Netfilter-Devel Archive on lore.kernel.org
* [PATCH nf-next] netfilter: nf_tables: store data in offload context registers
From: Pablo Neira Ayuso @ 2019-08-01 12:09 UTC
  To: netfilter-devel

Store immediate data into offload context register. This allows follow
up instructions to take it from the corresponding source register.

This patch is required to support payload mangling, although other
instructions that take data from source register will benefit from this
too.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_tables_offload.h |  1 +
 net/netfilter/nft_immediate.c             | 24 +++++++++++++++++-------
 2 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index 3196663a10e3..4977fbe7ed08 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -9,6 +9,7 @@ struct nft_offload_reg {
 	u32		len;
 	u32		base_offset;
 	u32		offset;
+	struct nft_data data;
 	struct nft_data	mask;
 };
 
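Review bot: The new `data` member in struct nft_offload_reg adds a full struct nft_data to every offload register, and nft_flow_rule_create() keeps a struct nft_offload_ctx as a local variable; if regs[] is embedded in that context, the stack frame grows with every register, which is consistent with the -Wframe-larger-than warning (1168 bytes on sh) reported in the reply in this thread. Consider allocating the context dynamically, for example with kzalloc(), instead of placing it on the stack. Style: the added line separates type and name with a space, `struct nft_data data;`, where the neighbouring `mask` member uses a tab.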
diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c
index ca2ae4b95a8d..c7f0ef73d939 100644
--- a/net/netfilter/nft_immediate.c
+++ b/net/netfilter/nft_immediate.c
@@ -125,17 +125,13 @@ static int nft_immediate_validate(const struct nft_ctx *ctx,
 	return 0;
 }
 
-static int nft_immediate_offload(struct nft_offload_ctx *ctx,
-				 struct nft_flow_rule *flow,
-				 const struct nft_expr *expr)
+static int nft_immediate_offload_verdict(struct nft_offload_ctx *ctx,
+					 struct nft_flow_rule *flow,
+					 const struct nft_immediate_expr *priv)
 {
-	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
 	struct flow_action_entry *entry;
 	const struct nft_data *data;
 
-	if (priv->dreg != NFT_REG_VERDICT)
-		return -EOPNOTSUPP;
-
 	entry = &flow->rule->action.entries[ctx->num_actions++];
 
 	data = &priv->data;
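Review bot: With the `priv->dreg != NFT_REG_VERDICT` check removed from the top of nft_immediate_offload_verdict(), the helper depends entirely on its caller to pass only verdict immediates, while `entry = &flow->rule->action.entries[ctx->num_actions++];` still consumes an action slot with no bound visible in this hunk. A short comment stating that precondition above the function would keep a future second caller from taking an action entry for a data register.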
@@ -153,6 +149,20 @@ static int nft_immediate_offload(struct nft_offload_ctx *ctx,
 	return 0;
 }
 
+static int nft_immediate_offload(struct nft_offload_ctx *ctx,
+				 struct nft_flow_rule *flow,
+				 const struct nft_expr *expr)
+{
+	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
+
+	if (priv->dreg == NFT_REG_VERDICT)
+		return nft_immediate_offload_verdict(ctx, flow, priv);
+
+	memcpy(&ctx->regs[priv->dreg].data, &priv->data, sizeof(priv->data));
+
+	return 0;
+}
+
 static const struct nft_expr_ops nft_imm_ops = {
 	.type		= &nft_imm_type,
 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)),
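Review bot: In the new nft_immediate_offload(), `ctx->regs[priv->dreg].data` is indexed by priv->dreg with no range check in this function, so it relies on dreg having been validated elsewhere against the size of ctx->regs[]; please confirm that or add a check here. The non-verdict path also changes from returning -EOPNOTSUPP to returning 0 after the memcpy(), so an immediate whose register no later expression consumes is now accepted for offload without producing a match or an action; the changelog should say what happens to such rules until the payload mangling consumer exists. The copy writes only `.data` and leaves len, offset and mask of that register untouched, and a plain struct assignment would be simpler than memcpy().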
-- 
2.11.0



* Re: [PATCH nf-next] netfilter: nf_tables: store data in offload context registers
From: kbuild test robot @ 2019-08-07 14:02 UTC
  To: Pablo Neira Ayuso; +Cc: kbuild-all, netfilter-devel


Hi Pablo,

I love your patch! Perhaps something to improve:

[auto build test WARNING on nf-next/master]

url:    https://github.com/0day-ci/linux/commits/Pablo-Neira-Ayuso/netfilter-nf_tables-store-data-in-offload-context-registers/20190804-160102
base:   https://kernel.googlesource.com/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: sh-allmodconfig (attached as .config)
compiler: sh4-linux-gcc (GCC) 7.4.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        GCC_VERSION=7.4.0 make.cross ARCH=sh 

If you fix the issue, kindly add the following tag
Reported-by: kbuild test robot <lkp@intel.com>

All warnings (new ones prefixed by >>):

   net/netfilter/nf_tables_offload.c: In function 'nft_flow_rule_create':
>> net/netfilter/nf_tables_offload.c:73:1: warning: the frame size of 1168 bytes is larger than 1024 bytes [-Wframe-larger-than=]
    }
    ^

vim +73 net/netfilter/nf_tables_offload.c

c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  30  
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  31  struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule)
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  32  {
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  33  	struct nft_offload_ctx ctx = {
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  34  		.dep	= {
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  35  			.type	= NFT_OFFLOAD_DEP_UNSPEC,
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  36  		},
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  37  	};
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  38  	struct nft_flow_rule *flow;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  39  	int num_actions = 0, err;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  40  	struct nft_expr *expr;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  41  
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  42  	expr = nft_expr_first(rule);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  43  	while (expr->ops && expr != nft_expr_last(rule)) {
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  44  		if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  45  			num_actions++;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  46  
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  47  		expr = nft_expr_next(expr);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  48  	}
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  49  
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  50  	flow = nft_flow_rule_alloc(num_actions);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  51  	if (!flow)
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  52  		return ERR_PTR(-ENOMEM);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  53  
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  54  	expr = nft_expr_first(rule);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  55  	while (expr->ops && expr != nft_expr_last(rule)) {
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  56  		if (!expr->ops->offload) {
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  57  			err = -EOPNOTSUPP;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  58  			goto err_out;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  59  		}
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  60  		err = expr->ops->offload(&ctx, flow, expr);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  61  		if (err < 0)
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  62  			goto err_out;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  63  
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  64  		expr = nft_expr_next(expr);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  65  	}
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  66  	flow->proto = ctx.dep.l3num;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  67  
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  68  	return flow;
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  69  err_out:
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  70  	nft_flow_rule_destroy(flow);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  71  
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  72  	return ERR_PTR(err);
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09 @73  }
c9626a2cbdb20e Pablo Neira Ayuso 2019-07-09  74  

:::::: The code at line 73 was first introduced by commit
:::::: c9626a2cbdb20e26587b3fad99960520a023432b netfilter: nf_tables: add hardware offload support

:::::: TO: Pablo Neira Ayuso <pablo@netfilter.org>
:::::: CC: David S. Miller <davem@davemloft.net>

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation
