<feed xmlns='http://www.w3.org/2005/Atom'>
<title>kernel/linux.git/include/net/netfilter, branch v5.10.45</title>
<subtitle>Linux kernel stable tree (mirror)</subtitle>
<id>https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.45</id>
<link rel='self' href='https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.45'/>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/'/>
<updated>2021-06-03T07:00:37+00:00</updated>
<entry>
<title>netfilter: flowtable: Remove redundant hw refresh bit</title>
<updated>2021-06-03T07:00:37+00:00</updated>
<author>
<name>Roi Dayan</name>
<email>roid@nvidia.com</email>
</author>
<published>2021-05-10T11:50:24+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=6d6bc8c75290866e59ee25ab6bb0114eb166b980'/>
<id>urn:sha1:6d6bc8c75290866e59ee25ab6bb0114eb166b980</id>
<content type='text'>
commit c07531c01d8284aedaf95708ea90e76d11af0e21 upstream.

Offloading conns could fail for multiple reasons and a hw refresh bit is
set to try to reoffload it in the next sw packet.
But it could be, in some cases and at future points, that the hw refresh bit
is not set but a refresh could succeed.
Remove the hw refresh bit and do an offload refresh if requested.
There won't be a new work entry if a work is already pending
anyway, as there is the hw pending bit.

Fixes: 8b3646d6e0c4 ("net/sched: act_ct: Support refreshing the flow table entries")
Signed-off-by: Roi Dayan &lt;roid@nvidia.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nftables_offload: VLAN id needs host byteorder in flow dissector</title>
<updated>2021-05-14T07:50:40+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2021-04-12T12:20:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a7eb38aacc81623f338d6c6f19604ace2fe4ec15'/>
<id>urn:sha1:a7eb38aacc81623f338d6c6f19604ace2fe4ec15</id>
<content type='text'>
[ Upstream commit ff4d90a89d3d4d9814e0a2696509a7d495be4163 ]

The flow dissector representation expects the VLAN id in host byteorder.
Add the NFT_OFFLOAD_F_NETWORK2HOST flag to swap the bytes from nft_cmp.

Fixes: a82055af5959 ("netfilter: nft_payload: add VLAN offload support")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nft_payload: fix C-VLAN offload support</title>
<updated>2021-05-14T07:50:40+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2021-04-12T12:11:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=cf2de861b2794f98363072e078ac9375d8e8f83e'/>
<id>urn:sha1:cf2de861b2794f98363072e078ac9375d8e8f83e</id>
<content type='text'>
[ Upstream commit 14c20643ef9457679cc6934d77adc24296505214 ]

- add another struct flow_dissector_key_vlan for C-VLAN
- update the layer 3 dependency to allow matching on IPv4/IPv6

Fixes: 89d8fd44abfb ("netfilter: nft_payload: add C-VLAN offload support")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nftables: allow to update flowtable flags</title>
<updated>2021-03-30T12:32:01+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2021-03-17T11:54:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=186d8dc40a65f0248df2ed34292f1296158d0be4'/>
<id>urn:sha1:186d8dc40a65f0248df2ed34292f1296158d0be4</id>
<content type='text'>
[ Upstream commit 7b35582cd04ace2fd1807c1b624934e465cc939d ]

Honor flowtable flags from the control update path. Disallow toggling
hardware offload support, though.

Fixes: 8bb69f3b2918 ("netfilter: nf_tables: add flowtable offload control plane")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nft_dynset: fix timeouts later than 23 days</title>
<updated>2020-12-08T19:42:11+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2020-12-08T17:25:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=917d80d376ffbaa9725fde9e3c0282f63643f278'/>
<id>urn:sha1:917d80d376ffbaa9725fde9e3c0282f63643f278</id>
<content type='text'>
Use nf_msecs_to_jiffies64 and nf_jiffies64_to_msecs as provided by
8e1102d5a159 ("netfilter: nf_tables: support timeouts larger than 23
days"), otherwise ruleset listing breaks.

Fixes: a8b1e36d0d1d ("netfilter: nft_dynset: fix element timeout for HZ != 1000")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nftables_offload: build mask based from the matching bytes</title>
<updated>2020-11-27T11:10:47+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2020-11-25T22:50:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=a5d45bc0dc50f9dd83703510e9804d813a9cac32'/>
<id>urn:sha1:a5d45bc0dc50f9dd83703510e9804d813a9cac32</id>
<content type='text'>
Userspace might match on prefix bytes of header fields if they are on
the byte boundary; this requires that the mask is adjusted accordingly.
Use NFT_OFFLOAD_MATCH_EXACT() for meta since prefix byte matching is not
allowed for this type of selector.

The bitwise expression might be optimized out by userspace, hence the
kernel needs to infer the prefix from the number of payload bytes to
match on. This patch adds nft_payload_offload_mask() to calculate the
bitmask to match on the prefix.

Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nftables_offload: set address type in control dissector</title>
<updated>2020-11-27T11:10:46+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2020-11-25T22:50:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=3c78e9e0d33a27ab8050e4492c03c6a1f8d0ed6b'/>
<id>urn:sha1:3c78e9e0d33a27ab8050e4492c03c6a1f8d0ed6b</id>
<content type='text'>
This patch adds nft_flow_rule_set_addr_type() to set the address type
from the nft_payload expression accordingly.

If the address type is not set in the control dissector then a rule that
matches either on source or destination IP address does not work.

After this patch, nft hardware offload generates the flow dissector
configuration as tc-flower does to match on an IP address.

This patch has also been tested functionally to make sure packets are
filtered out by the NIC.

This also gets the code aligned with the existing netfilter flow
offload infrastructure, which is also setting the control dissector.

Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support")
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
<entry>
<title>netfilter: nftables_offload: KASAN slab-out-of-bounds Read in nft_flow_rule_create</title>
<updated>2020-10-20T11:54:54+00:00</updated>
<author>
<name>Saeed Mirzamohammadi</name>
<email>saeed.mirzamohammadi@oracle.com</email>
</author>
<published>2020-10-20T11:41:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=31cc578ae2de19c748af06d859019dced68e325d'/>
<id>urn:sha1:31cc578ae2de19c748af06d859019dced68e325d</id>
<content type='text'>
This patch fixes the issue due to:

BUG: KASAN: slab-out-of-bounds in nft_flow_rule_create+0x622/0x6a2
net/netfilter/nf_tables_offload.c:40
Read of size 8 at addr ffff888103910b58 by task syz-executor227/16244

The error happens when expr-&gt;ops is accessed early on, before performing the
boundary check, and after nft_expr_next() moves the expr out of bounds.

This patch checks the boundary condition before accessing expr-&gt;ops, which fixes
the slab-out-of-bounds Read issue.

Add nft_expr_more() and use it to fix this problem.

Signed-off-by: Saeed Mirzamohammadi &lt;saeed.mirzamohammadi@oracle.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
</content>
</entry>
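<![CDATA[
Added editorial example, not part of the feed and not kernel code: a user-space C model of the walk the commit above describes, in which the expression list is iterated past its end because expr->ops is tested before the boundary check, beside the fixed walk that performs the boundary check first (the role the commit gives nft_expr_more()). All names, the struct layout and the sample rule are assumptions constructed for illustration; read_ops() stands in for KASAN by flagging any read at or past the end of the rule data.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Assumed model: a rule holds variable-length expressions back to back
 * in a byte array, and expr_last() points one past the last valid one
 * (like nft_expr_last()). The kernel's real structures differ.
 */
struct expr {
    const void *ops;   /* dispatch table; NULL in a zeroed slot */
    uint8_t size;      /* total bytes occupied by this expression */
};

struct rule {
    size_t dlen;       /* bytes of expression data actually in use */
    uint8_t data[128]; /* backing storage; bytes past dlen are out of bounds */
};

static const struct expr *expr_first(const struct rule *r)
{
    return (const struct expr *)r->data;
}

/* One past the last expression. Never dereference it. */
static const struct expr *expr_last(const struct rule *r)
{
    return (const struct expr *)(r->data + r->dlen);
}

static const struct expr *expr_next(const struct expr *e)
{
    return (const struct expr *)((const uint8_t *)e + e->size);
}

/* Stand-in for KASAN: record any read whose address lies past dlen. */
static const void *read_ops(const struct rule *r, const struct expr *e, int *oob)
{
    if ((const uint8_t *)e >= r->data + r->dlen)
        *oob = 1;
    return e->ops;
}

/* The check the commit adds: bounds first, ops second (short-circuit). */
static bool expr_more(const struct rule *r, const struct expr *e, int *oob)
{
    return e != expr_last(r) && read_ops(r, e, oob) != NULL;
}

/* Buggy walk: tests ops before the boundary check, so on the final
 * iteration it reads the slot at expr_last(), which is past dlen. */
int count_exprs_unsafe(const struct rule *r, int *oob)
{
    int n = 0;
    *oob = 0;
    for (const struct expr *e = expr_first(r);
         read_ops(r, e, oob) != NULL && e != expr_last(r);
         e = expr_next(e))
        n++;
    return n;
}

/* Fixed walk: expr_more() never touches ops unless e is in bounds. */
int count_exprs_safe(const struct rule *r, int *oob)
{
    int n = 0;
    *oob = 0;
    for (const struct expr *e = expr_first(r); expr_more(r, e, oob); e = expr_next(e))
        n++;
    return n;
}

/* Constructed sample rule: three expressions filling exactly dlen bytes. */
static const int dummy_ops;

void build_sample_rule(struct rule *r)
{
    memset(r, 0, sizeof(*r));
    uint8_t *p = r->data;
    for (int i = 0; i < 3; i++) {
        struct expr e = { .ops = &dummy_ops, .size = sizeof(struct expr) };
        memcpy(p, &e, sizeof(e));
        p += sizeof(e);
    }
    r->dlen = (size_t)(p - r->data);
}
```

The order of the two operands in expr_more() is the whole fix: the boundary comparison comes first, so ops is never read once e equals expr_last(). In this model the bytes past dlen are zeroed, so the buggy loop still terminates after one out-of-bounds read; on a real slab those bytes belong to whatever neighbours the allocation, which is why KASAN flags the read rather than the loop merely miscounting.
]]>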
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2020-10-15T19:43:21+00:00</updated>
<author>
<name>Jakub Kicinski</name>
<email>kuba@kernel.org</email>
</author>
<published>2020-10-15T19:43:21+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=2295cddf99e3f7c2be2b1160e2f5e53cc35b09be'/>
<id>urn:sha1:2295cddf99e3f7c2be2b1160e2f5e53cc35b09be</id>
<content type='text'>
Minor conflicts in net/mptcp/protocol.h and
tools/testing/selftests/net/Makefile.

In both cases code was added on both sides in the same place
so just keep both.

Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
<entry>
<title>netfilter: restore NF_INET_NUMHOOKS</title>
<updated>2020-10-15T03:28:05+00:00</updated>
<author>
<name>Pablo Neira Ayuso</name>
<email>pablo@netfilter.org</email>
</author>
<published>2020-10-14T19:34:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.radix-linux.su/kernel/linux.git/commit/?id=d25e2e9388eda61b6e298585024ee3355f50c493'/>
<id>urn:sha1:d25e2e9388eda61b6e298585024ee3355f50c493</id>
<content type='text'>
This definition is used by the iptables legacy UAPI, restore it.

Fixes: d3519cb89f6d ("netfilter: nf_tables: add inet ingress support")
Reported-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Tested-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Jakub Kicinski &lt;kuba@kernel.org&gt;
</content>
</entry>
</feed>
