1. 01 Nov, 2021 6 commits
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · 894d0844
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter updates for net-next
      
      The following patchset contains Netfilter updates for net-next:
      
      1) Use array_size() in ebtables, from Gustavo A. R. Silva.
      
      2) Attach IPS_ASSURED to internal UDP stream state, reported by
         Maciej Zenczykowski.
      
      3) Add NFT_META_IFTYPE to match on the interface type either
         from ingress or egress.
      
      4) Generalize pktinfo->tprot_set to flags field.
      
      5) Allow to match on inner headers / payload data.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      894d0844
    • David S. Miller's avatar
      Merge tag 'mlx5-updates-2021-10-29' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · 2aec919f
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5-updates-2021-10-29
      
      1) Minor trivial refactoring and improvements
      2) Check for unsupported parameters fields in SW steering
      3) Support TC offload for OVS internal port, from Ariel, see below.
      
      Ariel Levkovich says:
      
      =====================
      
      Support HW offload of TC rules involving OVS internal port
      device type as the filter device or the destination
      device.
      
      The support is for flows which explicitly use the internal
      port as source or destination device as well as indirect offload
      for flows performing tunnel set or unset via a tunnel device
      and the internal port is the tunnel overlay device.
      
      Since flows with internal port as source port are added
      as egress rules while redirecting to internal port is done
      as an ingress redirect, the series introduces the necessary
      changes in mlx5_core driver to support the new types of flows
      and actions.
      
      =====================
      
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2aec919f
    • Pablo Neira Ayuso's avatar
      netfilter: nft_payload: support for inner header matching / mangling · c46b38dc
      Pablo Neira Ayuso authored
      Allow to match and mangle on inner headers / payload data after the
      transport header. There is a new field in the pktinfo structure that
      stores the inner header offset which is calculated only when requested.
      Only TCP and UDP supported at this stage.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      c46b38dc
    • Pablo Neira Ayuso's avatar
      netfilter: nf_tables: convert pktinfo->tprot_set to flags field · b5bdc6f9
      Pablo Neira Ayuso authored
      Generalize boolean field to store more flags on the pktinfo structure.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      b5bdc6f9
    • Pablo Neira Ayuso's avatar
      netfilter: nft_meta: add NFT_META_IFTYPE · 56fa9501
      Pablo Neira Ayuso authored
      Generalize NFT_META_IIFTYPE to NFT_META_IFTYPE which allows you to match
      on the interface type of the skb->dev field. This field is used by the
      netdev family to add an implicit dependency to skip non-ethernet packets
      when matching on layer 3 and 4 TCP/IP header fields.
      
      For backward compatibility, add the NFT_META_IIFTYPE alias to
      NFT_META_IFTYPE.
      
      Add __NFT_META_IIFTYPE, to be used by userspace in the future to match
      specifically on the iiftype.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      56fa9501
    • Pablo Neira Ayuso's avatar
      netfilter: conntrack: set on IPS_ASSURED if flows enters internal stream state · b7b1d02f
      Pablo Neira Ayuso authored
      The internal stream state sets the timeout to 120 seconds 2 seconds
      after the creation of the flow, attach this internal stream state to the
      IPS_ASSURED flag for consistent event reporting.
      
      Before this patch:
      
            [NEW] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
         [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
         [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
        [DESTROY] udp      17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
      
      Note IPS_ASSURED for the flow not yet in the internal stream state.
      
      after this update:
      
            [NEW] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 [UNREPLIED] src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
         [UPDATE] udp      17 30 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282
         [UPDATE] udp      17 120 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
        [DESTROY] udp      17 src=10.246.11.13 dst=216.239.35.0 sport=37282 dport=123 src=216.239.35.0 dst=10.246.11.13 sport=123 dport=37282 [ASSURED]
      
      Before this patch, short-lived UDP flows never entered IPS_ASSURED, so
      they were already candidate flow to be deleted by early_drop under
      stress.
      
      Before this patch, IPS_ASSURED is set on regardless the internal stream
      state, attach this internal stream state to IPS_ASSURED.
      
      packet #1 (original direction) enters NEW state
      packet #2 (reply direction) enters ESTABLISHED state, sets on IPS_SEEN_REPLY
      paclet #3 (any direction) sets on IPS_ASSURED (if 2 seconds since the
                creation has passed by).
      Reported-by: default avatarMaciej Żenczykowski <zenczykowski@gmail.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      b7b1d02f
  2. 30 Oct, 2021 5 commits
  3. 29 Oct, 2021 29 commits