Re: [PATCH net-next v2 1/3] openvswitch: normalize vlan rx path

2016-10-05 Thread Eyal Birger
Hi, On Wed, Oct 5, 2016 at 4:07 PM, Jiri Benc wrote: > diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c > index 4d67ea856067..c47b3da8ecf2 100644 > --- a/net/openvswitch/datapath.c > +++ b/net/openvswitch/datapath.c > @@ -594,6 +594,16 @@ static int

Re: [PATCH net-next v2 1/3] openvswitch: normalize vlan rx path

2016-10-05 Thread Eyal Birger
On Wed, Oct 5, 2016 at 8:23 PM, Jiri Benc <jb...@redhat.com> wrote: > On Wed, 5 Oct 2016 17:18:08 +0300, Eyal Birger wrote: >> I think at this point, 'eth' may point to a freed packet. > > It may but how does that matter? eth is not used beyond that point. Definitely a nit.

Re: [PATCH net] net: fib_rules: Fix fib_rules_ops->compare implementations to support exact match

2017-10-03 Thread Eyal Birger
Hi David, On Wed, Oct 4, 2017 at 12:54 AM, David Miller wrote: > From: Shmulik Ladkani > Date: Sat, 30 Sep 2017 11:59:09 +0300 > >> This leads to inconsistencies, depending on order of operations, e.g.: > > I don't see any inconsistency. When you insert

Re: [PATCH ipsec-next] xfrm: Allow Output Mark to be Updated Using UPDSA

2018-05-09 Thread Eyal Birger
Hi Nathan, On Wed, 9 May 2018 13:46:26 -0700 Nathan Harold wrote: > Allow UPDSA to change output_mark to permit > policy separation of packet routing decisions from > SA keying in systems that use mark-based routing. > > In the output_mark, used as a routing and firewall >

Re: [PATCH bpf-net] selftests/bpf: delete xfrm tunnel when test exits.

2018-06-14 Thread Eyal Birger
> On 14 Jun 2018, at 15:01, William Tu wrote: > > Make the printing of bpf xfrm tunnel better and > cleanup xfrm state and policy when xfrm test finishes. Yeah the ‘tee’ was useful when developing the test - I could see what’s going on :) Now that it’s in ‘selftests’ it’s definitely

[PATCH ipsec] vti6: fix PMTU caching and reporting on xmit

2018-06-07 Thread Eyal Birger
When setting the skb->dst before doing the MTU check, the route PMTU caching and reporting is done on the new dst which is about to be released. Instead, PMTU handling should be done using the original dst. This is aligned with IPv4 VTI. Signed-off-by: Eyal Birger Fixes: ccd740cbc6 ("v

Re: [PATCH ipsec-next] xfrm: Allow Set Mark to be Updated Using UPDSA

2018-07-02 Thread Eyal Birger
Hi Nathan, On Fri, 29 Jun 2018 15:07:10 -0700 Nathan Harold wrote: > Allow UPDSA to change "set mark" to permit > policy separation of packet routing decisions from > SA keying in systems that use mark-based routing. > > The set mark, used as a routing and firewall mark > for outbound packets,

Re: [PATCH net-next 1/2] net: netfilter: export xt_policy match_policy_in() as xt_policy_match_policy_in()

2018-01-14 Thread Eyal Birger
On Fri, Jan 12, 2018 at 4:00 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Fri, Jan 12, 2018 at 03:56:21PM +0200, Eyal Birger wrote: >> On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso <pa...@netfilter.org> >> wrote: >> > On Fri, Jan 12, 2018 at

Re: [PATCH net-next 2/2] net: sched: add xfrm policy ematch

2018-01-16 Thread Eyal Birger
On Tue, Jan 16, 2018 at 8:30 AM, Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Fri, Jan 12, 2018 at 4:57 AM, Eyal Birger <eyal.bir...@gmail.com> wrote: >> +static void em_policy_destroy(struct tcf_ematch *em) >> +{ >> + const struct xt_policy_in

[PATCH net-next 1/2] net: sched: ematch: pass protocol to ematch 'change()' handlers

2018-01-23 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> In order to allow ematches to create their internal state based on the L3 protocol specified when creating the filter. Signed-off-by: Eyal Birger <e...@metanetworks.com> --- include/net/pkt_cls.h | 2 +- net/sched/em_canid.c | 4 ++-

[PATCH net-next 2/2] net: sched: add em_ipt ematch for calling xtables matches

2018-01-23 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> This module allows performing tc classification based on data structures and implementations provided by netfilter extensions. Example use case is classification based on the incoming IPSec policy used during decapsulation using the 'policy' ip

[PATCH net-next 0/2] net: sched: introduce em_ipt ematch

2018-01-23 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> The following patchset introduces a new tc ematch for matching using netfilter matches. This allows early classification as well as mirroring/redirecting traffic based on logic implemented in netfilter extensions. Example use case is classifi

Re: [PATCH net-next 2/2] net: sched: add em_ipt ematch for calling xtables matches

2018-01-25 Thread Eyal Birger
On Thu, Jan 25, 2018 at 2:00 AM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Wed, Jan 24, 2018 at 04:37:16PM -0500, David Miller wrote: >> From: Eyal Birger <eyal.bir...@gmail.com> >> Date: Tue, 23 Jan 2018 11:17:32 +0200 >> >> > +

[PATCH net-next,v2 2/2] net: sched: add em_ipt ematch for calling xtables matches

2018-01-26 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> This module allows performing tc classification based on data structures and implementations provided by netfilter extensions. Example use case is classification based on the incoming IPSec policy used during decapsulation using the 'policy' ip

[PATCH net-next,v2 1/2] net: sched: ematch: pass protocol to ematch 'change()' handlers

2018-01-26 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> In order to allow ematches to create their internal state based on the L3 protocol specified when creating the filter. Signed-off-by: Eyal Birger <e...@metanetworks.com> --- include/net/pkt_cls.h | 2 +- net/sched/em_canid.c | 4 ++-

[PATCH net-next,v2 0/2] net: sched: introduce em_ipt ematch

2018-01-26 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> The following patchset introduces a new tc ematch for matching using netfilter matches. This allows early classification as well as mirroring/redirecting traffic based on logic implemented in netfilter extensions. Example use case is classifi

Re: [PATCH net-next,v2 2/2] net: sched: add em_ipt ematch for calling xtables matches

2018-01-26 Thread Eyal Birger
On Fri, Jan 26, 2018 at 8:50 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Fri, Jan 26, 2018 at 06:48:53PM +0200, Eyal Birger wrote: >> diff --git a/net/sched/em_ipt.c b/net/sched/em_ipt.c >> new file mode 100644 >> index 000..2103b30 >> --- /dev

Re: [PATCH net-next 1/2] net: netfilter: export xt_policy match_policy_in() as xt_policy_match_policy_in()

2018-01-15 Thread Eyal Birger
On Mon, Jan 15, 2018 at 12:57 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Sun, Jan 14, 2018 at 02:47:46PM +0200, Eyal Birger wrote: >> On Fri, Jan 12, 2018 at 4:00 PM, Pablo Neira Ayuso <pa...@netfilter.org> >> wrote: >> > On Fri, Jan 12, 2018 at

Re: xfrm, ip tunnel: non released device reference upon device unregistration

2018-02-04 Thread Eyal Birger
On Sun, 4 Feb 2018 13:21:18 +0200 Eyal Birger <eyal.bir...@gmail.com> wrote: > Hi, > > We've encountered a non released device reference upon device > unregistration which seems to stem from xfrm policy code. > > The setup includes: > - an underlay device (e.g. eth0)

Re: [PATCH net-next,v2 2/2] net: sched: add em_ipt ematch for calling xtables matches

2018-01-30 Thread Eyal Birger
On Sun, 28 Jan 2018 19:22:12 -0800 Cong Wang <xiyou.wangc...@gmail.com> wrote: > On Fri, Jan 26, 2018 at 11:57 AM, Eyal Birger <eyal.bir...@gmail.com> > wrote: > > On Fri, Jan 26, 2018 at 8:50 PM, Pablo Neira Ayuso > > <pa...@netfilter.org> wrote: >

xfrm, ip tunnel: non released device reference upon device unregistration

2018-02-04 Thread Eyal Birger
e following rough sketch patch illustrates an approach overcoming this issue: ----- From e188dc5295e3500bc59e8780049840afa2eb3e24 Mon Sep 17 00:00:00 2001 From: Eyal Birger <e...@metanetworks.com> Date: Sun, 4 Feb 2018 13:08:02 +0200 Subjec

Re: xfrm, ip tunnel: non released device reference upon device unregistration

2018-02-06 Thread Eyal Birger
Hi Steffen, On Tue, 6 Feb 2018 09:53:38 +0100 Steffen Klassert <steffen.klass...@secunet.com> wrote: > Cc Wei Wang > > On Sun, Feb 04, 2018 at 01:21:18PM +0200, Eyal Birger wrote: > > Hi, > > > > We've encountered a non released device reference upon devi

Re: xfrm, ip tunnel: non released device reference upon device unregistration

2018-02-06 Thread Eyal Birger
On Tue, 6 Feb 2018 14:15:09 +0100 Florian Westphal wrote: > Steffen Klassert wrote: > > I gave the patch a quick try, but still I get this: > > > > unregister_netdevice: waiting for dummy1 to become free. Usage > > count = 2 > > Was that with

Re: xfrm, ip tunnel: non released device reference upon device unregistration

2018-02-12 Thread Eyal Birger
On Sun, 11 Feb 2018 16:46:48 +0100 Florian Westphal <f...@strlen.de> wrote: > Eyal Birger <eyal.bir...@gmail.com> wrote: > > Sorry for taking so long to respond. > > > On Tue, 6 Feb 2018 14:15:09 +0100 > > Florian Westphal <f...@strlen.de> wrote: >

[PATCH ipsec,v2] net: xfrm_policy: fix device unregistration hang

2018-02-12 Thread Eyal Birger
their device references on a netdev unregister event. Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> [1] https://patchwork.ozlabs.org/patch/869025/ --- v2: - call gc flush from existing netdev notifier per Shannon Nelson's suggestion. --- include/net/xfrm.h | 11 +++-- ne

[PATCH ipsec] net: xfrm_policy: fix device unregistration hang

2018-02-12 Thread Eyal Birger
their device references on a netdev unregister event. Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> [1] https://patchwork.ozlabs.org/patch/869025/ --- include/net/xfrm.h | 10 ++- net/xfrm/xfrm_policy.c | 81 ++ 2 files changed, 84 inse

Re: [PATCH ipsec] net: xfrm_policy: fix device unregistration hang

2018-02-12 Thread Eyal Birger
On Mon, 12 Feb 2018 09:55:48 -0800 Shannon Nelson <shannon.nel...@oracle.com> wrote: > On 2/12/2018 9:21 AM, Eyal Birger wrote: > > In setups like the following: > > > > Host A --Host B > > tun0 -- ipsec -- eth0 -- eth0 -- ipsec -- tu

[PATCH ipsec,v3] net: xfrm_policy: fix device unregistration hang

2018-02-13 Thread Eyal Birger
undle") as part of an effort to remove routing garbage collection. Several approaches for fixing this were discussed in [1]; this commit keeps track of allocated xdsts and releases their device references on netdev unregister/down events. Signed-off-by: Eyal Birger <eyal.bir...@gma

Re: [PATCH ipsec,v3] net: xfrm_policy: fix device unregistration hang

2018-02-13 Thread Eyal Birger
Hi Xin Long, On Tue, 13 Feb 2018 23:18:14 +0800 Xin Long <lucien@gmail.com> wrote: > On Tue, Feb 13, 2018 at 6:54 PM, Eyal Birger <eyal.bir...@gmail.com> > wrote: > > In setups like the following: > > > >Host A --Host B > >

Re: [PATCH net-next 1/2] net: netfilter: export xt_policy match_policy_in() as xt_policy_match_policy_in()

2018-02-14 Thread Eyal Birger
Hi Pablo, On Mon, 15 Jan 2018 13:48:41 +0200 Eyal Birger <eyal.bir...@gmail.com> wrote: > On Mon, Jan 15, 2018 at 12:57 PM, Pablo Neira Ayuso > <pa...@netfilter.org> wrote: > > On Sun, Jan 14, 2018 at 02:47:46PM +0200, Eyal Birger wrote: > >> On Fri, Jan 12, 2

[PATCH net-next,v3] net: sched: add em_ipt ematch for calling xtables matches

2018-02-15 Thread Eyal Birger
tch. Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- v3: - limit supported match to xt_policy and validate parameters - receive match protocol from userspace v2: - Remove skb push/pull and limit functionality to ingress --- include/uapi/linux/pkt_cls.h | 3 +-

Re: [PATCH net-next 1/2] net: netfilter: export xt_policy match_policy_in() as xt_policy_match_policy_in()

2018-02-15 Thread Eyal Birger
Hi Pablo, On Wed, 14 Feb 2018 11:19:40 +0100 Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Wed, Feb 14, 2018 at 10:14:24AM +0200, Eyal Birger wrote: > > Hi Pablo, > > > > On Mon, 15 Jan 2018 13:48:41 +0200 > > Eyal Birger <eyal.bir...@gmail.com> w

[PATCH iproute2-next 0/2] tc: add ipt ematch

2018-02-23 Thread Eyal Birger
This patchset extends tc to support the ipt ematch. The first patch adds the ability for ematch cmdline parsers to receive argc,argv parameters. The second patch adds the em_ipt module. Eyal Birger (2): tc: ematch: add parse_eopt_argv() method for providing ematches with argv parameters

[PATCH iproute2-next 2/2] tc: add em_ipt ematch for calling xtables matches from tc matching context

2018-02-23 Thread Eyal Birger
ipsec --reqid 1)' \ action drop This is the user-space counterpart of kernel commit ccc007e4a746 ("net: sched: add em_ipt ematch for calling xtables matches") Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- etc/iproute2/ematch_map | 1 + man/man8/tc-ematch.8

[PATCH iproute2-next 1/2] tc: ematch: add parse_eopt_argv() method for providing ematches with argv parameters

2018-02-23 Thread Eyal Birger
ematch uses YACC to parse ematch arguments and places them in struct bstr linked lists. It is useful to be able to receive parameters as argc,argv in order to use getopt (and alike) argument parsers. Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- tc/m_ematch.

Re: [PATCH ipsec-next] xfrm: Allow Set Mark to be Updated Using UPDSA

2018-07-16 Thread Eyal Birger
w your further thoughts > on whether we need to bump the genid. FYI once this patch is settled, > I plan to upload a patch to update the xfrm_if_id, which I planned to > nestle in to this same logic (and with similar, albeit possibly > more-straightforward rationale). Thanks so much for the clarification. Indeed there are nuances here and I appreciate you taking the time to describe them. FWIW you can add my: Reviewed-by: Eyal Birger Thanks! Eyal.

Re: [PATCH net-next 4/4] act_mirred: use ACT_REDIRECT when possible

2018-07-17 Thread Eyal Birger
Hi, On Mon, 16 Jul 2018 16:39:55 -0700 Cong Wang wrote: > On Fri, Jul 13, 2018 at 2:55 AM Paolo Abeni wrote: > > > > When mirred is invoked from the ingress path, and it wants to > > redirect the processed packet, it can now use the ACT_REDIRECT > > action, filling the tcf_result accordingly.

[PATCH net-next 2/2] net: sched: add xfrm policy ematch

2018-01-12 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> Allows classification based on the incoming IPSec policy used during decapsulation. This allows similar matching capabilities to those provided by netfilter xt_policy module, and uses the same data structure - but from a tc entry point. Sign

[PATCH net-next 0/2] net: sched: Introduce em_policy ematch

2018-01-12 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> The following patchset introduces a new tc ematch for matching IPSec traffic from a tc context. This allows early classification as well as mirroring/redirecting IPSec traffic based on decapsulation criteria. The matching functionality is

[PATCH net-next 1/2] net: netfilter: export xt_policy match_policy_in() as xt_policy_match_policy_in()

2018-01-12 Thread Eyal Birger
From: Eyal Birger <e...@metanetworks.com> Expose this functionality so it could be usable from a tc classifier. The rename of match_policy_out() is done for consistency though it is not exported. Signed-off-by: Eyal Birger <e...@metanetworks.com> --- include/net/netfilter/xt_p

Re: [PATCH net-next 1/2] net: netfilter: export xt_policy match_policy_in() as xt_policy_match_policy_in()

2018-01-12 Thread Eyal Birger
On Fri, Jan 12, 2018 at 3:41 PM, Pablo Neira Ayuso <pa...@netfilter.org> wrote: > On Fri, Jan 12, 2018 at 02:57:24PM +0200, Eyal Birger wrote: >> @@ -51,9 +52,9 @@ match_xfrm_state(const struct xfrm_state *x, const struct >> xt_policy_elem *e, >>

[PATCH bpf-next,v2 2/2] samples/bpf: extend test_tunnel_bpf.sh with xfrm state test

2018-04-18 Thread Eyal Birger
Add a test for fetching xfrm state parameters from a tc program running on ingress. Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- samples/bpf/tcbpf2_kern.c | 15 +++ samples/bpf/test_tunnel_bpf.sh| 71 +++ tools/includ

[PATCH bpf-next,v2 1/2] bpf: add helper for getting xfrm states

2018-04-18 Thread Eyal Birger
extended by adding elements to its end - indicating the populated fields by the 'size' argument - keeping backwards compatibility. Typical usage: struct bpf_xfrm_state x = {}; bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0); ... Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- include/uapi

Re: [PATCH bpf-next 1/2] bpf: add helper for getting xfrm states

2018-04-18 Thread Eyal Birger
On Wed, 18 Apr 2018 22:59:27 +0200 Daniel Borkmann <dan...@iogearbox.net> wrote: > On 04/17/2018 06:48 AM, Eyal Birger wrote: > > This commit introduces a helper which allows fetching xfrm state > > parameters by eBPF programs attached to TC. > > > > Prototyp

[PATCH bpf-next,v2 0/2] bpf: add helper for getting xfrm states

2018-04-18 Thread Eyal Birger
: - disallow reserved flags in helper call - avoid compiling in helper code when CONFIG_XFRM is off Eyal Birger (2): bpf: add helper for getting xfrm states samples/bpf: extend test_tunnel_bpf.sh with xfrm state test include/uapi/linux/bpf.h | 25 ++- net/core

Re: [PATCH bpf-next,v2 1/2] bpf: add helper for getting xfrm states

2018-04-19 Thread Eyal Birger
Hi, On Wed, 18 Apr 2018 15:31:03 -0700 Alexei Starovoitov <alexei.starovoi...@gmail.com> wrote: > On Thu, Apr 19, 2018 at 12:58:22AM +0300, Eyal Birger wrote: > > This commit introduces a helper which allows fetching xfrm state > > parameters by eBPF programs attached to T

[PATCH bpf-next,v3 1/2] bpf: add helper for getting xfrm states

2018-04-24 Thread Eyal Birger
extended by adding elements to its end - indicating the populated fields by the 'size' argument - keeping backwards compatibility. Typical usage: struct bpf_xfrm_state x = {}; bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0); ... Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- include/uapi

[PATCH bpf-next,v3 0/2] bpf: add helper for getting xfrm states

2018-04-24 Thread Eyal Birger
in network byte order following suggestion from Alexei Starovoitov v2: - Fixed two comments by Daniel Borkmann: - disallow reserved flags in helper call - avoid compiling in helper code when CONFIG_XFRM is off Eyal Birger (2): bpf: add helper for getting xfrm states samples/bpf: extend

[PATCH bpf-next,v3 2/2] samples/bpf: extend test_tunnel_bpf.sh with xfrm state test

2018-04-24 Thread Eyal Birger
Add a test for fetching xfrm state parameters from a tc program running on ingress. Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- samples/bpf/tcbpf2_kern.c | 16 +++ samples/bpf/test_tunnel_bpf.sh| 71 +++ tools/includ

[PATCH bpf-next 0/2] bpf: add helper for getting xfrm states

2018-04-16 Thread Eyal Birger
of the state; This struct can be extended in the future to provide additional state information. The second patch adds a test example in test_tunnel_bpf.sh. The sample validates the correct extraction of state information by the eBPF program. --- Eyal Birger (2): bpf: add helper for getting xfrm

[PATCH bpf-next 2/2] samples/bpf: extend test_tunnel_bpf.sh with xfrm state test

2018-04-16 Thread Eyal Birger
Add a test for fetching xfrm state parameters from a tc program running on ingress. Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- samples/bpf/tcbpf2_kern.c | 15 +++ samples/bpf/test_tunnel_bpf.sh| 71 +++ tools/includ

[PATCH bpf-next 1/2] bpf: add helper for getting xfrm states

2018-04-16 Thread Eyal Birger
extended by adding elements to its end - indicating the populated fields by the 'size' argument - keeping backwards compatibility. Typical usage: struct bpf_xfrm_state x = {}; bpf_skb_get_xfrm_state(skb, 0, &x, sizeof(x), 0); ... Signed-off-by: Eyal Birger <eyal.bir...@gmail.com> --- include/uapi