* [PATCH nf-next v5 0/2] netfilter: nf_tables_offload: support fwd_netdev offload
From: wenxu @ 2019-08-21 4:56 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
This patch series adds support for fwd_netdev offload:
1). add net to the offload ctx so that the netdevice can be looked up in the related net.
2). add fw_netdev action offload
This version is just split from the original big series, without dependencies
on each other
wenxu (2):
netfilter: nf_flow_offload: add net in offload_ctx
netfilter: nft_fwd_netdev: add fw_netdev action support
include/net/netfilter/nf_tables_offload.h | 3 ++-
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nf_tables_offload.c | 3 ++-
net/netfilter/nft_fwd_netdev.c | 26 ++++++++++++++++++++++++++
4 files changed, 31 insertions(+), 3 deletions(-)
--
1.8.3.1
* [PATCH nf-next v5 1/2] netfilter: nf_flow_offload: add net in offload_ctx
From: wenxu @ 2019-08-21 4:56 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
In the offload_ctx, the net can be used for other actions
such as fwd netdev
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
v5: no change
include/net/netfilter/nf_tables_offload.h | 3 ++-
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nf_tables_offload.c | 3 ++-
3 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index 8a5969d9..71453fd 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -25,6 +25,7 @@ struct nft_offload_ctx {
__be16 l3num;
u8 protonum;
} dep;
+ struct net *net;
unsigned int num_actions;
struct nft_offload_reg regs[NFT_REG32_15 + 1];
};
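Review bot: The new `net` member of struct nft_offload_ctx carries no comment about ownership, and nothing in this series takes a reference on it. The only initialiser visible here is the stack-local ctx in nft_flow_rule_create(), so the pointer is borrowed from the caller for the duration of that call. A one-line comment such as `/* netns of the rule being offloaded; borrowed, valid only while the ctx is in use */` would keep later offload callbacks from storing it beyond that point. The struct's opening lines are outside the hunk.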
@@ -61,7 +62,7 @@ struct nft_flow_rule {
#define NFT_OFFLOAD_F_ACTION (1 << 0)
struct nft_rule;
-struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule);
+struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);
void nft_flow_rule_destroy(struct nft_flow_rule *flow);
int nft_flow_rule_offload_commit(struct net *net);
void nft_indr_block_get_and_ing_cmd(struct net_device *dev,
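Review bot: The new prototype `struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);` runs past 80 columns, and the matching definition in net/netfilter/nf_tables_offload.c has the same long line. Breaking after the first parameter, `struct nft_flow_rule *nft_flow_rule_create(struct net *net,` followed by an aligned `const struct nft_rule *rule);`, would match how the neighbouring nft_indr_block_get_and_ing_cmd() declaration is wrapped.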
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fe3b7b0..d4f611a 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -2844,7 +2844,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
return nft_table_validate(net, table);
if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
- flow = nft_flow_rule_create(rule);
+ flow = nft_flow_rule_create(net, rule);
if (IS_ERR(flow))
return PTR_ERR(flow);
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index d3c4c9c..9d9a864 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -28,12 +28,13 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
return flow;
}
-struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule)
+struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule)
{
struct nft_offload_ctx ctx = {
.dep = {
.type = NFT_OFFLOAD_DEP_UNSPEC,
},
+ .net = net,
};
struct nft_flow_rule *flow;
int num_actions = 0, err;
--
1.8.3.1
* [PATCH nf-next v5 2/2] netfilter: nft_fwd_netdev: add fw_netdev action support
From: wenxu @ 2019-08-21 4:56 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
fwd_netdev action offload:
nft --debug=netlink add rule netdev firewall aclout ip daddr 10.0.1.7 fwd to eth0
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
v5: no offload_actions callback
net/netfilter/nft_fwd_netdev.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c
index 61b7f93..8c52765 100644
--- a/net/netfilter/nft_fwd_netdev.c
+++ b/net/netfilter/nft_fwd_netdev.c
@@ -15,6 +15,7 @@
#include <net/netfilter/nf_dup_netdev.h>
#include <net/neighbour.h>
#include <net/ip.h>
+#include <net/netfilter/nf_tables_offload.h>
struct nft_fwd_netdev {
enum nft_registers sreg_dev:8;
@@ -63,6 +64,30 @@ static int nft_fwd_netdev_dump(struct sk_buff *skb, const struct nft_expr *expr)
return -1;
}
+static int nft_fwd_netdev_offload(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow,
+ const struct nft_expr *expr)
+{
+ const struct nft_fwd_netdev *priv = nft_expr_priv(expr);
+ struct nft_offload_reg *reg = &ctx->regs[priv->sreg_dev];
+ const struct nft_data *data = ®->data;
+ struct flow_action_entry *entry;
+ struct net_device *dev;
+ int oif = -1;
+
+ entry = &flow->rule->action.entries[ctx->num_actions++];
+
+ memcpy(&oif, data->data, sizeof(oif));
+ dev = __dev_get_by_index(ctx->net, oif);
+ if (!dev)
+ return -EOPNOTSUPP;
+
+ entry->id = FLOW_ACTION_REDIRECT;
+ entry->dev = dev;
+
+ return 0;
+}
+
struct nft_fwd_neigh {
enum nft_registers sreg_dev:8;
enum nft_registers sreg_addr:8;
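Review bot: `__dev_get_by_index(ctx->net, oif)` returns the device without taking a reference, and the pointer is then stored in `entry->dev`, which outlives nft_fwd_netdev_offload(). That lookup expects the caller to hold RTNL or otherwise keep the device list stable, and nothing in the hunk shows which lock the offload path holds, so the device could presumably be unregistered while the flow rule still points at it. Consider `dev = dev_get_by_index(ctx->net, oif);` with a matching `dev_put()` where the flow rule is destroyed, or document the locking that makes the bare pointer safe. The slot is also claimed with `ctx->num_actions++` before the lookup can fail; taking `entry` after the `if (!dev)` check would keep the count consistent on the error path.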
@@ -194,6 +219,7 @@ static int nft_fwd_neigh_dump(struct sk_buff *skb, const struct nft_expr *expr)
.eval = nft_fwd_netdev_eval,
.init = nft_fwd_netdev_init,
.dump = nft_fwd_netdev_dump,
+ .offload = nft_fwd_netdev_offload,
};
static const struct nft_expr_ops *
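Review bot: Only `.offload` is added to the ops here, while the new callback writes `flow->rule->action.entries[ctx->num_actions++]` with no bounds check. The array appears to be sized up front through nft_flow_rule_alloc(num_actions), and nothing visible in this series marks the fwd expression as an action (the header defines `NFT_OFFLOAD_F_ACTION` for that purpose). If the count is derived from that flag, the entry written for this expression may lie past the allocation. Please confirm how num_actions is computed for this expression and, if it relies on the flag, set it in these ops, e.g. `.offload_flags = NFT_OFFLOAD_F_ACTION,` next to `.offload`. The ops initialiser starts outside the hunk.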
--
1.8.3.1
* Re: [PATCH nf-next v5 1/2] netfilter: nf_flow_offload: add net in offload_ctx
From: wenxu @ 2019-09-02 6:12 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
Hi pablo,
How about this series?
BR
wenxu
On 8/21/2019 12:56 PM, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> In the offload_ctx, the net can be used for other actions
> such as fwd netdev
>
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
> v5: no change
>
> include/net/netfilter/nf_tables_offload.h | 3 ++-
> net/netfilter/nf_tables_api.c | 2 +-
> net/netfilter/nf_tables_offload.c | 3 ++-
> 3 files changed, 5 insertions(+), 3 deletions(-)
>
> diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
> index 8a5969d9..71453fd 100644
> --- a/include/net/netfilter/nf_tables_offload.h
> +++ b/include/net/netfilter/nf_tables_offload.h
> @@ -25,6 +25,7 @@ struct nft_offload_ctx {
> __be16 l3num;
> u8 protonum;
> } dep;
> + struct net *net;
> unsigned int num_actions;
> struct nft_offload_reg regs[NFT_REG32_15 + 1];
> };
> @@ -61,7 +62,7 @@ struct nft_flow_rule {
> #define NFT_OFFLOAD_F_ACTION (1 << 0)
>
> struct nft_rule;
> -struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule);
> +struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);
> void nft_flow_rule_destroy(struct nft_flow_rule *flow);
> int nft_flow_rule_offload_commit(struct net *net);
> void nft_indr_block_get_and_ing_cmd(struct net_device *dev,
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index fe3b7b0..d4f611a 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -2844,7 +2844,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk,
> return nft_table_validate(net, table);
>
> if (chain->flags & NFT_CHAIN_HW_OFFLOAD) {
> - flow = nft_flow_rule_create(rule);
> + flow = nft_flow_rule_create(net, rule);
> if (IS_ERR(flow))
> return PTR_ERR(flow);
>
> diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
> index d3c4c9c..9d9a864 100644
> --- a/net/netfilter/nf_tables_offload.c
> +++ b/net/netfilter/nf_tables_offload.c
> @@ -28,12 +28,13 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
> return flow;
> }
>
> -struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule)
> +struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule)
> {
> struct nft_offload_ctx ctx = {
> .dep = {
> .type = NFT_OFFLOAD_DEP_UNSPEC,
> },
> + .net = net,
> };
> struct nft_flow_rule *flow;
> int num_actions = 0, err;