* [PATCH nf-next v2 1/4] netfilter: nft_tunnel: add nft_tunnel_mode_match function
2019-11-16 7:49 [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload wenxu
@ 2019-11-16 7:49 ` wenxu
2019-11-16 7:49 ` [PATCH nf-next v2 2/4] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match wenxu
` (3 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: wenxu @ 2019-11-16 7:49 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Move mode match common code to nft_tunnel_mode_match function.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
v2: nft_tunnel_mode_match() returns u8 to store 0 / 1 on the register
net/netfilter/nft_tunnel.c | 29 ++++++++++++++++-------------
1 file changed, 16 insertions(+), 13 deletions(-)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 3d4c2ae..921555f5 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -18,6 +18,19 @@ struct nft_tunnel {
enum nft_tunnel_mode mode:8;
};
+static bool nft_tunnel_mode_match(enum nft_tunnel_mode priv_mode,
+ u8 tun_mode)
+{
+ if (priv_mode == NFT_TUNNEL_MODE_NONE ||
+ (priv_mode == NFT_TUNNEL_MODE_RX &&
+ !(tun_mode & IP_TUNNEL_INFO_TX)) ||
+ (priv_mode == NFT_TUNNEL_MODE_TX &&
+ (tun_mode & IP_TUNNEL_INFO_TX)))
+ return true;
+
+ return false;
+}
+
static void nft_tunnel_get_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
@@ -34,25 +47,15 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
nft_reg_store8(dest, false);
return;
}
- if (priv->mode == NFT_TUNNEL_MODE_NONE ||
- (priv->mode == NFT_TUNNEL_MODE_RX &&
- !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
- (priv->mode == NFT_TUNNEL_MODE_TX &&
- (tun_info->mode & IP_TUNNEL_INFO_TX)))
- nft_reg_store8(dest, true);
- else
- nft_reg_store8(dest, false);
+ nft_reg_store8(dest, nft_tunnel_mode_match(priv->mode,
+ tun_info->mode));
break;
case NFT_TUNNEL_ID:
if (!tun_info) {
regs->verdict.code = NFT_BREAK;
return;
}
- if (priv->mode == NFT_TUNNEL_MODE_NONE ||
- (priv->mode == NFT_TUNNEL_MODE_RX &&
- !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
- (priv->mode == NFT_TUNNEL_MODE_TX &&
- (tun_info->mode & IP_TUNNEL_INFO_TX)))
+ if (nft_tunnel_mode_match(priv->mode, tun_info->mode))
*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
else
regs->verdict.code = NFT_BREAK;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH nf-next v2 2/4] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
2019-11-16 7:49 [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload wenxu
2019-11-16 7:49 ` [PATCH nf-next v2 1/4] netfilter: nft_tunnel: add nft_tunnel_mode_match function wenxu
@ 2019-11-16 7:49 ` wenxu
2019-11-16 7:49 ` [PATCH nf-next v2 3/4] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match wenxu
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: wenxu @ 2019-11-16 7:49 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add new two NFT_TUNNEL_IPV4_SRC/DST match in nft_tunnel
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
v2: add nft_tunnel_mode_match_ip
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_tunnel.c | 32 ++++++++++++++++++++++++++++++++
2 files changed, 34 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index bb9b049..1621d72 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1777,6 +1777,8 @@ enum nft_tunnel_key_attributes {
enum nft_tunnel_keys {
NFT_TUNNEL_PATH,
NFT_TUNNEL_ID,
+ NFT_TUNNEL_IPV4_SRC,
+ NFT_TUNNEL_IPV4_DST,
__NFT_TUNNEL_MAX
};
#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 921555f5..67f7718 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -31,6 +31,16 @@ static bool nft_tunnel_mode_match(enum nft_tunnel_mode priv_mode,
return false;
}
+static bool nft_tunnel_mode_match_ip(enum nft_tunnel_mode priv_mode,
+ struct ip_tunnel_info *tun_info)
+{
+ if (nft_tunnel_mode_match(priv_mode, tun_info->mode) &&
+ ip_tunnel_info_af(tun_info) == AF_INET)
+ return true;
+
+ return false;
+}
+
static void nft_tunnel_get_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
@@ -60,6 +70,26 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
else
regs->verdict.code = NFT_BREAK;
break;
+ case NFT_TUNNEL_IPV4_SRC:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_match_ip(priv->mode, tun_info))
+ *dest = tun_info->key.u.ipv4.src;
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
+ case NFT_TUNNEL_IPV4_DST:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_match_ip(priv->mode, tun_info))
+ *dest = tun_info->key.u.ipv4.dst;
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
default:
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
@@ -89,6 +119,8 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
len = sizeof(u8);
break;
case NFT_TUNNEL_ID:
+ case NFT_TUNNEL_IPV4_SRC:
+ case NFT_TUNNEL_IPV4_DST:
len = sizeof(u32);
break;
default:
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH nf-next v2 3/4] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
2019-11-16 7:49 [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload wenxu
2019-11-16 7:49 ` [PATCH nf-next v2 1/4] netfilter: nft_tunnel: add nft_tunnel_mode_match function wenxu
2019-11-16 7:49 ` [PATCH nf-next v2 2/4] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match wenxu
@ 2019-11-16 7:49 ` wenxu
2019-11-16 7:49 ` [PATCH nf-next v2 4/4] netfilter: nft_tunnel: add nft_tunnel_get_offload support wenxu
2019-11-18 22:03 ` [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload Pablo Neira Ayuso
4 siblings, 0 replies; 7+ messages in thread
From: wenxu @ 2019-11-16 7:49 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add new two NFT_TUNNEL_IPV6_SRC/DST match in nft_tunnel
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
v2: add nft_tunnel_mode_match_ip6
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_tunnel.c | 36 ++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 1621d72..d067ee7 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1779,6 +1779,8 @@ enum nft_tunnel_keys {
NFT_TUNNEL_ID,
NFT_TUNNEL_IPV4_SRC,
NFT_TUNNEL_IPV4_DST,
+ NFT_TUNNEL_IPV6_SRC,
+ NFT_TUNNEL_IPV6_DST,
__NFT_TUNNEL_MAX
};
#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 67f7718..943a704 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -41,6 +41,16 @@ static bool nft_tunnel_mode_match_ip(enum nft_tunnel_mode priv_mode,
return false;
}
+static bool nft_tunnel_mode_match_ip6(enum nft_tunnel_mode priv_mode,
+ struct ip_tunnel_info *tun_info)
+{
+ if (nft_tunnel_mode_match(priv_mode, tun_info->mode) &&
+ ip_tunnel_info_af(tun_info) == AF_INET6)
+ return true;
+
+ return false;
+}
+
static void nft_tunnel_get_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
@@ -90,6 +100,28 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
else
regs->verdict.code = NFT_BREAK;
break;
+ case NFT_TUNNEL_IPV6_SRC:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_match_ip6(priv->mode, tun_info))
+ memcpy(dest, &tun_info->key.u.ipv6.src,
+ sizeof(struct in6_addr));
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
+ case NFT_TUNNEL_IPV6_DST:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_match_ip6(priv->mode, tun_info))
+ memcpy(dest, &tun_info->key.u.ipv6.dst,
+ sizeof(struct in6_addr));
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
default:
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
@@ -123,6 +155,10 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
case NFT_TUNNEL_IPV4_DST:
len = sizeof(u32);
break;
+ case NFT_TUNNEL_IPV6_SRC:
+ case NFT_TUNNEL_IPV6_DST:
+ len = sizeof(struct in6_addr);
+ break;
default:
return -EOPNOTSUPP;
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* [PATCH nf-next v2 4/4] netfilter: nft_tunnel: add nft_tunnel_get_offload support
2019-11-16 7:49 [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload wenxu
` (2 preceding siblings ...)
2019-11-16 7:49 ` [PATCH nf-next v2 3/4] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match wenxu
@ 2019-11-16 7:49 ` wenxu
2019-11-18 22:03 ` [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload Pablo Neira Ayuso
4 siblings, 0 replies; 7+ messages in thread
From: wenxu @ 2019-11-16 7:49 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add tunnel meta match offload. Currently support for NFT_TUNNEL_ID
NFT_TUNNEL_IPV4_SRC/DST and NFT_TUNNEL_IPV6_SRC/DST
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
v2: no change
include/net/netfilter/nf_tables_offload.h | 5 ++++
net/netfilter/nft_tunnel.c | 41 +++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index ea7d1d7..58ac20c 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -46,6 +46,11 @@ struct nft_flow_key {
struct flow_dissector_key_vlan vlan;
struct flow_dissector_key_eth_addrs eth_addrs;
struct flow_dissector_key_meta meta;
+ struct flow_dissector_key_keyid enc_key_id;
+ union {
+ struct flow_dissector_key_ipv4_addrs enc_ipv4;
+ struct flow_dissector_key_ipv6_addrs enc_ipv6;
+ };
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
struct nft_flow_match {
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 943a704..5ff543b 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -11,6 +11,7 @@
#include <net/ip_tunnels.h>
#include <net/vxlan.h>
#include <net/erspan.h>
+#include <net/netfilter/nf_tables_offload.h>
struct nft_tunnel {
enum nft_tunnel_keys key:8;
@@ -194,6 +195,45 @@ static int nft_tunnel_get_dump(struct sk_buff *skb,
return -1;
}
+static int nft_tunnel_get_offload(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow,
+ const struct nft_expr *expr)
+{
+ const struct nft_tunnel *priv = nft_expr_priv(expr);
+ struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
+
+ if (priv->mode == NFT_TUNNEL_MODE_TX)
+ return -EOPNOTSUPP;
+
+ switch (priv->key) {
+ case NFT_TUNNEL_ID:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_KEYID, enc_key_id,
+ keyid, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IPV4_SRC:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4,
+ src, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IPV4_DST:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4,
+ dst, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IPV6_SRC:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6,
+ src, sizeof(struct in6_addr), reg);
+ break;
+ case NFT_TUNNEL_IPV6_DST:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6,
+ dst, sizeof(struct in6_addr), reg);
+ break;
+ case NFT_TUNNEL_PATH:
+ default:
+ return -EOPNOTSUPP;
+ }
+
+ return 0;
+}
+
static struct nft_expr_type nft_tunnel_type;
static const struct nft_expr_ops nft_tunnel_get_ops = {
.type = &nft_tunnel_type,
@@ -201,6 +241,7 @@ static int nft_tunnel_get_dump(struct sk_buff *skb,
.eval = nft_tunnel_get_eval,
.init = nft_tunnel_get_init,
.dump = nft_tunnel_get_dump,
+ .offload = nft_tunnel_get_offload,
};
static struct nft_expr_type nft_tunnel_type __read_mostly = {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 7+ messages in thread* Re: [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload
2019-11-16 7:49 [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload wenxu
` (3 preceding siblings ...)
2019-11-16 7:49 ` [PATCH nf-next v2 4/4] netfilter: nft_tunnel: add nft_tunnel_get_offload support wenxu
@ 2019-11-18 22:03 ` Pablo Neira Ayuso
2020-02-11 8:38 ` wenxu
4 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2019-11-18 22:03 UTC (permalink / raw)
To: wenxu; +Cc: netfilter-devel
On Sat, Nov 16, 2019 at 03:49:20PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> This series add NFT_TUNNEL_IPV4/6_SRC/DST match and tunnel expr offload.
Thanks. Please, let me revamp a new patch series for the
encapsulation/decapsulation support to make sure those are mixing well
with your tunnel matching support.
> wenxu (4):
> netfilter: nft_tunnel: add nft_tunnel_mode_match function
> netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
> netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
> netfilter: nft_tunnel: add nft_tunnel_get_offload support
>
> include/net/netfilter/nf_tables_offload.h | 5 ++
> include/uapi/linux/netfilter/nf_tables.h | 4 +
> net/netfilter/nft_tunnel.c | 138 +++++++++++++++++++++++++++---
> 3 files changed, 134 insertions(+), 13 deletions(-)
>
> --
> 1.8.3.1
>
^ permalink raw reply [flat|nested] 7+ messages in thread* Re: [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload
2019-11-18 22:03 ` [PATCH nf-next v2 0/4] netfilter: nft_tunnel: support tunnel match expr offload Pablo Neira Ayuso
@ 2020-02-11 8:38 ` wenxu
0 siblings, 0 replies; 7+ messages in thread
From: wenxu @ 2020-02-11 8:38 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
在 2019/11/19 6:03, Pablo Neira Ayuso 写道:
> On Sat, Nov 16, 2019 at 03:49:20PM +0800, wenxu@ucloud.cn wrote:
>> From: wenxu <wenxu@ucloud.cn>
>>
>> This series add NFT_TUNNEL_IPV4/6_SRC/DST match and tunnel expr offload.
> Thanks. Please, let me revamp a new patch series for the
> encapsulation/decapsulation support to make sure those are mixing well
> with your tunnel matching support.
Pablo, any update for this series?
>
>> wenxu (4):
>> netfilter: nft_tunnel: add nft_tunnel_mode_match function
>> netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
>> netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
>> netfilter: nft_tunnel: add nft_tunnel_get_offload support
>>
>> include/net/netfilter/nf_tables_offload.h | 5 ++
>> include/uapi/linux/netfilter/nf_tables.h | 4 +
>> net/netfilter/nft_tunnel.c | 138 +++++++++++++++++++++++++++---
>> 3 files changed, 134 insertions(+), 13 deletions(-)
>>
>> --
>> 1.8.3.1
>>
^ permalink raw reply [flat|nested] 7+ messages in thread