Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.5 2019-12-20T01:12:27Z 2019-12-20T01:12:27Z Florian Westphal fw@strlen.de 2019-12-13T00:19:58Z urn:sha1:d05d5db815d56a0ce203ed297153d9794dfdcb68 NAT test currently covers snat (masquerade) only. Also add a dnat rule and then check that a connecting to the to-be-dnated address will work. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-12-07T18:50:39Z Florian Westphal fw@strlen.de 2019-12-02T17:35:40Z urn:sha1:5a2e6af81807d4616f9839ad0ae7d1313b45c64d Using ns0, ns1, etc. isn't a good idea, they might exist already. Use a random suffix. Also, older nft versions don't support "-" as alias for stdin, so use /dev/stdin instead. Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-10-11T08:05:27Z Haishuang Yan yanhaishuang@cmss.chinamobile.com 2019-10-10T14:50:55Z urn:sha1:176a52043ab853f1db7581ed02e1096aba78b4d1 Test virtual server via ipip tunnel. Tested: # selftests: netfilter: ipvs.sh # Testing DR mode... # Testing NAT mode... # Testing Tunnel mode... # ipvs.sh: PASS ok 6 selftests: netfilter: ipvs.sh Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com> Signed-off-by: Simon Horman <horms@verge.net.au> 2019-10-11T08:05:24Z Haishuang Yan yanhaishuang@cmss.chinamobile.com 2019-10-10T14:50:54Z urn:sha1:0ed15462069082f12bf89d0d2d2edfe0374b6059 Test virtual server via NAT. Tested: # selftests: netfilter: ipvs.sh # Testing DR mode... # Testing NAT mode... # ipvs.sh: PASS Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com> Signed-off-by: Simon Horman <horms@verge.net.au> 2019-10-11T08:05:20Z Haishuang Yan yanhaishuang@cmss.chinamobile.com 2019-10-10T14:50:53Z urn:sha1:867d2190799ab088479dfeb19d9fa92568be0a19 Test virutal server via directing routing for IPv4. Tested: # selftests: netfilter: ipvs.sh # Testing DR mode... # ipvs.sh: PASS ok 6 selftests: netfilter: ipvs.sh Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com> Signed-off-by: Simon Horman <horms@verge.net.au> 2019-08-05T09:29:50Z Florian Westphal fw@strlen.de 2019-07-30T12:57:18Z urn:sha1:0ca1bbb7f4212aeef83a67a8aed9da1d84567fcc 'flow offload' expression should not offload flows that will be subject to ipsec, but it does. This results in a connectivity blackhole for the affected flows -- first packets will go through (offload happens after established state is reached), but all remaining ones bypass ipsec encryption and are thus discarded by the peer. This can be worked around by adding "rt ipsec exists accept" before the 'flow offload' rule matches. This test case will fail, support for such flows is added in next patch. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-05-23T21:45:36Z David S. Miller davem@davemloft.net 2019-05-23T21:45:36Z urn:sha1:71e15f76f8df7ca01cfa87ed895b194feee90dd4 Pablo Neira Ayuso says: ==================== Netfilter/IPVS fixes for net The following patchset contains Netfilter/IPVS fixes for your net tree: 1) Fix crash when dumping rules after conversion to RCU, from Florian Westphal. 2) Fix incorrect hook reinjection from nf_queue in case NF_REPEAT, from Jagdish Motwani. 3) Fix check for route existence in fib extension, from Phil Sutter. 4) Fix use after free in ip_vs_in() hook, from YueHaibing. 5) Check for veth existence from netfilter selftests, from Jeffrin Jose T. 6) Checksum corruption in UDP NAT helpers due to typo, from Florian Westphal. 7) Pass up packets to classic forwarding path regardless of IPv4 DF bit, patch for the flowtable infrastructure from Florian. 8) Set liberal TCP tracking for flows that are placed in the flowtable, in case they need to go back to classic forwarding path, also from Florian. 9) Don't add flow with sequence adjustment to flowtable, from Florian. 10) Skip IPv4 options from IPv6 datapath in flowtable, from Florian. 11) Add selftest for the flowtable infrastructure, from Florian. ==================== Signed-off-by: David S. Miller <davem@davemloft.net> 2019-05-22T08:56:11Z Florian Westphal fw@strlen.de 2019-05-21T11:24:34Z urn:sha1:2de03b45236f3af1800755614fd434d347adf046 Exercises 3 cases: 1. no pmtu discovery (need to frag) 2. no PMTUd + NAT (don't flag packets as invalid from conntrack) 3. PMTU + NAT (need to send icmp error) The first two cases make sure we handle fragments correctly, i.e. pass them to classic forwarding path. Third case checks we offload everything (in the test case, PMTUd will kick in so all packets should be within link mtu). Nftables rules will filter packets that are supposed to be handled by the fast-path. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-05-21T18:12:20Z Jeffrin Jose T jeffrin@rajagiritech.edu.in 2019-05-15T06:44:04Z urn:sha1:82ce6eb1dd13fd12e449b2ee2c2ec051e6f52c43 A test for the basic NAT functionality uses ip command which needs veth device. There is a condition where the kernel support for veth is not compiled into the kernel and the test script breaks. This patch contains code for reasonable error display and correct code exit. Signed-off-by: Jeffrin Jose T <jeffrin@rajagiritech.edu.in> Acked-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-05-19T01:15:13Z Florian Westphal fw@strlen.de 2019-05-18T21:33:35Z urn:sha1:c50a42b8f61f3492a0d3a1c7fb4932e19cf3e626 In nf-next, I had extended this script to also cover NAT support for the inet family. In nf, I extended it to cover a regression with 'fully-random' masquerade. Make this script work again by resolving the conflicts as needed. Fixes: 8b4483658364f0 ("Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net>