Hi,
On Wed, Oct 5, 2016 at 4:07 PM, Jiri Benc wrote:
> diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
> index 4d67ea856067..c47b3da8ecf2 100644
> --- a/net/openvswitch/datapath.c
> +++ b/net/openvswitch/datapath.c
> @@ -594,6 +594,16 @@ static int
On Wed, Oct 5, 2016 at 8:23 PM, Jiri Benc <jb...@redhat.com> wrote:
> On Wed, 5 Oct 2016 17:18:08 +0300, Eyal Birger wrote:
>> I think at this point, 'eth' may point to a freed packet.
>
> It may but how does that matter? eth is not used beyond that point.
Definitely a nit.
Hi David,
On Wed, Oct 4, 2017 at 12:54 AM, David Miller wrote:
> From: Shmulik Ladkani
> Date: Sat, 30 Sep 2017 11:59:09 +0300
>
>> This leads to inconsistencies, depending on order of operations, e.g.:
>
> I don't see any inconsistency. When you insert
Hi Nathan,
On Wed, 9 May 2018 13:46:26 -0700
Nathan Harold wrote:
> Allow UPDSA to change output_mark to permit
> policy separation of packet routing decisions from
> SA keying in systems that use mark-based routing.
>
> In the output_mark, used as a routing and firewall
>
> On 14 Jun 2018, at 15:01, William Tu wrote:
>
> Make the printing of bpf xfrm tunnel better and
> cleanup xfrm state and policy when xfrm test finishes.
Yeah the ‘tee’ was useful when developing the test - I could see what’s going
on :)
Now that it’s in ‘selftests’ it’s definitely
When setting the skb->dst before doing the MTU check, the route PMTU
caching and reporting is done on the new dst which is about to be
released.
Instead, PMTU handling should be done using the original dst.
This is aligned with IPv4 VTI.
Signed-off-by: Eyal Birger
Fixes: ccd740cbc6 ("v
Hi Nathan,
On Fri, 29 Jun 2018 15:07:10 -0700
Nathan Harold wrote:
> Allow UPDSA to change "set mark" to permit
> policy separation of packet routing decisions from
> SA keying in systems that use mark-based routing.
>
> The set mark, used as a routing and firewall mark
> for outbound packets,
On Fri, Jan 12, 2018 at 4:00 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Fri, Jan 12, 2018 at 03:56:21PM +0200, Eyal Birger wrote:
>> On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso <pa...@netfilter.org>
>> wrote:
>> > On Fri, Jan 12, 2018 at
On Tue, Jan 16, 2018 at 8:30 AM, Cong Wang <xiyou.wangc...@gmail.com> wrote:
> On Fri, Jan 12, 2018 at 4:57 AM, Eyal Birger <eyal.bir...@gmail.com> wrote:
>> +static void em_policy_destroy(struct tcf_ematch *em)
>> +{
>> + const struct xt_policy_in
From: Eyal Birger <e...@metanetworks.com>
In order to allow ematches to create their internal state based on the
L3 protocol specified when creating the filter.
Signed-off-by: Eyal Birger <e...@metanetworks.com>
---
include/net/pkt_cls.h | 2 +-
net/sched/em_canid.c | 4 ++-
From: Eyal Birger <e...@metanetworks.com>
This module allows performing tc classification based on data structures
and implementations provided by netfilter extensions.
Example use case is classification based on the incoming IPSec policy used
during decapsulation using the 'policy' ip
From: Eyal Birger <e...@metanetworks.com>
The following patchset introduces a new tc ematch for matching using
netfilter matches.
This allows early classification as well as mirroring/redirecting traffic
based on logic implemented in netfilter extensions.
Example use case is classifi
On Thu, Jan 25, 2018 at 2:00 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Wed, Jan 24, 2018 at 04:37:16PM -0500, David Miller wrote:
>> From: Eyal Birger <eyal.bir...@gmail.com>
>> Date: Tue, 23 Jan 2018 11:17:32 +0200
>>
>> > +
From: Eyal Birger <e...@metanetworks.com>
This module allows performing tc classification based on data structures
and implementations provided by netfilter extensions.
Example use case is classification based on the incoming IPSec policy used
during decapsulation using the 'policy' ip
From: Eyal Birger <e...@metanetworks.com>
In order to allow ematches to create their internal state based on the
L3 protocol specified when creating the filter.
Signed-off-by: Eyal Birger <e...@metanetworks.com>
---
include/net/pkt_cls.h | 2 +-
net/sched/em_canid.c | 4 ++-
From: Eyal Birger <e...@metanetworks.com>
The following patchset introduces a new tc ematch for matching using
netfilter matches.
This allows early classification as well as mirroring/redirecting traffic
based on logic implemented in netfilter extensions.
Example use case is classifi
On Fri, Jan 26, 2018 at 8:50 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Fri, Jan 26, 2018 at 06:48:53PM +0200, Eyal Birger wrote:
>> diff --git a/net/sched/em_ipt.c b/net/sched/em_ipt.c
>> new file mode 100644
>> index 000..2103b30
>> --- /dev
On Mon, Jan 15, 2018 at 12:57 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Sun, Jan 14, 2018 at 02:47:46PM +0200, Eyal Birger wrote:
>> On Fri, Jan 12, 2018 at 4:00 PM, Pablo Neira Ayuso <pa...@netfilter.org>
>> wrote:
>> > On Fri, Jan 12, 2018 at
On Sun, 4 Feb 2018 13:21:18 +0200
Eyal Birger <eyal.bir...@gmail.com> wrote:
> Hi,
>
> We've encountered a non released device reference upon device
> unregistration which seems to stem from xfrm policy code.
>
> The setup includes:
> - an underlay device (e.g. eth0)
On Sun, 28 Jan 2018 19:22:12 -0800
Cong Wang <xiyou.wangc...@gmail.com> wrote:
> On Fri, Jan 26, 2018 at 11:57 AM, Eyal Birger <eyal.bir...@gmail.com>
> wrote:
> > On Fri, Jan 26, 2018 at 8:50 PM, Pablo Neira Ayuso
> > <pa...@netfilter.org> wrote:
>
e following rough sketch patch illustrates an approach overcoming this
issue:
-----
From e188dc5295e3500bc59e8780049840afa2eb3e24 Mon Sep 17 00:00:00 2001
From: Eyal Birger <e...@metanetworks.com>
Date: Sun, 4 Feb 2018 13:08:02 +0200
Subjec
Hi Steffen,
On Tue, 6 Feb 2018 09:53:38 +0100
Steffen Klassert <steffen.klass...@secunet.com> wrote:
> Cc Wei Wang
>
> On Sun, Feb 04, 2018 at 01:21:18PM +0200, Eyal Birger wrote:
> > Hi,
> >
> > We've encountered a non released device reference upon devi
On Tue, 6 Feb 2018 14:15:09 +0100
Florian Westphal wrote:
> Steffen Klassert wrote:
> > I gave the patch a quick try, but still I get this:
> >
> > unregister_netdevice: waiting for dummy1 to become free. Usage
> > count = 2
>
> Was that with
On Sun, 11 Feb 2018 16:46:48 +0100
Florian Westphal <f...@strlen.de> wrote:
> Eyal Birger <eyal.bir...@gmail.com> wrote:
>
> Sorry for taking so long to respond.
>
> > On Tue, 6 Feb 2018 14:15:09 +0100
> > Florian Westphal <f...@strlen.de> wrote:
>
their device references on a netdev
unregister event.
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
[1] https://patchwork.ozlabs.org/patch/869025/
---
v2:
- call gc flush from existing netdev notifier per Shannon Nelson's
suggestion.
---
include/net/xfrm.h | 11 +++--
ne
their device references on a netdev
unregister event.
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
[1] https://patchwork.ozlabs.org/patch/869025/
---
include/net/xfrm.h | 10 ++-
net/xfrm/xfrm_policy.c | 81 ++
2 files changed, 84 inse
On Mon, 12 Feb 2018 09:55:48 -0800
Shannon Nelson <shannon.nel...@oracle.com> wrote:
> On 2/12/2018 9:21 AM, Eyal Birger wrote:
> > In setups like the following:
> >
> > Host A --Host B
> > tun0 -- ipsec -- eth0 -- eth0 -- ipsec -- tu
undle")
as part of an effort to remove routing garbage collection.
Several approaches for fixing this were discussed in [1]; this commit keeps
track of allocated xdsts and releases their device references on a netdev
unregister/down events.
Signed-off-by: Eyal Birger <eyal.bir...@gma
Hi Xin Long,
On Tue, 13 Feb 2018 23:18:14 +0800
Xin Long <lucien@gmail.com> wrote:
> On Tue, Feb 13, 2018 at 6:54 PM, Eyal Birger <eyal.bir...@gmail.com>
> wrote:
> > In setups like the following:
> >
> >Host A --Host B
> >
Hi Pablo,
On Mon, 15 Jan 2018 13:48:41 +0200
Eyal Birger <eyal.bir...@gmail.com> wrote:
> On Mon, Jan 15, 2018 at 12:57 PM, Pablo Neira Ayuso
> <pa...@netfilter.org> wrote:
> > On Sun, Jan 14, 2018 at 02:47:46PM +0200, Eyal Birger wrote:
> >> On Fri, Jan 12, 2
tch.
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
v3:
- limit supported match to xt_policy and validate parameters
- receive match protocol from userspace
v2:
- Remove skb push/pull and limit functionality to ingress
---
include/uapi/linux/pkt_cls.h | 3 +-
Hi Pablo,
On Wed, 14 Feb 2018 11:19:40 +0100
Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Wed, Feb 14, 2018 at 10:14:24AM +0200, Eyal Birger wrote:
> > Hi Pablo,
> >
> > On Mon, 15 Jan 2018 13:48:41 +0200
> > Eyal Birger <eyal.bir...@gmail.com> w
This patchset extends tc to support the ipt ematch.
The first patch adds the ability for ematch cmdline parsers
to receive argc,argv parameters.
The second patch adds the em_ipt module.
Eyal Birger (2):
tc: ematch: add parse_eopt_argv() method for providing ematches with
argv parameters
ipsec --reqid 1)' \
action drop
This is the user-space counter part of kernel commit ccc007e4a746
("net: sched: add em_ipt ematch for calling xtables matches")
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
etc/iproute2/ematch_map | 1 +
man/man8/tc-ematch.8
ematch uses YACC to parse ematch arguments and places them in struct bstr
linked lists.
It is useful to be able to receive parameters as argc,argv in order to use
getopt (and alike) argument parsers.
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
tc/m_ematch.
w your further thoughts
> on whether we need to bump the genid. FYI once this patch is settled,
> I plan to upload a patch to update the xfrm_if_id, which I planned to
> nestle in to this same logic (and with similar, albeit possibly
> more-straightforward rationale).
Thanks so much for the clarification. Indeed there are nuances here and
I appreciate you taking the time to describe them.
FWIW you can add my:
Reviewed-by: Eyal Birger
Thanks!
Eyal.
Hi,
On Mon, 16 Jul 2018 16:39:55 -0700
Cong Wang wrote:
> On Fri, Jul 13, 2018 at 2:55 AM Paolo Abeni wrote:
> >
> > When mirred is invoked from the ingress path, and it wants to
> > redirect the processed packet, it can now use the ACT_REDIRECT
> > action, filling the tcf_result accordingly.
From: Eyal Birger <e...@metanetworks.com>
Allows classification based on the incoming IPSec policy used during
decapsulation.
This allows similar matching capabilities to those provided by netfilter
xt_policy module, and uses the same data structure - but from a tc entry
point.
Sign
From: Eyal Birger <e...@metanetworks.com>
The following patchset introduces a new tc ematch for matching IPSec
traffic from a tc context.
This allows early classification as well as mirroring/redirecting IPSec
traffic based on decapsulation criteria.
The matching functionality is
From: Eyal Birger <e...@metanetworks.com>
Expose this functionality so it could be usable from a tc classifier.
The rename of match_policy_out() is done for consistency though it is not
exported.
Signed-off-by: Eyal Birger <e...@metanetworks.com>
---
include/net/netfilter/xt_p
On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote:
> On Fri, Jan 12, 2018 at 02:57:24PM +0200, Eyal Birger wrote:
>> @@ -51,9 +52,9 @@ match_xfrm_state(const struct xfrm_state *x, const struct
>> xt_policy_elem *e,
>>
Add a test for fetching xfrm state parameters from a tc program running
on ingress.
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
samples/bpf/tcbpf2_kern.c | 15 +++
samples/bpf/test_tunnel_bpf.sh| 71 +++
tools/includ
extended by adding elements to
its end - indicating the populated fields by the 'size' argument -
keeping backwards compatibility.
Typical usage:
struct bpf_xfrm_state x = {};
bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0);
...
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
include/uapi
On Wed, 18 Apr 2018 22:59:27 +0200
Daniel Borkmann <dan...@iogearbox.net> wrote:
> On 04/17/2018 06:48 AM, Eyal Birger wrote:
> > This commit introduces a helper which allows fetching xfrm state
> > parameters by eBPF programs attached to TC.
> >
> > Prototyp
:
- disallow reserved flags in helper call
- avoid compiling in helper code when CONFIG_XFRM is off
Eyal Birger (2):
bpf: add helper for getting xfrm states
samples/bpf: extend test_tunnel_bpf.sh with xfrm state test
include/uapi/linux/bpf.h | 25 ++-
net/core
Hi,
On Wed, 18 Apr 2018 15:31:03 -0700
Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote:
> On Thu, Apr 19, 2018 at 12:58:22AM +0300, Eyal Birger wrote:
> > This commit introduces a helper which allows fetching xfrm state
> > parameters by eBPF programs attached to T
extended by adding elements to
its end - indicating the populated fields by the 'size' argument -
keeping backwards compatibility.
Typical usage:
struct bpf_xfrm_state x = {};
bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0);
...
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
include/uapi
in network byte order
following suggestion from Alexei Starovoitov
v2:
- Fixed two comments by Daniel Borkmann:
- disallow reserved flags in helper call
- avoid compiling in helper code when CONFIG_XFRM is off
Eyal Birger (2):
bpf: add helper for getting xfrm states
samples/bpf: extend
Add a test for fetching xfrm state parameters from a tc program running
on ingress.
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
samples/bpf/tcbpf2_kern.c | 16 +++
samples/bpf/test_tunnel_bpf.sh| 71 +++
tools/includ
of the state; This struct
can be extended in the future to provide additional state information.
The second patch adds a test example in test_tunnel_bpf.sh. The sample
validates the correct extraction of state information by the eBPF program.
---
Eyal Birger (2):
bpf: add helper for getting xfrm
Add a test for fetching xfrm state parameters from a tc program running
on ingress.
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
samples/bpf/tcbpf2_kern.c | 15 +++
samples/bpf/test_tunnel_bpf.sh| 71 +++
tools/includ
extended by adding elements to
its end - indicating the populated fields by the 'size' argument -
keeping backwards compatibility.
Typical usage:
struct bpf_xfrm_state x = {};
bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0);
...
Signed-off-by: Eyal Birger <eyal.bir...@gmail.com>
---
include/uapi
52 matches