Rpi 6.18.y: Add NETFILTER_XTABLES_LEGACY to the configs to build iptables #7213
6by9 wants to merge 635 commits into raspberrypi:rpi-6.18.y
Offset the backend dev-nodes starting at /dev/video20 onwards to maintain backward compatibility with the pre-upstreamed kernel driver. Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
Add YAML device tree bindings for the Raspberry Pi RP2040 GPIO Bridge. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
The Raspberry Pi RP2040 GPIO bridge is an I2C-attached device exposing both a Tx-only SPI controller, and a GPIO controller. Due to the relative difference in transfer rates between standard-mode I2C and SPI, the GPIO bridge makes use of 12 MiB of non-volatile storage to cache repeated transfers. This cache is arranged in ~8 KiB blocks and is addressed by the MD5 digest of the data contained therein. Optionally, this driver is able to take advantage of Raspberry Pi RP1 GPIOs to achieve faster than I2C data transfer rates. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
spi: rp2040-gpio-bridge: Add debugfs progress indicator Useful for tracking upload progress via userspace. Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
spi: rp2040-gpio-bridge: add missing MD5 dependency rp2040-gpio-bridge relies on the md5 crypto driver. This dependency cannot be determined automatically as rp2040-gpio-bridge does not use any of md5's symbols directly. Declare a soft 'pre' dependency on md5 to ensure that it is included and loaded before rp2040-gpio-bridge. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
spi: rp2040-gpio-bridge: fix gpiod error handling In some circumstances, devm_gpiod_get_array_optional() can return PTR_ERR rather than NULL to indicate failure. Handle these cases. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
spi: rp2040-gpio-bridge: probe: Cfg fast_xfer clk Fast transfer mode requires that the first bit of data is clocked with a rising edge. This can cause extra bits of data to be clocked on hardware where the clock signal uses a pull-up. This change ensures that clk is driven low before fast data transfer mode is entered. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
The snps,block-size DT property declares the maximum block size for each channel of the dw-axi-dmac. However, the driver ignores these when setting max_seg_size and uses MAX_BLOCK_SIZE (4096) instead. To take advantage of the efficiencies of larger blocks, calculate the minimum block size across all channels and use that instead. See: raspberrypi#6256 Signed-off-by: Phil Elwell <phil@raspberrypi.com>
The firmware advertises its features as a string of words separated by spaces. Ensure that feature names are only matched in their entirety. Signed-off-by: Phil Elwell <phil@raspberrypi.com>
The Cypress firmwares use "extsae" to indicate wpa_supplicant-hosted SAE/WPA3. Signed-off-by: Phil Elwell <phil@raspberrypi.com>
support sae executed in wpa_supplicant and offload 4-way handshake offload. Signed-off-by: Chien-Chia Chen <carella.chen@infineon.com> JIRA: SWWLAN-142424
TMOD_TO is the transmit-only mode that doesn't put data into the receive FIFO. Using TMOD_TO when the user doesn't want the received data saves CPU time and memory bandwidth. Signed-off-by: Phil Elwell <phil@raspberrypi.com>
TMOD_RO is the receive-only mode that doesn't require data in the transmit FIFO in order to generate clock cycles. Using TMOD_RO when the device doesn't care about the data sent to it saves CPU time and memory bandwidth. Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Disabling the peripheral resets controller state which has a dangerous side-effect of disabling the DMA handshake interface while it is active. This can cause DMA channels to hang. The error recovery pathway will wait for DMA to stop and reset the chip anyway, so mask further FIFO interrupts and let the transfer finish gracefully. Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
There's no real need to constrain MEM access widths to 32-bit (or narrower), as the DMAC is intelligent enough to size memory accesses appropriately. Wider accesses are more efficient. Similarly, MEM burst lengths don't need to be a function of DEV burst lengths - the DMAC packs/unpacks data into/from its internal channel FIFOs appropriately. Longer accesses are more efficient. However, the DMAC doesn't have complete support for unaligned accesses, and blocks are always defined in integer multiples of SRC_WIDTH, so odd source lengths or buffer alignments will prevent wide accesses being used, as before. There is an implicit requirement to limit requested DEV read burst lengths to less than the hardware's maximum configured MSIZE - otherwise RX data will be left over at the end of a block. There is no config register that reports this value, so the AXI burst length parameter is used to produce a facsimile of it. Warn if such a request arrives that doesn't respect this. Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
Do an end-run around ASoC in lieu of not being able to easily find the associated DMA controller capabilities. Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
Ensure the transmit FIFO has emptied before ending the transfer by dropping the TX threshold to 0 when the last byte has been pushed into the FIFO. Include a similar fix for the non-IRQ paths. See: raspberrypi#6285 Fixes: 6014649 ("spi: dw: Save bandwidth with the TMOD_TO feature") Signed-off-by: Phil Elwell <phil@raspberrypi.com>
The DW SPI interface has a 16-bit clock divider, where the bottom bit of the divisor must be 0. Limit how low the clock speed can go to prevent the clock divider from being truncated, as that could lead to a much higher clock rate than requested. Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Signed-off-by: Phil Elwell <phil@raspberrypi.com>
In the same way that other subsystems support the setting of device id numbers from Device Tree aliases, allow gpiochip numbers to be derived from "gpiochip<n>" aliases. Signed-off-by: Phil Elwell <phil@raspberrypi.com>
Although later functions can handle a NULL fwnode, fwnode can't handle being passed a NULL pointer. See: raspberrypi#6305 Signed-off-by: Phil Elwell <phil@raspberrypi.com>
The check if the oscillator stop bit is set was reading from Control_1 register instead of the Seconds register. This caused the Seconds register to be incorrectly changed if bit 7 of Control_1 happens to be set. Signed-off-by: Axel Hammarberg <axel.hammarberg@gmail.com>
Add YAML device tree binding for the Sony IMX500 CMOS image sensor / CNN inference engine. Also, add a MAINTAINERS entry. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
The Sony IMX500 is a stacked 1/2.3-inch CMOS digital image sensor and inbuilt AI processor with an active array CNN (Convolutional Neural Network) inference engine. The native sensor size is 4056H x 3040V, and the module also contains an in-built ISP for the CNN. The module is programmable through an I2C interface with firmware and neural network uploads being made over SPI. This driver supports imaging only. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
media: i2c: imx500: Inbuilt AI processor support Add support for the IMX500's inbuilt AI processor. The IMX500 program loader, AI processor firmware, DNN weights are accessed via the kernel's firmware interface on 'open' and are transferred to the IMX500 over SPI. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
media: i2c: imx500: Enable LED during SPI transfers The Raspberry Pi 'AI Camera' is equipped with an LED. Enable this LED during SPI transfers to indicate to the end-user that progress is being made during large transfers. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
drivers: media: imx500: Fixes for vblank control Reduce the default/max framerate of the 2x2 binned mode to 30fps. The current limit of 50fps can cause the sensor to produce corrupt frames and cause missing framing events. Also fixup the vblank control min/max/default/step parameters when setting up. Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
drivers: media: imx500: Simplify the vblank control init Set the VBLANK control minimum and default values to IMX500_VBLANK_MIN unconditionally everywhere. Remove the mode specific framerate_default parameter, it is now unused. Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
drivers: media: imx500: Enable LS correction This correction is calibrated to approx 5000K. Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
imx500: Fix for long exposure setup The IMX500 (unlike the IMX477/IMX708) requires two registers to be set for the exposure shift value to work correctly. The additional register write (which was missing) is for the integration time shift. Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
drivers: media: imx500: Enable sensor temperature monitoring The register needs to be disabled before loading any firmware, otherwise the upload fails for unknown reasons. Re-enable before starting the sensor streaming. Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
drivers: media: imx500: Add device id readback control Add a new custom control V4L2_CID_USER_GET_IMX500_DEVICE_ID to allow userland to query the device id from the IMX500 sensor eeprom. Note that this device id can only be accessed when a network firmware has been uploaded to the device, so cannot be cached on probe. Signed-off-by: Naushir Patuck <naush@raspberrypi.com>
media: i2c: imx500: pm_runtime error paths This change amends various error-paths in imx500_start_streaming() to ensure that pm_runtime refcounts do not remain erroneously incremented on failure. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
media: i2c: imx500: GPIO acquire/release semantics When the imx500 driver is used as part of the 'AI Camera', the poweroff state is never reached as the camera and gpio driver share a regulator. By releasing the GPIOs when they are not in use, 'AI Camera' is able to achieve a powered-down state. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
media: i2c: imx500: input tensor injection Input tensor injection is a debug feature that allows a user-controlled input to be passed directly to IMX500's inference engine (bypassing the in-built ISP).
Three new custom controls are added to ENABLE_INJECTION before streaming begins, to provide appropriate input tensors via an INPUT_TENSOR_FD, and to provide notification of DNN results in the sensor output via INJECTION_CMP_FRM. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
Add EXPORT_SYMBOL_GPL() for find_cpio_data() so that loadable modules may also parse uncompressed cpio. Signed-off-by: Richard Oliver <richard.oliver@raspberrypi.com>
The i.MX8MP makes calls on its source device to determine the link-frequency that should be configured on the CSI2 receiver. When the source is behind a video mux, we need to pass this call through to the connected device. Map the control handler of the source device to the video-mux, essentially proxying all controls on the mux to the device which has its link enabled. Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
system_heap.max_order=<uint> Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Add numa_policy kernel argument to allow overriding the kernel's default NUMA policy at boot time. Syntax identical to what tmpfs accepts as its mpol argument is accepted. Some examples: numa_policy=interleave numa_policy=interleave=skip-interleave numa_policy=bind:0-3,5,7,9-15 numa_policy=bind=static:1-2 Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
... Make sure CMA zones do not straddle the emulated NUMA nodes ... Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
…ed allocations Add iommu_dma_numa_policy= kernel parameter which can be used to modify the NUMA allocation policy of remapped buffer allocations. Policy is only used for devices which are not associated with a NUMA node. Syntax identical to what tmpfs accepts as its mpol argument is accepted. Some examples: iommu_dma_numa_policy=interleave iommu_dma_numa_policy=interleave=skip-interleave iommu_dma_numa_policy=bind:0-3,5,7,9-15 iommu_dma_numa_policy=bind=static:1-2 Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
To help work around certain memory controller limitations or similar, a random NUMA allocation memory policy is added. Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Some apps like linpack use numa_setpolicy to disable numa, but that tends to have a significant performance hit for us. If you have a cmdline.txt setting of numa_policy (to something other than default), then let's ignore runtime changes and stick with the cmdline.txt setting. Not specifying numa_setpolicy in cmdline, or setting numa_setpolicy=default(*) will allow runtime settings to work. (*) easier to do when numa_setpolicy=interleave is set in DT. Ignore logging for the first 40 seconds as there are some expected switches during boot. Signed-off-by: Dom Cobley <popcornmix@gmail.com>
Show process name in set_mempolicy() ignored message Signed-off-by: Trevor Man <tman_github@trejan.com>
As a workaround (and possibly a fix) for CPU spins observed on BCM2837, use ptep_clear_flush_young instead of ptep_test_and_clear_young inside lru_gen_look_around in order to expose PTE changes to the MMU. Note that on architectures that don't require an explicit flush, ptep_clear_flush_young just calls ptep_test_and_clear_young. Signed-off-by: Phil Elwell <phil@raspberrypi.com>
A user has reported that a card of this model from late 2021 doesn't work, so extend the date range and make it match on all card sizes. Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
commit ca042de upstream. Switch from s_stream to enable_streams and disable_streams callbacks. Reviewed-by: Kieran Bingham <kieran.bingham@ideasonboard.com> Signed-off-by: Jai Luthra <jai.luthra@ideasonboard.com> Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Hans Verkuil <hverkuil+cisco@kernel.org>
The buffer address needs to be for the last line of the image if vertically flipped. The main commit code was handling this, but the async path wasn't. Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
…nfigs Build CONFIG_VIDEO_VD56G3 and CONFIG_VIDEO_VD55G1 as module by default. Signed-off-by: Benjamin Mugnier <benjamin.mugnier@foss.st.com>
Provide two device trees : vd56g3 is monochrome, while vd66gy is RGB. Factorize most of the definitions in vd56g3_vd66gy-overlay.dtsi and describe the overlays in README. Support both cam0 and cam1 interfaces with raspberry pi __overrides__ mechanism. Signed-off-by: Benjamin Mugnier <benjamin.mugnier@foss.st.com>
Provide two device trees : vd55g1 is monochrome, while vd65g4 is RGB. Factorize most of the definitions in vd55g1_vd65g4-overlay.dtsi and describe the overlays in README. Support both cam0 and cam1 interfaces with raspberry pi __overrides__ mechanism. Signed-off-by: Benjamin Mugnier <benjamin.mugnier@foss.st.com>
MMU error messages are useful to help developers quickly identify issues in userspace graphics drivers, but always printing them can swamp the kernel log. Add a module parameter, ``debug_mmu``, to gate MMU error logging. Logging is disabled by default and can be enabled when needed with ``v3d.debug_mmu=1``. Signed-off-by: Maíra Canal <mairacanal@riseup.net>
pl011_axi_probe was missing the equivalent hrtimer initialisation from commit 2c1fd53 ("serial: amba-pl011: Fix RTS handling in RS485 mode") and commit 8cb4418 ("serial: amba-pl011: Switch to use hrtimer_setup()") resulting in the kernel blowing up as soon as pl011_rs485_stop_tx tried to use them. Add the hrtimer initialisation. Fixes: 120c89e ("serial: pl011: rp1 uart support") Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Enable support for the MediaTek MT7925E PCIe Wi-Fi 7 interface. Contributed by GitHub user @f-io. See: raspberrypi#7046 (comment) Signed-off-by: Phil Elwell <phil@raspberrypi.com>
This adds a new driver for complex, multi-channel soundcards. The cards have their own management using an onboard MCU for clock generation and controls of various DACs or ADCs. Data provided by the MCU's register via I2C allows flexible configuration of a number of DAC and ADC channels, volumes, gain settings and other functions like mute and filter settings. Signed-off-by: j-schambacher <joerg@hifiberry.com>
Adds two overlays for clock consumer and provider mode. Only compatible with Pi 5 (bcm2712). Signed-off-by: j-schambacher <joerg@hifiberry.com>
Adding the Studio DAC8x to the bcm2711 and bcm2712 defconfigs. Signed-off-by: j-schambacher <joerg@hifiberry.com>
The lz4hc module is required to support bcachefs-tools dkms builds.
…a 24" This reverts commit 1a651cb.
This reverts commit 6bd5419.
The BCM2711 and BCM2712 SoCs used on Raspberry Pi 4 and Raspberry Pi 5 boards include an HEVC decoder block. Add a driver for it. Signed-off-by: John Cox <john.cox@raspberrypi.com> Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Upstream will take the multi-planar SAND format, but add back in the downstream single planar variant for backwards compatibility Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
To avoid user complaints that /dev/video0 isn't their USB webcam, add downstream patch that allows setting the preferred video device number. Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>
Signed-off-by: Dave Stevenson <dave.stevenson@raspberrypi.com>

Needing to double check the options - iptables.ko.xz doesn't appear to have got built for me.

Doh, helps to search for

My reading was that iptables on Debian uses nftables under the hood, so I don't know if this is necessary (but I admit this is untested).
| CONFIG_NF_FLOW_TABLE_INET=m | ||
| CONFIG_NF_FLOW_TABLE=m | ||
| CONFIG_NETFILTER_XTABLES_COMPAT=y | ||
| CONFIG_NETFILTER_XTABLES_LEGACY=y |
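Review bot: CONFIG_NETFILTER_XTABLES_LEGACY=y on the last line of this hunk has no effect in a config that also selects PREEMPT_RT, because the symbol carries "depends on !PREEMPT_RT" (quoted in the review comment that follows). Name in the commit message which defconfigs are meant to gain the legacy tables, and leave the line out of any PREEMPT_RT config so the file does not suggest a feature the build will silently drop.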
This is a no-op, NETFILTER_XTABLES_LEGACY isn't compatible with PREEMPT_RT
https://github.com/raspberrypi/linux/blob/rpi-6.18.y/net/netfilter/Kconfig#L761-L769
config NETFILTER_XTABLES_LEGACY
    bool "Netfilter legacy tables support"
    depends on !PREEMPT_RT
    help
      Say Y here if you still require support for legacy tables. This is
      required by the legacy tools (iptables-legacy) and is not needed if
      you use iptables over nftables (iptables-nft).
      Legacy support is not limited to IP, it also includes EBTABLES and
      ARPTABLES.
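
The reviewer's point above (the option is a no-op under PREEMPT_RT), as an added shell example that is not part of the PR: it reads a defconfig and a resolved .config and reports whether the request for legacy xtables can take effect, and which requested symbols were dropped. The function names, file names and sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR: does a request for
# NETFILTER_XTABLES_LEGACY survive its "depends on !PREEMPT_RT"?

# cfg_value FILE SYMBOL -> prints y or m, or n when the symbol is unset/absent
cfg_value() {
    v=$(sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" "$1" | tail -n 1)
    echo "${v:-n}"
}

# xtables_legacy_status FILE -> prints effective, no-op or absent
xtables_legacy_status() {
    if [ "$(cfg_value "$1" NETFILTER_XTABLES_LEGACY)" != y ]; then
        echo absent       # legacy tables not requested: iptables-nft only
    elif [ "$(cfg_value "$1" PREEMPT_RT)" = y ]; then
        echo no-op        # dependency fails, Kconfig drops the symbol
    else
        echo effective
    fi
}

# dropped_symbols DEFCONFIG DOTCONFIG -> prints every symbol the defconfig
# requests as =y/=m that the resolved .config does not carry with that value
dropped_symbols() {
    sed -n 's/^CONFIG_\([A-Za-z0-9_]*\)=\([ym]\)$/\1 \2/p' "$1" |
    while read -r sym want; do
        [ "$(cfg_value "$2" "$sym")" = "$want" ] || echo "$sym"
    done
}

# --- constructed sample inputs (hypothetical file names and contents) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/rt_defconfig" <<'EOF'
CONFIG_PREEMPT_RT=y
CONFIG_NF_FLOW_TABLE=m
CONFIG_NETFILTER_XTABLES_LEGACY=y
EOF
# What a resolved .config looks like once the unmet dependency is applied
cat > "$SAMPLE_DIR/rt_dotconfig" <<'EOF'
CONFIG_PREEMPT_RT=y
CONFIG_NF_FLOW_TABLE=m
EOF
cat > "$SAMPLE_DIR/std_defconfig" <<'EOF'
# CONFIG_PREEMPT_RT is not set
CONFIG_NF_FLOW_TABLE=m
CONFIG_NETFILTER_XTABLES_LEGACY=y
EOF

for f in rt_defconfig rt_dotconfig std_defconfig; do
    echo "$f: $(xtables_legacy_status "$SAMPLE_DIR/$f")"
done
echo "dropped on RT: $(dropped_symbols "$SAMPLE_DIR/rt_defconfig" "$SAMPLE_DIR/rt_dotconfig")"
```

On a real tree, point `dropped_symbols` at the defconfig and at the `.config` produced by building from it; any symbol it prints was requested but did not survive dependency resolution.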

Personally I see the absence of the legacy iptables stack as a bonus as it means you can't accidentally use it at the same time as the modern nftables stack - which is possible but strongly discouraged as it can result in rather unpredictable behaviour and hard to diagnose issues. As more and more programs move away from legacy iptables (eg systemd dropped iptables support in v259) nftables will be used on more systems as well and the chance of mixing both stacks increases. iptables-nft (which is the default on Debian for ages if you enter "iptables") provides a nice bridge for legacy programs (eg docker comes to mind), but even if iptables defaults to the nft backend programs can still add legacy rules directly via the kernel API - absence of the legacy API prevents that and usually results in easy to spot error messages. Note that this is my very personal opinion on that topic and I'm not saying you should not enable the legacy stack (eg upstream Debian still has it enabled in kernel 6.18) - that's entirely up to you to decide

I'd also prefer not to enable it, however if large VPN providers like NordVPN are still sticking to using legacy iptables then there's little other option. NordSecurity/nordvpn-linux#467 I'm hoping popcornmix is right that iptables-nft (as provided by the iptables package) provides the relevant access but on top of nftables, however it's not an area I know much about.

Yes, popcornmix is right, iptables-nft does the job - I've been using that for ages
4528fbb to 5705c7f
https://forums.raspberrypi.com/viewtopic.php?p=2360609#p2360609
Various VPN providers (notably NordVPN) appear still to be sticking with iptables, despite it being replaced by nftables since Buster (2019).
6.17 moved the kernel modules behind NETFILTER_XTABLES_LEGACY, so enable the legacy path.