* [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload
@ 2019-09-13 15:03 wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 1/8] netfilter: nft_tunnel: add nft_tunnel_mode_validate function wenxu
` (9 more replies)
0 siblings, 10 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
This series add NFT_TUNNEL_IP/6_SRC/DST match and tunnel expr offload.
Also add NFTA_TUNNEL_KEY_RELEASE actions adn objref, tunnel obj offload
This version just rebase to master for patch 7 and make sure
the new code doesn't go over the 80-chars per column boundary
wenxu (8):
netfilter: nft_tunnel: add nft_tunnel_mode_validate function
netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match
netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate
netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match
netfilter: nft_tunnel: support tunnel meta match offload
netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action
netfilter: nft_objref: add nft_objref_type offload
netfilter: nft_tunnel: support nft_tunnel_obj offload
include/net/netfilter/nf_tables.h | 4 +
include/net/netfilter/nf_tables_offload.h | 5 +
include/uapi/linux/netfilter/nf_tables.h | 5 +
net/netfilter/nft_objref.c | 14 +++
net/netfilter/nft_tunnel.c | 159 +++++++++++++++++++++++++++---
5 files changed, 174 insertions(+), 13 deletions(-)
--
1.8.3.1
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 1/8] netfilter: nft_tunnel: add nft_tunnel_mode_validate function
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
@ 2019-09-13 15:03 ` wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 2/8] netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match wenxu
` (8 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Move mode validate common code to nft_tunnel_mode_validate
function.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nft_tunnel.c | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 3d4c2ae..78b6e8f 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -18,6 +18,19 @@ struct nft_tunnel {
enum nft_tunnel_mode mode:8;
};
+static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
+ u8 tun_mode)
+{
+ if (priv_mode == NFT_TUNNEL_MODE_NONE ||
+ (priv_mode == NFT_TUNNEL_MODE_RX &&
+ !(tun_mode & IP_TUNNEL_INFO_TX)) ||
+ (priv_mode == NFT_TUNNEL_MODE_TX &&
+ (tun_mode & IP_TUNNEL_INFO_TX)))
+ return true;
+
+ return false;
+}
+
static void nft_tunnel_get_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
@@ -34,11 +47,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
nft_reg_store8(dest, false);
return;
}
- if (priv->mode == NFT_TUNNEL_MODE_NONE ||
- (priv->mode == NFT_TUNNEL_MODE_RX &&
- !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
- (priv->mode == NFT_TUNNEL_MODE_TX &&
- (tun_info->mode & IP_TUNNEL_INFO_TX)))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
nft_reg_store8(dest, true);
else
nft_reg_store8(dest, false);
@@ -48,11 +57,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
return;
}
- if (priv->mode == NFT_TUNNEL_MODE_NONE ||
- (priv->mode == NFT_TUNNEL_MODE_RX &&
- !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
- (priv->mode == NFT_TUNNEL_MODE_TX &&
- (tun_info->mode & IP_TUNNEL_INFO_TX)))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
else
regs->verdict.code = NFT_BREAK;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 2/8] netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 1/8] netfilter: nft_tunnel: add nft_tunnel_mode_validate function wenxu
@ 2019-09-13 15:03 ` wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 3/8] netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate wenxu
` (7 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add new two NFT_TUNNEL_IP_SRC/DST match in nft_tunnel
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_tunnel.c | 22 ++++++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index ed8881a..d459f49 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1773,6 +1773,8 @@ enum nft_tunnel_key_attributes {
enum nft_tunnel_keys {
NFT_TUNNEL_PATH,
NFT_TUNNEL_ID,
+ NFT_TUNNEL_IP_SRC,
+ NFT_TUNNEL_IP_DST,
__NFT_TUNNEL_MAX
};
#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 78b6e8f..9a55546 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -62,6 +62,26 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
else
regs->verdict.code = NFT_BREAK;
break;
+ case NFT_TUNNEL_IP_SRC:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ *dest = tun_info->key.u.ipv4.src;
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
+ case NFT_TUNNEL_IP_DST:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ *dest = tun_info->key.u.ipv4.dst;
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
default:
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
@@ -91,6 +111,8 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
len = sizeof(u8);
break;
case NFT_TUNNEL_ID:
+ case NFT_TUNNEL_IP_SRC:
+ case NFT_TUNNEL_IP_DST:
len = sizeof(u32);
break;
default:
--
1.8.3.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 3/8] netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 1/8] netfilter: nft_tunnel: add nft_tunnel_mode_validate function wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 2/8] netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match wenxu
@ 2019-09-13 15:03 ` wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 4/8] netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match wenxu
` (6 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add ipv6 tunnel check in nft_tunnel_mode_validate.
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nft_tunnel.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 9a55546..3ca7d80 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -18,9 +18,19 @@ struct nft_tunnel {
enum nft_tunnel_mode mode:8;
};
+enum nft_inet_type {
+ NFT_INET_NONE_TYPE,
+ NFT_INET_IP_TYPE,
+ NFT_INET_IP6_TYPE,
+};
+
static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
- u8 tun_mode)
+ u8 tun_mode, enum nft_inet_type type)
{
+ if ((type == NFT_INET_IP6_TYPE && !(tun_mode & IP_TUNNEL_INFO_IPV6)) ||
+ (type == NFT_INET_IP_TYPE && (tun_mode & IP_TUNNEL_INFO_IPV6)))
+ return false;
+
if (priv_mode == NFT_TUNNEL_MODE_NONE ||
(priv_mode == NFT_TUNNEL_MODE_RX &&
!(tun_mode & IP_TUNNEL_INFO_TX)) ||
@@ -47,7 +57,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
nft_reg_store8(dest, false);
return;
}
- if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_NONE_TYPE))
nft_reg_store8(dest, true);
else
nft_reg_store8(dest, false);
@@ -57,7 +68,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
return;
}
- if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_NONE_TYPE))
*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
else
regs->verdict.code = NFT_BREAK;
@@ -67,7 +79,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
return;
}
- if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_IP_TYPE))
*dest = tun_info->key.u.ipv4.src;
else
regs->verdict.code = NFT_BREAK;
@@ -77,7 +90,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
regs->verdict.code = NFT_BREAK;
return;
}
- if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_IP_TYPE))
*dest = tun_info->key.u.ipv4.dst;
else
regs->verdict.code = NFT_BREAK;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 4/8] netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
` (2 preceding siblings ...)
2019-09-13 15:03 ` [PATCH nf-next v6 3/8] netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate wenxu
@ 2019-09-13 15:03 ` wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 5/8] netfilter: nft_tunnel: support tunnel meta match offload wenxu
` (5 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add new two NFT_TUNNEL_IP6_SRC/DST match in nft_tunnel
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_tunnel.c | 28 ++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index d459f49..da9b1d1 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1775,6 +1775,8 @@ enum nft_tunnel_keys {
NFT_TUNNEL_ID,
NFT_TUNNEL_IP_SRC,
NFT_TUNNEL_IP_DST,
+ NFT_TUNNEL_IP6_SRC,
+ NFT_TUNNEL_IP6_DST,
__NFT_TUNNEL_MAX
};
#define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 3ca7d80..f128b28 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -96,6 +96,30 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
else
regs->verdict.code = NFT_BREAK;
break;
+ case NFT_TUNNEL_IP6_SRC:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_IP6_TYPE))
+ memcpy(dest, &tun_info->key.u.ipv6.src,
+ sizeof(struct in6_addr));
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
+ case NFT_TUNNEL_IP6_DST:
+ if (!tun_info) {
+ regs->verdict.code = NFT_BREAK;
+ return;
+ }
+ if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+ NFT_INET_IP6_TYPE))
+ memcpy(dest, &tun_info->key.u.ipv6.dst,
+ sizeof(struct in6_addr));
+ else
+ regs->verdict.code = NFT_BREAK;
+ break;
default:
WARN_ON(1);
regs->verdict.code = NFT_BREAK;
@@ -129,6 +153,10 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
case NFT_TUNNEL_IP_DST:
len = sizeof(u32);
break;
+ case NFT_TUNNEL_IP6_SRC:
+ case NFT_TUNNEL_IP6_DST:
+ len = sizeof(struct in6_addr);
+ break;
default:
return -EOPNOTSUPP;
}
--
1.8.3.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 5/8] netfilter: nft_tunnel: support tunnel meta match offload
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
` (3 preceding siblings ...)
2019-09-13 15:03 ` [PATCH nf-next v6 4/8] netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match wenxu
@ 2019-09-13 15:03 ` wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 6/8] netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action wenxu
` (4 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add tunnel meta match offload. Currently support for NFT_TUNNEL_ID
NFT_TUNNEL_SRC_IP and NFT_TUNNEL_DST_IP
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
include/net/netfilter/nf_tables_offload.h | 5 ++++
net/netfilter/nft_tunnel.c | 41 +++++++++++++++++++++++++++++++
2 files changed, 46 insertions(+)
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index ddd048b..a07e18b 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -45,6 +45,11 @@ struct nft_flow_key {
struct flow_dissector_key_ip ip;
struct flow_dissector_key_vlan vlan;
struct flow_dissector_key_eth_addrs eth_addrs;
+ struct flow_dissector_key_keyid enc_key_id;
+ union {
+ struct flow_dissector_key_ipv4_addrs enc_ipv4;
+ struct flow_dissector_key_ipv6_addrs enc_ipv6;
+ };
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
struct nft_flow_match {
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index f128b28..68ca894 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -11,6 +11,7 @@
#include <net/ip_tunnels.h>
#include <net/vxlan.h>
#include <net/erspan.h>
+#include <net/netfilter/nf_tables_offload.h>
struct nft_tunnel {
enum nft_tunnel_keys key:8;
@@ -192,6 +193,45 @@ static int nft_tunnel_get_dump(struct sk_buff *skb,
return -1;
}
+static int nft_tunnel_get_offload(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow,
+ const struct nft_expr *expr)
+{
+ const struct nft_tunnel *priv = nft_expr_priv(expr);
+ struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
+
+ if (priv->mode == NFT_TUNNEL_MODE_TX)
+ return -EOPNOTSUPP;
+
+ switch (priv->key) {
+ case NFT_TUNNEL_ID:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_KEYID, enc_key_id,
+ keyid, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IP_SRC:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4,
+ src, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IP_DST:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4,
+ dst, sizeof(__u32), reg);
+ break;
+ case NFT_TUNNEL_IP6_SRC:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6,
+ src, sizeof(struct in6_addr), reg);
+ break;
+ case NFT_TUNNEL_IP6_DST:
+ NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6,
+ dst, sizeof(struct in6_addr), reg);
+ break;
+ case NFT_TUNNEL_PATH:
+ default:
+ return -EOPNOTSUPP;
+ }
+
+ return 0;
+}
+
static struct nft_expr_type nft_tunnel_type;
static const struct nft_expr_ops nft_tunnel_get_ops = {
.type = &nft_tunnel_type,
@@ -199,6 +239,7 @@ static int nft_tunnel_get_dump(struct sk_buff *skb,
.eval = nft_tunnel_get_eval,
.init = nft_tunnel_get_init,
.dump = nft_tunnel_get_dump,
+ .offload = nft_tunnel_get_offload,
};
static struct nft_expr_type nft_tunnel_type __read_mostly = {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 6/8] netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
` (4 preceding siblings ...)
2019-09-13 15:03 ` [PATCH nf-next v6 5/8] netfilter: nft_tunnel: support tunnel meta match offload wenxu
@ 2019-09-13 15:03 ` wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 7/8] netfilter: nft_objref: add nft_objref_type offload wenxu
` (3 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add new NFTA_TUNNEL_KEY_RELEASE action for future offload
feature
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
include/uapi/linux/netfilter/nf_tables.h | 1 +
net/netfilter/nft_tunnel.c | 24 +++++++++++++++++++++---
2 files changed, 22 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index da9b1d1..0e24c27 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1766,6 +1766,7 @@ enum nft_tunnel_key_attributes {
NFTA_TUNNEL_KEY_SPORT,
NFTA_TUNNEL_KEY_DPORT,
NFTA_TUNNEL_KEY_OPTS,
+ NFTA_TUNNEL_KEY_RELEASE,
__NFTA_TUNNEL_KEY_MAX
};
#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 68ca894..15d5dc9 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -262,6 +262,7 @@ struct nft_tunnel_opts {
struct nft_tunnel_obj {
struct metadata_dst *md;
struct nft_tunnel_opts opts;
+ bool tunnel_key_release;
};
static const struct nla_policy nft_tunnel_ip_policy[NFTA_TUNNEL_KEY_IP_MAX + 1] = {
@@ -446,6 +447,7 @@ static int nft_tunnel_obj_opts_init(const struct nft_ctx *ctx,
[NFTA_TUNNEL_KEY_TOS] = { .type = NLA_U8, },
[NFTA_TUNNEL_KEY_TTL] = { .type = NLA_U8, },
[NFTA_TUNNEL_KEY_OPTS] = { .type = NLA_NESTED, },
+ [NFTA_TUNNEL_KEY_RELEASE] = { .type = NLA_U8, },
};
static int nft_tunnel_obj_init(const struct nft_ctx *ctx,
@@ -457,6 +459,12 @@ static int nft_tunnel_obj_init(const struct nft_ctx *ctx,
struct metadata_dst *md;
int err;
+ if (tb[NFTA_TUNNEL_KEY_RELEASE] &&
+ nla_get_u8(tb[NFTA_TUNNEL_KEY_RELEASE])) {
+ priv->tunnel_key_release = true;
+ return 0;
+ }
+
if (!tb[NFTA_TUNNEL_KEY_ID])
return -EINVAL;
@@ -539,8 +547,11 @@ static inline void nft_tunnel_obj_eval(struct nft_object *obj,
struct sk_buff *skb = pkt->skb;
skb_dst_drop(skb);
- dst_hold((struct dst_entry *) priv->md);
- skb_dst_set(skb, (struct dst_entry *) priv->md);
+
+ if (!priv->tunnel_key_release) {
+ dst_hold((struct dst_entry *)priv->md);
+ skb_dst_set(skb, (struct dst_entry *)priv->md);
+ }
}
static int nft_tunnel_ip_dump(struct sk_buff *skb, struct ip_tunnel_info *info)
@@ -642,6 +653,12 @@ static int nft_tunnel_obj_dump(struct sk_buff *skb,
struct nft_tunnel_obj *priv = nft_obj_data(obj);
struct ip_tunnel_info *info = &priv->md->u.tun_info;
+ if (priv->tunnel_key_release) {
+ if (nla_put_u8(skb, NFTA_TUNNEL_KEY_RELEASE, 1))
+ goto nla_put_failure;
+ return 0;
+ }
+
if (nla_put_be32(skb, NFTA_TUNNEL_KEY_ID,
tunnel_id_to_key32(info->key.tun_id)) ||
nft_tunnel_ip_dump(skb, info) < 0 ||
@@ -663,7 +680,8 @@ static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx,
{
struct nft_tunnel_obj *priv = nft_obj_data(obj);
- metadata_dst_free(priv->md);
+ if (!priv->tunnel_key_release)
+ metadata_dst_free(priv->md);
}
static struct nft_object_type nft_tunnel_obj_type;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 7/8] netfilter: nft_objref: add nft_objref_type offload
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
` (5 preceding siblings ...)
2019-09-13 15:03 ` [PATCH nf-next v6 6/8] netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action wenxu
@ 2019-09-13 15:03 ` wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 8/8] netfilter: nft_tunnel: support nft_tunnel_obj offload wenxu
` (2 subsequent siblings)
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
support offload for nft_objref_type
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
include/net/netfilter/nf_tables.h | 4 ++++
net/netfilter/nft_objref.c | 14 ++++++++++++++
2 files changed, 18 insertions(+)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 3d9e66a..498f662 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1128,6 +1128,7 @@ struct nft_object_type {
* @destroy: release existing stateful object
* @dump: netlink dump stateful object
* @update: update stateful object
+ * @update: offload stateful object
*/
struct nft_object_ops {
void (*eval)(struct nft_object *obj,
@@ -1144,6 +1145,9 @@ struct nft_object_ops {
bool reset);
void (*update)(struct nft_object *obj,
struct nft_object *newobj);
+ int (*offload)(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow,
+ struct nft_object *obj);
const struct nft_object_type *type;
};
diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c
index bfd18d2..4a70972 100644
--- a/net/netfilter/nft_objref.c
+++ b/net/netfilter/nft_objref.c
@@ -10,6 +10,7 @@
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables_offload.h>
#define nft_objref_priv(expr) *((struct nft_object **)nft_expr_priv(expr))
@@ -82,6 +83,18 @@ static void nft_objref_activate(const struct nft_ctx *ctx,
obj->use++;
}
+static int nft_objref_offload(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow,
+ const struct nft_expr *expr)
+{
+ struct nft_object *obj = nft_objref_priv(expr);
+
+ if (obj->ops->offload)
+ return obj->ops->offload(ctx, flow, obj);
+ else
+ return -EOPNOTSUPP;
+}
+
static struct nft_expr_type nft_objref_type;
static const struct nft_expr_ops nft_objref_ops = {
.type = &nft_objref_type,
@@ -91,6 +104,7 @@ static void nft_objref_activate(const struct nft_ctx *ctx,
.activate = nft_objref_activate,
.deactivate = nft_objref_deactivate,
.dump = nft_objref_dump,
+ .offload = nft_objref_offload,
};
struct nft_objref_map {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 8/8] netfilter: nft_tunnel: support nft_tunnel_obj offload
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
` (6 preceding siblings ...)
2019-09-13 15:03 ` [PATCH nf-next v6 7/8] netfilter: nft_objref: add nft_objref_type offload wenxu
@ 2019-09-13 15:03 ` wenxu
2019-09-18 8:02 ` [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
2019-10-24 9:40 ` wenxu
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-09-13 15:03 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
Add nft_tunnel_obj offload for both encap and decap actions
Signed-off-by: wenxu <wenxu@ucloud.cn>
---
net/netfilter/nft_tunnel.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 15d5dc9..cee8831 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -684,6 +684,25 @@ static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx,
metadata_dst_free(priv->md);
}
+static int nft_tunnel_obj_offload(struct nft_offload_ctx *ctx,
+ struct nft_flow_rule *flow,
+ struct nft_object *obj)
+{
+ struct nft_tunnel_obj *priv = nft_obj_data(obj);
+ struct flow_action_entry *entry;
+
+ entry = &flow->rule->action.entries[ctx->num_actions++];
+
+ if (!priv->tunnel_key_release) {
+ entry->id = FLOW_ACTION_TUNNEL_ENCAP;
+ entry->tunnel = &priv->md->u.tun_info;
+ } else {
+ entry->id = FLOW_ACTION_TUNNEL_DECAP;
+ }
+
+ return 0;
+}
+
static struct nft_object_type nft_tunnel_obj_type;
static const struct nft_object_ops nft_tunnel_obj_ops = {
.type = &nft_tunnel_obj_type,
@@ -692,6 +711,7 @@ static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx,
.init = nft_tunnel_obj_init,
.destroy = nft_tunnel_obj_destroy,
.dump = nft_tunnel_obj_dump,
+ .offload = nft_tunnel_obj_offload,
};
static struct nft_object_type nft_tunnel_obj_type __read_mostly = {
--
1.8.3.1
^ permalink raw reply related [flat|nested] 15+ messages in thread
* Re: [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
` (7 preceding siblings ...)
2019-09-13 15:03 ` [PATCH nf-next v6 8/8] netfilter: nft_tunnel: support nft_tunnel_obj offload wenxu
@ 2019-09-18 8:02 ` wenxu
2019-09-19 9:15 ` Pablo Neira Ayuso
2019-10-24 9:40 ` wenxu
9 siblings, 1 reply; 15+ messages in thread
From: wenxu @ 2019-09-18 8:02 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
Hi pablo,
Any comments for this series?
BR
wenxu
在 2019/9/13 23:03, wenxu@ucloud.cn 写道:
> From: wenxu <wenxu@ucloud.cn>
>
> This series add NFT_TUNNEL_IP/6_SRC/DST match and tunnel expr offload.
> Also add NFTA_TUNNEL_KEY_RELEASE actions adn objref, tunnel obj offload
>
> This version just rebase to master for patch 7 and make sure
> the new code doesn't go over the 80-chars per column boundary
>
> wenxu (8):
> netfilter: nft_tunnel: add nft_tunnel_mode_validate function
> netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match
> netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate
> netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match
> netfilter: nft_tunnel: support tunnel meta match offload
> netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action
> netfilter: nft_objref: add nft_objref_type offload
> netfilter: nft_tunnel: support nft_tunnel_obj offload
>
> include/net/netfilter/nf_tables.h | 4 +
> include/net/netfilter/nf_tables_offload.h | 5 +
> include/uapi/linux/netfilter/nf_tables.h | 5 +
> net/netfilter/nft_objref.c | 14 +++
> net/netfilter/nft_tunnel.c | 159 +++++++++++++++++++++++++++---
> 5 files changed, 174 insertions(+), 13 deletions(-)
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload
2019-09-18 8:02 ` [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
@ 2019-09-19 9:15 ` Pablo Neira Ayuso
2019-10-08 5:41 ` wenxu
0 siblings, 1 reply; 15+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-19 9:15 UTC (permalink / raw)
To: wenxu; +Cc: netfilter-devel
On Wed, Sep 18, 2019 at 04:02:51PM +0800, wenxu wrote:
> Hi pablo,
>
> Any comments for this series?
Merge window is closed since Sunday. Last pull request was sent last
friday. Will get back to this one merge window reopens. Sorry.
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload
2019-09-19 9:15 ` Pablo Neira Ayuso
@ 2019-10-08 5:41 ` wenxu
0 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-10-08 5:41 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel
On 9/19/2019 5:15 PM, Pablo Neira Ayuso wrote:
> On Wed, Sep 18, 2019 at 04:02:51PM +0800, wenxu wrote:
>> Hi pablo,
>>
>> Any comments for this series?
> Merge window is closed since Sunday. Last pull request was sent last
> friday. Will get back to this one merge window reopens. Sorry.
Pablo, any comments for this one? Thx.
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
` (8 preceding siblings ...)
2019-09-18 8:02 ` [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
@ 2019-10-24 9:40 ` wenxu
9 siblings, 0 replies; 15+ messages in thread
From: wenxu @ 2019-10-24 9:40 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
please drop this series. NFTA_TUNNEL_KEY_RELEASE patch don't need after the encap/decap infra add in.
I will repost the tunnel match expr offload patches separetely
Thx!
On 9/13/2019 11:03 PM, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> This series add NFT_TUNNEL_IP/6_SRC/DST match and tunnel expr offload.
> Also add NFTA_TUNNEL_KEY_RELEASE actions adn objref, tunnel obj offload
>
> This version just rebase to master for patch 7 and make sure
> the new code doesn't go over the 80-chars per column boundary
>
> wenxu (8):
> netfilter: nft_tunnel: add nft_tunnel_mode_validate function
> netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match
> netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate
> netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match
> netfilter: nft_tunnel: support tunnel meta match offload
> netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action
> netfilter: nft_objref: add nft_objref_type offload
> netfilter: nft_tunnel: support nft_tunnel_obj offload
>
> include/net/netfilter/nf_tables.h | 4 +
> include/net/netfilter/nf_tables_offload.h | 5 +
> include/uapi/linux/netfilter/nf_tables.h | 5 +
> net/netfilter/nft_objref.c | 14 +++
> net/netfilter/nft_tunnel.c | 159 +++++++++++++++++++++++++++---
> 5 files changed, 174 insertions(+), 13 deletions(-)
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* Re: [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload
2019-09-08 14:22 wenxu
@ 2019-09-08 16:01 ` Pablo Neira Ayuso
0 siblings, 0 replies; 15+ messages in thread
From: Pablo Neira Ayuso @ 2019-09-08 16:01 UTC (permalink / raw)
To: wenxu; +Cc: netfilter-devel
Only one series at a time, sorry.
On Sun, Sep 08, 2019 at 10:22:00PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
>
> This series add NFT_TUNNEL_IP/6_SRC/DST match and tunnel expr offload.
> Also add NFTA_TUNNEL_KEY_RELEASE actions adn objref, tunnel obj offload
>
> This version just rebase to master for patch 7
>
> wenxu (8):
> netfilter: nft_tunnel: add nft_tunnel_mode_validate function
> netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match
> netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate
> netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match
> netfilter: nft_tunnel: support tunnel meta match offload
> netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action
> netfilter: nft_objref: add nft_objref_type offload
> netfilter: nft_tunnel: support nft_tunnel_obj offload
>
> include/net/netfilter/nf_tables.h | 4 +
> include/net/netfilter/nf_tables_offload.h | 5 +
> include/uapi/linux/netfilter/nf_tables.h | 5 +
> net/netfilter/nft_objref.c | 14 +++
> net/netfilter/nft_tunnel.c | 159 +++++++++++++++++++++++++++---
> 5 files changed, 174 insertions(+), 13 deletions(-)
>
> --
> 1.8.3.1
>
^ permalink raw reply [flat|nested] 15+ messages in thread
* [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload
@ 2019-09-08 14:22 wenxu
2019-09-08 16:01 ` Pablo Neira Ayuso
0 siblings, 1 reply; 15+ messages in thread
From: wenxu @ 2019-09-08 14:22 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel
From: wenxu <wenxu@ucloud.cn>
This series add NFT_TUNNEL_IP/6_SRC/DST match and tunnel expr offload.
Also add NFTA_TUNNEL_KEY_RELEASE actions adn objref, tunnel obj offload
This version just rebase to master for patch 7
wenxu (8):
netfilter: nft_tunnel: add nft_tunnel_mode_validate function
netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match
netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate
netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match
netfilter: nft_tunnel: support tunnel meta match offload
netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action
netfilter: nft_objref: add nft_objref_type offload
netfilter: nft_tunnel: support nft_tunnel_obj offload
include/net/netfilter/nf_tables.h | 4 +
include/net/netfilter/nf_tables_offload.h | 5 +
include/uapi/linux/netfilter/nf_tables.h | 5 +
net/netfilter/nft_objref.c | 14 +++
net/netfilter/nft_tunnel.c | 159 +++++++++++++++++++++++++++---
5 files changed, 174 insertions(+), 13 deletions(-)
--
1.8.3.1
^ permalink raw reply [flat|nested] 15+ messages in thread
end of thread, other threads:[~2019-10-24 9:40 UTC | newest]
Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-09-13 15:03 [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 1/8] netfilter: nft_tunnel: add nft_tunnel_mode_validate function wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 2/8] netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 3/8] netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 4/8] netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 5/8] netfilter: nft_tunnel: support tunnel meta match offload wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 6/8] netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 7/8] netfilter: nft_objref: add nft_objref_type offload wenxu
2019-09-13 15:03 ` [PATCH nf-next v6 8/8] netfilter: nft_tunnel: support nft_tunnel_obj offload wenxu
2019-09-18 8:02 ` [PATCH nf-next v6 0/8] netfilter: nf_tables_offload: support tunnel offload wenxu
2019-09-19 9:15 ` Pablo Neira Ayuso
2019-10-08 5:41 ` wenxu
2019-10-24 9:40 ` wenxu
-- strict thread matches above, loose matches on Subject: below --
2019-09-08 14:22 wenxu
2019-09-08 16:01 ` Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).