Before:
   text	   data	    bss	    dec	    hex	filename
  13916	   1412	   4128	  19456	   4c00	nf_nat.ko
   4510	    968	      4	   5482	   156a	nf_nat_ipv4.ko
   5146	    944	      8	   6098	   17d2	nf_nat_ipv6.ko

After:
   text	   data	    bss	    dec	    hex	filename
  16566	   1576	   4136	  22278	   5706	nf_nat.ko
   3187	    844	      0	   4031	    fbf	nf_nat_ipv4.ko
   3598	    844	      0	   4442	   115a	nf_nat_ipv6.ko

... so no drastic changes in combined size.
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>

They are however frequently triggered by syzkaller, so remove them.

ebtables userspace should never trigger any of these, so there is little
value in making them pr_debug (or ratelimited).
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>

The Amanda CONNECT command has been updated to establish an optional
fourth connection [0]. Previously, a CONNECT command would look like:

    CONNECT DATA port0 MESG port1 INDEX port2

nf_conntrack_amanda analyses the CONNECT command string in order to
learn the port numbers of the related DATA, MESG and INDEX streams. As
of amanda v3.4, the CONNECT command can advertise an additional port:

    CONNECT DATA port0 MESG port1 INDEX port2 STATE port3

The new STATE stream is not handled, thus the connection on the STATE
port cannot be established.

The patch adds support for STATE streams to the amanda conntrack helper.

I tested with max_expected = 3, leaving the other patch hunks
unmodified. Amanda reports "connection refused" and aborts. After I set
max_expected to 4, the backup completes successfully.

[0] https://github.com/zmanda/amanda/commit/3b8384fc9f2941e2427f44c3aee29f561ed67894#diff-711e502fc81a65182c0954765b42919eR456Signed-off-by: NFlorian Tham <tham@fidion.de>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>

Add .release_ops, that is called in case of error at a later stage in
the expression initialization path, ie. .select_ops() has been already
set up operations and that needs to be undone. This allows us to unwind
.select_ops from the error path, ie. release the dynamic operations for
this extension.

Moreover, allocate one single operation instead of recycling them, this
comes at the cost of consuming a bit more memory per rule, but it
simplifies the infrastructure.
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>

Use div_u64() to resolve build failures on 32-bit platforms.

Fixes: 3f7ae5f3 ("net: sched: pie: add more cases to auto-tune alpha and beta")
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Reported-by: NRandy Dunlap <rdunlap@infradead.org>
Tested-by: NRandy Dunlap <rdunlap@infradead.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This pointer is RCU protected, so proper primitives should be used.
Signed-off-by: NZhang Yu <zhangyu31@baidu.com>
Signed-off-by: NLi RongQing <lirongqing@baidu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

tso_fragment() is only called for packets still in write queue.

Remove the tcp_queue parameter to make this more obvious,
even if the comment clearly states this.
Signed-off-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This might speedup tcp_twsk_destructor() a bit,
avoiding a cache line miss.
Signed-off-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

We prefer static_branch_unlikely() over static_key_false() these days.
Signed-off-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This helper is used only once, and its name is no longer relevant.
Signed-off-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Function walker_check_empty() incorrectly verifies that tp pointer is not
NULL, instead of actual filter pointer. Fix conditional to check the right
pointer. Adjust filter pointer naming accordingly to other cls API
functions.

Fixes: 6676d5e4 ("net: sched: set dedicated tcf_walker flag when tp is empty")
Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
Reported-by: NCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Fix the incorrect reference link to RFC 8033
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Commit 76726ccb ("devlink: add flash update command") and
commit 2d8dc5bb ("devlink: Add support for reload")
access devlink ops without NULL-checking. There is, however, no
driver which would pass in NULL ops, so let's just make that
a requirement. Remove the now unnecessary NULL-checking.
Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
Acked-by: NJiri Pirko <jiri@mellanox.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

When ethtool is calling into devlink compat code make sure we have
a reference on the netdevice on which the operation was invoked.

v3: move the hold/lock logic into devlink_compat_* functions (Florian)
Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
Acked-by: NJiri Pirko <jiri@mellanox.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Instead of iterating over all devlink ports add a NDO which
will return the devlink instance from the driver.

v2: add the netdev_to_devlink() helper (Michal)
v3: check that devlink has ops (Florian)
v4: hold devlink_mutex (Jiri)
Suggested-by: NJiri Pirko <jiri@resnulli.us>
Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
Acked-by: NJiri Pirko <jiri@mellanox.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Being able to build devlink as a module causes growing pains.
First all drivers had to add a meta dependency to make sure
they are not built in when devlink is built as a module.  Now
we are struggling to invoke ethtool compat code reliably.

Make devlink code built-in, users can still not build it at
all but the dynamically loadable module option is removed.
Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: NFlorian Fainelli <f.fainelli@gmail.com>
Acked-by: NJiri Pirko <jiri@mellanox.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Now that all users of struct inet_frag_queue have been converted
to use 'rb_fragments', remove the unused 'fragments' field.

Build with `make allyesconfig` succeeded. ip_defrag selftest passed.
Signed-off-by: NPeter Oskolkov <posk@google.com>
Acked-by: NStefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

RFC 8033 replaces the IETF draft for PIE
Signed-off-by: NMohit P. Tahiliani <tahiliani@nitk.edu.in>
Signed-off-by: NDhaval Khandla <dhavaljkhandla26@gmail.com>
Signed-off-by: NHrishikesh Hiraskar <hrishihiraskar@gmail.com>
Signed-off-by: NManish Kumar B <bmanish15597@gmail.com>
Signed-off-by: NSachin D. Patil <sdp.sachin@gmail.com>
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Acked-by: NDave Taht <dave.taht@gmail.com>
Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Random dropping of packets to achieve latency control may
introduce outlier situations where packets are dropped too
close to each other or too far from each other. This can
cause the real drop percentage to temporarily deviate from
the intended drop probability. In certain scenarios, such
as a small number of simultaneous TCP flows, these
deviations can cause significant deviations in link
utilization and queuing latency.

RFC 8033 suggests using a derandomization mechanism to avoid
these deviations.
Signed-off-by: NMohit P. Tahiliani <tahiliani@nitk.edu.in>
Signed-off-by: NDhaval Khandla <dhavaljkhandla26@gmail.com>
Signed-off-by: NHrishikesh Hiraskar <hrishihiraskar@gmail.com>
Signed-off-by: NManish Kumar B <bmanish15597@gmail.com>
Signed-off-by: NSachin D. Patil <sdp.sachin@gmail.com>
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Acked-by: NDave Taht <dave.taht@gmail.com>
Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The current implementation scales the local alpha and beta
variables in the calculate_probability function by the same
amount for all values of drop probability below 1%.

RFC 8033 suggests using additional cases for auto-tuning
alpha and beta when the drop probability is less than 1%.

In order to add more auto-tuning cases, MAX_PROB must be
scaled by u64 instead of u32 to prevent underflow when
scaling the local alpha and beta variables in the
calculate_probability function.
Signed-off-by: NMohit P. Tahiliani <tahiliani@nitk.edu.in>
Signed-off-by: NDhaval Khandla <dhavaljkhandla26@gmail.com>
Signed-off-by: NHrishikesh Hiraskar <hrishihiraskar@gmail.com>
Signed-off-by: NManish Kumar B <bmanish15597@gmail.com>
Signed-off-by: NSachin D. Patil <sdp.sachin@gmail.com>
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Acked-by: NDave Taht <dave.taht@gmail.com>
Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

RFC 8033 suggests an initial value of 150 milliseconds for
the maximum time allowed for a burst of packets.
Signed-off-by: NMohit P. Tahiliani <tahiliani@nitk.edu.in>
Signed-off-by: NDhaval Khandla <dhavaljkhandla26@gmail.com>
Signed-off-by: NHrishikesh Hiraskar <hrishihiraskar@gmail.com>
Signed-off-by: NManish Kumar B <bmanish15597@gmail.com>
Signed-off-by: NSachin D. Patil <sdp.sachin@gmail.com>
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Acked-by: NDave Taht <dave.taht@gmail.com>
Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

RFC 8033 suggests a default value of 15 milliseconds for the
update interval.
Signed-off-by: NMohit P. Tahiliani <tahiliani@nitk.edu.in>
Signed-off-by: NDhaval Khandla <dhavaljkhandla26@gmail.com>
Signed-off-by: NHrishikesh Hiraskar <hrishihiraskar@gmail.com>
Signed-off-by: NManish Kumar B <bmanish15597@gmail.com>
Signed-off-by: NSachin D. Patil <sdp.sachin@gmail.com>
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Acked-by: NDave Taht <dave.taht@gmail.com>
Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

RFC 8033 suggests a default value of 15 milliseconds for the
target queue delay.
Signed-off-by: NMohit P. Tahiliani <tahiliani@nitk.edu.in>
Signed-off-by: NDhaval Khandla <dhavaljkhandla26@gmail.com>
Signed-off-by: NHrishikesh Hiraskar <hrishihiraskar@gmail.com>
Signed-off-by: NManish Kumar B <bmanish15597@gmail.com>
Signed-off-by: NSachin D. Patil <sdp.sachin@gmail.com>
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Acked-by: NDave Taht <dave.taht@gmail.com>
Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

RFC 8033 recommends a value of 16384 bytes for the queue
threshold.
Signed-off-by: NMohit P. Tahiliani <tahiliani@nitk.edu.in>
Signed-off-by: NDhaval Khandla <dhavaljkhandla26@gmail.com>
Signed-off-by: NHrishikesh Hiraskar <hrishihiraskar@gmail.com>
Signed-off-by: NManish Kumar B <bmanish15597@gmail.com>
Signed-off-by: NSachin D. Patil <sdp.sachin@gmail.com>
Signed-off-by: NLeslie Monis <lesliemonis@gmail.com>
Acked-by: NDave Taht <dave.taht@gmail.com>
Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Function tc_dump_chain() obtains and releases block->lock on each iteration
of its inner loop that dumps all chains on block. Outputting chain template
info is fast operation so locking/unlocking mutex multiple times is an
overhead when lock is highly contested. Modify tc_dump_chain() to only
obtain block->lock once and dump all chains without releasing it.
Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
Suggested-by: NCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Using tcf_walker->stop flag to determine when tcf_walker->fn() was called
at least once is unreliable. Some classifiers set 'stop' flag on error
before calling walker callback, other classifiers used to call it with NULL
filter pointer when empty. In order to prevent further regressions, extend
tcf_walker structure with dedicated 'nonempty' flag. Set this flag in
tcf_walker->fn() implementation that is used to check if classifier has
filters configured.

Fixes: 8b64678e ("net: sched: refactor tp insert/delete for concurrent execution")
Signed-off-by: NVlad Buslov <vladbu@mellanox.com>
Suggested-by: NCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Per discussion with Daniel[1] and Eric[2], these SOCK_DEBUG() calles in
TCP are not needed now.
We'd better clean up it.

[1] https://patchwork.ozlabs.org/patch/1035573/
[2] https://patchwork.ozlabs.org/patch/1040533/Signed-off-by: NYafang Shao <laoar.shao@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

parameter state in the tcp_sacktag_bsearch() is not used.
So, it can be removed.
Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
Signed-off-by: NEric Dumazet <edumazet@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

We have no more in tree users of switchdev_port_attr_get() after
d0e698d5 ("Merge branch 'net-Get-rid-of-switchdev_port_attr_get'")
so completely remove the function signature and body.
Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

No current DSA driver makes use of the phydev parameter passed to the
disable_port call. Remove it.
Signed-off-by: NAndrew Lunn <andrew@lunn.ch>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

dst_output() frees skb when it fails (see, for example,
ip_finish_output2), so it must not be freed in this case.

Fixes: 3bd0b152 ("bpf: add handling of BPF_LWT_REROUTE to lwt_bpf.c")
Signed-off-by: NPeter Oskolkov <posk@google.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

ip l add dev tun type gretap key 1000

Non-tunnel-dst ip tunnel device can send packet through lwtunnel
This patch provide the tun_inf dst cache support for this mode.
Signed-off-by: Nwenxu <wenxu@ucloud.cn>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The lwtunnel_state is not init the dst_cache Which make the
ip_md_tunnel_xmit can't use the dst_cache. It will lookup
route table every packets.
Signed-off-by: Nwenxu <wenxu@ucloud.cn>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The patch enables returning 'type' in msghdr for records that are
retrieved with MSG_PEEK in recvmsg. Further it prevents records peeked
from socket from getting clubbed with any other record of different
type when records are subsequently dequeued from strparser.

For each record, we now retain its type in sk_buff's control buffer
cb[]. Inside control buffer, record's full length and offset are already
stored by strparser in 'struct strp_msg'. We store record type after
'struct strp_msg' inside 'struct tls_msg'. For tls1.2, the type is
stored just after record dequeue. For tls1.3, the type is stored after
record has been decrypted.

Inside process_rx_list(), before processing a non-data record, we check
that we must be able to return back the record type to the user
application. If not, the decrypted records in tls context's rx_list is
left there without consuming any data.

Fixes: 692d7b5d ("tls: Fix recvmsg() to be able to peek across multiple records")
Signed-off-by: NVakul Garg <vakul.garg@nxp.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Use percpu allocation for the ipv6.icmp_sk.
Signed-off-by: NKefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Simply use icmpv6_sk_exit() when inet_ctl_sock_create() fail
in icmpv6_sk_init().
Signed-off-by: NKefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

Simply use icmp_sk_exit() when inet_ctl_sock_create() fail in icmp_sk_init().
Signed-off-by: NKefeng Wang <wangkefeng.wang@huawei.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This patch fixes an uninitialised return value error in
ila_xlat_nl_cmd_flush.
Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
Fixes: 6c4128f6 ("rhashtable: Remove obsolete...")
Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

The metadata_dst is not init the dst_cache which make the
ip_md_tunnel_xmit can't use the dst_cache. It will lookup
route table every packets.
Signed-off-by: Nwenxu <wenxu@ucloud.cn>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>

This is no longer necessary after eca59f69 ("net: Remove support for bridge bypass ndos from stacked devices")
Suggested-by: NIdo Schimmel <idosch@mellanox.com>
Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
Reviewed-by: NAndy Gospodarek <andy@greyhouse.net>
Acked-by: NJiri Pirko <jiri@mellanox.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>