- 09 Jan, 2022 20 commits
-
-
Pablo Neira Ayuso authored
The payload expression might mangle the packet, cancel register tracking since any payload data in the registers is stale. Finer grain register tracking cancellation by inspecting the payload base, offset and length on the register is also possible. Signed-off-by:Pablo Neira Ayuso <pablo@netfilter.org>
-
Pablo Neira Ayuso authored
Check if the destination register already contains the data that this bitwise expression performs. This allows to skip this redundant operation. If the destination contains a different bitwise operation, cancel the register tracking information. If the destination contains no bitwise operation, update the register tracking information. Update the payload and meta expression to check if this bitwise operation has been already performed on the register. Hence, both the payload/meta and the bitwise expressions are reduced. There is also a special case: If source register != destination register and source register is not updated by a previous bitwise operation, then transfer selector from the source register to the destination register. Signed-off-by: -
Pablo Neira Ayuso authored
Check if the destination register already contains the data that this meta store expression performs. This allows to skip this redundant operation. If the destination contains a different selector, update the register tracking information. Signed-off-by: -
Pablo Neira Ayuso authored
Check if the destination register already contains the data that this payload store expression performs. This allows to skip this redundant operation. If the destination contains a different selector, update the register tracking information. Signed-off-by: -
Pablo Neira Ayuso authored
This patch adds new infrastructure to skip redundant selector store operations on the same register to achieve a performance boost from the packet path. This is particularly noticeable in pure linear rulesets but it also helps in rulesets which are already heaving relying in maps to avoid ruleset linear inspection. The idea is to keep data of the most recurrent store operations on register to reuse them with cmp and lookup expressions. This infrastructure allows for dynamic ruleset updates since the ruleset blob reduction happens from the kernel. Userspace still needs to be updated to maximize register utilization to cooperate to improve register data reuse / reduce number of store on register operations. Signed-off-by: -
Pablo Neira Ayuso authored
Add a definition including the maximum number of 32-bits registers that are used a scratchpad memory area to store data. Signed-off-by: -
Pablo Neira Ayuso authored
This patch adds a blob layout per chain to represent the ruleset in the packet datapath. size (unsigned long) struct nft_rule_dp struct nft_expr ... struct nft_rule_dp struct nft_expr ... struct nft_rule_dp (is_last=1) The new structure nft_rule_dp represents the rule in a more compact way (smaller memory footprint) compared to the control-plane nft_rule structure. The ruleset blob is a read-only data structure. The first field contains the blob size, then the rules containing expressions. There is a trailing rule which is used by the tracing infrastructure which is equivalent to the NULL rule marker in the previous representation. The blob size field does not include the size of this trailing rule marker. The ruleset blob is generated from the commit path. This patch reuses the infrastructure available since 0cbc06b3 ("netfilter: nf_tables: remove synchronize_rcu in commit phase") to build the array of rules per chain. Signed-off-by: -
Pablo Neira Ayuso authored
In preparation for the rule blob representation. Signed-off-by: -
Pablo Neira Ayuso authored
From struct nft_limit to nft_limit_priv. Signed-off-by: -
Pablo Neira Ayuso authored
In preparation for the rule blob representation. Signed-off-by: -
Pablo Neira Ayuso authored
In preparation for the rule blob representation. Signed-off-by: -
Pablo Neira Ayuso authored
In preparation for the rule blob representation. Signed-off-by: -
Pablo Neira Ayuso authored
In preparation for the rule blob representation. Signed-off-by: -
Florian Westphal authored
include/linux/netfilter_netdev.h:97 suspicious rcu_dereference_check() usage! 2 locks held by sd-resolve/1100: 0: ..(rcu_read_lock_bh){1:3}, at: ip_finish_output2 1: ..(rcu_read_lock_bh){1:3}, at: __dev_queue_xmit __dev_queue_xmit+0 .. The helper has two callers, one uses rcu_read_lock, the other rcu_read_lock_bh(). Annotate the dereference to reflect this. Fixes: 42df6e1d ("netfilter: Introduce egress hook") Signed-off-by:Florian Westphal <fw@strlen.de> Signed-off-by:
-
Florian Westphal authored
Its the same as nf_conntrack_put(), but without the need for an indirect call. The downside is a module dependency on nf_conntrack, but all of these already depend on conntrack anyway. Cc: Paul Blakey <paulb@mellanox.com> Cc: dev@openvswitch.org Signed-off-by:
-
Florian Westphal authored
nf_ct_put() results in a usesless indirection: nf_ct_put -> nf_conntrack_put -> nf_conntrack_destroy -> rcu readlock + indirect call of ct_hooks->destroy(). There are two _put helpers: nf_ct_put and nf_conntrack_put. The latter is what should be used in code that MUST NOT cause a linker dependency on the conntrack module (e.g. calls from core network stack). Everyone else should call nf_ct_put() instead. A followup patch will convert a few nf_conntrack_put() calls to nf_ct_put(), in particular from modules that already have a conntrack dependency such as act_ct or even nf_conntrack itself. Signed-off-by:
-
Florian Westphal authored
No functional changes, these structures should be const. Signed-off-by:
-
Florian Westphal authored
ip_ct_attach predates struct nf_ct_hook, we can place it there and remove the exported symbol. Signed-off-by:
-
Florian Westphal authored
Convert nf_conn reference counting from atomic_t to refcount_t based api. refcount_t api provides more runtime sanity checks and will warn on certain constructs, e.g. refcount_inc() on a zero reference count, which usually indicates use-after-free. For this reason template allocation is changed to init the refcount to 1, the subsequenct add operations are removed. Likewise, init_conntrack() is changed to set the initial refcount to 1 instead refcount_inc(). This is safe because the new entry is not (yet) visible to other cpus. Signed-off-by:
-
Jiapeng Chong authored
Fix following coccicheck warning: ./include/net/netfilter/nf_conntrack.h:282:16-17: WARNING opportunity for max(). Reported-by:
Abaci Robot <abaci@linux.alibaba.com> Signed-off-by:
Jiapeng Chong <jiapeng.chong@linux.alibaba.com> Signed-off-by:
-
- 24 Dec, 2021 1 commit
-
-
Colin Ian King authored
The pointer lt is being assigned a value and then later updated but that value is never read. The pointer is redundant and can be removed. Signed-off-by:
Colin Ian King <colin.i.king@gmail.com> Signed-off-by:
-
- 23 Dec, 2021 8 commits
-
-
Florian Westphal authored
Just place the structs and registration in the inet module. nf_flow_table_ipv6, nf_flow_table_ipv4 and nf_flow_table_inet share same module dependencies: nf_flow_table, nf_tables. before: text data bss dec hex filename 2278 1480 0 3758 eae nf_flow_table_inet.ko 1159 1352 0 2511 9cf nf_flow_table_ipv6.ko 1154 1352 0 2506 9ca nf_flow_table_ipv4.ko after: 2369 1672 0 4041 fc9 nf_flow_table_inet.ko Signed-off-by:
-
Florian Westphal authored
If destination port is above 32k and source port below 16k assume this might cause 'port shadowing' where a 'new' inbound connection matches an existing one, e.g. inbound X:41234 -> Y:53 matches existing conntrack entry Z:53 -> X:4123, where Z got natted to X. In this case, new packet is natted to Z:53 which is likely unwanted. We avoid the rewrite for connections that originate from local host: port-shadowing is only possible with forwarded connections. Also adjust test case. v3: no need to call tuple_force_port_remap if already in random mode (Phil) Signed-off-by:Phil Sutter <phil@nwl.cc> Acked-by:
Eric Garver <eric@garver.life> Signed-off-by:
-
Florian Westphal authored
This allows to identify flows that originate from local machine in a followup patch. It would be possible to make this a ->status bit instead. For now I did not do that yet because I don't have a use-case for exposing this info to userspace. If one comes up the toggle can be replaced with a status bit. Signed-off-by:
-
Pablo Neira Ayuso authored
Make counter support built-in to allow for direct call in case of CONFIG_RETPOLINE. Signed-off-by: -
Pablo Neira Ayuso authored
Bug might trigger warning for each packet, call WARN_ON_ONCE instead. Signed-off-by: -
Pablo Neira Ayuso authored
Add function to consolidate verdict tracing. Signed-off-by: -
Pablo Neira Ayuso authored
BUG() is too harsh for unknown payload base, use WARN_ON_ONCE() instead. Signed-off-by: -
Pablo Neira Ayuso authored
Chain stats are updated from the Netfilter hook path which already run under rcu read-size lock section. Signed-off-by:
-
- 16 Dec, 2021 11 commits
-
-
Eric Dumazet authored
If compiled with CONFIG_NET_NS_REFCNT_TRACKER=y, using put_net_track() in iterate_cleanup_work() and netns_tracker_alloc() in nf_nat_masq_schedule() might help us finding netns refcount imbalances. Signed-off-by:
Eric Dumazet <edumazet@google.com> Signed-off-by:
-
Eric Dumazet authored
If compiled with CONFIG_NET_NS_REFCNT_TRACKER=y, using put_net_track() in nfulnl_instance_free_rcu() and get_net_track() in instance_create() might help us finding netns refcount imbalances. Signed-off-by:
-
Volodymyr Mytnyk authored
Add user template explicit support. At this moment, max TCAM rule size is utilized for all rules, doesn't matter which and how much flower matches are provided by user. It means that some of TCAM space is wasted, which impacts the number of filters that can be offloaded. Introducing the template, allows to have more HW offloaded filters by specifying the template explicitly. Example: tc qd add dev PORT clsact tc chain add dev PORT ingress protocol ip \ flower dst_ip 0.0.0.0/16 tc filter add dev PORT ingress protocol ip \ flower skip_sw dst_ip 1.2.3.4/16 action drop NOTE: chain 0 is the default chain id for "tc chain" & "tc filter" command, so it is omitted in the example above. This patch adds only template support for default chain 0 suppoerted by prestera driver at this moment. Chains are not supported yet, and will be added later. Signed-off-by:Volodymyr Mytnyk <vmytnyk@marvell.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
-
Luiz Angelo Daros de Luca authored
Recent net-next fails to initialize ports with: realtek-smi switch: phy mode gmii is unsupported on port 0 realtek-smi switch lan5 (uninitialized): validation of gmii with support 0000000,00000000,000062ef and advertisement 0000000,00000000,000062ef failed: -22 realtek-smi switch lan5 (uninitialized): failed to connect to PHY: -EINVAL realtek-smi switch lan5 (uninitialized): error -22 setting up PHY for tree 1, switch 0, port 0 Current net branch(3dd7d40b) is not affected. I also noticed the same issue before with older versions but using a MDIO interface driver, not realtek-smi. Tested-by:
Arınç ÜNAL <arinc.unal@arinc9.com> Signed-off-by:
Luiz Angelo Daros de Luca <luizluca@gmail.com> Signed-off-by:
-
David S. Miller authored
Jeroen de Borst says: ==================== gve improvements This patchset consists of unrelated changes: A bug fix for an issue that disabled jumbo-frame support, a few code improvements and minor funcitonal changes and 3 new features: Supporting tx|rx-coalesce-usec for DQO Suspend/resume/shutdown Optional metadata descriptors ==================== Signed-off-by: -
Tao Liu authored
Adding ethtool support for changing rx-coalesce-usec and tx-coalesce-usec when using the DQO queue format. Signed-off-by:
Tao Liu <xliutaox@google.com> Signed-off-by:
Jeroen de Borst <jeroendb@google.com> Signed-off-by:
-
Jordan Kim authored
Being able to see how many descriptors are in-use is helpful when diagnosing certain issues. Signed-off-by:
Jordan Kim <jrkim@google.com> Signed-off-by:
-
Catherine Sullivan authored
Add support for suspend, resume and shutdown. Signed-off-by:
Catherine Sullivan <csully@google.com> Signed-off-by:
David Awogbemila <awogbemila@google.com> Signed-off-by:
-
Willem de Bruijn authored
Allow drivers to pass metadata along with packet data to the device. Introduce a new metadata descriptor type * GVE_TXD_MTD This descriptor is optional. If present it immediate follows the packet descriptor and precedes the segment descriptor. This descriptor may be repeated. Multiple metadata descriptors may follow. There are no immediate uses for this, this is for future proofing. At present devices allow only 1 MTD descriptor. The lower four bits of the type_flags field encode GVE_TXD_MTD. The upper four bits of the type_flags field encodes a *sub*type. Introduce one such metadata descriptor subtype * GVE_MTD_SUBTYPE_PATH This shares path information with the device for network failure discovery and robust response: Linux derives ipv6 flowlabel and ECMP multipath from sk->sk_txhash, and updates this field on error with sk_rethink_txhash. Allow the host stack to do the same. Pass the tx_hash value if set. Also communicate whether the path hash is set, or more exactly, what its type is. Define two common types GVE_MTD_PATH_HASH_NONE GVE_MTD_PATH_HASH_L4 Concrete examples of error conditions that are resolved are mentioned in the commits that add sk_rethink_txhash calls. Such as commit 7788174e ("tcp: change IPv6 flow-label upon receiving spurious retransmission"). Experimental results mirror what the theory suggests: where IPv6 FlowLabel is included in path selection (e.g., LAG/ECMP), flowlabel rotation on TCP timeout avoids the vast majority of TCP disconnects that would otherwise have occurred during link failures in long-haul backbones, when an alternative path is available. Rotation can be applied to various bad connection signals, such as timeouts and spurious retransmissions. In aggregate, such flow level signals can help locate network issues. Define initial common states: GVE_MTD_PATH_STATE_DEFAULT GVE_MTD_PATH_STATE_TIMEOUT GVE_MTD_PATH_STATE_CONGESTION GVE_MTD_PATH_STATE_RETRANSMIT Signed-off-by:
Willem de Bruijn <willemb@google.com> Signed-off-by:
-
Catherine Sullivan authored
No longer needed after we introduced the barrier in gve_napi_poll. Signed-off-by:
-
Catherine Sullivan authored
The id field should be a u32 not a signed int. Signed-off-by:
-
