linux/net/openvswitch, branch v4.6

openvswitch: Fix cached ct with helper.

2016-05-11T19:14:56Z

When using conntrack helpers from OVS, a common configuration is to perform a lookup without specifying a helper, then go through a firewalling policy, only to decide to attach a helper afterwards. In this case, the initial lookup will cause a ct entry to be attached to the skb, then the later commit with helper should attach the helper and confirm the connection. However, the helper attachment has been missing. If the user has enabled automatic helper attachment, then this issue will be masked as it will be applied in init_conntrack(). It is also masked if the action is executed from ovs_packet_cmd_execute() as that will construct a fresh skb. This patch fixes the issue by making an explicit call to try to assign the helper if there is a discrepancy between the action's helper and the current skb->nfct. Fixes: cae3a2627520 ("openvswitch: Allow attaching helpers to ct action") Signed-off-by: Joe Stringer Signed-off-by: David S. Miller

openvswitch: use flow protocol when recalculating ipv6 checksums

2016-04-21T19:28:47Z

When using masked actions the ipv6_proto field of an action to set IPv6 fields may be zero rather than the prevailing protocol which will result in skipping checksum recalculation. This patch resolves the problem by relying on the protocol in the flow key rather than that in the set field action. Fixes: 83d2b9ba1abc ("net: openvswitch: Support masked set actions.") Cc: Jarno Rajahalme Signed-off-by: Simon Horman Signed-off-by: David S. Miller

openvswitch: Orphan skbs before IPv6 defrag

2016-04-21T17:42:05Z

This is the IPv6 counterpart to commit 8282f27449bf ("inet: frag: Always orphan skbs inside ip_defrag()"). Prior to commit 029f7f3b8701 ("netfilter: ipv6: nf_defrag: avoid/free clone operations"), ipv6 fragments sent to nf_ct_frag6_gather() would be cloned (implicitly orphaning) prior to queueing for reassembly. As such, when the IPv6 message is eventually reassembled, the skb->sk for all fragments would be NULL. After that commit was introduced, rather than cloning, the original skbs were queued directly without orphaning. The end result is that all frags except for the first and last may have a socket attached. This commit explicitly orphans such skbs during nf_ct_frag6_gather() to prevent BUG_ON(skb->sk) during a later call to ip6_fragment(). kernel BUG at net/ipv6/ip6_output.c:631! [...] Call Trace: [] ? __lock_acquire+0x927/0x20a0 [] ? do_output.isra.28+0x1b0/0x1b0 [openvswitch] [] ? __lock_is_held+0x52/0x70 [] ovs_fragment+0x1f7/0x280 [openvswitch] [] ? mark_held_locks+0x75/0xa0 [] ? _raw_spin_unlock_irqrestore+0x36/0x50 [] ? dst_discard_out+0x20/0x20 [] ? dst_ifdown+0x80/0x80 [] do_output.isra.28+0xf3/0x1b0 [openvswitch] [] do_execute_actions+0x709/0x12c0 [openvswitch] [] ? ovs_flow_stats_update+0x74/0x1e0 [openvswitch] [] ? ovs_flow_stats_update+0xa1/0x1e0 [openvswitch] [] ? _raw_spin_unlock+0x27/0x40 [] ovs_execute_actions+0x45/0x120 [openvswitch] [] ovs_dp_process_packet+0x85/0x150 [openvswitch] [] ? _raw_spin_unlock+0x27/0x40 [] ovs_execute_actions+0xc4/0x120 [openvswitch] [] ovs_dp_process_packet+0x85/0x150 [openvswitch] [] ? key_extract+0x442/0xc10 [openvswitch] [] ovs_vport_receive+0x5d/0xb0 [openvswitch] [] ? __lock_acquire+0x927/0x20a0 [] ? __lock_acquire+0x927/0x20a0 [] ? __lock_acquire+0x927/0x20a0 [] ? _raw_spin_unlock_irqrestore+0x36/0x50 [] internal_dev_xmit+0x6d/0x150 [openvswitch] [] ? internal_dev_xmit+0x5/0x150 [openvswitch] [] dev_hard_start_xmit+0x2df/0x660 [] ? validate_xmit_skb.isra.105.part.106+0x1a/0x2b0 [] __dev_queue_xmit+0x8f5/0x950 [] ? __dev_queue_xmit+0x50/0x950 [] ? mark_held_locks+0x75/0xa0 [] dev_queue_xmit+0x10/0x20 [] neigh_resolve_output+0x178/0x220 [] ? ip6_finish_output2+0x219/0x7b0 [] ip6_finish_output2+0x219/0x7b0 [] ? ip6_finish_output2+0x65/0x7b0 [] ? ip_idents_reserve+0x6b/0x80 [] ? ip6_fragment+0x93f/0xc50 [] ip6_fragment+0xba1/0xc50 [] ? ip6_flush_pending_frames+0x40/0x40 [] ip6_finish_output+0xcb/0x1d0 [] ip6_output+0x5f/0x1a0 [] ? ip6_fragment+0xc50/0xc50 [] ip6_local_out+0x3d/0x80 [] ip6_send_skb+0x2f/0xc0 [] ip6_push_pending_frames+0x4d/0x50 [] icmpv6_push_pending_frames+0xac/0xe0 [] icmpv6_echo_reply+0x42e/0x500 [] icmpv6_rcv+0x4cf/0x580 [] ip6_input_finish+0x1a7/0x690 [] ? ip6_input_finish+0x5/0x690 [] ip6_input+0x30/0xa0 [] ? ip6_rcv_finish+0x1a0/0x1a0 [] ip6_rcv_finish+0x4e/0x1a0 [] ipv6_rcv+0x45f/0x7c0 [] ? ipv6_rcv+0x36/0x7c0 [] ? ip6_make_skb+0x1c0/0x1c0 [] __netif_receive_skb_core+0x229/0xb80 [] ? mark_held_locks+0x75/0xa0 [] ? process_backlog+0x6f/0x230 [] __netif_receive_skb+0x16/0x70 [] process_backlog+0x78/0x230 [] ? process_backlog+0xdd/0x230 [] net_rx_action+0x203/0x480 [] ? mark_held_locks+0x75/0xa0 [] __do_softirq+0xde/0x49f [] ? ip6_finish_output2+0x228/0x7b0 [] do_softirq_own_stack+0x1c/0x30 [] do_softirq.part.18+0x3b/0x40 [] __local_bh_enable_ip+0xb6/0xc0 [] ip6_finish_output2+0x251/0x7b0 [] ? ip6_fragment+0xba1/0xc50 [] ? ip_idents_reserve+0x6b/0x80 [] ? ip6_fragment+0x93f/0xc50 [] ip6_fragment+0xba1/0xc50 [] ? ip6_flush_pending_frames+0x40/0x40 [] ip6_finish_output+0xcb/0x1d0 [] ip6_output+0x5f/0x1a0 [] ? ip6_fragment+0xc50/0xc50 [] ip6_local_out+0x3d/0x80 [] ip6_send_skb+0x2f/0xc0 [] ip6_push_pending_frames+0x4d/0x50 [] rawv6_sendmsg+0xa28/0xe30 [] ? inet_sendmsg+0xc7/0x1d0 [] inet_sendmsg+0x106/0x1d0 [] ? inet_sendmsg+0x5/0x1d0 [] sock_sendmsg+0x38/0x50 [] SYSC_sendto+0xf6/0x170 [] ? trace_hardirqs_on_thunk+0x1b/0x1d [] SyS_sendto+0xe/0x10 [] entry_SYSCALL_64_fastpath+0x18/0xa8 Code: 06 48 83 3f 00 75 26 48 8b 87 d8 00 00 00 2b 87 d0 00 00 00 48 39 d0 72 14 8b 87 e4 00 00 00 83 f8 01 75 09 48 83 7f 18 00 74 9a <0f> 0b 41 8b 86 cc 00 00 00 49 8# RIP [] ip6_fragment+0x73a/0xc50 RSP Fixes: 029f7f3b8701 ("netfilter: ipv6: nf_defrag: avoid/free clone operations") Reported-by: Daniele Di Proietto Signed-off-by: Joe Stringer Signed-off-by: David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

2016-03-28T19:38:59Z

Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for you net tree, they are: 1) There was a race condition between parallel save/swap and delete, which resulted a kernel crash due to the increase ref for save, swap, wrong ref decrease operations. Reported and fixed by Vishwanath Pai. 2) OVS should call into CT NAT for packets of new expected connections only when the conntrack state is persisted with the 'commit' option to the OVS CT action. From Jarno Rajahalme. 3) Resolve kconfig dependencies with new OVS NAT support. From Arnd Bergmann. 4) Early validation of entry->target_offset to make sure it doesn't take us out from the blob, from Florian Westphal. 5) Again early validation of entry->next_offset to make sure it doesn't take out from the blob, also from Florian. 6) Check that entry->target_offset is always of of sizeof(struct xt_entry) for unconditional entries, when checking both from check_underflow() and when checking for loops in mark_source_chains(), again from Florian. 7) Fix inconsistent behaviour in nfnetlink_queue when NFQA_CFG_F_FAIL_OPEN is set and netlink_unicast() fails due to buffer overrun, we have to reinject the packet as the user expects. 8) Enforce nul-terminated table names from getsockopt GET_ENTRIES requests. 9) Don't assume skb->sk is set from nft_bridge_reject and synproxy, this fixes a recent update of the code to namespaceify ip_default_ttl, patch from Liping Zhang. This batch comes with four patches to validate x_tables blobs coming from userspace. CONFIG_USERNS exposes the x_tables interface to unpriviledged users and to be honest this interface never received the attention for this move away from the CAP_NET_ADMIN domain. Florian is working on another round with more patches with more sanity checks, so expect a bit more Netfilter fixes in this development cycle than usual. ==================== Signed-off-by: David S. Miller

openvswitch: call only into reachable nf-nat code

2016-03-28T15:58:59Z

The openvswitch code has gained support for calling into the nf-nat-ipv4/ipv6 modules, however those can be loadable modules in a configuration in which openvswitch is built-in, leading to link errors: net/built-in.o: In function `__ovs_ct_lookup': :(.text+0x2cc2c8): undefined reference to `nf_nat_icmp_reply_translation' :(.text+0x2cc66c): undefined reference to `nf_nat_icmpv6_reply_translation' The dependency on (!NF_NAT || NF_NAT) prevents similar issues, but NF_NAT is set to 'y' if any of the symbols selecting it are built-in, but the link error happens when any of them are modular. A second issue is that even if CONFIG_NF_NAT_IPV6 is built-in, CONFIG_NF_NAT_IPV4 might be completely disabled. This is unlikely to be useful in practice, but the driver currently only handles IPv6 being optional. This patch improves the Kconfig dependency so that openvswitch cannot be built-in if either of the two other symbols are set to 'm', and it replaces the incorrect #ifdef in ovs_ct_nat_execute() with two "if (IS_ENABLED())" checks that should catch all corner cases also make the code more readable. The same #ifdef exists ovs_ct_nat_to_attr(), where it does not cause a link error, but for consistency I'm changing it the same way. Signed-off-by: Arnd Bergmann Fixes: 05752523e565 ("openvswitch: Interface with NAT.") Acked-by: Joe Stringer Signed-off-by: Pablo Neira Ayuso

openvswitch: Fix checking for new expected connections.

2016-03-28T15:58:51Z

OVS should call into CT NAT for packets of new expected connections only when the conntrack state is persisted with the 'commit' option to the OVS CT action. The test for this condition is doubly wrong, as the CT status field is ANDed with the bit number (IPS_EXPECTED_BIT) rather than the mask (IPS_EXPECTED), and due to the wrong assumption that the expected bit would apply only for the first (i.e., 'new') packet of a connection, while in fact the expected bit remains on for the lifetime of an expected connection. The 'ctinfo' value IP_CT_RELATED derived from the ct status can be used instead, as it is only ever applicable to the 'new' packets of the expected connection. Fixes: 05752523e565 ('openvswitch: Interface with NAT.') Reported-by: Dan Carpenter Signed-off-by: Jarno Rajahalme Signed-off-by: Pablo Neira Ayuso

openvswitch: Use proper buffer size in nla_memcpy

2016-03-28T15:37:14Z

For the input parameter count, it's better to use the size of destination buffer size, as nla_memcpy would take into account the length of the source netlink attribute when a data is copied from an attribute. Signed-off-by: Haishuang Yan Signed-off-by: David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next

2016-03-19T17:05:34Z

Pull networking updates from David Miller: "Highlights: 1) Support more Realtek wireless chips, from Jes Sorenson. 2) New BPF types for per-cpu hash and arrap maps, from Alexei Starovoitov. 3) Make several TCP sysctls per-namespace, from Nikolay Borisov. 4) Allow the use of SO_REUSEPORT in order to do per-thread processing of incoming TCP/UDP connections. The muxing can be done using a BPF program which hashes the incoming packet. From Craig Gallek. 5) Add a multiplexer for TCP streams, to provide a messaged based interface. BPF programs can be used to determine the message boundaries. From Tom Herbert. 6) Add 802.1AE MACSEC support, from Sabrina Dubroca. 7) Avoid factorial complexity when taking down an inetdev interface with lots of configured addresses. We were doing things like traversing the entire address less for each address removed, and flushing the entire netfilter conntrack table for every address as well. 8) Add and use SKB bulk free infrastructure, from Jesper Brouer. 9) Allow offloading u32 classifiers to hardware, and implement for ixgbe, from John Fastabend. 10) Allow configuring IRQ coalescing parameters on a per-queue basis, from Kan Liang. 11) Extend ethtool so that larger link mode masks can be supported. From David Decotigny. 12) Introduce devlink, which can be used to configure port link types (ethernet vs Infiniband, etc.), port splitting, and switch device level attributes as a whole. From Jiri Pirko. 13) Hardware offload support for flower classifiers, from Amir Vadai. 14) Add "Local Checksum Offload". Basically, for a tunneled packet the checksum of the outer header is 'constant' (because with the checksum field filled into the inner protocol header, the payload of the outer frame checksums to 'zero'), and we can take advantage of that in various ways. From Edward Cree" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1548 commits) bonding: fix bond_get_stats() net: bcmgenet: fix dma api length mismatch net/mlx4_core: Fix backward compatibility on VFs phy: mdio-thunder: Fix some Kconfig typos lan78xx: add ndo_get_stats64 lan78xx: handle statistics counter rollover RDS: TCP: Remove unused constant RDS: TCP: Add sysctl tunables for sndbuf/rcvbuf on rds-tcp socket net: smc911x: convert pxa dma to dmaengine team: remove duplicate set of flag IFF_MULTICAST bonding: remove duplicate set of flag IFF_MULTICAST net: fix a comment typo ethernet: micrel: fix some error codes ip_tunnels, bpf: define IP_TUNNEL_OPTS_MAX and use it bpf, dst: add and use dst_tclassid helper bpf: make skb->tc_classid also readable net: mvneta: bm: clarify dependencies cls_bpf: reset class and reuse major in da ldmvsw: Checkpatch sunvnet.c and sunvnet_common.c ldmvsw: Add ldmvsw.c driver code ...

ip_tunnels, bpf: define IP_TUNNEL_OPTS_MAX and use it

2016-03-18T23:38:46Z

eBPF defines this as BPF_TUNLEN_MAX and OVS just uses the hard-coded value inside struct sw_flow_key. Thus, add and use IP_TUNNEL_OPTS_MAX for this, which makes the code a bit more generic and allows to remove BPF_TUNLEN_MAX from eBPF code. Signed-off-by: Daniel Borkmann Signed-off-by: David S. Miller

openvswitch: allow output of MPLS packets on tunnel vports

2016-03-18T22:26:38Z

Currently output of MPLS packets on tunnel vports is not allowed by Open vSwitch. This is because historically encapsulation was done in such a way that the inner_protocol field of the skb needed to hold the inner protocol for both MPLS and tunnel encapsulation in order for GSO segmentation to be performed correctly. Since b2acd1dc3949 ("openvswitch: Use regular GRE net_device instead of vport") Open vSwitch makes use of lwt to output to tunnel netdevs which perform encapsulation. As no drivers expose support for MPLS offloads this means that GSO packets are segmented in software by validate_xmit_skb(), which is called from __dev_queue_xmit(), before tunnel encapsulation occurs. This means that the inner protocol of MPLS is no longer needed by the time encapsulation occurs and the contention on the inner_protocol field of the skb no longer occurs. Thus it is now safe to output MPLS to tunnel vports. Signed-off-by: Simon Horman Reviewed-by: Jesse Gross Signed-off-by: David S. Miller