Commit b7265c59ab ("kernel: backport a series of netfilter cleanup
patches to 4.14") added patch 302-netfilter-nf_tables_inet-don-t-use-
multihook-infrast.patch. That patch switches the netfilter core in the
kernel to use the new native NFPROTO_INET support. Unfortunately, the
new native NFPROTO_INET support does not exist in 4.14 and was not
backported along with this patchset. As such, nftables inet tables never
see any traffic.
As an example the following nft counter rule should increment for every
packet coming into the box, but never will:
nft add table inet foo
nft add chain inet foo bar { type filter hook input priority 0\; }
nft add rule inet foo bar counter
This commit pulls in the required backport patches to add the new
native NFPROTO_INET support, and thus restore nftables inet table
functionality.
Tested on Turris Omnia (mvebu)
Fixes: b7265c59ab ("kernel: backport a series of netfilter cleanup ...")
Signed-off-by: Brett Mastbergen <bmastbergen@untangle.com>
By default the RPS delegation will happen by masking the last few bits of
skb->hash. This patch adds an inermediate hash bucket that maps the masked
hash to a RPS core. This makes RPS results much more deterministic on SMP
systems.
Signed-off-by: John Crispin <john@phrozen.org>
Jonas Gorski commented on the previous patch:
|This is actually the wrong fix and papers over an issue in one of our
|local patches.
|
|We intentionally allow regmap to be built as a module, see
|
|/target/linux/generic/hack-4.14/259-regmap_dynamic.patch
|[...]
|[The regulator code] optionally supports regmap thanks to the stubs
|provided if regmap is disabled - which breaks if you compile regmap
|as a module.
In order to mitigate this issue, this patch reverts the previous patch
and replaces the existing IS_ENABLED(CONFIG_REGMAP) with
IS_REACHABLE(CONFIG_REGMAP). This solves this particular issue as the
regulator code will now automatically fallback to the regmap stubs in
case the kmod-regmap module is enabled, but nothing else sets
CONFIG_REGMAP=y.
Note: There's still a potential issue that this patch doesn't solve:
If someone ever wants to make a OpenWrt kernel package for a
regulator module that requires the REGMAP feature for a target that
doesn't set CONFIG_REGMAP=y but has CONFIG_REGULATOR=y, the resulting
kmod-regulator-xyz package will not work on the target.
Luckily, there aren't any in-tree OpenWrt kernel module packages for
regulators at the moment. On the bright side: regmap is a critical
part nowadays and all new and upcoming architectures require it by
default. This will likely only ever be a problem for legacy targets
and devices that cannot afford to enable REGMAP.
Cc: Jonas Gorski <jonas.gorski@gmail.com>
Cc: John Crispin <john@phrozen.org>
Fixes: d00913d121 ("kernel: modules: fix kmod-regmap")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Newer kernels have a patch that implements compatible functionality
directly. Adjust the attribute of our own patch in preparation for
dropping it later
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Rereshed all patches
Reworked patches to match upstream:
335-v4.16-netfilter-nf_tables-add-single-table-list-for-all-fa.patch
Compile-tested on: cns3xxx, imx6, x86_64
Runtime-tested on: cns3xxx, imx6, x86_64
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
The sender domain has a DMARC Reject/Quarantine policy which disallows
sending mailing list messages using the original "From" header.
To mitigate this problem, the original message has been wrapped
automatically by the mailing list software.
Refresh patches.
Remove patch that can be reverse applied:
mvebu/patches-4.14/530-ATA-ahci_mvebu-enable-stop_engine-override.patch
mvebu/patches-4.14/531-ATA-ahci_mvebu-pmp-stop-errata-226.patch
Update patch that no longer applied:
ipq806x/patches-4.14/0035-clk-mux-Split-out-register-accessors-for-reuse.patch
Compiled-tested-for: lantiq, ramips
Run-tested-on: lantiq BT hh5a, ramips MIR3g
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Tested-by: Michael Yartys <michael.yartys@protonmail.com>
Tested-by: Rosen Penev <rosenp@gmail.com>
- avoid using garbage stack values as dst pointer if lookup fails
- provide the source address for ipv6 dst lookup
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Right patch version this time, sorry!
* Patch 180-usb-xhci-add-support-for-performing-fake-doorbell.patch had to be adjusted slightly because of upstream adapted code.
* Refreshed patches.
Compile-tested: ramips/mt7621, x86/64
Run-tested: ramips/mt7621, x86/64
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Tested-by: Rosen Penev <rosenp@gmail.com>
Optimize the compiler output for larger cache blast cases that are
common for DMA-based networking.
On ar71xx, I measured a routing throughput increase of ~8%
Signed-off-by: Ben Menchaca <ben.menchaca@qca.qualcomm.com>
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch bumps the 4.14 kernel to .23.
- Refreshed patches.
- Deleted bcm53xx/patches-4.14/089-PCI-iproc-Fix-NULL-pointer-dereference-for-BCMA.patch. Has been accepted upstream.
- Deleted generic/pending-4.14/821-usb-Remove-annoying-warning-about-bogus-URB.patch. The upstream URB code was changed,
the patch no longer applies. I discussed this with the patch author and removed it for now, we'll see how it goes.
Compile-tested on: ramips/mt7621, x86/64
Run-tested on: ramips/mt7621, x86/64
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
This makes it possible to add an iptables rule that offloads routing/NAT
packet processing to a software fast path. This fast path is much
quicker than running packets through the regular tables/chains.
Requires Linux 4.14
Signed-off-by: Felix Fietkau <nbd@nbd.name>
- removed upstreamed patches
- 0901-spansion_nand_id_fix.patch is disabled, not clear if it's needed
Signed-off-by: Roman Yeryomin <roman@advem.lv>
Signed-off-by: John Crispin <john@phrozen.org>
Locally generated packets weren't forwarded to the isolated interfaces in a
bridge. Isolation should only prevent the flooding of incomming packets to
other interfaces in the bridge.
Signed-off-by: Daniel Danzberger <daniel@dd-wrt.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Rename unwinder config symbols to match upstream changes.
Refresh patches.
Update patch that no longer applies: 202-reduce_module_size.patch
Also enable CONFIG_PAGE_TABLE_ISOLATION. This feature was backported
from 4.15 to the 4.14 stable series. It is enabled by default, so enable
it in OpenWrt as well.
Compile-tested on x86/64.
Runtime-tested on x86/64.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Remove a stray -Wp left in host_c_flags causing build failures for newer
4.14 versions.
Reported-by: Michael Marley <michael@michaelmarley.com>
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
This adds initial support for kernel 4.14 based on the patches for
kernel 4.9.
In the configuration I deactivated some of the new possible security
features like:
CONFIG_REFCOUNT_FULL
CONFIG_SLAB_FREELIST_HARDENED
CONFIG_SOFTLOCKUP_DETECTOR
CONFIG_WARN_ALL_UNSEEDED_RANDOM
And these overlay FS options are also deactivated:
CONFIG_OVERLAY_FS_INDEX
CONFIG_OVERLAY_FS_REDIRECT_DIR
I activated this:
CONFIG_FORTIFY_SOURCE
CONFIG_POSIX_TIMERS
CONFIG_SLAB_MERGE_DEFAULT
CONFIG_WATCHDOG_HANDLE_BOOT_ENABLED
I am not sure if I did the porting correct for the following patches:
target/linux/generic/backport-4.14/020-backport_netfilter_rtcache.patch
target/linux/generic/hack-4.14/220-gc_sections.patch
target/linux/generic/hack-4.14/321-powerpc_crtsavres_prereq.patch
target/linux/generic/pending-4.14/305-mips_module_reloc.patch
target/linux/generic/pending-4.14/611-netfilter_match_bypass_default_table.patch
target/linux/generic/pending-4.14/680-NET-skip-GRO-for-foreign-MAC-addresses.patch
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>