* [PATCH nf-next 0/4] netfilter: nf_flow_table_offload: support tunnel match
From: wenxu @ 2019-11-15 12:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
This patch set provides tunnel offload based on route lwtunnel.
The first two patches add indirect (indr) callback setup;
the last two add tunnel match and action offload.
This patch is based on
http://patchwork.ozlabs.org/patch/1194247/
http://patchwork.ozlabs.org/patch/1195539/
wenxu (4):
netfilter: nf_flow_table_offload: refactor nf_flow_table_offload_setup
to support indir setup
netfilter: nf_flow_table_offload: add indr block setup support
netfilter: nf_flow_table_offload: add tunnel match offload support
netfilter: nf_flow_table_offload: add tunnel encap/decap action
offload support
net/netfilter/nf_flow_table_offload.c | 240 +++++++++++++++++++++++++++++++---
1 file changed, 223 insertions(+), 17 deletions(-)
--
1.8.3.1
* [PATCH nf-next 1/4] netfilter: nf_flow_table_offload: refactor nf_flow_table_offload_setup to support indir setup
From: wenxu @ 2019-11-15 12:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Refactor nf_flow_table_offload_setup to support the indirect (indr) block
setup added in the next patch.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nf_flow_table_offload.c | 54 ++++++++++++++++++++++++-----------
1 file changed, 38 insertions(+), 16 deletions(-)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index c54c9a6..6623f07 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -801,26 +801,31 @@ static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
return err;
}
-int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
- struct net_device *dev,
- enum flow_block_command cmd)
+static void nf_flow_table_block_offload_init(struct flow_block_offload *bo,
+ struct net *net,
+ enum flow_block_command cmd,
+ struct nf_flowtable *flowtable,
+ struct netlink_ext_ack *extack)
+{
+ memset(bo, 0, sizeof(*bo));
+ bo->net = net;
+ bo->block = &flowtable->flow_block;
+ bo->command = cmd;
+ bo->binder_type = FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
+ bo->extack = extack;
+ INIT_LIST_HEAD(&bo->cb_list);
+}
+
+static int nf_flow_table_offload_cmd(struct nf_flowtable *flowtable,
+ struct net_device *dev,
+ enum flow_block_command cmd)
{
struct netlink_ext_ack extack = {};
- struct flow_block_offload bo = {};
+ struct flow_block_offload bo;
int err;
- if (!(flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD))
- return 0;
-
- if (!dev->netdev_ops->ndo_setup_tc)
- return -EOPNOTSUPP;
-
- bo.net = dev_net(dev);
- bo.block = &flowtable->flow_block;
- bo.command = cmd;
- bo.binder_type = FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
- bo.extack = &extack;
- INIT_LIST_HEAD(&bo.cb_list);
+ nf_flow_table_block_offload_init(&bo, dev_net(dev), cmd, flowtable,
+ &extack);
err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
if (err < 0)
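Review bot: nf_flow_table_block_offload_init stores the caller's `extack` pointer in `bo->extack` and `&flowtable->flow_block` in `bo->block` without copying, and the caller here passes a stack `struct netlink_ext_ack extack = {}`, so `bo` must not be used past the caller's frame; a one-line comment above the helper would make that contract explicit, e.g. `/* Fill bo for a TC_SETUP_BLOCK request; extack and flowtable must outlive bo. */`. The `memset(bo, 0, sizeof(*bo))` replaces the former `= {}` zero-initialisation in the caller, so switching the caller's declaration to an uninitialised `struct flow_block_offload bo;` is only safe because every path calls the helper first — worth stating in that comment too. nf_flow_table_offload_cmd's body continues past the end of this hunk.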
@@ -828,6 +833,23 @@ int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
return nf_flow_table_block_setup(flowtable, &bo, cmd);
}
+
+int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
+ struct net_device *dev,
+ enum flow_block_command cmd)
+{
+ int err;
+
+ if (!(flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD))
+ return 0;
+
+ if (dev->netdev_ops->ndo_setup_tc)
+ err = nf_flow_table_offload_cmd(flowtable, dev, cmd);
+ else
+ err = -EOPNOTSUPP;
+
+ return err;
+}
EXPORT_SYMBOL_GPL(nf_flow_table_offload_setup);
int nf_flow_table_offload_init(void)
--
1.8.3.1
* [PATCH nf-next 2/4] netfilter: nf_flow_table_offload: add indr block setup support
From: wenxu @ 2019-11-15 12:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add indr-block setup support to the nf flow table, so that flow table
offload also works for vlan and tunnel devices.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nf_flow_table_offload.c | 89 ++++++++++++++++++++++++++++++++++-
1 file changed, 88 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 6623f07..2182c55c 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -7,6 +7,7 @@
#include <linux/tc_act/tc_csum.h>
#include <net/flow_offload.h>
#include <net/netfilter/nf_flow_table.h>
+#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_tuple.h>
@@ -834,6 +835,24 @@ static int nf_flow_table_offload_cmd(struct nf_flowtable *flowtable,
return nf_flow_table_block_setup(flowtable, &bo, cmd);
}
+static int nf_flow_table_indr_offload_cmd(struct nf_flowtable *flowtable,
+ struct net_device *dev,
+ enum flow_block_command cmd)
+{
+ struct netlink_ext_ack extack = {};
+ struct flow_block_offload bo;
+
+ nf_flow_table_block_offload_init(&bo, dev_net(dev), cmd, flowtable,
+ &extack);
+
+ flow_indr_block_call(dev, &bo, cmd);
+
+ if (list_empty(&bo.cb_list))
+ return -EOPNOTSUPP;
+
+ return nf_flow_table_block_setup(flowtable, &bo, cmd);
+}
+
int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
struct net_device *dev,
enum flow_block_command cmd)
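Review bot: The `list_empty(&bo.cb_list)` check in nf_flow_table_indr_offload_cmd returns -EOPNOTSUPP for every `cmd`, including FLOW_BLOCK_UNBIND, so an unbind for a device whose indirect callback is already gone is reported as an error rather than treated as a no-op; whether the caller tolerates that is not visible here and is worth confirming or documenting, e.g. `/* No indirect driver claimed this block: nothing to (un)bind. */` above the check. Unlike nf_flow_table_offload_cmd just above, which propagates the ndo_setup_tc error, this path gets no return value from flow_indr_block_call, so the empty list is its only failure signal.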
@@ -846,16 +865,82 @@ int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
if (dev->netdev_ops->ndo_setup_tc)
err = nf_flow_table_offload_cmd(flowtable, dev, cmd);
else
- err = -EOPNOTSUPP;
+ err = nf_flow_table_indr_offload_cmd(flowtable, dev, cmd);
return err;
}
EXPORT_SYMBOL_GPL(nf_flow_table_offload_setup);
+static struct nf_flowtable *__nf_flow_table_offload_get(struct net_device *dev)
+{
+ struct nf_flowtable *n_flowtable;
+ struct nft_flowtable *flowtable;
+ struct net *net = dev_net(dev);
+ struct nft_table *table;
+ struct nft_hook *hook;
+
+ list_for_each_entry(table, &net->nft.tables, list) {
+ list_for_each_entry(flowtable, &table->flowtables, list) {
+ list_for_each_entry(hook, &flowtable->hook_list, list) {
+ if (hook->ops.dev != dev)
+ continue;
+
+ n_flowtable = &flowtable->data;
+ return n_flowtable;
+ }
+ }
+ }
+
+ return NULL;
+}
+
+static void nf_flow_table_indr_block_ing_cmd(struct net_device *dev,
+ struct nf_flowtable *flowtable,
+ flow_indr_block_bind_cb_t *cb,
+ void *cb_priv,
+ enum flow_block_command cmd)
+{
+ struct netlink_ext_ack extack = {};
+ struct flow_block_offload bo;
+
+ if (!flowtable)
+ return;
+
+ nf_flow_table_block_offload_init(&bo, dev_net(dev), cmd, flowtable,
+ &extack);
+
+ cb(dev, cb_priv, TC_SETUP_BLOCK, &bo);
+
+ nf_flow_table_block_setup(flowtable, &bo, cmd);
+}
+
+static void nf_flow_table_indr_block_cb(struct net_device *dev,
+ flow_indr_block_bind_cb_t *cb,
+ void *cb_priv,
+ enum flow_block_command cmd)
+{
+ struct net *net = dev_net(dev);
+ struct nf_flowtable *flowtable;
+
+ mutex_lock(&net->nft.commit_mutex);
+ flowtable = __nf_flow_table_offload_get(dev);
+ if (flowtable)
+ nf_flow_table_indr_block_ing_cmd(dev, flowtable, cb, cb_priv,
+ cmd);
+ mutex_unlock(&net->nft.commit_mutex);
+}
+
+static struct flow_indr_block_ing_entry block_ing_entry = {
+ .cb = nf_flow_table_indr_block_cb,
+ .list = LIST_HEAD_INIT(block_ing_entry.list),
+};
+
int nf_flow_table_offload_init(void)
{
INIT_WORK(&nf_flow_offload_work, flow_offload_work_handler);
+ flow_indr_add_block_ing_cb(&block_ing_entry);
+
return 0;
}
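Review bot: nf_flow_table_indr_block_ing_cmd issues the block command for whichever flowtable __nf_flow_table_offload_get returns without checking `flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD`, whereas nf_flow_table_offload_setup above returns 0 early for flowtables without that flag; the indirect path should filter the same way, e.g. `if (!flowtable || !(flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD))` `return;` in place of the current NULL-only check (which the caller already performs). The return value of `nf_flow_table_block_setup(flowtable, &bo, cmd)` is dropped, so a failed bind from the indirect callback goes unreported. __nf_flow_table_offload_get returns the first flowtable whose hook dev matches, and the `n_flowtable` temporary can be folded into `return &flowtable->data;`. This also makes the generic offload file walk nf_tables' `net->nft.tables` under `commit_mutex`, which couples the two layers; if that is intended, a comment on block_ing_entry saying so would help.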
@@ -864,6 +949,8 @@ void nf_flow_table_offload_exit(void)
struct flow_offload_work *offload, *next;
LIST_HEAD(offload_pending_list);
+ flow_indr_del_block_ing_cb(&block_ing_entry);
+
cancel_work_sync(&nf_flow_offload_work);
list_for_each_entry_safe(offload, next, &offload_pending_list, list) {
--
1.8.3.1
* [PATCH nf-next 3/4] netfilter: nf_flow_table_offload: add tunnel match offload support
From: wenxu @ 2019-11-15 12:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
This patch supports both IPv4 and IPv6 tunnel_id, tunnel_src and
tunnel_dst matching for flowtable offload.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nf_flow_table_offload.c | 54 +++++++++++++++++++++++++++++++++--
1 file changed, 52 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 2182c55c..9b1de6a 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -30,6 +30,11 @@ struct nf_flow_key {
union {
struct flow_dissector_key_ipv4_addrs ipv4;
};
+ struct flow_dissector_key_keyid enc_key_id;
+ union {
+ struct flow_dissector_key_ipv4_addrs enc_ipv4;
+ struct flow_dissector_key_ipv6_addrs enc_ipv6;
+ };
struct flow_dissector_key_tcp tcp;
struct flow_dissector_key_ports tp;
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
@@ -49,11 +54,49 @@ struct nf_flow_rule {
(__match)->dissector.offset[__type] = \
offsetof(struct nf_flow_key, __field)
+static void nf_flow_rule_lwt_match(struct nf_flow_match *match,
+ struct ip_tunnel_info *tun_info)
+{
+ struct nf_flow_key *mask = &match->mask;
+ struct nf_flow_key *key = &match->key;
+ unsigned int enc_keys;
+
+ if (!tun_info || !(tun_info->mode & IP_TUNNEL_INFO_TX))
+ return;
+
+ NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_ENC_KEYID, enc_key_id);
+ key->enc_key_id.keyid = tunnel_id_to_key32(tun_info->key.tun_id);
+ mask->enc_key_id.keyid = 0xffffffff;
+ enc_keys = BIT(FLOW_DISSECTOR_KEY_ENC_KEYID);
+
+ if (ip_tunnel_info_af(tun_info) == AF_INET) {
+ NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS,
+ enc_ipv4);
+ key->enc_ipv4.src = tun_info->key.u.ipv4.src;
+ key->enc_ipv4.dst = tun_info->key.u.ipv4.dst;
+ mask->enc_ipv4.src = 0xffffffff;
+ mask->enc_ipv4.dst = 0xffffffff;
+ enc_keys |= BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS);
+ } else {
+ memcpy(&key->enc_ipv6.src, &tun_info->key.u.ipv6.src,
+ sizeof(struct in6_addr));
+ memcpy(&key->enc_ipv6.dst, &tun_info->key.u.ipv6.dst,
+ sizeof(struct in6_addr));
+ memset(&key->enc_ipv6.src, 0xff, sizeof(struct in6_addr));
+ memset(&key->enc_ipv6.dst, 0xff, sizeof(struct in6_addr));
+ enc_keys |= BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS);
+ }
+
+ match->dissector.used_keys |= enc_keys;
+}
+
static int nf_flow_rule_match(struct nf_flow_match *match,
- const struct flow_offload_tuple *tuple)
+ const struct flow_offload_tuple *tuple,
+ struct dst_entry *other_dst)
{
struct nf_flow_key *mask = &match->mask;
struct nf_flow_key *key = &match->key;
+ struct ip_tunnel_info *tun_info;
NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control);
NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic);
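Review bot: The IPv6 branch of nf_flow_rule_lwt_match writes the all-ones pattern into the key instead of the mask: the two `memset(&key->enc_ipv6...)` calls right after the `memcpy`s overwrite the tunnel addresses just copied and leave `mask->enc_ipv6` zero, so an IPv6 tunnel neither matches its real endpoints nor masks anything. The same branch never calls `NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6)`, so `used_keys` gains the ENC_IPV6_ADDRS bit while its dissector offset is left unset, unlike the IPv4 branch. The bare `else` also treats every non-AF_INET family as IPv6; an explicit `ip_tunnel_info_af(tun_info) == AF_INET6` test would make the intent clear. nf_flow_rule_match begins in this hunk and continues past its end.
```c
	/* … unchanged: keyid match and AF_INET branch … */
	} else {
		NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS,
				  enc_ipv6);
		memcpy(&key->enc_ipv6.src, &tun_info->key.u.ipv6.src,
		       sizeof(struct in6_addr));
		memcpy(&key->enc_ipv6.dst, &tun_info->key.u.ipv6.dst,
		       sizeof(struct in6_addr));
		/* Exact match: the mask, not the key, is all-ones. */
		memset(&mask->enc_ipv6.src, 0xff, sizeof(struct in6_addr));
		memset(&mask->enc_ipv6.dst, 0xff, sizeof(struct in6_addr));
		enc_keys |= BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS);
	}
	/* … unchanged: used_keys update … */
```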
@@ -61,6 +104,11 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp);
NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp);
+ if (other_dst->lwtstate) {
+ tun_info = lwt_tun_info(other_dst->lwtstate);
+ nf_flow_rule_lwt_match(match, tun_info);
+ }
+
switch (tuple->l3proto) {
case AF_INET:
key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
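Review bot: `other_dst->lwtstate` is read unconditionally on the new lines, while the new `tun_info` local is only assigned inside that branch; whether the reverse tuple's `dst_cache` can be NULL at this point is not visible here, and if it can, `if (other_dst && other_dst->lwtstate)` is the cheap guard. Declaring `tun_info` inside the `if` block would also scope it to its single use. nf_flow_rule_match begins before this hunk.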
@@ -468,6 +516,7 @@ int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
const struct flow_offload *flow = offload->flow;
const struct flow_offload_tuple *tuple;
struct nf_flow_rule *flow_rule;
+ struct dst_entry *other_dst;
int err = -ENOMEM;
flow_rule = kzalloc(sizeof(*flow_rule), GFP_KERNEL);
@@ -483,7 +532,8 @@ int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
flow_rule->rule->match.key = &flow_rule->match.key;
tuple = &flow->tuplehash[dir].tuple;
- err = nf_flow_rule_match(&flow_rule->match, tuple);
+ other_dst = flow->tuplehash[!dir].tuple.dst_cache;
+ err = nf_flow_rule_match(&flow_rule->match, tuple, other_dst);
if (err < 0)
goto err_flow_match;
--
1.8.3.1
* [PATCH nf-next 4/4] netfilter: nf_flow_table_offload: add tunnel encap/decap action offload support
From: wenxu @ 2019-11-15 12:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
This patch adds tunnel encap/decap action offload to the flowtable
offload path.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nf_flow_table_offload.c | 47 +++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 9b1de6a..c35e2a9 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -456,6 +456,45 @@ static void flow_offload_redirect(const struct flow_offload *flow,
dev_hold(rt->dst.dev);
}
+static void flow_offload_encap_tunnel(const struct flow_offload *flow,
+ enum flow_offload_tuple_dir dir,
+ struct nf_flow_rule *flow_rule)
+{
+ struct flow_action_entry *entry;
+ struct dst_entry *dst;
+
+ dst = flow->tuplehash[dir].tuple.dst_cache;
+ if (dst->lwtstate) {
+ struct ip_tunnel_info *tun_info;
+
+ tun_info = lwt_tun_info(dst->lwtstate);
+ if (tun_info && (tun_info->mode & IP_TUNNEL_INFO_TX)) {
+ entry = flow_action_entry_next(flow_rule);
+ entry->id = FLOW_ACTION_TUNNEL_ENCAP;
+ entry->tunnel = tun_info;
+ }
+ }
+}
+
+static void flow_offload_decap_tunnel(const struct flow_offload *flow,
+ enum flow_offload_tuple_dir dir,
+ struct nf_flow_rule *flow_rule)
+{
+ struct flow_action_entry *entry;
+ struct dst_entry *dst;
+
+ dst = flow->tuplehash[!dir].tuple.dst_cache;
+ if (dst->lwtstate) {
+ struct ip_tunnel_info *tun_info;
+
+ tun_info = lwt_tun_info(dst->lwtstate);
+ if (tun_info && (tun_info->mode & IP_TUNNEL_INFO_TX)) {
+ entry = flow_action_entry_next(flow_rule);
+ entry->id = FLOW_ACTION_TUNNEL_DECAP;
+ }
+ }
+}
+
int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,
enum flow_offload_tuple_dir dir,
struct nf_flow_rule *flow_rule)
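Review bot: flow_offload_encap_tunnel and flow_offload_decap_tunnel repeat the same lwtstate → lwt_tun_info → IP_TUNNEL_INFO_TX lookup, differing only in which tuplehash direction they read and which action id they emit; a small static helper returning the TX tunnel info (or NULL) would keep the two in step. Both also dereference `dst->lwtstate` without checking `dst` itself; whether `dst_cache` can be NULL here is not visible in the hunk, but the helper is a cheap place for a `!dst` guard if it can. The encap entry stores `tun_info` by pointer into the dst's lwtstate, so the offloaded rule presumably relies on the flow holding its dst_cache for as long as the rule lives — worth a comment on `entry->tunnel = tun_info;`.
```c
/* TX tunnel metadata attached to dst's lwtunnel state, or NULL if none. */
static struct ip_tunnel_info *flow_offload_tunnel_info(const struct dst_entry *dst)
{
	struct ip_tunnel_info *tun_info;

	if (!dst || !dst->lwtstate)
		return NULL;

	tun_info = lwt_tun_info(dst->lwtstate);
	if (!tun_info || !(tun_info->mode & IP_TUNNEL_INFO_TX))
		return NULL;

	return tun_info;
}

static void flow_offload_encap_tunnel(const struct flow_offload *flow,
				      enum flow_offload_tuple_dir dir,
				      struct nf_flow_rule *flow_rule)
{
	struct flow_action_entry *entry;
	struct ip_tunnel_info *tun_info;

	tun_info = flow_offload_tunnel_info(flow->tuplehash[dir].tuple.dst_cache);
	if (!tun_info)
		return;

	entry = flow_action_entry_next(flow_rule);
	entry->id = FLOW_ACTION_TUNNEL_ENCAP;
	/* Points into the dst's lwtstate; the flow's dst_cache keeps it alive. */
	entry->tunnel = tun_info;
}

/* … flow_offload_decap_tunnel: same shape on tuplehash[!dir] with FLOW_ACTION_TUNNEL_DECAP … */
```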
@@ -478,6 +517,10 @@ int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,
flow_offload_redirect(flow, dir, flow_rule);
+ flow_offload_encap_tunnel(flow, dir, flow_rule);
+
+ flow_offload_decap_tunnel(flow, dir, flow_rule);
+
return 0;
}
EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv4);
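Review bot: Both tunnel actions are appended after flow_offload_redirect, so the resulting action list reads redirect → encap → decap; flow_action_entry_next appears to append in order, and drivers consuming `flow_action` generally expect the decap of the incoming tunnel first and the output (redirect) action last, so the order here is likely inverted — consider `flow_offload_decap_tunnel(flow, dir, flow_rule);` then `flow_offload_encap_tunnel(flow, dir, flow_rule);` placed before the existing redirect call. The same ordering appears in the nf_flow_rule_route_ipv6 hunk below. The rest of nf_flow_rule_route_ipv4 is outside this hunk.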
@@ -501,6 +544,10 @@ int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
flow_offload_redirect(flow, dir, flow_rule);
+ flow_offload_encap_tunnel(flow, dir, flow_rule);
+
+ flow_offload_decap_tunnel(flow, dir, flow_rule);
+
return 0;
}
EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv6);
--
1.8.3.1
* Re: [PATCH nf-next 0/4] netfilter: nf_flow_table_offload: support tunnel match
From: Pablo Neira Ayuso @ 2019-11-15 21:48 UTC (permalink / raw)
To: wenxu; +Cc: netfilter-devel
On Fri, Nov 15, 2019 at 08:03:26PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> This patch provide tunnel offload based on route lwtunnel.
> The first two patches support indr callback setup
> Then add tunnel match and action offload
Could you provide a configuration script for this tunnel setup?
Thanks.
> This patch is based on
> http://patchwork.ozlabs.org/patch/1194247/
> http://patchwork.ozlabs.org/patch/1195539/
>
> wenxu (4):
> netfilter: nf_flow_table_offload: refactor nf_flow_table_offload_setup
> to support indir setup
> netfilter: nf_flow_table_offload: add indr block setup support
> netfilter: nf_flow_table_offload: add tunnel match offload support
> netfilter: nf_flow_table_offload: add tunnel encap/decap action
> offload support
>
> net/netfilter/nf_flow_table_offload.c | 240 +++++++++++++++++++++++++++++++---
> 1 file changed, 223 insertions(+), 17 deletions(-)
>
> --
> 1.8.3.1
>
* Re: [PATCH nf-next 0/4] netfilter: nf_flow_table_offload: support tunnel match
From: wenxu @ 2019-11-16 8:06 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
在 2019/11/16 5:48, Pablo Neira Ayuso 写道:
> On Fri, Nov 15, 2019 at 08:03:26PM +0800, wenxu@ucloud.cn wrote:
>> From: wenxu <wenxu@ucloud.cn>
>>
>> This patch provide tunnel offload based on route lwtunnel.
>> The first two patches support indr callback setup
>> Then add tunnel match and action offload
> Could you provide a configuration script for this tunnel setup?
>
> Thanks.
The following is a simple configuration for tunnel offload forwarding.
ip link add dev gre_sys type gretap key 1000
ip link add user1 type vrf table 1
ip l set dev gre1000 master user1
ip l set dev vf master user1
ip r a 10.0.0.7 dev vf table 1
ip r a default via 10.0.0.100 encap ip id 1000 dst 172.168.0.7 key dev gre1000 table 1 onlink
nft add flowtable firewall fb1 { hook ingress priority 0 \; flags offload \; devices = { gre1000, vf } \; }
>
>> This patch is based on
>> http://patchwork.ozlabs.org/patch/1194247/
>> http://patchwork.ozlabs.org/patch/1195539/
>>
>> wenxu (4):
>> netfilter: nf_flow_table_offload: refactor nf_flow_table_offload_setup
>> to support indir setup
>> netfilter: nf_flow_table_offload: add indr block setup support
>> netfilter: nf_flow_table_offload: add tunnel match offload support
>> netfilter: nf_flow_table_offload: add tunnel encap/decap action
>> offload support
>>
>> net/netfilter/nf_flow_table_offload.c | 240 +++++++++++++++++++++++++++++++---
>> 1 file changed, 223 insertions(+), 17 deletions(-)
>>
>> --
>> 1.8.3.1
>>
* Re: [PATCH nf-next 0/4] netfilter: nf_flow_table_offload: support tunnel match
From: Pablo Neira Ayuso @ 2019-11-18 21:59 UTC (permalink / raw)
To: wenxu; +Cc: netfilter-devel
On Sat, Nov 16, 2019 at 04:06:02PM +0800, wenxu wrote:
>
> 在 2019/11/16 5:48, Pablo Neira Ayuso 写道:
> > On Fri, Nov 15, 2019 at 08:03:26PM +0800, wenxu@ucloud.cn wrote:
> >> From: wenxu <wenxu@ucloud.cn>
> >>
> >> This patch provide tunnel offload based on route lwtunnel.
> >> The first two patches support indr callback setup
> >> Then add tunnel match and action offload
> > Could you provide a configuration script for this tunnel setup?
> >
> > Thanks.
>
> The following is a simple configure for tunnel offload forward
>
>
> ip link add dev gre_sys type gretap key 1000
>
> ip link add user1 type vrf table 1
>
> ip l set dev gre1000 master user1
>
> ip l set dev vf master user1
>
> ip r a 10.0.0.7 dev vf table 1
> ip r a default via 10.0.0.100 encap ip id 1000 dst 172.168.0.7 key dev gre1000 table 1 onlink
>
> nft add flowtable firewall fb1 { hook ingress priority 0 \; flags offload \; devices = { gre1000, vf } \; }
Thanks for describing, but how does this work in software?
I'd appreciate if you can describe a configuration in software (no
offload) that I can use here for testing, including how you're
generating traffic there for testing.
* Re: [PATCH nf-next 0/4] netfilter: nf_flow_table_offload: support tunnel match
From: wenxu @ 2019-11-19 6:40 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 11/19/2019 5:59 AM, Pablo Neira Ayuso wrote:
> On Sat, Nov 16, 2019 at 04:06:02PM +0800, wenxu wrote:
>> 在 2019/11/16 5:48, Pablo Neira Ayuso 写道:
>>> On Fri, Nov 15, 2019 at 08:03:26PM +0800, wenxu@ucloud.cn wrote:
>>>> From: wenxu <wenxu@ucloud.cn>
>>>>
>>>> This patch provide tunnel offload based on route lwtunnel.
>>>> The first two patches support indr callback setup
>>>> Then add tunnel match and action offload
>>> Could you provide a configuration script for this tunnel setup?
>>>
>>> Thanks.
>> The following is a simple configure for tunnel offload forward
>>
>>
>> ip link add dev gre_sys type gretap key 1000
>>
>> ip link add user1 type vrf table 1
>>
>> ip l set dev gre1000 master user1
>>
>> ip l set dev vf master user1
>>
>> ip r a 10.0.0.7 dev vf table 1
>> ip r a default via 10.0.0.100 encap ip id 1000 dst 172.168.0.7 key dev gre1000 table 1 onlink
>>
>> nft add flowtable firewall fb1 { hook ingress priority 0 \; flags offload \; devices = { gre1000, vf } \; }
> Thanks for describing, but how does this work in software?
>
> I'd appreciate if you can describe a configuration in software (no
> offload) that I can use here for testing, including how you're
> generating traffic there for testing.
Here is the whole test script for software only; flowtable offload
already works with vrf.
ip netns add ns1
ip netns add cl
ip l add dev veth1 type veth peer name eth0 netns ns1
ip l add dev vethc type veth peer name eth0 netns cl
ip netns exec ns1 ifconfig eth0 10.0.0.7/24 up
ip netns exec ns1 ip r add default via 10.0.0.1
ifconfig vethc 172.168.0.7/24 up
ip l add dev tun1 type gretap external
ip netns exec cl ifconfig eth0 172.168.0.17/24 up
ip netns exec cl ip l add dev tun type gretap local 172.168.0.17 remote 172.168.0.7 key 1000
ip netns exec cl ifconfig tun 10.0.1.7/24 up
ip netns exec cl ip r add default via 10.0.1.1
ip link add user1 type vrf table 1
ip l set user1 up
ip l set dev tun1 master user1
ifconfig veth1 down
ip l set dev veth1 master user1
ifconfig veth1 10.0.0.1/24 up
ifconfig tun1 10.0.1.1/24 up
ip r r 10.0.0.7 dev veth1 table 1
ip r r 10.0.1.7 encap ip id 1000 dst 172.168.0.17 key dev tun1 table 1
nft add table firewall
nft add chain firewall zones { type filter hook prerouting priority - 300 \; }
nft add rule firewall zones counter ct zone set iif map { "tun1" : 1, "veth1" : 1 }
nft add chain firewall rule-1000-ingress
nft add rule firewall rule-1000-ingress ct zone 1 ct state established,related counter accept
nft add rule firewall rule-1000-ingress ct zone 1 ct state invalid counter drop
nft add rule firewall rule-1000-ingress ct zone 1 tcp dport 5001 ct state new counter accept
nft add rule firewall rule-1000-ingress ct zone 1 ip protocol icmp ct state new counter accept
nft add rule firewall rule-1000-ingress counter drop
nft add chain firewall rules-all { type filter hook prerouting priority - 150 \; }
nft add rule firewall rules-all meta iifkind "vrf" counter accept
nft add rule firewall rules-all iif vmap { "tun1" : jump rule-1000-ingress }
nft add flowtable firewall fb1 { hook ingress priority 0 \; devices = { veth1, tun1 } \; }
nft add chain firewall ftb-all {type filter hook forward priority 0 \; policy accept \; }
nft add rule firewall ftb-all ct zone 1 ip protocol tcp flow offload @fb1
you can test it with
ip netns exec ns1 exec iperf -s
ip netns exec ns1 exec iperf -c 10.0.0.7 -t 100 -i 2
cat /proc/net/nf_conntrack | grep zone=1
ipv4 2 tcp 6 src=10.0.1.7 dst=10.0.0.7 sport=56290 dport=5001 src=10.0.0.7 dst=10.0.1.7 sport=5001 dport=56290 [OFFLOAD] mark=0 zone=1 use=3
Ps: there are some tricks. It is better the tun1 as "ip l add dev tun1 type gretap key 1000"
but not " ip l add dev tun1 type gretap external"
But the specific key id gretap when receive the packet will not push up the tun_info which will lead arp response
with no tun_info
I will post a patch to support this in gre.
>