Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/1.2/patches/833929/?format=api
{ "id": 833929, "url": "http://patchwork.ozlabs.org/api/1.2/patches/833929/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/20171103152636.9967-3-pablo@netfilter.org/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/1.2/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20171103152636.9967-3-pablo@netfilter.org>", "list_archive_url": null, "date": "2017-11-03T15:26:33", "name": "[RFC,WIP,2/5] netfilter: add software flow offload infrastructure", "commit_ref": null, "pull_url": null, "state": "rfc", "archived": true, "hash": "27f51a03f0766820b300121d72476349c6f1d7cb", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/1.2/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/1.2/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/20171103152636.9967-3-pablo@netfilter.org/mbox/", "series": [ { "id": 11752, "url": "http://patchwork.ozlabs.org/api/1.2/series/11752/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=11752", "date": "2017-11-03T15:26:31", "name": "Flow offload infrastructure", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/11752/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/833929/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/833929/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", "Delivered-To": "patchwork-incoming@ozlabs.org", "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3yT5R333DPz9ryT\n\tfor <patchwork-incoming@ozlabs.org>;\n\tSat, 4 Nov 2017 02:26:55 +1100 (AEDT)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1755900AbdKCP0v (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 3 Nov 2017 11:26:51 -0400", "from mail.us.es ([193.147.175.20]:43324 \"EHLO mail.us.es\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1755859AbdKCP0s (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tFri, 3 Nov 2017 11:26:48 -0400", "from antivirus1-rhel7.int (unknown [192.168.2.11])\n\tby mail.us.es (Postfix) with ESMTP id C21E8C0B26\n\tfor <netdev@vger.kernel.org>; Fri, 3 Nov 2017 16:26:46 +0100 (CET)", "from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id AE881B7FE9\n\tfor <netdev@vger.kernel.org>; Fri, 3 Nov 2017 16:26:46 +0100 (CET)", "by antivirus1-rhel7.int (Postfix, from userid 99)\n\tid A44DBB7FE8; Fri, 3 Nov 2017 16:26:46 +0100 (CET)", "from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id C89C6B7FE3;\n\tFri, 3 Nov 2017 16:26:43 +0100 (CET)", "from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int\n\t(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); \n\tFri, 03 Nov 2017 16:26:43 +0100 (CET)", "from salvia.here (unknown [31.4.245.115])\n\t(Authenticated sender: pneira@us.es)\n\tby entrada.int (Postfix) with ESMTPA id 8EBE5403DFA0;\n\tFri, 3 Nov 2017 16:26:43 +0100 (CET)" ], "X-Spam-Checker-Version": "SpamAssassin 3.4.1 (2015-04-28) on\n\tantivirus1-rhel7.int", "X-Spam-Level": "", "X-Spam-Status": "No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50,\n\tSMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled version=3.4.1", "X-Virus-Status": "clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int)", "X-SMTPAUTHUS": "auth mail.us.es", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "netdev@vger.kernel.org", "Subject": "[PATCH RFC,\n\tWIP 2/5] netfilter: add software flow offload infrastructure", "Date": "Fri, 3 Nov 2017 16:26:33 +0100", "Message-Id": "<20171103152636.9967-3-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.11.0", "In-Reply-To": "<20171103152636.9967-1-pablo@netfilter.org>", "References": "<20171103152636.9967-1-pablo@netfilter.org>", "X-Virus-Scanned": "ClamAV using ClamSMTP", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "This patch adds the generic software flow offload infrastructure. This\nallows users to configure fast path for established flows that will not\nfollow the classic forwarding path.\n\nThis adds a new hook at netfilter ingress for each existing interface.\nFor each packet that hits the hook, we look up for an existing flow in\nthe table, if there is a hit, the packet is forwarded by using the\ngateway and interfaces that are cached in the flow table entry.\n\nThis comes with a kernel thread to release flow table entries if no\npackets are seen after a little while, so the flow table entry is\nreleased.\n\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n include/net/flow_offload.h | 67 +++++++\n net/netfilter/Kconfig | 7 +\n net/netfilter/Makefile | 3 +\n net/netfilter/nf_flow_offload.c | 386 ++++++++++++++++++++++++++++++++++++++++\n 4 files changed, 463 insertions(+)\n create mode 100644 include/net/flow_offload.h\n create mode 100644 net/netfilter/nf_flow_offload.c", "diff": "diff --git a/include/net/flow_offload.h b/include/net/flow_offload.h\nnew file mode 100644\nindex 000000000000..30bfca7ed3f1\n--- /dev/null\n+++ b/include/net/flow_offload.h\n@@ -0,0 +1,67 @@\n+#ifndef _FLOW_OFFLOAD_H\n+#define _FLOW_OFFLOAD_H\n+\n+#include <linux/in.h>\n+#include <linux/in6.h>\n+#include <linux/netdevice.h>\n+#include <linux/rhashtable.h>\n+#include <linux/rcupdate.h>\n+\n+enum flow_offload_tuple_dir {\n+\tFLOW_OFFLOAD_DIR_ORIGINAL,\n+\tFLOW_OFFLOAD_DIR_REPLY,\n+\t__FLOW_OFFLOAD_DIR_MAX\t\t= FLOW_OFFLOAD_DIR_REPLY,\n+};\n+#define FLOW_OFFLOAD_DIR_MAX\t(__FLOW_OFFLOAD_DIR_MAX + 1)\n+\n+struct flow_offload_tuple {\n+\tunion {\n+\t\tstruct in_addr\t\tsrc_v4;\n+\t\tstruct in6_addr\t\tsrc_v6;\n+\t};\n+\tunion {\n+\t\tstruct in_addr\t\tdst_v4;\n+\t\tstruct in6_addr\t\tdst_v6;\n+\t};\n+\tstruct {\n+\t\t__be16\t\t\tsrc_port;\n+\t\t__be16\t\t\tdst_port;\n+\t};\n+\n+\tu8\t\t\t\tl3proto;\n+\tu8\t\t\t\tl4proto;\n+\tu8\t\t\t\tdir;\n+\n+\tint\t\t\t\tiifidx;\n+\tint\t\t\t\toifidx;\n+\n+\tunion {\n+\t\t__be32\t\t\tgateway;\n+\t\tstruct in6_addr\t\tgateway6;\n+\t};\n+};\n+\n+struct flow_offload_tuple_rhash {\n+\tstruct rhash_head\t\tnode;\n+\tstruct flow_offload_tuple\ttuple;\n+};\n+\n+#define\tFLOW_OFFLOAD_SNAT\t0x1\n+#define\tFLOW_OFFLOAD_DNAT\t0x2\n+#define\tFLOW_OFFLOAD_HW\t\t0x4\n+\n+struct flow_offload {\n+\tstruct flow_offload_tuple_rhash\t\ttuplehash[FLOW_OFFLOAD_DIR_MAX];\n+\tu32\t\t\t\t\tflags;\n+\tunion {\n+\t\t/* Your private driver data here. */\n+\t\tu32\t\ttimeout;\n+\t};\n+\tstruct rcu_head\t\t\t\trcu_head;\n+};\n+\n+int flow_offload_add(struct flow_offload *flow);\n+void flow_offload_del(struct flow_offload *flow);\n+struct flow_offload_tuple_rhash *flow_offload_lookup(struct flow_offload_tuple *tuple);\n+\n+#endif /* _FLOW_OFFLOAD_H */\ndiff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig\nindex e4a13cc8a2e7..f022ca91f49d 100644\n--- a/net/netfilter/Kconfig\n+++ b/net/netfilter/Kconfig\n@@ -436,6 +436,13 @@ config NETFILTER_SYNPROXY\n \n endif # NF_CONNTRACK\n \n+config NF_FLOW_OFFLOAD\n+\ttristate \"Netfilter Generic Flow Offload (GFO) module\"\n+\thelp\n+\t This option adds the flow table core infrastructure.\n+\n+\t To compile it as a module, choose M here.\n+\n config NF_TABLES\n \tselect NETFILTER_NETLINK\n \ttristate \"Netfilter nf_tables support\"\ndiff --git a/net/netfilter/Makefile b/net/netfilter/Makefile\nindex d3891c93edd6..518f54113e06 100644\n--- a/net/netfilter/Makefile\n+++ b/net/netfilter/Makefile\n@@ -69,6 +69,9 @@ obj-$(CONFIG_NETFILTER_SYNPROXY) += nf_synproxy_core.o\n # generic packet duplication from netdev family\n obj-$(CONFIG_NF_DUP_NETDEV)\t+= nf_dup_netdev.o\n \n+# generic flow table\n+obj-$(CONFIG_NF_FLOW_OFFLOAD)+= nf_flow_offload.o\n+\n # nf_tables\n nf_tables-objs := nf_tables_core.o nf_tables_api.o nf_tables_trace.o \\\n \t\t nft_immediate.o nft_cmp.o nft_range.o nft_bitwise.o \\\ndiff --git a/net/netfilter/nf_flow_offload.c b/net/netfilter/nf_flow_offload.c\nnew file mode 100644\nindex 000000000000..c967b29d11a6\n--- /dev/null\n+++ b/net/netfilter/nf_flow_offload.c\n@@ -0,0 +1,386 @@\n+#include <linux/kernel.h>\n+#include <linux/init.h>\n+#include <linux/module.h>\n+#include <linux/netfilter.h>\n+#include <linux/rhashtable.h>\n+#include <linux/ip.h>\n+#include <linux/netdevice.h>\n+#include <net/ip.h>\n+#include <net/neighbour.h>\n+#include <net/flow_offload.h>\n+/* For layer 4 checksum field offset. */\n+#include <linux/tcp.h>\n+#include <linux/udp.h>\n+#include <linux/icmpv6.h>\n+\n+static struct rhashtable flow_table;\n+\n+static u32 flow_offload_hash(const void *data, u32 len, u32 seed)\n+{\n+\tconst struct flow_offload_tuple *tuple = data;\n+\n+\treturn jhash(tuple, offsetof(struct flow_offload_tuple, l4proto), seed);\n+}\n+\n+static u32 flow_offload_hash_obj(const void *data, u32 len, u32 seed)\n+{\n+\tconst struct flow_offload_tuple_rhash *tuplehash = data;\n+\n+\treturn jhash(&tuplehash->tuple, offsetof(struct flow_offload_tuple, l4proto), seed);\n+}\n+\n+static int flow_offload_hash_cmp(struct rhashtable_compare_arg *arg,\n+\t\t\t\t\tconst void *ptr)\n+{\n+\tconst struct flow_offload_tuple_rhash *x = ptr;\n+\tconst struct flow_offload_tuple *tuple = arg->key;\n+\n+\tif (memcmp(&x->tuple, tuple, offsetof(struct flow_offload_tuple, l4proto)))\n+\t\treturn 1;\n+\n+\treturn 0;\n+}\n+\n+static const struct rhashtable_params flow_offload_rhash_params = {\n+\t.head_offset\t\t= offsetof(struct flow_offload_tuple_rhash, node),\n+\t.hashfn\t\t\t= flow_offload_hash,\n+\t.obj_hashfn\t\t= flow_offload_hash_obj,\n+\t.obj_cmpfn\t\t= flow_offload_hash_cmp,\n+\t.automatic_shrinking\t= true,\n+};\n+\n+#define NF_FLOW_LIFETIME\t15\n+\n+int flow_offload_add(struct flow_offload *flow)\n+{\n+\tflow->timeout = (u32)jiffies;\n+\n+\trhashtable_insert_fast(&flow_table, &flow->tuplehash[0].node,\n+\t\t\t flow_offload_rhash_params);\n+\trhashtable_insert_fast(&flow_table, &flow->tuplehash[1].node,\n+\t\t\t flow_offload_rhash_params);\n+\treturn 0;\n+}\n+EXPORT_SYMBOL_GPL(flow_offload_add);\n+\n+void flow_offload_del(struct flow_offload *flow)\n+{\n+\trhashtable_remove_fast(&flow_table, &flow->tuplehash[0].node,\n+\t\t\t flow_offload_rhash_params);\n+\trhashtable_remove_fast(&flow_table, &flow->tuplehash[1].node,\n+\t\t\t flow_offload_rhash_params);\n+\tkfree_rcu(flow, rcu_head);\n+}\n+EXPORT_SYMBOL_GPL(flow_offload_del);\n+\n+struct flow_offload_tuple_rhash *\n+flow_offload_lookup(struct flow_offload_tuple *tuple)\n+{\n+\treturn rhashtable_lookup_fast(&flow_table, tuple,\n+\t\t\t\t flow_offload_rhash_params);\n+}\n+EXPORT_SYMBOL_GPL(flow_offload_lookup);\n+\n+static void nf_flow_offload_work_gc(struct work_struct *work);\n+\n+static DECLARE_DEFERRABLE_WORK(nf_flow_offload_gc,\n+\t\t\t nf_flow_offload_work_gc);\n+\n+static inline bool nf_flow_has_expired(const struct flow_offload *flow)\n+{\n+\treturn (__s32)(flow->timeout - (u32)jiffies) <= 0;\n+}\n+\n+static void nf_flow_offload_work_gc(struct work_struct *work)\n+{\n+\tstruct flow_offload_tuple_rhash *tuplehash;\n+\tstruct rhashtable_iter hti;\n+\tstruct flow_offload *flow;\n+\tint err, counter = 0;\n+\n+\trhashtable_walk_init(&flow_table, &hti, GFP_KERNEL);\n+\terr = rhashtable_walk_start(&hti);\n+\tif (err && err != -EAGAIN)\n+\t\tgoto out;\n+\n+\twhile ((tuplehash = rhashtable_walk_next(&hti))) {\n+\t\tif (IS_ERR(tuplehash)) {\n+\t\t\terr = PTR_ERR(tuplehash);\n+\t\t\tif (err != -EAGAIN)\n+\t\t\t\tgoto out;\n+\n+\t\t\tcontinue;\n+\t\t}\n+\t\tif (tuplehash->tuple.dir)\n+\t\t\tcontinue;\n+\n+\t\tflow = container_of(tuplehash, struct flow_offload, tuplehash[0]);\n+\n+\t\tif (nf_flow_has_expired(flow))\n+\t\t\tflow_offload_del(flow);\n+\n+\t\tcounter++;\n+\t}\n+\n+\trhashtable_walk_stop(&hti);\n+\trhashtable_walk_exit(&hti);\n+\n+out:\n+\tqueue_delayed_work(system_power_efficient_wq, &nf_flow_offload_gc,\n+\t\t\t msecs_to_jiffies(1000));\n+}\n+\n+static int nf_flow_snat_tcp(struct iphdr *iph,\n+\t\t\t const struct flow_offload *flow,\n+\t\t\t struct sk_buff *skb,\n+\t\t\t unsigned int thoff,\n+\t\t\t __be32 addr, __be32 new_addr)\n+{\n+\tstruct tcphdr *tcph;\n+\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*tcph)) ||\n+\t skb_try_make_writable(skb, thoff + sizeof(*tcph)))\n+\t\treturn -1;\n+\n+\ttcph = (void *)(skb_network_header(skb) + thoff);\n+\tinet_proto_csum_replace4(&tcph->check, skb, addr, new_addr, true);\n+\n+\treturn 0;\n+}\n+\n+static int nf_flow_snat_udp(struct iphdr *iph,\n+\t\t\t const struct flow_offload *flow,\n+\t\t\t struct sk_buff *skb,\n+\t\t\t unsigned int thoff,\n+\t\t\t __be32 addr, __be32 new_addr)\n+{\n+\tstruct udphdr *udph;\n+\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*udph)) ||\n+\t skb_try_make_writable(skb, thoff + sizeof(*udph)))\n+\t\treturn -1;\n+\n+\tudph = (void *)(skb_network_header(skb) + thoff);\n+\tif (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {\n+\t\tinet_proto_csum_replace4(&udph->check, skb, addr,\n+\t\t\t\t\t new_addr, true);\n+\t\tif (!udph->check)\n+\t\t\tudph->check = CSUM_MANGLED_0;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+static int nf_flow_snat(struct iphdr *iph,\n+\t\t\tconst struct flow_offload *flow,\n+\t\t\tenum flow_offload_tuple_dir dir, struct sk_buff *skb)\n+{\n+\t__be32 new_addr, addr;\n+\tunsigned int thoff;\n+\n+\tif (skb_try_make_writable(skb, sizeof(*iph)))\n+\t\treturn NF_DROP;\n+\n+\tswitch (dir) {\n+\tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n+\t\taddr = iph->saddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v4.s_addr;\n+\t\tiph->saddr = new_addr;\n+\t\tbreak;\n+\tcase FLOW_OFFLOAD_DIR_REPLY:\n+\t\taddr = iph->daddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v4.s_addr;\n+\t\tiph->daddr = new_addr;\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -1;\n+\t}\n+\tcsum_replace4(&iph->check, addr, new_addr);\n+\n+\tip_decrease_ttl(iph);\n+\n+\tthoff = iph->ihl * 4;\n+\n+\tswitch (iph->protocol) {\n+\tcase IPPROTO_TCP:\n+\t\tif (nf_flow_snat_tcp(iph, flow, skb, thoff, addr, new_addr) < 0)\n+\t\t\treturn NF_DROP;\n+\t\tbreak;\n+\tcase IPPROTO_UDP:\n+\t\tif (nf_flow_snat_udp(iph, flow, skb, thoff, addr, new_addr) < 0)\n+\t\t\treturn NF_DROP;\n+\t\tbreak;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+/* Similar to rt_nexthop(). */\n+static inline __be32 nf_flow_nexthop(__be32 nexthop, __be32 daddr)\n+{\n+\tif (nexthop)\n+\t\treturn nexthop;\n+\n+\treturn daddr;\n+}\n+\n+struct flow_ports {\n+\t__be16 src, dst;\n+};\n+\n+static int nf_flow_tuple_ip(struct iphdr *iph, struct sk_buff *skb,\n+\t\t\t struct flow_offload_tuple *tuple)\n+{\n+\tstruct flow_ports *ports;\n+\tunsigned int thoff;\n+\n+\tif (iph->protocol != IPPROTO_TCP &&\n+\t iph->protocol != IPPROTO_UDP)\n+\t\treturn -1;\n+\n+\tthoff = iph->ihl * 4;\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*ports)))\n+\t\treturn -1;\n+\n+\tports = (struct flow_ports *)(skb_network_header(skb) + thoff);\n+\n+\ttuple->src_v4.s_addr\t= iph->saddr;\n+\ttuple->dst_v4.s_addr\t= iph->daddr;\n+\ttuple->src_port\t\t= ports->src;\n+\ttuple->dst_port\t\t= ports->dst;\n+\ttuple->l3proto\t\t= AF_INET;\n+\ttuple->l4proto\t\t= iph->protocol;\n+\n+\treturn 0;\n+}\n+\n+#define NF_FLOW_TIMEOUT\t(30 * HZ)\n+\n+static unsigned int\n+nf_flow_offload_hook(void *priv, struct sk_buff *skb,\n+\t\t const struct nf_hook_state *state)\n+{\n+\tstruct flow_offload_tuple_rhash *tuplehash;\n+\tstruct flow_offload_tuple tuple = {};\n+\tstruct flow_offload *flow;\n+\tstruct net_device *outdev;\n+\tstruct iphdr *iph;\n+\t__be32 nexthop;\n+\tint err;\n+\n+\tswitch (skb->protocol) {\n+\tcase cpu_to_be16(ETH_P_IP):\n+\t\tif (!pskb_may_pull(skb, sizeof(*iph)))\n+\t\t\treturn NF_ACCEPT;\n+\n+\t\tiph = ip_hdr(skb);\n+\t\tif (ip_is_fragment(iph))\n+\t\t\treturn NF_ACCEPT;\n+\n+\t\terr = nf_flow_tuple_ip(iph, skb, &tuple);\n+\t\tif (err < 0)\n+\t\t\treturn NF_ACCEPT;\n+\t\tbreak;\n+\tdefault:\n+\t\treturn NF_ACCEPT;\n+\t}\n+\n+\ttuplehash = flow_offload_lookup(&tuple);\n+\tif (tuplehash == NULL)\n+\t\treturn NF_ACCEPT;\n+\n+\toutdev = dev_get_by_index_rcu(&init_net, tuplehash->tuple.oifidx);\n+\tif (!outdev)\n+\t\treturn NF_ACCEPT;\n+\n+\tflow = container_of(tuplehash, struct flow_offload,\n+\t\t\t tuplehash[tuplehash->tuple.dir]);\n+\n+\tflow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;\n+\n+\tif (flow->flags & FLOW_OFFLOAD_SNAT &&\n+\t nf_flow_snat(iph, flow, tuplehash->tuple.dir, skb) < 0)\n+\t\treturn NF_DROP;\n+\n+\tskb->dev = outdev;\n+\tnexthop = nf_flow_nexthop(tuplehash->tuple.gateway, iph->daddr);\n+\n+\tneigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);\n+\n+\treturn NF_STOLEN;\n+}\n+\n+static LIST_HEAD(nf_flow_hook_list);\n+\n+struct nf_flow_hook_entry {\n+\tstruct list_head\thead;\n+\tstruct nf_hook_ops\tops;\n+};\n+\n+static int __init nf_flow_offload_module_init(void)\n+{\n+\tstruct rhashtable_params params = flow_offload_rhash_params;\n+\tstruct nf_hook_ops flow_offload_hook = {\n+\t\t.hook\t\t= nf_flow_offload_hook,\n+\t\t.pf\t\t= NFPROTO_NETDEV,\n+\t\t.hooknum\t= NF_NETDEV_INGRESS,\n+\t\t.priority\t= -100,\n+\t};\n+\tstruct nf_flow_hook_entry *entry;\n+\tstruct net_device *dev;\n+\tint err;\n+\n+\tparams.key_len = offsetof(struct flow_offload_tuple, dir);\n+\terr = rhashtable_init(&flow_table, ¶ms);\n+\tif (err < 0)\n+\t\treturn err;\n+\n+\trtnl_lock();\n+\tfor_each_netdev(&init_net, dev) {\n+\t\tentry = kmalloc(sizeof(*entry), GFP_KERNEL);\n+\t\tif (!entry) {\n+\t\t\trtnl_unlock();\n+\t\t\treturn -ENOMEM;\n+\t\t}\n+\t\tentry->ops\t= flow_offload_hook;\n+\t\tentry->ops.dev\t= dev;\n+\t\tlist_add_tail(&entry->head, &nf_flow_hook_list);\n+\n+\t\terr = nf_register_net_hook(&init_net, &entry->ops);\n+\t\tif (err < 0)\n+\t\t\treturn err;\n+\n+\t\tpr_info(\"register flow table for device %s\\n\", dev->name);\n+\t}\n+\trtnl_unlock();\n+\n+\tqueue_delayed_work(system_power_efficient_wq, &nf_flow_offload_gc,\n+\t\t\t msecs_to_jiffies(1000));\n+\treturn err;\n+}\n+\n+static void flow_offload_destroy(void *ptr, void *arg)\n+{\n+\tkfree(ptr);\n+}\n+\n+static void __exit nf_flow_offload_module_exit(void)\n+{\n+\tstruct nf_flow_hook_entry *entry, *next;\n+\n+\tcancel_delayed_work_sync(&nf_flow_offload_gc);\n+\tlist_for_each_entry_safe(entry, next, &nf_flow_hook_list, head) {\n+\t\tpr_info(\"unregister flow table for device %s\\n\",\n+\t\t\tentry->ops.dev->name);\n+\t\tnf_unregister_net_hook(&init_net, &entry->ops);\n+\t\tlist_del(&entry->head);\n+\t\tkfree(entry);\n+\t}\n+\trhashtable_free_and_destroy(&flow_table, flow_offload_destroy, NULL);\n+}\n+\n+module_init(nf_flow_offload_module_init);\n+module_exit(nf_flow_offload_module_exit);\n+\n+MODULE_LICENSE(\"GPL\");\n+MODULE_AUTHOR(\"Pablo Neira Ayuso <pablo@netfilter.org>\");\n", "prefixes": [ "RFC", "WIP", "2/5" ] }