All of lore.kernel.org
 help / color / mirror / Atom feed
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 03/21] netfilter: flowtable: restrict flow dissector match on meta ingress device
Date: Sat, 18 Jan 2020 21:13:59 +0100	[thread overview]
Message-ID: <20200118201417.334111-4-pablo@netfilter.org> (raw)
In-Reply-To: <20200118201417.334111-1-pablo@netfilter.org>

Set on FLOW_DISSECTOR_KEY_META meta key using flow tuple ingress interface.

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_flow_table_offload.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 4d1e81e2880f..b879e673953f 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -24,6 +24,7 @@ struct flow_offload_work {
 };
 
 struct nf_flow_key {
+	struct flow_dissector_key_meta			meta;
 	struct flow_dissector_key_control		control;
 	struct flow_dissector_key_basic			basic;
 	union {
@@ -55,6 +56,7 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
 	struct nf_flow_key *mask = &match->mask;
 	struct nf_flow_key *key = &match->key;
 
+	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_META, meta);
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control);
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic);
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4);
@@ -62,6 +64,9 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp);
 	NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp);
 
+	key->meta.ingress_ifindex = tuple->iifidx;
+	mask->meta.ingress_ifindex = 0xffffffff;
+
 	switch (tuple->l3proto) {
 	case AF_INET:
 		key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
@@ -105,7 +110,8 @@ static int nf_flow_rule_match(struct nf_flow_match *match,
 	key->tp.dst = tuple->dst_port;
 	mask->tp.dst = 0xffff;
 
-	match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL) |
+	match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_META) |
+				      BIT(FLOW_DISSECTOR_KEY_CONTROL) |
 				      BIT(FLOW_DISSECTOR_KEY_BASIC) |
 				      BIT(FLOW_DISSECTOR_KEY_PORTS);
 	return 0;
-- 
2.11.0


  parent reply	other threads:[~2020-01-18 20:14 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-18 20:13 [PATCH 00/21] Netfilter updates for net-next Pablo Neira Ayuso
2020-01-18 20:13 ` [PATCH 01/21] netfilter: nft_bitwise: correct uapi header comment Pablo Neira Ayuso
2020-01-18 20:13 ` [PATCH 02/21] netfilter: flowtable: fetch stats only if flow is still alive Pablo Neira Ayuso
2020-01-18 20:13 ` Pablo Neira Ayuso [this message]
2020-01-18 20:14 ` [PATCH 04/21] netfilter: flowtable: add nf_flow_offload_work_alloc() Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 05/21] netfilter: flowtable: remove dying bit, use teardown bit instead Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 06/21] netfilter: flowtable: use atomic bitwise operations for flow flags Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 07/21] netfilter: flowtable: add nf_flowtable_hw_offload() helper function Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 08/21] netfilter: flowtable: refresh flow if hardware offload fails Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 09/21] netfilter: hashlimit: do not use indirect calls during gc Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 10/21] netfilter: flowtable: add nf_flow_offload_tuple() helper Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 11/21] netfilter: flowtable: add nf_flow_table_offload_cmd() Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 12/21] netfilter: nf_tables: white-space fixes Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 13/21] netfilter: bitwise: remove NULL comparisons from attribute checks Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 14/21] netfilter: bitwise: replace gotos with returns Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 15/21] netfilter: bitwise: add NFTA_BITWISE_OP netlink attribute Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 16/21] netfilter: bitwise: add helper for initializing boolean operations Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 17/21] netfilter: bitwise: add helper for evaluating " Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 18/21] netfilter: bitwise: add helper for dumping " Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 19/21] netfilter: bitwise: only offload " Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 20/21] netfilter: bitwise: add NFTA_BITWISE_DATA attribute Pablo Neira Ayuso
2020-01-18 20:14 ` [PATCH 21/21] netfilter: bitwise: add support for shifts Pablo Neira Ayuso
2020-01-19  9:33 ` [PATCH 00/21] Netfilter updates for net-next David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200118201417.334111-4-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.