netfilter-devel.vger.kernel.org archive mirror
* [PATCH net-next 0/9] Netfilter updates for net-next
From: Florian Westphal @ 2023-03-08 19:30 UTC
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel

Hi,

The following set contains updates for the *net-next* tree:

1. nf_tables 'brouting' support, from Sriram Yagnaraman.

2. Update bridge netfilter and ovs conntrack helpers to handle
   IPv6 Jumbo packets properly, i.e. fetch the packet length
   from hop-by-hop extension header, from Xin Long.

   This comes with a BIG TCP test case, added to
   tools/testing/selftests/net/.

3. Fix spelling and indentation in conntrack, from Jeremy Sowden.

Please consider pulling from

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git

----------------------------------------------------------------

The following changes since commit 7d8c48917a9576b5fc8871aa4946149b0e4a4927:

  dt-bindings: net: dsa: mediatek,mt7530: change some descriptions to literal (2023-03-08 13:05:37 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git main

for you to fetch changes up to b0ca200077b3872056e6a8291c9a50f803658c2a:

  netfilter: nat: fix indentation of function arguments (2023-03-08 14:25:44 +0100)

----------------------------------------------------------------

Jeremy Sowden (2):
  netfilter: conntrack: fix typo
  netfilter: nat: fix indentation of function arguments

Sriram Yagnaraman (1):
  netfilter: bridge: introduce broute meta statement

Xin Long (6):
  netfilter: bridge: call pskb_may_pull in br_nf_check_hbh_len
  netfilter: bridge: check len before accessing more nh data
  netfilter: bridge: move pskb_trim_rcsum out of br_nf_check_hbh_len
  netfilter: move br_nf_check_hbh_len to utils
  netfilter: use nf_ip6_check_hbh_len in nf_ct_skb_network_trim
  selftests: add a selftest for big tcp

 include/linux/netfilter_ipv6.h           |   2 +
 include/uapi/linux/netfilter/nf_tables.h |   2 +
 net/bridge/br_netfilter_ipv6.c           |  79 ++--------
 net/bridge/netfilter/nft_meta_bridge.c   |  71 ++++++++-
 net/netfilter/nf_conntrack_core.c        |   2 +-
 net/netfilter/nf_conntrack_ovs.c         |  11 +-
 net/netfilter/nf_nat_core.c              |   4 +-
 net/netfilter/utils.c                    |  52 +++++++
 tools/testing/selftests/net/Makefile     |   1 +
 tools/testing/selftests/net/big_tcp.sh   | 180 +++++++++++++++++++++++
 10 files changed, 327 insertions(+), 77 deletions(-)
 create mode 100755 tools/testing/selftests/net/big_tcp.sh

* [PATCH net-next 1/9] netfilter: bridge: introduce broute meta statement
From: Florian Westphal @ 2023-03-08 19:30 UTC
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Sriram Yagnaraman

From: Sriram Yagnaraman <sriram.yagnaraman@est.tech>

nftables equivalent for ebtables -t broute.

Implement broute meta statement to set br_netfilter_broute flag
in skb to force a packet to be routed instead of being bridged.

Signed-off-by: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/uapi/linux/netfilter/nf_tables.h |  2 +
 net/bridge/netfilter/nft_meta_bridge.c   | 71 +++++++++++++++++++++++-
 2 files changed, 70 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index ff677f3a6cad..9c6f02c26054 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -931,6 +931,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_TIME_HOUR: hour of day (in seconds)
  * @NFT_META_SDIF: slave device interface index
  * @NFT_META_SDIFNAME: slave device interface name
+ * @NFT_META_BRI_BROUTE: packet br_netfilter_broute bit
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
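Review bot: the kernel-doc line for NFT_META_BRI_BROUTE ("packet br_netfilter_broute bit") should state that the key is set-only. This patch wires it into the bridge set path only (nft_meta_bridge_set_eval/set_init/set_validate below); the get path is not extended, so the flag cannot be read back with `meta broute`. Saying so in the uapi comment stops userspace from assuming a matching get form exists.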
@@ -969,6 +970,7 @@ enum nft_meta_keys {
 	NFT_META_TIME_HOUR,
 	NFT_META_SDIF,
 	NFT_META_SDIFNAME,
+	NFT_META_BRI_BROUTE,
 	__NFT_META_IIFTYPE,
 };
 
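Review bot: placing the new enumerator before the internal `__NFT_META_IIFTYPE` sentinel rather than after it is correct, since everything after the sentinel is not part of the uapi and existing values keep their numbers; nothing to change here. The commit message could mention that a matching nftables userspace update is needed before the key is usable from the nft CLI.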
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index c3ecd77e25cb..bd4d1b4d745f 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -8,6 +8,9 @@
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nft_meta.h>
 #include <linux/if_bridge.h>
+#include <uapi/linux/netfilter_bridge.h> /* NF_BR_PRE_ROUTING */
+
+#include "../br_private.h"
 
 static const struct net_device *
 nft_meta_get_bridge(const struct net_device *dev)
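Review bot: `#include <uapi/linux/netfilter_bridge.h>` should be `#include <linux/netfilter_bridge.h>`; kernel code includes the wrapper header, which pulls in the uapi definitions (NF_BR_PRE_ROUTING included), rather than reaching into uapi/ directly. The `../br_private.h` include is what BR_INPUT_SKB_CB() used in the new set_eval requires, so that one is fine.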
@@ -102,6 +105,50 @@ static const struct nft_expr_ops nft_meta_bridge_get_ops = {
 	.reduce		= nft_meta_get_reduce,
 };
 
+static void nft_meta_bridge_set_eval(const struct nft_expr *expr,
+				     struct nft_regs *regs,
+				     const struct nft_pktinfo *pkt)
+{
+	const struct nft_meta *meta = nft_expr_priv(expr);
+	u32 *sreg = &regs->data[meta->sreg];
+	struct sk_buff *skb = pkt->skb;
+	u8 value8;
+
+	switch (meta->key) {
+	case NFT_META_BRI_BROUTE:
+		value8 = nft_reg_load8(sreg);
+		BR_INPUT_SKB_CB(skb)->br_netfilter_broute = !!value8;
+		break;
+	default:
+		nft_meta_set_eval(expr, regs, pkt);
+	}
+}
+
+static int nft_meta_bridge_set_init(const struct nft_ctx *ctx,
+				    const struct nft_expr *expr,
+				    const struct nlattr * const tb[])
+{
+	struct nft_meta *priv = nft_expr_priv(expr);
+	unsigned int len;
+	int err;
+
+	priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
+	switch (priv->key) {
+	case NFT_META_BRI_BROUTE:
+		len = sizeof(u8);
+		break;
+	default:
+		return nft_meta_set_init(ctx, expr, tb);
+	}
+
+	priv->len = len;
+	err = nft_parse_register_load(tb[NFTA_META_SREG], &priv->sreg, len);
+	if (err < 0)
+		return err;
+
+	return 0;
+}
+
 static bool nft_meta_bridge_set_reduce(struct nft_regs_track *track,
 				       const struct nft_expr *expr)
 {
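Review bot: nft_meta_bridge_set_init() dereferences tb[NFTA_META_KEY] and tb[NFTA_META_SREG] without NULL checks, so it relies on the expression's select_ops (not in this hunk) having already rejected requests that lack either attribute; a one-line comment saying so would save the next reader a trip through nft_meta_bridge_select_ops(). Style: the tail `err = nft_parse_register_load(...); if (err < 0) return err; return 0;` collapses to `return nft_parse_register_load(tb[NFTA_META_SREG], &priv->sreg, len);`. In set_eval, note that the value is written into the bridge's skb control block (BR_INPUT_SKB_CB), which is only meaningful while the frame is still in the bridge input path; that is what the hook restriction in the validate callback below enforces.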
@@ -120,15 +167,33 @@ static bool nft_meta_bridge_set_reduce(struct nft_regs_track *track,
 	return false;
 }
 
+static int nft_meta_bridge_set_validate(const struct nft_ctx *ctx,
+					const struct nft_expr *expr,
+					const struct nft_data **data)
+{
+	struct nft_meta *priv = nft_expr_priv(expr);
+	unsigned int hooks;
+
+	switch (priv->key) {
+	case NFT_META_BRI_BROUTE:
+		hooks = 1 << NF_BR_PRE_ROUTING;
+		break;
+	default:
+		return nft_meta_set_validate(ctx, expr, data);
+	}
+
+	return nft_chain_validate_hooks(ctx->chain, hooks);
+}
+
 static const struct nft_expr_ops nft_meta_bridge_set_ops = {
 	.type		= &nft_meta_bridge_type,
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_meta)),
-	.eval		= nft_meta_set_eval,
-	.init		= nft_meta_set_init,
+	.eval		= nft_meta_bridge_set_eval,
+	.init		= nft_meta_bridge_set_init,
 	.destroy	= nft_meta_set_destroy,
 	.dump		= nft_meta_set_dump,
 	.reduce		= nft_meta_bridge_set_reduce,
-	.validate	= nft_meta_set_validate,
+	.validate	= nft_meta_bridge_set_validate,
 };
 
 static const struct nft_expr_ops *
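Review bot: limiting NFT_META_BRI_BROUTE to `1 << NF_BR_PRE_ROUTING` is the right constraint (per the commit message the flag decides whether the frame is routed instead of bridged, so setting it from any later bridge hook would come too late), but the reason is not stated anywhere; a short comment above `hooks = 1 << NF_BR_PRE_ROUTING;` would help, and the commit message should say that `meta broute set` is accepted in bridge prerouting chains only so the -EOPNOTSUPP from nft_chain_validate_hooks() does not surprise users.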
-- 
2.39.2


* [PATCH net-next 2/9] netfilter: bridge: call pskb_may_pull in br_nf_check_hbh_len
From: Florian Westphal @ 2023-03-08 19:30 UTC
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Xin Long, Simon Horman, Nikolay Aleksandrov,
	Aaron Conole

From: Xin Long <lucien.xin@gmail.com>

When checking the Hop-by-hop option header, if the option data is in
a nonlinear area, it should do pskb_may_pull instead of discarding
the skb as a bad IPv6 packet.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/bridge/br_netfilter_ipv6.c | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 6b07f30675bb..afd1c718b683 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -45,14 +45,18 @@
  */
 static int br_nf_check_hbh_len(struct sk_buff *skb)
 {
-	unsigned char *raw = (u8 *)(ipv6_hdr(skb) + 1);
+	int len, off = sizeof(struct ipv6hdr);
+	unsigned char *nh;
 	u32 pkt_len;
-	const unsigned char *nh = skb_network_header(skb);
-	int off = raw - nh;
-	int len = (raw[1] + 1) << 3;
 
-	if ((raw + len) - skb->data > skb_headlen(skb))
+	if (!pskb_may_pull(skb, off + 8))
 		goto bad;
+	nh = (unsigned char *)(ipv6_hdr(skb) + 1);
+	len = (nh[1] + 1) << 3;
+
+	if (!pskb_may_pull(skb, off + len))
+		goto bad;
+	nh = skb_network_header(skb);
 
 	off += 2;
 	len -= 2;
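Review bot: the second `nh = skb_network_header(skb);` after `pskb_may_pull(skb, off + len)` is required, not cosmetic: the pull can reallocate the head and invalidate the `nh` computed from ipv6_hdr(skb) two lines earlier. A short comment there would keep a future cleanup from hoisting or merging the two assignments. Also note that both pull failures still `goto bad`, so the "instead of discarding" in the commit message only covers data that exists in the non-linear part; a genuinely truncated header is still treated as malformed, which is the right call but worth saying.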
-- 
2.39.2


* [PATCH net-next 3/9] netfilter: bridge: check len before accessing more nh data
From: Florian Westphal @ 2023-03-08 19:30 UTC
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Xin Long, Simon Horman, Nikolay Aleksandrov,
	Aaron Conole

From: Xin Long <lucien.xin@gmail.com>

In the while loop of br_nf_check_hbh_len(), similar to ip6_parse_tlv(),
before accessing 'nh[off + 1]', it should add a check 'len < 2'; and
before parsing IPV6_TLV_JUMBO, it should add a check 'optlen > len',
in case of overflows.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/bridge/br_netfilter_ipv6.c | 45 +++++++++++++++-------------------
 1 file changed, 20 insertions(+), 25 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index afd1c718b683..8be3c5c8b925 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -50,54 +50,49 @@ static int br_nf_check_hbh_len(struct sk_buff *skb)
 	u32 pkt_len;
 
 	if (!pskb_may_pull(skb, off + 8))
-		goto bad;
+		return -1;
 	nh = (unsigned char *)(ipv6_hdr(skb) + 1);
 	len = (nh[1] + 1) << 3;
 
 	if (!pskb_may_pull(skb, off + len))
-		goto bad;
+		return -1;
 	nh = skb_network_header(skb);
 
 	off += 2;
 	len -= 2;
-
 	while (len > 0) {
-		int optlen = nh[off + 1] + 2;
-
-		switch (nh[off]) {
-		case IPV6_TLV_PAD1:
-			optlen = 1;
-			break;
+		int optlen;
 
-		case IPV6_TLV_PADN:
-			break;
+		if (nh[off] == IPV6_TLV_PAD1) {
+			off++;
+			len--;
+			continue;
+		}
+		if (len < 2)
+			return -1;
+		optlen = nh[off + 1] + 2;
+		if (optlen > len)
+			return -1;
 
-		case IPV6_TLV_JUMBO:
+		if (nh[off] == IPV6_TLV_JUMBO) {
 			if (nh[off + 1] != 4 || (off & 3) != 2)
-				goto bad;
+				return -1;
 			pkt_len = ntohl(*(__be32 *)(nh + off + 2));
 			if (pkt_len <= IPV6_MAXPLEN ||
 			    ipv6_hdr(skb)->payload_len)
-				goto bad;
+				return -1;
 			if (pkt_len > skb->len - sizeof(struct ipv6hdr))
-				goto bad;
+				return -1;
 			if (pskb_trim_rcsum(skb,
 					    pkt_len + sizeof(struct ipv6hdr)))
-				goto bad;
+				return -1;
 			nh = skb_network_header(skb);
-			break;
-		default:
-			if (optlen > len)
-				goto bad;
-			break;
 		}
 		off += optlen;
 		len -= optlen;
 	}
-	if (len == 0)
-		return 0;
-bad:
-	return -1;
+
+	return len ? -1 : 0;
 }
 
 int br_validate_ipv6(struct net *net, struct sk_buff *skb)
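Review bot: the bounds logic is sound now: `len < 2` guards the read of nh[off + 1], `optlen > len` bounds every option, and for IPV6_TLV_JUMBO the `nh[off + 1] != 4` test puts the 4-byte read at nh + off + 2 inside the already-checked optlen. One point that deserves a comment: after pskb_trim_rcsum() the loop keeps walking with the same off/len, which is only safe because the trimmed length is pkt_len + 40 and pkt_len was just required to exceed IPV6_MAXPLEN, so the whole HBH header (at most 2048 bytes) is still inside the skb. That dependency is easy to break in a later refactor; moving the trim out of the walk (as the next patch does) removes it.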
-- 
2.39.2


* [PATCH net-next 4/9] netfilter: bridge: move pskb_trim_rcsum out of br_nf_check_hbh_len
From: Florian Westphal @ 2023-03-08 19:30 UTC
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Xin Long, Simon Horman, Nikolay Aleksandrov,
	Aaron Conole

From: Xin Long <lucien.xin@gmail.com>

br_nf_check_hbh_len() is a function to check the Hop-by-hop option
header, and shouldn't do pskb_trim_rcsum() there. This patch is to
pass pkt_len out to br_validate_ipv6() and do pskb_trim_rcsum()
after calling br_validate_ipv6() instead.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/bridge/br_netfilter_ipv6.c | 33 ++++++++++++++-------------------
 1 file changed, 14 insertions(+), 19 deletions(-)

diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index 8be3c5c8b925..a0d6dfb3e255 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -43,11 +43,10 @@
 /* We only check the length. A bridge shouldn't do any hop-by-hop stuff
  * anyway
  */
-static int br_nf_check_hbh_len(struct sk_buff *skb)
+static int br_nf_check_hbh_len(struct sk_buff *skb, u32 *plen)
 {
 	int len, off = sizeof(struct ipv6hdr);
 	unsigned char *nh;
-	u32 pkt_len;
 
 	if (!pskb_may_pull(skb, off + 8))
 		return -1;
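Review bot: the new `u32 *plen` out-parameter is only written when a Jumbo option is found (`*plen = pkt_len;` later in this patch), so callers must pre-initialise it with the header's payload_len, as br_validate_ipv6() does; the comment above the function should spell that out, since it is now part of the function's contract rather than an implementation detail.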
@@ -75,6 +74,8 @@ static int br_nf_check_hbh_len(struct sk_buff *skb)
 			return -1;
 
 		if (nh[off] == IPV6_TLV_JUMBO) {
+			u32 pkt_len;
+
 			if (nh[off + 1] != 4 || (off & 3) != 2)
 				return -1;
 			pkt_len = ntohl(*(__be32 *)(nh + off + 2));
@@ -83,10 +84,7 @@ static int br_nf_check_hbh_len(struct sk_buff *skb)
 				return -1;
 			if (pkt_len > skb->len - sizeof(struct ipv6hdr))
 				return -1;
-			if (pskb_trim_rcsum(skb,
-					    pkt_len + sizeof(struct ipv6hdr)))
-				return -1;
-			nh = skb_network_header(skb);
+			*plen = pkt_len;
 		}
 		off += optlen;
 		len -= optlen;
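Review bot: with the trim moved out, the `pkt_len > skb->len - sizeof(struct ipv6hdr)` check here and the `pkt_len + ip6h_len > skb->len` check in br_validate_ipv6() cover the same condition. Keeping both is harmless and protects other callers, but the copy in the helper returns -1 without touching the MIB counters while the caller's copy increments IPSTATS_MIB_INTRUNCATEDPKTS, so a truncated Jumbo frame is accounted differently from a truncated normal one. Either drop the helper's copy or let it return a distinct error so the caller can count it.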
@@ -114,22 +112,19 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb)
 		goto inhdr_error;
 
 	pkt_len = ntohs(hdr->payload_len);
+	if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb, &pkt_len))
+		goto drop;
 
-	if (pkt_len || hdr->nexthdr != NEXTHDR_HOP) {
-		if (pkt_len + ip6h_len > skb->len) {
-			__IP6_INC_STATS(net, idev,
-					IPSTATS_MIB_INTRUNCATEDPKTS);
-			goto drop;
-		}
-		if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
-			__IP6_INC_STATS(net, idev,
-					IPSTATS_MIB_INDISCARDS);
-			goto drop;
-		}
-		hdr = ipv6_hdr(skb);
+	if (pkt_len + ip6h_len > skb->len) {
+		__IP6_INC_STATS(net, idev,
+				IPSTATS_MIB_INTRUNCATEDPKTS);
+		goto drop;
 	}
-	if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb))
+	if (pskb_trim_rcsum(skb, pkt_len + ip6h_len)) {
+		__IP6_INC_STATS(net, idev,
+				IPSTATS_MIB_INDISCARDS);
 		goto drop;
+	}
 
 	memset(IP6CB(skb), 0, sizeof(struct inet6_skb_parm));
 	/* No IP options in IPv6 header; however it should be
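Review bot: the `goto drop` on br_nf_check_hbh_len() failure increments no IPSTATS counter, unlike the INTRUNCATEDPKTS and INDISCARDS paths right below it, so malformed Hop-by-Hop headers are dropped silently; `__IP6_INC_STATS(net, idev, IPSTATS_MIB_INHDRERRORS)` there would match the rest of the function. Also note the behaviour change hidden in the restructuring: before, a packet with payload_len == 0 and nexthdr == NEXTHDR_HOP skipped the truncation check and trim entirely, while now every packet goes through pskb_trim_rcsum(), so a zero-payload_len HBH packet without a Jumbo option is trimmed down to the bare 40-byte header. That is defensible (such a packet is malformed), but it deserves a sentence in the commit message.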
-- 
2.39.2


* [PATCH net-next 5/9] netfilter: move br_nf_check_hbh_len to utils
From: Florian Westphal @ 2023-03-08 19:30 UTC
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Xin Long, Simon Horman, Nikolay Aleksandrov,
	Aaron Conole

From: Xin Long <lucien.xin@gmail.com>

Rename br_nf_check_hbh_len() to nf_ip6_check_hbh_len() and move it
to netfilter utils, so that it can be used by other modules, like
ovs and tc.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/linux/netfilter_ipv6.h |  2 ++
 net/bridge/br_netfilter_ipv6.c | 55 +---------------------------------
 net/netfilter/utils.c          | 52 ++++++++++++++++++++++++++++++++
 3 files changed, 55 insertions(+), 54 deletions(-)

diff --git a/include/linux/netfilter_ipv6.h b/include/linux/netfilter_ipv6.h
index 48314ade1506..7834c0be2831 100644
--- a/include/linux/netfilter_ipv6.h
+++ b/include/linux/netfilter_ipv6.h
@@ -197,6 +197,8 @@ static inline int nf_cookie_v6_check(const struct ipv6hdr *iph,
 __sum16 nf_ip6_checksum(struct sk_buff *skb, unsigned int hook,
 			unsigned int dataoff, u_int8_t protocol);
 
+int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen);
+
 int ipv6_netfilter_init(void);
 void ipv6_netfilter_fini(void);
 
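Review bot: the prototype is added without a comment, and since nf_ip6_check_hbh_len() becomes a cross-module API here (the commit message names ovs and tc as future callers), the header is the place to document its contract: *plen must be pre-set from payload_len and is only overwritten when a Jumbo option is present; the function may call pskb_may_pull() and therefore invalidate any cached header pointers the caller holds; and the return values are 0, -ENOMEM and -EBADMSG.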
diff --git a/net/bridge/br_netfilter_ipv6.c b/net/bridge/br_netfilter_ipv6.c
index a0d6dfb3e255..550039dfc31a 100644
--- a/net/bridge/br_netfilter_ipv6.c
+++ b/net/bridge/br_netfilter_ipv6.c
@@ -40,59 +40,6 @@
 #include <linux/sysctl.h>
 #endif
 
-/* We only check the length. A bridge shouldn't do any hop-by-hop stuff
- * anyway
- */
-static int br_nf_check_hbh_len(struct sk_buff *skb, u32 *plen)
-{
-	int len, off = sizeof(struct ipv6hdr);
-	unsigned char *nh;
-
-	if (!pskb_may_pull(skb, off + 8))
-		return -1;
-	nh = (unsigned char *)(ipv6_hdr(skb) + 1);
-	len = (nh[1] + 1) << 3;
-
-	if (!pskb_may_pull(skb, off + len))
-		return -1;
-	nh = skb_network_header(skb);
-
-	off += 2;
-	len -= 2;
-	while (len > 0) {
-		int optlen;
-
-		if (nh[off] == IPV6_TLV_PAD1) {
-			off++;
-			len--;
-			continue;
-		}
-		if (len < 2)
-			return -1;
-		optlen = nh[off + 1] + 2;
-		if (optlen > len)
-			return -1;
-
-		if (nh[off] == IPV6_TLV_JUMBO) {
-			u32 pkt_len;
-
-			if (nh[off + 1] != 4 || (off & 3) != 2)
-				return -1;
-			pkt_len = ntohl(*(__be32 *)(nh + off + 2));
-			if (pkt_len <= IPV6_MAXPLEN ||
-			    ipv6_hdr(skb)->payload_len)
-				return -1;
-			if (pkt_len > skb->len - sizeof(struct ipv6hdr))
-				return -1;
-			*plen = pkt_len;
-		}
-		off += optlen;
-		len -= optlen;
-	}
-
-	return len ? -1 : 0;
-}
-
 int br_validate_ipv6(struct net *net, struct sk_buff *skb)
 {
 	const struct ipv6hdr *hdr;
@@ -112,7 +59,7 @@ int br_validate_ipv6(struct net *net, struct sk_buff *skb)
 		goto inhdr_error;
 
 	pkt_len = ntohs(hdr->payload_len);
-	if (hdr->nexthdr == NEXTHDR_HOP && br_nf_check_hbh_len(skb, &pkt_len))
+	if (hdr->nexthdr == NEXTHDR_HOP && nf_ip6_check_hbh_len(skb, &pkt_len))
 		goto drop;
 
 	if (pkt_len + ip6h_len > skb->len) {
diff --git a/net/netfilter/utils.c b/net/netfilter/utils.c
index 2182d361e273..acef4155f0da 100644
--- a/net/netfilter/utils.c
+++ b/net/netfilter/utils.c
@@ -215,3 +215,55 @@ int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry)
 	}
 	return ret;
 }
+
+/* Only get and check the lengths, not do any hop-by-hop stuff. */
+int nf_ip6_check_hbh_len(struct sk_buff *skb, u32 *plen)
+{
+	int len, off = sizeof(struct ipv6hdr);
+	unsigned char *nh;
+
+	if (!pskb_may_pull(skb, off + 8))
+		return -ENOMEM;
+	nh = (unsigned char *)(ipv6_hdr(skb) + 1);
+	len = (nh[1] + 1) << 3;
+
+	if (!pskb_may_pull(skb, off + len))
+		return -ENOMEM;
+	nh = skb_network_header(skb);
+
+	off += 2;
+	len -= 2;
+	while (len > 0) {
+		int optlen;
+
+		if (nh[off] == IPV6_TLV_PAD1) {
+			off++;
+			len--;
+			continue;
+		}
+		if (len < 2)
+			return -EBADMSG;
+		optlen = nh[off + 1] + 2;
+		if (optlen > len)
+			return -EBADMSG;
+
+		if (nh[off] == IPV6_TLV_JUMBO) {
+			u32 pkt_len;
+
+			if (nh[off + 1] != 4 || (off & 3) != 2)
+				return -EBADMSG;
+			pkt_len = ntohl(*(__be32 *)(nh + off + 2));
+			if (pkt_len <= IPV6_MAXPLEN ||
+			    ipv6_hdr(skb)->payload_len)
+				return -EBADMSG;
+			if (pkt_len > skb->len - sizeof(struct ipv6hdr))
+				return -EBADMSG;
+			*plen = pkt_len;
+		}
+		off += optlen;
+		len -= optlen;
+	}
+
+	return len ? -EBADMSG : 0;
+}
+EXPORT_SYMBOL_GPL(nf_ip6_check_hbh_len);
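Review bot: returning -ENOMEM when pskb_may_pull() fails is misleading: pskb_may_pull() also fails when skb->len is simply shorter than off + len, i.e. for a truncated packet, not only on allocation failure, so a truncated HBH header is reported as an out-of-memory condition to the new external callers. Either test `skb->len < off + len` first and return -EBADMSG (or -EINVAL) for that case, or document that -ENOMEM covers both. Minor: the comment reads better as "Only get and check the lengths; do not process any hop-by-hop options."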
-- 
2.39.2
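The length walk that patches 2 to 5 above converge on (nf_ip6_check_hbh_len), and that patch 6 reuses for the conntrack trim, is small enough to exercise outside the kernel. The following is an added userspace model written for this page, not code from the series or from the kernel: a plain byte buffer stands in for the skb, `buf_len` plays the role of skb->len, the two pskb_may_pull() checks become length comparisons (returning -EINVAL rather than the kernel's -ENOMEM, since there is no non-linear area to pull from), and the option bodies, packet builder and `hbh_case()` wrapper are constructed here for illustration. It walks the same cases the patches guard against: a valid Jumbo option, padding-only headers, an option length that overruns the header, a Jumbo option with a non-zero payload_len, a Jumbo length larger than the packet, a misaligned Jumbo option, and a header that is not fully present.

```c
/* hbh_len_check.c: userspace model of the Hop-by-Hop length walk.
 * Added example for this page; not from the patch series or the kernel. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define IPV6_HDR_LEN 40
#define IPV6_MAXPLEN 65535
#define NEXTHDR_HOP  0
#define TLV_PAD1     0
#define TLV_PADN     1
#define TLV_JUMBO    0xC2

/* Walk the Hop-by-Hop header at buf + 40 and validate every option length.
 * *plen is overwritten only when a well-formed Jumbo option is found; the
 * caller pre-sets it from payload_len, as br_validate_ipv6() does.
 * Returns 0, -EINVAL (header not fully present; the kernel's pskb_may_pull()
 * failure, which it reports as -ENOMEM) or -EBADMSG (malformed). */
int ip6_check_hbh_len(const uint8_t *buf, size_t buf_len, uint32_t *plen)
{
	size_t off = IPV6_HDR_LEN, len;
	uint16_t payload_len;

	if (buf_len < off + 8)                 /* pskb_may_pull(skb, off + 8) */
		return -EINVAL;
	len = ((size_t)buf[off + 1] + 1) << 3; /* Hdr Ext Len is in 8-octet units */
	if (buf_len < off + len)               /* pskb_may_pull(skb, off + len) */
		return -EINVAL;
	memcpy(&payload_len, buf + 4, sizeof(payload_len)); /* raw, only tested for zero */

	off += 2;                              /* skip Next Header + Hdr Ext Len */
	len -= 2;
	while (len > 0) {
		size_t optlen;

		if (buf[off] == TLV_PAD1) {    /* one-byte option without a length field */
			off++;
			len--;
			continue;
		}
		if (len < 2)                   /* need both the type and the length byte */
			return -EBADMSG;
		optlen = (size_t)buf[off + 1] + 2;
		if (optlen > len)              /* option would run past the header */
			return -EBADMSG;
		if (buf[off] == TLV_JUMBO) {
			uint32_t pkt_len;

			/* RFC 2675: 4-byte value, 4n+2 aligned, payload_len must be zero */
			if (buf[off + 1] != 4 || (off & 3) != 2)
				return -EBADMSG;
			memcpy(&pkt_len, buf + off + 2, sizeof(pkt_len));
			pkt_len = ntohl(pkt_len);
			if (pkt_len <= IPV6_MAXPLEN || payload_len != 0)
				return -EBADMSG;
			if (pkt_len > buf_len - IPV6_HDR_LEN) /* claims more than we hold */
				return -EBADMSG;
			*plen = pkt_len;
		}
		off += optlen;
		len -= optlen;
	}
	return len ? -EBADMSG : 0;
}

uint8_t pkt_buf[70000];  /* scratch buffer for the constructed packets */
uint32_t g_plen;         /* receives *plen for the cases below */

/* Constructed option bodies (everything after the 2-byte HBH preamble). */
const uint8_t OPT_JUMBO_69960[6]       = { TLV_JUMBO, 4, 0x00, 0x01, 0x11, 0x48 };
const uint8_t OPT_PADN[6]              = { TLV_PADN, 4, 0, 0, 0, 0 };
const uint8_t OPT_PADN_OVERRUN[6]      = { TLV_PADN, 200, 0, 0, 0, 0 };
const uint8_t OPT_PAD1_RUN[6]          = { TLV_PAD1, TLV_PAD1, TLV_PAD1, TLV_PAD1, TLV_PADN, 0 };
const uint8_t OPT_JUMBO_MISALIGNED[14] = { TLV_PAD1, TLV_JUMBO, 4, 0x00, 0x01, 0x11, 0x48,
					   TLV_PADN, 5, 0, 0, 0, 0, 0 };

/* Build IPv6 header + HBH header into pkt_buf, then run the check over the
 * first buf_len bytes (buf_len may exceed what was written, modelling a large
 * skb whose payload the walk never looks at). Returns the verdict. */
int hbh_case(size_t buf_len, uint16_t payload_len,
	     const uint8_t *opts, size_t opts_len, uint32_t *plen)
{
	size_t hbh_len = 2 + opts_len;        /* must be a multiple of 8 */

	if (hbh_len % 8 || IPV6_HDR_LEN + hbh_len > sizeof(pkt_buf) ||
	    buf_len > sizeof(pkt_buf))
		return -E2BIG;
	memset(pkt_buf, 0, IPV6_HDR_LEN + hbh_len);
	pkt_buf[0] = 0x60;                    /* version 6 */
	pkt_buf[4] = payload_len >> 8;
	pkt_buf[5] = payload_len & 0xff;
	pkt_buf[6] = NEXTHDR_HOP;
	pkt_buf[7] = 64;                      /* hop limit */
	pkt_buf[40] = 6;                      /* next header after HBH: TCP */
	pkt_buf[41] = (uint8_t)(hbh_len / 8 - 1);
	memcpy(pkt_buf + 42, opts, opts_len);
	*plen = payload_len;
	return ip6_check_hbh_len(pkt_buf, buf_len, plen);
}

int main(void)
{
	int rc = hbh_case(sizeof(pkt_buf), 0, OPT_JUMBO_69960, 6, &g_plen);

	printf("jumbo 69960 in 70000-byte packet: rc=%d plen=%u\n", rc, g_plen); /* rc=0 plen=69960 */
	rc = hbh_case(48, 8, OPT_PADN_OVERRUN, 6, &g_plen);
	printf("option overruns header: rc=%d (-EBADMSG=%d)\n", rc, -EBADMSG);
	return 0;
}
```

The model keeps the kernel's ordering of checks on purpose: `optlen > len` runs before the Jumbo branch, so the 4-byte length read is always inside the header, and the Jumbo length is compared against the whole packet length, not the linear part, which is exactly the distinction the -ENOMEM/-EBADMSG split in patch 5 blurs.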


* [PATCH net-next 6/9] netfilter: use nf_ip6_check_hbh_len in nf_ct_skb_network_trim
From: Florian Westphal @ 2023-03-08 19:30 UTC
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Xin Long, Simon Horman, Nikolay Aleksandrov,
	Aaron Conole

From: Xin Long <lucien.xin@gmail.com>

For IPv6 Jumbo packets, the ipv6_hdr(skb)->payload_len is always 0,
and its real payload_len (> 65535) is saved in the hbh exthdr. With 0
length for the jumbo packets, all data and exthdr will be trimmed
in nf_ct_skb_network_trim().

This patch is to call nf_ip6_check_hbh_len() to get real pkt_len
of the IPv6 packet, similar to br_validate_ipv6().

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_ovs.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_ovs.c b/net/netfilter/nf_conntrack_ovs.c
index 52b776bdf526..068e9489e1c2 100644
--- a/net/netfilter/nf_conntrack_ovs.c
+++ b/net/netfilter/nf_conntrack_ovs.c
@@ -6,6 +6,7 @@
 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
 #include <net/ipv6_frag.h>
 #include <net/ip.h>
+#include <linux/netfilter_ipv6.h>
 
 /* 'skb' should already be pulled to nh_ofs. */
 int nf_ct_helper(struct sk_buff *skb, struct nf_conn *ct,
@@ -120,8 +121,14 @@ int nf_ct_skb_network_trim(struct sk_buff *skb, int family)
 		len = skb_ip_totlen(skb);
 		break;
 	case NFPROTO_IPV6:
-		len = sizeof(struct ipv6hdr)
-			+ ntohs(ipv6_hdr(skb)->payload_len);
+		len = ntohs(ipv6_hdr(skb)->payload_len);
+		if (ipv6_hdr(skb)->nexthdr == NEXTHDR_HOP) {
+			int err = nf_ip6_check_hbh_len(skb, &len);
+
+			if (err)
+				return err;
+		}
+		len += sizeof(struct ipv6hdr);
 		break;
 	default:
 		len = skb->len;
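Review bot: `nf_ip6_check_hbh_len(skb, &len)` takes a `u32 *`, so this only compiles without a pointer-type warning if `len` in nf_ct_skb_network_trim() is declared unsigned int/u32 rather than int; the declaration is outside the hunk, please confirm. Two behavioural notes worth a line in the commit message: the helper may pskb_may_pull(), so any header pointer the caller cached before this switch is stale afterwards (ipv6_hdr(skb) here is re-derived from the offset, so the hunk itself is fine), and `return err` makes the IPv6 branch fallible for the first time, so the tc and ovs callers now see -ENOMEM/-EBADMSG where the old code always returned a trimmed skb.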
-- 
2.39.2


* [PATCH net-next 7/9] selftests: add a selftest for big tcp
From: Florian Westphal @ 2023-03-08 19:30 UTC
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Xin Long, Aaron Conole, Nikolay Aleksandrov

From: Xin Long <lucien.xin@gmail.com>

This test runs on the client-router-server topo, and monitors the traffic
on the RX devices of router and server while sending BIG TCP packets with
netperf from client to server. Meanwhile, it changes 'tso' on the TX devs
and 'gro' on the RX devs. Then it checks if any BIG TCP packets appear
on the RX devs with 'ip/ip6tables -m length ! --length 0:65535' for each
case.

Note that we also add tc action ct in link1 ingress to cover the ipv6
jumbo packet processing in nf_ct_skb_network_trim() of nf_conntrack_ovs.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Aaron Conole <aconole@redhat.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 tools/testing/selftests/net/Makefile   |   1 +
 tools/testing/selftests/net/big_tcp.sh | 180 +++++++++++++++++++++++++
 2 files changed, 181 insertions(+)
 create mode 100755 tools/testing/selftests/net/big_tcp.sh

diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile
index 6cd8993454d7..099741290184 100644
--- a/tools/testing/selftests/net/Makefile
+++ b/tools/testing/selftests/net/Makefile
@@ -48,6 +48,7 @@ TEST_PROGS += l2_tos_ttl_inherit.sh
 TEST_PROGS += bind_bhash.sh
 TEST_PROGS += ip_local_port_range.sh
 TEST_PROGS += rps_default_mask.sh
+TEST_PROGS += big_tcp.sh
 TEST_PROGS_EXTENDED := in_netns.sh setup_loopback.sh setup_veth.sh
 TEST_PROGS_EXTENDED += toeplitz_client.sh toeplitz.sh
 TEST_GEN_FILES =  socket nettest
diff --git a/tools/testing/selftests/net/big_tcp.sh b/tools/testing/selftests/net/big_tcp.sh
new file mode 100755
index 000000000000..cde9a91c4797
--- /dev/null
+++ b/tools/testing/selftests/net/big_tcp.sh
@@ -0,0 +1,180 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Testing For IPv4 and IPv6 BIG TCP.
+# TOPO: CLIENT_NS (link0)<--->(link1) ROUTER_NS (link2)<--->(link3) SERVER_NS
+
+CLIENT_NS=$(mktemp -u client-XXXXXXXX)
+CLIENT_IP4="198.51.100.1"
+CLIENT_IP6="2001:db8:1::1"
+
+SERVER_NS=$(mktemp -u server-XXXXXXXX)
+SERVER_IP4="203.0.113.1"
+SERVER_IP6="2001:db8:2::1"
+
+ROUTER_NS=$(mktemp -u router-XXXXXXXX)
+SERVER_GW4="203.0.113.2"
+CLIENT_GW4="198.51.100.2"
+SERVER_GW6="2001:db8:2::2"
+CLIENT_GW6="2001:db8:1::2"
+
+MAX_SIZE=128000
+CHK_SIZE=65535
+
+# Kselftest framework requirement - SKIP code is 4.
+ksft_skip=4
+
+setup() {
+	ip netns add $CLIENT_NS
+	ip netns add $SERVER_NS
+	ip netns add $ROUTER_NS
+	ip -net $ROUTER_NS link add link1 type veth peer name link0 netns $CLIENT_NS
+	ip -net $ROUTER_NS link add link2 type veth peer name link3 netns $SERVER_NS
+
+	ip -net $CLIENT_NS link set link0 up
+	ip -net $CLIENT_NS link set link0 mtu 1442
+	ip -net $CLIENT_NS addr add $CLIENT_IP4/24 dev link0
+	ip -net $CLIENT_NS addr add $CLIENT_IP6/64 dev link0 nodad
+	ip -net $CLIENT_NS route add $SERVER_IP4 dev link0 via $CLIENT_GW4
+	ip -net $CLIENT_NS route add $SERVER_IP6 dev link0 via $CLIENT_GW6
+	ip -net $CLIENT_NS link set dev link0 \
+		gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE
+	ip -net $CLIENT_NS link set dev link0 \
+		gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE
+	ip net exec $CLIENT_NS sysctl -wq net.ipv4.tcp_window_scaling=10
+
+	ip -net $ROUTER_NS link set link1 up
+	ip -net $ROUTER_NS link set link2 up
+	ip -net $ROUTER_NS addr add $CLIENT_GW4/24 dev link1
+	ip -net $ROUTER_NS addr add $CLIENT_GW6/64 dev link1 nodad
+	ip -net $ROUTER_NS addr add $SERVER_GW4/24 dev link2
+	ip -net $ROUTER_NS addr add $SERVER_GW6/64 dev link2 nodad
+	ip -net $ROUTER_NS link set dev link1 \
+		gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE
+	ip -net $ROUTER_NS link set dev link2 \
+		gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE
+	ip -net $ROUTER_NS link set dev link1 \
+		gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE
+	ip -net $ROUTER_NS link set dev link2 \
+		gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE
+	# test for nf_ct_skb_network_trim in nf_conntrack_ovs used by TC ct action.
+	ip net exec $ROUTER_NS tc qdisc add dev link1 ingress
+	ip net exec $ROUTER_NS tc filter add dev link1 ingress \
+		proto ip flower ip_proto tcp action ct
+	ip net exec $ROUTER_NS tc filter add dev link1 ingress \
+		proto ipv6 flower ip_proto tcp action ct
+	ip net exec $ROUTER_NS sysctl -wq net.ipv4.ip_forward=1
+	ip net exec $ROUTER_NS sysctl -wq net.ipv6.conf.all.forwarding=1
+
+	ip -net $SERVER_NS link set link3 up
+	ip -net $SERVER_NS addr add $SERVER_IP4/24 dev link3
+	ip -net $SERVER_NS addr add $SERVER_IP6/64 dev link3 nodad
+	ip -net $SERVER_NS route add $CLIENT_IP4 dev link3 via $SERVER_GW4
+	ip -net $SERVER_NS route add $CLIENT_IP6 dev link3 via $SERVER_GW6
+	ip -net $SERVER_NS link set dev link3 \
+		gro_ipv4_max_size $MAX_SIZE gso_ipv4_max_size $MAX_SIZE
+	ip -net $SERVER_NS link set dev link3 \
+		gro_max_size $MAX_SIZE gso_max_size $MAX_SIZE
+	ip net exec $SERVER_NS sysctl -wq net.ipv4.tcp_window_scaling=10
+	ip net exec $SERVER_NS netserver 2>&1 >/dev/null
+}
+
+cleanup() {
+	ip net exec $SERVER_NS pkill netserver
+	ip -net $ROUTER_NS link del link1
+	ip -net $ROUTER_NS link del link2
+	ip netns del "$CLIENT_NS"
+	ip netns del "$SERVER_NS"
+	ip netns del "$ROUTER_NS"
+}
+
+start_counter() {
+	local ipt="iptables"
+	local iface=$1
+	local netns=$2
+
+	[ "$NF" = "6" ] && ipt="ip6tables"
+	ip net exec $netns $ipt -t raw -A PREROUTING -i $iface \
+		-m length ! --length 0:$CHK_SIZE -j ACCEPT
+}
+
+check_counter() {
+	local ipt="iptables"
+	local iface=$1
+	local netns=$2
+
+	[ "$NF" = "6" ] && ipt="ip6tables"
+	test `ip net exec $netns $ipt -t raw -L -v |grep $iface | awk '{print $1}'` != "0"
+}
+
+stop_counter() {
+	local ipt="iptables"
+	local iface=$1
+	local netns=$2
+
+	[ "$NF" = "6" ] && ipt="ip6tables"
+	ip net exec $netns $ipt -t raw -D PREROUTING -i $iface \
+		-m length ! --length 0:$CHK_SIZE -j ACCEPT
+}
+
+do_netperf() {
+	local serip=$SERVER_IP4
+	local netns=$1
+
+	[ "$NF" = "6" ] && serip=$SERVER_IP6
+	ip net exec $netns netperf -$NF -t TCP_STREAM -H $serip 2>&1 >/dev/null
+}
+
+do_test() {
+	local cli_tso=$1
+	local gw_gro=$2
+	local gw_tso=$3
+	local ser_gro=$4
+	local ret="PASS"
+
+	ip net exec $CLIENT_NS ethtool -K link0 tso $cli_tso
+	ip net exec $ROUTER_NS ethtool -K link1 gro $gw_gro
+	ip net exec $ROUTER_NS ethtool -K link2 tso $gw_tso
+	ip net exec $SERVER_NS ethtool -K link3 gro $ser_gro
+
+	start_counter link1 $ROUTER_NS
+	start_counter link3 $SERVER_NS
+	do_netperf $CLIENT_NS
+
+	if check_counter link1 $ROUTER_NS; then
+		check_counter link3 $SERVER_NS || ret="FAIL_on_link3"
+	else
+		ret="FAIL_on_link1"
+	fi
+
+	stop_counter link1 $ROUTER_NS
+	stop_counter link3 $SERVER_NS
+	printf "%-9s %-8s %-8s %-8s: [%s]\n" \
+		$cli_tso $gw_gro $gw_tso $ser_gro $ret
+	test $ret = "PASS"
+}
+
+testup() {
+	echo "CLI GSO | GW GRO | GW GSO | SER GRO" && \
+	do_test "on"  "on"  "on"  "on"  && \
+	do_test "on"  "off" "on"  "off" && \
+	do_test "off" "on"  "on"  "on"  && \
+	do_test "on"  "on"  "off" "on"  && \
+	do_test "off" "on"  "off" "on"
+}
+
+if ! netperf -V &> /dev/null; then
+	echo "SKIP: Could not run test without netperf tool"
+	exit $ksft_skip
+fi
+
+if ! ip link help 2>&1 | grep gso_ipv4_max_size &> /dev/null; then
+	echo "SKIP: Could not run test without gso/gro_ipv4_max_size supported in ip-link"
+	exit $ksft_skip
+fi
+
+trap cleanup EXIT
+setup && echo "Testing for BIG TCP:" && \
+NF=4 testup && echo "***v4 Tests Done***" && \
+NF=6 testup && echo "***v6 Tests Done***"
+exit $?
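Review bot: the redirection order in setup() and do_netperf() does not silence both streams: `2>&1 >/dev/null` sends stderr to the original stdout and only stdout to /dev/null, so `netserver` and `netperf` diagnostics still reach the test output. If the intent is to drop both, use `>/dev/null 2>&1`. In check_counter(), the unquoted backtick substitution in `test \`...\` != "0"` collapses to `test != "0"` when grep matches nothing (for example if the rule was never inserted), which makes test error out rather than report a clean failure; quoting it as `test "$(...)" != "0"` fixes that, and `$(...)` is preferred over backticks in new scripts anyway.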
-- 
2.39.2



* [PATCH net-next 8/9] netfilter: conntrack: fix typo
  2023-03-08 19:30 [PATCH net-next 0/9] Netfilter updates for net-next Florian Westphal
                   ` (6 preceding siblings ...)
  2023-03-08 19:30 ` [PATCH net-next 7/9] selftests: add a selftest for big tcp Florian Westphal
@ 2023-03-08 19:30 ` Florian Westphal
  2023-03-08 19:30 ` [PATCH net-next 9/9] netfilter: nat: fix indentation of function arguments Florian Westphal
  8 siblings, 0 replies; 11+ messages in thread
From: Florian Westphal @ 2023-03-08 19:30 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Jeremy Sowden

From: Jeremy Sowden <jeremy@azazel.net>

There's a spelling mistake in a comment.  Fix it.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_conntrack_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 7250082e7de5..004c54132a3b 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1294,7 +1294,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 }
 EXPORT_SYMBOL_GPL(__nf_conntrack_confirm);
 
-/* Returns true if a connection correspondings to the tuple (required
+/* Returns true if a connection corresponds to the tuple (required
    for NAT). */
 int
 nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
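Review bot: since this comment is being touched anyway, consider bringing it into the usual block comment layout (a ` * ` prefix on the continuation line and ` */` closing), because the space-indented `   for NAT). */` continuation is the non-standard part of this comment rather than the spelling. Also, the text says "Returns true" while nf_conntrack_tuple_taken() is declared `int`; "Returns non-zero" would match the signature as it stands.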
-- 
2.39.2



* [PATCH net-next 9/9] netfilter: nat: fix indentation of function arguments
  2023-03-08 19:30 [PATCH net-next 0/9] Netfilter updates for net-next Florian Westphal
                   ` (7 preceding siblings ...)
  2023-03-08 19:30 ` [PATCH net-next 8/9] netfilter: conntrack: fix typo Florian Westphal
@ 2023-03-08 19:30 ` Florian Westphal
  8 siblings, 0 replies; 11+ messages in thread
From: Florian Westphal @ 2023-03-08 19:30 UTC (permalink / raw)
  To: netdev
  Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
	netfilter-devel, Jeremy Sowden

From: Jeremy Sowden <jeremy@azazel.net>

A couple of arguments to a function call are incorrectly indented.
Fix them.

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_nat_core.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index e29e4ccb5c5a..ce829d434f13 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -549,8 +549,8 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
 		if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
 			if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
 			    l4proto_in_range(tuple, maniptype,
-			          &range->min_proto,
-			          &range->max_proto) &&
+					     &range->min_proto,
+					     &range->max_proto) &&
 			    (range->min_proto.all == range->max_proto.all ||
 			     !nf_nat_used_tuple(tuple, ct)))
 				return;
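Review bot: whitespace-only change, nothing functional; the two continuation lines now line up with the opening parenthesis of `l4proto_in_range(` at the kernel's tab width of 8, which is the expected style for this call. One nit: the commit message could say "no functional change" explicitly so it is obvious when scanning the log.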
-- 
2.39.2



* Re: [PATCH net-next 1/9] netfilter: bridge: introduce broute meta statement
  2023-03-08 19:30 ` [PATCH net-next 1/9] netfilter: bridge: introduce broute meta statement Florian Westphal
@ 2023-03-10  7:40   ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 11+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-03-10  7:40 UTC (permalink / raw)
  To: Florian Westphal
  Cc: netdev, pabeni, davem, edumazet, kuba, netfilter-devel,
	sriram.yagnaraman

Hello:

This series was applied to netdev/net-next.git (main)
by Florian Westphal <fw@strlen.de>:

On Wed,  8 Mar 2023 20:30:25 +0100 you wrote:
> From: Sriram Yagnaraman <sriram.yagnaraman@est.tech>
> 
> nftables equivalent for ebtables -t broute.
> 
> Implement broute meta statement to set br_netfilter_broute flag
> in skb to force a packet to be routed instead of being bridged.
> 
> [...]

Here is the summary with links:
  - [net-next,1/9] netfilter: bridge: introduce broute meta statement
    https://git.kernel.org/netdev/net-next/c/4386b9218577
  - [net-next,2/9] netfilter: bridge: call pskb_may_pull in br_nf_check_hbh_len
    https://git.kernel.org/netdev/net-next/c/9ccff83b1322
  - [net-next,3/9] netfilter: bridge: check len before accessing more nh data
    https://git.kernel.org/netdev/net-next/c/a7f1a2f43e68
  - [net-next,4/9] netfilter: bridge: move pskb_trim_rcsum out of br_nf_check_hbh_len
    https://git.kernel.org/netdev/net-next/c/0b24bd71a6c0
  - [net-next,5/9] netfilter: move br_nf_check_hbh_len to utils
    https://git.kernel.org/netdev/net-next/c/28e144cf5f72
  - [net-next,6/9] netfilter: use nf_ip6_check_hbh_len in nf_ct_skb_network_trim
    https://git.kernel.org/netdev/net-next/c/eaafdaa3e922
  - [net-next,7/9] selftests: add a selftest for big tcp
    https://git.kernel.org/netdev/net-next/c/6bb382bcf742
  - [net-next,8/9] netfilter: conntrack: fix typo
    https://git.kernel.org/netdev/net-next/c/e5d015a114da
  - [net-next,9/9] netfilter: nat: fix indentation of function arguments
    https://git.kernel.org/netdev/net-next/c/b0ca200077b3

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



