Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.1.168 2022-10-03T16:17:32+00:00 2022-10-03T16:17:32+00:00 Lorenzo Bianconi lorenzo@kernel.org 2022-09-29T22:38:43+00:00 urn:sha1:820dc0523e05c12810bb6bf4e56ce26e4c1948a2 Remove circular dependency between nf_nat module and nf_conntrack one moving bpf_ct_set_nat_info kfunc in nf_nat_bpf.c Fixes: 0fabd2aa199f ("net: netfilter: add bpf_ct_set_nat_info kfunc helper") Suggested-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Tested-by: Nathan Chancellor <nathan@kernel.org> Tested-by: Yauheni Kaliuta <ykaliuta@redhat.com> Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Acked-by: John Fastabend <john.fastabend@gmail.com> Link: https://lore.kernel.org/r/51a65513d2cda3eeb0754842e8025ab3966068d8.1664490511.git.lorenzo@kernel.org Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2022-07-11T14:25:14+00:00 Vlad Buslov vladbu@nvidia.com 2022-06-15T10:43:55+00:00 urn:sha1:b038177636f83bbf87c2b238706474145dd2cd04 To improve hardware offload debuggability count pending 'add', 'del' and 'stats' flow_table offload workqueue tasks. Counters are incremented before scheduling new task and decremented when workqueue handler finishes executing. These counters allow user to diagnose congestion on hardware offload workqueues that can happen when either CPU is starved and workqueue jobs are executed at lower rate than new ones are added or when hardware/driver can't keep up with the rate. Implement the described counters as percpu counters inside new struct netns_ft which is stored inside struct net. Expose them via new procfs file '/proc/net/stats/nf_flowtable' that is similar to existing 'nf_conntrack' file. Signed-off-by: Vlad Buslov <vladbu@nvidia.com> Signed-off-by: Oz Shlomo <ozsh@nvidia.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-01-18T22:26:42+00:00 Kumar Kartikeya Dwivedi memxor@gmail.com 2022-01-14T16:39:49+00:00 urn:sha1:b4c2b9593a1c4c3a718370e34af28e817fd5e5c6 This change adds conntrack lookup helpers using the unstable kfunc call interface for the XDP and TC-BPF hooks. The primary usecase is implementing a synproxy in XDP, see Maxim's patchset [0]. Export get_net_ns_by_id as nf_conntrack_bpf.c needs to call it. This object is only built when CONFIG_DEBUG_INFO_BTF_MODULES is enabled. [0]: https://lore.kernel.org/bpf/20211019144655.3483197-1-maximmi@nvidia.com Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20220114163953.1455836-7-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> 2021-12-23T00:07:35+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-12-17T19:37:34+00:00 urn:sha1:023223dfbfb34fcc9b7dd41e21fbf9a5d5237989 Make counter support built-in to allow for direct call in case of CONFIG_RETPOLINE. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-08-29T23:51:36+00:00 Ryoga Saito contact@proelbtn.com 2021-08-17T08:39:37+00:00 urn:sha1:7a3f5b0de3647c854e34269c3332d7a1e902901a This patch introduces netfilter hooks for solving the problem that conntrack couldn't record both inner flows and outer flows. This patch also introduces a new sysctl toggle for enabling lightweight tunnel netfilter hooks. Signed-off-by: Ryoga Saito <contact@proelbtn.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-17T01:23:00+00:00 Pablo Neira Ayuso pablo@netfilter.org 2021-06-16T20:25:05+00:00 urn:sha1:836382dc24717af203ce06703530528827086955 Add a new optional expression that tells you when last matching on a given rule / set element element has happened. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-06-07T10:41:10+00:00 Florian Westphal fw@strlen.de 2021-06-04T10:27:07+00:00 urn:sha1:e2cf17d3774c323ef6dab6e9f7c0cfc5e742afd9 This nfnl subsystem allows to dump the list of all active netfiler hooks, e.g. defrag, conntrack, nf/ip/arp/ip6tables and so on. This helps to see what kind of features are currently enabled in the network stack. Sample output from nft tool using this infra: $ nft list hook ip input family ip hook input { +0000000010 nft_do_chain_inet [nf_tables] # nft table firewalld INPUT +0000000100 nf_nat_ipv4_local_in [nf_nat] +2147483647 ipv4_confirm [nf_conntrack] } Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-03-31T20:34:10+00:00 Florian Westphal fw@strlen.de 2021-03-25T17:25:10+00:00 urn:sha1:e465cccd0b9de113a81280bd52ee717bf5e3d1a2 Remove nf_log_common. Now that all per-af modules have been merged there is no longer a need to provide a helper module. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-03-30T22:37:27+00:00 Florian Westphal fw@strlen.de 2021-03-25T17:25:08+00:00 urn:sha1:1510618e45cb9fb77aede5544f8309b64f8b7400 Provide netdev family support from the nf_log_syslog module. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2021-03-30T22:37:27+00:00 Florian Westphal fw@strlen.de 2021-03-25T17:25:05+00:00 urn:sha1:db3187ae21bb0cff44430a7510cf2d2b23e41cd8 Netfilter has multiple log modules: nf_log_arp nf_log_bridge nf_log_ipv4 nf_log_ipv6 nf_log_netdev nfnetlink_log nf_log_common With the exception of nfnetlink_log (packet is sent to userspace for dissection/logging), all of them log to the kernel ringbuffer. This is the first part of a series to merge all modules except nfnetlink_log into a single module: nf_log_syslog. This allows to reduce code. After the series, only two log modules remain: nfnetlink_log and nf_log_syslog. The latter provides the same functionality as the old per-af log modules. This renames nf_log_ipv4 to nf_log_syslog. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>