(resending since I forgot to sign the first one)
Hi Dave,
I didn't miss your "net-next is closed" email, but it did come as a bit
of a surprise, and due to time-zone differences I didn't have a chance
to react to it until now. We would have had a couple of patches in
bluetooth-next that we'd stil
Hi Dave,
I didn't miss your "net-next is closed" email, but it did come as a bit
of a surprise, and due to time-zone differences I didn't have a chance
to react to it until now. We would have had a couple of patches in
bluetooth-next that we'd still have wanted to get to 4.10.
Out of these the mo
Remove deprecated module parameters num_vf, dflt_msg_enable and
force_init.
Signed-off-by: Ganesh Goudar
---
drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c| 41 +-
.../net/ethernet/chelsio/cxgb4vf/cxgb4vf_main.c| 9 +
2 files changed, 2 insertions(+), 48 deletio
Add a new "global" (i.e. not per-rfkill device) LED trigger, rfkill-any,
which may be useful on laptops with a single "radio LED" and multiple
radio transmitters. The trigger is meant to turn a LED on whenever
there is at least one radio transmitter active and turn it off
otherwise.
Signed-off-by
Use a separate label per error condition in rfkill_init() to make it a
bit cleaner and easier to extend.
Signed-off-by: Michał Kępień
---
No changes from v1.
net/rfkill/core.c | 23 ---
1 file changed, 12 insertions(+), 11 deletions(-)
diff --git a/net/rfkill/core.c b/net/r
Hi Geert,
Thanks for testing and your feedback.
On 2016-12-07 19:14:40 +0100, Geert Uytterhoeven wrote:
> Hi Niklas,
>
> On Wed, Dec 7, 2016 at 5:28 PM, Niklas Söderlund
> wrote:
> > Signed-off-by: Niklas Söderlund
>
> Thanks, works fine on r8a7791/koelsch!
>
> Tested-by: Geert Uytterhoeven
Hello,
NB. This is a re-send. I've been advised to send again as I gather I'm
supposed to receive a URL back.
I am reporting this as requested below:
Anthony Buckley, the issue you are reporting is an upstream one. Could
you please report this problem following the instructions verbatim at
ht
This patch provides one way to set/unset IXGBE NIC TX and RX
relax ordering mode, which can be set by ethtool.
Relax ordering is one mode of 82599 NIC, to enable this mode
can enhance the performance for some cpu architecture.
example:
ethtool -s enp1s0f0 relaxorder off
ethtool -s enp1s0f0 relaxorde
On Wed, Dec 07, 2016 at 12:12:45PM -0800, John Fastabend wrote:
> This adds support for the XDP_TX action to virtio_net. When an XDP
> program is run and returns the XDP_TX action the virtio_net XDP
> implementation will transmit the packet on a TX queue that aligns
> with the current CPU that the
On Wed, Dec 07, 2016 at 12:12:23PM -0800, John Fastabend wrote:
> XDP requires using isolated transmit queues to avoid interference
> with normal networking stack (BQL, NETDEV_TX_BUSY, etc).
> This patch
> adds a XDP queue per cpu when a XDP program is loaded and does not
> expose the queues to the
On Wed, Dec 07, 2016 at 09:14:48PM -0800, John Fastabend wrote:
> On 16-12-07 08:48 PM, Michael S. Tsirkin wrote:
> > On Wed, Dec 07, 2016 at 12:11:57PM -0800, John Fastabend wrote:
> >> From: John Fastabend
> >>
> >> This adds XDP support to virtio_net. Some requirements must be
> >> met for XDP
On 12/07/16 18:29, Michael S. Tsirkin wrote:
> By now, linux is mostly endian-clean. Enabling endian-ness
> checks for everyone produces about 200 new sparse warnings for me -
> less than 10% over the 2000 sparse warnings already there.
>
> Not a big deal, OTOH enabling this helps people notice
> t
On Thu, Dec 08, 2016 at 05:21:47AM +, Bart Van Assche wrote:
> On 12/07/16 18:29, Michael S. Tsirkin wrote:
> > By now, linux is mostly endian-clean. Enabling endian-ness
> > checks for everyone produces about 200 new sparse warnings for me -
> > less than 10% over the 2000 sparse warnings alre
On 16-12-07 08:48 PM, Michael S. Tsirkin wrote:
> On Wed, Dec 07, 2016 at 12:11:57PM -0800, John Fastabend wrote:
>> From: John Fastabend
>>
>> This adds XDP support to virtio_net. Some requirements must be
>> met for XDP to be enabled depending on the mode. First it will
>> only be supported with
On Wed 2016-12-07 19:30:34 -0500, Hannes Frederic Sowa wrote:
> Your custom protocol should be designed in a way you get an aligned ip
> header. Most protocols of the IETF follow this mantra and it is always
> possible to e.g. pad options so you end up on aligned boundaries for the
> next header.
On Wed, Dec 07, 2016 at 12:11:57PM -0800, John Fastabend wrote:
> From: John Fastabend
>
> This adds XDP support to virtio_net. Some requirements must be
> met for XDP to be enabled depending on the mode. First it will
> only be supported with LRO disabled so that data is not pushed
> across mult
On Wed, 07 Dec 2016 16:28:45 -0500 (EST)
David Miller wrote:
> The merge window is about to open soon, and next week I will be
> having sporadic internet access while travelling around, therefore
> I am closing net-next up tonight.
>
> Therefore, please do not submit any new features or cleanups
On Wed, 7 Dec 2016 19:13:45 -0800
Stephen Hemminger wrote:
> On Wed, 07 Dec 2016 16:28:45 -0500 (EST)
> David Miller wrote:
>
> > The merge window is about to open soon, and next week I will be
> > having sporadic internet access while travelling around, therefore
> > I am closing net-next up t
From: Gao Feng
When netdev_upper_dev_unlink failed in ipvlan_link_new, need to
unlink the ipvlan dev with upper dev.
Signed-off-by: Gao Feng
---
v2: Rename the label to unlink_netdev, per Mahesh Bandewar
v1: Initial patch
drivers/net/ipvlan/ipvlan_main.c | 4 +++-
1 file changed, 3 insertio
On 08/12/16 01:43, Thomas Haller wrote:
On Tue, 2016-12-06 at 17:12 -0600, Dan Williams wrote:
libnl1 rejects the IFLA_INFO_DATA attribute because it expects it to
contain a sub-attribute. Since the payload size is zero it doesn't
match the policy and parsing fails.
There's no problem with li
By now, linux is mostly endian-clean. Enabling endian-ness
checks for everyone produces about 200 new sparse warnings for me -
less than 10% over the 2000 sparse warnings already there.
Not a big deal, OTOH enabling this helps people notice
they are introducing new bugs.
So let's just drop __CHEC
On Thu, Dec 8, 2016 at 9:39 AM, Mahesh Bandewar (महेश बंडेवार)
wrote:
> On Wed, Dec 7, 2016 at 5:21 PM, wrote:
>> From: Gao Feng
>>
>> When netdev_upper_dev_unlink failed in ipvlan_link_new, need to
>> unlink the ipvlan dev with upper dev.
>>
>> Signed-off-by: Gao Feng
>> ---
>> drivers/net/i
On Wed, Dec 7, 2016 at 5:21 PM, wrote:
> From: Gao Feng
>
> When netdev_upper_dev_unlink failed in ipvlan_link_new, need to
> unlink the ipvlan dev with upper dev.
>
> Signed-off-by: Gao Feng
> ---
> drivers/net/ipvlan/ipvlan_main.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
Zhouyi Zhou wrote:
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index fee1f29..4926d48 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -2173,8 +2173,7 @@ static int
From: Gao Feng
When netdev_upper_dev_unlink failed in ipvlan_link_new, need to
unlink the ipvlan dev with upper dev.
Signed-off-by: Gao Feng
---
drivers/net/ipvlan/ipvlan_main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ipvlan/ipvlan_main.c b/drivers/ne
Thanks Jeff for your advice,
Sorry for my innocence as a Linux kernel rookie.
Zhouyi
On Thu, Dec 8, 2016 at 1:30 AM, Jeff Kirsher
wrote:
> On Wed, 2016-12-07 at 15:43 +0800, Zhouyi Zhou wrote:
>> Signed-off-by: Zhouyi Zhou
>> Reviewed-by: Cong Wang
>> Reviewed-by: Yuval Shaia
>> Reviewed
> -Original Message-
> From: Eric Dumazet [mailto:eric.duma...@gmail.com]
> Sent: Wednesday, December 7, 2016 5:04 PM
> To: Duyck, Alexander H
> Cc: Kirsher, Jeffrey T ; da...@davemloft.net;
> Williams, Mitch A ; netdev@vger.kernel.org;
> nhor...@redhat.com; sassm...@redhat.com; jogre...@r
> -Original Message-
> From: Eric Dumazet [mailto:eric.duma...@gmail.com]
> Sent: Wednesday, December 07, 2016 10:18 PM
> To: Zhang Shengju
> Cc: netdev@vger.kernel.org
> Subject: Re: [net-next] icmp: correct return value of icmp_rcv()
>
> On Wed, 2016-12-07 at 14:52 +0800, Zhang Shengju
On Thu, 2016-12-08 at 00:35 +, Duyck, Alexander H wrote:
> Well there ends up being a few aspects to it. First we don't need the
> precision of a full 64b inverse multiplication, that is why we can get
> away with multiply by 85 and shift. The assumption is we should never
> see a buffer lar
Function orinoco_ioctl_commit() returns 0 (indicates success) when the
call to orinoco_lock() fails. Thus, the return value is inconsistent with
the execution status. It may be better to return "-EBUSY" when the call
to orinoco_lock() fails.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=1
From: Pablo Neira Ayuso
Date: Wed, 7 Dec 2016 22:52:06 +0100
> The following patchset contains a large Netfilter update for net-next,
> to summarise:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git
Pulled, thanks a lot Pablo.
From: "Jason A. Donenfeld"
Date: Thu, 8 Dec 2016 01:29:42 +0100
> On Wed, Dec 7, 2016 at 8:52 PM, David Miller wrote:
>> The only truly difficult case to handle is GRE encapsulation. Is
>> that the situation you are running into?
>>
>> If not, please figure out what the header configuration loo
On Wed, Dec 7, 2016 at 8:52 PM, David Miller wrote:
> The only truly difficult case to handle is GRE encapsulation. Is
> that the situation you are running into?
>
> If not, please figure out what the header configuration looks like
> in the case that hits for you, and what the originating device
> -Original Message-
> From: Eric Dumazet [mailto:eric.duma...@gmail.com]
> Sent: Wednesday, December 7, 2016 4:16 PM
> To: Kirsher, Jeffrey T
> Cc: da...@davemloft.net; Williams, Mitch A ;
> netdev@vger.kernel.org; nhor...@redhat.com; sassm...@redhat.com;
> jogre...@redhat.com; guru.anbal
Hi Jason,
On 07.12.2016 19:35, Jason A. Donenfeld wrote:
> I receive encrypted packets with a 13 byte header. I decrypt the
> ciphertext in place, and then discard the header. I then pass the
> plaintext to the rest of the networking stack. The plaintext is an IP
> packet. Due to the 13 byte heade
Hi Timur,
[auto build test ERROR on net-next/master]
[also build test ERROR on v4.9-rc8 next-20161207]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system]
url:
https://github.com/0day-ci/linux/commits/Timur-Tabi/net-qcom-emac-simplify-support
On Wed, 2016-12-07 at 14:19 -0800, Jeff Kirsher wrote:
> From: Mitch Williams
>
> The i40e_txd_use_count function was fast but confusing. In the comments,
> it even admits that it's ugly. So replace it with a new function that is
> (very) slightly faster and has extensive commenting to help the t
From: Jeff Kirsher
Date: Wed, 7 Dec 2016 14:18:59 -0800
> This series contains updates to i40e and i40evf only.
Pulled, thanks Jeff.
This series adds a helper to allow head adjusting in XDP prog. mlx4
driver has been modified to support this feature. An example is written
to encapsulate a packet with an IPv4/v6 header and then XDP_TX it
out.
v4:
1. Remove XDP_QUERY_FEATURES command. Instead, check
the prog->xdp_adjust_hea
The XDP prog checks if the incoming packet matches any VIP:PORT
combination in the BPF hashmap. If it is, it will encapsulate
the packet with a IPv4/v6 header as instructed by the value of
the BPF hashmap and then XDP_TX it out.
The VIP:PORT -> IP-Encap-Info can be specified by the cmd args
of th
When XDP is active in mlx4, mlx4 is using one page/pkt.
At the same time (i.e. when XDP is active), it is currently
limiting MTU to be FRAG_SZ0 - ETH_HLEN - (2 * VLAN_HLEN)
which is 1514 in x86. AFAICT, we can at least raise the MTU
limit up to PAGE_SIZE - ETH_HLEN - (2 * VLAN_HLEN) which this
pat
This patch allows XDP prog to extend/remove the packet
data at the head (like adding or removing header). It is
done by adding a new XDP helper bpf_xdp_adjust_head().
It also renames bpf_helper_changes_skb_data() to
bpf_helper_changes_pkt_data() to better reflect
that XDP prog does not work on sk
Reserve XDP_PACKET_HEADROOM for packet and enable bpf_xdp_adjust_head()
support. This patch only affects the code path when XDP is active.
After testing, the tx_dropped counter is incremented if the xdp_prog sends
more than wire MTU.
Signed-off-by: Martin KaFai Lau
---
drivers/net/ethernet/mel
From: Pavel Machek
Date: Wed, 7 Dec 2016 22:37:57 +0100
> diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
> b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
> index 982c952..7415bc2 100644
> --- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
> +++ b/drivers/net/ethernet/st
On Wed 2016-12-07 23:34:19, Lino Sanfilippo wrote:
> On 07.12.2016 22:43, Lino Sanfilippo wrote:
> > Hi Pavel,
> >
> > On 07.12.2016 22:37, Pavel Machek wrote:
> >> On Wed 2016-12-07 21:05:38, Lino Sanfilippo wrote:
> >>> The driver uses a private lock for synchronization between the xmit
> >>> fu
Lino Sanfilippo :
> The driver uses a private lock for synchronization between the xmit
> function and the xmit completion handler, but since the NETIF_F_LLTX flag
> is not set, the xmit function is also called with the xmit_lock held.
>
> On the other hand the xmit completion handler first takes
On 07.12.2016 22:43, Lino Sanfilippo wrote:
> Hi Pavel,
>
> On 07.12.2016 22:37, Pavel Machek wrote:
>> On Wed 2016-12-07 21:05:38, Lino Sanfilippo wrote:
>>> The driver uses a private lock for synchronization between the xmit
>>> function and the xmit completion handler, but since the NETIF_F_LLT
From: Bimmy Pujari
Signed-off-by: Bimmy Pujari
Tested-by: Andrew Bowers
Signed-off-by: Jeff Kirsher
---
drivers/net/ethernet/intel/i40e/i40e_main.c | 2 +-
drivers/net/ethernet/intel/i40evf/i40evf_main.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/et
From: Carolyn Wyborny
Add support for 25G devices - defines and data structures.
One tricky part here is that the firmware support for these
Devices introduces a mismatch between the PHY type enum and
the bitfields for the phy types.
This change creates a macro and uses it to increment the 25G
From: Jacob Keller
The netdev->dev_addr MAC filter already exists in the
MAC/VLAN hash table, as it is added when we configure
the netdev in i40e_configure_netdev. Because we already
know that this address will be updated in the
hash_for_each loops, we do not need to handle it
specially. This rem
From: Filip Sadowski
This patch makes the driver log link speed change. Before applying the
patch link messages were printed only on state change. Now message is
printed when link is brought up or down and when speed changes.
Change-ID: Ifbee14b4b16c24967450b3cecac6e8351dcc8f74
Signed-off-by: Fi
From: Alexander Duyck
Currently the function i40e_napi-poll() returns 0 when it cleans the Rx
rings completely, but this fouls budget accounting in core code.
Fix this by returning the actual work done, capped to budget - 1, since
the core doesn't allow to return the full budget when the driver mo
From: Carolyn Wyborny
This patch adds adminq support for Forward Error
Correction ("FEC") for 25g products.
Change-ID: Iaff4910737c239d2c730e5c22a313ce9c37d3964
Signed-off-by: Carolyn Wyborny
Signed-off-by: Mitch Williams
Signed-off-by: Jacek Naczyk
Tested-by: Andrew Bowers
Signed-off-by: Jef
From: Henry Tieman
Before this patch "ethtool -p" was not blinking the LEDs on boards
with 1G BaseT PHYs.
This commit identifies 1G BaseT boards as having the LEDs connected
to the MAC. Also, renamed the flag to be more descriptive of usage.
The flag is now I40E_FLAG_PHY_CONTROLS_LEDS.
Change-I
From: Jacob Keller
A previous commit 53cb6e9e8949 ("i40e: Removal of workaround for simple
MAC address filter deletion") removed a workaround for some
firmware versions which was reported to not be necessary in production
NICs. Unfortunately this workaround is necessary in some configurations,
sp
From: Mitch Williams
The service task lock was being set in the scheduling function, not the
actual service task. This would potentially leave the bit set for a long
time before the task actually ran. Furthermore, if the service task
takes too long, it calls the schedule function to reschedule it
From: Jacob Keller
A future refactor of how the PF assigns a PVID to a VF will want to be
able to add and remove a block of filters by VLAN without worrying about
accidentally triggering the accounting for I40E_VLAN_ANY. Additionally
the PVID assignment would like to be able to batch several chan
From: Jacob Keller
In a similar fashion to how we handled exiting VLAN mode, move the logic
in i40e_vsi_add_vlan into i40e_sync_vsi_filters. Extract this logic into
its own function for ease of understanding as it will become quite
complex.
The new function, i40e_correct_mac_vlan_filters() corre
From: Jacob Keller
Previous code refactors have accidentally caused issues with the
counting of active_filters. Avoid similar issues in the future by simply
re-counting the active filters every time after we handle add and delete
of all the filters. Additionally this allows us to simplify the che
From: Mitch Williams
The i40e_txd_use_count function was fast but confusing. In the comments,
it even admits that it's ugly. So replace it with a new function that is
(very) slightly faster and has extensive commenting to help the thicker
among us (including the author, who will forget in a week)
This series contains updates to i40e and i40evf only.
Filip modifies the i40e to log link speed change and when the link is
brought up and down.
Mitch replaces i40e_txd_use_count() with a new function which is slightly
faster and better documented so the dim witted can better follow the
code. Fi
From: Jacob Keller
Fix a subtle issue with the code for converting VID=-1 filters into VID=0
filters when adding a new VLAN. Previously the code deleted the VID=-1
filter, and then added a new VID=0 filter. In the rare case that the
addition fails due to -ENOMEM, we end up completely deleting the
From: Jacob Keller
A product decision has been made to defeature detection of PTP frames
over L4 (UDP) on the XL710 MAC. Do not advertise support for L4
timestamping.
Change-ID: I41fbb0f84ebb27c43e23098c08156f2625c6ee06
Signed-off-by: Jacob Keller
Tested-by: Andrew Bowers
Signed-off-by: Jeff K
From: Jacob Keller
The current flow for adding or updating the PVID for a VF uses
i40e_vsi_add_vlan and i40e_vsi_kill_vlan which each take, then release
the hash lock. In addition the two functions also must take special care
that they do not perform VLAN mode changes as this will make the code i
From: Michal Kosiarz
Depending on external PHY type, register access method should be
different. Clause22 or Clause45 can be chosen for different PHYs.
Implemented functions apply correct access method for used device.
Change-ID: If39d5f0da9c0b905a8cbdc1ab89885535e7d0426
Signed-off-by: Michal Ko
From: Jacob Keller
Replace the %d specifier used for printing vsi->active_filters and
vsi->promisc_threshold with an unsigned %u format specifier. While it is
unlikely in practice that these values will ever reach such a large
number they are unsigned values and thus should not be interpreted as
From: Jacob Keller
The current caller of i40e_update_filter_state incorrectly passes
aq_ret, an i40e_status variable, instead of the expected aq_err. This
happens to work because i40e_status is actually just a typedef integer,
and 0 is still the successful return. However i40e_update_filter_state
Hassan Naveed :
> Fix pch_gbe driver for ethernet operations for a big endian CPU.
> Values written to and read from transmit and receive descriptors
> in the pch_gbe driver are byte swapped from the perspective of a
> big endian CPU, since the ethernet controller always operates in
> little endia
Hi Paul,
Am 07.12.2016 um 22:08 schrieb Paul Bolle:
> On Wed, 2016-12-07 at 21:57 +0100, Tilman Schmidt wrote:
>> Not much of a mess, I reckon. Everything that has been allocated and
>> registered up to that point is properly deallocated and unregistered.
>> The code just fails to tell the kernel
From: Liping Zhang
Otherwise, if fib lookup fail, *dest will be filled with garbage value,
so reverse path filtering will not work properly:
# nft add rule x prerouting fib saddr oif eq 0 drop
Fixes: f6d0cbcf09c5 ("netfilter: nf_tables: add fib expression")
Signed-off-by: Liping Zhang
Acked-by
From: Arturo Borrero Gonzalez
The email address has changed, let's update the copyright statements.
Signed-off-by: Arturo Borrero Gonzalez
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nft_masq_ipv4.c | 4 ++--
net/ipv4/netfilter/nft_redir_ipv4.c | 4 ++--
net/ipv6/netfilter/nft_ma
From: Davide Caratti
CONFIG_NF_NAT_PROTO_UDPLITE is no more a tristate. When set to y, NAT
support for UDPlite protocol is built-in into nf_nat.ko.
footprint test:
(nf_nat_proto_) |udplite || nf_nat
--+++
no builtin| 408048 || 22
> -Original Message-
> From: Kirsher, Jeffrey T
> Sent: Wednesday, December 07, 2016 1:53 PM
> To: Keller, Jacob E ; Sergei Shtylyov
> ; da...@davemloft.net
> Cc: netdev@vger.kernel.org; nhor...@redhat.com; sassm...@redhat.com;
> jogre...@redhat.com; guru.anbalag...@oracle.com
> Subject:
This patch augments nf_tables to support stateful objects. This new
infrastructure allows you to create, dump and delete stateful objects,
that are identified by a user-defined name.
This patch adds the generic infrastructure, follow up patches add
support for two stateful objects: counters and qu
Hi David,
The following patchset contains a large Netfilter update for net-next,
to summarise:
1) Add support for stateful objects. This series provides a nf_tables
native alternative to the extended accounting infrastructure for
nf_tables. Two initial stateful objects are supported: counte
From: Liping Zhang
Actually ntohl and htonl are identical, so this doesn't affect
anything, but it is conceptually wrong.
Signed-off-by: Liping Zhang
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nft_fib_ipv4.c | 2 +-
net/ipv6/netfilter/nft_fib_ipv6.c |
From: Florian Westphal
On SMP we overload the packet counter (unsigned long) to contain
percpu offset. Hide this from callers and pass xt_counters address
instead.
Preparation patch to allocate the percpu counters in page-sized batch
chunks.
Signed-off-by: Florian Westphal
Acked-by: Eric Duma
From: Davide Caratti
CONFIG_NF_NAT_PROTO_SCTP is no more a tristate. When set to y, NAT
support for SCTP protocol is built-in into nf_nat.ko.
footprint test:
(nf_nat_proto_) | sctp || nf_nat
--+++
no builtin| 428344 || 2241312
From: Florian Westphal
The caller assumes that < 0 means that skb was stolen (or free'd).
All other return values continue skb processing.
nf_hook_slow returns 3 different return value types:
A) a (negative) errno value: the skb was dropped (NF_DROP, e.g.
by iptables '-j DROP' rule).
B) 0. Th
From: Florian Westphal
MASQUERADE, S/DNAT and REDIRECT already call functions that depend on the
conntrack module.
However, since the conntrack hooks are now registered in a lazy fashion
(i.e., only when needed) a symbol reference is not enough.
Thus, when something is added to a nat table, mak
From: Florian Westphal
Keeps some noise away from a followup patch.
Signed-off-by: Florian Westphal
Acked-by: Eric Dumazet
Signed-off-by: Pablo Neira Ayuso
---
include/linux/netfilter/x_tables.h | 27 +--
net/ipv4/netfilter/arp_tables.c| 5 +
net/ipv4/netfilt
From: Florian Westphal
currently aliased to try_module_get/_put.
Will be changed in next patch when we add functions to make use of ->net
argument to store usercount per l3proto tracker.
This is needed to avoid registering the conntrack hooks in all netns and
later only enable connection trackin
From: Liping Zhang
Otherwise, DHCP Discover packets (0.0.0.0->255.255.255.255) may be
dropped incorrectly.
Signed-off-by: Liping Zhang
Acked-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/ipt_rpfilter.c | 8 +---
net/ipv4/netfilter/nft_fib_ipv4.c | 13 ++
From: Florian Westphal
instead of allocating each xt_counter individually, allocate 4k chunks
and then use these for counter allocation requests.
This should speed up rule evaluation by increasing data locality,
also speeds up ruleset loading because we reduce calls to the percpu
allocator.
As
From: Florian Westphal
... so we can use current skb instead of working with a clone.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_dup_netdev.h | 1 +
net/netfilter/nf_dup_netdev.c | 33 +
net/netfilter/
From: Gao Feng
I lost one test case in the last commit for xt_multiport.
For example, the rule is "-m multiport --dports 22,80,443".
When first port is unmatched and the second is matched, the current code
could not return the right result.
It would return false directly when the first port is un
Notify on depleted quota objects. The NFT_QUOTA_F_DEPLETED flag
indicates we have reached overquota.
Add pointer to table from nft_object, so we can use it when sending the
depletion notification to userspace.
Signed-off-by: Pablo Neira Ayuso
---
include/net/netfilter/nf_tables.h| 2 ++
From: Davide Caratti
To allow usage of enum ip_conntrack_dir in include/net/netns/conntrack.h,
this patch encloses #include in a #ifndef __KERNEL__
directive, so that compiler errors caused by unwanted inclusion of
include/linux/netfilter.h are avoided.
In addition, #include line has
been added
From: Davide Caratti
CONFIG_NF_NAT_PROTO_DCCP is no more a tristate. When set to y, NAT
support for DCCP protocol is built-in into nf_nat.ko.
footprint test:
(nf_nat_proto_) | dccp || nf_nat
--+++
no builtin| 409800 || 2241312
From: Florian Westphal
so that conntrack core will add the needed hooks in this namespace.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
net/ipv4/netfilter/nft_masq_ipv4.c | 7 +++
net/ipv4/netfilter/nft_redir_ipv4.c | 7 +++
net/ipv6/netfilter/nft_masq_ipv6.
This new expression allows us to refer to existing stateful objects from
rules.
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 14
net/netfilter/Kconfig| 6 ++
net/netfilter/Makefile | 1 +
net/netfilter/nft_objref.
From: Davide Caratti
SCTP GSO and hardware can do CRC32c computation after netfilter processing,
so we can avoid calling sctp_compute_checksum() on skb if skb->ip_summed
is equal to CHECKSUM_PARTIAL. Moreover, set skb->ip_summed to CHECKSUM_NONE
when the NAT code computes the CRC, to prevent offl
On Wed, 2016-12-07 at 13:50 -0800, Keller, Jacob E wrote:
> > -Original Message-
> > From: Sergei Shtylyov [mailto:sergei.shtyl...@cogentembedded.com]
> > Sent: Wednesday, December 07, 2016 2:11 AM
> > To: Kirsher, Jeffrey T ; davem@davemloft.n
> > et
> > Cc: Keller, Jacob E ; netdev@vger.k
This patch allows you to refer to stateful objects from set elements.
This provides the infrastructure to create maps where the right hand
side of the mapping is a stateful object.
This allows us to build dictionaries of stateful objects, that you can
use to perform fast lookups using any arbitrar
This patch adds the netlink code to filter out dump of stateful objects,
through the NFTA_OBJ_TYPE netlink attribute.
Signed-off-by: Pablo Neira Ayuso
---
net/netfilter/nf_tables_api.c | 50 +++
1 file changed, 50 insertions(+)
diff --git a/net/netfilter/
Register a new quota stateful object type into the new stateful object
infrastructure.
Signed-off-by: Pablo Neira Ayuso
---
include/uapi/linux/netfilter/nf_tables.h | 1 +
net/netfilter/nft_quota.c| 96 +++-
2 files changed, 84 insertions(+), 13 delet
From: Aaron Conole
This is to facilitate converting from a singly-linked list to an array
of elements.
Signed-off-by: Aaron Conole
Signed-off-by: Pablo Neira Ayuso
---
net/bridge/br_netfilter_hooks.c | 8
net/netfilter/core.c| 6 ++
2 files changed, 6 insertions(+), 8
This patch allows us to refer to stateful object dictionaries, the
source register indicates the key data to be used to look up for the
corresponding state object. We can refer to these maps through names or,
alternatively, the map transaction id. This allows us to refer to both
anonymous and named
This patch adds a new flag that signals the kernel to update layer 4
checksum if the packet field belongs to the layer 4 pseudoheader. This
implicitly provides stateless NAT 1:1 that is useful under very specific
usecases.
Since rules mangling layer 3 fields that are part of the pseudoheader
may p