GET /api/patches/852530/?format=api
{ "id": 852530, "url": "http://patchwork.ozlabs.org/api/patches/852530/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/20171222192732.13188-5-pablo@netfilter.org/", "project": { "id": 7, "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api", "name": "Linux network development", "link_name": "netdev", "list_id": "netdev.vger.kernel.org", "list_email": "netdev@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20171222192732.13188-5-pablo@netfilter.org>", "list_archive_url": null, "date": "2017-12-22T19:27:29", "name": "[nf-next,v3,4/7] netfilter: flow table support for IPv6", "commit_ref": null, "pull_url": null, "state": "rfc", "archived": true, "hash": "7ca9e9ff565152e2caddc8a9fdcd3f192323f407", "submitter": { "id": 1315, "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api", "name": "Pablo Neira Ayuso", "email": "pablo@netfilter.org" }, "delegate": { "id": 34, "url": "http://patchwork.ozlabs.org/api/users/34/?format=api", "username": "davem", "first_name": "David", "last_name": "Miller", "email": "davem@davemloft.net" }, "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/20171222192732.13188-5-pablo@netfilter.org/mbox/", "series": [ { "id": 20090, "url": "http://patchwork.ozlabs.org/api/series/20090/?format=api", "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=20090", "date": "2017-12-22T19:27:25", "name": "Flow offload infrastructure", "version": 3, "mbox": "http://patchwork.ozlabs.org/series/20090/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/852530/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/852530/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<netdev-owner@vger.kernel.org>", "X-Original-To": "patchwork-incoming@ozlabs.org", "Delivered-To": "patchwork-incoming@ozlabs.org", "Authentication-Results": 
"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)", "Received": [ "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3z3JT13Zxnz9s7f\n\tfor <patchwork-incoming@ozlabs.org>;\n\tSat, 23 Dec 2017 06:28:21 +1100 (AEDT)", "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1756824AbdLVT2U (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 22 Dec 2017 14:28:20 -0500", "from mail.us.es ([193.147.175.20]:42380 \"EHLO mail.us.es\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1756735AbdLVT2I (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tFri, 22 Dec 2017 14:28:08 -0500", "from antivirus1-rhel7.int (unknown [192.168.2.11])\n\tby mail.us.es (Postfix) with ESMTP id 67E4DEBAD9\n\tfor <netdev@vger.kernel.org>; Fri, 22 Dec 2017 20:28:06 +0100 (CET)", "from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 56F23F7315\n\tfor <netdev@vger.kernel.org>; Fri, 22 Dec 2017 20:28:06 +0100 (CET)", "by antivirus1-rhel7.int (Postfix, from userid 99)\n\tid 45005F7322; Fri, 22 Dec 2017 20:28:06 +0100 (CET)", "from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id BFA39F731C;\n\tFri, 22 Dec 2017 20:28:03 +0100 (CET)", "from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int\n\t(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); \n\tFri, 22 Dec 2017 20:28:03 +0100 (CET)", "from salvia.here (129.166.216.87.static.jazztel.es\n\t[87.216.166.129]) (Authenticated sender: pneira@us.es)\n\tby entrada.int (Postfix) with ESMTPA id E3D964265A31;\n\tFri, 22 Dec 2017 20:28:02 +0100 (CET)" ], "X-Spam-Checker-Version": "SpamAssassin 3.4.1 (2015-04-28) on\n\tantivirus1-rhel7.int", "X-Spam-Level": "", "X-Spam-Status": "No, score=-108.2 required=7.5 
tests=ALL_TRUSTED,BAYES_50,\n\tSMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled version=3.4.1", "X-Virus-Status": "clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int)", "X-SMTPAUTHUS": "auth mail.us.es", "From": "Pablo Neira Ayuso <pablo@netfilter.org>", "To": "netfilter-devel@vger.kernel.org", "Cc": "netdev@vger.kernel.org, f.fainelli@gmail.com,\n\tsimon.horman@netronome.com, ronye@mellanox.com, jiri@mellanox.com,\n\tnbd@nbd.name, john@phrozen.org, kubakici@wp.pl, fw@strlen.de", "Subject": "[PATCH nf-next,v3 4/7] netfilter: flow table support for IPv6", "Date": "Fri, 22 Dec 2017 20:27:29 +0100", "Message-Id": "<20171222192732.13188-5-pablo@netfilter.org>", "X-Mailer": "git-send-email 2.11.0", "In-Reply-To": "<20171222192732.13188-1-pablo@netfilter.org>", "References": "<20171222192732.13188-1-pablo@netfilter.org>", "X-Virus-Scanned": "ClamAV using ClamSMTP", "Sender": "netdev-owner@vger.kernel.org", "Precedence": "bulk", "List-ID": "<netdev.vger.kernel.org>", "X-Mailing-List": "netdev@vger.kernel.org" }, "content": "This patch adds the IPv6 flow table type, that implements the datapath\nflow table to forward IPv6 traffic.\n\nThis patch exports ip6_dst_mtu_forward() that is required to check for\nmtu to pass up packets that need PMTUD handling to the classic\nforwarding path.\n\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n include/net/ipv6.h | 2 +\n net/ipv6/ip6_output.c | 3 +-\n net/ipv6/netfilter/Kconfig | 8 +\n net/ipv6/netfilter/Makefile | 3 +\n net/ipv6/netfilter/nf_flow_table_ipv6.c | 277 ++++++++++++++++++++++++++++++++\n 5 files changed, 292 insertions(+), 1 deletion(-)\n create mode 100644 net/ipv6/netfilter/nf_flow_table_ipv6.c", "diff": "diff --git a/include/net/ipv6.h b/include/net/ipv6.h\nindex 6eac5cf8f1e6..ff069a8e0cde 100644\n--- a/include/net/ipv6.h\n+++ b/include/net/ipv6.h\n@@ -912,6 +912,8 @@ static inline struct sk_buff *ip6_finish_skb(struct sock *sk)\n \t\t\t &inet6_sk(sk)->cork);\n }\n \n+unsigned int 
ip6_dst_mtu_forward(const struct dst_entry *dst);\n+\n int ip6_dst_lookup(struct net *net, struct sock *sk, struct dst_entry **dst,\n \t\t struct flowi6 *fl6);\n struct dst_entry *ip6_dst_lookup_flow(const struct sock *sk, struct flowi6 *fl6,\ndiff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c\nindex 43ca864327c7..5ccd082ce182 100644\n--- a/net/ipv6/ip6_output.c\n+++ b/net/ipv6/ip6_output.c\n@@ -362,7 +362,7 @@ static inline int ip6_forward_finish(struct net *net, struct sock *sk,\n \treturn dst_output(net, sk, skb);\n }\n \n-static unsigned int ip6_dst_mtu_forward(const struct dst_entry *dst)\n+unsigned int ip6_dst_mtu_forward(const struct dst_entry *dst)\n {\n \tunsigned int mtu;\n \tstruct inet6_dev *idev;\n@@ -382,6 +382,7 @@ static unsigned int ip6_dst_mtu_forward(const struct dst_entry *dst)\n \n \treturn mtu;\n }\n+EXPORT_SYMBOL_GPL(ip6_dst_mtu_forward);\n \n static bool ip6_pkt_too_big(const struct sk_buff *skb, unsigned int mtu)\n {\ndiff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig\nindex 6acb2eecd986..806e95375ec8 100644\n--- a/net/ipv6/netfilter/Kconfig\n+++ b/net/ipv6/netfilter/Kconfig\n@@ -71,6 +71,14 @@ config NFT_FIB_IPV6\n endif # NF_TABLES_IPV6\n endif # NF_TABLES\n \n+config NF_FLOW_TABLE_IPV6\n+\tselect NF_FLOW_TABLE\n+\ttristate \"Netfilter flow table IPv6 module\"\n+\thelp\n+\t This option adds the flow table IPv6 support.\n+\n+\t To compile it as a module, choose M here.\n+\n config NF_DUP_IPV6\n \ttristate \"Netfilter IPv6 packet duplication to alternate destination\"\n \tdepends on !NF_CONNTRACK || NF_CONNTRACK\ndiff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile\nindex fe180c96040e..7dceadbb9eea 100644\n--- a/net/ipv6/netfilter/Makefile\n+++ b/net/ipv6/netfilter/Makefile\n@@ -44,6 +44,9 @@ obj-$(CONFIG_NFT_REDIR_IPV6) += nft_redir_ipv6.o\n obj-$(CONFIG_NFT_DUP_IPV6) += nft_dup_ipv6.o\n obj-$(CONFIG_NFT_FIB_IPV6) += nft_fib_ipv6.o\n \n+# flow table support\n+obj-$(CONFIG_NF_FLOW_TABLE_IPV6) += 
nf_flow_table_ipv6.o\n+\n # matches\n obj-$(CONFIG_IP6_NF_MATCH_AH) += ip6t_ah.o\n obj-$(CONFIG_IP6_NF_MATCH_EUI64) += ip6t_eui64.o\ndiff --git a/net/ipv6/netfilter/nf_flow_table_ipv6.c b/net/ipv6/netfilter/nf_flow_table_ipv6.c\nnew file mode 100644\nindex 000000000000..ab78703154d8\n--- /dev/null\n+++ b/net/ipv6/netfilter/nf_flow_table_ipv6.c\n@@ -0,0 +1,277 @@\n+#include <linux/kernel.h>\n+#include <linux/init.h>\n+#include <linux/module.h>\n+#include <linux/netfilter.h>\n+#include <linux/rhashtable.h>\n+#include <linux/ipv6.h>\n+#include <linux/netdevice.h>\n+#include <linux/ipv6.h>\n+#include <net/ipv6.h>\n+#include <net/ip6_route.h>\n+#include <net/neighbour.h>\n+#include <net/netfilter/nf_flow_table.h>\n+#include <net/netfilter/nf_tables.h>\n+/* For layer 4 checksum field offset. */\n+#include <linux/tcp.h>\n+#include <linux/udp.h>\n+\n+static int nf_flow_nat_ipv6_tcp(struct sk_buff *skb, unsigned int thoff,\n+\t\t\t\tstruct in6_addr *addr,\n+\t\t\t\tstruct in6_addr *new_addr)\n+{\n+\tstruct tcphdr *tcph;\n+\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*tcph)) ||\n+\t skb_try_make_writable(skb, thoff + sizeof(*tcph)))\n+\t\treturn -1;\n+\n+\ttcph = (void *)(skb_network_header(skb) + thoff);\n+\tinet_proto_csum_replace16(&tcph->check, skb, addr->s6_addr32,\n+\t\t\t\t new_addr->s6_addr32, true);\n+\n+\treturn 0;\n+}\n+\n+static int nf_flow_nat_ipv6_udp(struct sk_buff *skb, unsigned int thoff,\n+\t\t\t\tstruct in6_addr *addr,\n+\t\t\t\tstruct in6_addr *new_addr)\n+{\n+\tstruct udphdr *udph;\n+\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*udph)) ||\n+\t skb_try_make_writable(skb, thoff + sizeof(*udph)))\n+\t\treturn -1;\n+\n+\tudph = (void *)(skb_network_header(skb) + thoff);\n+\tif (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {\n+\t\tinet_proto_csum_replace16(&udph->check, skb, addr->s6_addr32,\n+\t\t\t\t\t new_addr->s6_addr32, true);\n+\t\tif (!udph->check)\n+\t\t\tudph->check = CSUM_MANGLED_0;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+static int 
nf_flow_nat_ipv6_l4proto(struct sk_buff *skb, struct ipv6hdr *ip6h,\n+\t\t\t\t unsigned int thoff, struct in6_addr *addr,\n+\t\t\t\t struct in6_addr *new_addr)\n+{\n+\tswitch (ip6h->nexthdr) {\n+\tcase IPPROTO_TCP:\n+\t\tif (nf_flow_nat_ipv6_tcp(skb, thoff, addr, new_addr) < 0)\n+\t\t\treturn NF_DROP;\n+\t\tbreak;\n+\tcase IPPROTO_UDP:\n+\t\tif (nf_flow_nat_ipv6_udp(skb, thoff, addr, new_addr) < 0)\n+\t\t\treturn NF_DROP;\n+\t\tbreak;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+static int nf_flow_snat_ipv6(const struct flow_offload *flow,\n+\t\t\t struct sk_buff *skb, struct ipv6hdr *ip6h,\n+\t\t\t unsigned int thoff,\n+\t\t\t enum flow_offload_tuple_dir dir)\n+{\n+\tstruct in6_addr addr, new_addr;\n+\n+\tswitch (dir) {\n+\tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n+\t\taddr = ip6h->saddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v6;\n+\t\tip6h->saddr = new_addr;\n+\t\tbreak;\n+\tcase FLOW_OFFLOAD_DIR_REPLY:\n+\t\taddr = ip6h->daddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v6;\n+\t\tip6h->daddr = new_addr;\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -1;\n+\t}\n+\n+\treturn nf_flow_nat_ipv6_l4proto(skb, ip6h, thoff, &addr, &new_addr);\n+}\n+\n+static int nf_flow_dnat_ipv6(const struct flow_offload *flow,\n+\t\t\t struct sk_buff *skb, struct ipv6hdr *ip6h,\n+\t\t\t unsigned int thoff,\n+\t\t\t enum flow_offload_tuple_dir dir)\n+{\n+\tstruct in6_addr addr, new_addr;\n+\n+\tswitch (dir) {\n+\tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n+\t\taddr = ip6h->daddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v6;\n+\t\tip6h->daddr = new_addr;\n+\t\tbreak;\n+\tcase FLOW_OFFLOAD_DIR_REPLY:\n+\t\taddr = ip6h->saddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_v6;\n+\t\tip6h->saddr = new_addr;\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -1;\n+\t}\n+\n+\treturn nf_flow_nat_ipv6_l4proto(skb, ip6h, thoff, &addr, &new_addr);\n+}\n+\n+static int nf_flow_nat_ipv6(const struct flow_offload *flow,\n+\t\t\t struct sk_buff 
*skb,\n+\t\t\t enum flow_offload_tuple_dir dir)\n+{\n+\tstruct ipv6hdr *ip6h = ipv6_hdr(skb);\n+\tunsigned int thoff = sizeof(*ip6h);\n+\n+\tif (flow->flags & FLOW_OFFLOAD_SNAT &&\n+\t (nf_flow_snat_port(flow, skb, thoff, ip6h->nexthdr, dir) < 0 ||\n+\t nf_flow_snat_ipv6(flow, skb, ip6h, thoff, dir) < 0))\n+\t\treturn -1;\n+\tif (flow->flags & FLOW_OFFLOAD_DNAT &&\n+\t (nf_flow_dnat_port(flow, skb, thoff, ip6h->nexthdr, dir) < 0 ||\n+\t nf_flow_dnat_ipv6(flow, skb, ip6h, thoff, dir) < 0))\n+\t\treturn -1;\n+\n+\treturn 0;\n+}\n+\n+static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,\n+\t\t\t struct flow_offload_tuple *tuple)\n+{\n+\tstruct flow_ports *ports;\n+\tstruct ipv6hdr *ip6h;\n+\tunsigned int thoff;\n+\n+\tif (!pskb_may_pull(skb, sizeof(*ip6h)))\n+\t\treturn -1;\n+\n+\tip6h = ipv6_hdr(skb);\n+\n+\tif (ip6h->nexthdr != IPPROTO_TCP &&\n+\t ip6h->nexthdr != IPPROTO_UDP)\n+\t\treturn -1;\n+\n+\tthoff = sizeof(*ip6h);\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*ports)))\n+\t\treturn -1;\n+\n+\tports = (struct flow_ports *)(skb_network_header(skb) + thoff);\n+\n+\ttuple->src_v6\t\t= ip6h->saddr;\n+\ttuple->dst_v6\t\t= ip6h->daddr;\n+\ttuple->src_port\t\t= ports->source;\n+\ttuple->dst_port\t\t= ports->dest;\n+\ttuple->l3proto\t\t= AF_INET6;\n+\ttuple->l4proto\t\t= ip6h->nexthdr;\n+\ttuple->iifidx\t\t= dev->ifindex;\n+\n+\treturn 0;\n+}\n+\n+/* Based on ip_exceeds_mtu(). 
*/\n+static bool __nf_flow_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)\n+{\n+\tif (skb->len <= mtu)\n+\t\treturn false;\n+\n+\tif (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))\n+\t\treturn false;\n+\n+\treturn true;\n+}\n+\n+static bool nf_flow_exceeds_mtu(struct sk_buff *skb, const struct rt6_info *rt)\n+{\n+\tu32 mtu;\n+\n+\tmtu = ip6_dst_mtu_forward(&rt->dst);\n+\tif (__nf_flow_exceeds_mtu(skb, mtu))\n+\t\treturn true;\n+\n+\treturn false;\n+}\n+\n+static unsigned int\n+nf_flow_ipv6_offload_hook(void *priv, struct sk_buff *skb,\n+\t\t\t const struct nf_hook_state *state)\n+{\n+\tstruct flow_offload_tuple_rhash *tuplehash;\n+\tstruct nf_flowtable *flow_table = priv;\n+\tstruct flow_offload_tuple tuple = {};\n+\tenum flow_offload_tuple_dir dir;\n+\tstruct flow_offload *flow;\n+\tstruct net_device *outdev;\n+\tstruct in6_addr *nexthop;\n+\tstruct ipv6hdr *ip6h;\n+\tstruct rt6_info *rt;\n+\n+\tif (skb->protocol != htons(ETH_P_IPV6))\n+\t\treturn NF_ACCEPT;\n+\n+\tif (nf_flow_tuple_ipv6(skb, state->in, &tuple) < 0)\n+\t\treturn NF_ACCEPT;\n+\n+\ttuplehash = flow_offload_lookup(flow_table, &tuple);\n+\tif (tuplehash == NULL)\n+\t\treturn NF_ACCEPT;\n+\n+\toutdev = dev_get_by_index_rcu(state->net, tuplehash->tuple.oifidx);\n+\tif (!outdev)\n+\t\treturn NF_ACCEPT;\n+\n+\tdir = tuplehash->tuple.dir;\n+\tflow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);\n+\n+\trt = (struct rt6_info *)flow->tuplehash[dir].tuple.dst_cache;\n+\tif (unlikely(nf_flow_exceeds_mtu(skb, rt)))\n+\t\treturn NF_ACCEPT;\n+\n+\tif (skb_try_make_writable(skb, sizeof(*ip6h)))\n+\t\treturn NF_DROP;\n+\n+\tif (flow->flags & (FLOW_OFFLOAD_SNAT | FLOW_OFFLOAD_DNAT) &&\n+\t nf_flow_nat_ipv6(flow, skb, dir) < 0)\n+\t\treturn NF_DROP;\n+\n+\tflow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;\n+\tip6h = ipv6_hdr(skb);\n+\tip6h->hop_limit--;\n+\n+\tskb->dev = outdev;\n+\tnexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);\n+\tneigh_xmit(NEIGH_ND_TABLE, outdev, 
&nexthop, skb);\n+\n+\treturn NF_STOLEN;\n+}\n+\n+static struct nf_flowtable_type flowtable_ipv6 = {\n+\t.family\t\t= NFPROTO_IPV6,\n+\t.params\t\t= &nf_flow_offload_rhash_params,\n+\t.gc\t\t= nf_flow_offload_work_gc,\n+\t.hook\t\t= nf_flow_ipv6_offload_hook,\n+\t.owner\t\t= THIS_MODULE,\n+};\n+\n+static int __init nf_flow_ipv6_module_init(void)\n+{\n+\tnft_register_flowtable_type(&flowtable_ipv6);\n+\n+\treturn 0;\n+}\n+\n+static void __exit nf_flow_ipv6_module_exit(void)\n+{\n+\tnft_unregister_flowtable_type(&flowtable_ipv6);\n+}\n+\n+module_init(nf_flow_ipv6_module_init);\n+module_exit(nf_flow_ipv6_module_exit);\n+\n+MODULE_LICENSE(\"GPL\");\n+MODULE_AUTHOR(\"Pablo Neira Ayuso <pablo@netfilter.org>\");\n+MODULE_ALIAS_NF_FLOWTABLE(AF_INET6);\n", "prefixes": [ "nf-next", "v3", "4/7" ] }
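Review bot: In nf_flow_ipv6_offload_hook (new file nf_flow_table_ipv6.c), `neigh_xmit(NEIGH_ND_TABLE, outdev, &nexthop, skb);` passes the address of the local pointer variable rather than the `struct in6_addr` it points to, so the neighbour lookup key is read from the hook's stack instead of the route's next hop; it should be `neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);`. The same function runs `ip6h->hop_limit--` with no lower bound, so a packet arriving with hop limit 1 or 0 is still forwarded (0 wraps to 255) instead of going back to the classic forwarding path; adding `if (ip6h->hop_limit <= 1) return -1;` to nf_flow_tuple_ipv6 would make the hook return NF_ACCEPT for those packets. nf_flow_nat_ipv6_l4proto returns `NF_DROP` on failure, which is 0, while nf_flow_nat_ipv6 tests the result with `< 0`, so a failed checksum rewrite is treated as success and the packet is transmitted anyway; `return -1;` would match the callers. nf_flow_nat_ipv6 also keeps using the `ip6h` it loaded on entry after the SNAT helpers have called pskb_may_pull(), which can reallocate the skb head, so the pointer should be reloaded with `ip6h = ipv6_hdr(skb);` before the DNAT step (nf_flow_snat_port and nf_flow_dnat_port are outside this patch, so their effect on the header is unconfirmed).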