[PATCH net] netlink: don't call ->netlink_bind with table lock held

2021-04-16 Thread Florian Westphal
332-8-mathew.j.martin...@linux.intel.com/T/#u Cc: Cong Wang Cc: Xin Long Cc: Johannes Berg Cc: Sean Tranchetti Cc: Paolo Abeni Cc: Pablo Neira Ayuso Signed-off-by: Florian Westphal --- net/netlink/af_netlink.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net

[PATCH iproute2] mptcp: add support for event monitoring

2021-04-16 Thread Florian Westphal
port=10011 [SF_ESTABLISHED] token=83f3a692 remid=0 locid=1 saddr4=10.0.2.2 daddr4=10.0.1.1 sport=40195 dport=10011 backup=0 [CLOSED] token=83f3a692 Signed-off-by: Florian Westphal --- include/libgenl.h | 1 + include/uapi/linux/mptcp.h | 2 + ip/ipmptcp.c

[PATCH ipsec-next 3/3] xfrm: avoid synchronize_rcu during netns destruction

2021-04-14 Thread Florian Westphal
Use the new exit_pre hook to NULL the netlink socket. The net namespace core will do a synchronize_rcu() between the exit_pre and exit/exit_batch handlers. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_user.c | 10 +++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/net

[PATCH ipsec-next 2/3] xfrm: remove stray synchronize_rcu from xfrm_init

2021-04-14 Thread Florian Westphal
This function is called during boot, from the ipv4 stack; there is no need to set the pointer to NULL (static storage duration, so already NULL). No need for the synchronize_rcu either. Remove both. Signed-off-by: Florian Westphal --- net/xfrm/xfrm_policy.c | 3 --- 1 file changed, 3 deletions

[PATCH ipsec-next 1/3] flow: remove spi key from flowi struct

2021-04-14 Thread Florian Westphal
xfrm session decode ipv4 path (but not ipv6) sets this, but there are no consumers. Remove it. Signed-off-by: Florian Westphal --- include/net/flow.h | 3 --- net/xfrm/xfrm_policy.c | 39 --- 2 files changed, 42 deletions(-) diff --git a/include/net

[PATCH ipsec-next 0/3] xfrm: minor cleanup and synchronize_rcu removal

2021-04-14 Thread Florian Westphal
. Third patch avoids a synchronize_rcu during netns destruction. Florian Westphal (3): flow: remove spi key from flowi struct xfrm: remove stray synchronize_rcu from xfrm_init xfrm: avoid synchronize_rcu during netns destruction include/net/flow.h | 3 --- net/xfrm/xfrm_policy.c | 42

Re: [PATCH] netfilter: nf_conntrack: Add conntrack helper for ESP/IPsec

2021-04-14 Thread Florian Westphal
Cole Dishington wrote: > Introduce changes to add ESP connection tracking helper to netfilter > conntrack. The connection tracking of ESP is based on IPsec SPIs. The > underlying motivation for this patch was to allow multiple VPN ESP > clients to be distinguished when using NAT. > > Added config

Re: linux-next: build failure after merge of the net-next tree

2021-04-12 Thread Florian Westphal
Stephen Rothwell wrote: > net/bridge/netfilter/ebtables.c:1248:33: error: 'struct netns_xt' has no > member named 'tables' > 1248 | list_for_each_entry(t, &net->xt.tables[NFPROTO_BRIDGE], list) { > | ^ > include/linux/list.h:619:20: note: in definition of m

Re: [BUG / question] in routing rules, some options (e.g. ipproto, sport) cause rules to be ignored in presence of packet marks

2021-04-09 Thread Florian Westphal
Michal Soltys wrote: > On 3/29/21 10:52 PM, Ido Schimmel wrote: > > > > ip_route_me_harder() does not set source / destination port in the > > flow key, so it explains why fib rules that use them are not hit after > > mangling the packet. These keys were added in 4.17, but I > > don't think this

[PATCH net-next] net: dccp: use net_generic storage

2021-04-08 Thread Florian Westphal
DCCP is virtually never used, so no need to use space in struct net for it. Put the pernet ipv4/v6 socket in the dccp ipv4/ipv6 modules instead. Signed-off-by: Florian Westphal --- include/net/net_namespace.h | 4 include/net/netns/dccp.h| 12 net/dccp/ipv4.c

Re: [PATCH netfilter] netfilter: xt_IDLETIMER: fix idletimer_tg_helper non-kosher casts

2021-04-02 Thread Florian Westphal
Maciej Żenczykowski wrote: > From: Maciej Żenczykowski > > The code is relying on the identical layout of the beginning > of the v0 and v1 structs, but this can easily lead to code bugs > if one were to try to extend this further... What is the concern? These structs are part of ABI, they cann

Re: [PATCH net 2/2] mptcp: revert "mptcp: provide subflow aware release function"

2021-04-01 Thread Florian Westphal
subflow aware release function") > Signed-off-by: Paolo Abeni Paolo, thanks for passing this to -net. Acked-by: Florian Westphal

Re: [PATCH][next] netfilter: nf_log_bridge: Fix missing assignment of ret on a call to nf_log_register

2021-03-31 Thread Florian Westphal
Colin King wrote: > From: Colin Ian King > > Currently the call to nf_log_register is returning an error code that > is not being assigned to ret and yet ret is being checked. Fix this by > adding in the missing assignment. Thanks for catching this. Acked-by: Florian Westphal

Re: [PATCH 5.10 104/157] mptcp: put subflow sock on connect error

2021-03-24 Thread Florian Westphal
Naresh Kamboju wrote: > On Mon, 22 Mar 2021 at 18:15, Greg Kroah-Hartman > wrote: > > > > From: Florian Westphal > > > > [ Upstream commit f07157792c633b528de5fc1dbe2e4ea54f8e09d4 ] > > > > mptcp_add_pending_subflow() performs a sock_hold() on the subf

Re: [PATCH ipsec] xfrm: Provide private skb extensions for segmented and hw offloaded ESP packets

2021-03-23 Thread Florian Westphal
Steffen Klassert wrote: > Commit 94579ac3f6d0 ("xfrm: Fix double ESP trailer insertion in IPsec > crypto offload.") added a XFRM_XMIT flag to avoid duplicate ESP trailer > insertion on HW offload. This flag is set on the secpath that is shared > amongst segments. This lead to a situation where som

Re: [PATCH] net: bridge: fix error return code of do_update_counters()

2021-03-09 Thread Florian Westphal
Jia-Ju Bai wrote: > When find_table_lock() returns NULL to t, no error return code of > do_update_counters() is assigned. It's -ENOENT. > t = find_table_lock(net, name, &ret, &ebt_mutex); ^ ret is passed to find_table_lock, which passes it to find

Re: [PATCH resend] netlink.7: note not reliable if NETLINK_NO_ENOBUFS

2021-03-05 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > If I understand correctly, the connection tracking netlink interface > > is an exception here because it has its own handling of dealing with > > congestion ("more reliable"?) so you need to disable the "default > > congestion control"? > > In conntrack, you have to c

Re: [PATCH] xfrm: Fix incorrect types in assignment

2021-02-19 Thread Florian Westphal
Yang Li wrote: > Fix the following sparse warnings: > net/xfrm/xfrm_policy.c:1303:22: warning: incorrect type in assignment > (different address spaces) > Reported-by: Abaci Robot > Signed-off-by: Yang Li > --- > net/xfrm/xfrm_policy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >

Re: WARNING in dst_release

2021-02-18 Thread Florian Westphal
syzbot wrote: > Hello, > > syzbot has tested the proposed patch and the reproducer did not trigger any > issue: > > Reported-and-tested-by: syzbot+b53bbea2ad64f9cf8...@syzkaller.appspotmail.com #syz-fix: mptcp: reset last_snd on subflow close [ This patch is currently in mptcp-next ]

Re: [v3 net-next 08/10] skbuff: reuse NAPI skb cache on allocation path (__build_skb())

2021-02-10 Thread Florian Westphal
Alexander Lobakin wrote: > we're in such context. This includes: build_skb() (called only > from NIC drivers in NAPI Rx context) and {,__}napi_alloc_skb() > (called from the same place or from kernel network softirq > functions). build_skb is called from sleepable context in drivers/net/tun.c . P

Re: [PATCH net 1/1] netfilter: conntrack: Check offload bit on table dump

2021-02-03 Thread Florian Westphal
Roi Dayan wrote: > > Do you think rhashtable_insert_fast() in flow_offload_add() blocks for > > dozens of seconds? > > I'm not sure. but it's not only that but also the time to be in > established state as only then we offload. That makes it even more weird. Timeout for established is even large

Re: [PATCH net 1/1] netfilter: conntrack: Check offload bit on table dump

2021-02-01 Thread Florian Westphal
Roi Dayan wrote: > > TCP initial timeout is one minute, UDP 30 seconds. > > That should surely be enough to do flow_offload_add (which extends > > the timeout)? > > Yes, flow_offload_add() extends the timeout. but it needs to finish. > > > > > Maybe something is doing flow_offload_add() for unc

Re: [PATCH net 1/1] netfilter: conntrack: Check offload bit on table dump

2021-02-01 Thread Florian Westphal
Roi Dayan wrote: > > > There is a 3rd caller nf_ct_gc_expired() which being called by 3 > > > other callers: > > > nf_conntrack_find() > > > nf_conntrack_tuple_taken() > > > early_drop_list() > > > > Hm. I'm not sure yet what path is triggering this bug. > > > > Florian came up with the idea

Re: [PATCH net-next 3/3] net: core: Namespace-ify sysctl_rmem_max and sysctl_wmem_max

2021-01-20 Thread Florian Westphal
menglong8.d...@gmail.com wrote: > From: Menglong Dong > > For now, sysctl_wmem_max and sysctl_rmem_max are globally unified. > It's not convenient in some case. For example, when we use docker > and try to control the default udp socket receive buffer for each > container. > > For that reason,

Re: [PATCH] netfilter: Fix memleak in nf_nat_init

2021-01-09 Thread Florian Westphal
Dinghao Liu wrote: > When register_pernet_subsys() fails, nf_nat_bysource > should be freed just like when nf_ct_extend_register() > fails. Acked-by: Florian Westphal

Re: [PATCH net] netfilter: conntrack: fix reading nf_conntrack_buckets

2021-01-08 Thread Florian Westphal
esults in > sysctl net/netfilter/nf_conntrack_buckets shows the wrong value when users > update via the old way. Oh, right! Acked-by: Florian Westphal

Re: 5.10.4+ hang with 'rmmod nf_conntrack'

2021-01-07 Thread Florian Westphal
Ben Greear wrote: > I noticed my system has a hung process trying to 'rmmod nf_conntrack'. > > I've generally been doing the script that calls rmmod forever, > but only extensively tested on 5.4 kernel and earlier. > > If anyone has any ideas, please let me know. This is from 'sysrq t'. I > d

Re: [PATCH] tcp: remove obsolete parameter sysctl_tcp_low_latency

2021-01-07 Thread Florian Westphal
Jakub Kicinski wrote: > > Got it. But a question: why tcp_tw_recycle can be removed totally? > > it is also part of uAPI > > Good question, perhaps with tcp_tw_recycle we wanted to make sure users > who depended on it notice removal, since the feature was broken by > design? > > tcp_low_latency

[PATCH net 0/3] net: fix netfilter defrag/ip tunnel pmtu blackhole

2021-01-05 Thread Florian Westphal
Christian Perle reported a PMTU blackhole due to unexpected interaction between the ip defragmentation that comes with connection tracking and ip tunnels. Unfortunately setting 'nopmtudisc' on the tunnel breaks the test scenario even without netfilter. Christian's setup looks like this: +

[PATCH net 3/3] net: ip: always refragment ip defragmented packets

2021-01-05 Thread Florian Westphal
t") Reported-by: Christian Perle Signed-off-by: Florian Westphal --- net/ipv4/ip_output.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c index 89fff5f59eea..2ed0b01f72f0 100644 --- a/net/ipv4/ip_output.c +++ b/net/ipv4/ip_outpu

[PATCH net 1/3] selftests: netfilter: add selftest for ipip pmtu discovery with enabled connection tracking

2021-01-05 Thread Florian Westphal
Convert Christian's bug description into a reproducer. Cc: Shuah Khan Cc: Pablo Neira Ayuso Reported-by: Christian Perle Signed-off-by: Florian Westphal --- tools/testing/selftests/netfilter/Makefile| 3 +- .../selftests/netfilter/ipip-conntrack-mtu.sh | 206 ++ 2 files

[PATCH net 2/3] net: fix pmtu check in nopmtudisc mode

2021-01-05 Thread Florian Westphal
stack then sends an error to itself because the packet exceeds the device MTU. Fixes: 23a3647bc4f93 ("ip_tunnels: Use skb-len to PMTU check.") Cc: Stefano Brivio Signed-off-by: Florian Westphal --- net/ipv4/ip_tunnel.c | 11 +-- 1 file changed, 5 insertions(+), 6 deletions(-) dif

Re: [PATCH v2] xfrm: Fix wraparound in xfrm_policy_addr_delta()

2020-12-30 Thread Florian Westphal
0. > Prefix /0 has only one equivalence class. Acked-by: Florian Westphal

Re: [PATCH] selftests: xfrm: fix test return value override issue in xfrm_policy.sh

2020-12-30 Thread Florian Westphal
o $? > 0 > > This is because the $lret in check_xfrm() is not a local variable. Acked-by: Florian Westphal

Re: [PATCH] xfrm: Fix wraparound in xfrm_policy_addr_delta()

2020-12-30 Thread Florian Westphal
Visa Hankala wrote: > On Tue, Dec 29, 2020 at 05:01:27PM +0100, Florian Westphal wrote: > > This is suspicious. Is prefixlen == 0 impossible? > > > > If not, then after patch > > mask = ~0U << 32; > > > > ... and function returns 0. > > With

Re: [PATCH] xfrm: Fix wraparound in xfrm_policy_addr_delta()

2020-12-29 Thread Florian Westphal
Visa Hankala wrote: > Use three-way comparison for address elements to avoid integer > wraparound in the result of xfrm_policy_addr_delta(). > > This ensures that the search trees are built and traversed correctly > when the difference between compared address elements is larger > than INT_MAX.

Re: [PATCH nf] netfilter: xt_RATEEST: reject non-null terminated string from userspace

2020-12-22 Thread Florian Westphal
Linus Torvalds wrote: > On Tue, Dec 22, 2020 at 2:24 PM Florian Westphal wrote: > > > > strlcpy assumes src is a c-string. Check info->name before it's used. > > If strlcpy is the only problem, then the fix is to use strscpy(), > which doesn't have the design mis

[PATCH nf] netfilter: xt_RATEEST: reject non-null terminated string from userspace

2020-12-22 Thread Florian Westphal
sed. Reported-by: syzbot+e86f7c428c8c50db6...@syzkaller.appspotmail.com Fixes: 5859034d7eb8793 ("[NETFILTER]: x_tables: add RATEEST target") Signed-off-by: Florian Westphal --- RATEEST test in iptables.git still passes, syzbot repro setsockopt fails with -ENAMETOOLONG. diff --git a/

Re: kernel BUG at lib/string.c:LINE! (6)

2020-12-22 Thread Florian Westphal
Linus Torvalds wrote: > On Tue, Dec 22, 2020 at 6:44 AM syzbot > wrote: > > > > The issue was bisected to: > > > > commit 2f78788b55ba ("ilog2: improve ilog2 for constant arguments") > > That looks unlikely, although possibly some constant folding > improvement might make the fortify code notice

Re: [PATCH] mptcp: print new line in mptcp_seq_show() if mptcp isn't in use

2020-12-04 Thread Florian Westphal
Jianguo Wu wrote: > From: Jianguo Wu A brief explanation would have helped. This is for net tree. > Signed-off-by: Jianguo Wu Fixes: fc518953bc9c8d7d ("mptcp: add and use MIB counter infrastructure") Acked-by: Florian Westphal

Re: [Race] data race between eth_heder_cache_update() and neigh_hh_output()

2020-11-30 Thread Florian Westphal
Gong, Sishuai wrote: > Hi, > > We found a data race in linux kernel 5.3.11 that we are able to reproduce in > x86 under specific interleavings. We are not sure about the consequence of > this race now but it seems that the two memcpy() can lead to some > inconsistency. We also noticed that bot

[PATCH net-next 3/3] mptcp: emit tcp reset when a join request fails

2020-11-30 Thread Florian Westphal
) with an "MPTCP specific error" reason code. mptcp-next doesn't support MP_TCPRST yet, this can be added in another change. Signed-off-by: Florian Westphal --- net/mptcp/subflow.c | 47 ++--- 1 file changed, 36 insertions(+), 11 deletions(-

[PATCH net-next 1/3] security: add const qualifier to struct sock in various places

2020-11-30 Thread Florian Westphal
lso possible to add a const qualifier to security_inet_conn_request instead. Signed-off-by: Florian Westphal --- The code churn is unfortunate. Alternative would be to change the function signature of ->route_req: struct dst_entry *(*route_req)(struct sock *sk, ... [ i.e., drop 'const'

[PATCH net-next 2/3] tcp: merge 'init_req' and 'route_req' functions

2020-11-30 Thread Florian Westphal
b to the merged function at the same time. 'send reset on unknown mptcp join token' is added in next patch. Suggested-by: Paolo Abeni Cc: Eric Dumazet Signed-off-by: Florian Westphal --- include/net/tcp.h| 9 - net/ipv4/tcp_input.c | 9 ++--- net/ipv4/tcp_ipv4.c |

[PATCH net-next 0/3] mptcp: reject invalid mp_join requests right away

2020-11-30 Thread Florian Westphal
At the moment MPTCP can detect an invalid join request (invalid token, max number of subflows reached, and so on) right away but cannot reject the connection until the 3WHS has completed. Instead the connection will complete and the subflow is reset afterwards. To send the reset most information i

Re: [PATCH net-next] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal

2020-11-28 Thread Florian Westphal
Jakub Kicinski wrote: > On Mon, 23 Nov 2020 19:32:53 +0100 Florian Westphal wrote: > > That comment is 18 years old, safe bet no one thought of > > ipv6-in-tunnel-interface-added-as-bridge-port back then. > > > > Reviewed-by: Florian Westphal > > Sounds like

Re: [PATCH v6 0/3] net, mac80211, kernel: enable KCOV remote coverage collection for 802.11 frame handling

2020-11-25 Thread Florian Westphal
Marco Elver wrote: [..] > v6: > * Revert usage of skb extensions due to potential memory leak. Patch 2/3 is > now > idential to that in v2. > * Patches 1/3 and 3/3 are otherwise identical to v5. The earlier series was already applied to net-next, so you need to rebase on top of net-next and i

[PATCH net-next] mptcp: put reference in mptcp timeout timer

2020-11-24 Thread Florian Westphal
mptcp_sk_clone+0x33/0x1a0 [..] subflow_syn_recv_sock+0x2b1/0x690 [..] Fixes: e16163b6e2b7 ("mptcp: refactor shutdown and close") Cc: Paolo Abeni Cc: Davide Caratti Signed-off-by: Florian Westphal --- net/mptcp/protocol.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ne

Re: [PATCH net-next] netfilter: bridge: reset skb->pkt_type after NF_INET_POST_ROUTING traversal

2020-11-23 Thread Florian Westphal
PACKET_HOST > and returns early). > > If the comment is right and no one cares about the value of > skb->pkt_type after br_dev_queue_push_xmit (which isn't true), resetting > it to its original value should be safe. That comment is 18 years old, safe bet no one thought of ipv6-in-tunnel-interface-added-as-bridge-port back then. Reviewed-by: Florian Westphal

Re: [Patch stable] netfilter: clear skb->next in NF_HOOK_LIST()

2020-11-21 Thread Florian Westphal
Cong Wang wrote: > From: Cong Wang > > NF_HOOK_LIST() uses list_del() to remove skb from the linked list, > however, it is not sufficient as skb->next still points to other > skb. We should just call skb_list_del_init() to clear skb->next, > like the rest places which using skb list. > > This h

Re: [PATCH v5 2/3] net: add kcov handle to skb extensions

2020-11-21 Thread Florian Westphal
Ido Schimmel wrote: > On Thu, Oct 29, 2020 at 05:36:19PM +, Aleksandr Nogikh wrote: > > From: Aleksandr Nogikh > > > > Remote KCOV coverage collection enables coverage-guided fuzzing of the > > code that is not reachable during normal system call execution. It is > > especially helpful for f

Re: [PATCH 108/141] netfilter: ipt_REJECT: Fix fall-through warnings for Clang

2020-11-20 Thread Florian Westphal
Gustavo A. R. Silva wrote: > In preparation to enable -Wimplicit-fallthrough for Clang, fix a warning > by explicitly adding a break statement instead of letting the code fall > through to the next case. Acked-by: Florian Westphal

Re: [PATCH 015/141] netfilter: Fix fall-through warnings for Clang

2020-11-20 Thread Florian Westphal
Gustavo A. R. Silva wrote: > In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple > warnings by explicitly adding multiple break statements instead of just > letting the code fall through to the next case. Acked-by: Florian Westphal Feel free to carry this in next

Re: [PATCH net-next v2] net: openvswitch: Be liberal in tcp conntrack.

2020-11-19 Thread Florian Westphal
hich > > sets this flag for both the directions of the nf_conn. > > > > Suggested-by: Florian Westphal > > Signed-off-by: Numan Siddique > > Florian, LGTY? Sorry, this one sailed past me. Acked-by: Florian Westphal

Re: [PATCH v4] aquantia: Remove the build_skb path

2020-11-19 Thread Florian Westphal
Ramsay, Lincoln wrote: [ patch looks good to me, I have no further comments ] > > For build_skb path to work the buffer scheme would need to be changed > > to reserve headroom, so yes, I think that the proposed patch is the > > most convenient solution. > > I don't know about benefits/feasibili

Re: [PATCH v3] aquantia: Remove the build_skb path

2020-11-19 Thread Florian Westphal
Ramsay, Lincoln wrote: > When performing IPv6 forwarding, there is an expectation that SKBs > will have some headroom. When forwarding a packet from the aquantia > driver, this does not always happen, triggering a kernel warning. > > The build_skb path fails to allow for an SKB header, but the ha

Re: [PATCH v2] aquantia: Remove the build_skb path

2020-11-19 Thread Florian Westphal
Ramsay, Lincoln wrote: > > Ramsay, Lincoln wrote: > > > The build_skb path fails to allow for an SKB header, but the hardware > > > buffer it is built around won't allow for this anyway. > > > > What problem is being resolved here? > > Sorry... Do I need to re-post the context? (I thought the r

Re: [PATCH v2] aquantia: Remove the build_skb path

2020-11-19 Thread Florian Westphal
Ramsay, Lincoln wrote: > The build_skb path fails to allow for an SKB header, but the hardware > buffer it is built around won't allow for this anyway. What problem is being resolved here?

Re: [PATCH net] netfilter: ipset: prevent uninit-value in hash_ip6_add

2020-11-19 Thread Florian Westphal
Eric Dumazet wrote: > From: Eric Dumazet > > syzbot found that we are not validating user input properly > before copying 16 bytes [1]. > Using NLA_BINARY in ipaddr_policy[] for IPv6 address is not correct, > since it ensures at most 16 bytes were provided. Thanks Eric. Looks like this is the o

Re: [PATCH net-next,v4 2/9] netfilter: flowtable: add xmit path types

2020-11-18 Thread Florian Westphal
Pablo Neira Ayuso wrote: > - if (unlikely(dst_xfrm(&rt->dst))) { > + rt = (struct rtable *)tuplehash->tuple.dst_cache; > + > + if (unlikely(tuplehash->tuple.xmit_type == FLOW_OFFLOAD_XMIT_XFRM)) { > memset(skb->cb, 0, sizeof(struct inet_skb_parm)); > IPCB(sk

Re: [PATCH net-next,v4 3/9] net: resolve forwarding path from virtual netdevice and HW destination address

2020-11-18 Thread Florian Westphal
Pablo Neira Ayuso wrote: > +#define NET_DEVICE_PATH_STACK_MAX5 > + > +struct net_device_path_stack { > + int num_paths; > + struct net_device_path path[NET_DEVICE_PATH_STACK_MAX]; > +}; [..] > +int dev_fill_forward_path(const struct net_device *dev, const u8 *dad

Re: [PATCH net-next v5] net: linux/skbuff.h: combine SKB_EXTENSIONS + KCOV handling

2020-11-16 Thread Florian Westphal
in the header file. Thanks Randy. Acked-by: Florian Westphal

Re: [PATCH net-next v4] net: linux/skbuff.h: combine SKB_EXTENSIONS + KCOV handling

2020-11-16 Thread Florian Westphal
Randy Dunlap wrote: > On 11/16/20 7:30 AM, Jakub Kicinski wrote: > > On Mon, 16 Nov 2020 15:31:21 +0100 Florian Westphal wrote: > >>>> @@ -4151,12 +4150,11 @@ enum skb_ext_id { > >>>> #if IS_ENABLED(CONFIG_MPTCP) > >>>> SKB_EXT_MPT

Re: [PATCH net-next v4] net: linux/skbuff.h: combine SKB_EXTENSIONS + KCOV handling

2020-11-16 Thread Florian Westphal
Matthieu Baerts wrote: > > --- linux-next-20201113.orig/include/linux/skbuff.h > > +++ linux-next-20201113/include/linux/skbuff.h > > @@ -4137,7 +4137,6 @@ static inline void skb_set_nfct(struct s > > #endif > > } > > -#ifdef CONFIG_SKB_EXTENSIONS > > enum skb_ext_id { > > #if IS_ENABLED(C

Re: [net-next] netfilter: conntrack: Add the option to set ct tcp flag - BE_LIBERAL per-ct basis.

2020-11-10 Thread Florian Westphal
Numan Siddique wrote: > On Tue, Nov 10, 2020 at 5:55 PM Florian Westphal wrote: > > > > Numan Siddique wrote: > > > On Tue, Nov 10, 2020 at 3:06 AM Florian Westphal wrote: > > > Thanks for the comments. I actually tried this approach first, but it > >

Re: [net-next] netfilter: conntrack: Add the option to set ct tcp flag - BE_LIBERAL per-ct basis.

2020-11-10 Thread Florian Westphal
Numan Siddique wrote: > On Tue, Nov 10, 2020 at 3:06 AM Florian Westphal wrote: > Thanks for the comments. I actually tried this approach first, but it > doesn't seem to work. > I noticed that for the committed connections, the ct tcp flag - > IP_CT_TCP_FLAG_BE_LIBER

Re: [net-next] netfilter: conntrack: Add the option to set ct tcp flag - BE_LIBERAL per-ct basis.

2020-11-09 Thread Florian Westphal
of > tcp_in_window() check error or because it doesn't belong to an > existing connection. > > An earlier attempt (see the link) tried to solve this problem for > openvswitch in a different way. Florian Westphal instead suggested > to be liberal in openvswitch for tcp packets

Re: [PATCH nf 2/2] netfilter: use actual socket sk rather than skb sk when routing harder

2020-10-29 Thread Florian Westphal
ceives the sk as part of its normal > functionality. So we make sure to plumb state->sk through the various > route_me_harder functions, and then make correct use of it following the > example of __ip_queue_xmit(). Reviewed-by: Florian Westphal

Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register

2020-10-14 Thread Florian Westphal
Francesco Ruggeri wrote: > On Wed, Oct 14, 2020 at 1:23 AM Florian Westphal wrote: > > > > Pablo Neira Ayuso wrote: > > > Legacy would still be flawed though. > > > > Its fine too, new rule blob gets handled (and match/target checkentry > > called) bef

Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register

2020-10-14 Thread Florian Westphal
Pablo Neira Ayuso wrote: > > Yes, we iterate table on re-register and modify the existing entries. > > For iptables-nft, it might be possible to avoid this deregister + > register ct hooks in the same transaction: Maybe add something like > nf_ct_netns_get_all() to bump refcounters by one _iff_ t

Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register

2020-10-09 Thread Florian Westphal
Jozsef Kadlecsik wrote: > > The "delay unregister" remark was wrt. the "all rules were deleted" > > case, i.e. add a "grace period" rather than acting right away when > > conntrack use count did hit 0. > > Now I understand it, thanks really. The hooks are removed, so conntrack > cannot "see" the

Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register

2020-10-09 Thread Florian Westphal
Jozsef Kadlecsik wrote: > > The repro clears all rules, waits 4 seconds, then restores the ruleset. > > using iptables-restore < FOO; sleep 4; iptables-restore < FOO will not > > result in any unregister ops. > > > > We could make kernel defer unregister via some work queue but i don't > > see w

Re: [PATCH nf v2] netfilter: conntrack: connection timeout after re-register

2020-10-09 Thread Florian Westphal
Jozsef Kadlecsik wrote: > > Any comments? > > Here is a simple reproducer. The idea is to show that keepalive packets > > in an idle tcp connection will be dropped (and the connection will time > > out) if conntrack hooks are de-registered and then re-registered. The > > reproducer has two file

Re: [PATCH net-next] net: openvswitch: Add support to lookup invalid packet in ct action.

2020-10-06 Thread Florian Westphal
Numan Siddique wrote: > On Tue, Oct 6, 2020 at 4:46 PM Florian Westphal wrote: > > > > nusid...@redhat.com wrote: > > > From: Numan Siddique > > > > > > For a tcp packet which is part of an existing committed connection, > > > nf_conntrack_in

Re: [PATCH net-next] net: openvswitch: Add support to lookup invalid packet in ct action.

2020-10-06 Thread Florian Westphal
nusid...@redhat.com wrote: > From: Numan Siddique > > For a tcp packet which is part of an existing committed connection, > nf_conntrack_in() will return err and set skb->_nfct to NULL if it is > out of tcp window. ct action for this packet will set the ct_state > to +inv which is as expected.

[PATCH net-next] net: tcp: drop unused function argument from mptcp_incoming_options

2020-09-24 Thread Florian Westphal
Since commit cfde141ea3faa30e ("mptcp: move option parsing into mptcp_incoming_options()"), the 3rd function argument is no longer used. Signed-off-by: Florian Westphal --- include/net/mptcp.h | 6 ++ net/ipv4/tcp_input.c | 4 ++-- net/mptcp/options.c | 3 +-- 3 files

Re: [PATCH 1/3 nf] selftests: netfilter: add cpu counter check

2020-09-09 Thread Florian Westphal
Fabian Frederick wrote: > run task on first CPU with netfilter counters reset and check > cpu meta after another ping Thanks! Acked-by: Florian Westphal

Re: [PATCH v3 1/1] netfilter: nat: add a range check for l3/l4 protonum

2020-08-28 Thread Florian Westphal
Pablo Neira Ayuso wrote: > Hi Will, > > Given this is for -stable maintainers only, I'd suggest: > > 1) Specify what -stable kernel versions this patch applies to. >Explain that this problem is gone since what kernel version. > > 2) Maybe clarify that this is only for stable in the patch su

[PATCH net] mptcp: free acked data before waiting for more memory

2020-08-25 Thread Florian Westphal
_clean_una(sk) which will free pages that have been acked completely in the mean time. Fixes: fb529e62d3f3 ("mptcp: break and restart in case mptcp sndbuf is full") Signed-off-by: Florian Westphal --- net/mptcp/protocol.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --gi

Re: [PATCH] net: netfilter: delete repeated words

2020-08-22 Thread Florian Westphal
Randy Dunlap wrote: > Drop duplicated words in net/netfilter/ and net/ipv4/netfilter/. Reviewed-by: Florian Westphal

[PATCH net] mptcp: sendmsg: reset iter on error redux

2020-08-16 Thread Florian Westphal
r on error)" Signed-off-by: Florian Westphal --- Brown paper bag patch. I will see if having distinct functions for the mtcp_sendmsg and retransmit wq case is feasible/more appropriate. net/mptcp/protocol.c | 8 +--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/net/mpt

Re: [PATCH] netfilter: nf_conntrack_sip: fix parsing error

2020-08-15 Thread Florian Westphal
Tong Zhang wrote: > ct_sip_parse_numerical_param can only return 0 or 1, but the caller is > checking parsing error using < 0 Reviewed-by: Florian Westphal

[PATCH net] mptcp: sendmsg: reset iter on error

2020-08-14 Thread Florian Westphal
s triggers. Receiver ends up with less data than it should get. Fixes: 72511aab95c94d ("mptcp: avoid blocking in tcp_sendpages") Signed-off-by: Florian Westphal --- net/mptcp/protocol.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/mptcp/protocol.

[PATCH nf] netfilter/ebtables: reject bogus getopt len value

2020-08-13 Thread Florian Westphal
y: syzbot+5accb5c62faa1d346...@syzkaller.appspotmail.com Signed-off-by: Florian Westphal --- net/bridge/netfilter/ebtables.c | 4 1 file changed, 4 insertions(+) diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 1641f414d1ba..ebe33b60efd6 100644 --- a/ne

Re: [PATCH] net: eliminate meaningless memcpy to data in pskb_carve_inside_nonlinear()

2020-08-10 Thread Florian Westphal
Miaohe Lin wrote: > The skb_shared_info part of the data is assigned in the following loop. Where?

Re: [DRAFT PATCH] random32: make prandom_u32() output unpredictable

2020-08-10 Thread Florian Westphal
Willy Tarreau wrote: > On Sun, Aug 09, 2020 at 06:30:17PM +, George Spelvin wrote: > > Even something simple like buffering 8 TSC samples, and adding them > > at 32-bit offsets across the state every 8th call, would make a huge > > difference. > > Doing testing on real hardware showed that re

Re: Flaw in "random32: update the net random state on interrupt and activity"

2020-08-08 Thread Florian Westphal
Willy Tarreau wrote: > diff --git a/include/linux/random.h b/include/linux/random.h > index 9ab7443bd91b..9e22973b207c 100644 > --- a/include/linux/random.h > +++ b/include/linux/random.h > @@ -12,6 +12,7 @@ > #include > #include > #include > +#include > > #include > > @@ -117,7 +118,

Re: [PATCH net-next 0/6] Support PMTU discovery with bridged UDP tunnels

2020-08-03 Thread Florian Westphal
ally need to reply to > IP and IPv6 packets ourselves and send these ICMP or ICMPv6 errors > back, using the same encapsulating device. Patch 2/6, based on an > original idea by Florian Westphal, adds the needed functionality, > while patches 3/6 and 4/6 add matching support for VXLAN

Re: [PATCH nf] netfilter: nf_tables: nft_exthdr: the presence return value should be little-endian

2020-08-03 Thread Florian Westphal
Stephen Suryaputra wrote: > On big-endian machine, the returned register data when the exthdr is > present is not being compared correctly because little-endian is > assumed. The function nft_cmp_fast_mask(), called by nft_cmp_fast_eval() > and nft_cmp_fast_init(), calls cpu_to_le32(). > > The fo

[PATCH net-next] mptcp: fix syncookie build error on UP

2020-08-01 Thread Florian Westphal
ARRAY_SIZE cannot be used. Fixes: 9466a1ccebbe54 ("mptcp: enable JOIN requests even if cookies are in use") Reported-by: kernel test robot Signed-off-by: Florian Westphal --- net/mptcp/syncookies.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/mptcp/sync

Re: [PATCH net-next] tcp: fix build fong CONFIG_MPTCP=n

2020-08-01 Thread Florian Westphal
Florian Westphal wrote: > Eric Dumazet wrote: > > Fixes these errors: > > > > net/ipv4/syncookies.c: In function 'tcp_get_cookie_sock': > > net/ipv4/syncookies.c:216:19: error: 'struct tcp_request_sock' has no > > member name

Re: [PATCH net-next] tcp: fix build fong CONFIG_MPTCP=n

2020-08-01 Thread Florian Westphal
^~~~ Ugh, sorry about this. > make[3]: *** [scripts/Makefile.build:280: net/ipv4/syncookies.o] Error 1 > make[3]: *** Waiting for unfinished jobs > > Fixes: 9466a1ccebbe ("mptcp: enable JOIN requests even if cookies are in use") > Signed-off-by: Eric Dumazet > Cc: Fl

[PATCH v2 net-next 8/9] selftests: mptcp: make 2nd net namespace use tcp syn cookies unconditionally

2020-07-30 Thread Florian Westphal
check we can establish connections also when syn cookies are in use. Check that MPTcpExtMPCapableSYNRX and MPTcpExtMPCapableACKRX increase for each MPTCP test. Check TcpExtSyncookiesSent and TcpExtSyncookiesRecv increase in netns2. Signed-off-by: Florian Westphal --- .../selftests/net/mptcp

[PATCH v2 net-next 4/9] mptcp: rename and export mptcp_subflow_request_sock_ops

2020-07-30 Thread Florian Westphal
syncookie code path needs to create an mptcp request sock. Prepare for this and add mptcp prefix plus needed export of ops struct. Signed-off-by: Florian Westphal --- include/net/mptcp.h | 1 + net/mptcp/subflow.c | 11 ++- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git

[PATCH v2 net-next 5/9] mptcp: subflow: add mptcp_subflow_init_cookie_req helper

2020-07-30 Thread Florian Westphal
back, we check that the token has not been registered in the mean time. If it was, the connection needs to fall back to TCP. Changes in v2: - use req->syncookie instead of passing 'want_cookie' arg to ->init_req() (Eric Dumazet) Signed-off-by: Florian Westphal --- include/n

[PATCH v2 net-next 2/9] mptcp: token: move retry to caller

2020-07-30 Thread Florian Westphal
when the token is already taken in the syncookie case. Therefore, move the retry logic to the caller to prepare for syncookie support in mptcp. Signed-off-by: Florian Westphal --- net/mptcp/subflow.c | 9 - net/mptcp/token.c | 12 2 files changed, 12 insertions(+), 9 dele

[PATCH v2 net-next 9/9] selftests: mptcp: add test cases for mptcp join tests with syn cookies

2020-07-30 Thread Florian Westphal
Also add test cases with MP_JOIN when tcp_syncookies sysctl is 2 (i.e., syncookies are always-on). While at it, also print the test number and add the test number to the pcap files that can be generated optionally. This makes it easier to match the pcap to the test case. Signed-off-by: Florian

[PATCH v2 net-next 6/9] tcp: syncookies: create mptcp request socket for ACK cookies with MPTCP option

2020-07-30 Thread Florian Westphal
request socket. Suggested-by: Paolo Abeni Signed-off-by: Florian Westphal --- include/net/tcp.h | 2 ++ net/ipv4/syncookies.c | 38 ++ net/ipv4/tcp_input.c | 3 --- net/ipv6/syncookies.c | 5 + 4 files changed, 37 insertions(+), 11 deletions

[PATCH v2 net-next 7/9] mptcp: enable JOIN requests even if cookies are in use

2020-07-30 Thread Florian Westphal
rg Suggested-by: Paolo Abeni Signed-off-by: Florian Westphal --- net/ipv4/syncookies.c | 6 ++ net/mptcp/Makefile | 1 + net/mptcp/ctrl.c | 1 + net/mptcp/protocol.h | 20 +++ net/mptcp/subflow.c| 14 + net/mptcp/syncookies.c | 132 +++

[PATCH v2 net-next 3/9] mptcp: subflow: split subflow_init_req

2020-07-30 Thread Florian Westphal
lper, __subflow_init_req, that can then be re-used from the 'no insert' function added in a followup change. Signed-off-by: Florian Westphal --- net/mptcp/subflow.c | 32 ++-- 1 file changed, 22 insertions(+), 10 deletions(-) diff --git a/net/mptcp/subflow.c b/net/mptcp/s
