Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v6.7 2023-10-19T20:29:01Z 2023-10-19T20:29:01Z Jakub Kicinski kuba@kernel.org 2023-10-19T20:13:03Z urn:sha1:041c3466f39d7073bbc7fb91c4e5d14170d5eb08 Cross-merge networking fixes after downstream PR. net/mac80211/key.c 02e0e426a2fb ("wifi: mac80211: fix error path key leak") 2a8b665e6bcc ("wifi: mac80211: remove key_mtx") 7d6904bf26b9 ("Merge wireless into wireless-next") https://lore.kernel.org/all/20231012113648.46eea5ec@canb.auug.org.au/ Adjacent changes: drivers/net/ethernet/ti/Kconfig a602ee3176a8 ("net: ethernet: ti: Fix mixed module-builtin object") 98bdeae9502b ("net: cpmac: remove driver to prepare for platform removal") Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-10-18T11:47:08Z Phil Sutter phil@nwl.cc 2023-10-13T20:02:24Z urn:sha1:2e2d9c7d4d37d74873583d7b0c94eac8b6869486 Don't mess with the host's firewall ruleset. Since audit logging is not per-netns, add an initial delay of a second so other selftests' netns cleanups have a chance to finish. Fixes: e8dbde59ca3f ("selftests: netfilter: Test nf_tables audit logging") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> 2023-10-18T11:43:40Z Phil Sutter phil@nwl.cc 2023-10-11T15:06:59Z urn:sha1:1baf0152f7707c6c7e4ea815dcc1f431c0e603f9 When resetting multiple objects at once (via dump request), emit a log message per table (or filled skb) and resurrect the 'entries' parameter to contain the number of objects being logged for. To test the skb exhaustion path, perform some bulk counter and quota adds in the kselftest. Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Acked-by: Paul Moore <paul@paul-moore.com> (Audit) Signed-off-by: Florian Westphal <fw@strlen.de> 2023-10-18T10:09:55Z Phil Sutter phil@nwl.cc 2023-10-17T09:39:06Z urn:sha1:c4eee56e14fe001e1cff54f0b438a5e2d0dd7454 Assume that caller's 'to' offset really represents an upper boundary for the pattern search, so patterns extending past this offset are to be rejected. The old behaviour also was kind of inconsistent when it comes to fragmentation (or otherwise non-linear skbs): If the pattern started in between 'to' and 'from' offsets but extended to the next fragment, it was not found if 'to' offset was still within the current fragment. Test the new behaviour in a kselftest using iptables' string match. Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org> Fixes: f72b948dcbb8 ("[NET]: skb_find_text ignores to argument") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Florian Westphal <fw@strlen.de> Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net> 2023-10-05T20:16:47Z Jakub Kicinski kuba@kernel.org 2023-10-05T20:16:31Z urn:sha1:2606cf059c56bfb86d5d6bd0f41bd7eedefc8b0a Cross-merge networking fixes after downstream PR. No conflicts (or adjacent changes of note). Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2023-10-04T13:57:06Z Phil Sutter phil@nwl.cc 2023-09-23T01:53:50Z urn:sha1:0d880dc6f032e0b541520e9926f398a77d3d433c When adding/updating an object, the transaction handler emits suitable audit log entries already, the one in nft_obj_notify() is redundant. To fix that (and retain the audit logging from objects' 'update' callback), Introduce an "audit log free" variant for internal use. Fixes: c520292f29b8 ("audit: log nftables configuration change events once per table") Signed-off-by: Phil Sutter <phil@nwl.cc> Reviewed-by: Richard Guy Briggs <rgb@redhat.com> Acked-by: Paul Moore <paul@paul-moore.com> (Audit) Signed-off-by: Florian Westphal <fw@strlen.de> 2023-10-04T12:12:01Z Phil Sutter phil@nwl.cc 2023-09-23T01:53:49Z urn:sha1:203bb9d39866d3c5a8135433ce3742fe4f9d5741 Add tests for sets and elements and deletion of all kinds. Also reorder rule reset tests: By moving the bulk rule add command up, the two 'reset rules' tests become identical. While at it, fix for a failing bulk rule add test's error status getting lost due to its use in a pipe. Avoid this by using a temporary file. Headings in diff output for failing tests contain no useful data, strip them. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> 2023-10-04T12:12:01Z Xin Long lucien.xin@gmail.com 2023-10-03T17:17:54Z urn:sha1:cf791b22bef7d9352ff730a8727d3871942d6001 This patch adds a test case to reproduce the SCTP DATA chunk retransmission timeout issue caused by the improper SCTP collision processing in netfilter nf_conntrack_proto_sctp. In this test, client sends a INIT chunk, but the INIT_ACK replied from server is delayed until the server sends a INIT chunk to start a new connection from its side. After the connection is complete from server side, the delayed INIT_ACK arrives in nf_conntrack_proto_sctp. The delayed INIT_ACK should be dropped in nf_conntrack_proto_sctp instead of updating the vtag with the out-of-date init_tag, otherwise, the vtag in DATA chunks later sent by client don't match the vtag in the conntrack entry and the DATA chunks get dropped. Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> 2023-09-28T14:25:42Z Florian Westphal fw@strlen.de 2023-08-15T09:52:41Z urn:sha1:117e149e26d193467a3a136aa4393d32a3e7046f Test that nat engine resolves the source port clash and tcp packet is passed to the correct socket. While at it, get rid of the iperf3 dependency, just use socat for listener side too. Signed-off-by: Florian Westphal <fw@strlen.de> 2023-09-13T19:57:50Z Phil Sutter phil@nwl.cc 2023-09-13T13:51:37Z urn:sha1:e8dbde59ca3fe925d0105bfb380e8429928b16dd Compare NETFILTER_CFG type audit logs emitted from kernel upon ruleset modifications against expected output. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>