linux.git/include/net/netfilter, branch v5.7-rc2 Linux kernel source tree netfilter: nf_tables: do not update stateful expressions if lookup is inverted 2020-04-05T21:26:36+00:00 Pablo Neira Ayuso pablo@netfilter.org 2020-03-31T21:02:59+00:00 a26c1e49c8e97922edc8d7e23683384729d09f77 Initialize set lookup matching element to NULL. Otherwise, the NFT_LOOKUP_F_INV flag reverses the matching logic and it leads to deference an uninitialized pointer to the matching element. Make sure element data area and stateful expression are accessed if there is a matching set element. This patch undoes 24791b9aa1ab ("netfilter: nft_set_bitmap: initialize set element extension in lookups") which is not required anymore. Fixes: 339706bc21c1 ("netfilter: nft_lookup: update element stateful expression") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Initialize set lookup matching element to NULL. Otherwise, the
NFT_LOOKUP_F_INV flag reverses the matching logic and it leads to
deference an uninitialized pointer to the matching element. Make sure
element data area and stateful expression are accessed if there is a
matching set element.

This patch undoes 24791b9aa1ab ("netfilter: nft_set_bitmap: initialize set
element extension in lookups") which is not required anymore.

Fixes: 339706bc21c1 ("netfilter: nft_lookup: update element stateful expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: conntrack: add nf_ct_acct_add() 2020-03-30T00:05:39+00:00 wenxu wenxu@ucloud.cn 2020-03-28T00:57:53+00:00 9312eabab4a68348af5b4482cc7cc6f151ff1c3f Add nf_ct_acct_add function to update the conntrack counter with packets and bytes. Signed-off-by: wenxu <wenxu@ucloud.cn> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Add nf_ct_acct_add function to update the conntrack counter
with packets and bytes.

Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: skip set types that do not support for expressions 2020-03-30T00:05:39+00:00 Pablo Neira Ayuso pablo@netfilter.org 2020-03-27T16:43:06+00:00 d56aab2625f7bee79686566d3f6ad639d694b8cd The bitmap set does not support for expressions, skip it from the estimation step. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The bitmap set does not support for expressions, skip it from the
estimation step.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_queue: place bridge physports into queue_entry struct 2020-03-29T14:28:29+00:00 Florian Westphal fw@strlen.de 2020-03-27T02:24:47+00:00 119e52e664c57d5f7c0174dc2b3a296b1e40591d The refcount is done via entry->skb, which does work fine. Major problem: When putting the refcount of the bridge ports, we must always put the references while the skb is still around. However, we will need to put the references after okfn() to avoid a possible 1 -> 0 -> 1 refcount transition, so we cannot use the skb pointer anymore. Place the physports in the queue entry structure instead to allow for refcounting changes in the next patch. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
The refcount is done via entry->skb, which does work fine.
Major problem: When putting the refcount of the bridge ports, we
must always put the references while the skb is still around.

However, we will need to put the references after okfn() to avoid
a possible 1 -> 0 -> 1 refcount transition, so we cannot use the
skb pointer anymore.

Place the physports in the queue entry structure instead to allow
for refcounting changes in the next patch.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_queue: make nf_queue_entry_release_refs static 2020-03-29T14:28:29+00:00 Florian Westphal fw@strlen.de 2020-03-27T02:24:46+00:00 dd3cc111f2e3220ddc9c4ab17f13dc97759b5163 This is a preparation patch, no logical changes. Move free_entry into core and rename it to something more sensible. Will ease followup patches which will complicate the refcount handling. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This is a preparation patch, no logical changes.
Move free_entry into core and rename it to something more sensible.

Will ease followup patches which will complicate the refcount handling.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: flowtable: Use rw sem as flow block lock 2020-03-27T17:42:20+00:00 Paul Blakey paulb@mellanox.com 2020-03-27T09:12:29+00:00 422c032afcf57d5e8109a54912e22ffc53d99068 Currently flow offload threads are synchronized by the flow block mutex. Use rw lock instead to increase flow insertion (read) concurrency. Signed-off-by: Paul Blakey <paulb@mellanox.com> Reviewed-by: Oz Shlomo <ozsh@mellanox.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Currently flow offload threads are synchronized by the flow block mutex.
Use rw lock instead to increase flow insertion (read) concurrency.

Signed-off-by: Paul Blakey <paulb@mellanox.com>
Reviewed-by: Oz Shlomo <ozsh@mellanox.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: flowtable: add counter support 2020-03-27T17:32:37+00:00 Pablo Neira Ayuso pablo@netfilter.org 2020-03-24T11:50:02+00:00 53c2b2899af7e6a29c0cf8bfa8a554721398a4b0 Add a new flag to turn on flowtable counters which are stored in the conntrack entry. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Add a new flag to turn on flowtable counters which are stored in the
conntrack entry.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: add enum nft_flowtable_flags to uapi 2020-03-27T17:32:36+00:00 Pablo Neira Ayuso pablo@netfilter.org 2020-03-24T11:23:57+00:00 cfbd1125fc8778913d0956a757438bbb2c35f031 Expose the NFT_FLOWTABLE_HW_OFFLOAD flag through uapi. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
Expose the NFT_FLOWTABLE_HW_OFFLOAD flag through uapi.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: conntrack: export nf_ct_acct_update() 2020-03-27T17:32:36+00:00 Pablo Neira Ayuso pablo@netfilter.org 2020-03-24T11:34:33+00:00 8ac2bd357775b3abf838110833279ea1a3b035e4 This function allows you to update the conntrack counters. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This function allows you to update the conntrack counters.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: allow to specify stateful expression in set definition 2020-03-19T10:37:31+00:00 Pablo Neira Ayuso pablo@netfilter.org 2020-03-17T13:13:46+00:00 65038428b2c6c5be79d3f78a6b79c0cdc3a58a41 This patch allows users to specify the stateful expression for the elements in this set via NFTA_SET_EXPR. This new feature allows you to turn on counters for all of the elements in this set. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 
This patch allows users to specify the stateful expression for the
elements in this set via NFTA_SET_EXPR. This new feature allows you to
turn on counters for all of the elements in this set.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>