Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2196231/?format=api
{ "id": 2196231, "url": "http://patchwork.ozlabs.org/api/patches/2196231/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260213071042.3733239-5-lulu@redhat.com/", "project": { "id": 14, "url": "http://patchwork.ozlabs.org/api/projects/14/?format=api", "name": "QEMU Development", "link_name": "qemu-devel", "list_id": "qemu-devel.nongnu.org", "list_email": "qemu-devel@nongnu.org", "web_url": "", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260213071042.3733239-5-lulu@redhat.com>", "list_archive_url": null, "date": "2026-02-13T07:08:04", "name": "[RFC,4/5] net/filter-redirector: add AF_PACKET redirect datapath", "commit_ref": null, "pull_url": null, "state": "new", "archived": false, "hash": "70c750dc9becf449b558cb9a139ce08482a3babf", "submitter": { "id": 78960, "url": "http://patchwork.ozlabs.org/api/people/78960/?format=api", "name": "Cindy Lu", "email": "lulu@redhat.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/qemu-devel/patch/20260213071042.3733239-5-lulu@redhat.com/mbox/", "series": [ { "id": 492063, "url": "http://patchwork.ozlabs.org/api/series/492063/?format=api", "web_url": "http://patchwork.ozlabs.org/project/qemu-devel/list/?series=492063", "date": "2026-02-13T07:08:05", "name": "net/filter-redirector: Add AF_PACKET support for vhost-net", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/492063/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2196231/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2196231/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org>", "X-Original-To": "incoming@patchwork.ozlabs.org", "Delivered-To": "patchwork-incoming@legolas.ozlabs.org", "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=BCgWYEQK;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=nongnu.org\n (client-ip=209.51.188.17; helo=lists.gnu.org;\n envelope-from=qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org;\n receiver=patchwork.ozlabs.org)" ], "Received": [ "from lists.gnu.org (lists.gnu.org [209.51.188.17])\n\t(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fC3Jk10qHz1xvQ\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 13 Feb 2026 18:12:22 +1100 (AEDT)", "from localhost ([::1] helo=lists1p.gnu.org)\n\tby lists.gnu.org with esmtp (Exim 4.90_1)\n\t(envelope-from <qemu-devel-bounces@nongnu.org>)\n\tid 1vqnL2-0002k7-0T; Fri, 13 Feb 2026 02:11:40 -0500", "from eggs.gnu.org ([2001:470:142:3::10])\n by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <lulu@redhat.com>) id 1vqnKy-0002jb-2G\n for qemu-devel@nongnu.org; Fri, 13 Feb 2026 02:11:36 -0500", "from us-smtp-delivery-124.mimecast.com ([170.10.133.124])\n by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)\n (Exim 4.90_1) (envelope-from <lulu@redhat.com>) id 1vqnKv-0005eC-PB\n for qemu-devel@nongnu.org; Fri, 13 Feb 2026 02:11:35 -0500", "from mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com\n (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by\n relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3,\n cipher=TLS_AES_256_GCM_SHA384) id us-mta-176-3GPXCd5hOvuvtV6Qi5_0cA-1; Fri,\n 13 Feb 2026 02:11:29 -0500", "from mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com\n (mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.111])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest\n SHA256)\n (No client certificate requested)\n by mx-prod-mc-05.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS\n id 343651955D8F; Fri, 13 Feb 2026 07:11:28 +0000 (UTC)", "from S2.redhat.com (unknown [10.72.112.33])\n by mx-prod-int-08.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP\n id E09801800464; Fri, 13 Feb 2026 07:11:24 +0000 (UTC)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1770966693;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:mime-version:mime-version:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=HfmaBTP49ifwDZty9C9MLcDDDX6UwWiMdcZezZPYKs0=;\n b=BCgWYEQKnImQpGsDAP94XN9e62koCQUo53WXDXqE0mtN5BLV99bQmkGaerXgIvSqYKzJIG\n Ii9tV5SOIhWjIJ4HA7nshg2d5sLeoHv7aIjtDXorV+pySp6bzxe6GAtBiwzebopQyyWWjw\n VgSjJ5zAvt/wP9jbU3ZlX9KgBhGCw7E=", "X-MC-Unique": "3GPXCd5hOvuvtV6Qi5_0cA-1", "X-Mimecast-MFC-AGG-ID": "3GPXCd5hOvuvtV6Qi5_0cA_1770966688", "From": "Cindy Lu <lulu@redhat.com>", "To": "lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com,\n lizhijian@fujitsu.com, qemu-devel@nongnu.org", "Subject": "[RFC 4/5] net/filter-redirector: add AF_PACKET redirect datapath", "Date": "Fri, 13 Feb 2026 15:08:04 +0800", "Message-ID": "<20260213071042.3733239-5-lulu@redhat.com>", "In-Reply-To": "<20260213071042.3733239-1-lulu@redhat.com>", "References": "<20260213071042.3733239-1-lulu@redhat.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "X-Scanned-By": "MIMEDefang 3.4.1 on 10.30.177.111", "Received-SPF": "pass client-ip=170.10.133.124; envelope-from=lulu@redhat.com;\n helo=us-smtp-delivery-124.mimecast.com", "X-Spam_score_int": "-20", "X-Spam_score": "-2.1", "X-Spam_bar": "--", "X-Spam_report": "(-2.1 / 5.0 requ) BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001,\n DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1,\n RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=0.001,\n RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001,\n SPF_HELO_PASS=-0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no", "X-Spam_action": "no action", "X-BeenThere": "qemu-devel@nongnu.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "qemu development <qemu-devel.nongnu.org>", "List-Unsubscribe": "<https://lists.nongnu.org/mailman/options/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=unsubscribe>", "List-Archive": "<https://lists.nongnu.org/archive/html/qemu-devel>", "List-Post": "<mailto:qemu-devel@nongnu.org>", "List-Help": "<mailto:qemu-devel-request@nongnu.org?subject=help>", "List-Subscribe": "<https://lists.nongnu.org/mailman/listinfo/qemu-devel>,\n <mailto:qemu-devel-request@nongnu.org?subject=subscribe>", "Errors-To": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org", "Sender": "qemu-devel-bounces+incoming=patchwork.ozlabs.org@nongnu.org" }, "content": "Complete the AF_PACKET based packet forwarding implementation for\nfilter-redirector:\n\n1. filter_redirector_send_netdev_packet(): Send packets via AF_PACKET\n socket to out_netdev. Updates netdev_tx statistics.\n\n2. filter_redirector_recv_from_chardev(): Handle packets received from\n chardev indev. Can forward to either chardev outdev, AF_PACKET\n out_netdev, or inject into the netfilter chain.\n\n3. filter_redirector_recv_from_netdev(): Handle packets received from\n AF_PACKET in_netdev. Can forward to chardev outdev or inject into\n the netfilter chain.\n\n4. Updated filter_redirector_receive_iov() to support out_netdev as\n an output endpoint. Added logic to skip netdev path consumption\n when redirector has an input endpoint (indev/in_netdev) to prevent\n packet loops.\n\n5. Added netdev_rx and netdev_tx counters to query-netfilter-stats\n output for monitoring AF_PACKET datapath activity.\n\nSigned-off-by: Cindy Lu <lulu@redhat.com>\n---\n net/filter-mirror.c | 177 ++++++++++++++++++++++++++++++++++++++++++--\n 1 file changed, 171 insertions(+), 6 deletions(-)", "diff": "diff --git a/net/filter-mirror.c b/net/filter-mirror.c\nindex f8001612ec..d9e8fcba59 100644\n--- a/net/filter-mirror.c\n+++ b/net/filter-mirror.c\n@@ -65,6 +65,11 @@ struct MirrorState {\n uint64_t indev_bytes;\n uint64_t outdev_packets;\n uint64_t outdev_bytes;\n+ /* netdev replay/capture statistics for filter-redirector */\n+ uint64_t netdev_rx_packets;\n+ uint64_t netdev_rx_bytes;\n+ uint64_t netdev_tx_packets;\n+ uint64_t netdev_tx_bytes;\n };\n \n typedef struct FilterSendCo {\n@@ -158,6 +163,59 @@ static int filter_send(MirrorState *s,\n return data.ret;\n }\n \n+static ssize_t filter_redirector_send_netdev_packet(MirrorState *s,\n+ const struct iovec *iov,\n+ int iovcnt)\n+{\n+ ssize_t size = iov_size(iov, iovcnt);\n+ g_autofree uint8_t *buf = NULL;\n+\n+ if (s->out_netfd < 0) {\n+ return -ENODEV;\n+ }\n+ if (size > NET_BUFSIZE) {\n+ return -EINVAL;\n+ }\n+\n+ buf = g_malloc(size);\n+ iov_to_buf(iov, iovcnt, 0, buf, size);\n+\n+ ssize_t ret = send(s->out_netfd, buf, size, 0);\n+ if (ret < 0) {\n+ return -errno;\n+ }\n+ if (ret > 0) {\n+ s->netdev_tx_packets++;\n+ s->netdev_tx_bytes += ret;\n+ }\n+ return ret;\n+}\n+static ssize_t filter_redirector_send_chardev_iov(MirrorState *s,\n+ const struct iovec *iov,\n+ int iovcnt)\n+{\n+ if (!s->outdev) {\n+ return -ENODEV;\n+ }\n+\n+ if (!qemu_chr_fe_backend_connected(&s->chr_out)) {\n+ return 0;\n+ }\n+\n+ return filter_send(s, iov, iovcnt);\n+}\n+\n+static ssize_t filter_redirector_send_netdev_iov(MirrorState *s,\n+ const struct iovec *iov,\n+ int iovcnt)\n+{\n+ if (!s->out_netdev) {\n+ return -ENODEV;\n+ }\n+\n+ return filter_redirector_send_netdev_packet(s, iov, iovcnt);\n+}\n+\n static void redirector_to_filter(NetFilterState *nf,\n const uint8_t *buf,\n int len)\n@@ -230,6 +288,75 @@ static void redirector_chr_event(void *opaque, QEMUChrEvent event)\n }\n }\n \n+static void filter_redirector_recv_from_chardev(NetFilterState *nf,\n+ const uint8_t *buf,\n+ int len)\n+{\n+ MirrorState *s = FILTER_REDIRECTOR(nf);\n+ ssize_t ret;\n+ struct iovec iov = {\n+ .iov_base = (void *)buf,\n+ .iov_len = len,\n+ };\n+\n+ if (len <= 0) {\n+ return;\n+ }\n+\n+ /* chardev indev */\n+ s->indev_packets++;\n+ s->indev_bytes += len;\n+\n+ if (s->out_netdev) {\n+ ret = filter_redirector_send_netdev_iov(s, &iov, 1);\n+ if (ret < 0) {\n+ error_report(\"filter redirector send failed(%s)\", strerror(-ret));\n+ }\n+ return;\n+ }\n+\n+ if (s->outdev) {\n+ ret = filter_redirector_send_chardev_iov(s, &iov, 1);\n+ if (ret < 0) {\n+ error_report(\"filter redirector send failed(%s)\", strerror(-ret));\n+ } else if (ret > 0) {\n+ s->outdev_packets++;\n+ s->outdev_bytes += ret;\n+ }\n+ return;\n+ }\n+\n+ redirector_to_filter(nf, buf, len);\n+}\n+\n+static bool filter_redirector_recv_from_netdev(NetFilterState *nf,\n+ const uint8_t *buf,\n+ int len)\n+{\n+ MirrorState *s = FILTER_REDIRECTOR(nf);\n+ ssize_t ret;\n+ struct iovec iov = {\n+ .iov_base = (void *)buf,\n+ .iov_len = len,\n+ };\n+\n+ if (len <= 0) {\n+ return false;\n+ }\n+ if (s->outdev) {\n+ ret = filter_redirector_send_chardev_iov(s, &iov, 1);\n+ } else {\n+ redirector_to_filter(nf, buf, len);\n+ return true;\n+ }\n+\n+ if (ret < 0) {\n+ error_report(\"filter redirector send failed(%s)\", strerror(-ret));\n+ return false;\n+ }\n+ return true;\n+}\n+\n static void filter_redirector_netdev_read(void *opaque)\n {\n NetFilterState *nf = opaque;\n@@ -254,7 +381,9 @@ static void filter_redirector_netdev_read(void *opaque)\n continue;\n }\n \n- redirector_to_filter(nf, s->in_netbuf, len);\n+ s->netdev_rx_packets++;\n+ s->netdev_rx_bytes += len;\n+ filter_redirector_recv_from_netdev(nf, s->in_netbuf, len);\n }\n \n if (len < 0 && errno != EAGAIN && errno != EWOULDBLOCK &&\n@@ -296,19 +425,33 @@ static ssize_t filter_redirector_receive_iov(NetFilterState *nf,\n MirrorState *s = FILTER_REDIRECTOR(nf);\n int ret;\n \n- if (qemu_chr_fe_backend_connected(&s->chr_out)) {\n- ret = filter_send(s, iov, iovcnt);\n+ /*\n+ * If this redirector has an explicit input endpoint (indev/in_netdev),\n+ * it acts as an injector for that endpoint and must not consume packets\n+ * from the regular netdev data path. Consuming here can create loops when\n+ * out_netdev points back to the same TAP netdev.\n+ */\n+ if (s->indev || s->in_netdev) {\n+ return 0;\n+ }\n+\n+ if (s->out_netdev || s->outdev) {\n+ if (s->out_netdev) {\n+ ret = filter_redirector_send_netdev_iov(s, iov, iovcnt);\n+ } else {\n+ ret = filter_redirector_send_chardev_iov(s, iov, iovcnt);\n+ }\n if (ret < 0) {\n error_report(\"filter redirector send failed(%s)\", strerror(-ret));\n- } else if (ret > 0) {\n+ } else if (ret > 0 && !s->out_netdev) {\n /* Update outdev statistics on successful send */\n s->outdev_packets++;\n s->outdev_bytes += ret;\n }\n return iov_size(iov, iovcnt);\n- } else {\n- return 0;\n }\n+\n+ return 0;\n }\n \n static void filter_mirror_cleanup(NetFilterState *nf)\n@@ -369,6 +512,16 @@ static void redirector_rs_finalize(SocketReadState *rs)\n MirrorState *s = container_of(rs, MirrorState, rs);\n NetFilterState *nf = NETFILTER(s);\n \n+ /*\n+ * If redirector has an explicit output endpoint, keep the redirect path\n+ * (e.g. indev=red0 -> out_netdev=net0).\n+ * Fallback to direct netfilter injection only when no output is set.\n+ */\n+ if (s->outdev || s->out_netdev) {\n+ filter_redirector_recv_from_chardev(nf, rs->buf, rs->packet_len);\n+ return;\n+ }\n+\n /* Update indev statistics */\n s->indev_packets++;\n s->indev_bytes += rs->packet_len;\n@@ -826,6 +979,18 @@ static GList *filter_redirector_get_stats(NetFilterState *nf)\n counter->bytes = s->outdev_bytes;\n list = g_list_append(list, counter);\n \n+ counter = g_new0(NetFilterCounter, 1);\n+ counter->name = g_strdup(\"netdev_rx\");\n+ counter->packets = s->netdev_rx_packets;\n+ counter->bytes = s->netdev_rx_bytes;\n+ list = g_list_append(list, counter);\n+\n+ counter = g_new0(NetFilterCounter, 1);\n+ counter->name = g_strdup(\"netdev_tx\");\n+ counter->packets = s->netdev_tx_packets;\n+ counter->bytes = s->netdev_tx_bytes;\n+ list = g_list_append(list, counter);\n+\n return list;\n }\n \n", "prefixes": [ "RFC", "4/5" ] }