git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit
linux-yocto/6.6: nftables: ptest and cleanup tweaks
author Bruce Ashfield <bruce.ashfield@gmail.com>
Thu, 28 Mar 2024 18:43:02 +0000 (14:43 -0400)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Sat, 30 Mar 2024 22:18:39 +0000 (22:18 +0000)
commit ee8e8b75fd9a3fb33de2c280f64ed0d38dd67cfb
tree 37655cac9e0956f4f736ffe773d8fd26b288adae
parent 1334de8faf8de3c3be681586e4be27478875253a
linux-yocto/6.6: nftables: ptest and cleanup tweaks

Integrating the following commit(s) to linux-yocto/.:

1/2 [
    Author: William Lyu
    Email: William.Lyu@windriver.com
    Subject: features/nf_tables: nft_objref is now builtin
    Date: Wed, 27 Mar 2024 08:52:14 -0700

    Starting from kernel v6.2 (including all rc versions),
    CONFIG_NFT_OBJREF has become builtin and cannot be disabled [1]. So,
    this configure option is removed from nf_tables.cfg.

    References
    [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d037abc2414b4539401e0e6aa278bedc4628ad69

Signed-off-by: William Lyu <William.Lyu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
]

2/2 [
    Author: William Lyu
    Email: William.Lyu@windriver.com
    Subject: features/nf_tables: Add net_fib_* options for greater ptest coverage
    Date: Wed, 27 Mar 2024 08:52:15 -0700

    Several nftables ptest testcases failed due to missing features. The
    following kernel configuration options are added as part of the missing
    features:

    -   NFT_FIB_INET (tristate "Netfilter nf_tables fib inet support")
        This option allows using the FIB expression from the inet table.
        The lookup will be delegated to the IPv4 or IPv6 FIB depending
        on the protocol of the packet.

    -   NFT_FIB_IPV4 (tristate "nf_tables fib / ip route lookup support")
        This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
        It also allows query of the FIB for the route type, e.g. local, unicast,
        multicast or blackhole.

    -   NFT_FIB_IPV6 (tristate "nf_tables fib / ipv6 route lookup support")
        This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
        It also allows query of the FIB for the route type, e.g. local, unicast,
        multicast or blackhole.

    Adding the three kernel configuration options above makes the following
    ptest testcases pass:

    -   tests/shell/testcases/parsing/large_rule_pipe
        Previously failed due to using rule:
            meta nfproto ipv6 fib saddr . iif oif missing drop
    -   tests/shell/testcases/nft-f/sample-ruleset
        Previously failed due to using rules:
            fib saddr . iif oif eq 0 counter drop
            fib daddr type { broadcast, multicast, anycast } counter drop
            fib daddr type { broadcast, multicast, anycast } counter drop
            fib daddr type { broadcast, multicast, anycast } counter drop
    -   tests/shell/testcases/optimizations/ruleset
        Previously failed due to using rule:
            fib daddr type broadcast  drop

Signed-off-by: William Lyu <William.Lyu@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
]

Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/recipes-kernel/linux/linux-yocto-rt_6.6.bb
meta/recipes-kernel/linux/linux-yocto-tiny_6.6.bb
meta/recipes-kernel/linux/linux-yocto_6.6.bb
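
The dependency described in commit 2/2 can be checked before a ruleset is loaded. The following is an added example, not part of this commit or of linux-yocto: it derives the NFT_FIB_* symbols a ruleset needs from the family of each table containing a `fib` expression and compares them against a kernel `.config`. The function names and sample files are hypothetical, and the inet mapping assumes the upstream Kconfig dependency of NFT_FIB_INET on both NFT_FIB_IPV4 and NFT_FIB_IPV6.

```shell
# Added example: preflight check for fib support (hypothetical helper names).

# opt_enabled CONFIG SYMBOL: true if the tristate symbol is =y or =m.
opt_enabled() {
    grep -Eq "^CONFIG_$2=[ym]\$" "$1"
}

# fib_opts_needed RULESET: print the NFT_FIB_* symbols a ruleset requires,
# chosen by the family of each table that contains a fib expression.
fib_opts_needed() {
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        $1 == "table" {
            # "table filter {" without a family keyword defaults to ip
            fam = ($2 ~ /^(ip|ip6|inet|arp|bridge|netdev)$/) ? $2 : "ip"
        }
        /(^|[ \t])fib[ \t]+(saddr|daddr)/ {
            if (fam == "ip"  || fam == "inet") need["NFT_FIB_IPV4"] = 1
            if (fam == "ip6" || fam == "inet") need["NFT_FIB_IPV6"] = 1
            if (fam == "inet")                 need["NFT_FIB_INET"] = 1
        }
        END { for (s in need) print s }
    ' "$1" | sort
}

# missing_fib_opts CONFIG RULESET: print required symbols that are not enabled.
missing_fib_opts() {
    for sym in $(fib_opts_needed "$2"); do
        opt_enabled "$1" "$sym" || echo "$sym"
    done
}

# Constructed sample input: an inet table using two rules quoted in the commit
# message, and a .config in which only the IPv4 fib module is enabled.
write_samples() {
    cat > "$1/ruleset.nft" <<'EOF'
table inet filter {
    chain input {
        fib saddr . iif oif eq 0 counter drop
        fib daddr type { broadcast, multicast, anycast } counter drop
    }
}
EOF
    cat > "$1/config" <<'EOF'
CONFIG_NFT_FIB_IPV4=m
# CONFIG_NFT_FIB_IPV6 is not set
EOF
}
```

Empty output from `missing_fib_opts` means every `fib` rule in the ruleset has kernel support; any symbol printed points at a reverse-path or address-type filter that the kernel cannot evaluate.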