ret is modified after initialization, so just remove it and
      return 0.
      Signed-off-by: zhong jiang <zhongjiang@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      5a0c6cee
    • Z
      net:af_iucv: get rid of the unneeded variable 'err' in afiucv_pm_freeze · fb3b467e
      zhong jiang committed
      We will not use the variable 'err' after initialization, so remove it and
      return 0.
      Signed-off-by: zhong jiang <zhongjiang@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      fb3b467e
  5. 08 Aug, 2018 9 commits
    • C
      llc: use refcount_inc_not_zero() for llc_sap_find() · 0dcb8225
      Cong Wang committed
      llc_sap_put() decreases the refcnt before deleting sap
      from the global list. Therefore, there is a chance
      llc_sap_find() could find a sap with zero refcnt
      in this global list.
      
      Close this race condition by checking if refcnt is zero
      or not in llc_sap_find(), if it is zero then it is being
      removed so we can just treat it as gone.
      
      Reported-by: <syzbot+278893f3f7803871f7ce@syzkaller.appspotmail.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      0dcb8225
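
A user-space model of the lookup race described in the commit message above, added here as an illustration and not the kernel's code. `struct sap`, `ref_inc_not_zero()`, `sap_find_unchecked()` and `sap_find_checked()` are hypothetical names, and C11 atomics stand in for the kernel's refcount API.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for an entry on a global, shared list. */
struct sap {
    atomic_uint refcnt;
    unsigned char lsap;
    struct sap *next;
};

/* Take a reference only while the count is still non-zero. */
static bool ref_inc_not_zero(atomic_uint *r)
{
    unsigned int old = atomic_load(r);

    while (old != 0) {
        /* On failure 'old' is refreshed with the current value. */
        if (atomic_compare_exchange_weak(r, &old, old + 1))
            return true;
    }
    return false; /* count already hit zero: the object is being torn down */
}

/* Lookup that bumps the count unconditionally: it can hand out an entry
 * whose last reference was already dropped but which is still linked. */
static struct sap *sap_find_unchecked(struct sap *head, unsigned char lsap)
{
    for (struct sap *s = head; s; s = s->next) {
        if (s->lsap == lsap) {
            atomic_fetch_add(&s->refcnt, 1);
            return s;
        }
    }
    return NULL;
}

/* Lookup that treats a zero-count entry as already gone. */
static struct sap *sap_find_checked(struct sap *head, unsigned char lsap)
{
    for (struct sap *s = head; s; s = s->next) {
        if (s->lsap == lsap)
            return ref_inc_not_zero(&s->refcnt) ? s : NULL;
    }
    return NULL;
}

int main(void)
{
    /* Constructed state: the put side has dropped the count to zero
     * but has not yet unlinked the entry from the list. */
    struct sap dying = { .lsap = 0x42, .next = NULL };
    atomic_store(&dying.refcnt, 0);

    printf("checked lookup:   %s\n",
           sap_find_checked(&dying, 0x42) ? "returned entry" : "NULL (treated as gone)");
    printf("unchecked lookup: %s, refcnt now %u\n",
           sap_find_unchecked(&dying, 0x42) ? "returned dying entry" : "NULL",
           atomic_load(&dying.refcnt));
    return 0;
}
```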
    • A
      dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() · 61ef4b07
      Alexey Kodanev committed
      The shift of 'cwnd' with '(now - hc->tx_lsndtime) / hc->tx_rto' value
      can lead to undefined behavior [1].
      
      In order to fix this use a gradual shift of the window with a 'while'
      loop, similar to what tcp_cwnd_restart() is doing.
      
      When comparing delta and RTO there is a minor difference between TCP
      and DCCP, the last one also invokes dccp_cwnd_restart() and reduces
      'cwnd' if delta equals RTO. That case is preserved in this change.
      
      [1]:
      [40850.963623] UBSAN: Undefined behaviour in net/dccp/ccids/ccid2.c:237:7
      [40851.043858] shift exponent 67 is too large for 32-bit type 'unsigned int'
      [40851.127163] CPU: 3 PID: 15940 Comm: netstress Tainted: G        W   E     4.18.0-rc7.x86_64 #1
      ...
      [40851.377176] Call Trace:
      [40851.408503]  dump_stack+0xf1/0x17b
      [40851.451331]  ? show_regs_print_info+0x5/0x5
      [40851.503555]  ubsan_epilogue+0x9/0x7c
      [40851.548363]  __ubsan_handle_shift_out_of_bounds+0x25b/0x2b4
      [40851.617109]  ? __ubsan_handle_load_invalid_value+0x18f/0x18f
      [40851.686796]  ? xfrm4_output_finish+0x80/0x80
      [40851.739827]  ? lock_downgrade+0x6d0/0x6d0
      [40851.789744]  ? xfrm4_prepare_output+0x160/0x160
      [40851.845912]  ? ip_queue_xmit+0x810/0x1db0
      [40851.895845]  ? ccid2_hc_tx_packet_sent+0xd36/0x10a0 [dccp]
      [40851.963530]  ccid2_hc_tx_packet_sent+0xd36/0x10a0 [dccp]
      [40852.029063]  dccp_xmit_packet+0x1d3/0x720 [dccp]
      [40852.086254]  dccp_write_xmit+0x116/0x1d0 [dccp]
      [40852.142412]  dccp_sendmsg+0x428/0xb20 [dccp]
      [40852.195454]  ? inet_dccp_listen+0x200/0x200 [dccp]
      [40852.254833]  ? sched_clock+0x5/0x10
      [40852.298508]  ? sched_clock+0x5/0x10
      [40852.342194]  ? inet_create+0xdf0/0xdf0
      [40852.388988]  sock_sendmsg+0xd9/0x160
      ...
      
      Fixes: 113ced1f ("dccp ccid-2: Perform congestion-window validation")
      Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      61ef4b07
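
A user-space sketch of the shift problem described in the commit message above, added here as an illustration and not the kernel's code. The function names, the `floor_wnd` lower bound and the sample values are assumptions; only the shift exponent 67 comes from the UBSAN report quoted in the message.

```c
#include <stdint.h>
#include <stdio.h>

/* A shift count >= the operand width (32 here) is undefined behaviour in C. */
static int shift_count_defined(uint32_t idle, uint32_t rto)
{
    return rto != 0 && idle / rto < 32;
}

/* One-step form: only safe to call when shift_count_defined() holds. */
static uint32_t cwnd_restart_direct(uint32_t cwnd, uint32_t floor_wnd,
                                    uint32_t idle, uint32_t rto)
{
    cwnd >>= idle / rto;
    return cwnd > floor_wnd ? cwnd : floor_wnd;
}

/* Gradual form: halve once per elapsed RTO and stop at the floor, so the
 * shift count is always 1 however long the connection was idle. A signed
 * 64-bit delta is this sketch's choice to keep the subtraction well defined. */
static uint32_t cwnd_restart_gradual(uint32_t cwnd, uint32_t floor_wnd,
                                     uint32_t idle, uint32_t rto)
{
    int64_t delta = idle;

    /* ">= 0" keeps the case where the idle time equals exactly one RTO. */
    while ((delta -= rto) >= 0 && cwnd > floor_wnd)
        cwnd >>= 1;
    return cwnd > floor_wnd ? cwnd : floor_wnd;
}

int main(void)
{
    const uint32_t rto = 200, cwnd = 1000, floor_wnd = 3; /* constructed values */
    const uint32_t idle = 67 * rto; /* 67 RTOs idle, as in the UBSAN report */

    printf("one-step shift defined for 67 RTOs idle: %s\n",
           shift_count_defined(idle, rto) ? "yes" : "no");
    printf("gradual result after 67 RTOs: %u\n",
           cwnd_restart_gradual(cwnd, floor_wnd, idle, rto));
    printf("gradual result after exactly 1 RTO: %u\n",
           cwnd_restart_gradual(cwnd, floor_wnd, rto, rto));
    /* For in-range counts both forms agree. */
    printf("3 RTOs: direct=%u gradual=%u\n",
           cwnd_restart_direct(cwnd, floor_wnd, 3 * rto, rto),
           cwnd_restart_gradual(cwnd, floor_wnd, 3 * rto, rto));
    return 0;
}
```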
    • Y
      RDS: IB: fix 'passing zero to ERR_PTR()' warning · 5941923d
      YueHaibing committed
      Fix a static code checker warning:
       net/rds/ib_frmr.c:82 rds_ib_alloc_frmr() warn: passing zero to 'ERR_PTR'
      
      The error path for ib_alloc_mr failure should set err to PTR_ERR.
      
      Fixes: 1659185f ("RDS: IB: Support Fastreg MR (FRMR) memory registration mode")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      5941923d
    • Y
      tipc: fix an interrupt unsafe locking scenario · 37436d9c
      Ying Xue committed
      Commit 9faa89d4 ("tipc: make function tipc_net_finalize() thread
      safe") tries to make it thread safe to set node address, so it uses
      node_list_lock lock to serialize the whole process of setting node
      address in tipc_net_finalize(). But it causes the following interrupt
      unsafe locking scenario:
      
             CPU0                    CPU1
             ----                    ----
        rht_deferred_worker()
        rhashtable_rehash_table()
        lock(&(&ht->lock)->rlock)
                                     tipc_nl_compat_doit()
                                     tipc_net_finalize()
                                     local_irq_disable();
                                     lock(&(&tn->node_list_lock)->rlock);
                                     tipc_sk_reinit()
                                     rhashtable_walk_enter()
                                     lock(&(&ht->lock)->rlock);
        <Interrupt>
        tipc_disc_rcv()
        tipc_node_check_dest()
        tipc_node_create()
        lock(&(&tn->node_list_lock)->rlock);
      
       *** DEADLOCK ***
      
      When rhashtable_rehash_table() holds ht->lock on CPU0, it doesn't
      disable BH. So if an interrupt happens after the lock, it can create
      an inverse lock ordering between ht->lock and tn->node_list_lock. As
      a consequence, deadlock might happen.
      
      The reason causing the inverse lock ordering scenario above is because
      the initial purpose of node_list_lock is not designed to do the
      serialization of node address setting.
      
      As cmpxchg() can guarantee CAS (compare-and-swap) process is atomic,
      we use it to replace node_list_lock to ensure setting node address can
      be atomically finished. It turns out the potential deadlock can be
      avoided as well.
      
      Fixes: 9faa89d4 ("tipc: make function tipc_net_finalize() thread safe")
      Signed-off-by: Ying Xue <ying.xue@windriver.com>
      Acked-by: Jon Maloy <maloy@donjonn.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      37436d9c
    • C
      vsock: split dwork to avoid reinitializations · 455f05ec
      Cong Wang committed
      syzbot reported that we reinitialize an active delayed
      work in vsock_stream_connect():
      
      	ODEBUG: init active (active state 0) object type: timer_list hint:
      	delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:1414
      	WARNING: CPU: 1 PID: 11518 at lib/debugobjects.c:329
      	debug_print_object+0x16a/0x210 lib/debugobjects.c:326
      
      The pattern is apparently wrong, we should only initialize
      the delayed work once and could repeatedly schedule it. So we
      have to move out the initializations to allocation side.
      And to avoid confusion, we can split the shared dwork
      into two, instead of re-using the same one.
      
      Fixes: d021c344 ("VSOCK: Introduce VM Sockets")
      Reported-by: <syzbot+8a9b1bd330476a4f3db6@syzkaller.appspotmail.com>
      Cc: Andy king <acking@vmware.com>
      Cc: Stefan Hajnoczi <stefanha@redhat.com>
      Cc: Jorgen Hansen <jhansen@vmware.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      455f05ec
    • S
      ip6_tunnel: collect_md xmit: Use ip_tunnel_key's provided src address · 3789caba
      Shmulik Ladkani committed
      When using an ip6tnl device in collect_md mode, the xmit methods ignore
      the ipv6.src field present in skb_tunnel_info's key, both for route
      calculation purposes (flowi6 construction) and for assigning the
      packet's final ipv6h->saddr.
      
      This makes it impossible to specify a desired ipv6 local address in the
      encapsulating header (for example, when using tc action tunnel_key).
      
      This is also not aligned with behavior of ipip (ipv4) in collect_md
      mode, where the key->u.ipv4.src gets used.
      
      Fix, by assigning fl6.saddr with given key->u.ipv6.src.
      In case ipv6.src is not specified, ip6_tnl_xmit uses existing saddr
      selection code.
      
      Fixes: 8d79266b ("ip6_tunnel: add collect_md mode to IPv6 tunnels")
      Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
      Reviewed-by: Eyal Birger <eyal.birger@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      3789caba
    • V
      net: sched: cls_flower: set correct offload data in fl_reoffload · 9ca61630
      Vlad Buslov committed
      fl_reoffload implementation sets following members of struct
      tc_cls_flower_offload incorrectly:
       - masked key instead of mask
       - key instead of masked key
      
      Fix fl_reoffload to provide correct data to offload callback.
      
      Fixes: 31533cba ("net: sched: cls_flower: implement offload tcf_proto_op")
      Signed-off-by: Vlad Buslov <vladbu@mellanox.com>
      Acked-by: Jiri Pirko <jiri@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      9ca61630
    • P
      net/sched: allow flower to match tunnel options · 0a6e7778
      Pieter Jansen van Vuuren committed
      Allow matching on options in Geneve tunnel headers.
      This makes use of existing tunnel metadata support.
      
      The options can be described in the form
      CLASS:TYPE:DATA/CLASS_MASK:TYPE_MASK:DATA_MASK, where CLASS is
      represented as a 16bit hexadecimal value, TYPE as an 8bit
      hexadecimal value and DATA as a variable length hexadecimal value.
      
      e.g.
       # ip link add name geneve0 type geneve dstport 0 external
       # tc qdisc add dev geneve0 ingress
       # tc filter add dev geneve0 protocol ip parent ffff: \
           flower \
             enc_src_ip 10.0.99.192 \
             enc_dst_ip 10.0.99.193 \
             enc_key_id 11 \
             geneve_opts 0102:80:1122334421314151/ffff:ff:ffffffffffffffff \
             ip_proto udp \
             action mirred egress redirect dev eth1
      
      This patch adds support for matching Geneve options in the order
      supplied by the user. This leads to an efficient implementation in
      the software datapath (and in our opinion hardware datapaths that
      offload this feature). It is also compatible with Geneve options
      matching provided by the Open vSwitch kernel datapath which is
      relevant here as the Flower classifier may be used as a mechanism
      to program flows into hardware as a form of Open vSwitch datapath
      offload (sometimes referred to as OVS-TC). The netlink
      Kernel/Userspace API may be extended, for example by adding a flag,
      if other matching options are desired, for example matching given
      options in any order. This would require an implementation in the
      TC software datapath. And be done in a way that drivers that
      facilitate offload of the Flower classifier can reject or accept
      such flows based on hardware datapath capabilities.
      
      This approach was discussed and agreed on at Netconf 2017 in Seoul.
      Signed-off-by: Simon Horman <simon.horman@netronome.com>
      Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
      Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      0a6e7778
    • S
      flow_dissector: allow dissection of tunnel options from metadata · 92e2c405
      Simon Horman committed
      Allow the existing 'dissection' of tunnel metadata to 'dissect'
      options already present in tunnel metadata. This dissection is
      controlled by a new dissector key, FLOW_DISSECTOR_KEY_ENC_OPTS.
      
      This dissection only occurs when skb_flow_dissect_tunnel_info()
      is called, currently only the Flower classifier makes that call.
      So there should be no impact on other users of the flow dissector.
      
      This is in preparation for allowing the flower classifier to
      match on Geneve options.
      Signed-off-by: Simon Horman <simon.horman@netronome.com>
      Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      92e2c405
  6. 07 Aug, 2018 2 commits
    • P
      netfilter: nft_ct: enable conntrack for helpers · f699edb1
      Pablo Neira Ayuso committed
      Enable conntrack if the user defines a helper to be used from the
      ruleset policy.
      
      Fixes: 1a64edf5 ("netfilter: nft_ct: add helper set support")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      f699edb1
    • H
      netfilter: nft_ct: add ct timeout support · 7e0b2b57
      Harsha Sharma committed
      This patch allows to add, list and delete connection tracking timeout
      policies via nft objref infrastructure and assigning these timeout
      via nft rule.
      
      %./libnftnl/examples/nft-ct-timeout-add ip raw cttime tcp
      
      Ruleset:
      
      table ip raw {
         ct timeout cttime {
             protocol tcp;
             policy = {established: 111, close: 13 }
         }
      
         chain output {
             type filter hook output priority -300; policy accept;
             ct timeout set "cttime"
         }
      }
      
      %./libnftnl/examples/nft-rule-ct-timeout-add ip raw output cttime
      
      %conntrack -E
      [NEW] tcp      6 111 ESTABLISHED src=172.16.19.128 dst=172.16.19.1
      sport=22 dport=41360 [UNREPLIED] src=172.16.19.1 dst=172.16.19.128
      sport=41360 dport=22
      
      %nft delete rule ip raw output handle <handle>
      %./libnftnl/examples/nft-ct-timeout-del ip raw cttime
      
      Joint work with Pablo Neira.
      Signed-off-by: Harsha Sharma <harshasharmaiitr@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      7e0b2b57