aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch
Commit message (Collapse)AuthorAgeFilesLines
* kernel: fix dst reference leak in flow offloadFelix Fietkau2020-01-281-11/+12
| | | | | | | | | | | Fixes a significant amount of leaked memory with lots of connections Ref: PR#2721 Tested-by: Jerome Benoit <jerome.benoit@sap.com> [WRT1900AC v1] Signed-off-by: Felix Fietkau <nbd@nbd.name> [removed 4.19 patch during cherry-pick] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit c6c4701def07cd01a1b077cee93f64a9b2e3b5be)
* kernel: port upstream nft_flow_offload changes to xt_FLOWOFFLOAD and fix ↵Felix Fietkau2019-09-261-18/+31
| | | | | | | | | | | routing issues Replace an old cleanup patch that never made it upstream with the proper upstream fix. This patch was incompatible with the recent changes that affected the way that the flow tuple dst entry was used. Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commits 442ecce76169d and c8933ce533656)
* netfilter: fix crash in flow offload by adding netns supportHsiuWen Yen2019-09-261-2/+7
| | | | | | | | | | | | | | | | | | | | | Commit fcb41decf6c6 ("config: enable some useful features on !SMALL_FLASH devices") enabled netns, which in turn lead to the crash in the flow offload target. When the flow offloading framework intends to delete a flow from the hardware table, it is necessary to retrieve the namespace from nf_flowtable->ft_net. However, no one ever wrote the namespace into nf_flowtable->ft_net in advance. So the framework will mistakenly use a NULL namespace to execute dev_get_by_index_rcu(net, ifindex), leading to the kernel panic. Ref: FS#2321 Fixes: fcb41decf6c6 ("config: enable some useful features on !SMALL_FLASH devices") Tested-by: Simon Tretter <simon@mediaarchitectu.re> Signed-off-by: HsiuWen Yen <y.hsiuwen@gmail.com> [merged patch into offload patch, fix for 4.19, SOB fix, commit subj/msg touches] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry-picked from commit d344591e72e5ca96a2bf70a2df38961553185ce8)
* kernel: fold xt_FLOWOFFLOAD fixes into the main patchFelix Fietkau2019-02-091-2/+37
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: generic: Fix nftables inet table breakageBrett Mastbergen2018-09-221-5/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | Commit b7265c59ab7d ("kernel: backport a series of netfilter cleanup patches to 4.14") added patch 302-netfilter-nf_tables_inet-don-t-use- multihook-infrast.patch. That patch switches the netfilter core in the kernel to use the new native NFPROTO_INET support. Unfortunately, the new native NFPROTO_INET support does not exist in 4.14 and was not backported along with this patchset. As such, nftables inet tables never see any traffic. As an example the following nft counter rule should increment for every packet coming into the box, but never will: nft add table inet foo nft add chain inet foo bar { type filter hook input priority 0\; } nft add rule inet foo bar counter This commit pulls in the required backport patches to add the new native NFPROTO_INET support, and thus restore nftables inet table functionality. Tested on Turris Omnia (mvebu) Fixes: b7265c59ab7d ("kernel: backport a series of netfilter cleanup ...") Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
* kernel: bump 4.14 to 4.14.51Kevin Darbyshire-Bryant2018-06-261-2/+2
| | | | | | | | | | | | | | | | | | | | | | | The sender domain has a DMARC Reject/Quarantine policy which disallows sending mailing list messages using the original "From" header. To mitigate this problem, the original message has been wrapped automatically by the mailing list software. Refresh patches. Remove patch that can be reverse applied: mvebu/patches-4.14/530-ATA-ahci_mvebu-enable-stop_engine-override.patch mvebu/patches-4.14/531-ATA-ahci_mvebu-pmp-stop-errata-226.patch Update patch that no longer applied: ipq806x/patches-4.14/0035-clk-mux-Split-out-register-accessors-for-reuse.patch Compiled-tested-for: lantiq, ramips Run-tested-on: lantiq BT hh5a, ramips MIR3g Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> Tested-by: Michael Yartys <michael.yartys@protonmail.com> Tested-by: Rosen Penev <rosenp@gmail.com>
* kernel: avoid flow offload for connections with xfrm on the dst entry ↵Felix Fietkau2018-06-131-1/+4
| | | | | | (should fix IPSec) Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: fix xtables flow offload issuesFelix Fietkau2018-04-051-4/+5
| | | | | | | - avoid using garbage stack values as dst pointer if lookup fails - provide the source address for ipv6 dst lookup Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: add support for enabling hardware flow offload via iptablesFelix Fietkau2018-04-051-1/+34
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: netfilter: fix dst entries in flowtable offloadFelix Fietkau2018-03-231-11/+22
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: fix crash in flow offload when removing net devicesFelix Fietkau2018-03-231-3/+5
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: flow-offload: only offload connections that have been fully establishedFelix Fietkau2018-03-231-1/+4
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: fix crash in flow offload code when cleaning up unregistered hooksFelix Fietkau2018-02-251-1/+1
| | | | Signed-off-by: Felix Fietkau <nbd@nbd.name>
* kernel: remove nf_flow_table hardware offload patch (it is not ready yet)Felix Fietkau2018-02-251-2/+2
| | | | | | | It also does not have any users yet. It will be addde back when the core API issues have been sorted out Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netfilter: add a xt_FLOWOFFLOAD target for NAT/routing offload supportFelix Fietkau2018-02-211-0/+446
This makes it possible to add an iptables rule that offloads routing/NAT packet processing to a software fast path. This fast path is much quicker than running packets through the regular tables/chains. Requires Linux 4.14 Signed-off-by: Felix Fietkau <nbd@nbd.name>
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-11 18:36:18 +0000