1. 30 Mar, 2018 39 commits
    • net: mvneta: remove duplicate *_coal assignment · 02281a35
      Jisheng Zhang authored
      The style of the rx/tx queue's *_coal member assignment is:
      
      static void foo_coal_set(...)
      {
      	set the coal in hw;
      	update queue's foo_coal member; [1]
      }
      
      In other place, we call foo_coal_set(pp, queue->foo_coal), so the above [1]
      is duplicated and could be removed.
      Signed-off-by: Jisheng Zhang <Jisheng.Zhang@synaptics.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'do-not-allow-adding-routes-if-disable_ipv6-is-enabled' · e7696042
      David S. Miller authored
      Lorenzo Bianconi says:
      
      ====================
      do not allow adding routes if disable_ipv6 is enabled
      
      Do not allow userspace to add static ipv6 routes if disable_ipv6 is enabled.
      Update disable_ipv6 documentation according to that change
      
      Changes since v1:
      - added an extack message telling the user that IPv6 is disabled on the nexthop
        device
      - rebased on-top of net-next
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Documentation: ip-sysctl.txt: clarify disable_ipv6 · 2f0aaf7f
      Lorenzo Bianconi authored
      Clarify that when disable_ipv6 is enabled even the ipv6 routes
      are deleted for the selected interface and from now it will not
      be possible to add addresses/routes to that interface
      Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • ipv6: do not set routes if disable_ipv6 has been enabled · 428604fb
      Lorenzo Bianconi authored
      Do not allow setting ipv6 routes from userspace if disable_ipv6 has been
      enabled. The issue can be triggered using the following reproducer:
      
      - sysctl net.ipv6.conf.all.disable_ipv6=1
      - ip -6 route add a:b:c:d::/64 dev em1
      - ip -6 route show
        a:b:c:d::/64 dev em1 metric 1024 pref medium
      
      Fix it checking disable_ipv6 value in ip6_route_info_create routine
      Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next · d162190b
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS updates for net-next
      
      The following patchset contains Netfilter/IPVS updates for your net-next
      tree. This batch comes with more input sanitization for xtables to
      address bug reports from fuzzers, preparation works to the flowtable
      infrastructure and assorted updates. In no particular order, they are:
      
      1) Make sure userspace provides a valid standard target verdict, from
         Florian Westphal.
      
      2) Sanitize error target size, also from Florian.
      
      3) Validate that last rule in basechain matches underflow/policy since
         userspace assumes this when decoding the ruleset blob that comes
         from the kernel, from Florian.
      
      4) Consolidate hook entry checks through xt_check_table_hooks(),
         patch from Florian.
      
      5) Cap ruleset allocations at 512 mbytes, 134217728 rules and reject
         very large compat offset arrays, so we have a reasonable upper limit
         and fuzzers don't exercise the oom-killer. Patches from Florian.
      
      6) Several WARN_ON checks on xtables mutex helper, from Florian.
      
      7) xt_rateest now has a hashtable per net, from Cong Wang.
      
      8) Consolidate counter allocation in xt_counters_alloc(), from Florian.
      
      9) Earlier xt_table_unlock() call in {ip,ip6,arp,eb}tables, patch
         from Xin Long.
      
      10) Set FLOW_OFFLOAD_DIR_* to IP_CT_DIR_* definitions, patch from
          Felix Fietkau.
      
      11) Consolidate code through flow_offload_fill_dir(), also from Felix.
      
      12) Inline ip6_dst_mtu_forward() just like ip_dst_mtu_maybe_forward()
          to remove a dependency with flowtable and ipv6.ko, from Felix.
      
      13) Cache mtu size in flow_offload_tuple object, this is safe for
          forwarding as f87c10a8 describes, from Felix.
      
      14) Rename nf_flow_table.c to nf_flow_table_core.o, to simplify too
          modular infrastructure, from Felix.
      
      15) Add rt0, rt2 and rt4 IPv6 routing extension support, patch from
          Ahmed Abdelsalam.
      
      16) Remove unused parameter in nf_conncount_count(), from Yi-Hung Wei.
      
      17) Support for counting only to nf_conncount infrastructure, patch
          from Yi-Hung Wei.
      
      18) Add strict NFT_CT_{SRC_IP,DST_IP,SRC_IP6,DST_IP6} key datatypes
          to nft_ct.
      
      19) Use boolean as return value from ipt_ah and from IPVS too, patch
          from Gustavo A. R. Silva.
      
      20) Remove useless parameters in nfnl_acct_overquota() and
          nf_conntrack_broadcast_help(), from Taehee Yoo.
      
      21) Use ipv6_addr_is_multicast() from xt_cluster, also from Taehee Yoo.
      
      22) Statify nf_tables_obj_lookup_byhandle, patch from Fengguang Wu.
      
      23) Fix typo in xt_limit, from Geert Uytterhoeven.
      
      24) Do not use VLAs in Netfilter code, again from Gustavo.
      
      25) Use ADD_COUNTER from ebtables, from Taehee Yoo.
      
      26) Bitshift support for CONNMARK and MARK targets, from Jack Ma.
      
      27) Use pr_*() and add pr_fmt(), from Arushi Singhal.
      
      28) Add synproxy support to ctnetlink.
      
      29) ICMP type and IGMP matching support for ebtables, patches from
          Matthias Schiffer.
      
      30) Support for the revision infrastructure to ebtables, from
          Bernie Harris.
      
      31) String match support for ebtables, also from Bernie.
      
      32) Documentation for the new flowtable infrastructure.
      
      33) Use generic comparison functions in ebt_stp, from Joe Perches.
      
      34) Demodularize filter chains in nftables.
      
      35) Register conntrack hooks in case nftables NAT chain is added.
      
      36) Merge assignments with return in a couple of spots in the
          Netfilter codebase, also from Arushi.
      
      37) Document that xtables percpu counters are stored in the same
          memory area, from Ben Hutchings.
      
      38) Revert mark_source_chains() sanity checks that break existing
          rulesets, from Florian Westphal.
      
      39) Use is_zero_ether_addr() in the ipset codebase, from Joe Perches.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'Close-race-between-un-register_netdevice_notifier-and-pernet_operations' · b9a12601
      David S. Miller authored
      Kirill Tkhai says:
      
      ====================
      Close race between {un, }register_netdevice_notifier and pernet_operations
      
      the problem is {,un}register_netdevice_notifier() do not take
      pernet_ops_rwsem, and they don't see network namespaces, being
      initialized in setup_net() and cleanup_net(), since at this
      time net is not hashed to net_namespace_list.
      
      This may lead to imbalance, when a notifier is called at time of
      setup_net()/net is alive, but it's not called at time of cleanup_net(),
      for the devices, hashed to the net, and vice versa. See (3/3) for
      the scheme of imbalance.
      
      This patchset fixes the problem by acquiring pernet_ops_rwsem
      at the time of {,un}register_netdevice_notifier() (3/3).
      (1-2/3) are preparations in xfrm and netfilter subsystems.
      
      The problem was introduced long ago, but backporting won't be easy,
      since every previous kernel version may have changes in netdevice
      notifiers, and they all need review and testing. Otherwise, there
      may be more pernet_operations, which register or unregister
      netdevice notifiers, and that leads to deadlock (which was fixed
      in 1-2/3). This patchset is for net-next.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Close race between {un, }register_netdevice_notifier() and setup_net()/cleanup_net() · 328fbe74
      Kirill Tkhai authored
      {un,}register_netdevice_notifier() iterate over all net namespaces
      hashed to net_namespace_list. But pernet_operations register and
      unregister netdevices in unhashed net namespace, and they are not
      seen for netdevice notifiers. This results in asymmetry:
      
      1)Race with register_netdevice_notifier()
        pernet_operations::init(net)	...
         register_netdevice()		...
          call_netdevice_notifiers()  ...
            ... nb is not called ...
        ...				register_netdevice_notifier(nb) -> net skipped
        ...				...
        list_add_tail(&net->list, ..) ...
      
        Then, userspace stops using net, and it's destructed:
      
        pernet_operations::exit(net)
         unregister_netdevice()
          call_netdevice_notifiers()
            ... nb is called ...
      
      This always happens with net::loopback_dev, but it may be not the only device.
      
      2)Race with unregister_netdevice_notifier()
        pernet_operations::init(net)
         register_netdevice()
          call_netdevice_notifiers()
            ... nb is called ...
      
        Then, userspace stops using net, and it's destructed:
      
        list_del_rcu(&net->list)	...
        pernet_operations::exit(net)  unregister_netdevice_notifier(nb) -> net skipped
         dev_change_net_namespace()	...
          call_netdevice_notifiers()
            ... nb is not called ...
         unregister_netdevice()
          call_netdevice_notifiers()
            ... nb is not called ...
      
      This race is more dangerous, since dev_change_net_namespace() moves real
      network devices, which use not trivial netdevice notifiers, and if this
      will happen, the system will be left in unpredictable state.
      
      The patch closes the race. During the testing I found two places,
      where register_netdevice_notifier() is called from pernet init/exit
      methods (which led to deadlock) and fixed them (see previous patches).
      
      The review moved me to one more unusual registration place:
      raw_init() (can driver). It may be a reason of problems,
      if someone creates in-kernel CAN_RAW sockets, since they
      will be destroyed in exit method and raw_release()
      will call unregister_netdevice_notifier(). But grep over
      kernel tree does not show, someone creates such sockets
      from kernel space.
      
      Theoretically, there can be more places like this, and which are
      hidden from review, but we found them on the first bumping there
      (since there is no race, it will be 100% reproducible).
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: Rework xt_TEE netdevice notifier · 9e2f6c5d
      Kirill Tkhai authored
      Register netdevice notifier for every iptable entry
      is not good, since this breaks modularity, and
      the hidden synchronization is based on rtnl_lock().
      
      This patch reworks the synchronization via new lock,
      while the rest of logic remains as it was before.
      This is required for the next patch.
      
      Tested via:
      
      while :; do
      	unshare -n iptables -t mangle -A OUTPUT -j TEE --gateway 1.1.1.2 --oif lo;
      done
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • xfrm: Register xfrm_dev_notifier in appropriate place · e9a441b6
      Kirill Tkhai authored
      Currently, driver registers it from pernet_operations::init method,
      and this breaks modularity, because initialization of net namespace
      and netdevice notifiers are orthogonal actions. We don't have
      per-namespace netdevice notifiers; all of them are global for all
      devices in all namespaces.
      Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'Implement-of_get_nvmem_mac_address-helper' · caeeeda3
      David S. Miller authored
      Mike Looijmans says:
      
      ====================
      of_net: Implement of_get_nvmem_mac_address helper
      
      Posted this as a small set now, with an (optional) second patch that shows
      how the changes work and what I've used to test the code on a Topic Miami board.
      I've taken the liberty to add appropriate "Acked" and "Review" tags.
      
      v4: Replaced "6" with ETH_ALEN
      
      v3: Add patch that implements mac in nvmem for the Cadence MACB controller
          Remove the integrated of_get_mac_address call
      
      v2: Use of_nvmem_cell_get to avoid needing the associated device
          Use void* instead of char*
          Add devicetree binding doc
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: macb: Try to retrieve MAC addess from nvmem provider · aa076e3d
      Mike Looijmans authored
      Call of_get_nvmem_mac_address() to fetch the MAC address from an nvmem
      cell, if one is provided in the device tree. This allows the address to
      be stored in an I2C EEPROM device for example.
      Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
      Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • of_net: Implement of_get_nvmem_mac_address helper · 9217e566
      Mike Looijmans authored
      It's common practice to store MAC addresses for network interfaces into
      nvmem devices. However the code to actually do this in the kernel lacks,
      so this patch adds of_get_nvmem_mac_address() for drivers to obtain the
      address from an nvmem cell provider.
      
      This is particularly useful on devices where the ethernet interface cannot
      be configured by the bootloader, for example because it's in an FPGA.
      Signed-off-by: Mike Looijmans <mike.looijmans@topic.nl>
      Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'nfp-flower-handle-MTU-changes' · 64e828df
      David S. Miller authored
      Jakub Kicinski says:
      
      ====================
      nfp: flower: handle MTU changes
      
      This set improves MTU handling for flower offload.  The max MTU is
      correctly capped and physical port MTU is communicated to the FW
      (and indirectly HW).
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nfp: flower: offload phys port MTU change · 29a5dcae
      John Hurley authored
      Trigger a port mod message to request an MTU change on the NIC when any
      physical port representor is assigned a new MTU value. The driver waits
      10 msec for an ack that the FW has set the MTU. If no ack is received the
      request is rejected and an appropriate warning flagged.
      
      Rather than maintain an MTU queue per repr, one is maintained per app.
      Because the MTU ndo is protected by the rtnl lock, there can never be
      contention here. Portmod messages from the NIC are also protected by
      rtnl so we first check if the portmod is an ack and, if so, handle outside
      rtnl and the cmsg work queue.
      
      Acks are detected by the marking of a bit in a portmod response. They are
      then verified by checking the port number and MTU value expected by the
      app. If the expected MTU is 0 then no acks are currently expected.
      
      Also, ensure that the packet headroom reserved by the flower firmware is
      considered when accepting an MTU change on any repr.
      Signed-off-by: John Hurley <john.hurley@netronome.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • nfp: modify app MTU setting callbacks · 167cebef
      John Hurley authored
      Rename the 'change_mtu' app callback to 'check_mtu'. This is called
      whenever an MTU change is requested on a netdev. It can reject the
      change but is not responsible for implementing it.
      
      Introduce a new 'repr_change_mtu' app callback that is hit when the MTU
      of a repr is to be changed. This is responsible for performing the MTU
      change and verifying it.
      Signed-off-by: John Hurley <john.hurley@netronome.com>
      Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'phylink-API-changes' · 44465c47
      David S. Miller authored
      Florian Fainelli says:
      
      ====================
      phylink: API changes
      
      This patch series contains two API changes to PHYLINK which will later be used
      by DSA to migrate to PHYLINK. Because these are API changes that impact other
      outstanding work (e.g: MVPP2) I would rather get them included sooner to minimize
      conflicts.
      
      Thank you!
      
      Changes in v2:
      
      - added missing documentation to mac_link_{up,down} that the interface
        must be configured in mac_config()
      
      - added Russell's, Andrew's and my tags
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sfp/phylink: move module EEPROM ethtool access into netdev core ethtool · e679c9c1
      Russell King authored
      Provide a pointer to the SFP bus in struct net_device, so that the
      ethtool module EEPROM methods can access the SFP directly, rather
      than needing every user to provide a hook for it.
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: phy: phylink: Provide PHY interface to mac_link_{up, down} · c6ab3008
      Florian Fainelli authored
      In preparation for having DSA transition entirely to PHYLINK, we need to pass a
      PHY interface type to the mac_link_{up,down} callbacks because we may have to
      make decisions on that (e.g: turn on/off RGMII interfaces etc.). We do not pass
      an entire phylink_link_state because not all parameters (pause, duplex etc.) are
      defined when the link is down, only link and interface are.
      
      Update mvneta accordingly since it currently implements phylink_mac_ops.
      Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Acked-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • MAINTAINERS: update vmxnet3 driver maintainer · 2166dc95
      Ronak Doshi authored
      Shrikrishna Khare would no longer maintain the vmxnet3 driver. Taking
      over the role of vmxnet3 maintainer.
      Signed-off-by: Ronak Doshi <doshir@vmware.com>
      Signed-off-by: Shrikrishna Khare <skhare@vmware.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'net-Broadcom-drivers-coalescing-fixes' · 95e623fd
      David S. Miller authored
      Florian Fainelli says:
      
      ====================
      net: Broadcom drivers coalescing fixes
      
      Following Tal's review of the adaptive RX/TX coalescing feature added to the
      SYSTEMPORT and GENET driver a number of things showed up:
      
      - adaptive TX coalescing is not actually a good idea with the current way
        the estimator will program the ring, this results in a higher CPU load, NAPI
        on TX already does a reasonably good job at maintaining the interrupt count low
      
      - both SYSTEMPORT and GENET would suffer from the same issues while configuring
        coalescing parameters where the values would just not be applied correctly
        based on user settings, so we fix that too
      
      Tal, thanks again for your feedback, I would appreciate if you could review that
      the new behavior appears to be implemented correctly.
      
      Thanks!
      
      Changes in v2:
      
      - added Tal's reviewed-by to the first patch
      - split DIM initialization from coalescing parameters initialization
      - avoid duplicating the same code in bcmgenet_set_coalesce() when configuring RX rings
      - fixed the condition where default DIM parameters would be applied when
        adaptive RX coalescing would be enabled, do this only if it was disabled before
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: bcmgenet: Fix coalescing settings handling · 5e6ce1f1
      Florian Fainelli authored
      There were a number of issues with setting the RX coalescing parameters:
      
      - we would not be preserving values that would have been configured
        across close/open calls, instead we would always reset to no timeout
        and 1 interrupt per packet, this would also prevent DIM from setting its
        default usec/pkts values
      
      - when adaptive RX would be turned on, we would not be fetching the
        default parameters, we would stay with no timeout/1 packet per interrupt
        until the estimator kicks in and changes that
      
      - finally disabling adaptive RX coalescing while providing parameters
        would not be honored, and we would stay with whatever DIM had previously
        determined instead of the user requested parameters
      
      Fixes: 9f4ca058 ("net: bcmgenet: Add support for adaptive RX coalescing")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Tal Gilboa <talgi@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: systemport: Fix coalescing settings handling · a8cdfbdf
      Florian Fainelli authored
      There were a number of issues with setting the RX coalescing parameters:
      
      - we would not be preserving values that would have been configured
        across close/open calls, instead we would always reset to no timeout
        and 1 interrupt per packet, this would also prevent DIM from setting its
        default usec/pkts values
      
      - when adaptive RX would be turned on, we would not be fetching the
        default parameters, we would stay with no timeout/1 packet per
        interrupt until the estimator kicks in and changes that
      
      - finally disabling adaptive RX coalescing while providing parameters
        would not be honored, and we would stay with whatever DIM had
        previously determined instead of the user requested parameters
      
      Fixes: b6e0e875 ("net: systemport: Implement adaptive interrupt coalescing")
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Reviewed-by: Tal Gilboa <talgi@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: systemport: Remove adaptive TX coalescing · fd41f2bf
      Florian Fainelli authored
      Adaptive TX coalescing is not currently giving us any advantages and
      ends up making the CPU spin more frequently until TX completion. Deny
      and disable adaptive TX coalescing for now and rely on static
      configuration, we can always add it back later.
      Reviewed-by: Tal Gilboa <talgi@mellanox.com>
      Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Call add/kill vid ndo on vlan filter feature toggling · 9daae9bd
      Gal Pressman authored
      NETIF_F_HW_VLAN_[CS]TAG_FILTER features require more than just a bit
      flip in dev->features in order to keep the driver in a consistent state.
      These features notify the driver of each added/removed vlan, but toggling
      of vlan-filter does not notify the driver accordingly for each of the
      existing vlans.
      
      This patch implements a similar solution to NETIF_F_RX_UDP_TUNNEL_PORT
      behavior (which notifies the driver about UDP ports in the same manner
      that vids are reported).
      
      Each toggling of the features propagates to the 8021q module, which
      iterates over the vlans and call add/kill ndo accordingly.
      Signed-off-by: Gal Pressman <galp@mellanox.com>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • cxgb4: fix error return code in adap_init0() · 004c3cf1
      Wei Yongjun authored
      Fix to return a negative error code from the hash filter init error
      handling case instead of 0, as done elsewhere in this function.
      
      Fixes: 5c31254e ("cxgb4: initialize hash-filter configuration")
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: ipset: Use is_zero_ether_addr instead of static and memcmp · 26c97c5d
      Joe Perches authored
      To make the test a bit clearer and to reduce object size a little.
      
      Miscellanea:
      
      o remove now unnecessary static const array
      
      $ size ip_set_hash_mac.o*
         text	   data	    bss	    dec	    hex	filename
        22822	   4619	     64	  27505	   6b71	ip_set_hash_mac.o.allyesconfig.new
        22932	   4683	     64	  27679	   6c1f	ip_set_hash_mac.o.allyesconfig.old
        10443	   1040	      0	  11483	   2cdb	ip_set_hash_mac.o.defconfig.new
        10507	   1040	      0	  11547	   2d1b	ip_set_hash_mac.o.defconfig.old
      Signed-off-by: Joe Perches <joe@perches.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • Revert "netfilter: x_tables: ensure last rule in base chain matches underflow/policy" · e3b5e1ec
      Florian Westphal authored
      This reverts commit 0d7df906.
      
      Valdis Kletnieks reported that xtables is broken in linux-next since
      0d7df906  ("netfilter: x_tables: ensure last rule in base chain
      matches underflow/policy"), as kernel rejects the (well-formed) ruleset:
      
      [   64.402790] ip6_tables: last base chain position 1136 doesn't match underflow 1344 (hook 1)
      
      mark_source_chains is not the correct place for such a check, as it
      terminates evaluation of a chain once it sees an unconditional verdict
      (following rules are known to be unreachable). It seems preferable to
      fix libiptc instead, so remove this check again.
      
      Fixes: 0d7df906 ("netfilter: x_tables: ensure last rule in base chain matches underflow/policy")
      Reported-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: x_tables: Add note about how to free percpu counters · 9ba5c404
      Ben Hutchings authored
      Due to the way percpu counters are allocated and freed in blocks,
      it is not safe to free counters individually.  Currently all callers
      do the right thing, but let's note this restriction.
      
      Fixes: ae0ac0ed ("netfilter: x_tables: pack percpu counter allocations")
      Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: Merge assignment with return · c47d36b3
      Arushi Singhal authored
      Merge assignment with return statement to directly return the value.
      Signed-off-by: Arushi Singhal <arushisinghal19971997@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: use nft_set_lookup_global from nf_tables_newsetelem() · a3073c17
      Pablo Neira Ayuso authored
      Replace opencoded implementation of nft_set_lookup_global() by call to
      this function.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: rename to nft_set_lookup_global() · 10659cba
      Pablo Neira Ayuso authored
      To prepare shorter introduction of shorter function prefix.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: enable conntrack if NAT chain is registered · 43a605f2
      Pablo Neira Ayuso authored
      Register conntrack hooks if the user adds NAT chains. Users get confused
      with the existing behaviour since they will see no packets hitting this
      chain until they add the first rule that refers to conntrack.
      
      This patch adds new ->init() and ->free() indirections to chain types
      that can be used by NAT chains to invoke the conntrack dependency.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: build-in filter chain type · 02c7b25e
      Pablo Neira Ayuso authored
      One module per supported filter chain family type takes too much memory
      for very little code - too much modularization - place all chain filter
      definitions in one single file.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: nft_register_chain_type() returns void · cc07eeb0
      Pablo Neira Ayuso authored
      Use WARN_ON() instead since it should not happen that neither family
      goes over NFPROTO_NUMPROTO nor there is already a chain of this type
      already registered.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: rename struct nf_chain_type · 32537e91
      Pablo Neira Ayuso authored
      Use nft_ prefix. When I added chain types, I forgot to use the
      nftables prefix. Rename enum nft_chain_type to enum nft_chain_types too,
      otherwise there is an overlap.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ebt_stp: Use generic functions for comparisons · 9124a20d
      Joe Perches authored
      Instead of unnecessary const declarations, use the generic functions to
      save a little object space.
      
      $ size net/bridge/netfilter/ebt_stp.o*
         text	   data	    bss	    dec	    hex	filename
         1250	    144	      0	   1394	    572	net/bridge/netfilter/ebt_stp.o.new
         1344	    144	      0	   1488	    5d0	net/bridge/netfilter/ebt_stp.o.old
      Signed-off-by: Joe Perches <joe@perches.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: add flowtable documentation · 19b351f1
      Pablo Neira Ayuso authored
      This patch adds initial documentation for the Netfilter flowtable
      infrastructure.
      Reviewed-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ebtables: Add string filter · 1be3ac98
      Bernie Harris authored
      This patch is part of a proposal to add a string filter to
      ebtables, which would be similar to the string filter in
      iptables. Like iptables, the ebtables filter uses the xt_string
      module.
      Signed-off-by: Bernie Harris <bernie.harris@alliedtelesis.co.nz>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: ebtables: Add support for specifying match revision · 39c202d2
      Bernie Harris authored
      Currently ebtables assumes that the revision number of all match
      modules is 0, which is an issue when trying to use existing
      xtables matches with ebtables. The solution is to modify ebtables
      to allow extensions to specify a revision number, similar to
      iptables. This gets passed down to the kernel, which is then able
      to find the match module correctly.
      
      To maintain binary backwards compatibility, the size of the ebt_entry
      structures is not changed, only the size of the name field is
      decreased by 1 byte to make room for the revision field.
      Signed-off-by: Bernie Harris <bernie.harris@alliedtelesis.co.nz>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  2. 29 Mar, 2018 1 commit
    • Merge tag 'wireless-drivers-next-for-davem-2018-03-29' of... · 18845557
      David S. Miller authored
      Merge tag 'wireless-drivers-next-for-davem-2018-03-29' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next
      
      Kalle Valo says:
      
      ====================
      wireless-drivers-next patches for 4.17
      
      Smaller new features to various drivers but nothing really out of
      ordinary.
      
      Major changes:
      
      ath10k
      
      * enable chip temperature measurement for QCA6174/QCA9377
      
      * add firmware memory dump for QCA9984
      
      * enable buffer STA on TDLS link for QCA6174
      
      * support different beacon intervals in multiple interface scenario
        for QCA988X/QCA99X0/QCA9984/QCA4019
      
      iwlwifi
      
      * support for new PCI IDs for the 9000 family
      
      * support for a new firmware API version
      
      * support for advanced dwell and Optimized Connectivity Experience
        (OCE) in scanning
      
      btrsi
      
      * fix kconfig dependencies
      
      wil6210
      
      * support multiple virtual interfaces
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>