From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf-next 0/7] dynamic device updates for flowtables
Date: Wed, 20 May 2020 20:16:45 +0200
Message-ID: <20200520181652.30285-1-pablo@netfilter.org>

Hi,

Flowtable allows you to enable a fast forwarding path (packets bypass
the classic forwarding path), e.g.

  table inet filter {
          flowtable fastpath {
                  hook ingress priority 0
                  devices = { eth0, eth1 }
          }

          chain forward {
                  type filter hook forward priority 0; policy accept;
                  ip protocol { tcp, udp } flow offload @fastpath;
          }
  }

The ruleset above places TCP and UDP flows in the "fastpath" flowtable.
Flowtables integrate nicely with NAT and lightweight tunnels.

This patchset implements dynamic device updates for flowtables:

Patch #1 generalises the flowtable hook parser to take a hook list.
Patch #2 passes a hook list to the flowtable hook registration/unregistration.
Patch #3 adds a helper function to release the flowtable hook list.
Patch #4 updates the flowtable event notifier to pass a flowtable hook list.
Patch #5 allows users to add new devices to an existing flowtable.
Patch #6 allows users to remove devices from an existing flowtable.
Patch #7 allows users to register a flowtable with no initial devices.

This allows users to register a flowtable with no devices:

  nft add flowtable x y { hook ingress priority 0\; }

then, add dynamic devices as they show up:

  nft add flowtable x y { devices = { ppp0, eth1 } \; }

Devices that go away are automagically removed from the flowtable.

Pablo Neira Ayuso (7):
  netfilter: nf_tables: generalise flowtable hook parsing
  netfilter: nf_tables: pass hook list to nft_{un,}register_flowtable_net_hooks()
  netfilter: nf_tables: add nft_flowtable_hooks_destroy()
  netfilter: nf_tables: pass hook list to flowtable event notifier
  netfilter: nf_tables: add devices to existing flowtable
  netfilter: nf_tables: delete devices from flowtable
  netfilter: nf_tables: allow to register flowtable with no devices

 include/net/netfilter/nf_tables.h |   7 +
 net/netfilter/nf_tables_api.c     | 304 ++++++++++++++++++++++++------
 2 files changed, 253 insertions(+), 58 deletions(-)

--
2.20.1
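
Added example, not part of the original message or of the patchset: a hotplug-hook helper that builds the "add devices" statement shown in the cover letter while refusing interface names that could alter nft syntax. The function names and the validation policy are assumptions; x, y, ppp0 and eth1 are the names used in the message.

```sh
#!/bin/sh
# Added example (assumed helper names; not code from the patchset).
# A hook script that adds devices "as they show up" receives the interface
# name from outside, so validate it before placing it in an nft statement.

# valid_ifname NAME
# Policy (an assumption, stricter than the kernel): first character is a
# letter or underscore, the rest are letters, digits, '_', '.' or '-',
# and the name is at most 15 bytes long.
valid_ifname() {
    case "$1" in
        ''|[!A-Za-z_]*) return 1 ;;
        *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

# flowtable_add_devices TABLE FLOWTABLE DEV...
# Prints one nft statement on stdout. Returns 1 and prints nothing if any
# argument fails validation or no device is given.
flowtable_add_devices() {
    table=$1; ft=$2
    [ "$#" -ge 3 ] || return 1
    shift 2
    for ident in "$table" "$ft"; do
        case "$ident" in
            ''|*[!A-Za-z0-9_]*) return 1 ;;
        esac
    done
    devs=
    for dev in "$@"; do
        valid_ifname "$dev" || return 1
        devs="${devs:+$devs, }$dev"   # comma-separated device list
    done
    printf 'add flowtable %s %s { devices = { %s }; }\n' \
        "$table" "$ft" "$devs"
}
```

The printed statement can be fed to nft on standard input with "nft -f -", which avoids the shell escaping ("\;") needed on the command line.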