to get specific fields in the option.
Signed-off-by: Stephen Suryaputra
---
include/net/inet_sock.h | 2 +-
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/ipv4/ip_options.c| 2 +
net/netfilter/nft_exthdr.c | 136
Get the ingress interface and increment ICMP counters based on that
instead of skb->dev when the the dev is a VRF device.
This is a follow up on the following message:
https://www.spinics.net/lists/netdev/msg560268.html
Signed-off-by: Stephen Suryaputra
---
net/ipv6/icmp.c |
On Fri, May 31, 2019 at 07:11:01PM +0200, Pablo Neira Ayuso wrote:
> > +/* find the offset to specified option or the header beyond the options
> > + * if target < 0.
> > + *
> > + * Note that *offset is used as input/output parameter, and if it is not
> > zero,
> > + * then it must be a valid off
On Sat, Jun 01, 2019 at 02:22:30AM +0200, Pablo Neira Ayuso wrote:
> > It is the same as the IPv6 one. The offset returned is the offset to the
> > specific option (target) or the byte beyond the options if the target
> > isn't specified (< 0).
>
> Thanks for explaining. So you are using ipv6_find
On Fri, May 31, 2019 at 05:06:16PM -0600, David Ahern wrote:
> On 5/29/19 11:08 PM, Stephen Suryaputra wrote:
> > diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
> > index 1a832f5e190b..9b365c345c34 100644
> > --- a/net/ipv6/reassembly.c
> > +++ b/net/ipv6
On Mon, Jun 03, 2019 at 02:30:06PM +0200, Pablo Neira Ayuso wrote:
> > I developed this patchset to suit my employer needs and there is no plan
> > for a follow up patchset, however I think non-zero offset might be useful
> > in the future for tunneled packets.
>
> For tunneled traffic, we can sto
local
delivery (David Ahern).
Signed-off-by: Stephen Suryaputra
---
include/net/addrconf.h | 16
net/ipv6/icmp.c| 17 +++--
net/ipv6/reassembly.c | 4 ++--
3 files changed, 29 insertions(+), 8 deletions(-)
diff --git a/include/net/addrconf.h b/include/net/addr
ned-off-by: Stephen Suryaputra
---
include/net/inet_sock.h | 2 +-
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/ipv4/ip_options.c| 2 +
net/netfilter/nft_exthdr.c | 133 +++
4 files changed, 138 insertions(+)
On Mon, Jun 10, 2019 at 02:28:10PM -0700, David Miller wrote:
> From: Govindarajulu Varadarajan
> Date: Mon, 10 Jun 2019 07:27:02 -0700
>
> > When stack receives pkt: [802.1P vlan 0][802.1AD vlan 100][IPv4],
> > vlan_do_receive() returns false if it does not find vlan_dev. Later
> > __netif_recei
->rt_gw6;
+ new_rt->rt_gateway = rt->rt_gateway;
INIT_LIST_HEAD(&new_rt->rt_uncached);
new_rt->dst.flags |= DST_HOST;
Thanks.
- Forwarded message from Sasha Levin -
On Mon, Jul 29, 2019 at 05:56:27PM +0200, Greg KH wrote:
On Mon, Nov 30, 2020 at 06:15:06PM -0700, David Ahern wrote:
> On 11/23/20 5:23 PM, Stephen Suryaputra wrote:
> > Hi,
> >
> > I'm running into a problem with lladdr pinging all-host mcast all nodes
> > addr. The ping intially works but after cycling the interface
On Tue, Dec 01, 2020 at 06:06:53PM -0700, David Ahern wrote:
> >>
> >> With your patch does ping from both hosts work?
> >
> > Yes, it does.
> >
> >> What about all of the tests in
> >> tools/testing/selftests/net/fcnal-test.sh? specifically curious about
> >> the 'LLA to GUA' tests (link local t
addr indicates that it
is strict.
Add the reproducer as a use case in self test script fcnal-test.sh.
Signed-off-by: Stephen Suryaputra
---
drivers/net/vrf.c | 10 ++-
tools/testing/selftests/net/fcnal-test.sh | 95 +++
2 files changed, 103 insertions
On Fri, Dec 04, 2020 at 03:37:48PM -0800, Jakub Kicinski wrote:
> On Fri, 4 Dec 2020 09:32:04 -0700 David Ahern wrote:
> > On 12/3/20 8:06 PM, Stephen Suryaputra wrote:
> > > Depending on the order of the routes to fe80::/64 are installed on the
> > > VRF table, the N
Hi,
I'm running into a problem with lladdr pinging all-host mcast all nodes
addr. The ping intially works but after cycling the interface that
receives the ping, the echo request packet causes a neigh solicitation
being sent on a different interface.
To repro, I included the attached namespace sc
On Tue, Nov 24, 2020 at 01:43:54PM -0700, David Ahern wrote:
> On 11/23/20 5:23 PM, Stephen Suryaputra wrote:
> > Hi,
> >
> > I'm running into a problem with lladdr pinging all-host mcast all nodes
> > addr. The ping intially works but after cycling the interface
On Tue, Nov 24, 2020 at 03:57:48PM -0500, Stephen Suryaputra wrote:
> On Tue, Nov 24, 2020 at 01:43:54PM -0700, David Ahern wrote:
> > On 11/23/20 5:23 PM, Stephen Suryaputra wrote:
> > > Hi,
> > >
> > > I'm running into a problem with lladdr pinging all-
Greetings,
We noticed that the commit was reverted after upgrading to v4.14.200.
Any reason why it is reverted? We rely on it.
Thanks,
Stephen.
On Sun, Oct 18, 2020 at 09:27:16AM -0600, David Ahern wrote:
> On 10/18/20 7:24 AM, Stephen Suryaputra wrote:
> > Greetings,
> >
> > We noticed that the commit was reverted after upgrading to v4.14.200.
> > Any reason why it is reverted? We rely on it.
> >
On Mon, Oct 19, 2020 at 01:24:26PM +0100, Mike Manning wrote:
> To clarify, the regression in 4.14 only occurred when the commit was
> used in isolation, not when applied with the rest of the series.
>
> It may be worth mentioning that we had been extensively using the series
> in our local fork w
s already supported in some version. Please guide.
>
> I am not aware of anyone working on adding more stats for IPv6. Stephen
> Suryaputra attempted to add stats a few years back as I believe the
> resistance was around memory and cpu usage for stats in the hot path.
Sorry that
atsInFrags
> jnxIpv6StatsInEsps
> jnxIpv6StatsInAhs
> jnxIpv6StatsInIcmpv6s
> jnxIpv6StatsInNoNhs
> jnxIpv6StatsInDestOpts
> jnxIpv6StatsInIsoIps
> jnxIpv6StatsInOspfs
> jnxIpv6StatsInEths
> jnxIpv6StatsInPims
>
> Regards,
> Girish kumar S
>
>
>
> Juniper Busin
Hello,
Reading the RFC 4301, it seems that security association search can hit
based on the SPI alone. But, __xfrm_state_lookup() matches the dest IP
address as well:
static struct xfrm_state *__xfrm_state_lookup(struct net *net, u32 mark,
const xfrm_
DEMUX must
be compiled as built-in in the kernel.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 4 ++
net/ipv4/route.c | 75 ++
net/ipv4/sysctl_net_ipv4.c | 2 +-
3 files changed, 70 insertions(+), 11
ned-off-by: Stephen Suryaputra
---
include/net/inet_sock.h | 2 +-
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/ipv4/ip_options.c| 2 +
net/netfilter/nft_exthdr.c | 133 +++
4 files changed, 138 insertions(+)
On Tue, Jun 11, 2019 at 10:29:56AM +0300, Nikolay Aleksandrov wrote:
>
> Have you considered using the flow dissector and doing something similar to
> the bonding ?
> It does a full flow dissect via skb_flow_dissect_flow_keys() and uses
> whatever headers
> it needs, but that will support any tu
that. But
anything else supported by flow dissection should work.
v2: Use skb_flow_dissect_flow_keys() directly so that other tunneling
can be supported through flow dissection (per Nikolay Aleksandrov).
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 1 +
net/ip
n (Nikolay Alexandrov).
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 1 +
net/ipv4/route.c | 17 +
net/ipv4/sysctl_net_ipv4.c | 2 +-
3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/Documentation/net
On Mon, Jun 17, 2019 at 09:53:06AM -0600, David Ahern wrote:
> On 6/17/19 8:39 AM, Ido Schimmel wrote:
> >
> > Do you plan to add IPv6 support? Would be good to have the same features
> > in both stacks.
>
> we really should be mandating equal support for all new changes like this.
>
I will add
On Tue, Jun 18, 2019 at 05:31:12PM +0200, Pablo Neira Ayuso wrote:
> > +{
> > + unsigned char optbuf[sizeof(struct ip_options) + 41];
>
> In other parts of the kernel this is + 40:
>
> net/ipv4/cipso_ipv4.c: unsigned char optbuf[sizeof(struct ip_options) + 40];
>
> here it is + 41.
>
> ...
>
On Wed, Jun 19, 2019 at 07:18:32PM +0200, Pablo Neira Ayuso wrote:
>
> Rules with this options will load fine:
>
> ip option eol type 1
> ip option noop type 1
> ip option sec type 1
> ip option timestamp type 1
> ip option rr type 1
> ip option sid type 1
>
> However, they will not ever match I
low ipv6_find_hdr() and just do what are
needed to support source-route, record route and router alert (per
Pablo Neira Ayuso). Fix bugs that are introduced while addressing
review comments.
Signed-off-by: Stephen Suryaputra
---
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/i
ira Ayuso).
Signed-off-by: Stephen Suryaputra
---
include/uapi/linux/netfilter/nf_tables.h | 2 +
net/ipv4/ip_options.c| 1 +
net/netfilter/nft_exthdr.c | 133 +++
3 files changed, 136 insertions(+)
diff --git a/include/uapi/linux/netfil
.
Signed-off-by: Stephen Suryaputra
---
net/ipv4/raw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c
index 0b8e06ca75d6..40a6abbc9cf6 100644
--- a/net/ipv4/raw.c
+++ b/net/ipv4/raw.c
@@ -197,7 +197,7 @@ static int raw_v4_input(struct sk_buff *s
rns rt_iif instead of skb_iif (the VRF netdev). Hence, the
socket lookup fails.
Signed-off-by: Stephen Suryaputra
---
include/net/route.h | 1 +
net/ipv4/ip_output.c | 25 -
net/ipv4/route.c | 33 +
3 files changed, 58 insertions(+)
On Tue, Jun 25, 2019 at 4:22 PM David Ahern wrote:
>
> On 6/25/19 4:33 AM, Stephen Suryaputra wrote:
> > @@ -363,10 +376,20 @@ int ip_mc_output(struct net *net, struct sock *sk,
> > struct sk_buff *skb)
> > #endif
> > ) {
> >
instead of skb_iif. Hence, the lookup fails.
v2: Make it non vrf specific (David Ahern). Reword the changelog to
reflect it.
Signed-off-by: Stephen Suryaputra
---
include/net/route.h | 1 +
net/ipv4/ip_output.c | 12
net/ipv4/route.c | 33 +
3
existing per interface IPv6 stats aren't affected
when the option isn't enabled.
- Restore the order of calling ipv4_proc_init().
Signed-off-by: Stephen Suryaputra
---
drivers/net/vrf.c | 2 +-
include/linux/inetdevice.h | 22 ++
include/net/icmp.h
a. It also includes kselftest scripts to test the use cases.
Stephen Suryaputra (3):
ipv4: Multipath hashing on inner L3 needs to consider inner IPv6 pkts
ipv6: Support multipath hashing on inner IP pkts
selftests: forwarding: Test multipath hashing on inner IP pkts for GRE
tunnel
Doc
Make the same support as commit 363887a2cdfe ("ipv4: Support multipath
hashing on inner IP pkts for GRE tunnel") for outer IPv6. The hashing
considers both IPv4 and IPv6 inner pkts.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 1 +
net/ip
addresses.
Fixes: 363887a2cdfe ("ipv4: Support multipath hashing on inner IP pkts for GRE
tunnel")
Signed-off-by: Stephen Suryaputra
---
net/ipv4/route.c | 21 +
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.
IPv6
- IPv6 over GRE over IPv6
Signed-off-by: Stephen Suryaputra
---
.../net/forwarding/gre_inner_v4_multipath.sh | 305 +
.../net/forwarding/gre_inner_v6_multipath.sh | 306 ++
.../forwarding/ip6gre_inner_v4_multipath.sh | 304
a. It also includes kselftest scripts to test the use cases.
v2: Clarify the commit messages in the commits in this series to use the
term tunneled by IPv4 GRE or by IPv6 GRE so that it's clear which
one is the inner and which one is the outer (per David Miller).
Stephen Suryaputra (3):
outer
- IPv6 inner, IPv6 outer
Reviewed-by: Ido Schimmel
Signed-off-by: Stephen Suryaputra
---
.../net/forwarding/gre_inner_v4_multipath.sh | 305 +
.../net/forwarding/gre_inner_v6_multipath.sh | 306 ++
.../forwarding/ip6gre_inner_v4_multipath.sh | 304
Make the same support as commit 363887a2cdfe ("ipv4: Support multipath
hashing on inner IP pkts for GRE tunnel") for outer IPv6. The hashing
considers both IPv4 and IPv6 pkts when they are tunneled by IPv6 GRE.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysct
inner IPv6 addresses.
Fixes: 363887a2cdfe ("ipv4: Support multipath hashing on inner IP pkts for GRE
tunnel")
Signed-off-by: Stephen Suryaputra
---
net/ipv4/route.c | 21 +
1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.
IPv4 has icmp_echo_ignore_broadcast to prevent responding to broadcast pings.
IPv6 needs a similar mechanism.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 5 +
include/net/netns/ipv6.h | 1 +
include/uapi/linux/sysctl.h| 3
IPv4 has icmp_echo_ignore_broadcast to prevent responding to broadcast pings.
IPv6 needs a similar mechanism.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 5 +
include/net/netns/ipv6.h | 1 +
include/uapi/linux/sysctl.h| 3
_RATELIMIT,"ratelimit" },
{}
};
I will fix that as well.
Thanks.
On Tue, Mar 19, 2019 at 9:10 AM Eric Dumazet wrote:
>
>
>
> On 03/19/2019 05:45 AM, Stephen Suryaputra wrote:
> > IPv4 has icmp_echo_ignore_broadcast to prevent responding to broadcast
> &g
IPv4 has icmp_echo_ignore_broadcast to prevent responding to broadcast pings.
IPv6 needs a similar mechanism.
v1->v2:
- Remove NET_IPV6_ICMP_ECHO_IGNORE_MULTICAST.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 5 +
include/net/netns/ipv
In addition to icmp_echo_ignore_multicast, there is a need to also
prevent responding to pings to anycast addresses for security.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 5 +
include/net/netns/ipv6.h | 1 +
net/ipv6/af_inet6.c
Just a comment: on the system that I work on, the kernel closely
matches the hardware data plane, so the kernel has both roles as data
and control plane.
Whatever routes are installed on the hardware are installed also in the kernel.
On Sun, Mar 24, 2019 at 11:27 PM Alexei Starovoitov
wrote:
>
>
and reset the skb dst to
force a fresh lookup.
Signed-off-by: Stephen Suryaputra
---
net/ipv6/route.c | 22 --
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index e8c73b7782cd..3b026a310b3e 100644
--- a/net/ipv6/route.c
+++ b/
and reset the skb dst to
force a fresh lookup.
v2: Fix typo of destination address in the repro steps.
Signed-off-by: Stephen Suryaputra
---
net/ipv6/route.c | 22 --
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
in
and reset the skb dst to
force a fresh lookup.
v2: Fix typo of destination address in the repro steps.
v3: Simplify the loopback check (per David Ahern) and use reverse
Christmas tree format (per David Miller).
Signed-off-by: Stephen Suryaputra
Reviewed-by: David Ahern
Tested-by: David Ah
case.
Signed-off-by: Stephen Suryaputra
---
net/ipv6/sit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c
index b2109b74857d..971d60bf9640 100644
--- a/net/ipv6/sit.c
+++ b/net/ipv6/sit.c
@@ -1084,7 +1084,7 @@ static void ipip6_tunnel_bind_dev(s
On Mon, May 06, 2019 at 01:54:16PM -0600, David Ahern wrote:
> On 5/6/19 1:00 PM, Stephen Suryaputra wrote:
> > VRF netdev mtu isn't typically set and have an mtu of 65536. When the
> > link of a tunnel is set, the tunnel mtu is changed from 1480 to the link
> > mtu m
This is enhanced from the proposed patch by Igor Maravic in 2011 to
support per interface IPv4 stats. The enhancement is mainly adding a
kernel configuration option CONFIG_IP_IFSTATS_TABLE.
Signed-off-by: Stephen Suryaputra
---
drivers/net/vrf.c | 2 +-
include/linux
t 12:14 PM, Stephen Hemminger
wrote:
> On Tue, 10 Apr 2018 22:55:35 -0400
> Stephen Suryaputra wrote:
>
>> This is enhanced from the proposed patch by Igor Maravic in 2011 to
>> support per interface IPv4 stats. The enhancement is mainly adding a
>> kernel configu
Thanks for the feedbacks. Please see the detail below:
On Wed, Apr 11, 2018 at 3:37 PM, Julian Anastasov wrote:
[snip]
>> - __IP_INC_STATS(net, IPSTATS_MIB_INHDRERRORS);
>> + __IP_INC_STATS(net, skb_dst(skb)->dev, IPSTATS_MIB_INHDRERRORS);
>
> May be skb->dev if we want to account
The statistics such as InHdrErrors should be counted on the ingress
netdev rather than on the dev from the dst, which is the egress.
Signed-off-by: Stephen Suryaputra
---
include/net/addrconf.h | 14 +++
net/ipv6/exthdrs.c | 55
Greetings,
We found that ICMP destination unreachable isn't sent if VRF
forwarding isn't configured, i.e.
/proc/sys/net/ipv4/conf//forwarding isn't set. The
relevant code is:
static int ip_error(struct sk_buff *skb)
{
...
// in_dev is the vrf net_device
if (!IN_DEV_FORWARD(in_dev)
n.
On Fri, Feb 23, 2018 at 3:58 PM, David Ahern wrote:
> On 2/23/18 10:49 AM, Stephen Suryaputra wrote:
>> Greetings,
>>
>> We found that ICMP destination unreachable isn't sent if VRF
>> forwarding isn't configured, i.e.
>> /proc/sys/net/ipv4/conf//fo
When ip_error() is called the device is the l3mdev master instead of the
original device. So the forwarding check should be on the original one.
Signed-off-by: Stephen Suryaputra
---
net/ipv4/route.c | 9 -
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/route.c b
When ip_error() is called the device is the l3mdev master instead of the
original device. So the forwarding check should be on the original one.
Changes from v1:
- Only need to reset the device on which __in_dev_get_rcu() is done (per
David Ahern).
Signed-off-by: Stephen Suryaputra
---
net
is disabled. */
if (!in_dev)
goto out;
On Wed, Feb 28, 2018 at 10:49 AM, David Ahern wrote:
> On 2/28/18 7:46 AM, Stephen Suryaputra wrote:
>> When ip_error() is called the device is the l3mdev master instead of the
>> original device. So the forwarding check should be on the
the device on which __in_dev_get_rcu() is done (per
David Ahern).
Signed-off-by: Stephen Suryaputra
---
net/ipv4/route.c | 11 ++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index a4f44d8..9a29225 100644
--- a/net/ipv4/route.c
+++ b
Use the right device to determine if redirect should be sent especially
when using vrf. Same as well as when sending the redirect.
Signed-off-by: Stephen Suryaputra
---
net/ipv6/ip6_output.c | 3 ++-
net/ipv6/ndisc.c | 6 ++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a
Configuration check to accept source route IP options should be made on the
incoming netdevice when the skb->dev is an l3mdev master.
Signed-off-by: Stephen Suryaputra
---
net/ipv4/ip_input.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c
in
Hit send too soon. There is another related problem that I think needs fixing.
On Wed, Mar 27, 2019 at 3:55 PM Stephen Suryaputra wrote:
>
> Configuration check to accept source route IP options should be made on the
> incoming netdevice when the skb->dev is an l3mdev master.
>
Configuration check to accept source route IP options should be made on
the incoming netdevice when the skb->dev is an l3mdev master. The route
lookup for the source route next hop also needs the incoming netdev.
Signed-off-by: Stephen Suryaputra
---
net/ipv4/ip_input.c | 3 +++
net/i
Support use cases where source routing is allowed but only loose or
strict. Add source_router_filter netdev configuration to be used
when allow_source_router is set to control which types can be processed.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 7
David
Ahern).
Signed-off-by: Stephen Suryaputra
---
include/net/ip.h | 2 +-
net/ipv4/ip_input.c | 7 +++
net/ipv4/ip_options.c | 4 ++--
3 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/include/net/ip.h b/include/net/ip.h
index be3cad9c2e4c..583526aad1d0 100644
--- a/inclu
Recompile IP options since IPCB may not be valid anymore when
ipv4_link_failure is called from arp_error_report.
Refer to the commit 3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error")
and the commit before that (9ef6b42ad6fd) for a similar issue.
Signed-off-by: Stephen Suryaputra
0x1d0 kernel/softirq.c:414
> exiting_irq arch/x86/include/asm/apic.h:536 [inline]
> smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
> apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
>
> Fixes: ed0de45a1008 ("ipv4: recompile ip options in
rate limit informational messages. Thus,
I removed the current hard-coded behavior of icmpv6_mask_allow() that
doesn't rate limit informational messages.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 13 +-
include/net/netns/ipv6.h | 2 +
move
unnecessary conditional before kfree().
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 17 -
include/net/netns/ipv6.h | 2 ++
include/uapi/linux/icmpv6.h| 4
kernel/sysctl.c| 6 +
On Wed, Apr 17, 2019 at 10:46:47AM -0700, David Miller wrote:
> From: Stephen Suryaputra
> Date: Mon, 15 Apr 2019 20:31:57 -0400
>
> > @@ -850,6 +850,14 @@ static int __net_init inet6_net_init(struct net *net)
> > net->ipv6.sysctl.icmpv6_echo_ignore_al
move
unnecessary conditional before kfree().
v3: Inline the bitmap instead of dynamically allocated. Still is a
pointer to it is needed because of the way proc_do_large_bitmap work.
Signed-off-by: Stephen Suryaputra
---
Documentation/networking/ip-sysctl.txt | 17 +-
incl
lter: nf_tables: add support for matching IPv4
options")
Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check")
Signed-off-by: Stephen Suryaputra
---
net/netfilter/nft_exthdr.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/net
lorian Westphal). Also to avoid the
warnings reported by kernel test robot.
Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4
options")
Fixes: c078ca3b0c5b ("netfilter: nft_exthdr: Add support for existence check")
Signed-off-by: Stephen Suryaputra
Hi,
We have a use case where there are multiple user VRFs being leak routed
to and from tunnels that are on the core VRF. Traffic from user VRF to a
tunnel can be done the normal way by specifying the netdev directly on
the route entry on the user VRF route table:
ip route add via dev
But tra
On Tue, Sep 22, 2020 at 09:39:36AM -0600, David Ahern wrote:
> >
> > We have a use case where there are multiple user VRFs being leak routed
> > to and from tunnels that are on the core VRF. Traffic from user VRF to a
> > tunnel can be done the normal way by specifying the netdev directly on
> > t
On Wed, Sep 23, 2020 at 07:47:16PM -0600, David Ahern wrote:
> If I remove the fib rules and add VRF route leaking from core to tenant
> it works. Why is that not an option? Overlapping tenant addresses?
Exactly.
> One thought to get around it is adding support for a new FIB rule type
> -- say l3
FLOW_LABEL_MAX;
> @@ -150,7 +151,7 @@ static struct ctl_table ipv6_table_template[] = {
> .mode = 0644,
> .proc_handler = proc_rt6_multipath_hash_policy,
> .extra1 = SYSCTL_ZERO,
> - .extra2 = SYSCTL_ONE,
> + .extra2 = &two,
> },
> {
> .procname = "seg6_flowlabel",
> --
> 2.26.2
>
Thanks for catching.
Reviewed-by: Stephen Suryaputra
On Thu, Sep 24, 2020 at 08:41:54AM -0600, David Ahern wrote:
> > We have multiple options on the table right now. One that can be done
> > without writing any code is to use an nft prerouting rule to mark
> > the packet with iif equals the tunnel and use ip rule fwmark to lookup
> > the right table
On Mon, Dec 10, 2018 at 11:20 AM Florian Westphal wrote:
> +#ifdef CONFIG_SKB_EXTENSIONS
> +enum skb_ext_id {
> +#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
> + SKB_EXT_BRIDGE_NF,
> +#endif
> + SKB_EXT_NUM, /* must be last */
> +};
How about when proprietary extensions is desired? There
Separate IPv6 ifstats into the ones that are hit on fast path and
the ones that aren't. The ones that are not can be removed as needed
using sysctls.
Signed-off-by: Stephen Suryaputra
---
include/linux/ipv6.h | 3 +
include/net/if_inet6.h| 3 +-
include/net/ipv6.h
h that but it enables all but 6 counters be optional.
Those optional counters however are still enabled by default to preserve the
current behavior.
Changes from v1:
- More elaborate changelog (per Eric Dumazet)
Signed-off-by: Stephen Suryaputra
---
include/linux/ipv6.h | 3 +
include/ne
On Thu, Oct 4, 2018 at 4:42 PM Eric Dumazet wrote:
>
> How have you decided some counters can be 'slow' and other 'fast' ?
>
> I can tell you I see many ultra-fast candidates in your 'slow' list :/
Based on what others have categorized based on what's in the code and
IMHO they make sense:
enum
{
Greetings,
I'm writing this to probe if there has been thoughts or efforts in
allowing sub-second TCP keep alive interval? One application is for TCP
connections between IP hosts connected by an internal backplane where a
faster detection is a necessity and the increased traffic can be
accommodate
Hi, All,
I noticed through code inspection that ICMP redirects behavior is
different after commit 5943634fc5592037db0693b261f7f4bea6bb9457.
In v2.6 kernel, it used to be that ip_rt_redirect() calls
arp_bind_neighbour() which returns 0 and then the state of the neigh for
the new_gw is checked. If
d
since the old_gw is the one that sends the ICMP redirect message. Then the
new_gw is assigned to fib_nh_exception. The problem is: the new_gw ARP may
never gets resolved and the traffic is blackholed.
Signed-off-by: Stephen Suryaputra Lin
---
net/ipv4/route.c | 2 ++
1 file changed, 2 insert
d
since the old_gw is the one that sends the ICMP redirect message. Then the
new_gw is assigned to fib_nh_exception. The problem is: the new_gw ARP may
never gets resolved and the traffic is blackholed.
Changes from v1:
- use __ipv4_neigh_lookup instead (per Eric Dumazet).
Signed-off-by: S
I did the temporary clearing/restoring rt_gateway following the deleted
function check_peer_redir(). But, looking again at the function the
assigning of peer->redirect_learned.a4 to rt_gateway can be permanent
because restoring to the old_gw only happens on errors.
I have updated the patch to use
eigh lookup.
Changes from v1:
- use __ipv4_neigh_lookup instead (per Eric Dumazet).
Fixes: 5943634fc559 ("ipv4: Maintain redirect and PMTU info in struct rtable
again.")
Signed-off-by: Stephen Suryaputra Lin
---
net/ipv4/route.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
96 matches
Mail list logo
