1. 26 Apr, 2023 12 commits
  2. 25 Apr, 2023 26 commits
  3. 24 Apr, 2023 2 commits
    • Jakub Kicinski's avatar
      Merge tag 'nf-next-23-04-22' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next · ffcddcae
      Jakub Kicinski authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS updates for net-next
      
      1) Reduce jumpstack footprint: Stash chain in last rule marker in blob for
         tracing. Remove last rule and chain from jumpstack. From Florian Westphal.
      
      2) nf_tables validates all tables before committing the new rules.
         Unfortunately, this has two drawbacks:
      
         - Since addition of the transaction mutex pernet state gets written to
           outside of the locked section from the cleanup callback, this is
           wrong so do this cleanup directly after table has passed all checks.
      
         - Revalidate tables that saw no changes. This can be avoided by
           keeping the validation state per table, not per netns.
      
         From Florian Westphal.
      
      3) Get rid of a few redundant pointers in the traceinfo structure.
         The three removed pointers are used in the expression evaluation loop,
         so gcc keeps them in registers. Passing them to the (inlined) helpers
         thus doesn't increase nft_do_chain text size, while stack is reduced
         by another 24 bytes on 64bit arches. From Florian Westphal.
      
      4) IPVS cleanups in several ways without implementing any functional
         changes, aside from removing some debugging output:
      
         - Update width of source for ip_vs_sync_conn_options
           The operation is safe, use an annotation to describe it properly.
      
         - Consistently use array_size() in ip_vs_conn_init()
           It seems better to use helpers consistently.
      
         - Remove {Enter,Leave}Function. These seem to be well past their
           use-by date.
      
         - Correct spelling in comments.
      
         From Simon Horman.
      
      5) Extended netlink error report for netdevice in flowtables and
         netdev/chains. Allow for incrementally add/delete devices to netdev
         basechain. Allow to create netdev chain without device.
      
      * tag 'nf-next-23-04-22' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
        netfilter: nf_tables: allow to create netdev chain without device
        netfilter: nf_tables: support for deleting devices in an existing netdev chain
        netfilter: nf_tables: support for adding new devices to an existing netdev chain
        netfilter: nf_tables: rename function to destroy hook list
        netfilter: nf_tables: do not send complete notification of deletions
        netfilter: nf_tables: extended netlink error reporting for netdevice
        ipvs: Correct spelling in comments
        ipvs: Remove {Enter,Leave}Function
        ipvs: Consistently use array_size() in ip_vs_conn_init()
        ipvs: Update width of source for ip_vs_sync_conn_options
        netfilter: nf_tables: do not store rule in traceinfo structure
        netfilter: nf_tables: do not store verdict in traceinfo structure
        netfilter: nf_tables: do not store pktinfo in traceinfo structure
        netfilter: nf_tables: remove unneeded conditional
        netfilter: nf_tables: make validation state per table
        netfilter: nf_tables: don't write table validation state without mutex
        netfilter: nf_tables: don't store chain address on jump
        netfilter: nf_tables: don't store address of last rule on jump
        netfilter: nf_tables: merge nft_rules_old structure and end of ruleblob marker
      ====================
      
      Link: https://lore.kernel.org/r/20230421235021.216950-1-pablo@netfilter.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ffcddcae
    • Yafang Shao's avatar
      bpf: Add __rcu_read_{lock,unlock} into btf id deny list · a0c109dc
      Yafang Shao authored
      The tracing recursion prevention mechanism must be protected by rcu, that
      leaves __rcu_read_{lock,unlock} unprotected by this mechanism. If we trace
      them, the recursion will happen. Let's add them into the btf id deny list.
      
      When CONFIG_PREEMPT_RCU is enabled, it can be reproduced with a simple bpf
      program as such:
        SEC("fentry/__rcu_read_lock")
        int fentry_run()
        {
            return 0;
        }
      Signed-off-by: default avatarYafang Shao <laoar.shao@gmail.com>
      Link: https://lore.kernel.org/r/20230424161104.3737-2-laoar.shao@gmail.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a0c109dc