Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.15.209 2024-04-27T15:05:24+00:00 2024-04-27T15:05:24+00:00 Vlad Buslov vladbu@nvidia.com 2022-06-15T10:43:55+00:00 urn:sha1:5345d78ae64d5a760c211cd2da995dc71c5b29e4 [ Upstream commit b038177636f83bbf87c2b238706474145dd2cd04 ] To improve hardware offload debuggability count pending 'add', 'del' and 'stats' flow_table offload workqueue tasks. Counters are incremented before scheduling new task and decremented when workqueue handler finishes executing. These counters allow user to diagnose congestion on hardware offload workqueues that can happen when either CPU is starved and workqueue jobs are executed at lower rate than new ones are added or when hardware/driver can't keep up with the rate. Implement the described counters as percpu counters inside new struct netns_ft which is stored inside struct net. Expose them via new procfs file '/proc/net/stats/nf_flowtable' that is similar to existing 'nf_conntrack' file. Signed-off-by: Vlad Buslov <vladbu@nvidia.com> Signed-off-by: Oz Shlomo <ozsh@nvidia.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Stable-dep-of: 87b3593bed18 ("netfilter: flowtable: validate pppoe header") Signed-off-by: Sasha Levin <sashal@kernel.org> 2021-08-29T23:51:36+00:00 Ryoga Saito contact@proelbtn.com 2021-08-17T08:39:37+00:00 urn:sha1:7a3f5b0de3647c854e34269c3332d7a1e902901a This patch introduces netfilter hooks for solving the problem that conntrack couldn't record both inner flows and outer flows. This patch also introduces a new sysctl toggle for enabling lightweight tunnel netfilter hooks. Signed-off-by: Ryoga Saito <contact@proelbtn.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-17T01:23:00+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-06-16T20:25:05+00:00 urn:sha1:836382dc24717af203ce06703530528827086955 Add a new optional expression that tells you when last matching on a given rule / set element element has happened. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-07T10:41:10+00:00 Florian Westphal fw@strlen.de 2021-06-04T10:27:07+00:00 urn:sha1:e2cf17d3774c323ef6dab6e9f7c0cfc5e742afd9 This nfnl subsystem allows to dump the list of all active netfiler hooks, e.g. defrag, conntrack, nf/ip/arp/ip6tables and so on. This helps to see what kind of features are currently enabled in the network stack. Sample output from nft tool using this infra: $ nft list hook ip input family ip hook input { +0000000010 nft_do_chain_inet [nf_tables] # nft table firewalld INPUT +0000000100 nf_nat_ipv4_local_in [nf_nat] +2147483647 ipv4_confirm [nf_conntrack] } Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-03-31T20:34:10+00:00 Florian Westphal fw@strlen.de 2021-03-25T17:25:10+00:00 urn:sha1:e465cccd0b9de113a81280bd52ee717bf5e3d1a2 Remove nf_log_common. Now that all per-af modules have been merged there is no longer a need to provide a helper module. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-03-30T22:37:27+00:00 Florian Westphal fw@strlen.de 2021-03-25T17:25:08+00:00 urn:sha1:1510618e45cb9fb77aede5544f8309b64f8b7400 Provide netdev family support from the nf_log_syslog module. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-03-30T22:37:27+00:00 Florian Westphal fw@strlen.de 2021-03-25T17:25:05+00:00 urn:sha1:db3187ae21bb0cff44430a7510cf2d2b23e41cd8 Netfilter has multiple log modules: nf_log_arp nf_log_bridge nf_log_ipv4 nf_log_ipv6 nf_log_netdev nfnetlink_log nf_log_common With the exception of nfnetlink_log (packet is sent to userspace for dissection/logging), all of them log to the kernel ringbuffer. This is the first part of a series to merge all modules except nfnetlink_log into a single module: nf_log_syslog. This allows to reduce code. After the series, only two log modules remain: nfnetlink_log and nf_log_syslog. The latter provides the same functionality as the old per-af log modules. This renames nf_log_ipv4 to nf_log_syslog. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2020-10-31T09:41:00+00:00 Jose M. Guisado Gomez guigom@riseup.net 2020-10-22T19:43:53+00:00 urn:sha1:6bbb9ad36c93d3a422de862b78bd5330b44b3fa4 Adds support for reject from ingress hook in netdev family. Both stacks ipv4 and ipv6. With reject packets supporting ICMP and TCP RST. This ability is required in devices that need to REJECT legitimate clients which traffic is forwarded from the ingress hook. Joint work with Laura Garcia. Signed-off-by: Jose M. Guisado Gomez <guigom@riseup.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2020-04-08T15:12:48+00:00 Jason A. Donenfeld Jason@zx2c4.com 2020-03-26T20:26:00+00:00 urn:sha1:e6abef610c7363cbd25205674b962031ef3bc790 Now that the kernel specifies binutils 2.23 as the minimum version, we can remove ifdefs for AVX2 and ADX throughout. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Ingo Molnar <mingo@kernel.org> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org> 2020-04-08T15:01:59+00:00 Jason A. Donenfeld Jason@zx2c4.com 2020-03-26T08:00:58+00:00 urn:sha1:5e8ebd841a44b895e2bab5e874ff7d333ca31135 Doing this probing inside of the Makefiles means we have a maze of ifdefs inside the source code and child Makefiles that need to make proper decisions on this too. Instead, we do it at Kconfig time, like many other compiler and assembler options, which allows us to set up the dependencies normally for full compilation units. In the process, the ADX test changes to use %eax instead of %r10 so that it's valid in both 32-bit and 64-bit mode. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Acked-by: Ingo Molnar <mingo@kernel.org> Reviewed-by: Nick Desaulniers <ndesaulniers@google.com> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>