Commit 414ed7fe authored by David S. Miller's avatar David S. Miller
Browse files

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 



Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net:

1) Remove the flowtable hardware refresh state, fall back to the
   existing hardware pending state instead, from Roi Dayan.

2) Fix crash in pipapo avx2 lookup when FPU is in used from user
   context, from Stefano Brivio.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents e4df1b0c f0b3d338

include/net/netfilter/nf_flow_table.h

+0 −1
Original line number Diff line number Diff line
@@ -157,7 +157,6 @@ enum nf_flow_flags { 
	NF_FLOW_HW,

	NF_FLOW_HW_DYING,

	NF_FLOW_HW_DEAD,

	NF_FLOW_HW_REFRESH,

	NF_FLOW_HW_PENDING,

};

net/netfilter/nf_flow_table_core.c

+1 −2
Original line number Diff line number Diff line
@@ -306,8 +306,7 @@ void flow_offload_refresh(struct nf_flowtable *flow_table, 
{

	flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;



	if (likely(!nf_flowtable_hw_offload(flow_table) ||

		   !test_and_clear_bit(NF_FLOW_HW_REFRESH, &flow->flags)))

	if (likely(!nf_flowtable_hw_offload(flow_table)))

		return;



	nf_flow_offload_add(flow_table, flow);

net/netfilter/nf_flow_table_offload.c

+4 −3
Original line number Diff line number Diff line
@@ -902,10 +902,11 @@ static void flow_offload_work_add(struct flow_offload_work *offload) 


	err = flow_offload_rule_add(offload, flow_rule);

	if (err < 0)

		set_bit(NF_FLOW_HW_REFRESH, &offload->flow->flags);

	else

		goto out;



	set_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status);



out:

	nf_flow_offload_destroy(flow_rule);

}

net/netfilter/nft_set_pipapo.c

+2 −2
Original line number Diff line number Diff line
@@ -408,7 +408,7 @@ int pipapo_refill(unsigned long *map, int len, int rules, unsigned long *dst, 
 *

 * Return: true on match, false otherwise.

 */

static bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,

bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext)

{

	struct nft_pipapo *priv = nft_set_priv(set);

net/netfilter/nft_set_pipapo.h

+2 −0
Original line number Diff line number Diff line
@@ -178,6 +178,8 @@ struct nft_pipapo_elem { 


int pipapo_refill(unsigned long *map, int len, int rules, unsigned long *dst,

		  union nft_pipapo_map_bucket *mt, bool match_only);

bool nft_pipapo_lookup(const struct net *net, const struct nft_set *set,

		       const u32 *key, const struct nft_set_ext **ext);



/**

 * pipapo_and_field_buckets_4bit() - Intersect 4-bit buckets