12 Oct, 2020
1 commit
-
Make two upfront calls to pskb_may_pull() to linearize the network and
transport header.

Signed-off-by: Pablo Neira Ayuso
03 Aug, 2020
1 commit
-
On heavily loaded systems the GC can take time to go over all existing
conns and reset their timeout. At that time other calls like from
nf_conntrack_in() can call nf_ct_is_expired() and see the conn as
expired. To fix this when we set the offload bit we should also reset
the timeout instead of counting on GC to finish first iteration over
all conns before the initial timeout.

Fixes: 90964016e5d3 ("netfilter: nf_conntrack: add IPS_OFFLOAD status bit")
Signed-off-by: Roi Dayan
Signed-off-by: Pablo Neira Ayuso
25 Jun, 2020
1 commit
-
The user tool modinfo is used to get information on kernel modules, including a
description where it is available.

This patch adds a brief MODULE_DESCRIPTION to netfilter kernel modules
(descriptions taken from Kconfig file or code comments).

Signed-off-by: Rob Gill
Signed-off-by: Pablo Neira Ayuso
16 Jun, 2020
1 commit
-
Currently, nf_flow_table_offload_add/del_cb are exported by the nf_flow_table
module, therefore modules using them will have a hard dependency
on nf_flow_table and will require loading it all the time.

This can lead to an unnecessary overhead on systems that do not
use this API.

To relax the hard dependency between the modules, we unexport these
functions and make them static inline.

Fixes: 978703f42549 ("netfilter: flowtable: Add API for registering to flow table events")
Signed-off-by: Alaa Hleihel
Reviewed-by: Roi Dayan
Reviewed-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
02 Jun, 2020
1 commit
-
This function schedules the flow teardown state and it forces a gc run.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
12 May, 2020
1 commit
-
If the flow timer expires, the gc sets on the NF_FLOW_TEARDOWN flag.
Otherwise, the flowtable software path might race to refresh the
timeout, leaving the state machine in an inconsistent state.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Reported-by: Paul Blakey
Reviewed-by: Roi Dayan
Signed-off-by: Pablo Neira Ayuso
15 Apr, 2020
1 commit
-
Free block_cb memory when asked to be deleted.
Fixes: 978703f42549 ("netfilter: flowtable: Add API for registering to flow table events")
Signed-off-by: Roi Dayan
Reviewed-by: Paul Blakey
Reviewed-by: Oz Shlomo
Signed-off-by: Pablo Neira Ayuso
31 Mar, 2020
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for net-next:

1) Add support to specify a stateful expression in set definitions,
this allows users to specify e.g. counters per set elements.

2) Flowtable software counter support.

3) Flowtable hardware offload counter support, from wenxu.

4) Parallelize flowtable hardware offload requests, from Paul Blakey.
This includes a patch to add one work entry per offload command.

5) Several patches to rework nf_queue refcount handling, from Florian
Westphal.

6) A few fixes for the flowtable tunnel offload: Fix crash if tunneling
information is missing and set up indirect flow block as TC_SETUP_FT,
patch from wenxu.

7) Stricter netlink attribute sanity check on filters, from Romain Bellan
and Florent Fourcot.

8) Annotations to make sparse happy, from Jules Irenge.

9) Improve icmp errors in debugging information, from Haishuang Yan.

10) Fix warning in IPVS icmp error debugging, from Haishuang Yan.

11) Fix endianness issue in tcp extension header, from Sergey Marinkevich.
====================

Signed-off-by: David S. Miller
28 Mar, 2020
1 commit
-
Currently flow offload threads are synchronized by the flow block mutex.
Use rw lock instead to increase flow insertion (read) concurrency.

Signed-off-by: Paul Blakey
Reviewed-by: Oz Shlomo
Signed-off-by: Pablo Neira Ayuso
26 Mar, 2020
1 commit
-
Overlapping header include additions in macsec.c

A bug fix in 'net' overlapping with the removal of 'version'
string in ena_netdev.c

Overlapping test additions in selftests Makefile

Overlapping PCI ID table adjustments in iwlwifi driver.

Signed-off-by: David S. Miller
20 Mar, 2020
1 commit
-
Freeing a flowtable with offloaded flows, the flows are deleted from
hardware but are not deleted from the flow table, leaking them,
and leaving their offload bit on.

Add a second pass of the disabled gc to delete these flows from
the flow table before freeing it.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Paul Blakey
Signed-off-by: Pablo Neira Ayuso
13 Mar, 2020
2 commits
-
If a driver deleted an FT entry, a FT failed to offload, or registered to the
flow table after flows were already added, we still get packets in
software.

For those packets, while restoring the ct state from the flow table
entry, refresh its hardware offload.

Signed-off-by: Paul Blakey
Reviewed-by: Jiri Pirko
Signed-off-by: David S. Miller
-
Let drivers add their cb allowing them to receive flow offload events
of type TC_SETUP_CLSFLOWER (REPLACE/DEL/STATS) for flows managed by the
flow table.

Signed-off-by: Paul Blakey
Reviewed-by: Jiri Pirko
Signed-off-by: David S. Miller
01 Feb, 2020
2 commits
-
If entries exist when freeing a hardware offload enabled table,
we queue work for hardware while running the gc iteration.

Execute it (flush) after queueing.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Paul Blakey
Signed-off-by: Pablo Neira Ayuso
-
On netdev down event, nf_flow_table_cleanup() is called for the relevant
device and it cleans all the tables that are on that device.
If one of those tables has hardware offload flag,
nf_flow_table_iterate_cleanup flushes hardware and then runs the gc.
But the gc can queue more hardware work, which will take time to execute.

Instead first add the work, then flush it, to execute it now.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Paul Blakey
Signed-off-by: Pablo Neira Ayuso
16 Jan, 2020
5 commits
-
If nf_flow_offload_add() fails to add the flow to hardware, then the
NF_FLOW_HW_REFRESH flag bit is set and the flow remains in the flowtable
software path.

If flowtable hardware offload is enabled, this patch enqueues a new
request to offload this flow to hardware.

Signed-off-by: Pablo Neira Ayuso
-
This function checks for the NF_FLOWTABLE_HW_OFFLOAD flag, meaning that
the flowtable hardware offload is enabled.

Signed-off-by: Pablo Neira Ayuso
-
Originally, all flow flag bits were set on only from the workqueue. With
the introduction of the flow teardown state and hardware offload this is
no longer true. Let's be safe and use atomic bitwise operations to
operate on flow flags.

Fixes: 59c466dd68e7 ("netfilter: nf_flow_table: add a new flow state for tearing down offloading")
Signed-off-by: Pablo Neira Ayuso
-
The dying bit removes the conntrack entry if the netdev that owns this
flow is going down. Instead, use the teardown mechanism to push back the
flow to conntrack to let the classic software path decide what to do
with it.

Signed-off-by: Pablo Neira Ayuso
-
Do not fetch statistics if the flow has expired since it might not be in
hardware anymore. After this update, remove the FLOW_OFFLOAD_HW_DYING
check from nf_flow_offload_stats() since this flag is never set on.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso
Acked-by: wenxu
06 Jan, 2020
1 commit
-
This patch adds nf_flowtable_time_stamp and updates the existing code to
use it.

This patch is also implicitly fixing up hardware statistic fetching via
nf_flow_offload_stats() where casting to u32 is missing. Use
nf_flow_timeout_delta() to fix this.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso
Acked-by: wenxu
16 Nov, 2019
1 commit
-
The ct object is already in the flow_offload structure, remove it.
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
13 Nov, 2019
4 commits
-
This patch adds the dataplane hardware offload to the flowtable
infrastructure. Three new flags represent the hardware state of this
flow:

* FLOW_OFFLOAD_HW: This flow entry resides in the hardware.
* FLOW_OFFLOAD_HW_DYING: This flow entry has been scheduled to be removed
from hardware. This might be triggered by either packet path (via TCP
RST/FIN packet) or via aging.
* FLOW_OFFLOAD_HW_DEAD: This flow entry has already been removed from
the hardware, the software garbage collector can remove it from the
software flowtable.

This patch supports:

* IPv4 only.
* Aging via FLOW_CLS_STATS, no packet and byte counter synchronization
at this stage.

This patch also adds the action callback that specifies how to convert
the flow entry into the flow_rule object that is passed to the driver.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
-
This patch adds the infrastructure to support flow entry types.
The initial type is NF_FLOW_OFFLOAD_ROUTE that stores the routing
information into the flow entry to define a fastpath for the classic
forwarding path.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
-
Move rcu_head to struct flow_offload, then remove the flow_offload_entry
structure definition.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
-
Simplify this code by storing the pointer to the conntrack object in the
flow_offload structure.

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
23 Oct, 2019
1 commit
-
Another garbage collector might remove an entry not fully set up yet.

[570953.958293] RIP: 0010:memcmp+0x9/0x50
[...]
[570953.958567] flow_offload_hash_cmp+0x1e/0x30 [nf_flow_table]
[570953.958585] flow_offload_lookup+0x8c/0x110 [nf_flow_table]
[570953.958606] nf_flow_offload_ip_hook+0x135/0xb30 [nf_flow_table]
[570953.958624] nf_flow_offload_inet_hook+0x35/0x37 [nf_flow_table_inet]
[570953.958646] nf_hook_slow+0x3c/0xb0
[570953.958664] __netif_receive_skb_core+0x90f/0xb10
[570953.958678] ? ip_rcv_finish+0x82/0xa0
[570953.958692] __netif_receive_skb_one_core+0x3b/0x80
[570953.958711] __netif_receive_skb+0x18/0x60
[570953.958727] netif_receive_skb_internal+0x45/0xf0
[570953.958741] napi_gro_receive+0xcd/0xf0
[570953.958764] ixgbe_clean_rx_irq+0x432/0xe00 [ixgbe]
[570953.958782] ixgbe_poll+0x27b/0x700 [ixgbe]
[570953.958796] net_rx_action+0x284/0x3c0
[570953.958817] __do_softirq+0xcc/0x27c
[570953.959464] irq_exit+0xe8/0x100
[570953.960097] do_IRQ+0x59/0xe0
[570953.960734] common_interrupt+0xf/0xf

Fixes: 43c8f131184f ("netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast")
Signed-off-by: Pablo Neira Ayuso
15 Sep, 2019
1 commit
-
Minor overlapping changes in the btusb and ixgbe drivers.
Signed-off-by: David S. Miller
13 Sep, 2019
1 commit
-
Include some headers in files which require them, and remove others
which are not required.

Signed-off-by: Jeremy Sowden
Signed-off-by: Pablo Neira Ayuso
04 Sep, 2019
1 commit
-
Set up the default timeout for this new entry otherwise the garbage
collector might quickly remove it right after the flowtable insertion.

Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure")
Signed-off-by: Pablo Neira Ayuso
09 Aug, 2019
2 commits
-
Flows that are in teardown state (due to RST / FIN TCP packet) still
have their offload flag set on. Hence, the conntrack garbage collector
may race to undo the timeout adjustment that the fixup routine performs,
leaving the conntrack entry in place with the internal offload timeout
(one day).

Update teardown flow state to ESTABLISHED and set tracking to liberal,
then once the offload bit is cleared, adjust timeout if it is more than
the default fixup timeout (conntrack might already have set a lower
timeout from the packet path).

Fixes: da5984e51063 ("netfilter: nf_flow_table: add support for sending flows back to the slow path")
Signed-off-by: Pablo Neira Ayuso
-
Update conntrack entry to pick up expired flows, otherwise the conntrack
entry gets stuck with the internal offload timeout (one day). The TCP
state also needs to be adjusted to ESTABLISHED state and tracking is set
to liberal mode in order to give conntrack a chance to pick up the
expired flow.

Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure")
Signed-off-by: Pablo Neira Ayuso
01 Jun, 2019
1 commit
-
The oifidx in the struct flow_offload_tuple is not used anymore.
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
21 May, 2019
1 commit
-
Add SPDX license identifiers to all files which:

- Have no license information of any form
- Have MODULE_LICENSE("GPL*") inside which was used in the initial
scan/conversion to ignore the file

These files fall under the project license, GPL v2 only. The resulting SPDX
license identifier is:

GPL-2.0-only

Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman
06 May, 2019
2 commits
-
Conntrack entries can be deleted by the masquerade module. In that case,
flow offload should be deleted too, but GC and data-path of flow offload
do not check for conntrack status bits, hence flow offload entries will
be removed only by the timeout.

Update garbage collector and data-path to check for ct->status. If
IPS_DYING_BIT is set, garbage collector removes flow offload entries and
data-path routine ignores them.

Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
-
rhashtable_insert_fast() may return an error value when memory
allocation fails, but flow_offload_add() does not check for errors.
This patch just adds missing error checking.

Fixes: ac2a66665e23 ("netfilter: add generic flow table infrastructure")
Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
29 Jan, 2019
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for your net-next tree:

1) Introduce a hashtable to speed up object lookups, from Florian Westphal.

2) Make direct calls to built-in extension, also from Florian.

3) Call helper before confirming the conntrack as it used to be originally,
from Florian.

4) Call request_module() to autoload br_netfilter when physdev is used
to relax the dependency, also from Florian.

5) Allow to insert rules at a given position ID that is internal to the
batch, from Phil Sutter.

6) Several patches to replace conntrack indirections by direct calls,
and to reduce modularization, from Florian. This also includes
several follow up patches to deal with minor fallout from this
rework.

7) Use RCU from conntrack gre helper, from Florian.

8) GRE conntrack module becomes built-in into nf_conntrack, from Florian.

9) Replace nf_ct_invert_tuplepr() by calls to nf_ct_invert_tuple(),
from Florian.

10) Unify sysctl handling at the core of nf_conntrack, from Florian.

11) Provide modparam to register conntrack hooks.

12) Allow to match on the interface kind string, from wenxu.

13) Remove several exported symbols, not required anymore now after
a bit of de-modularization work has been done, from Florian.

14) Remove built-in map support in the hash extension, this can be
done with the existing userspace infrastructure, from Laura.

15) Remove indirection to calculate checksums in IPVS, from Matteo Croce.

16) Use call wrappers for indirection in IPVS, also from Matteo.

17) Remove superfluous __percpu parameter in nft_counter, patch from
Luc Van Oostenryck.
====================

Signed-off-by: David S. Miller
18 Jan, 2019
1 commit
-
It's now the same as __nf_ct_l4proto_find(), so rename that to
nf_ct_l4proto_find and use it everywhere.

It never returns NULL and doesn't need locks or reference counts.

Before this series:
302824 net/netfilter/nf_conntrack.ko
21504 net/netfilter/nf_conntrack_proto_gre.ko

text data bss dec hex filename
6281 1732 4 8017 1f51 nf_conntrack_proto_gre.ko
108356 20613 236 129205 1f8b5 nf_conntrack.ko

After:
294864 net/netfilter/nf_conntrack.ko

text data bss dec hex filename
106979 19557 240 126776 1ef38 nf_conntrack.ko

so, even with builtin gre, total size got reduced.

Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
11 Jan, 2019
1 commit
-
In the forward chain, the iif is changed from slave device to master vrf
device. Thus, flow offload does not find a match on the lower slave
device.

This patch uses the cached route, i.e. dst->dev, to update the iif and
oif fields in the flow entry.

After this patch, the following example works fine:

# ip addr add dev eth0 1.1.1.1/24
# ip addr add dev eth1 10.0.0.1/24
# ip link add user1 type vrf table 1
# ip l set user1 up
# ip l set dev eth0 master user1
# ip l set dev eth1 master user1

# nft add table firewall
# nft add flowtable f fb1 { hook ingress priority 0 \; devices = { eth0, eth1 } \; }
# nft add chain f ftb-all {type filter hook forward priority 0 \; policy accept \; }
# nft add rule f ftb-all ct zone 1 ip protocol tcp flow offload @fb1
# nft add rule f ftb-all ct zone 1 ip protocol udp flow offload @fb1

Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
12 Nov, 2018
1 commit
-
nf_flow_offload_gc_step() and nf_flow_table_iterate() are very similar,
so much duplicated code can be removed.
After this patch, nf_flow_offload_gc_step() is a simple callback function of
nf_flow_table_iterate() like nf_flow_table_do_cleanup().

Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso