From d6b5ddb9787a9361273ead42d6eecfd696229c49 Mon Sep 17 00:00:00 2001 From: coolsnowwolf Date: Thu, 27 Sep 2018 11:44:58 +0800 Subject: [PATCH] fix port mapping slow performance when enable flow offload --- ...le-working-over-slow-can_sleep-GPIOs.patch | 84 ++++++++ ...add-defines-for-arp-decnet-max-hooks.patch | 67 ++++++ ...ake-nf_unregister_net_hooks-simple-w.patch | 91 ++++++++ ...emove-synchronize_net-call-if-nfqueu.patch | 116 ++++++++++ ...filter-core-free-hooks-with-call_rcu.patch | 132 ++++++++++++ ...e-size-of-hook-entry-point-locations.patch | 200 ++++++++++++++++++ ...e-hook-array-sizes-to-what-is-needed.patch | 95 +++++++++ ...allocate-space-for-decnet-hooks-unle.patch | 67 ++++++ ...allocate-space-for-arp-bridge-hooks-.patch | 165 +++++++++++++++ ...ass-hook-number-family-and-device-to.patch | 98 +++++++++ ...etfilter-core-add-nf_remove_net_hook.patch | 44 ++++ ...ass-family-as-parameter-to-nf_remove.patch | 51 +++++ ...upport-for-NFPROTO_INET-hook-registr.patch | 129 +++++++++++ ...nly-allow-one-nat-hook-per-hook-poin.patch | 2 +- ...hecksum-indirection-to-struct-nf_ipv.patch | 4 +- ...hecksum_partial-indirection-to-struc.patch | 4 +- ...-saveroute-indirection-in-struct-nf_.patch | 6 +- ...oute-indirection-to-struct-nf_ipv6_o.patch | 4 +- ...eroute-indirection-to-struct-nf_ipv6.patch | 8 +- ...-route_key_size-field-in-struct-nf_a.patch | 8 +- ...-struct-nf_afinfo-and-its-helper-fun.patch | 4 +- ...dd-generic-flow-table-infrastructure.patch | 2 +- ...etfilter-flow-table-support-for-IPv4.patch | 2 +- ...able-support-for-the-mixed-IPv4-IPv6.patch | 2 +- ...er-nf_tables-flow-offload-expression.patch | 2 +- ...rove-flow-table-Kconfig-dependencies.patch | 6 +- ...tfilter-exit_net-cleanup-check-added.patch | 2 +- ...ble-infrastructure-depends-on-NETFIL.patch | 6 +- ...w_table-relax-mixed-ipv4-ipv6-flowta.patch | 2 +- ...le-working-over-slow-can_sleep-GPIOs.patch | 84 ++++++++ ...3-0001-rtc-ds1307-add-ds1308-variant.patch | 51 +++++ target/linux/generic/config-4.9 | 12 +- .../hack-4.14/250-netfilter_depends.patch | 4 +- .../generic/hack-4.14/251-sound_kconfig.patch | 4 +- .../650-netfilter-add-xt_OFFLOAD-target.patch | 10 +- .../pending-4.14/206-mips-disable-vdso.patch | 23 -- ...w_table-add-hardware-offload-support.patch | 2 +- 37 files changed, 1521 insertions(+), 72 deletions(-) create mode 100644 target/linux/generic/backport-4.14/085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch create mode 100644 target/linux/generic/backport-4.14/289-v4.16-netfilter-add-defines-for-arp-decnet-max-hooks.patch create mode 100644 target/linux/generic/backport-4.14/290-v4.16-netfilter-core-make-nf_unregister_net_hooks-simple-w.patch create mode 100644 target/linux/generic/backport-4.14/291-v4.16-netfilter-core-remove-synchronize_net-call-if-nfqueu.patch create mode 100644 target/linux/generic/backport-4.14/292-v4.16-netfilter-core-free-hooks-with-call_rcu.patch create mode 100644 target/linux/generic/backport-4.14/293-v4.16-netfilter-reduce-size-of-hook-entry-point-locations.patch create mode 100644 target/linux/generic/backport-4.14/294-v4.16-netfilter-reduce-hook-array-sizes-to-what-is-needed.patch create mode 100644 target/linux/generic/backport-4.14/295-v4.16-netfilter-don-t-allocate-space-for-decnet-hooks-unle.patch create mode 100644 target/linux/generic/backport-4.14/296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch create mode 100644 target/linux/generic/backport-4.14/297-v4.16-netfilter-core-pass-hook-number-family-and-device-to.patch create mode 100644 target/linux/generic/backport-4.14/298-v4.16-netfilter-core-add-nf_remove_net_hook.patch create mode 100644 target/linux/generic/backport-4.14/298-v4.16-netfilter-core-pass-family-as-parameter-to-nf_remove.patch create mode 100644 target/linux/generic/backport-4.14/299-v4.16-netfilter-core-support-for-NFPROTO_INET-hook-registr.patch create mode 100644 target/linux/generic/backport-4.9/085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch create mode 100644 target/linux/generic/backport-4.9/095-v4.13-0001-rtc-ds1307-add-ds1308-variant.patch delete mode 100644 target/linux/generic/pending-4.14/206-mips-disable-vdso.patch diff --git a/target/linux/generic/backport-4.14/085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch b/target/linux/generic/backport-4.14/085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch new file mode 100644 index 000000000..ead6675e0 --- /dev/null +++ b/target/linux/generic/backport-4.14/085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch @@ -0,0 +1,84 @@ +From f11a04464ae57e8db1bb7634547842b43e36a898 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= +Date: Fri, 22 Dec 2017 22:47:16 +0100 +Subject: i2c: gpio: Enable working over slow can_sleep GPIOs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +"Slow" GPIOs (usually those connected over an SPI or an I2C bus) are, +well, slow in their operation. It is generally a good idea to avoid +using them for time-critical operation, but sometimes the hardware just +sucks, and the software has to cope. In addition to that, the I2C bus +itself does not actually define any strict timing limits; the bus is +free to go all the way down to DC. The timeouts (and therefore the +slowest acceptable frequency) are present only in SMBus. + +The `can_sleep` is IMHO a wrong concept to use here. My SPI-to-quad-UART +chip (MAX14830) is connected via a 26MHz SPI bus, and it happily drives +SCL at 200kHz (5µs pulses) during my benchmarks. That's faster than the +maximal allowed speed of the traditional I2C. + +The previous version of this code did not really block operation over +slow GPIO pins, anyway. Instead, it just resorted to printing a warning +with a backtrace each time a GPIO pin was accessed, thereby slowing +things down even more. + +Finally, it's not just me. A similar patch was originally submitted in +2015 [1]. + +[1] https://patchwork.ozlabs.org/patch/450956/ + +Signed-off-by: Jan Kundrát +Acked-by: Uwe Kleine-König +Signed-off-by: Wolfram Sang +--- + drivers/i2c/busses/i2c-gpio.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-gpio.c ++++ b/drivers/i2c/busses/i2c-gpio.c +@@ -44,7 +44,7 @@ static void i2c_gpio_setsda_val(void *da + { + struct i2c_gpio_platform_data *pdata = data; + +- gpio_set_value(pdata->sda_pin, state); ++ gpio_set_value_cansleep(pdata->sda_pin, state); + } + + /* Toggle SCL by changing the direction of the pin. */ +@@ -68,21 +68,21 @@ static void i2c_gpio_setscl_val(void *da + { + struct i2c_gpio_platform_data *pdata = data; + +- gpio_set_value(pdata->scl_pin, state); ++ gpio_set_value_cansleep(pdata->scl_pin, state); + } + + static int i2c_gpio_getsda(void *data) + { + struct i2c_gpio_platform_data *pdata = data; + +- return gpio_get_value(pdata->sda_pin); ++ return gpio_get_value_cansleep(pdata->sda_pin); + } + + static int i2c_gpio_getscl(void *data) + { + struct i2c_gpio_platform_data *pdata = data; + +- return gpio_get_value(pdata->scl_pin); ++ return gpio_get_value_cansleep(pdata->scl_pin); + } + + static int of_i2c_gpio_get_pins(struct device_node *np, +@@ -175,6 +175,9 @@ static int i2c_gpio_probe(struct platfor + memcpy(pdata, dev_get_platdata(&pdev->dev), sizeof(*pdata)); + } + ++ if (gpiod_cansleep(gpio_to_desc(pdata->sda_pin)) || gpiod_cansleep(gpio_to_desc(pdata->scl_pin))) ++ dev_warn(&pdev->dev, "Slow GPIO pins might wreak havoc into I2C/SMBus bus timing"); ++ + if (pdata->sda_is_open_drain) { + gpio_direction_output(pdata->sda_pin, 1); + bit_data->setsda = i2c_gpio_setsda_val; diff --git a/target/linux/generic/backport-4.14/289-v4.16-netfilter-add-defines-for-arp-decnet-max-hooks.patch b/target/linux/generic/backport-4.14/289-v4.16-netfilter-add-defines-for-arp-decnet-max-hooks.patch new file mode 100644 index 000000000..f7898d4f3 --- /dev/null +++ b/target/linux/generic/backport-4.14/289-v4.16-netfilter-add-defines-for-arp-decnet-max-hooks.patch @@ -0,0 +1,67 @@ +From e58f33cc84bc089c430ac955f3cad6380ae98591 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 7 Dec 2017 16:28:23 +0100 +Subject: [PATCH] netfilter: add defines for arp/decnet max hooks + +The kernel already has defines for this, but they are in uapi exposed +headers. + +Including these from netns.h causes build errors and also adds unneeded +dependencies on heads that we don't need. + +So move these defines to netfilter_defs.h and place the uapi ones +in ifndef __KERNEL__ to keep them for userspace. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter_defs.h | 6 ++++++ + include/uapi/linux/netfilter_arp.h | 3 +++ + include/uapi/linux/netfilter_decnet.h | 4 +++- + 3 files changed, 12 insertions(+), 1 deletion(-) + +--- a/include/linux/netfilter_defs.h ++++ b/include/linux/netfilter_defs.h +@@ -7,4 +7,10 @@ + /* Largest hook number + 1, see uapi/linux/netfilter_decnet.h */ + #define NF_MAX_HOOKS 8 + ++/* in/out/forward only */ ++#define NF_ARP_NUMHOOKS 3 ++ ++/* max hook is NF_DN_ROUTE (6), also see uapi/linux/netfilter_decnet.h */ ++#define NF_DN_NUMHOOKS 7 ++ + #endif +--- a/include/uapi/linux/netfilter_arp.h ++++ b/include/uapi/linux/netfilter_arp.h +@@ -15,6 +15,9 @@ + #define NF_ARP_IN 0 + #define NF_ARP_OUT 1 + #define NF_ARP_FORWARD 2 ++ ++#ifndef __KERNEL__ + #define NF_ARP_NUMHOOKS 3 ++#endif + + #endif /* __LINUX_ARP_NETFILTER_H */ +--- a/include/uapi/linux/netfilter_decnet.h ++++ b/include/uapi/linux/netfilter_decnet.h +@@ -24,6 +24,9 @@ + #define NFC_DN_IF_IN 0x0004 + /* Output device. */ + #define NFC_DN_IF_OUT 0x0008 ++ ++/* kernel define is in netfilter_defs.h */ ++#define NF_DN_NUMHOOKS 7 + #endif /* ! __KERNEL__ */ + + /* DECnet Hooks */ +@@ -41,7 +44,6 @@ + #define NF_DN_HELLO 5 + /* Input Routing Packets */ + #define NF_DN_ROUTE 6 +-#define NF_DN_NUMHOOKS 7 + + enum nf_dn_hook_priorities { + NF_DN_PRI_FIRST = INT_MIN, diff --git a/target/linux/generic/backport-4.14/290-v4.16-netfilter-core-make-nf_unregister_net_hooks-simple-w.patch b/target/linux/generic/backport-4.14/290-v4.16-netfilter-core-make-nf_unregister_net_hooks-simple-w.patch new file mode 100644 index 000000000..35800c4ac --- /dev/null +++ b/target/linux/generic/backport-4.14/290-v4.16-netfilter-core-make-nf_unregister_net_hooks-simple-w.patch @@ -0,0 +1,91 @@ +From 4e645b47c4f000a503b9c90163ad905786b9bc1d Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 1 Dec 2017 00:21:02 +0100 +Subject: [PATCH 02/11] netfilter: core: make nf_unregister_net_hooks simple + wrapper again + +This reverts commit d3ad2c17b4047 +("netfilter: core: batch nf_unregister_net_hooks synchronize_net calls"). + +Nothing wrong with it. However, followup patch will delay freeing of hooks +with call_rcu, so all synchronize_net() calls become obsolete and there +is no need anymore for this batching. + +This revert causes a temporary performance degradation when destroying +network namespace, but its resolved with the upcoming call_rcu conversion. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/core.c | 59 +++------------------------------------------------- + 1 file changed, 3 insertions(+), 56 deletions(-) + +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -395,63 +395,10 @@ EXPORT_SYMBOL(nf_register_net_hooks); + void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, + unsigned int hookcount) + { +- struct nf_hook_entries *to_free[16], *p; +- struct nf_hook_entries __rcu **pp; +- unsigned int i, j, n; ++ unsigned int i; + +- mutex_lock(&nf_hook_mutex); +- for (i = 0; i < hookcount; i++) { +- pp = nf_hook_entry_head(net, ®[i]); +- if (!pp) +- continue; +- +- p = nf_entry_dereference(*pp); +- if (WARN_ON_ONCE(!p)) +- continue; +- __nf_unregister_net_hook(p, ®[i]); +- } +- mutex_unlock(&nf_hook_mutex); +- +- do { +- n = min_t(unsigned int, hookcount, ARRAY_SIZE(to_free)); +- +- mutex_lock(&nf_hook_mutex); +- +- for (i = 0, j = 0; i < hookcount && j < n; i++) { +- pp = nf_hook_entry_head(net, ®[i]); +- if (!pp) +- continue; +- +- p = nf_entry_dereference(*pp); +- if (!p) +- continue; +- +- to_free[j] = __nf_hook_entries_try_shrink(pp); +- if (to_free[j]) +- ++j; +- } +- +- mutex_unlock(&nf_hook_mutex); +- +- if (j) { +- unsigned int nfq; +- +- synchronize_net(); +- +- /* need 2nd synchronize_net() if nfqueue is used, skb +- * can get reinjected right before nf_queue_hook_drop() +- */ +- nfq = nf_queue_nf_hook_drop(net); +- if (nfq) +- synchronize_net(); +- +- for (i = 0; i < j; i++) +- kvfree(to_free[i]); +- } +- +- reg += n; +- hookcount -= n; +- } while (hookcount > 0); ++ for (i = 0; i < hookcount; i++) ++ nf_unregister_net_hook(net, ®[i]); + } + EXPORT_SYMBOL(nf_unregister_net_hooks); + diff --git a/target/linux/generic/backport-4.14/291-v4.16-netfilter-core-remove-synchronize_net-call-if-nfqueu.patch b/target/linux/generic/backport-4.14/291-v4.16-netfilter-core-remove-synchronize_net-call-if-nfqueu.patch new file mode 100644 index 000000000..0ac578362 --- /dev/null +++ b/target/linux/generic/backport-4.14/291-v4.16-netfilter-core-remove-synchronize_net-call-if-nfqueu.patch @@ -0,0 +1,116 @@ +From 26888dfd7e7454686b8d3ea9ba5045d5f236e4d7 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 1 Dec 2017 00:21:03 +0100 +Subject: [PATCH 03/11] netfilter: core: remove synchronize_net call if nfqueue + is used + +since commit 960632ece6949b ("netfilter: convert hook list to an array") +nfqueue no longer stores a pointer to the hook that caused the packet +to be queued. Therefore no extra synchronize_net() call is needed after +dropping the packets enqueued by the old rule blob. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/net/netfilter/nf_queue.h | 2 +- + net/netfilter/core.c | 6 +----- + net/netfilter/nf_internals.h | 2 +- + net/netfilter/nf_queue.c | 7 ++----- + net/netfilter/nfnetlink_queue.c | 9 ++------- + 5 files changed, 7 insertions(+), 19 deletions(-) + +--- a/include/net/netfilter/nf_queue.h ++++ b/include/net/netfilter/nf_queue.h +@@ -25,7 +25,7 @@ struct nf_queue_entry { + struct nf_queue_handler { + int (*outfn)(struct nf_queue_entry *entry, + unsigned int queuenum); +- unsigned int (*nf_hook_drop)(struct net *net); ++ void (*nf_hook_drop)(struct net *net); + }; + + void nf_register_queue_handler(struct net *net, const struct nf_queue_handler *qh); +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -341,7 +341,6 @@ void nf_unregister_net_hook(struct net * + { + struct nf_hook_entries __rcu **pp; + struct nf_hook_entries *p; +- unsigned int nfq; + + pp = nf_hook_entry_head(net, reg); + if (!pp) +@@ -364,10 +363,7 @@ void nf_unregister_net_hook(struct net * + + synchronize_net(); + +- /* other cpu might still process nfqueue verdict that used reg */ +- nfq = nf_queue_nf_hook_drop(net); +- if (nfq) +- synchronize_net(); ++ nf_queue_nf_hook_drop(net); + kvfree(p); + } + EXPORT_SYMBOL(nf_unregister_net_hook); +--- a/net/netfilter/nf_internals.h ++++ b/net/netfilter/nf_internals.h +@@ -10,7 +10,7 @@ + int nf_queue(struct sk_buff *skb, struct nf_hook_state *state, + const struct nf_hook_entries *entries, unsigned int index, + unsigned int verdict); +-unsigned int nf_queue_nf_hook_drop(struct net *net); ++void nf_queue_nf_hook_drop(struct net *net); + + /* nf_log.c */ + int __init netfilter_log_init(void); +--- a/net/netfilter/nf_queue.c ++++ b/net/netfilter/nf_queue.c +@@ -96,18 +96,15 @@ void nf_queue_entry_get_refs(struct nf_q + } + EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs); + +-unsigned int nf_queue_nf_hook_drop(struct net *net) ++void nf_queue_nf_hook_drop(struct net *net) + { + const struct nf_queue_handler *qh; +- unsigned int count = 0; + + rcu_read_lock(); + qh = rcu_dereference(net->nf.queue_handler); + if (qh) +- count = qh->nf_hook_drop(net); ++ qh->nf_hook_drop(net); + rcu_read_unlock(); +- +- return count; + } + EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop); + +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -941,23 +941,18 @@ static struct notifier_block nfqnl_dev_n + .notifier_call = nfqnl_rcv_dev_event, + }; + +-static unsigned int nfqnl_nf_hook_drop(struct net *net) ++static void nfqnl_nf_hook_drop(struct net *net) + { + struct nfnl_queue_net *q = nfnl_queue_pernet(net); +- unsigned int instances = 0; + int i; + + for (i = 0; i < INSTANCE_BUCKETS; i++) { + struct nfqnl_instance *inst; + struct hlist_head *head = &q->instance_table[i]; + +- hlist_for_each_entry_rcu(inst, head, hlist) { ++ hlist_for_each_entry_rcu(inst, head, hlist) + nfqnl_flush(inst, NULL, 0); +- instances++; +- } + } +- +- return instances; + } + + static int diff --git a/target/linux/generic/backport-4.14/292-v4.16-netfilter-core-free-hooks-with-call_rcu.patch b/target/linux/generic/backport-4.14/292-v4.16-netfilter-core-free-hooks-with-call_rcu.patch new file mode 100644 index 000000000..5eca73552 --- /dev/null +++ b/target/linux/generic/backport-4.14/292-v4.16-netfilter-core-free-hooks-with-call_rcu.patch @@ -0,0 +1,132 @@ +From 8c873e2199700c2de7dbd5eedb9d90d5f109462b Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Fri, 1 Dec 2017 00:21:04 +0100 +Subject: [PATCH 04/11] netfilter: core: free hooks with call_rcu + +Giuseppe Scrivano says: + "SELinux, if enabled, registers for each new network namespace 6 + netfilter hooks." + +Cost for this is high. With synchronize_net() removed: + "The net benefit on an SMP machine with two cores is that creating a + new network namespace takes -40% of the original time." + +This patch replaces synchronize_net+kvfree with call_rcu(). +We store rcu_head at the tail of a structure that has no fixed layout, +i.e. we cannot use offsetof() to compute the start of the original +allocation. Thus store this information right after the rcu head. + +We could simplify this by just placing the rcu_head at the start +of struct nf_hook_entries. However, this structure is used in +packet processing hotpath, so only place what is needed for that +at the beginning of the struct. + +Reported-by: Giuseppe Scrivano +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter.h | 19 +++++++++++++++---- + net/netfilter/core.c | 34 ++++++++++++++++++++++++++++------ + 2 files changed, 43 insertions(+), 10 deletions(-) + +--- a/include/linux/netfilter.h ++++ b/include/linux/netfilter.h +@@ -77,17 +77,28 @@ struct nf_hook_entry { + void *priv; + }; + ++struct nf_hook_entries_rcu_head { ++ struct rcu_head head; ++ void *allocation; ++}; ++ + struct nf_hook_entries { + u16 num_hook_entries; + /* padding */ + struct nf_hook_entry hooks[]; + +- /* trailer: pointers to original orig_ops of each hook. +- * +- * This is not part of struct nf_hook_entry since its only +- * needed in slow path (hook register/unregister). ++ /* trailer: pointers to original orig_ops of each hook, ++ * followed by rcu_head and scratch space used for freeing ++ * the structure via call_rcu. + * ++ * This is not part of struct nf_hook_entry since its only ++ * needed in slow path (hook register/unregister): + * const struct nf_hook_ops *orig_ops[] ++ * ++ * For the same reason, we store this at end -- its ++ * only needed when a hook is deleted, not during ++ * packet path processing: ++ * struct nf_hook_entries_rcu_head head + */ + }; + +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -74,7 +74,8 @@ static struct nf_hook_entries *allocate_ + struct nf_hook_entries *e; + size_t alloc = sizeof(*e) + + sizeof(struct nf_hook_entry) * num + +- sizeof(struct nf_hook_ops *) * num; ++ sizeof(struct nf_hook_ops *) * num + ++ sizeof(struct nf_hook_entries_rcu_head); + + if (num == 0) + return NULL; +@@ -85,6 +86,30 @@ static struct nf_hook_entries *allocate_ + return e; + } + ++static void __nf_hook_entries_free(struct rcu_head *h) ++{ ++ struct nf_hook_entries_rcu_head *head; ++ ++ head = container_of(h, struct nf_hook_entries_rcu_head, head); ++ kvfree(head->allocation); ++} ++ ++static void nf_hook_entries_free(struct nf_hook_entries *e) ++{ ++ struct nf_hook_entries_rcu_head *head; ++ struct nf_hook_ops **ops; ++ unsigned int num; ++ ++ if (!e) ++ return; ++ ++ num = e->num_hook_entries; ++ ops = nf_hook_entries_get_hook_ops(e); ++ head = (void *)&ops[num]; ++ head->allocation = e; ++ call_rcu(&head->head, __nf_hook_entries_free); ++} ++ + static unsigned int accept_all(void *priv, + struct sk_buff *skb, + const struct nf_hook_state *state) +@@ -291,9 +316,8 @@ int nf_register_net_hook(struct net *net + #ifdef HAVE_JUMP_LABEL + static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); + #endif +- synchronize_net(); + BUG_ON(p == new_hooks); +- kvfree(p); ++ nf_hook_entries_free(p); + return 0; + } + EXPORT_SYMBOL(nf_register_net_hook); +@@ -361,10 +385,8 @@ void nf_unregister_net_hook(struct net * + if (!p) + return; + +- synchronize_net(); +- + nf_queue_nf_hook_drop(net); +- kvfree(p); ++ nf_hook_entries_free(p); + } + EXPORT_SYMBOL(nf_unregister_net_hook); + diff --git a/target/linux/generic/backport-4.14/293-v4.16-netfilter-reduce-size-of-hook-entry-point-locations.patch b/target/linux/generic/backport-4.14/293-v4.16-netfilter-reduce-size-of-hook-entry-point-locations.patch new file mode 100644 index 000000000..809dab377 --- /dev/null +++ b/target/linux/generic/backport-4.14/293-v4.16-netfilter-reduce-size-of-hook-entry-point-locations.patch @@ -0,0 +1,200 @@ +From b0f38338aef2dae5ade3c16acf713737e3b15a73 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sun, 3 Dec 2017 00:58:47 +0100 +Subject: [PATCH 05/11] netfilter: reduce size of hook entry point locations + +struct net contains: + +struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; + +which store the hook entry point locations for the various protocol +families and the hooks. + +Using array results in compact c code when doing accesses, i.e. + x = rcu_dereference(net->nf.hooks[pf][hook]); + +but its also wasting a lot of memory, as most families are +not used. + +So split the array into those families that are used, which +are only 5 (instead of 13). In most cases, the 'pf' argument is +constant, i.e. gcc removes switch statement. + +struct net before: + /* size: 5184, cachelines: 81, members: 46 */ +after: + /* size: 4672, cachelines: 73, members: 46 */ + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter.h | 24 ++++++++++++++++++++++-- + include/net/netns/netfilter.h | 6 +++++- + net/bridge/br_netfilter_hooks.c | 2 +- + net/netfilter/core.c | 38 ++++++++++++++++++++++++++++++-------- + net/netfilter/nf_queue.c | 21 +++++++++++++++++++-- + 5 files changed, 77 insertions(+), 14 deletions(-) + +--- a/include/linux/netfilter.h ++++ b/include/linux/netfilter.h +@@ -195,7 +195,7 @@ static inline int nf_hook(u_int8_t pf, u + struct net_device *indev, struct net_device *outdev, + int (*okfn)(struct net *, struct sock *, struct sk_buff *)) + { +- struct nf_hook_entries *hook_head; ++ struct nf_hook_entries *hook_head = NULL; + int ret = 1; + + #ifdef HAVE_JUMP_LABEL +@@ -206,7 +206,27 @@ static inline int nf_hook(u_int8_t pf, u + #endif + + rcu_read_lock(); +- hook_head = rcu_dereference(net->nf.hooks[pf][hook]); ++ switch (pf) { ++ case NFPROTO_IPV4: ++ hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]); ++ break; ++ case NFPROTO_IPV6: ++ hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]); ++ break; ++ case NFPROTO_ARP: ++ hook_head = rcu_dereference(net->nf.hooks_arp[hook]); ++ break; ++ case NFPROTO_BRIDGE: ++ hook_head = rcu_dereference(net->nf.hooks_bridge[hook]); ++ break; ++ case NFPROTO_DECNET: ++ hook_head = rcu_dereference(net->nf.hooks_decnet[hook]); ++ break; ++ default: ++ WARN_ON_ONCE(1); ++ break; ++ } ++ + if (hook_head) { + struct nf_hook_state state; + +--- a/include/net/netns/netfilter.h ++++ b/include/net/netns/netfilter.h +@@ -17,7 +17,11 @@ struct netns_nf { + #ifdef CONFIG_SYSCTL + struct ctl_table_header *nf_log_dir_header; + #endif +- struct nf_hook_entries __rcu *hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; ++ struct nf_hook_entries __rcu *hooks_ipv4[NF_MAX_HOOKS]; ++ struct nf_hook_entries __rcu *hooks_ipv6[NF_MAX_HOOKS]; ++ struct nf_hook_entries __rcu *hooks_arp[NF_MAX_HOOKS]; ++ struct nf_hook_entries __rcu *hooks_bridge[NF_MAX_HOOKS]; ++ struct nf_hook_entries __rcu *hooks_decnet[NF_MAX_HOOKS]; + #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) + bool defrag_ipv4; + #endif +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -991,7 +991,7 @@ int br_nf_hook_thresh(unsigned int hook, + unsigned int i; + int ret; + +- e = rcu_dereference(net->nf.hooks[NFPROTO_BRIDGE][hook]); ++ e = rcu_dereference(net->nf.hooks_bridge[hook]); + if (!e) + return okfn(net, sk, skb); + +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -264,8 +264,23 @@ out_assign: + + static struct nf_hook_entries __rcu **nf_hook_entry_head(struct net *net, const struct nf_hook_ops *reg) + { +- if (reg->pf != NFPROTO_NETDEV) +- return net->nf.hooks[reg->pf]+reg->hooknum; ++ switch (reg->pf) { ++ case NFPROTO_NETDEV: ++ break; ++ case NFPROTO_ARP: ++ return net->nf.hooks_arp + reg->hooknum; ++ case NFPROTO_BRIDGE: ++ return net->nf.hooks_bridge + reg->hooknum; ++ case NFPROTO_IPV4: ++ return net->nf.hooks_ipv4 + reg->hooknum; ++ case NFPROTO_IPV6: ++ return net->nf.hooks_ipv6 + reg->hooknum; ++ case NFPROTO_DECNET: ++ return net->nf.hooks_decnet + reg->hooknum; ++ default: ++ WARN_ON_ONCE(1); ++ return NULL; ++ } + + #ifdef CONFIG_NETFILTER_INGRESS + if (reg->hooknum == NF_NETDEV_INGRESS) { +@@ -534,14 +549,21 @@ void (*nf_nat_decode_session_hook)(struc + EXPORT_SYMBOL(nf_nat_decode_session_hook); + #endif + +-static int __net_init netfilter_net_init(struct net *net) ++static void __net_init __netfilter_net_init(struct nf_hook_entries *e[NF_MAX_HOOKS]) + { +- int i, h; ++ int h; + +- for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) { +- for (h = 0; h < NF_MAX_HOOKS; h++) +- RCU_INIT_POINTER(net->nf.hooks[i][h], NULL); +- } ++ for (h = 0; h < NF_MAX_HOOKS; h++) ++ RCU_INIT_POINTER(e[h], NULL); ++} ++ ++static int __net_init netfilter_net_init(struct net *net) ++{ ++ __netfilter_net_init(net->nf.hooks_ipv4); ++ __netfilter_net_init(net->nf.hooks_ipv6); ++ __netfilter_net_init(net->nf.hooks_arp); ++ __netfilter_net_init(net->nf.hooks_bridge); ++ __netfilter_net_init(net->nf.hooks_decnet); + + #ifdef CONFIG_PROC_FS + net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", +--- a/net/netfilter/nf_queue.c ++++ b/net/netfilter/nf_queue.c +@@ -201,6 +201,23 @@ repeat: + return NF_ACCEPT; + } + ++static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum) ++{ ++ switch (pf) { ++ case NFPROTO_BRIDGE: ++ return rcu_dereference(net->nf.hooks_bridge[hooknum]); ++ case NFPROTO_IPV4: ++ return rcu_dereference(net->nf.hooks_ipv4[hooknum]); ++ case NFPROTO_IPV6: ++ return rcu_dereference(net->nf.hooks_ipv6[hooknum]); ++ default: ++ WARN_ON_ONCE(1); ++ return NULL; ++ } ++ ++ return NULL; ++} ++ + /* Caller must hold rcu read-side lock */ + void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict) + { +@@ -216,12 +233,12 @@ void nf_reinject(struct nf_queue_entry * + net = entry->state.net; + pf = entry->state.pf; + +- hooks = rcu_dereference(net->nf.hooks[pf][entry->state.hook]); ++ hooks = nf_hook_entries_head(net, pf, entry->state.hook); + + nf_queue_entry_release_refs(entry); + + i = entry->hook_index; +- if (WARN_ON_ONCE(i >= hooks->num_hook_entries)) { ++ if (WARN_ON_ONCE(!hooks || i >= hooks->num_hook_entries)) { + kfree_skb(skb); + kfree(entry); + return; diff --git a/target/linux/generic/backport-4.14/294-v4.16-netfilter-reduce-hook-array-sizes-to-what-is-needed.patch b/target/linux/generic/backport-4.14/294-v4.16-netfilter-reduce-hook-array-sizes-to-what-is-needed.patch new file mode 100644 index 000000000..d9009b8e1 --- /dev/null +++ b/target/linux/generic/backport-4.14/294-v4.16-netfilter-reduce-hook-array-sizes-to-what-is-needed.patch @@ -0,0 +1,95 @@ +From ef57170bbfdd6958281011332b1fd237712f69f0 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 7 Dec 2017 16:28:24 +0100 +Subject: [PATCH 06/11] netfilter: reduce hook array sizes to what is needed + +Not all families share the same hook count, adjust sizes to what is +needed. + +struct net before: +/* size: 6592, cachelines: 103, members: 46 */ +after: +/* size: 5952, cachelines: 93, members: 46 */ + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/net/netns/netfilter.h | 10 +++++----- + net/netfilter/core.c | 24 +++++++++++++++++------- + 2 files changed, 22 insertions(+), 12 deletions(-) + +--- a/include/net/netns/netfilter.h ++++ b/include/net/netns/netfilter.h +@@ -17,11 +17,11 @@ struct netns_nf { + #ifdef CONFIG_SYSCTL + struct ctl_table_header *nf_log_dir_header; + #endif +- struct nf_hook_entries __rcu *hooks_ipv4[NF_MAX_HOOKS]; +- struct nf_hook_entries __rcu *hooks_ipv6[NF_MAX_HOOKS]; +- struct nf_hook_entries __rcu *hooks_arp[NF_MAX_HOOKS]; +- struct nf_hook_entries __rcu *hooks_bridge[NF_MAX_HOOKS]; +- struct nf_hook_entries __rcu *hooks_decnet[NF_MAX_HOOKS]; ++ struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS]; ++ struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS]; ++ struct nf_hook_entries __rcu *hooks_arp[NF_ARP_NUMHOOKS]; ++ struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS]; ++ struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS]; + #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) + bool defrag_ipv4; + #endif +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -268,14 +268,24 @@ static struct nf_hook_entries __rcu **nf + case NFPROTO_NETDEV: + break; + case NFPROTO_ARP: ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= reg->hooknum)) ++ return NULL; + return net->nf.hooks_arp + reg->hooknum; + case NFPROTO_BRIDGE: ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= reg->hooknum)) ++ return NULL; + return net->nf.hooks_bridge + reg->hooknum; + case NFPROTO_IPV4: ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum)) ++ return NULL; + return net->nf.hooks_ipv4 + reg->hooknum; + case NFPROTO_IPV6: ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv6) <= reg->hooknum)) ++ return NULL; + return net->nf.hooks_ipv6 + reg->hooknum; + case NFPROTO_DECNET: ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_decnet) <= reg->hooknum)) ++ return NULL; + return net->nf.hooks_decnet + reg->hooknum; + default: + WARN_ON_ONCE(1); +@@ -549,21 +559,21 @@ void (*nf_nat_decode_session_hook)(struc + EXPORT_SYMBOL(nf_nat_decode_session_hook); + #endif + +-static void __net_init __netfilter_net_init(struct nf_hook_entries *e[NF_MAX_HOOKS]) ++static void __net_init __netfilter_net_init(struct nf_hook_entries **e, int max) + { + int h; + +- for (h = 0; h < NF_MAX_HOOKS; h++) ++ for (h = 0; h < max; h++) + RCU_INIT_POINTER(e[h], NULL); + } + + static int __net_init netfilter_net_init(struct net *net) + { +- __netfilter_net_init(net->nf.hooks_ipv4); +- __netfilter_net_init(net->nf.hooks_ipv6); +- __netfilter_net_init(net->nf.hooks_arp); +- __netfilter_net_init(net->nf.hooks_bridge); +- __netfilter_net_init(net->nf.hooks_decnet); ++ __netfilter_net_init(net->nf.hooks_ipv4, ARRAY_SIZE(net->nf.hooks_ipv4)); ++ __netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6)); ++ __netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp)); ++ __netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge)); ++ __netfilter_net_init(net->nf.hooks_decnet, ARRAY_SIZE(net->nf.hooks_decnet)); + + #ifdef CONFIG_PROC_FS + net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", diff --git a/target/linux/generic/backport-4.14/295-v4.16-netfilter-don-t-allocate-space-for-decnet-hooks-unle.patch b/target/linux/generic/backport-4.14/295-v4.16-netfilter-don-t-allocate-space-for-decnet-hooks-unle.patch new file mode 100644 index 000000000..26a93c40a --- /dev/null +++ b/target/linux/generic/backport-4.14/295-v4.16-netfilter-don-t-allocate-space-for-decnet-hooks-unle.patch @@ -0,0 +1,67 @@ +From bb4badf3a3dc81190f7c1c1fa063cdefb18df45f Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 7 Dec 2017 16:28:25 +0100 +Subject: [PATCH 07/11] netfilter: don't allocate space for decnet hooks unless + needed + +no need to define hook points if the family isn't supported. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter.h | 2 ++ + include/net/netns/netfilter.h | 2 ++ + net/netfilter/core.c | 4 ++++ + 3 files changed, 8 insertions(+) + +--- a/include/linux/netfilter.h ++++ b/include/linux/netfilter.h +@@ -219,9 +219,11 @@ static inline int nf_hook(u_int8_t pf, u + case NFPROTO_BRIDGE: + hook_head = rcu_dereference(net->nf.hooks_bridge[hook]); + break; ++#if IS_ENABLED(CONFIG_DECNET) + case NFPROTO_DECNET: + hook_head = rcu_dereference(net->nf.hooks_decnet[hook]); + break; ++#endif + default: + WARN_ON_ONCE(1); + break; +--- a/include/net/netns/netfilter.h ++++ b/include/net/netns/netfilter.h +@@ -21,7 +21,9 @@ struct netns_nf { + struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS]; + struct nf_hook_entries __rcu *hooks_arp[NF_ARP_NUMHOOKS]; + struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS]; ++#if IS_ENABLED(CONFIG_DECNET) + struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS]; ++#endif + #if IS_ENABLED(CONFIG_NF_DEFRAG_IPV4) + bool defrag_ipv4; + #endif +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -283,10 +283,12 @@ static struct nf_hook_entries __rcu **nf + if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv6) <= reg->hooknum)) + return NULL; + return net->nf.hooks_ipv6 + reg->hooknum; ++#if IS_ENABLED(CONFIG_DECNET) + case NFPROTO_DECNET: + if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_decnet) <= reg->hooknum)) + return NULL; + return net->nf.hooks_decnet + reg->hooknum; ++#endif + default: + WARN_ON_ONCE(1); + return NULL; +@@ -573,7 +575,9 @@ static int __net_init netfilter_net_init + __netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6)); + __netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp)); + __netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge)); ++#if IS_ENABLED(CONFIG_DECNET) + __netfilter_net_init(net->nf.hooks_decnet, ARRAY_SIZE(net->nf.hooks_decnet)); ++#endif + + #ifdef CONFIG_PROC_FS + net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", diff --git a/target/linux/generic/backport-4.14/296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch b/target/linux/generic/backport-4.14/296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch new file mode 100644 index 000000000..9444f6bb4 --- /dev/null +++ b/target/linux/generic/backport-4.14/296-v4.16-netfilter-don-t-allocate-space-for-arp-bridge-hooks-.patch @@ -0,0 +1,165 @@ +From 2a95183a5e0375df756efb2ca37602d71e8455f9 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 7 Dec 2017 16:28:26 +0100 +Subject: [PATCH 08/11] netfilter: don't allocate space for arp/bridge hooks + unless needed + +no need to define hook points if the family isn't supported. +Because we need these hooks for either nftables, arp/ebtables +or the 'call-iptables' hack we have in the bridge layer add two +new dependencies, NETFILTER_FAMILY_{ARP,BRIDGE}, and have the +users select them. + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + include/linux/netfilter.h | 4 ++++ + include/net/netns/netfilter.h | 4 ++++ + net/Kconfig | 1 + + net/bridge/netfilter/Kconfig | 2 ++ + net/ipv4/netfilter/Kconfig | 2 ++ + net/netfilter/Kconfig | 6 ++++++ + net/netfilter/core.c | 8 ++++++++ + net/netfilter/nf_queue.c | 2 ++ + 8 files changed, 29 insertions(+) + +--- a/include/linux/netfilter.h ++++ b/include/linux/netfilter.h +@@ -214,10 +214,14 @@ static inline int nf_hook(u_int8_t pf, u + hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]); + break; + case NFPROTO_ARP: ++#ifdef CONFIG_NETFILTER_FAMILY_ARP + hook_head = rcu_dereference(net->nf.hooks_arp[hook]); ++#endif + break; + case NFPROTO_BRIDGE: ++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE + hook_head = rcu_dereference(net->nf.hooks_bridge[hook]); ++#endif + break; + #if IS_ENABLED(CONFIG_DECNET) + case NFPROTO_DECNET: +--- a/include/net/netns/netfilter.h ++++ b/include/net/netns/netfilter.h +@@ -19,8 +19,12 @@ struct netns_nf { + #endif + struct nf_hook_entries __rcu *hooks_ipv4[NF_INET_NUMHOOKS]; + struct nf_hook_entries __rcu *hooks_ipv6[NF_INET_NUMHOOKS]; ++#ifdef CONFIG_NETFILTER_FAMILY_ARP + struct nf_hook_entries __rcu *hooks_arp[NF_ARP_NUMHOOKS]; ++#endif ++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE + struct nf_hook_entries __rcu *hooks_bridge[NF_INET_NUMHOOKS]; ++#endif + #if IS_ENABLED(CONFIG_DECNET) + struct nf_hook_entries __rcu *hooks_decnet[NF_DN_NUMHOOKS]; + #endif +--- a/net/Kconfig ++++ b/net/Kconfig +@@ -182,6 +182,7 @@ config BRIDGE_NETFILTER + depends on BRIDGE + depends on NETFILTER && INET + depends on NETFILTER_ADVANCED ++ select NETFILTER_FAMILY_BRIDGE + default m + ---help--- + Enabling this option will let arptables resp. iptables see bridged +--- a/net/bridge/netfilter/Kconfig ++++ b/net/bridge/netfilter/Kconfig +@@ -4,6 +4,7 @@ + # + menuconfig NF_TABLES_BRIDGE + depends on BRIDGE && NETFILTER && NF_TABLES ++ select NETFILTER_FAMILY_BRIDGE + tristate "Ethernet Bridge nf_tables support" + + if NF_TABLES_BRIDGE +@@ -29,6 +30,7 @@ endif # NF_TABLES_BRIDGE + menuconfig BRIDGE_NF_EBTABLES + tristate "Ethernet Bridge tables (ebtables) support" + depends on BRIDGE && NETFILTER && NETFILTER_XTABLES ++ select NETFILTER_FAMILY_BRIDGE + help + ebtables is a general, extensible frame/packet identification + framework. Say 'Y' or 'M' here if you want to do Ethernet +--- a/net/ipv4/netfilter/Kconfig ++++ b/net/ipv4/netfilter/Kconfig +@@ -72,6 +72,7 @@ endif # NF_TABLES_IPV4 + + config NF_TABLES_ARP + tristate "ARP nf_tables support" ++ select NETFILTER_FAMILY_ARP + help + This option enables the ARP support for nf_tables. + +@@ -392,6 +393,7 @@ endif # IP_NF_IPTABLES + config IP_NF_ARPTABLES + tristate "ARP tables support" + select NETFILTER_XTABLES ++ select NETFILTER_FAMILY_ARP + depends on NETFILTER_ADVANCED + help + arptables is a general, extensible packet identification framework. +--- a/net/netfilter/Kconfig ++++ b/net/netfilter/Kconfig +@@ -12,6 +12,12 @@ config NETFILTER_INGRESS + config NETFILTER_NETLINK + tristate + ++config NETFILTER_FAMILY_BRIDGE ++ bool ++ ++config NETFILTER_FAMILY_ARP ++ bool ++ + config NETFILTER_NETLINK_ACCT + tristate "Netfilter NFACCT over NFNETLINK interface" + depends on NETFILTER_ADVANCED +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -267,14 +267,18 @@ static struct nf_hook_entries __rcu **nf + switch (reg->pf) { + case NFPROTO_NETDEV: + break; ++#ifdef CONFIG_NETFILTER_FAMILY_ARP + case NFPROTO_ARP: + if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= reg->hooknum)) + return NULL; + return net->nf.hooks_arp + reg->hooknum; ++#endif ++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE + case NFPROTO_BRIDGE: + if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= reg->hooknum)) + return NULL; + return net->nf.hooks_bridge + reg->hooknum; ++#endif + case NFPROTO_IPV4: + if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum)) + return NULL; +@@ -573,8 +577,12 @@ static int __net_init netfilter_net_init + { + __netfilter_net_init(net->nf.hooks_ipv4, ARRAY_SIZE(net->nf.hooks_ipv4)); + __netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6)); ++#ifdef CONFIG_NETFILTER_FAMILY_ARP + __netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp)); ++#endif ++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE + __netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge)); ++#endif + #if IS_ENABLED(CONFIG_DECNET) + __netfilter_net_init(net->nf.hooks_decnet, ARRAY_SIZE(net->nf.hooks_decnet)); + #endif +--- a/net/netfilter/nf_queue.c ++++ b/net/netfilter/nf_queue.c +@@ -204,8 +204,10 @@ repeat: + static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum) + { + switch (pf) { ++#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE + case NFPROTO_BRIDGE: + return rcu_dereference(net->nf.hooks_bridge[hooknum]); ++#endif + case NFPROTO_IPV4: + return rcu_dereference(net->nf.hooks_ipv4[hooknum]); + case NFPROTO_IPV6: diff --git a/target/linux/generic/backport-4.14/297-v4.16-netfilter-core-pass-hook-number-family-and-device-to.patch b/target/linux/generic/backport-4.14/297-v4.16-netfilter-core-pass-hook-number-family-and-device-to.patch new file mode 100644 index 000000000..7d450f95f --- /dev/null +++ b/target/linux/generic/backport-4.14/297-v4.16-netfilter-core-pass-hook-number-family-and-device-to.patch @@ -0,0 +1,98 @@ +From 62a0fe46e2aaba1812d3cbcae014a41539f9eb09 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sat, 9 Dec 2017 15:23:51 +0100 +Subject: [PATCH 09/11] netfilter: core: pass hook number, family and device to + nf_find_hook_list() + +Instead of passing struct nf_hook_ops, this is needed by follow up +patches to handle NFPROTO_INET from the core. + +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/core.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -262,36 +262,38 @@ out_assign: + return old; + } + +-static struct nf_hook_entries __rcu **nf_hook_entry_head(struct net *net, const struct nf_hook_ops *reg) ++static struct nf_hook_entries __rcu ** ++nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum, ++ struct net_device *dev) + { +- switch (reg->pf) { ++ switch (pf) { + case NFPROTO_NETDEV: + break; + #ifdef CONFIG_NETFILTER_FAMILY_ARP + case NFPROTO_ARP: +- if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= reg->hooknum)) ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= hooknum)) + return NULL; +- return net->nf.hooks_arp + reg->hooknum; ++ return net->nf.hooks_arp + hooknum; + #endif + #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE + case NFPROTO_BRIDGE: +- if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= reg->hooknum)) ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= hooknum)) + return NULL; +- return net->nf.hooks_bridge + reg->hooknum; ++ return net->nf.hooks_bridge + hooknum; + #endif + case NFPROTO_IPV4: +- if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= reg->hooknum)) ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= hooknum)) + return NULL; +- return net->nf.hooks_ipv4 + reg->hooknum; ++ return net->nf.hooks_ipv4 + hooknum; + case NFPROTO_IPV6: +- if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv6) <= reg->hooknum)) ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv6) <= hooknum)) + return NULL; +- return net->nf.hooks_ipv6 + reg->hooknum; ++ return net->nf.hooks_ipv6 + hooknum; + #if IS_ENABLED(CONFIG_DECNET) + case NFPROTO_DECNET: +- if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_decnet) <= reg->hooknum)) ++ if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_decnet) <= hooknum)) + return NULL; +- return net->nf.hooks_decnet + reg->hooknum; ++ return net->nf.hooks_decnet + hooknum; + #endif + default: + WARN_ON_ONCE(1); +@@ -299,9 +301,9 @@ static struct nf_hook_entries __rcu **nf + } + + #ifdef CONFIG_NETFILTER_INGRESS +- if (reg->hooknum == NF_NETDEV_INGRESS) { +- if (reg->dev && dev_net(reg->dev) == net) +- return ®->dev->nf_hooks_ingress; ++ if (hooknum == NF_NETDEV_INGRESS) { ++ if (dev && dev_net(dev) == net) ++ return &dev->nf_hooks_ingress; + } + #endif + WARN_ON_ONCE(1); +@@ -323,7 +325,7 @@ int nf_register_net_hook(struct net *net + return -EINVAL; + } + +- pp = nf_hook_entry_head(net, reg); ++ pp = nf_hook_entry_head(net, reg->pf, reg->hooknum, reg->dev); + if (!pp) + return -EINVAL; + +@@ -397,7 +399,7 @@ void nf_unregister_net_hook(struct net * + struct nf_hook_entries __rcu **pp; + struct nf_hook_entries *p; + +- pp = nf_hook_entry_head(net, reg); ++ pp = nf_hook_entry_head(net, reg->pf, reg->hooknum, reg->dev); + if (!pp) + return; + diff --git a/target/linux/generic/backport-4.14/298-v4.16-netfilter-core-add-nf_remove_net_hook.patch b/target/linux/generic/backport-4.14/298-v4.16-netfilter-core-add-nf_remove_net_hook.patch new file mode 100644 index 000000000..8fea44b35 --- /dev/null +++ b/target/linux/generic/backport-4.14/298-v4.16-netfilter-core-add-nf_remove_net_hook.patch @@ -0,0 +1,44 @@ +From 3d3cdc38e8c265a9f9d3825e823e772872bca1b8 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sat, 9 Dec 2017 15:19:14 +0100 +Subject: [PATCH 01/11] netfilter: core: add nf_remove_net_hook + +Just a cleanup, __nf_unregister_net_hook() is used by a follow up patch +when handling NFPROTO_INET as a real family from the core. + +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/core.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -356,7 +356,7 @@ int nf_register_net_hook(struct net *net + EXPORT_SYMBOL(nf_register_net_hook); + + /* +- * __nf_unregister_net_hook - remove a hook from blob ++ * nf_remove_net_hook - remove a hook from blob + * + * @oldp: current address of hook blob + * @unreg: hook to unregister +@@ -364,8 +364,8 @@ EXPORT_SYMBOL(nf_register_net_hook); + * This cannot fail, hook unregistration must always succeed. + * Therefore replace the to-be-removed hook with a dummy hook. + */ +-static void __nf_unregister_net_hook(struct nf_hook_entries *old, +- const struct nf_hook_ops *unreg) ++static void nf_remove_net_hook(struct nf_hook_entries *old, ++ const struct nf_hook_ops *unreg) + { + struct nf_hook_ops **orig_ops; + bool found = false; +@@ -411,7 +411,7 @@ void nf_unregister_net_hook(struct net * + return; + } + +- __nf_unregister_net_hook(p, reg); ++ nf_remove_net_hook(p, reg); + + p = __nf_hook_entries_try_shrink(pp); + mutex_unlock(&nf_hook_mutex); diff --git a/target/linux/generic/backport-4.14/298-v4.16-netfilter-core-pass-family-as-parameter-to-nf_remove.patch b/target/linux/generic/backport-4.14/298-v4.16-netfilter-core-pass-family-as-parameter-to-nf_remove.patch new file mode 100644 index 000000000..4c52635c1 --- /dev/null +++ b/target/linux/generic/backport-4.14/298-v4.16-netfilter-core-pass-family-as-parameter-to-nf_remove.patch @@ -0,0 +1,51 @@ +From 30259408118f550f5969fda19c0d67020d21eda8 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sat, 9 Dec 2017 15:26:37 +0100 +Subject: [PATCH 10/11] netfilter: core: pass family as parameter to + nf_remove_net_hook() + +So static_key_slow_dec applies to the family behind NFPROTO_INET. + +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/core.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -365,7 +365,7 @@ EXPORT_SYMBOL(nf_register_net_hook); + * Therefore replace the to-be-removed hook with a dummy hook. + */ + static void nf_remove_net_hook(struct nf_hook_entries *old, +- const struct nf_hook_ops *unreg) ++ const struct nf_hook_ops *unreg, int pf) + { + struct nf_hook_ops **orig_ops; + bool found = false; +@@ -383,14 +383,14 @@ static void nf_remove_net_hook(struct nf + + if (found) { + #ifdef CONFIG_NETFILTER_INGRESS +- if (unreg->pf == NFPROTO_NETDEV && unreg->hooknum == NF_NETDEV_INGRESS) ++ if (pf == NFPROTO_NETDEV && unreg->hooknum == NF_NETDEV_INGRESS) + net_dec_ingress_queue(); + #endif + #ifdef HAVE_JUMP_LABEL +- static_key_slow_dec(&nf_hooks_needed[unreg->pf][unreg->hooknum]); ++ static_key_slow_dec(&nf_hooks_needed[pf][unreg->hooknum]); + #endif + } else { +- WARN_ONCE(1, "hook not found, pf %d num %d", unreg->pf, unreg->hooknum); ++ WARN_ONCE(1, "hook not found, pf %d num %d", pf, unreg->hooknum); + } + } + +@@ -411,7 +411,7 @@ void nf_unregister_net_hook(struct net * + return; + } + +- nf_remove_net_hook(p, reg); ++ nf_remove_net_hook(p, reg, reg->pf); + + p = __nf_hook_entries_try_shrink(pp); + mutex_unlock(&nf_hook_mutex); diff --git a/target/linux/generic/backport-4.14/299-v4.16-netfilter-core-support-for-NFPROTO_INET-hook-registr.patch b/target/linux/generic/backport-4.14/299-v4.16-netfilter-core-support-for-NFPROTO_INET-hook-registr.patch new file mode 100644 index 000000000..b11285513 --- /dev/null +++ b/target/linux/generic/backport-4.14/299-v4.16-netfilter-core-support-for-NFPROTO_INET-hook-registr.patch @@ -0,0 +1,129 @@ +From cb7ccd835ebb333669e400f99c650e4f3abf11c0 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Sat, 9 Dec 2017 15:30:26 +0100 +Subject: [PATCH 11/11] netfilter: core: support for NFPROTO_INET hook + registration + +Expand NFPROTO_INET in two hook registrations, one for NFPROTO_IPV4 and +another for NFPROTO_IPV6. Hence, we handle NFPROTO_INET from the core. + +Signed-off-by: Pablo Neira Ayuso +--- + net/netfilter/core.c | 53 +++++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 44 insertions(+), 9 deletions(-) + +--- a/net/netfilter/core.c ++++ b/net/netfilter/core.c +@@ -310,12 +310,13 @@ nf_hook_entry_head(struct net *net, int + return NULL; + } + +-int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) ++static int __nf_register_net_hook(struct net *net, int pf, ++ const struct nf_hook_ops *reg) + { + struct nf_hook_entries *p, *new_hooks; + struct nf_hook_entries __rcu **pp; + +- if (reg->pf == NFPROTO_NETDEV) { ++ if (pf == NFPROTO_NETDEV) { + #ifndef CONFIG_NETFILTER_INGRESS + if (reg->hooknum == NF_NETDEV_INGRESS) + return -EOPNOTSUPP; +@@ -325,7 +326,7 @@ int nf_register_net_hook(struct net *net + return -EINVAL; + } + +- pp = nf_hook_entry_head(net, reg->pf, reg->hooknum, reg->dev); ++ pp = nf_hook_entry_head(net, pf, reg->hooknum, reg->dev); + if (!pp) + return -EINVAL; + +@@ -343,17 +344,16 @@ int nf_register_net_hook(struct net *net + + hooks_validate(new_hooks); + #ifdef CONFIG_NETFILTER_INGRESS +- if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) ++ if (pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) + net_inc_ingress_queue(); + #endif + #ifdef HAVE_JUMP_LABEL +- static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); ++ static_key_slow_inc(&nf_hooks_needed[pf][reg->hooknum]); + #endif + BUG_ON(p == new_hooks); + nf_hook_entries_free(p); + return 0; + } +-EXPORT_SYMBOL(nf_register_net_hook); + + /* + * nf_remove_net_hook - remove a hook from blob +@@ -394,12 +394,13 @@ static void nf_remove_net_hook(struct nf + } + } + +-void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) ++void __nf_unregister_net_hook(struct net *net, int pf, ++ const struct nf_hook_ops *reg) + { + struct nf_hook_entries __rcu **pp; + struct nf_hook_entries *p; + +- pp = nf_hook_entry_head(net, reg->pf, reg->hooknum, reg->dev); ++ pp = nf_hook_entry_head(net, pf, reg->hooknum, reg->dev); + if (!pp) + return; + +@@ -411,7 +412,7 @@ void nf_unregister_net_hook(struct net * + return; + } + +- nf_remove_net_hook(p, reg, reg->pf); ++ nf_remove_net_hook(p, reg, pf); + + p = __nf_hook_entries_try_shrink(pp); + mutex_unlock(&nf_hook_mutex); +@@ -421,8 +422,42 @@ void nf_unregister_net_hook(struct net * + nf_queue_nf_hook_drop(net); + nf_hook_entries_free(p); + } ++ ++void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) ++{ ++ if (reg->pf == NFPROTO_INET) { ++ __nf_unregister_net_hook(net, NFPROTO_IPV4, reg); ++ __nf_unregister_net_hook(net, NFPROTO_IPV6, reg); ++ } else { ++ __nf_unregister_net_hook(net, reg->pf, reg); ++ } ++} + EXPORT_SYMBOL(nf_unregister_net_hook); + ++int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) ++{ ++ int err; ++ ++ if (reg->pf == NFPROTO_INET) { ++ err = __nf_register_net_hook(net, NFPROTO_IPV4, reg); ++ if (err < 0) ++ return err; ++ ++ err = __nf_register_net_hook(net, NFPROTO_IPV6, reg); ++ if (err < 0) { ++ __nf_unregister_net_hook(net, NFPROTO_IPV4, reg); ++ return err; ++ } ++ } else { ++ err = __nf_register_net_hook(net, reg->pf, reg); ++ if (err < 0) ++ return err; ++ } ++ ++ return 0; ++} ++EXPORT_SYMBOL(nf_register_net_hook); ++ + int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, + unsigned int n) + { diff --git a/target/linux/generic/backport-4.14/301-v4.16-netfilter-core-only-allow-one-nat-hook-per-hook-poin.patch b/target/linux/generic/backport-4.14/301-v4.16-netfilter-core-only-allow-one-nat-hook-per-hook-poin.patch index 5ae8f8f1e..05888a070 100644 --- a/target/linux/generic/backport-4.14/301-v4.16-netfilter-core-only-allow-one-nat-hook-per-hook-poin.patch +++ b/target/linux/generic/backport-4.14/301-v4.16-netfilter-core-only-allow-one-nat-hook-per-hook-poin.patch @@ -120,7 +120,7 @@ Signed-off-by: Pablo Neira Ayuso .priority = NF_IP6_PRI_NAT_SRC, --- a/net/netfilter/core.c +++ b/net/netfilter/core.c -@@ -135,6 +135,12 @@ nf_hook_entries_grow(const struct nf_hoo +@@ -160,6 +160,12 @@ nf_hook_entries_grow(const struct nf_hoo ++i; continue; } diff --git a/target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch b/target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch index b122dd55d..458ddd417 100644 --- a/target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch +++ b/target/linux/generic/backport-4.14/304-v4.16-netfilter-move-checksum-indirection-to-struct-nf_ipv.patch @@ -18,7 +18,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h -@@ -274,8 +274,6 @@ struct nf_queue_entry; +@@ -311,8 +311,6 @@ struct nf_queue_entry; struct nf_afinfo { unsigned short family; @@ -27,7 +27,7 @@ Signed-off-by: Pablo Neira Ayuso __sum16 (*checksum_partial)(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, -@@ -296,20 +294,9 @@ static inline const struct nf_afinfo *nf +@@ -333,20 +331,9 @@ static inline const struct nf_afinfo *nf return rcu_dereference(nf_afinfo[family]); } diff --git a/target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch b/target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch index 7c22312c6..19a0aacb4 100644 --- a/target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch +++ b/target/linux/generic/backport-4.14/305-v4.16-netfilter-move-checksum_partial-indirection-to-struc.patch @@ -18,7 +18,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h -@@ -274,11 +274,6 @@ struct nf_queue_entry; +@@ -311,11 +311,6 @@ struct nf_queue_entry; struct nf_afinfo { unsigned short family; @@ -30,7 +30,7 @@ Signed-off-by: Pablo Neira Ayuso int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl, bool strict); void (*saveroute)(const struct sk_buff *skb, -@@ -298,22 +293,9 @@ __sum16 nf_checksum(struct sk_buff *skb, +@@ -335,22 +330,9 @@ __sum16 nf_checksum(struct sk_buff *skb, unsigned int dataoff, u_int8_t protocol, unsigned short family); diff --git a/target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch b/target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch index e52f81164..75de3c84f 100644 --- a/target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch +++ b/target/linux/generic/backport-4.14/306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch @@ -11,7 +11,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h -@@ -276,8 +276,6 @@ struct nf_afinfo { +@@ -313,8 +313,6 @@ struct nf_afinfo { unsigned short family; int (*route)(struct net *net, struct dst_entry **dst, struct flowi *fl, bool strict); @@ -176,7 +176,7 @@ Signed-off-by: Pablo Neira Ayuso #include #include #include -@@ -111,6 +113,35 @@ unsigned int nf_queue_nf_hook_drop(struc +@@ -108,6 +110,35 @@ void nf_queue_nf_hook_drop(struct net *n } EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop); @@ -212,7 +212,7 @@ Signed-off-by: Pablo Neira Ayuso static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state, const struct nf_hook_entries *entries, unsigned int index, unsigned int queuenum) -@@ -147,7 +178,16 @@ static int __nf_queue(struct sk_buff *sk +@@ -144,7 +175,16 @@ static int __nf_queue(struct sk_buff *sk nf_queue_entry_get_refs(entry); skb_dst_force(skb); diff --git a/target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch b/target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch index fe60a7903..b98aac0ff 100644 --- a/target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch +++ b/target/linux/generic/backport-4.14/307-v4.16-netfilter-move-route-indirection-to-struct-nf_ipv6_o.patch @@ -17,7 +17,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h -@@ -274,8 +274,6 @@ struct nf_queue_entry; +@@ -311,8 +311,6 @@ struct nf_queue_entry; struct nf_afinfo { unsigned short family; @@ -26,7 +26,7 @@ Signed-off-by: Pablo Neira Ayuso int (*reroute)(struct net *net, struct sk_buff *skb, const struct nf_queue_entry *entry); int route_key_size; -@@ -294,6 +292,8 @@ __sum16 nf_checksum(struct sk_buff *skb, +@@ -331,6 +329,8 @@ __sum16 nf_checksum(struct sk_buff *skb, __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, unsigned int len, u_int8_t protocol, unsigned short family); diff --git a/target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch b/target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch index 2ffb39d9a..5dbd1a4ce 100644 --- a/target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch +++ b/target/linux/generic/backport-4.14/308-v4.16-netfilter-move-reroute-indirection-to-struct-nf_ipv6.patch @@ -17,7 +17,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h -@@ -274,8 +274,6 @@ struct nf_queue_entry; +@@ -311,8 +311,6 @@ struct nf_queue_entry; struct nf_afinfo { unsigned short family; @@ -26,7 +26,7 @@ Signed-off-by: Pablo Neira Ayuso int route_key_size; }; -@@ -294,6 +292,7 @@ __sum16 nf_checksum_partial(struct sk_bu +@@ -331,6 +329,7 @@ __sum16 nf_checksum_partial(struct sk_bu u_int8_t protocol, unsigned short family); int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl, bool strict, unsigned short family); @@ -171,7 +171,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/net/netfilter/nf_queue.c +++ b/net/netfilter/nf_queue.c -@@ -250,7 +250,6 @@ void nf_reinject(struct nf_queue_entry * +@@ -266,7 +266,6 @@ void nf_reinject(struct nf_queue_entry * const struct nf_hook_entry *hook_entry; const struct nf_hook_entries *hooks; struct sk_buff *skb = entry->skb; @@ -179,7 +179,7 @@ Signed-off-by: Pablo Neira Ayuso const struct net *net; unsigned int i; int err; -@@ -277,8 +276,7 @@ void nf_reinject(struct nf_queue_entry * +@@ -293,8 +292,7 @@ void nf_reinject(struct nf_queue_entry * verdict = nf_hook_entry_hookfn(hook_entry, skb, &entry->state); if (verdict == NF_ACCEPT) { diff --git a/target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch b/target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch index 1b571252b..21381b7e6 100644 --- a/target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch +++ b/target/linux/generic/backport-4.14/309-v4.16-netfilter-remove-route_key_size-field-in-struct-nf_a.patch @@ -9,7 +9,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h -@@ -274,7 +274,6 @@ struct nf_queue_entry; +@@ -311,7 +311,6 @@ struct nf_queue_entry; struct nf_afinfo { unsigned short family; @@ -48,7 +48,7 @@ Signed-off-by: Pablo Neira Ayuso #include #include #include -@@ -148,9 +150,9 @@ static int __nf_queue(struct sk_buff *sk +@@ -145,9 +147,9 @@ static int __nf_queue(struct sk_buff *sk { int status = -ENOENT; struct nf_queue_entry *entry = NULL; @@ -59,7 +59,7 @@ Signed-off-by: Pablo Neira Ayuso /* QUEUE == DROP if no one is waiting, to be safe. */ qh = rcu_dereference(net->nf.queue_handler); -@@ -159,11 +161,19 @@ static int __nf_queue(struct sk_buff *sk +@@ -156,11 +158,19 @@ static int __nf_queue(struct sk_buff *sk goto err; } @@ -83,7 +83,7 @@ Signed-off-by: Pablo Neira Ayuso if (!entry) { status = -ENOMEM; goto err; -@@ -173,7 +183,7 @@ static int __nf_queue(struct sk_buff *sk +@@ -170,7 +180,7 @@ static int __nf_queue(struct sk_buff *sk .skb = skb, .state = *state, .hook_index = index, diff --git a/target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch b/target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch index 6d19743df..0ca58f998 100644 --- a/target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch +++ b/target/linux/generic/backport-4.14/310-v4.16-netfilter-remove-struct-nf_afinfo-and-its-helper-fun.patch @@ -12,7 +12,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/include/linux/netfilter.h +++ b/include/linux/netfilter.h -@@ -272,16 +272,6 @@ int skb_make_writable(struct sk_buff *sk +@@ -309,16 +309,6 @@ int skb_make_writable(struct sk_buff *sk struct flowi; struct nf_queue_entry; @@ -29,7 +29,7 @@ Signed-off-by: Pablo Neira Ayuso __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, u_int8_t protocol, unsigned short family); -@@ -293,9 +283,6 @@ int nf_route(struct net *net, struct dst +@@ -330,9 +320,6 @@ int nf_route(struct net *net, struct dst bool strict, unsigned short family); int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry); diff --git a/target/linux/generic/backport-4.14/322-v4.16-netfilter-add-generic-flow-table-infrastructure.patch b/target/linux/generic/backport-4.14/322-v4.16-netfilter-add-generic-flow-table-infrastructure.patch index d811ef006..16de9571a 100644 --- a/target/linux/generic/backport-4.14/322-v4.16-netfilter-add-generic-flow-table-infrastructure.patch +++ b/target/linux/generic/backport-4.14/322-v4.16-netfilter-add-generic-flow-table-infrastructure.patch @@ -126,7 +126,7 @@ Signed-off-by: Pablo Neira Ayuso #endif /* _FLOW_OFFLOAD_H */ --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -661,6 +661,13 @@ endif # NF_TABLES_NETDEV +@@ -667,6 +667,13 @@ endif # NF_TABLES_NETDEV endif # NF_TABLES diff --git a/target/linux/generic/backport-4.14/323-v4.16-netfilter-flow-table-support-for-IPv4.patch b/target/linux/generic/backport-4.14/323-v4.16-netfilter-flow-table-support-for-IPv4.patch index 6f3617160..50d9039c1 100644 --- a/target/linux/generic/backport-4.14/323-v4.16-netfilter-flow-table-support-for-IPv4.patch +++ b/target/linux/generic/backport-4.14/323-v4.16-netfilter-flow-table-support-for-IPv4.patch @@ -19,7 +19,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig -@@ -77,6 +77,14 @@ config NF_TABLES_ARP +@@ -78,6 +78,14 @@ config NF_TABLES_ARP endif # NF_TABLES diff --git a/target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch b/target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch index 9fcb1be98..04948d88a 100644 --- a/target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch +++ b/target/linux/generic/backport-4.14/325-v4.16-netfilter-flow-table-support-for-the-mixed-IPv4-IPv6.patch @@ -63,7 +63,7 @@ Signed-off-by: Pablo Neira Ayuso .family = NFPROTO_IPV6, --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -661,6 +661,14 @@ endif # NF_TABLES_NETDEV +@@ -667,6 +667,14 @@ endif # NF_TABLES_NETDEV endif # NF_TABLES diff --git a/target/linux/generic/backport-4.14/326-v4.16-netfilter-nf_tables-flow-offload-expression.patch b/target/linux/generic/backport-4.14/326-v4.16-netfilter-nf_tables-flow-offload-expression.patch index 86f1f8a09..0decc3410 100644 --- a/target/linux/generic/backport-4.14/326-v4.16-netfilter-nf_tables-flow-offload-expression.patch +++ b/target/linux/generic/backport-4.14/326-v4.16-netfilter-nf_tables-flow-offload-expression.patch @@ -39,7 +39,7 @@ Signed-off-by: Pablo Neira Ayuso NFT_LIMIT_PKT_BYTES --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -509,6 +509,13 @@ config NFT_CT +@@ -515,6 +515,13 @@ config NFT_CT This option adds the "ct" expression that you can use to match connection tracking information such as the flow state. diff --git a/target/linux/generic/backport-4.14/329-v4.16-netfilter-improve-flow-table-Kconfig-dependencies.patch b/target/linux/generic/backport-4.14/329-v4.16-netfilter-improve-flow-table-Kconfig-dependencies.patch index 7174723fc..0d5cd3bb4 100644 --- a/target/linux/generic/backport-4.14/329-v4.16-netfilter-improve-flow-table-Kconfig-dependencies.patch +++ b/target/linux/generic/backport-4.14/329-v4.16-netfilter-improve-flow-table-Kconfig-dependencies.patch @@ -59,7 +59,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig -@@ -78,8 +78,9 @@ config NF_TABLES_ARP +@@ -79,8 +79,9 @@ config NF_TABLES_ARP endif # NF_TABLES config NF_FLOW_TABLE_IPV4 @@ -85,7 +85,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -669,8 +669,9 @@ endif # NF_TABLES_NETDEV +@@ -675,8 +675,9 @@ endif # NF_TABLES_NETDEV endif # NF_TABLES config NF_FLOW_TABLE_INET @@ -96,7 +96,7 @@ Signed-off-by: Pablo Neira Ayuso help This option adds the flow table mixed IPv4/IPv6 support. -@@ -678,6 +679,7 @@ config NF_FLOW_TABLE_INET +@@ -684,6 +685,7 @@ config NF_FLOW_TABLE_INET config NF_FLOW_TABLE tristate "Netfilter flow table module" diff --git a/target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch b/target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch index d71c8e0ab..e32943de0 100644 --- a/target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch +++ b/target/linux/generic/backport-4.14/336-v4.15-netfilter-exit_net-cleanup-check-added.patch @@ -62,7 +62,7 @@ Signed-off-by: Pablo Neira Ayuso static struct pernet_operations nfnl_log_net_ops = { --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c -@@ -1515,10 +1515,15 @@ static int __net_init nfnl_queue_net_ini +@@ -1510,10 +1510,15 @@ static int __net_init nfnl_queue_net_ini static void __net_exit nfnl_queue_net_exit(struct net *net) { diff --git a/target/linux/generic/backport-4.14/346-v4.16-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch b/target/linux/generic/backport-4.14/346-v4.16-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch index 162086e34..bb8c2d3e5 100644 --- a/target/linux/generic/backport-4.14/346-v4.16-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch +++ b/target/linux/generic/backport-4.14/346-v4.16-netfilter-flowtable-infrastructure-depends-on-NETFIL.patch @@ -25,7 +25,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig -@@ -79,8 +79,7 @@ endif # NF_TABLES +@@ -80,8 +80,7 @@ endif # NF_TABLES config NF_FLOW_TABLE_IPV4 tristate "Netfilter flow table IPv4 module" @@ -49,7 +49,7 @@ Signed-off-by: Pablo Neira Ayuso --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -670,8 +670,8 @@ endif # NF_TABLES +@@ -676,8 +676,8 @@ endif # NF_TABLES config NF_FLOW_TABLE_INET tristate "Netfilter flow table mixed IPv4/IPv6 module" @@ -60,7 +60,7 @@ Signed-off-by: Pablo Neira Ayuso help This option adds the flow table mixed IPv4/IPv6 support. -@@ -679,7 +679,9 @@ config NF_FLOW_TABLE_INET +@@ -685,7 +685,9 @@ config NF_FLOW_TABLE_INET config NF_FLOW_TABLE tristate "Netfilter flow table module" diff --git a/target/linux/generic/backport-4.14/356-v4.18-netfilter-nf_flow_table-relax-mixed-ipv4-ipv6-flowta.patch b/target/linux/generic/backport-4.14/356-v4.18-netfilter-nf_flow_table-relax-mixed-ipv4-ipv6-flowta.patch index 7d4bdc6d8..b5fe25a1d 100644 --- a/target/linux/generic/backport-4.14/356-v4.18-netfilter-nf_flow_table-relax-mixed-ipv4-ipv6-flowta.patch +++ b/target/linux/generic/backport-4.14/356-v4.18-netfilter-nf_flow_table-relax-mixed-ipv4-ipv6-flowta.patch @@ -11,7 +11,7 @@ Signed-off-by: Felix Fietkau --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -670,8 +670,7 @@ endif # NF_TABLES +@@ -676,8 +676,7 @@ endif # NF_TABLES config NF_FLOW_TABLE_INET tristate "Netfilter flow table mixed IPv4/IPv6 module" diff --git a/target/linux/generic/backport-4.9/085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch b/target/linux/generic/backport-4.9/085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch new file mode 100644 index 000000000..ead6675e0 --- /dev/null +++ b/target/linux/generic/backport-4.9/085-v4.16-0001-i2c-gpio-Enable-working-over-slow-can_sleep-GPIOs.patch @@ -0,0 +1,84 @@ +From f11a04464ae57e8db1bb7634547842b43e36a898 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Kundr=C3=A1t?= +Date: Fri, 22 Dec 2017 22:47:16 +0100 +Subject: i2c: gpio: Enable working over slow can_sleep GPIOs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +"Slow" GPIOs (usually those connected over an SPI or an I2C bus) are, +well, slow in their operation. It is generally a good idea to avoid +using them for time-critical operation, but sometimes the hardware just +sucks, and the software has to cope. In addition to that, the I2C bus +itself does not actually define any strict timing limits; the bus is +free to go all the way down to DC. The timeouts (and therefore the +slowest acceptable frequency) are present only in SMBus. + +The `can_sleep` is IMHO a wrong concept to use here. My SPI-to-quad-UART +chip (MAX14830) is connected via a 26MHz SPI bus, and it happily drives +SCL at 200kHz (5µs pulses) during my benchmarks. That's faster than the +maximal allowed speed of the traditional I2C. + +The previous version of this code did not really block operation over +slow GPIO pins, anyway. Instead, it just resorted to printing a warning +with a backtrace each time a GPIO pin was accessed, thereby slowing +things down even more. + +Finally, it's not just me. A similar patch was originally submitted in +2015 [1]. + +[1] https://patchwork.ozlabs.org/patch/450956/ + +Signed-off-by: Jan Kundrát +Acked-by: Uwe Kleine-König +Signed-off-by: Wolfram Sang +--- + drivers/i2c/busses/i2c-gpio.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/i2c/busses/i2c-gpio.c ++++ b/drivers/i2c/busses/i2c-gpio.c +@@ -44,7 +44,7 @@ static void i2c_gpio_setsda_val(void *da + { + struct i2c_gpio_platform_data *pdata = data; + +- gpio_set_value(pdata->sda_pin, state); ++ gpio_set_value_cansleep(pdata->sda_pin, state); + } + + /* Toggle SCL by changing the direction of the pin. */ +@@ -68,21 +68,21 @@ static void i2c_gpio_setscl_val(void *da + { + struct i2c_gpio_platform_data *pdata = data; + +- gpio_set_value(pdata->scl_pin, state); ++ gpio_set_value_cansleep(pdata->scl_pin, state); + } + + static int i2c_gpio_getsda(void *data) + { + struct i2c_gpio_platform_data *pdata = data; + +- return gpio_get_value(pdata->sda_pin); ++ return gpio_get_value_cansleep(pdata->sda_pin); + } + + static int i2c_gpio_getscl(void *data) + { + struct i2c_gpio_platform_data *pdata = data; + +- return gpio_get_value(pdata->scl_pin); ++ return gpio_get_value_cansleep(pdata->scl_pin); + } + + static int of_i2c_gpio_get_pins(struct device_node *np, +@@ -175,6 +175,9 @@ static int i2c_gpio_probe(struct platfor + memcpy(pdata, dev_get_platdata(&pdev->dev), sizeof(*pdata)); + } + ++ if (gpiod_cansleep(gpio_to_desc(pdata->sda_pin)) || gpiod_cansleep(gpio_to_desc(pdata->scl_pin))) ++ dev_warn(&pdev->dev, "Slow GPIO pins might wreak havoc into I2C/SMBus bus timing"); ++ + if (pdata->sda_is_open_drain) { + gpio_direction_output(pdata->sda_pin, 1); + bit_data->setsda = i2c_gpio_setsda_val; diff --git a/target/linux/generic/backport-4.9/095-v4.13-0001-rtc-ds1307-add-ds1308-variant.patch b/target/linux/generic/backport-4.9/095-v4.13-0001-rtc-ds1307-add-ds1308-variant.patch new file mode 100644 index 000000000..963466143 --- /dev/null +++ b/target/linux/generic/backport-4.9/095-v4.13-0001-rtc-ds1307-add-ds1308-variant.patch @@ -0,0 +1,51 @@ +From 300a7735becf55f7fd18f8cd3dc3b945a0cab712 Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Thu, 8 Jun 2017 12:36:54 +0200 +Subject: rtc: ds1307: add ds1308 variant + +The ds1308 variant is very similar to the already supported ds1338 +variant, it have more debug registers and a square wave clock output. + +Signed-off-by: Sean Nyekjaer +Signed-off-by: Alexandre Belloni +--- + drivers/rtc/rtc-ds1307.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -31,6 +31,7 @@ + */ + enum ds_type { + ds_1307, ++ ds_1308, + ds_1337, + ds_1338, + ds_1339, +@@ -144,6 +145,10 @@ static struct chip_desc chips[last_ds_ty + .nvram_offset = 8, + .nvram_size = 56, + }, ++ [ds_1308] = { ++ .nvram_offset = 8, ++ .nvram_size = 56, ++ }, + [ds_1337] = { + .alarm = 1, + }, +@@ -175,6 +180,7 @@ static struct chip_desc chips[last_ds_ty + + static const struct i2c_device_id ds1307_id[] = { + { "ds1307", ds_1307 }, ++ { "ds1308", ds_1308 }, + { "ds1337", ds_1337 }, + { "ds1338", ds_1338 }, + { "ds1339", ds_1339 }, +@@ -1488,6 +1494,7 @@ read_rtc: + goto read_rtc; + } + break; ++ case ds_1308: + case ds_1338: + /* clock halted? turn it on, so clock can tick. */ + if (tmp & DS1307_BIT_CH) diff --git a/target/linux/generic/config-4.9 b/target/linux/generic/config-4.9 index fe9310bd8..77cf3b5dc 100644 --- a/target/linux/generic/config-4.9 +++ b/target/linux/generic/config-4.9 @@ -1003,8 +1003,7 @@ CONFIG_DEBUG_KERNEL=y # CONFIG_DEBUG_WX is not set # CONFIG_DEBUG_ZBOOT is not set # CONFIG_DECNET is not set -CONFIG_DEFAULT_BBR=y -# CONFIG_DEFAULT_CUBIC is not set +CONFIG_DEFAULT_CUBIC=y CONFIG_DEFAULT_DEADLINE=y CONFIG_DEFAULT_HOSTNAME="(none)" CONFIG_DEFAULT_IOSCHED="deadline" @@ -1013,8 +1012,7 @@ CONFIG_DEFAULT_MMAP_MIN_ADDR=4096 # CONFIG_DEFAULT_RENO is not set CONFIG_DEFAULT_SECURITY="" CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_DEFAULT_TCP_CONG="bbr" -# CONFIG_DEFAULT_VEGAS is not set +CONFIG_DEFAULT_TCP_CONG="cubic" CONFIG_DEFCONFIG_LIST="/lib/modules/$UNAME_RELEASE/.config" # CONFIG_DELL_RBTN is not set # CONFIG_DELL_SMO8800 is not set @@ -4507,7 +4505,7 @@ CONFIG_SYSVIPC_SYSCTL=y # CONFIG_TCG_XEN is not set # CONFIG_TCIC is not set CONFIG_TCP_CONG_ADVANCED=y -CONFIG_TCP_CONG_BBR=y +# CONFIG_TCP_CONG_BBR is not set # CONFIG_TCP_CONG_BIC is not set # CONFIG_TCP_CONG_CDG is not set CONFIG_TCP_CONG_CUBIC=y @@ -4519,10 +4517,10 @@ CONFIG_TCP_CONG_CUBIC=y # CONFIG_TCP_CONG_LP is not set # CONFIG_TCP_CONG_NV is not set # CONFIG_TCP_CONG_SCALABLE is not set -CONFIG_TCP_CONG_VEGAS=y +# CONFIG_TCP_CONG_VEGAS is not set # CONFIG_TCP_CONG_VENO is not set # CONFIG_TCP_CONG_WESTWOOD is not set -CONFIG_TCP_CONG_YEAH=y +# CONFIG_TCP_CONG_YEAH is not set # CONFIG_TCP_MD5SIG is not set # CONFIG_TCS3414 is not set # CONFIG_TCS3472 is not set diff --git a/target/linux/generic/hack-4.14/250-netfilter_depends.patch b/target/linux/generic/hack-4.14/250-netfilter_depends.patch index 264d7661c..a8fe5d417 100644 --- a/target/linux/generic/hack-4.14/250-netfilter_depends.patch +++ b/target/linux/generic/hack-4.14/250-netfilter_depends.patch @@ -9,7 +9,7 @@ Signed-off-by: Felix Fietkau --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -223,7 +223,6 @@ config NF_CONNTRACK_FTP +@@ -229,7 +229,6 @@ config NF_CONNTRACK_FTP config NF_CONNTRACK_H323 tristate "H.323 protocol support" @@ -17,7 +17,7 @@ Signed-off-by: Felix Fietkau depends on NETFILTER_ADVANCED help H.323 is a VoIP signalling protocol from ITU-T. As one of the most -@@ -1046,7 +1045,6 @@ config NETFILTER_XT_TARGET_SECMARK +@@ -1052,7 +1051,6 @@ config NETFILTER_XT_TARGET_SECMARK config NETFILTER_XT_TARGET_TCPMSS tristate '"TCPMSS" target support' diff --git a/target/linux/generic/hack-4.14/251-sound_kconfig.patch b/target/linux/generic/hack-4.14/251-sound_kconfig.patch index e1e48ce5f..5bf5c01ad 100644 --- a/target/linux/generic/hack-4.14/251-sound_kconfig.patch +++ b/target/linux/generic/hack-4.14/251-sound_kconfig.patch @@ -122,8 +122,8 @@ Signed-off-by: John Crispin - tristate + tristate "Netfilter NFNETLINK interface" - config NETFILTER_NETLINK_ACCT - tristate "Netfilter NFACCT over NFNETLINK interface" + config NETFILTER_FAMILY_BRIDGE + bool --- a/net/wireless/Kconfig +++ b/net/wireless/Kconfig @@ -1,5 +1,5 @@ diff --git a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch index 308fe0974..2044bfaeb 100644 --- a/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch +++ b/target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch @@ -8,7 +8,7 @@ Signed-off-by: Felix Fietkau --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig -@@ -75,8 +75,6 @@ config NF_TABLES_ARP +@@ -76,8 +76,6 @@ config NF_TABLES_ARP help This option enables the ARP support for nf_tables. @@ -17,7 +17,7 @@ Signed-off-by: Felix Fietkau config NF_FLOW_TABLE_IPV4 tristate "Netfilter flow table IPv4 module" depends on NF_FLOW_TABLE -@@ -85,6 +83,8 @@ config NF_FLOW_TABLE_IPV4 +@@ -86,6 +84,8 @@ config NF_FLOW_TABLE_IPV4 To compile it as a module, choose M here. @@ -47,7 +47,7 @@ Signed-off-by: Felix Fietkau depends on !NF_CONNTRACK || NF_CONNTRACK --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -665,8 +665,6 @@ config NFT_FIB_NETDEV +@@ -671,8 +671,6 @@ config NFT_FIB_NETDEV endif # NF_TABLES_NETDEV @@ -56,7 +56,7 @@ Signed-off-by: Felix Fietkau config NF_FLOW_TABLE_INET tristate "Netfilter flow table mixed IPv4/IPv6 module" depends on NF_FLOW_TABLE -@@ -675,11 +673,12 @@ config NF_FLOW_TABLE_INET +@@ -681,11 +679,12 @@ config NF_FLOW_TABLE_INET To compile it as a module, choose M here. @@ -70,7 +70,7 @@ Signed-off-by: Felix Fietkau help This option adds the flow table core infrastructure. -@@ -968,6 +967,15 @@ config NETFILTER_XT_TARGET_NOTRACK +@@ -974,6 +973,15 @@ config NETFILTER_XT_TARGET_NOTRACK depends on NETFILTER_ADVANCED select NETFILTER_XT_TARGET_CT diff --git a/target/linux/generic/pending-4.14/206-mips-disable-vdso.patch b/target/linux/generic/pending-4.14/206-mips-disable-vdso.patch deleted file mode 100644 index f3c58dcd3..000000000 --- a/target/linux/generic/pending-4.14/206-mips-disable-vdso.patch +++ /dev/null @@ -1,23 +0,0 @@ -From: Felix Fietkau -Subject: kernel: disable MIPS VDSO by default until the cache issues have been resolved - -lede-commit: 1185e645a773c86aa88cf04d0e2911dc62eb43f5 -Signed-off-by: Felix Fietkau ---- - arch/mips/vdso/Makefile | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - ---- a/arch/mips/vdso/Makefile -+++ b/arch/mips/vdso/Makefile -@@ -30,9 +30,9 @@ aflags-vdso := $(ccflags-vdso) \ - ifndef CONFIG_CPU_MIPSR6 - ifeq ($(call ld-ifversion, -lt, 225000000, y),y) - $(warning MIPS VDSO requires binutils >= 2.25) -- obj-vdso-y := $(filter-out gettimeofday.o, $(obj-vdso-y)) -- ccflags-vdso += -DDISABLE_MIPS_VDSO - endif -+ obj-vdso-y := $(filter-out gettimeofday.o, $(obj-vdso-y)) -+ ccflags-vdso += -DDISABLE_MIPS_VDSO - endif - - # VDSO linker flags. diff --git a/target/linux/generic/pending-4.14/640-netfilter-nf_flow_table-add-hardware-offload-support.patch b/target/linux/generic/pending-4.14/640-netfilter-nf_flow_table-add-hardware-offload-support.patch index e6d339283..62ba52560 100644 --- a/target/linux/generic/pending-4.14/640-netfilter-nf_flow_table-add-hardware-offload-support.patch +++ b/target/linux/generic/pending-4.14/640-netfilter-nf_flow_table-add-hardware-offload-support.patch @@ -128,7 +128,7 @@ Signed-off-by: Pablo Neira Ayuso #define NFTA_FLOWTABLE_MAX (__NFTA_FLOWTABLE_MAX - 1) --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig -@@ -686,6 +686,15 @@ config NF_FLOW_TABLE +@@ -692,6 +692,15 @@ config NF_FLOW_TABLE To compile it as a module, choose M here.