Unnamed repository; edit this file 'description' to name the repository. https://git.kobert.dev/pm24.git/atom?h=master 2024-11-15T11:07:04Z 2024-11-15T11:07:04Z Jeremy Sowden jeremy@azazel.net 2024-11-14T21:08:13Z urn:sha1:b0ccf4f53d968e794a4ea579d5135cc1aaf1a53f Hitherto, these operations have been converted in user space to mask-and-xor operations on one register and two immediate values, and it is the latter which have been evaluated by the kernel. We add support for evaluating these operations directly in kernel space on one register and either an immediate value or a second register. Pablo made a few changes to the original patch: - EINVAL if NFTA_BITWISE_SREG2 is used with fast version. - Allow _AND,_OR,_XOR with _DATA != sizeof(u32) - Dump _SREG2 or _DATA with _AND,_OR,_XOR Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2024-11-15T10:00:29Z Jeremy Sowden jeremy@azazel.net 2024-11-14T21:07:51Z urn:sha1:a12143e6084c502fc3cfaa8b717bffc8c14cf806 In the next patch we add support for doing AND, OR and XOR operations directly in the kernel, so rename some functions and an enum constant related to mask-and-xor boolean operations. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2024-09-26T15:14:35Z Phil Sutter phil@nwl.cc 2024-09-25T18:01:20Z urn:sha1:76f1ed087b562a469f2153076f179854b749c09a Fix the comment which incorrectly defines it as NLA_U32. Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2024-09-03T16:19:40Z Pablo Neira Ayuso pablo@netfilter.org 2024-09-02T23:09:27Z urn:sha1:8bfb74ae12fa4cd3c9b49bb5913610b5709bffd7 This patch uses zero as timeout marker for those elements that never expire when the element is created. If userspace provides no timeout for an element, then the default set timeout applies. However, if no default set timeout is specified and timeout flag is set on, then timeout extension is allocated and timeout is set to zero to allow for future updates. Use of zero a never timeout marker has been suggested by Phil Sutter. Note that, in older kernels, it is already possible to define elements that never expire by declaring a set with the set timeout flag set on and no global set timeout, in this case, new element with no explicit timeout never expire do not allocate the timeout extension, hence, they never expire. This approach makes it complicated to accomodate element timeout update, because element extensions do not support reallocations. Therefore, allocate the timeout extension and use the new marker for this case, but do not expose it to userspace to retain backward compatibility in the set listing. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2024-06-25T22:54:53Z Pablo Neira Ayuso pablo@netfilter.org 2024-06-03T18:16:59Z urn:sha1:e29630247be24c3987e2b048f8e152771b32d38b secmark context is artificially limited 256 bytes, rise it to 4Kbytes. Fixes: fb961945457f ("netfilter: nf_tables: add SECMARK support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2024-02-08T23:30:33Z Jakub Kicinski kuba@kernel.org 2024-02-08T23:20:37Z urn:sha1:3be042cf46feeedf664152d063376b5c17026d1d Cross-merge networking fixes after downstream PR. No conflicts. Adjacent changes: drivers/net/ethernet/stmicro/stmmac/common.h 38cc3c6dcc09 ("net: stmmac: protect updates of 64-bit statistics counters") fd5a6a71313e ("net: stmmac: est: Per Tx-queue error count for HLBF") c5c3e1bfc9e0 ("net: stmmac: Offload queueMaxSDU from tc-taprio") drivers/net/wireless/microchip/wilc1000/netdev.c c9013880284d ("wifi: fill in MODULE_DESCRIPTION()s for wilc1000") 328efda22af8 ("wifi: wilc1000: do not realloc workqueue everytime an interface is added") net/unix/garbage.c 11498715f266 ("af_unix: Remove io_uring code for GC.") 1279f9d9dec2 ("af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC.") Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2024-02-07T21:02:51Z Pablo Neira Ayuso pablo@netfilter.org 2024-02-01T22:33:29Z urn:sha1:292781c3c5485ce33bd22b2ef1b2bed709b4d672 Flag (1 << 0) is ignored is set, never used, reject it it with EINVAL instead. Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2024-01-29T14:43:20Z Phil Sutter phil@nwl.cc 2023-12-21T13:31:58Z urn:sha1:da5141bbe0c2693d85f14a89ee991921904f4d0c This companion flag to NFT_TABLE_F_OWNER requests the kernel to keep the table around after the process has exited. It marks such table as orphaned (by dropping OWNER flag but keeping PERSIST flag in place), which opens it for other processes to manipulate. For the sake of simplicity, PERSIST flag may not be altered though. Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> 2024-01-29T14:43:20Z Phil Sutter phil@nwl.cc 2023-12-21T13:31:57Z urn:sha1:941988af572434e4aa93fb0f2f509f92adfd691a Add at least this one-liner describing the obvious. Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de> 2023-09-06T16:09:12Z Phil Sutter phil@nwl.cc 2023-09-01T12:15:16Z urn:sha1:fdc04cc2d5fd0bb9c17f36d0a895cf3e151109e6 Add a brief description to the enum's comment. Fixes: 837830a4b439 ("netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Florian Westphal <fw@strlen.de>