commit r30917 ("kernel: bypass all netfilter hooks if the sysctls for that
functionality have been disabled - eliminates the overhead of enabling
CONFIG_BRIDGE_NETFILTER in the kernel config") introduced an optimization
which should reduce/eliminate the overhead for traffic sent over bridges on
kernels compiled with CONFIG_BRIDGE_NETFILTER=y. But this optimization
breaks the nf_call_iptables per bridge setting which is more fine grained
than the global sysctl net.bridge.bridge-nf-call-iptables setting.
A test reflecting a real world setup was created to identify if this really
eliminates the overhead and if per-bridge nf_call_iptables could be used in
some setups to increase the throughput. A Qualcomm Atheros QCA9558 based
system with one ethernet and an ath9k wifi 3x3 in HT40 mode was used.
Cables from the AP to the wifi station were used to reduce interference
problems during the tests.
The wlan interface was put in one bridge interface called br-wlan. This
bridge usually contains some more wlan interfaces. The eth0 was put in a
second bridge called br-lan. This usually contains some other privileged
wlan or mesh interfaces. Routing was added between br-lan and br-wlan.
Three kernels were tested:
* (default) OpenWrt kernel for this device
* (brfilter-global) OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y
* (brfilter-local) OpenWrt kernel with CONFIG_BRIDGE_NETFILTER=y and
without 644-bridge_optimize_netfilter_hooks.patch
The changes to the netfilter settings of the bridge were done via:
* (brfilter-global) /sbin/sysctl -w net.bridge.bridge-nf-call-iptables=1
* (brfilter-local) echo 1 > /sys/class/net/br-lan/bridge/nf_call_iptables
and/or echo 1 > /sys/class/net/br-wan/bridge/nf_call_iptables
A station connected to the wlan0 (AP) interface was used to send traffic to
a PC connected via ethernet. iperf with 3 concurrent transmissions was used
to generate the traffic.
| kernel | br-nf-* global | nf-call* iface | download | upload |
|-----------------|----------------|----------------|----------|----------|
| default | 0 | - | 209 | 268 |
| brfilter-global | 0 | - | 185 | 243 |
| brfilter-local | 0 | - | 187 | 243 |
| brfilter-local | 0 | br-lan | 157 | 226 |
| brfilter-local | 0 | br-lan br-wlan | 139 | 161 |
| brfilter-global | 1 | - | 136 | 162 |
Download/upload results in Mibit/s
It can be seen that the patch doesn't eliminate the overhead. It can also
be seen that the throughput of brfilter-global and brfilter-local with
disabled filtering is roughly the same. Also the throughput for
brfilter-global and brfilter-local for enabled filtering on all bridges is
roughly the same.
But also the brfilter-local throughput is higher when only br-lan requires
the filtering. This setting would not be possible with
644-bridge_optimize_netfilter_hooks.patch applied and thus can only be
compared with brfilter-global and filtering enabled for all interfaces.
Signed-off-by: Sven Eckelmann <sven@open-mesh.com>
SVN-Revision: 46835
It was corrupted in r38528. The most obvious symptom is repeated messages like this:
Tue Sep 8 08:25:18 2015 kern.warn kernel: [77141.972226] br-lan: received packet on wlan0 with own address as source address
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
SVN-Revision: 46821
Everything except for blkcipher was already built-in, so make blkcipher
built-in as well.
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46820
Currently, multicast packets from an STA are sent to any according
multicast listener directly through the bridge multicast-to-unicast
feature. Unfortunately, so far this includes the originating STA, too,
resulting in multicast packets being echo'ed back to the originating STA
if it itself is a multicast listener for that group.
This behaviour breaks IPv6 duplicate address detection: An IPv6 Neighbor
Solicitation for IPv6 Duplicate Address Detection is being echo'ed back,
resulting in the host falsely detecting an address collision, which
makes the node unable to claim an IPv6 address and use IPv6 in general.
Mac80211 unfortunately only prevents the echoes for us for multicast
frames. For the multicast frames cast to a unicast destination we'll
need to take care of excluding the originator ourselves.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
SVN-Revision: 46765
Add an upstream fix for /proc/net/route causing missing routes doing
several continued reads from it.
Only 4.1+ is affected.
Closes #20403.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46726
A call to pskb_may_pull() might reallocate skb->data. Therefore we
should only assign the src-pointer after any potential reallocations.
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46721
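
Added example (not part of the commit or of the OpenWrt patch): a userspace model of the pointer-ordering problem the message above describes, with the pre-fix order beside the fixed order. `toy_skb`, `toy_may_pull()`, the helper names and the constructed 14-byte frame with a source address at offset 6 are assumptions for illustration; only `pskb_may_pull()` and `skb->data` come from the commit message.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed frame: 6-byte destination, 6-byte source, 2-byte type. */
static const unsigned char FRAME[14] = { 0x33, 0x33, 0, 0, 0, 0x01,
    0x02, 0x00, 0x5e, 0x10, 0x20, 0x30, 0x86, 0xdd };

/* Hypothetical userspace stand-in for an skb: only the first `linear`
 * bytes of FRAME are readable at `data`. */
struct toy_skb { unsigned char *data; size_t linear; };

/* Stand-in for pskb_may_pull(): make `need` bytes linear. Growing always
 * moves the buffer here, so an address taken earlier is always stale. */
static int toy_may_pull(struct toy_skb *skb, size_t need) {
    unsigned char *n;
    if (need <= skb->linear) return 1;
    if (need > sizeof(FRAME) || !(n = malloc(need))) return 0;
    memcpy(n, FRAME, need);
    free(skb->data);
    skb->data = n;
    skb->linear = need;
    return 1;
}

/* Pre-fix order: address first, pull second. Returns 1 when the early
 * address no longer matches skb->data + off (compared, never dereferenced). */
static int early_src_is_stale(struct toy_skb *skb, size_t off, size_t need) {
    uintptr_t early = (uintptr_t)skb->data + off;
    if (!toy_may_pull(skb, need)) return -1;
    return early != (uintptr_t)skb->data + off;
}

/* Fixed order: pull first, then derive the pointer and copy n bytes. */
static int src_after_pull(struct toy_skb *skb, size_t off, size_t n, unsigned char *out) {
    if (!n || n > sizeof(FRAME) || off > sizeof(FRAME) - n) return -1;
    if (!toy_may_pull(skb, off + n)) return -1;
    memcpy(out, skb->data + off, n);
    return 0;
}

int main(void) {
    struct toy_skb a = { NULL, 0 }, b = { NULL, 0 };
    unsigned char src[6];
    int ok = toy_may_pull(&a, 8) && toy_may_pull(&b, 8) &&
             early_src_is_stale(&a, 6, 12) == 1 && src_after_pull(&b, 6, 6, src) == 0;
    free(a.data); free(b.data);
    return ok ? 0 : 1;
}
```

In the model the buffer is always moved when it grows, which makes the stale address deterministic; in the kernel the reallocation only happens for some packets, so the pre-fix order fails intermittently.
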
This reverts commit a080e8e1943156168913d0353a2e99d1151102aa.
It did not fix the problem but just hid some symptom. The real issue was
that IGMP/MLD report suppression was not considered for the
multicast-to-unicast feature. A recent netifd which isolates IGMP/MLD
reports between STAs by utilizing AP-isolation and bridge-hairpinning
should have fixed this.
It is perfectly fine to apply multicast-to-unicast to IPv6 Neighbor
Solicitations, too (once that feature is configured correctly).
Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Felix Fietkau <nbd@openwrt.org>
SVN-Revision: 46720
Remove 131-MIPS-export-get_c0_perfcount_int.patch which was already applied
in 4.1.6. This fixes the following build error:
arch/mips/ath79/setup.c:217:77: error: redefinition of '__kstrtab_get_c0_perfcount_int'
arch/mips/ath79/setup.c:211:77: note: previous definition of '__kstrtab_get_c0_perfcount_int' was here
arch/mips/ath79/setup.c:217:350: error: redefinition of '__ksymtab_get_c0_perfcount_int'
arch/mips/ath79/setup.c:211:350: note: previous definition of '__ksymtab_get_c0_perfcount_int' was here
scripts/Makefile.build:258: recipe for target 'arch/mips/ath79/setup.o' failed
Reported-by: swalker
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46715
Properly treat -ENOSYS as no PHY, else ehci-orion won't work without
generic phy support.
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46711
This also clears any bootloader-set FDB defaults. This had
caused issues creating port-based VLANs when mappings
overlapped previous VLANs. Packets destined to a port
not in the default port group flooded all ports.
Tested on a 88E6171 (Linksys EA4500) and 88E6172 ('1900AC)
Signed-off-by: Claudio Leite <leitec@staticky.com>
Signed-off-by: Imre Kaloz <kaloz@openwrt.org>
SVN-Revision: 46699
no-op since 2.6.35
removed in Kernel 4.1
see https://lwn.net/Articles/380931/
Signed-off-by: Dirk Neukirchen <dirkneukirchen@web.de>
SVN-Revision: 46671
The "linux,part-probe" dts parsing is a pretty neat generic feature.
It has been posted to kernel.org and could easily be reused by all
targets.
This change moves the patch to the 3.18 and 4.1 generic folders, and
makes the feature available to all platforms who may want to use it.
Signed-off-by: Mathieu Olivari <mathieu@codeaurora.org>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46654
In addition to the update this also fixes compile problems with kernel 4.1.
This closes #20323.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46609
This patch was missing for kernel 4.0 and 4.1 in r46464. I also
replaced the version in OpenWrt with the version which went upstream
into the Linux mainline kernel.
This closes #20193 and #20192
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 46493
REGMAP_MMIO is a hidden symbol, so it cannot be directly selected. If nothing
selects it, it will fail the build with:
ERROR: module '/store/buildbot/slave/slave/rb532/build/build_dir/target-mipsel_mips32_musl-1.1.10/linux-rb532/linux-3.18.19/drivers/base/regmap/regmap-mmio.ko' is missing.
make[2]: *** [/store/buildbot/slave/slave/rb532/build/bin/rb532/packages/base/kmod-regmap_3.18.19-1_rb532.ipk] Error 1
Fix this by adding a description to allow selecting it manually.
Fixes: r46451 ("kmod-regmap: enable MMIO support")
Signed-off-by: Jonas Gorski <jogo@openwrt.org>
SVN-Revision: 46485
NCM specs are not actually mandating a specific position in the frame for
the NDP (Network Datagram Pointer). However, some Huawei devices will
ignore our aggregates if it is not placed after the datagrams it points
to. Add support for doing just this, in a per-device configurable way.
While at it, update NCM subdrivers, disabling this functionality in all of
them, except in huawei_cdc_ncm where it is enabled instead.
We aren't making any distinction between different Huawei NCM devices,
based on what the vendor driver does. Standard NCM devices are left
unaffected: if they are compliant, they should be always usable, still
stay on the safe side.
This change has been tested and working with a Huawei E3131 device (which
works regardless of NDP position) and an E3372 device (which mandates NDP
to be after indexed datagrams).
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: Matti Laakso <malaakso@elisanet.fi>
SVN-Revision: 46464
If a link goes down, don't flush the complete ARL table.
Only flush the entries for the respective port.
Don't touch ARL table if a link goes up.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
SVN-Revision: 46381
Adds functions for flushing ARL table entries per port.
Successfully tested on AR8327. Implementation for AR8216/AR8236/AR8316
is based on the AR8236 datasheet and assumes that the three chips
share a common ATU register layout.
Compile-tested only for AR8216/AR8236/AR8316.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
SVN-Revision: 46380
Adds the chip-specific part of reading ARL table for AR8216/AR8236/AR8316.
It's based on the AR8236 datasheet and compile-tested only as I couldn't
find datasheets for AR8216/AR8316 and don't own devices with these chips.
The existing ar8216_atu_flush implementation was used for all three
chip types, therefore I guess they share a common ATU register layout.
More testing would be appreciated.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
SVN-Revision: 46379
To improve reproducibility, prevent the inclusion of timestamps
in the gzip header.
Signed-off-by: Reiner Herrmann <reiner@reiner-h.de>
SVN-Revision: 46361