* [PATCH nf-next 0/5] netfilter: nft_tunnel: support tunnel match expr offload
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
This series adds NFT_TUNNEL_IPV4/6_SRC/DST match and tunnel expr offload.
wenxu (5):
netfilter: nft_tunnel: add nft_tunnel_mode_validate function
netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate
netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
netfilter: nft_tunnel: add nft_tunnel_get_offload support
include/net/netfilter/nf_tables_offload.h | 5 ++
include/uapi/linux/netfilter/nf_tables.h | 4 +
net/netfilter/nft_tunnel.c | 130 +++++++++++++++++++++++++++---
3 files changed, 129 insertions(+), 10 deletions(-)
--
1.8.3.1
* [PATCH nf-next 1/5] netfilter: nft_tunnel: add nft_tunnel_mode_validate function
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Move the common mode validation code into the nft_tunnel_mode_validate
function.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nft_tunnel.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 3d4c2ae..78b6e8f 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -18,6 +18,19 @@ struct nft_tunnel {
enum nft_tunnel_mode mode:8;
};
+static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
+ u8 tun_mode)
+{
+ if (priv_mode == NFT_TUNNEL_MODE_NONE ||
+ (priv_mode == NFT_TUNNEL_MODE_RX &&
+ !(tun_mode & IP_TUNNEL_INFO_TX)) ||
+ (priv_mode == NFT_TUNNEL_MODE_TX &&
+ (tun_mode & IP_TUNNEL_INFO_TX)))
+ return true;
+
+ return false;
+}
+
static void nft_tunnel_get_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
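Review bot: The new helper nft_tunnel_mode_validate() has no comment stating its contract, and it is not obvious from the signature that `tun_mode` is the flag byte from the packet's tunnel metadata rather than another enum nft_tunnel_mode. I would add a comment above it along the lines of `/* true if the tunnel direction in tun_mode (IP_TUNNEL_INFO_TX bit) is accepted by priv_mode; NFT_TUNNEL_MODE_NONE accepts both, any other value rejects */`. As a matter of style, the condition can be returned directly rather than through `if (...) return true; return false;`.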
@@ -34,11 +47,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
nft_reg_store8(dest, false);
return;
}
- if (priv->mode == NFT_TUNNEL_MODE_NONE ||
- (priv->mode == NFT_TUNNEL_MODE_RX &&
- !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
- (priv->mode == NFT_TUNNEL_MODE_TX &&
- (tun_info->mode & IP_TUNNEL_INFO_TX)))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
nft_reg_store8(dest, true);
else
nft_reg_store8(dest, false);
@@ -48,11 +57,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
return;
}
- if (priv->mode == NFT_TUNNEL_MODE_NONE ||
- (priv->mode == NFT_TUNNEL_MODE_RX &&
- !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
- (priv->mode == NFT_TUNNEL_MODE_TX &&
- (tun_info->mode & IP_TUNNEL_INFO_TX)))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
else
regs->verdict.code = NFT_BREAK;
--
1.8.3.1
* [PATCH nf-next 2/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add two new NFT_TUNNEL_IPV4_SRC/DST matches in nft_tunnel
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_tunnel.c | 22 ++++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 81fed16..7f65019 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1775,6 +1775,8 @@ enum nft_tunnel_key_attributes {
enum nft_tunnel_keys {
NFT_TUNNEL_PATH,
NFT_TUNNEL_ID,
+ NFT_TUNNEL_IPV4_SRC,
+ NFT_TUNNEL_IPV4_DST,
__NFT_TUNNEL_MAX
};
#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 78b6e8f..b60e855 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -62,6 +62,26 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
else
regs->verdict.code = NFT_BREAK;
break;
+ case NFT_TUNNEL_IPV4_SRC:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ *dest = tun_info->key.u.ipv4.src;
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
+ case NFT_TUNNEL_IPV4_DST:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ *dest = tun_info->key.u.ipv4.dst;
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
default:
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
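Review bot: The NFT_TUNNEL_IPV4_SRC and NFT_TUNNEL_IPV4_DST cases read `tun_info->key.u.ipv4` without first checking that the tunnel metadata is IPv4. With this patch alone, an IPv6 tunnel would presumably load part of the IPv6 key into the register (assuming `key.u` is a union, as the name suggests), and a rule could then match on bytes that are not an IPv4 address. The family check only arrives in patch 3/5, so to keep every commit correct when bisecting, either move that check ahead of this patch or guard here with `if (tun_info->mode & IP_TUNNEL_INFO_IPV6) { regs->verdict.code = NFT_BREAK; return; }`. nft_tunnel_get_eval starts and ends outside this hunk.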
@@ -91,6 +111,8 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
len = sizeof(u8);
break;
case NFT_TUNNEL_ID:
+ case NFT_TUNNEL_IPV4_SRC:
+ case NFT_TUNNEL_IPV4_DST:
len = sizeof(u32);
break;
default:
--
1.8.3.1
* [PATCH nf-next 3/5] netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add ipv6 tunnel check in nft_tunnel_mode_validate.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nft_tunnel.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index b60e855..580b51b 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -18,9 +18,19 @@ struct nft_tunnel {
enum nft_tunnel_mode mode:8;
};
+enum nft_inet_type {
+ NFT_INET_NONE_TYPE,
+ NFT_INET_IPV4_TYPE,
+ NFT_INET_IPV6_TYPE,
+};
+
static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
- u8 tun_mode)
+ u8 tun_mode, enum nft_inet_type type)
{
+ if ((type == NFT_INET_IPV6_TYPE && !(tun_mode & IP_TUNNEL_INFO_IPV6)) ||
+ (type == NFT_INET_IPV4_TYPE && (tun_mode & IP_TUNNEL_INFO_IPV6)))
+ return false;
+
if (priv_mode == NFT_TUNNEL_MODE_NONE ||
(priv_mode == NFT_TUNNEL_MODE_RX &&
!(tun_mode & IP_TUNNEL_INFO_TX)) ||
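Review bot: `enum nft_inet_type` is a file-local enum with a generic nft_ name, and NFT_INET_NONE_TYPE silently means "skip the address-family check", which is stated nowhere. A comment on the enum, for example `/* NONE: key is family-independent, no IP_TUNNEL_INFO_IPV6 check */`, would make the contract clear to future callers. Reusing NFPROTO_UNSPEC/NFPROTO_IPV4/NFPROTO_IPV6 instead of introducing a new enum is another option. The body of nft_tunnel_mode_validate continues past the end of this hunk.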
@@ -47,7 +57,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
nft_reg_store8(dest, false);
return;
}
- if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_NONE_TYPE))
nft_reg_store8(dest, true);
else
nft_reg_store8(dest, false);
@@ -57,7 +68,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
return;
}
- if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_NONE_TYPE))
*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
else
regs->verdict.code = NFT_BREAK;
@@ -67,7 +79,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
return;
}
- if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_IPV4_TYPE))
*dest = tun_info->key.u.ipv4.src;
else
regs->verdict.code = NFT_BREAK;
@@ -77,7 +90,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
return;
}
- if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_IPV4_TYPE))
*dest = tun_info->key.u.ipv4.dst;
else
regs->verdict.code = NFT_BREAK;
--
1.8.3.1
* [PATCH nf-next 4/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add two new NFT_TUNNEL_IPV6_SRC/DST matches in nft_tunnel
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_tunnel.c | 28 ++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 7f65019..584868d 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1777,6 +1777,8 @@ enum nft_tunnel_keys {
NFT_TUNNEL_ID,
NFT_TUNNEL_IPV4_SRC,
NFT_TUNNEL_IPV4_DST,
+ NFT_TUNNEL_IPV6_SRC,
+ NFT_TUNNEL_IPV6_DST,
__NFT_TUNNEL_MAX
};
#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 580b51b..0a3005d 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -96,6 +96,30 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
else
regs->verdict.code = NFT_BREAK;
break;
+ case NFT_TUNNEL_IPV6_SRC:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_IPV6_TYPE))
+ memcpy(dest, &tun_info->key.u.ipv6.src,
+ sizeof(struct in6_addr));
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
+ case NFT_TUNNEL_IPV6_DST:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_IPV6_TYPE))
+ memcpy(dest, &tun_info->key.u.ipv6.dst,
+ sizeof(struct in6_addr));
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
default:
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
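Review bot: The two IPv6 cases copy sizeof(struct in6_addr) bytes to `dest`, which points at a single u32 register slot, so the store spans four consecutive registers. It is only in bounds if the destination register range was validated for 16 bytes at init time. The matching `len = sizeof(struct in6_addr)` is set in the nft_tunnel_get_init hunk of this patch, but the call that consumes `len` is not visible here, so that is worth confirming. A comment at the memcpy such as `/* 16-byte store; dreg range checked against len in nft_tunnel_get_init() */` would document the coupling. nft_tunnel_get_eval starts before this hunk.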
@@ -129,6 +153,10 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
case NFT_TUNNEL_IPV4_DST:
len = sizeof(u32);
break;
+ case NFT_TUNNEL_IPV6_SRC:
+ case NFT_TUNNEL_IPV6_DST:
+ len = sizeof(struct in6_addr);
+ break;
default:
return -EOPNOTSUPP;
}
--
1.8.3.1
* [PATCH nf-next 5/5] netfilter: nft_tunnel: add nft_tunnel_get_offload support
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
To: pablo, fw; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add tunnel meta match offload. Currently supported: NFT_TUNNEL_ID,
NFT_TUNNEL_IPV4_SRC/DST and NFT_TUNNEL_IPV6_SRC/DST.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
include/net/netfilter/nf_tables_offload.h | 5 ++++
net/netfilter/nft_tunnel.c | 41 +++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index 03cf585..f99653b 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -45,6 +45,11 @@ struct nft_flow_key {
struct flow_dissector_key_ip ip;
struct flow_dissector_key_vlan vlan;
struct flow_dissector_key_eth_addrs eth_addrs;
+ struct flow_dissector_key_keyid enc_key_id;
+ union {
+ struct flow_dissector_key_ipv4_addrs enc_ipv4;
+ struct flow_dissector_key_ipv6_addrs enc_ipv6;
+ };
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
struct nft_flow_match {
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 0a3005d..abfff56 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -11,6 +11,7 @@
#include <net/ip_tunnels.h>
#include <net/vxlan.h>
#include <net/erspan.h>
+#include <net/netfilter/nf_tables_offload.h>
struct nft_tunnel {
enum nft_tunnel_keys key:8;
@@ -192,6 +193,45 @@ static int nft_tunnel_get_dump(struct sk_buff *skb,
return -1;
}
+static int nft_tunnel_get_offload(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow,
+ const struct nft_expr *expr)
+{
+ const struct nft_tunnel *priv = nft_expr_priv(expr);
+ struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
+
+ if (priv->mode == NFT_TUNNEL_MODE_TX)
+ return -EOPNOTSUPP;
+
+ switch (priv->key) {
+ case NFT_TUNNEL_ID:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_KEYID, enc_key_id,
+ keyid, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IPV4_SRC:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4,
+ src, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IPV4_DST:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4,
+ dst, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IPV6_SRC:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6,
+ src, sizeof(struct in6_addr), reg);
+ break;
+ case NFT_TUNNEL_IPV6_DST:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6,
+ dst, sizeof(struct in6_addr), reg);
+ break;
+ case NFT_TUNNEL_PATH:
+ default:
+ return -EOPNOTSUPP;
+ }
+
+ return 0;
+}
+
static struct nft_expr_type nft_tunnel_type;
static const struct nft_expr_ops nft_tunnel_get_ops = {
.type = &nft_tunnel_type,
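Review bot: The NFT_TUNNEL_ID case hands the register contents to the `keyid` field as-is, while the software path in nft_tunnel_get_eval stores the tunnel id as `ntohl(tunnel_id_to_key32(...))`, i.e. in host byte order. If NFT_OFFLOAD_MATCH copies the register bytes unchanged (its body is not on this page) and the flow dissector key is big-endian, an offloaded rule would compare a different value than the software rule on little-endian hosts, so hardware and software could disagree on which packets match. The value and mask need converting to network order before they reach the key, or NFT_TUNNEL_ID should return -EOPNOTSUPP until that is handled. A comment on the `priv->mode == NFT_TUNNEL_MODE_TX` check saying why only the transmit direction is refused would also help.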
@@ -199,6 +239,7 @@ static int nft_tunnel_get_dump(struct sk_buff *skb,
.eval = nft_tunnel_get_eval,
.init = nft_tunnel_get_init,
.dump = nft_tunnel_get_dump,
+ .offload = nft_tunnel_get_offload,
};
static struct nft_expr_type nft_tunnel_type __read_mostly = {
--
1.8.3.1
* Re: [PATCH nf-next 2/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
From: kbuild test robot @ 2019-10-27 10:32 UTC (permalink / raw)
To: wenxu; +Cc: kbuild-all, pablo, fw, netfilter-devel
Hi,
Thank you for the patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url: https://github.com/0day-ci/linux/commits/wenxu-ucloud-cn/netfilter-nft_tunnel-support-tunnel-match-expr-offload/20191027-152013
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
reproduce:
# apt-get install sparse
# sparse version: v0.6.1-dirty
make ARCH=x86_64 allmodconfig
make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'
If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
>> net/netfilter/nft_tunnel.c:71:31: sparse: sparse: incorrect type in assignment (different base types) @@ expected unsigned int [usertype] @@ got restrunsigned int [usertype] @@
>> net/netfilter/nft_tunnel.c:71:31: sparse: expected unsigned int [usertype]
>> net/netfilter/nft_tunnel.c:71:31: sparse: got restricted __be32 [usertype] src
net/netfilter/nft_tunnel.c:81:31: sparse: sparse: incorrect type in assignment (different base types) @@ expected unsigned int [usertype] @@ got restrunsigned int [usertype] @@
net/netfilter/nft_tunnel.c:81:31: sparse: expected unsigned int [usertype]
>> net/netfilter/nft_tunnel.c:81:31: sparse: got restricted __be32 [usertype] dst
net/netfilter/nft_tunnel.c:531:54: sparse: sparse: cast from restricted __be16
net/netfilter/nft_tunnel.c:531:54: sparse: sparse: incorrect type in argument 1 (different base types) @@ expected unsigned short [usertype] val @@ got resunsigned short [usertype] val @@
net/netfilter/nft_tunnel.c:531:54: sparse: expected unsigned short [usertype] val
net/netfilter/nft_tunnel.c:531:54: sparse: got restricted __be16 [usertype] tp_src
net/netfilter/nft_tunnel.c:531:54: sparse: sparse: cast from restricted __be16
net/netfilter/nft_tunnel.c:531:54: sparse: sparse: cast from restricted __be16
net/netfilter/nft_tunnel.c:532:54: sparse: sparse: cast from restricted __be16
net/netfilter/nft_tunnel.c:532:54: sparse: sparse: incorrect type in argument 1 (different base types) @@ expected unsigned short [usertype] val @@ got resunsigned short [usertype] val @@
net/netfilter/nft_tunnel.c:532:54: sparse: expected unsigned short [usertype] val
net/netfilter/nft_tunnel.c:532:54: sparse: got restricted __be16 [usertype] tp_dst
net/netfilter/nft_tunnel.c:532:54: sparse: sparse: cast from restricted __be16
net/netfilter/nft_tunnel.c:532:54: sparse: sparse: cast from restricted __be16
vim +71 net/netfilter/nft_tunnel.c
33
34 static void nft_tunnel_get_eval(const struct nft_expr *expr,
35 struct nft_regs *regs,
36 const struct nft_pktinfo *pkt)
37 {
38 const struct nft_tunnel *priv = nft_expr_priv(expr);
39 u32 *dest = &regs->data[priv->dreg];
40 struct ip_tunnel_info *tun_info;
41
42 tun_info = skb_tunnel_info(pkt->skb);
43
44 switch (priv->key) {
45 case NFT_TUNNEL_PATH:
46 if (!tun_info) {
47 nft_reg_store8(dest, false);
48 return;
49 }
50 if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
51 nft_reg_store8(dest, true);
52 else
53 nft_reg_store8(dest, false);
54 break;
55 case NFT_TUNNEL_ID:
56 if (!tun_info) {
57 regs->verdict.code = NFT_BREAK;
58 return;
59 }
60 if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
61 *dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
62 else
63 regs->verdict.code = NFT_BREAK;
64 break;
65 case NFT_TUNNEL_IPV4_SRC:
66 if (!tun_info) {
67 regs->verdict.code = NFT_BREAK;
68 return;
69 }
70 if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> 71 *dest = tun_info->key.u.ipv4.src;
72 else
73 regs->verdict.code = NFT_BREAK;
74 break;
75 case NFT_TUNNEL_IPV4_DST:
76 if (!tun_info) {
77 regs->verdict.code = NFT_BREAK;
78 return;
79 }
80 if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> 81 *dest = tun_info->key.u.ipv4.dst;
82 else
83 regs->verdict.code = NFT_BREAK;
84 break;
85 default:
86 WARN_ON(1);
87 regs->verdict.code = NFT_BREAK;
88 }
89 }
90
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
* Re: [PATCH nf-next 1/5] netfilter: nft_tunnel: add nft_tunnel_mode_validate function
From: Pablo Neira Ayuso @ 2019-11-15 22:52 UTC (permalink / raw)
To: wenxu; +Cc: fw, netfilter-devel
On Thu, Oct 24, 2019 at 06:35:32PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> Move mode validate common code to nft_tunnel_mode_validate
> function.
>
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
> net/netfilter/nft_tunnel.c | 25 +++++++++++++++----------
> 1 file changed, 15 insertions(+), 10 deletions(-)
>
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 3d4c2ae..78b6e8f 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -18,6 +18,19 @@ struct nft_tunnel {
> enum nft_tunnel_mode mode:8;
> };
>
> +static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
> + u8 tun_mode)
> +{
> + if (priv_mode == NFT_TUNNEL_MODE_NONE ||
> + (priv_mode == NFT_TUNNEL_MODE_RX &&
> + !(tun_mode & IP_TUNNEL_INFO_TX)) ||
> + (priv_mode == NFT_TUNNEL_MODE_TX &&
> + (tun_mode & IP_TUNNEL_INFO_TX)))
> + return true;
> +
> + return false;
> +}
> +
> static void nft_tunnel_get_eval(const struct nft_expr *expr,
> struct nft_regs *regs,
> const struct nft_pktinfo *pkt)
> @@ -34,11 +47,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
> nft_reg_store8(dest, false);
> return;
> }
> - if (priv->mode == NFT_TUNNEL_MODE_NONE ||
> - (priv->mode == NFT_TUNNEL_MODE_RX &&
> - !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
> - (priv->mode == NFT_TUNNEL_MODE_TX &&
> - (tun_info->mode & IP_TUNNEL_INFO_TX)))
> + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> nft_reg_store8(dest, true);
> else
> nft_reg_store8(dest, false);
Probably simplify this?
nft_reg_store8(dest, nft_tunnel_mode_match(priv->mode, tun_info->mode));
The idea is that nft_tunnel_mode_match() returns u8 to store 0 / 1 on
the register.
> @@ -48,11 +57,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
> regs->verdict.code = NFT_BREAK;
> return;
> }
> - if (priv->mode == NFT_TUNNEL_MODE_NONE ||
> - (priv->mode == NFT_TUNNEL_MODE_RX &&
> - !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
> - (priv->mode == NFT_TUNNEL_MODE_TX &&
> - (tun_info->mode & IP_TUNNEL_INFO_TX)))
> + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> *dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
> else
> regs->verdict.code = NFT_BREAK;
> --
> 1.8.3.1
>
* Re: [PATCH nf-next 3/5] netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate
From: Pablo Neira Ayuso @ 2019-11-15 22:55 UTC (permalink / raw)
To: wenxu; +Cc: fw, netfilter-devel
On Thu, Oct 24, 2019 at 06:35:34PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> Add ipv6 tunnel check in nft_tunnel_mode_validate.
>
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
> net/netfilter/nft_tunnel.c | 24 +++++++++++++++++++-----
> 1 file changed, 19 insertions(+), 5 deletions(-)
>
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index b60e855..580b51b 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -18,9 +18,19 @@ struct nft_tunnel {
> enum nft_tunnel_mode mode:8;
> };
>
> +enum nft_inet_type {
> + NFT_INET_NONE_TYPE,
> + NFT_INET_IPV4_TYPE,
> + NFT_INET_IPV6_TYPE,
> +};
> +
> static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
> - u8 tun_mode)
> + u8 tun_mode, enum nft_inet_type type)
> {
> + if ((type == NFT_INET_IPV6_TYPE && !(tun_mode & IP_TUNNEL_INFO_IPV6)) ||
> + (type == NFT_INET_IPV4_TYPE && (tun_mode & IP_TUNNEL_INFO_IPV6)))
> + return false;
> +
> if (priv_mode == NFT_TUNNEL_MODE_NONE ||
> (priv_mode == NFT_TUNNEL_MODE_RX &&
> !(tun_mode & IP_TUNNEL_INFO_TX)) ||
> @@ -47,7 +57,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
> nft_reg_store8(dest, false);
> return;
> }
> - if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> + NFT_INET_NONE_TYPE))
> nft_reg_store8(dest, true);
> else
> nft_reg_store8(dest, false);
> @@ -57,7 +68,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
> regs->verdict.code = NFT_BREAK;
> return;
> }
> - if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> + NFT_INET_NONE_TYPE))
> *dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
> else
> regs->verdict.code = NFT_BREAK;
> @@ -67,7 +79,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
> regs->verdict.code = NFT_BREAK;
> return;
> }
> - if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> + NFT_INET_IPV4_TYPE))
Add nft_tunnel_mode_match_ip() that wraps on nft_tunnel_mode_match()
that I proposed on patch 1/5.
> *dest = tun_info->key.u.ipv4.src;
> else
> regs->verdict.code = NFT_BREAK;
> @@ -77,7 +90,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
> regs->verdict.code = NFT_BREAK;
> return;
> }
> - if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> + NFT_INET_IPV4_TYPE))
> *dest = tun_info->key.u.ipv4.dst;
> else
> regs->verdict.code = NFT_BREAK;
> --
> 1.8.3.1
>
* Re: [PATCH nf-next 4/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
From: Pablo Neira Ayuso @ 2019-11-15 22:56 UTC (permalink / raw)
To: wenxu; +Cc: fw, netfilter-devel
On Thu, Oct 24, 2019 at 06:35:35PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> Add new two NFT_TUNNEL_IPV6_SRC/DST match in nft_tunnel
>
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
> include/uapi/linux/netfilter/nf_tables.h | 2 ++
> net/netfilter/nft_tunnel.c | 28 ++++++++++++++++++++++++++++
> 2 files changed, 30 insertions(+)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 7f65019..584868d 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -1777,6 +1777,8 @@ enum nft_tunnel_keys {
> NFT_TUNNEL_ID,
> NFT_TUNNEL_IPV4_SRC,
> NFT_TUNNEL_IPV4_DST,
> + NFT_TUNNEL_IPV6_SRC,
> + NFT_TUNNEL_IPV6_DST,
> __NFT_TUNNEL_MAX
> };
> #define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 580b51b..0a3005d 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -96,6 +96,30 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
> else
> regs->verdict.code = NFT_BREAK;
> break;
> + case NFT_TUNNEL_IPV6_SRC:
> + if (!tun_info) {
> + regs->verdict.code = NFT_BREAK;
> + return;
> + }
> + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> + NFT_INET_IPV6_TYPE))
And here, add nft_tunnel_mode_match_ip6().
> + memcpy(dest, &tun_info->key.u.ipv6.src,
> + sizeof(struct in6_addr));
> + else
> + regs->verdict.code = NFT_BREAK;
> + break;
> + case NFT_TUNNEL_IPV6_DST:
> + if (!tun_info) {
> + regs->verdict.code = NFT_BREAK;
> + return;
> + }
> + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> + NFT_INET_IPV6_TYPE))
> + memcpy(dest, &tun_info->key.u.ipv6.dst,
> + sizeof(struct in6_addr));
> + else
> + regs->verdict.code = NFT_BREAK;
> + break;
> default:
> WARN_ON(1);
> regs->verdict.code = NFT_BREAK;
> @@ -129,6 +153,10 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
> case NFT_TUNNEL_IPV4_DST:
> len = sizeof(u32);
> break;
> + case NFT_TUNNEL_IPV6_SRC:
> + case NFT_TUNNEL_IPV6_DST:
> + len = sizeof(struct in6_addr);
> + break;
> default:
> return -EOPNOTSUPP;
> }
> --
> 1.8.3.1
>