- 06 April 2021, 9 commits
-
-
Authored by Florian Westphal
No need to keep this in struct net, place it in the net_generic data. The sysctl pointer is removed from struct net in a followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
Will reduce struct net size by 208 bytes.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
This moves all nf_tables pernet data from struct net to a net_generic extension, with the exception of the gencursor. The latter is used in the data path and also outside of the nf_tables core. All others are only used from the configuration plane.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
ebtables currently uses net->xt.tables[BRIDGE], but an upcoming patch will move net->xt.tables away from struct net. To avoid exposing x_tables internals to ebtables, use a private list instead.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
This allows a followup patch to remove the defrag_ipv4 member from struct net. It also allows to auto-remove the hooks later on by adding a _disable() function. This will be done later in a follow-up patch series.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
This allows a followup patch to remove these members from struct net.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
Reduce size of struct net and make this self-contained. The member in struct net is kept to minimize changes to struct net layout, it will be removed in a separate patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
No need to place it in struct net, nfnetlink is a module and usage doesn't occur in fastpath.

Also remove rcu usage: not a single reader of net->nfnl uses rcu accessors.

When exit_batch callbacks are executed the net namespace is already dead so no calls to these functions are possible anymore (else we'd get a NULL deref crash too).

If the module is removed, then modules that call any of those functions have been removed too so no calls to nfnl functions are possible either.

The nfnl and nfl_stash pointers in struct net are no longer used, they will be removed in a followup patch to minimize changes to struct net (causes rebuild for entire network stack).
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
This removes the only reference of net->nfnl outside of the nfnetlink module. This allows to move net->nfnl to net_generic infra.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- 04 April 2021, 3 commits
-
-
Authored by Pablo Neira Ayuso
Since 4f16d25c ("netfilter: nftables: add nft_parse_register_load() and use it") and 345023b0 ("netfilter: nftables: add nft_parse_register_store() and use it"), the following functions are not exported symbols anymore:
- nft_parse_register()
- nft_validate_register_load()
- nft_validate_register_store()
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Dan Carpenter
The first argument of a WARN_ONCE() is a condition. This WARN_ONCE() will only print the table name, and is potentially problematic if the table name has a %s in it.
Fixes: c520292f ("audit: log nftables configuration change events once per table")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
This causes dmesg spew during normal operation, so remove this.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Julian Anastasov <ja@ssi.bg>
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- 01 April 2021, 10 commits
-
-
Authored by Pablo Neira Ayuso
This patch adds a helper function to set up the netlink and nfnetlink headers. Update existing codebase to use it.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Pablo Neira Ayuso
This patch adds a helper function to calculate the base sequence number field that is stored in the nfnetlink header. Use the helper function whenever possible.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Yang Yingliang
The spinlock nf_tables_destroy_list_lock is initialized statically. It is unnecessary to initialize it by spin_lock_init().
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Pablo Neira Ayuso
Move dst_check() to the garbage collector path. Stale routes trigger the flow entry teardown state which makes affected flows go back to the classic forwarding path to re-evaluate flow offloading. IPv6 requires the dst cookie to work, store it in the flow_tuple, otherwise dst_check() always fails.
Fixes: e5075c0b ("netfilter: flowtable: call dst_check() to fall back to classic forwarding")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Wan Jiabing
struct ip_set is declared twice. One is declared at the 79th line, so remove the duplicate.
Signed-off-by: Wan Jiabing <wanjiabing@vivo.com>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Richard Guy Briggs
Reduce logging of nftables events to a level similar to iptables. Restore the table field to list the table, adding the generation. Indicate the op as the most significant operation in the event.

A couple of sample events:

type=PROCTITLE msg=audit(2021-03-18 09:30:49.801:143) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.801:143) : arch=x86_64 syscall=sendmsg success=yes exit=172 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=inet entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=PROCTITLE msg=audit(2021-03-18 09:30:49.839:144) : proctitle=/usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
type=SYSCALL msg=audit(2021-03-18 09:30:49.839:144) : arch=x86_64 syscall=sendmsg success=yes exit=22792 a0=0x6 a1=0x7ffdcfcbe650 a2=0x0 a3=0x7ffdcfcbd52c items=0 ppid=1 pid=367 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.9 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv6 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=ipv4 entries=30 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld

The issue was originally documented in https://github.com/linux-audit/audit-kernel/issues/124

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
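The records in that commit message are `ausearch -i` output. The following added example (not part of the commit, the kernel, or the audit user-space tools) parses NETFILTER_CFG records of that shape, collapses the per-family records of one transaction (same audit serial), flags changes made by a process outside an allow-list, and spots skipped generation numbers. The first three sample records are copied from the commit message above; the fourth record, the allow-list and all function names are constructed for this example.

```python
"""Parse and sanity-check NETFILTER_CFG audit records (ausearch -i format).

Added example, not kernel or audit-userspace code; function names are ours.
"""
import re

# Constructed sample: the first three records are copied from the commit
# message above; the fourth is made up to show a change by an unexpected
# process (comm=nft) and a skipped generation number.
SAMPLE = """\
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv6 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.801:143) : table=firewalld:2 family=ipv4 entries=1 op=nft_register_table pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:30:49.839:144) : table=firewalld:3 family=inet entries=165 op=nft_register_chain pid=367 subj=system_u:system_r:firewalld_t:s0 comm=firewalld
type=NETFILTER_CFG msg=audit(2021-03-18 09:31:02.100:150) : table=firewalld:5 family=inet entries=2 op=nft_register_rule pid=4242 subj=unconfined_u:unconfined_r:unconfined_t:s0 comm=nft
"""

# "type=X msg=audit(<timestamp>:<serial>) : key=value ..."; the timestamp
# itself contains ':' so the serial is taken from the last ':' before ')'.
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>.+):(?P<serial>\d+)\) : (?P<body>.*)$")


def parse_netfilter_cfg(text):
    """Return one dict per NETFILTER_CFG record; other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m or m.group("type") != "NETFILTER_CFG":
            continue
        fields = dict(tok.split("=", 1) for tok in m.group("body").split() if "=" in tok)
        # table=<name>:<generation>; rsplit because table names may contain ':'
        name, gen = fields["table"].rsplit(":", 1)
        records.append({
            "serial": int(m.group("serial")),
            "ts": m.group("ts"),
            "table": name,
            "generation": int(gen),
            "family": fields["family"],
            "entries": int(fields["entries"]),
            "op": fields["op"],
            "pid": int(fields["pid"]),
            "comm": fields.get("comm", ""),
            "subj": fields.get("subj", ""),
        })
    return records


def summarize(records):
    """Collapse the per-family records of one transaction (same audit serial)."""
    out = {}
    for r in records:
        s = out.setdefault(r["serial"], {
            "ts": r["ts"], "op": r["op"], "table": r["table"],
            "generation": r["generation"], "families": [], "entries": 0})
        s["families"].append(r["family"])
        s["entries"] += r["entries"]
    return out


def unexpected_changers(records, allowed_comms):
    """Records whose originating process name is not in the allow-list."""
    return [r for r in records if r["comm"] not in allowed_comms]


def generation_gaps(records):
    """(prev, next) pairs of audited generations with a hole between them.

    The number after ':' is the nf_tables generation, which is per network
    namespace (not per table) and bumped once per committed transaction, so
    a hole means a commit left no audited record (e.g. lost to audit backlog).
    Records from several namespaces must be separated before calling this.
    """
    ordered = sorted({r["generation"] for r in records})
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if b - a > 1]


if __name__ == "__main__":
    recs = parse_netfilter_cfg(SAMPLE)
    for serial, s in summarize(recs).items():
        print(serial, s["op"], "%s:%d" % (s["table"], s["generation"]),
              ",".join(s["families"]), "entries=%d" % s["entries"])
    print("unexpected:", [(r["pid"], r["comm"]) for r in unexpected_changers(recs, {"firewalld"})])
    print("generation gaps:", generation_gaps(recs))
```

With the constructed fourth record the script reports pid 4242 (comm=nft) as an unexpected changer and the gap (3, 5), i.e. one committed transaction between the two firewalld events that produced no NETFILTER_CFG record.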
-
Authored by Florian Westphal
modprobe calls from the nf_logger_find_get() API causes deadlock in very special cases because they occur with the nf_tables transaction mutex held.

In the specific case of nf_log, deadlock is via:

A nf_tables -> transaction mutex -> nft_log -> modprobe -> nf_log_syslog \
   -> pernet_ops rwsem -> wait for C
B netlink event -> rtnl_mutex -> nf_tables transaction mutex -> wait for A
C close() -> ip6mr_sk_done -> rtnl_mutex -> wait for B

Earlier patch added NFLOG/xt_LOG module softdeps to avoid the need to load the backend module during a transaction. For nft_log we would have to add a softdep for both nfnetlink_log or nf_log_syslog, since we do not know in advance which of the two backends are going to be configured.

This defers the modprobe op until after the transaction mutex is released.
Tested-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
xt_LOG has no direct dependency on the syslog-based logger, it relies on the nf_log core to probe the requested backend. Now that all syslog-based loggers reside in the same module, we can just add a soft dependency on nf_log_syslog and let modprobe take care of it.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
Remove nf_log_common. Now that all per-af modules have been merged there is no longer a need to provide a helper module.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
Provide bridge log support from nf_log_syslog. After the merge there is no need to load the "real packet loggers", all of them now reside in the same module.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
- 31 March 2021, 18 commits
-
-
Authored by Florian Westphal
Provide netdev family support from the nf_log_syslog module.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
This removes the nf_log_ipv6 module, the functionality is now provided by nf_log_syslog.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
Similar to previous change: nf_log_syslog now covers ARP logging as well, the old nf_log_arp module is removed.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Florian Westphal
Netfilter has multiple log modules:
 nf_log_arp
 nf_log_bridge
 nf_log_ipv4
 nf_log_ipv6
 nf_log_netdev
 nfnetlink_log
 nf_log_common

With the exception of nfnetlink_log (packet is sent to userspace for dissection/logging), all of them log to the kernel ringbuffer.

This is the first part of a series to merge all modules except nfnetlink_log into a single module: nf_log_syslog. This allows to reduce code.

After the series, only two log modules remain: nfnetlink_log and nf_log_syslog. The latter provides the same functionality as the old per-af log modules.

This renames nf_log_ipv4 to nf_log_syslog.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-
Authored by Yang Yingliang
It already has a null pointer check in kfree_skb(), remove the pointless pointer check before kfree_skb().
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Wong Vee Khee
The cross time-stamping mechanism used in certain instances of Intel mGbE may run at a different clock frequency in comparison to the clock frequency used by the processor, so we introduce cross T/S frequency adjustment to ensure the TSC calculation is correct when the processor gets the cross time-stamps.
Signed-off-by: Wong Vee Khee <vee.khee.wong@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Shixin Liu
There's no need to declare a list and then init it manually, just use the LIST_HEAD() macro.
Signed-off-by: Shixin Liu <liushixin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Shixin Liu
spinlock can be initialized automatically with DEFINE_SPINLOCK() rather than explicitly calling spin_lock_init().

Changelog:
From v1:
1. fix the mistake reported by kernel test robot.
Signed-off-by: Shixin Liu <liushixin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by David S. Miller
Andreas Roeseler says:

====================
add support for RFC 8335 PROBE

The popular utility ping has several severe limitations, such as the inability to query specific interfaces on a node and requiring bidirectional connectivity between the probing and probed interfaces. RFC 8335 attempts to solve these limitations by creating the new utility PROBE which is a specialized ICMP message that makes use of the ICMP Extension Structure outlined in RFC 4884.

This patchset adds definitions for the ICMP Extended Echo Request and Reply (PROBE) types for both IPV4 and IPV6, adds a sysctl to enable responses to PROBE messages, expands the list of supported ICMP messages to accommodate PROBE types, adds ipv6_dev_find into ipv6_stubs, and adds functionality to respond to PROBE requests.

Changes:
v1 -> v2:
- Add AFI definitions
- Switch to functions such as dev_get_by_name and ip_dev_find to lookup net devices
v2 -> v3:
Suggested by Willem de Bruijn <willemdebruijn.kernel@gmail.com>
- Add verification of incoming messages before looking up netdev
- Add prefix for PROBE specific defined variables
- Use proc_dointvec_minmax with zero and one for sysctl
- Create struct icmp_ext_echo_iio for parsing incoming packets
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
- Include net/addrconf.h library for ipv6_dev_find
v3 -> v4:
- Use in_addr instead of __be32 for storing IPV4 addresses
- Use IFNAMSIZ to statically allocate space for name in icmp_ext_echo_iio
Suggested by Willem de Bruijn <willemdebruijn.kernel@gmail.com>
- Use skb_header_pointer to verify fields in incoming message
- Add check to ensure that extobj_hdr.length is valid
- Check to ensure object payload is padded with ASCII NULL characters when probing by name, as specified by RFC 8335
- Statically allocate buff using IFNAMSIZ
- Add rcu blocking around ipv6_dev_find
- Use __in_dev_get_rcu to access IPV4 addresses of identified net_device
- Remove check for ICMPV6 PROBE types
v4 -> v5:
- Statically allocate buff to size IFNAMSIZ on declaration
- Remove goto probe in favor of single branch
- Remove strict check for incoming PROBE request padding to nearest 32-bit boundary
Reported-by: kernel test robot <lkp@intel.com>
v5 -> v6:
- Add documentation for icmp_echo_enable_probe sysctl
- Remove RCU locking around ipv6_dev_find()
- Assign iio based on ctype
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Andreas Roeseler
Modify the icmp_rcv function to check PROBE messages and call icmp_echo if a PROBE request is detected.

Modify the existing icmp_echo function to respond to both ping and PROBE requests.

This was tested using a custom modification to the iputils package and wireshark. It supports IPV4 probing by name, ifindex, and probing by both IPV4 and IPV6 addresses. It currently does not support responding to probes off the proxy node (see RFC 8335 Section 2).

The modification to the iputils package is still in development and can be found here: https://github.com/Juniper-Clinic-2020/iputils.git. It supports full sending functionality of PROBE requests, but currently does not parse the response messages, which is why Wireshark is required to verify the sent and received PROBE messages. The modification adds the ``-e'' flag to the command which allows the user to specify the interface identifier to query the probed host. An example usage would be <./ping -4 -e 1 [destination]> to send a PROBE request of ifindex 1 to the destination node.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Andreas Roeseler
Add ipv6_dev_find to ipv6_stub to allow lookup of net_devices by IPV6 address in net/ipv4/icmp.c.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Andreas Roeseler
Modify the ping_supported function to support PROBE message types. This allows tools such as the ping command in the iputils package to be modified to send PROBE requests through the existing framework for sending ping requests.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Andreas Roeseler
Section 8 of RFC 8335 specifies potential security concerns of responding to PROBE requests, and states that nodes that support PROBE functionality MUST be able to enable/disable responses and that responses MUST be disabled by default.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Andreas Roeseler
Add definitions for the ICMPV6 type of Extended Echo Request and Extended Echo Reply, as defined by sections 2 and 3 of RFC 8335.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by Andreas Roeseler
Add definitions for PROBE ICMP types and codes.

Add AFI definitions for IP and IPV6 as specified by IANA.

Add a struct to represent the additional header when probing by IP address (ctype == 3) for use in parsing incoming PROBE messages.

Add a struct to represent the entire Interface Identification Object (IIO) section of an incoming PROBE packet.
Signed-off-by: Andreas Roeseler <andreas.a.roeseler@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
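The wire format that the PROBE commits above parse, as an added example in Python that is neither kernel code nor part of the iputils modification the series mentions. It builds an IPv4 Extended Echo Request (type 42) carrying an Interface Identification Object for each of the three c-types (name, ifindex, address) and validates it with the checks the changelog lists: extension version and both checksums, extobj_hdr.length against the buffer, NUL-padded name shorter than IFNAMSIZ, AFI consistent with the address length, and the L bit, since the responder in this series only answers probes for interfaces on the probed node itself. Constant values are from RFC 8335 and RFC 4884; the helper names and sample identifiers are ours. A real responder also only answers when the sysctl the series adds (icmp_echo_enable_probe, under net.ipv4 in the merged tree) is set, and it is 0 by default as the sysctl commit requires.

```python
"""RFC 8335 PROBE (ICMP Extended Echo Request) builder and validator.

Added example, not kernel code and not the iputils patch. Constant values
are from RFC 8335 / RFC 4884; the helper names below are ours.
"""
import socket
import struct

ICMP_EXT_ECHO = 42               # IPv4 Extended Echo Request (reply is type 43)
ICMP_EXT_VERSION = 2             # RFC 4884 extension structure version
CLASS_IIO = 3                    # Interface Identification Object class
CTYPE_NAME, CTYPE_IFINDEX, CTYPE_ADDR = 1, 2, 3
ICMP_AFI_IP, ICMP_AFI_IP6 = 1, 2  # IANA address family identifiers
IFNAMSIZ = 16


def inet_checksum(data):
    """RFC 1071 one's-complement sum; re-summing a checksummed buffer gives 0."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def iio_object(ctype, ident):
    """Encode one IIO: 4-byte object header (length, class, c-type) + payload."""
    if ctype == CTYPE_NAME:
        name = ident.encode()
        if not name or len(name) >= IFNAMSIZ:
            raise ValueError("bad interface name")
        payload = name + b"\0" * (-len(name) % 4)   # NUL-pad to 32-bit boundary
    elif ctype == CTYPE_IFINDEX:
        payload = struct.pack("!I", ident)
    elif ctype == CTYPE_ADDR:
        try:
            raw, afi = socket.inet_pton(socket.AF_INET, ident), ICMP_AFI_IP
        except OSError:
            raw, afi = socket.inet_pton(socket.AF_INET6, ident), ICMP_AFI_IP6
        payload = struct.pack("!HBB", afi, len(raw), 0) + raw  # AFI, addrlen, rsvd
    else:
        raise ValueError("unknown c-type")
    return struct.pack("!HBB", 4 + len(payload), CLASS_IIO, ctype) + payload


def build_probe(ident, seq, ctype, target, local=True):
    """ICMP header (8 bytes) + extension header (4 bytes) + one IIO object.

    The last header byte carries 7 reserved bits and the L bit; L=1 means the
    probed interface is on the node that receives the PROBE.
    """
    ext = struct.pack("!HH", ICMP_EXT_VERSION << 12, 0) + iio_object(ctype, target)
    ext = ext[:2] + struct.pack("!H", inet_checksum(ext)) + ext[4:]
    msg = struct.pack("!BBHHBB", ICMP_EXT_ECHO, 0, 0, ident, seq & 0xFF, int(local)) + ext
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_probe(msg):
    """Validate and decode a PROBE; ValueError = reply with code 1 (Malformed Query)."""
    if len(msg) < 16 or inet_checksum(msg) != 0:
        raise ValueError("truncated message or bad ICMP checksum")
    typ, code, _, ident, seq, flags = struct.unpack("!BBHHBB", msg[:8])
    if typ != ICMP_EXT_ECHO or code != 0:
        raise ValueError("not an Extended Echo Request")
    if not flags & 1:
        # the responder in this series only handles interfaces on the probed
        # node itself, so an off-proxy query (L=0) is rejected
        raise ValueError("off-proxy probes not supported")
    ext = msg[8:]
    if ext[0] >> 4 != ICMP_EXT_VERSION or inet_checksum(ext) != 0:
        raise ValueError("bad extension version or checksum")
    length, cls, ctype = struct.unpack("!HBB", ext[4:8])
    if cls != CLASS_IIO or not 4 < length <= len(ext) - 4:
        raise ValueError("bad object header")  # length includes the 4-byte header
    payload = ext[8:4 + length]
    out = {"ident": ident, "seq": seq, "ctype": ctype}
    if ctype == CTYPE_NAME:
        name = payload.rstrip(b"\0")
        if not name or b"\0" in name or len(payload) >= IFNAMSIZ:
            raise ValueError("bad interface name")
        out["name"] = name.decode()
    elif ctype == CTYPE_IFINDEX:
        if len(payload) != 4:
            raise ValueError("bad ifindex length")
        out["ifindex"] = struct.unpack("!I", payload)[0]
    elif ctype == CTYPE_ADDR:
        if len(payload) < 4:
            raise ValueError("truncated address object")
        afi, addrlen, _ = struct.unpack("!HBB", payload[:4])
        family = {(ICMP_AFI_IP, 4): socket.AF_INET,
                  (ICMP_AFI_IP6, 16): socket.AF_INET6}.get((afi, addrlen))
        if family is None or len(payload) != 4 + addrlen:
            raise ValueError("AFI and address length disagree")
        out["addr"] = socket.inet_ntop(family, payload[4:])
    else:
        raise ValueError("unknown c-type")
    return out


if __name__ == "__main__":
    for ctype, target in ((CTYPE_NAME, "eth0"), (CTYPE_IFINDEX, 1), (CTYPE_ADDR, "192.0.2.1")):
        probe = build_probe(0x1234, 1, ctype, target)
        print(probe.hex(), parse_probe(probe))
```

Everything that can fail validation raises before any interface lookup would happen, which is the ordering the v3 changelog asks for (verify the message, then look up the netdev); a responder maps a ValueError to an Extended Echo Reply with code 1 and never echoes the offending bytes back.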
-
Authored by Andre Edich
The function lan87xx_config_aneg_ext was introduced to configure LAN95xxA but as well writes to an undocumented register of LAN87xx. This fix prevents that access. The function lan87xx_config_aneg_ext gets a name more suitable for the new behavior.
Reported-by: Måns Rullgård <mans@mansr.com>
Fixes: 05b35e7e ("smsc95xx: add phylib support")
Signed-off-by: Andre Edich <andre.edich@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-
Authored by David S. Miller
Merge tag 'linux-can-next-for-5.13-20210330' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can-next

Marc Kleine-Budde says:

====================
pull-request: can-next 2021-03-30

this is a pull request of 39 patches for net-next/master.

The first two patches update the MAINTAINERS file. One is by me and removes Dan Murphy from the m_can and tcan4x5x. The other one is by Pankaj Sharma and updates the maintainership of the m-can mmio driver.

The next three patches are by me and update the CAN echo skb handling.

Vincent Mailhol provides 5 patches where Transmitter Delay Compensation is added and CAN bittiming calculation is cleaned up.

The next patch is by me and adds a missing HAS_IOMEM to the grcan driver.

Michal Simek's patch for the xilinx driver adds dev_err_probe() support.

Arnd Bergmann's patch for the ucan driver fixes a compiler warning.

Stephane Grosjean provides 3 patches for the peak USB drivers, which add ethtool set_phys_id and CAN one-shot mode.

Xulin Sun's patch removes a not needed return check in the m-can driver.

Torin Cooper-Bennun provides 3 patches for the m-can driver that add rx-offload support to ensure that skbs are sent from softirq context.

Wan Jiabing's patch for the tcan4x5x driver removes a duplicate include.

The next 6 patches are by me and target the mcp251xfd driver. They add devcoredump support, simplify the UINC handling, and add HW timestamp support.

The remaining 12 patches target the c_can driver. The first 6 are by me and do generic checkpatch related cleanup work. Dario Binacchi's patches bring some cleanups and increase the number of usable message objects from 16 to 64.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
-
git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
Authored by David S. Miller
Saeed Mahameed says:

====================
mlx5-updates-2021-03-29

Coexistence of CQE compression and HW PTP time-stamp:

From Aya, this series improves the mlx5 netdev driver to allow both mlx5 CQE compression (RX descriptor compression, that saves on PCI transactions) and HW time-stamp PTP to coexist.

Prior to this series both features were mutually exclusive due to the nature of CQE compression which reduces the size of the RX descriptor for the price of trimming some data, such as the time-stamp.

In order to allow CQE compression when PTP time stamping is enabled, we enable it on the regular performance critical RX queues which will service all the data path traffic that is not PTP. PTP traffic will be re-directed to dedicated RX queues on which we will not enable CQE compression and thus keep the time-stamp intact.

Having both features is critical for systems with low PCI BW, e.g. Multi-Host.

The series will be adding:
1) Infrastructure to create a dedicated RX queue to service the PTP traffic
2) Flow steering plumbing to capture PTP traffic, both UDP packets with destination port 319 and L2 packets with ethertype 0x88F7
3) Steer PTP traffic to the dedicated RX queue.
4) The feature will be enabled when PTP is being configured via the already existing PTP IOCTL when CQE compression is active, otherwise no change to the driver flow.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
-