linux/include/net/netfilter, branch v5.7 Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.7 2020-05-11T14:26:33Z netfilter: flowtable: Add pending bit for offload work 2020-05-11T14:26:33Z Paul Blakey paulb@mellanox.com 2020-05-06T11:24:39Z urn:sha1:2c8897953f3b2ff5498f3f275708a742bfcdbc24 Gc step can queue offloaded flow del work or stats work. Those work items can race each other and a flow could be freed before the stats work is executed and querying it. To avoid that, add a pending bit that if a work exists for a flow don't queue another work for it. This will also avoid adding multiple stats works in case stats work didn't complete but gc step started again. Signed-off-by: Paul Blakey <paulb@mellanox.com> Reviewed-by: Roi Dayan <roid@mellanox.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: avoid gcc-10 zero-length-bounds warning 2020-05-10T21:20:24Z Arnd Bergmann arnd@arndb.de 2020-04-30T21:30:48Z urn:sha1:2c407aca64977ede9b9f35158e919773cae2082f gcc-10 warns around a suspicious access to an empty struct member: net/netfilter/nf_conntrack_core.c: In function '__nf_conntrack_alloc': net/netfilter/nf_conntrack_core.c:1522:9: warning: array subscript 0 is outside the bounds of an interior zero-length array 'u8[0]' {aka 'unsigned char[0]'} [-Wzero-length-bounds] 1522 | memset(&ct->__nfct_init_offset[0], 0, | ^~~~~~~~~~~~~~~~~~~~~~~~~~ In file included from net/netfilter/nf_conntrack_core.c:37: include/net/netfilter/nf_conntrack.h:90:5: note: while referencing '__nfct_init_offset' 90 | u8 __nfct_init_offset[0]; | ^~~~~~~~~~~~~~~~~~ The code is correct but a bit unusual. Rework it slightly in a way that does not trigger the warning, using an empty struct instead of an empty array. There are probably more elegant ways to do this, but this is the smallest change. Fixes: c41884ce0562 ("netfilter: conntrack: avoid zeroing timer") Signed-off-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: do not update stateful expressions if lookup is inverted 2020-04-05T21:26:36Z Pablo Neira Ayuso pablo@netfilter.org 2020-03-31T21:02:59Z urn:sha1:a26c1e49c8e97922edc8d7e23683384729d09f77 Initialize set lookup matching element to NULL. Otherwise, the NFT_LOOKUP_F_INV flag reverses the matching logic and it leads to deference an uninitialized pointer to the matching element. Make sure element data area and stateful expression are accessed if there is a matching set element. This patch undoes 24791b9aa1ab ("netfilter: nft_set_bitmap: initialize set element extension in lookups") which is not required anymore. Fixes: 339706bc21c1 ("netfilter: nft_lookup: update element stateful expression") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: conntrack: add nf_ct_acct_add() 2020-03-30T00:05:39Z wenxu wenxu@ucloud.cn 2020-03-28T00:57:53Z urn:sha1:9312eabab4a68348af5b4482cc7cc6f151ff1c3f Add nf_ct_acct_add function to update the conntrack counter with packets and bytes. Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: skip set types that do not support for expressions 2020-03-30T00:05:39Z Pablo Neira Ayuso pablo@netfilter.org 2020-03-27T16:43:06Z urn:sha1:d56aab2625f7bee79686566d3f6ad639d694b8cd The bitmap set does not support for expressions, skip it from the estimation step. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_queue: place bridge physports into queue_entry struct 2020-03-29T14:28:29Z Florian Westphal fw@strlen.de 2020-03-27T02:24:47Z urn:sha1:119e52e664c57d5f7c0174dc2b3a296b1e40591d The refcount is done via entry->skb, which does work fine. Major problem: When putting the refcount of the bridge ports, we must always put the references while the skb is still around. However, we will need to put the references after okfn() to avoid a possible 1 -> 0 -> 1 refcount transition, so we cannot use the skb pointer anymore. Place the physports in the queue entry structure instead to allow for refcounting changes in the next patch. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_queue: make nf_queue_entry_release_refs static 2020-03-29T14:28:29Z Florian Westphal fw@strlen.de 2020-03-27T02:24:46Z urn:sha1:dd3cc111f2e3220ddc9c4ab17f13dc97759b5163 This is a preparation patch, no logical changes. Move free_entry into core and rename it to something more sensible. Will ease followup patches which will complicate the refcount handling. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: flowtable: Use rw sem as flow block lock 2020-03-27T17:42:20Z Paul Blakey paulb@mellanox.com 2020-03-27T09:12:29Z urn:sha1:422c032afcf57d5e8109a54912e22ffc53d99068 Currently flow offload threads are synchronized by the flow block mutex. Use rw lock instead to increase flow insertion (read) concurrency. Signed-off-by: Paul Blakey <paulb@mellanox.com> Reviewed-by: Oz Shlomo <ozsh@mellanox.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: flowtable: add counter support 2020-03-27T17:32:37Z Pablo Neira Ayuso pablo@netfilter.org 2020-03-24T11:50:02Z urn:sha1:53c2b2899af7e6a29c0cf8bfa8a554721398a4b0 Add a new flag to turn on flowtable counters which are stored in the conntrack entry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> netfilter: nf_tables: add enum nft_flowtable_flags to uapi 2020-03-27T17:32:36Z Pablo Neira Ayuso pablo@netfilter.org 2020-03-24T11:23:57Z urn:sha1:cfbd1125fc8778913d0956a757438bbb2c35f031 Expose the NFT_FLOWTABLE_HW_OFFLOAD flag through uapi. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>