| Message ID | 20210802113433.6099-2-contact@proelbtn.com |
|---|---|
| State | Changes Requested |
| Delegated to | Pablo Neira |
| Series | netfilter: add netfilter hooks to track SRv6-encapsulated flows |
Hi proelbtn,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf-next/master]
[also build test ERROR on nf/master ipvs/master linus/master v5.14-rc4 next-20210803]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting a patch, we suggest using '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/proelbtn/netfilter-add-new-sysctl-toggle-for-lightweight-tunnel-netfilter-hooks/20210802-203525
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: openrisc-randconfig-m031-20210803 (attached as .config)
compiler: or1k-linux-gcc (GCC) 10.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/8aee83c8f63e733d949a05f5669243fedfb0f48b
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review proelbtn/netfilter-add-new-sysctl-toggle-for-lightweight-tunnel-netfilter-hooks/20210802-203525
        git checkout 8aee83c8f63e733d949a05f5669243fedfb0f48b
        # save the attached .config to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross O=build_dir ARCH=openrisc SHELL=/bin/bash

If you fix the issue, kindly add the following tag as appropriate:
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   or1k-linux-ld: net/netfilter/nf_conntrack_lwtunnel.o: in function `nf_conntrack_lwtunnel_sysctl_handler':
>> (.text+0x1c): undefined reference to `sysctl_vals'
>> or1k-linux-ld: (.text+0x20): undefined reference to `sysctl_vals'
   or1k-linux-ld: (.text+0x2c): undefined reference to `sysctl_vals'
   or1k-linux-ld: (.text+0x30): undefined reference to `sysctl_vals'

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Hi, On Mon, Aug 02, 2021 at 11:34:32AM +0000, proelbtn wrote: > This patch introduces new sysctl toggle for enabling lightweight tunnel > netfilter hooks. > > Signed-off-by: proelbtn <contact@proelbtn.com> > --- > .../networking/nf_conntrack-sysctl.rst | 7 +++ > include/net/lwtunnel.h | 3 ++ > include/net/netfilter/nf_conntrack_lwtunnel.h | 15 ++++++ > net/core/lwtunnel.c | 3 ++ > net/netfilter/Makefile | 3 ++ > net/netfilter/nf_conntrack_lwtunnel.c | 52 +++++++++++++++++++ > net/netfilter/nf_conntrack_standalone.c | 13 +++++ > 7 files changed, 96 insertions(+) > create mode 100644 include/net/netfilter/nf_conntrack_lwtunnel.h > create mode 100644 net/netfilter/nf_conntrack_lwtunnel.c > > diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst > index d31ed6c1cb0d..5afa4603aa4b 100644 > --- a/Documentation/networking/nf_conntrack-sysctl.rst > +++ b/Documentation/networking/nf_conntrack-sysctl.rst > @@ -30,6 +30,13 @@ nf_conntrack_checksum - BOOLEAN > in INVALID state. If this is enabled, such packets will not be > considered for connection tracking. > > +nf_conntrack_lwtunnel - BOOLEAN > + - 0 - disabled (default) > + - not 0 - enabled > + > + If this option is enabled, the lightweight tunnel netfilter hooks are > + enabled. This option cannot be disabled once it is enabled. > + Rename this to nf_hooks_lwtunnel? > nf_conntrack_count - INTEGER (read-only) > Number of currently allocated flow entries. > > diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h > index 05cfd6ff6528..11a2e3ce50b3 100644 > --- a/include/net/lwtunnel.h > +++ b/include/net/lwtunnel.h > @@ -51,6 +51,9 @@ struct lwtunnel_encap_ops { > }; > > #ifdef CONFIG_LWTUNNEL > + > +DECLARE_STATIC_KEY_FALSE(nf_ct_lwtunnel_enabled); > + > void lwtstate_free(struct lwtunnel_state *lws); > > static inline struct lwtunnel_state * 
> diff --git a/include/net/netfilter/nf_conntrack_lwtunnel.h b/include/net/netfilter/nf_conntrack_lwtunnel.h > new file mode 100644 > index 000000000000..230206d035b7 > --- /dev/null > +++ b/include/net/netfilter/nf_conntrack_lwtunnel.h > @@ -0,0 +1,15 @@ > +#include <linux/sysctl.h> > +#include <linux/types.h> > + > +#ifdef CONFIG_LWTUNNEL > +int nf_conntrack_lwtunnel_sysctl_handler(struct ctl_table *table, int write, > + void *buffer, size_t *lenp, > + loff_t *ppos); > +#else // CONFIG_LWTUNNEL > +int nf_conntrack_lwtunnel_sysctl_handler(struct ctl_table *table, int write, > + void *buffer, size_t *lenp, > + loff_t *ppos) > +{ > + return 0; > +} > +#endif > \ No newline at end of file > diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c > index 8ec7d13d2860..8be3274e30ec 100644 > --- a/net/core/lwtunnel.c > +++ b/net/core/lwtunnel.c > @@ -23,6 +23,9 @@ > #include <net/ip6_fib.h> > #include <net/rtnh.h> > > +DEFINE_STATIC_KEY_FALSE(nf_ct_lwtunnel_enabled); > +EXPORT_SYMBOL_GPL(nf_ct_lwtunnel_enabled); > + > #ifdef CONFIG_MODULES > > static const char *lwtunnel_encap_str(enum lwtunnel_encap_types encap_type) > diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile > index 049890e00a3d..07209930b5e4 100644 > --- a/net/netfilter/Makefile > +++ b/net/netfilter/Makefile > @@ -212,3 +212,6 @@ obj-$(CONFIG_IP_SET) += ipset/ > > # IPVS > obj-$(CONFIG_IP_VS) += ipvs/ > + > +# lwtunnel > +obj-$(CONFIG_LWTUNNEL) += nf_conntrack_lwtunnel.o > diff --git a/net/netfilter/nf_conntrack_lwtunnel.c b/net/netfilter/nf_conntrack_lwtunnel.c > new file mode 100644 > index 000000000000..cddbf8c5883a > --- /dev/null > +++ b/net/netfilter/nf_conntrack_lwtunnel.c 
> @@ -0,0 +1,52 @@ > +// SPDX-License-Identifier: GPL-2.0 > + > +#include <linux/sysctl.h> > +#include <net/lwtunnel.h> > +#include <net/netfilter/nf_conntrack.h> > + > +static inline int nf_conntrack_lwtunnel_get(void) > +{ > + if (static_branch_unlikely(&nf_ct_lwtunnel_enabled)) > + return 1; > + else > + return 0; > +} > + > +static inline int nf_conntrack_lwtunnel_set(int enable) > +{ > + if (static_branch_unlikely(&nf_ct_lwtunnel_enabled)) { > + if (!enable) > + return -EPERM; EBUSY instead.
Hi Pablo,

Thanks for your review. I'll fix them in v5.

Ryoga Saito
diff --git a/Documentation/networking/nf_conntrack-sysctl.rst b/Documentation/networking/nf_conntrack-sysctl.rst index d31ed6c1cb0d..5afa4603aa4b 100644 --- a/Documentation/networking/nf_conntrack-sysctl.rst +++ b/Documentation/networking/nf_conntrack-sysctl.rst @@ -30,6 +30,13 @@ nf_conntrack_checksum - BOOLEAN in INVALID state. If this is enabled, such packets will not be considered for connection tracking. +nf_conntrack_lwtunnel - BOOLEAN + - 0 - disabled (default) + - not 0 - enabled + + If this option is enabled, the lightweight tunnel netfilter hooks are + enabled. This option cannot be disabled once it is enabled. + nf_conntrack_count - INTEGER (read-only) Number of currently allocated flow entries. diff --git a/include/net/lwtunnel.h b/include/net/lwtunnel.h index 05cfd6ff6528..11a2e3ce50b3 100644 --- a/include/net/lwtunnel.h +++ b/include/net/lwtunnel.h @@ -51,6 +51,9 @@ struct lwtunnel_encap_ops { }; #ifdef CONFIG_LWTUNNEL + +DECLARE_STATIC_KEY_FALSE(nf_ct_lwtunnel_enabled); + void lwtstate_free(struct lwtunnel_state *lws); static inline struct lwtunnel_state * diff --git a/include/net/netfilter/nf_conntrack_lwtunnel.h b/include/net/netfilter/nf_conntrack_lwtunnel.h new file mode 100644 index 000000000000..230206d035b7 --- /dev/null +++ b/include/net/netfilter/nf_conntrack_lwtunnel.h @@ -0,0 +1,15 @@ +#include <linux/sysctl.h> +#include <linux/types.h> + +#ifdef CONFIG_LWTUNNEL +int nf_conntrack_lwtunnel_sysctl_handler(struct ctl_table *table, int write, + void *buffer, size_t *lenp, + loff_t *ppos); +#else // CONFIG_LWTUNNEL +int nf_conntrack_lwtunnel_sysctl_handler(struct ctl_table *table, int write, + void *buffer, size_t *lenp, + loff_t *ppos) +{ + return 0; +} +#endif \ No newline at end of file diff --git a/net/core/lwtunnel.c b/net/core/lwtunnel.c index 8ec7d13d2860..8be3274e30ec 100644 --- a/net/core/lwtunnel.c +++ b/net/core/lwtunnel.c 
@@ -23,6 +23,9 @@ #include <net/ip6_fib.h> #include <net/rtnh.h> +DEFINE_STATIC_KEY_FALSE(nf_ct_lwtunnel_enabled); +EXPORT_SYMBOL_GPL(nf_ct_lwtunnel_enabled); + #ifdef CONFIG_MODULES static const char *lwtunnel_encap_str(enum lwtunnel_encap_types encap_type) diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 049890e00a3d..07209930b5e4 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -212,3 +212,6 @@ obj-$(CONFIG_IP_SET) += ipset/ # IPVS obj-$(CONFIG_IP_VS) += ipvs/ + +# lwtunnel +obj-$(CONFIG_LWTUNNEL) += nf_conntrack_lwtunnel.o diff --git a/net/netfilter/nf_conntrack_lwtunnel.c b/net/netfilter/nf_conntrack_lwtunnel.c new file mode 100644 index 000000000000..cddbf8c5883a --- /dev/null +++ b/net/netfilter/nf_conntrack_lwtunnel.c 
@@ -0,0 +1,52 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include <linux/sysctl.h> +#include <net/lwtunnel.h> +#include <net/netfilter/nf_conntrack.h> + +static inline int nf_conntrack_lwtunnel_get(void) +{ + if (static_branch_unlikely(&nf_ct_lwtunnel_enabled)) + return 1; + else + return 0; +} + +static inline int nf_conntrack_lwtunnel_set(int enable) +{ + if (static_branch_unlikely(&nf_ct_lwtunnel_enabled)) { + if (!enable) + return -EPERM; + } else if (enable) { + static_branch_enable(&nf_ct_lwtunnel_enabled); + } + + return 0; +} + +int nf_conntrack_lwtunnel_sysctl_handler(struct ctl_table *table, int write, + void *buffer, size_t *lenp, + loff_t *ppos) +{ + int proc_nf_ct_lwtunnel_enabled = 0; + struct ctl_table tmp = { + .procname = table->procname, + .data = &proc_nf_ct_lwtunnel_enabled, + .maxlen = sizeof(int), + .mode = table->mode, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }; + int ret; + + if (!write) + proc_nf_ct_lwtunnel_enabled = nf_conntrack_lwtunnel_get(); + + ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); + + if (write && ret == 0) + ret = nf_conntrack_lwtunnel_set(proc_nf_ct_lwtunnel_enabled); + + return ret; +} +EXPORT_SYMBOL_GPL(nf_conntrack_lwtunnel_sysctl_handler); \ No newline at end of file diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 214d9f9e499b..bb00c8f131e8 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -22,6 +22,9 @@ #include <net/netfilter/nf_conntrack_acct.h> #include <net/netfilter/nf_conntrack_zones.h> #include <net/netfilter/nf_conntrack_timestamp.h> +#ifdef CONFIG_LWTUNNEL +#include <net/netfilter/nf_conntrack_lwtunnel.h> +#endif #include <linux/rculist_nulls.h> static bool enable_hooks __read_mostly; 
@@ -552,6 +555,7 @@ enum nf_ct_sysctl_index { NF_SYSCTL_CT_COUNT, NF_SYSCTL_CT_BUCKETS, NF_SYSCTL_CT_CHECKSUM, + NF_SYSCTL_CT_LWTUNNEL, NF_SYSCTL_CT_LOG_INVALID, NF_SYSCTL_CT_EXPECT_MAX, NF_SYSCTL_CT_ACCT, @@ -650,6 +654,15 @@ static struct ctl_table nf_ct_sysctl_table[] = { .extra1 = SYSCTL_ZERO, .extra2 = SYSCTL_ONE, }, +#ifdef CONFIG_LWTUNNEL + [NF_SYSCTL_CT_LWTUNNEL] = { + .procname = "nf_conntrack_lwtunnel", + .data = NULL, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = nf_conntrack_lwtunnel_sysctl_handler, + }, +#endif [NF_SYSCTL_CT_LOG_INVALID] = { .procname = "nf_conntrack_log_invalid", .data = &init_net.ct.sysctl_log_invalid,
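Review bot: the `NF_SYSCTL_CT_LWTUNNEL` value added to `enum nf_ct_sysctl_index` in nf_conntrack_standalone.c is unconditional, while the matching `[NF_SYSCTL_CT_LWTUNNEL] = { ... }` entry in `nf_ct_sysctl_table[]` is wrapped in `#ifdef CONFIG_LWTUNNEL`. With CONFIG_LWTUNNEL=n the designated initializer leaves a zero-filled slot at that index, and since a NULL `.procname` is what terminates a ctl_table, every entry after it (nf_conntrack_log_invalid, nf_conntrack_expect_max, nf_conntrack_acct and the rest) silently disappears from /proc/sys/net/netfilter on such a build. Guard the enum value with the same `#ifdef CONFIG_LWTUNNEL` as the table entry.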
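Review bot: the Makefile hunk builds nf_conntrack_lwtunnel.o whenever CONFIG_LWTUNNEL is set, but the handler in nf_conntrack_lwtunnel.c uses `SYSCTL_ZERO` / `SYSCTL_ONE`, which expand to addresses inside `sysctl_vals`, a symbol that is only linked in when proc sysctl support is built; that is exactly the openrisc randconfig failure reported above (`undefined reference to 'sysctl_vals'`). Either wrap the handler in `#ifdef CONFIG_SYSCTL` and build the object only under that condition, or move the handler next to the table in nf_conntrack_standalone.c so it is compiled under the same conditions as its only user. As written the object also does not depend on CONFIG_NF_CONNTRACK even though it includes <net/netfilter/nf_conntrack.h> and serves nothing but the conntrack sysctl table.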
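Review bot: the new header include/net/netfilter/nf_conntrack_lwtunnel.h has no include guard, no SPDX line, and its `#else` branch defines `nf_conntrack_lwtunnel_sysctl_handler()` with external linkage in a header, so any second translation unit including it with CONFIG_LWTUNNEL=n fails to link with a duplicate definition. Make the stub `static inline`, add `#ifndef _NF_CONNTRACK_LWTUNNEL_H` / `#define _NF_CONNTRACK_LWTUNNEL_H` / `#endif` guards, and add the trailing newline the diff flags with `\ No newline at end of file` (nf_conntrack_lwtunnel.c is missing its final newline as well).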
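Review bot: `nf_ct_lwtunnel_enabled`, defined in the net/core/lwtunnel.c hunk, is a single global static key, yet it is exposed through `nf_ct_sysctl_table`, whose neighbouring entries carry per-namespace state (the `nf_conntrack_log_invalid` entry right below points at `init_net.ct.sysctl_log_invalid`). A write to nf_conntrack_lwtunnel from any network namespace therefore flips the hook behaviour for the whole host, and because `nf_conntrack_lwtunnel_set()` refuses to turn the key off again, a container holding CAP_NET_ADMIN in its own netns can make an irreversible host-wide change. Either set the entry's mode to 0444 when the table is registered for a namespace other than init_net, or carry the toggle in per-netns state instead of a global key. The key's `nf_ct_` prefix is also misleading for a symbol living in net/core that gates netfilter hooks rather than conntrack; the `nf_hooks_lwtunnel` rename suggested in the review should cover the static key too.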
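Review bot: in nf_conntrack_lwtunnel.c, `nf_conntrack_lwtunnel_set()` returns -EPERM when asked to clear an enabled key, so `sysctl -w net.netfilter.nf_conntrack_lwtunnel=0` fails with "Operation not permitted", which reads as a privilege problem rather than a state problem; -EBUSY, as suggested in the review, describes the situation correctly. `nf_conntrack_lwtunnel_get()` reads the key from a sysctl handler, which is not a hot path, so `static_key_enabled(&nf_ct_lwtunnel_enabled)` is the appropriate accessor there and the if/else returning 1 or 0 can collapse to a single `return`. Both helpers are small enough to fold into the handler itself.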
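Review bot: the Documentation hunk says the option "cannot be disabled once it is enabled" but not what an attempt to disable it does (the write returns an error rather than being ignored), nor that the setting is a single host-wide switch rather than per network namespace. State both, so an administrator reading the sysctl documentation knows a failed `=0` write is expected and that enabling it from one namespace affects all of them.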
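Review bot: the `#ifdef CONFIG_LWTUNNEL` around `#include <net/netfilter/nf_conntrack_lwtunnel.h>` in the nf_conntrack_standalone.c include hunk duplicates the header's own `#else` branch, which exists precisely so the header can be included unconditionally. Pick one mechanism; as submitted, with the table entry also under `#ifdef CONFIG_LWTUNNEL`, the header's `#else` stub is unreachable.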
This patch introduces a new sysctl toggle for enabling lightweight tunnel netfilter hooks.

Signed-off-by: proelbtn <contact@proelbtn.com>
---
 .../networking/nf_conntrack-sysctl.rst        |  7 +++
 include/net/lwtunnel.h                        |  3 ++
 include/net/netfilter/nf_conntrack_lwtunnel.h | 15 ++++++
 net/core/lwtunnel.c                           |  3 ++
 net/netfilter/Makefile                        |  3 ++
 net/netfilter/nf_conntrack_lwtunnel.c         | 52 +++++++++++++++++++
 net/netfilter/nf_conntrack_standalone.c       | 13 +++++
 7 files changed, 96 insertions(+)
 create mode 100644 include/net/netfilter/nf_conntrack_lwtunnel.h
 create mode 100644 net/netfilter/nf_conntrack_lwtunnel.c