* [PATCH nf-next] netfilter: nf_tables_offload: allow ethernet interface type only
@ 2019-10-29 10:40 Pablo Neira Ayuso
  2019-10-29 17:10 ` Edward Cree
  2019-10-30  3:09 ` wenxu
  0 siblings, 2 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2019-10-29 10:40 UTC (permalink / raw)
  To: netfilter-devel; +Cc: jiri, netdev

Hardware offload support at this stage assumes an ethernet device in
place. The flow dissector provides the intermediate representation to
express this selector, so extend it to allow to store the interface
type. Flower does not use this, so skb_flow_dissect_meta() is not
extended to allow to match on this new field.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
@Jiri: flower ignores this when checking for the ingress device, probably
       that should restricted there too?

 include/net/flow_dissector.h | 2 ++
 net/netfilter/nft_cmp.c      | 7 +++++++
 net/netfilter/nft_meta.c     | 4 ++++
 3 files changed, 13 insertions(+)

diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h
index 5cd12276ae21..7d804db85442 100644
--- a/include/net/flow_dissector.h
+++ b/include/net/flow_dissector.h
@@ -204,9 +204,11 @@ struct flow_dissector_key_ip {
 /**
  * struct flow_dissector_key_meta:
  * @ingress_ifindex: ingress ifindex
+ * @iiftype: interface type
  */
 struct flow_dissector_key_meta {
 	int ingress_ifindex;
+	u16 ingress_iftype;
 };
 
 /**
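Review bot: The kerneldoc for the new member says nothing about who populates it, and the commit message states that skb_flow_dissect_meta() is deliberately not extended, so the field is only ever filled in by the nf_tables offload path and cannot be matched from the dissector. That is the kind of fact a reader of flow_dissector.h will not find anywhere else; consider ` * @ingress_iftype: ingress interface type (ARPHRD_*); set only by nf_tables offload, not by skb_flow_dissect_meta()`. The ARPHRD_* encoding is inferred from the nft_cmp comparison against ARPHRD_ETHER elsewhere in this patch rather than from this hunk.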
diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index a0cd6e48e1a0..799acb069d59 100644
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -10,6 +10,7 @@
 #include <linux/module.h>
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
+#include <linux/if_arp.h>
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_core.h>
 #include <net/netfilter/nf_tables_offload.h>
@@ -113,6 +114,7 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
 			     const struct nft_cmp_expr *priv)
 {
 	struct nft_offload_reg *reg = &ctx->regs[priv->sreg];
+	static u16 iftype_ether = ARPHRD_ETHER;
 	u8 *mask = (u8 *)&flow->match.mask;
 	u8 *key = (u8 *)&flow->match.key;
 
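Review bot: `iftype_ether` is declared `static u16` but is never written, which places a mutable object in .data for what is a constant; `static const u16 iftype_ether = ARPHRD_ETHER;` (or a plain `const u16` automatic) states the intent and lets the compiler put it in .rodata. The only use in the later hunk of this file takes its address for memcmp, which is fine with `const`. The body of __nft_cmp_offload continues outside the hunk.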
@@ -125,6 +127,11 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
 	flow->match.dissector.used_keys |= BIT(reg->key);
 	flow->match.dissector.offset[reg->key] = reg->base_offset;
 
+	if (reg->key == FLOW_DISSECTOR_KEY_META &&
+	    reg->offset == offsetof(struct nft_flow_key, meta.ingress_iftype) &&
+	    memcmp(&priv->data, &iftype_ether, priv->len))
+		return -EOPNOTSUPP;
+
 	nft_offload_update_dependency(ctx, &priv->data, priv->len);
 
 	return 0;
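Review bot: The ethernet-only guard runs after `used_keys` and `offset[]` have already been updated, and if the lines between the two hunks are the usual key/mask copies it also runs after the match bytes have been written, so `flow->match` is left partially populated when -EOPNOTSUPP is returned. Moving the check to the top of __nft_cmp_offload, before any write to `flow->match`, keeps it a precondition and avoids a half-filled match should a caller ever continue after the error. The check also presumes the caller has already limited `priv->op` to NFT_CMP_EQ, which is not visible in this hunk; for NFT_CMP_NEQ, equal bytes would mean the rule matches every non-ethernet type. __nft_cmp_offload begins and ends outside the hunk.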
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 8fd21f436347..6fb6a6778e68 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -551,6 +551,10 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
 		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
 				  ingress_ifindex, sizeof(__u32), reg);
 		break;
+	case NFT_META_IIFTYPE:
+		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
+				  ingress_iftype, sizeof(__u16), reg);
+		break;
 	default:
 		return -EOPNOTSUPP;
 	}
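Review bot: The new NFT_META_IIFTYPE case emits a 2-byte META match that, per the commit message, no dissector populates, so on its own it offloads a key the hardware cannot evaluate; it is only sound together with the nft_cmp guard that restricts the compared value to ARPHRD_ETHER. A comment on the case would save the next reader from tracing that cross-file dependency, e.g. `/* Not dissected by skb_flow_dissect_meta(); nft_cmp only offloads this when the value is ARPHRD_ETHER. */`. The body of nft_meta_get_offload starts outside the hunk.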
-- 
2.11.0



* Re: [PATCH nf-next] netfilter: nf_tables_offload: allow ethernet interface type only
  2019-10-29 10:40 [PATCH nf-next] netfilter: nf_tables_offload: allow ethernet interface type only Pablo Neira Ayuso
@ 2019-10-29 17:10 ` Edward Cree
  2019-10-30  3:09 ` wenxu
  1 sibling, 0 replies; 3+ messages in thread
From: Edward Cree @ 2019-10-29 17:10 UTC (permalink / raw)
  To: Pablo Neira Ayuso, netfilter-devel; +Cc: jiri, netdev

On 29/10/2019 10:40, Pablo Neira Ayuso wrote:
> Hardware offload support at this stage assumes an ethernet device in
> place. The flow dissector provides the intermediate representation to
> express this selector, so extend it to allow to store the interface
> type. Flower does not uses this, so skb_flow_dissect_meta() is not
> extended to allow to match on this new field.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> @Jiri: flower ignores this when checking for the ingress device, probably
>        that should restricted there too?
>
>  include/net/flow_dissector.h | 2 ++
>  net/netfilter/nft_cmp.c      | 7 +++++++
>  net/netfilter/nft_meta.c     | 4 ++++
>  3 files changed, 13 insertions(+)
>
> diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h
> index 5cd12276ae21..7d804db85442 100644
> --- a/include/net/flow_dissector.h
> +++ b/include/net/flow_dissector.h
> @@ -204,9 +204,11 @@ struct flow_dissector_key_ip {
>  /**
>   * struct flow_dissector_key_meta:
>   * @ingress_ifindex: ingress ifindex
> + * @iiftype: interface type
>   */
>  struct flow_dissector_key_meta {
>  	int ingress_ifindex;
> +	u16 ingress_iftype;
>  };
Comment does not match code wrt name of this new member.


* Re: [PATCH nf-next] netfilter: nf_tables_offload: allow ethernet interface type only
  2019-10-29 10:40 [PATCH nf-next] netfilter: nf_tables_offload: allow ethernet interface type only Pablo Neira Ayuso
  2019-10-29 17:10 ` Edward Cree
@ 2019-10-30  3:09 ` wenxu
  1 sibling, 0 replies; 3+ messages in thread
From: wenxu @ 2019-10-30  3:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso, netfilter-devel; +Cc: jiri, netdev


On 10/29/2019 6:40 PM, Pablo Neira Ayuso wrote:
> @@ -113,6 +114,7 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
>  			     const struct nft_cmp_expr *priv)
>  {
>  	struct nft_offload_reg *reg = &ctx->regs[priv->sreg];
> +	static u16 iftype_ether = ARPHRD_ETHER;
>  	u8 *mask = (u8 *)&flow->match.mask;
>  	u8 *key = (u8 *)&flow->match.key;
>  
> @@ -125,6 +127,11 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
>  	flow->match.dissector.used_keys |= BIT(reg->key);
>  	flow->match.dissector.offset[reg->key] = reg->base_offset;
>  
> +	if (reg->key == FLOW_DISSECTOR_KEY_META &&
> +	    reg->offset == offsetof(struct nft_flow_key, meta.ingress_iftype) &&
> +	    memcmp(&priv->data, &iftype_ether, priv->len))
Maybe it is better to check the priv->len == sizeof(u16)?
> +		return -EOPNOTSUPP;
> +
>  	nft_offload_update_dependency(ctx, &priv->data, priv->len);
>  
>  	return 0;
> diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
> index 8fd21f436347..6fb6a6778e68 100644
> --- a/net/netfilter/nft_meta.c
> +++ b/net/netfilter/nft_meta.c
> @@ -551,6 +551,10 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
>  		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
>  				  ingress_ifindex, sizeof(__u32), reg);
>  		break;
> +	case NFT_META_IIFTYPE:
> +		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
> +				  ingress_iftype, sizeof(__u16), reg);
> +		break;
>  	default:
>  		return -EOPNOTSUPP;
>  	}

