get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/852532/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 852532,
    "url": "http://patchwork.ozlabs.org/api/patches/852532/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/netdev/patch/20171222192732.13188-4-pablo@netfilter.org/",
    "project": {
        "id": 7,
        "url": "http://patchwork.ozlabs.org/api/projects/7/?format=api",
        "name": "Linux network development",
        "link_name": "netdev",
        "list_id": "netdev.vger.kernel.org",
        "list_email": "netdev@vger.kernel.org",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20171222192732.13188-4-pablo@netfilter.org>",
    "list_archive_url": null,
    "date": "2017-12-22T19:27:28",
    "name": "[nf-next,v3,3/7] netfilter: flow table support for IPv4",
    "commit_ref": null,
    "pull_url": null,
    "state": "rfc",
    "archived": true,
    "hash": "d9a6f2c151502f4b9fa1727849040c378dee7b9a",
    "submitter": {
        "id": 1315,
        "url": "http://patchwork.ozlabs.org/api/people/1315/?format=api",
        "name": "Pablo Neira Ayuso",
        "email": "pablo@netfilter.org"
    },
    "delegate": {
        "id": 34,
        "url": "http://patchwork.ozlabs.org/api/users/34/?format=api",
        "username": "davem",
        "first_name": "David",
        "last_name": "Miller",
        "email": "davem@davemloft.net"
    },
    "mbox": "http://patchwork.ozlabs.org/project/netdev/patch/20171222192732.13188-4-pablo@netfilter.org/mbox/",
    "series": [
        {
            "id": 20090,
            "url": "http://patchwork.ozlabs.org/api/series/20090/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/netdev/list/?series=20090",
            "date": "2017-12-22T19:27:25",
            "name": "Flow offload infrastructure",
            "version": 3,
            "mbox": "http://patchwork.ozlabs.org/series/20090/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/852532/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/852532/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<netdev-owner@vger.kernel.org>",
        "X-Original-To": "patchwork-incoming@ozlabs.org",
        "Delivered-To": "patchwork-incoming@ozlabs.org",
        "Authentication-Results": "ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)",
        "Received": [
            "from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3z3JT52vrbz9sRm\n\tfor <patchwork-incoming@ozlabs.org>;\n\tSat, 23 Dec 2017 06:28:25 +1100 (AEDT)",
            "(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1756833AbdLVT2X (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tFri, 22 Dec 2017 14:28:23 -0500",
            "from mail.us.es ([193.147.175.20]:42360 \"EHLO mail.us.es\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1756725AbdLVT2H (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tFri, 22 Dec 2017 14:28:07 -0500",
            "from antivirus1-rhel7.int (unknown [192.168.2.11])\n\tby mail.us.es (Postfix) with ESMTP id 28726EBAD8\n\tfor <netdev@vger.kernel.org>; Fri, 22 Dec 2017 20:28:05 +0100 (CET)",
            "from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 17CF5F7317\n\tfor <netdev@vger.kernel.org>; Fri, 22 Dec 2017 20:28:05 +0100 (CET)",
            "by antivirus1-rhel7.int (Postfix, from userid 99)\n\tid 0D767F7316; Fri, 22 Dec 2017 20:28:05 +0100 (CET)",
            "from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 70849F730E;\n\tFri, 22 Dec 2017 20:28:02 +0100 (CET)",
            "from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int\n\t(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); \n\tFri, 22 Dec 2017 20:28:02 +0100 (CET)",
            "from salvia.here (129.166.216.87.static.jazztel.es\n\t[87.216.166.129]) (Authenticated sender: pneira@us.es)\n\tby entrada.int (Postfix) with ESMTPA id 8A42B4265A31;\n\tFri, 22 Dec 2017 20:28:01 +0100 (CET)"
        ],
        "X-Spam-Checker-Version": "SpamAssassin 3.4.1 (2015-04-28) on\n\tantivirus1-rhel7.int",
        "X-Spam-Level": "",
        "X-Spam-Status": "No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50,\n\tSMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled version=3.4.1",
        "X-Virus-Status": "clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int)",
        "X-SMTPAUTHUS": "auth mail.us.es",
        "From": "Pablo Neira Ayuso <pablo@netfilter.org>",
        "To": "netfilter-devel@vger.kernel.org",
        "Cc": "netdev@vger.kernel.org, f.fainelli@gmail.com,\n\tsimon.horman@netronome.com, ronye@mellanox.com, jiri@mellanox.com,\n\tnbd@nbd.name, john@phrozen.org, kubakici@wp.pl, fw@strlen.de",
        "Subject": "[PATCH nf-next,v3 3/7] netfilter: flow table support for IPv4",
        "Date": "Fri, 22 Dec 2017 20:27:28 +0100",
        "Message-Id": "<20171222192732.13188-4-pablo@netfilter.org>",
        "X-Mailer": "git-send-email 2.11.0",
        "In-Reply-To": "<20171222192732.13188-1-pablo@netfilter.org>",
        "References": "<20171222192732.13188-1-pablo@netfilter.org>",
        "X-Virus-Scanned": "ClamAV using ClamSMTP",
        "Sender": "netdev-owner@vger.kernel.org",
        "Precedence": "bulk",
        "List-ID": "<netdev.vger.kernel.org>",
        "X-Mailing-List": "netdev@vger.kernel.org"
    },
    "content": "This patch adds the IPv4 flow table type, that implements the datapath\nflow table to forward IPv4 traffic. Rationale is:\n\n1) Look up for the packet in the flow table, from the ingress hook.\n2) If there's a hit, decrement ttl and pass it on to the neighbour layer\n   for transmission.\n3) If there's a miss, packet is passed up to the classic forwarding\n   path.\n\nThis patch also supports layer 3 source and destination NAT.\n\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/ipv4/netfilter/Kconfig              |   8 +\n net/ipv4/netfilter/Makefile             |   3 +\n net/ipv4/netfilter/nf_flow_table_ipv4.c | 283 ++++++++++++++++++++++++++++++++\n 3 files changed, 294 insertions(+)\n create mode 100644 net/ipv4/netfilter/nf_flow_table_ipv4.c",
    "diff": "diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig\nindex c11eb1744ab1..7270771f9565 100644\n--- a/net/ipv4/netfilter/Kconfig\n+++ b/net/ipv4/netfilter/Kconfig\n@@ -77,6 +77,14 @@ config NF_TABLES_ARP\n \n endif # NF_TABLES\n \n+config NF_FLOW_TABLE_IPV4\n+\tselect NF_FLOW_TABLE\n+\ttristate \"Netfilter flow table IPv4 module\"\n+\thelp\n+\t  This option adds the flow table IPv4 support.\n+\n+\t  To compile it as a module, choose M here.\n+\n config NF_DUP_IPV4\n \ttristate \"Netfilter IPv4 packet duplication to alternate destination\"\n \tdepends on !NF_CONNTRACK || NF_CONNTRACK\ndiff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile\nindex f462fee66ac8..116745275dc0 100644\n--- a/net/ipv4/netfilter/Makefile\n+++ b/net/ipv4/netfilter/Makefile\n@@ -42,6 +42,9 @@ obj-$(CONFIG_NFT_REDIR_IPV4) += nft_redir_ipv4.o\n obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o\n obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o\n \n+# flow table support\n+obj-$(CONFIG_NF_FLOW_TABLE_IPV4) += nf_flow_table_ipv4.o\n+\n # generic IP tables \n obj-$(CONFIG_IP_NF_IPTABLES) += ip_tables.o\n \ndiff --git a/net/ipv4/netfilter/nf_flow_table_ipv4.c b/net/ipv4/netfilter/nf_flow_table_ipv4.c\nnew file mode 100644\nindex 000000000000..ac56c0f0492a\n--- /dev/null\n+++ b/net/ipv4/netfilter/nf_flow_table_ipv4.c\n@@ -0,0 +1,283 @@\n+#include <linux/kernel.h>\n+#include <linux/init.h>\n+#include <linux/module.h>\n+#include <linux/netfilter.h>\n+#include <linux/rhashtable.h>\n+#include <linux/ip.h>\n+#include <linux/netdevice.h>\n+#include <net/ip.h>\n+#include <net/neighbour.h>\n+#include <net/netfilter/nf_flow_table.h>\n+#include <net/netfilter/nf_tables.h>\n+/* For layer 4 checksum field offset. 
*/\n+#include <linux/tcp.h>\n+#include <linux/udp.h>\n+\n+static int nf_flow_nat_ip_tcp(struct sk_buff *skb, unsigned int thoff,\n+\t\t\t      __be32 addr, __be32 new_addr)\n+{\n+\tstruct tcphdr *tcph;\n+\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*tcph)) ||\n+\t    skb_try_make_writable(skb, thoff + sizeof(*tcph)))\n+\t\treturn -1;\n+\n+\ttcph = (void *)(skb_network_header(skb) + thoff);\n+\tinet_proto_csum_replace4(&tcph->check, skb, addr, new_addr, true);\n+\n+\treturn 0;\n+}\n+\n+static int nf_flow_nat_ip_udp(struct sk_buff *skb, unsigned int thoff,\n+\t\t\t      __be32 addr, __be32 new_addr)\n+{\n+\tstruct udphdr *udph;\n+\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*udph)) ||\n+\t    skb_try_make_writable(skb, thoff + sizeof(*udph)))\n+\t\treturn -1;\n+\n+\tudph = (void *)(skb_network_header(skb) + thoff);\n+\tif (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {\n+\t\tinet_proto_csum_replace4(&udph->check, skb, addr,\n+\t\t\t\t\t new_addr, true);\n+\t\tif (!udph->check)\n+\t\t\tudph->check = CSUM_MANGLED_0;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+static int nf_flow_nat_ip_l4proto(struct sk_buff *skb, struct iphdr *iph,\n+\t\t\t\t  unsigned int thoff, __be32 addr,\n+\t\t\t\t  __be32 new_addr)\n+{\n+\tswitch (iph->protocol) {\n+\tcase IPPROTO_TCP:\n+\t\tif (nf_flow_nat_ip_tcp(skb, thoff, addr, new_addr) < 0)\n+\t\t\treturn NF_DROP;\n+\t\tbreak;\n+\tcase IPPROTO_UDP:\n+\t\tif (nf_flow_nat_ip_udp(skb, thoff, addr, new_addr) < 0)\n+\t\t\treturn NF_DROP;\n+\t\tbreak;\n+\t}\n+\n+\treturn 0;\n+}\n+\n+static int nf_flow_snat_ip(const struct flow_offload *flow, struct sk_buff *skb,\n+\t\t\t   struct iphdr *iph, unsigned int thoff,\n+\t\t\t   enum flow_offload_tuple_dir dir)\n+{\n+\t__be32 addr, new_addr;\n+\n+\tswitch (dir) {\n+\tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n+\t\taddr = iph->saddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v4.s_addr;\n+\t\tiph->saddr = new_addr;\n+\t\tbreak;\n+\tcase FLOW_OFFLOAD_DIR_REPLY:\n+\t\taddr = 
iph->daddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v4.s_addr;\n+\t\tiph->daddr = new_addr;\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -1;\n+\t}\n+\tcsum_replace4(&iph->check, addr, new_addr);\n+\n+\treturn nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);\n+}\n+\n+static int nf_flow_dnat_ip(const struct flow_offload *flow, struct sk_buff *skb,\n+\t\t\t   struct iphdr *iph, unsigned int thoff,\n+\t\t\t   enum flow_offload_tuple_dir dir)\n+{\n+\t__be32 addr, new_addr;\n+\n+\tswitch (dir) {\n+\tcase FLOW_OFFLOAD_DIR_ORIGINAL:\n+\t\taddr = iph->daddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v4.s_addr;\n+\t\tiph->daddr = new_addr;\n+\t\tbreak;\n+\tcase FLOW_OFFLOAD_DIR_REPLY:\n+\t\taddr = iph->saddr;\n+\t\tnew_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_v4.s_addr;\n+\t\tiph->saddr = new_addr;\n+\t\tbreak;\n+\tdefault:\n+\t\treturn -1;\n+\t}\n+\n+\treturn nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);\n+}\n+\n+static int nf_flow_nat_ip(const struct flow_offload *flow, struct sk_buff *skb,\n+\t\t\t  enum flow_offload_tuple_dir dir)\n+{\n+\tstruct iphdr *iph = ip_hdr(skb);\n+\tunsigned int thoff = iph->ihl * 4;\n+\n+\tif (flow->flags & FLOW_OFFLOAD_SNAT &&\n+\t    (nf_flow_snat_port(flow, skb, thoff, iph->protocol, dir) < 0 ||\n+\t     nf_flow_snat_ip(flow, skb, iph, thoff, dir) < 0))\n+\t\treturn -1;\n+\tif (flow->flags & FLOW_OFFLOAD_DNAT &&\n+\t    (nf_flow_dnat_port(flow, skb, thoff, iph->protocol, dir) < 0 ||\n+\t     nf_flow_dnat_ip(flow, skb, iph, thoff, dir) < 0))\n+\t\treturn -1;\n+\n+\treturn 0;\n+}\n+\n+static bool ip_has_options(unsigned int thoff)\n+{\n+\treturn thoff != sizeof(struct iphdr);\n+}\n+\n+static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev,\n+\t\t\t    struct flow_offload_tuple *tuple)\n+{\n+\tstruct flow_ports *ports;\n+\tunsigned int thoff;\n+\tstruct iphdr *iph;\n+\n+\tif (!pskb_may_pull(skb, sizeof(*iph)))\n+\t\treturn 
-1;\n+\n+\tiph = ip_hdr(skb);\n+\tthoff = iph->ihl * 4;\n+\n+\tif (ip_is_fragment(iph) ||\n+\t    unlikely(ip_has_options(thoff)))\n+\t\treturn -1;\n+\n+\tif (iph->protocol != IPPROTO_TCP &&\n+\t    iph->protocol != IPPROTO_UDP)\n+\t\treturn -1;\n+\n+\tthoff = iph->ihl * 4;\n+\tif (!pskb_may_pull(skb, thoff + sizeof(*ports)))\n+\t\treturn -1;\n+\n+\tports = (struct flow_ports *)(skb_network_header(skb) + thoff);\n+\n+\ttuple->src_v4.s_addr\t= iph->saddr;\n+\ttuple->dst_v4.s_addr\t= iph->daddr;\n+\ttuple->src_port\t\t= ports->source;\n+\ttuple->dst_port\t\t= ports->dest;\n+\ttuple->l3proto\t\t= AF_INET;\n+\ttuple->l4proto\t\t= iph->protocol;\n+\ttuple->iifidx\t\t= dev->ifindex;\n+\n+\treturn 0;\n+}\n+\n+/* Based on ip_exceeds_mtu(). */\n+static bool __nf_flow_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)\n+{\n+\tif (skb->len <= mtu)\n+\t\treturn false;\n+\n+\tif ((ip_hdr(skb)->frag_off & htons(IP_DF)) == 0)\n+\t\treturn false;\n+\n+\tif (skb_is_gso(skb) && skb_gso_validate_mtu(skb, mtu))\n+\t\treturn false;\n+\n+\treturn true;\n+}\n+\n+static bool nf_flow_exceeds_mtu(struct sk_buff *skb, const struct rtable *rt)\n+{\n+\tu32 mtu;\n+\n+\tmtu = ip_dst_mtu_maybe_forward(&rt->dst, true);\n+\tif (__nf_flow_exceeds_mtu(skb, mtu))\n+\t\treturn true;\n+\n+\treturn false;\n+}\n+\n+static unsigned int\n+nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,\n+\t\t\tconst struct nf_hook_state *state)\n+{\n+\tstruct flow_offload_tuple_rhash *tuplehash;\n+\tstruct nf_flowtable *flow_table = priv;\n+\tstruct flow_offload_tuple tuple = {};\n+\tenum flow_offload_tuple_dir dir;\n+\tstruct flow_offload *flow;\n+\tstruct net_device *outdev;\n+\tconst struct rtable *rt;\n+\tstruct iphdr *iph;\n+\t__be32 nexthop;\n+\n+\tif (skb->protocol != htons(ETH_P_IP))\n+\t\treturn NF_ACCEPT;\n+\n+\tif (nf_flow_tuple_ip(skb, state->in, &tuple) < 0)\n+\t\treturn NF_ACCEPT;\n+\n+\ttuplehash = flow_offload_lookup(flow_table, &tuple);\n+\tif (tuplehash == NULL)\n+\t\treturn 
NF_ACCEPT;\n+\n+\toutdev = dev_get_by_index_rcu(state->net, tuplehash->tuple.oifidx);\n+\tif (!outdev)\n+\t\treturn NF_ACCEPT;\n+\n+\tdir = tuplehash->tuple.dir;\n+\tflow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);\n+\n+\trt = (const struct rtable *)flow->tuplehash[dir].tuple.dst_cache;\n+\tif (unlikely(nf_flow_exceeds_mtu(skb, rt)))\n+\t\treturn NF_ACCEPT;\n+\n+\tif (skb_try_make_writable(skb, sizeof(*iph)))\n+\t\treturn NF_DROP;\n+\n+\tif (flow->flags & (FLOW_OFFLOAD_SNAT | FLOW_OFFLOAD_DNAT) &&\n+\t    nf_flow_nat_ip(flow, skb, dir) < 0)\n+\t\treturn NF_DROP;\n+\n+\tflow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;\n+\tiph = ip_hdr(skb);\n+\tip_decrease_ttl(iph);\n+\n+\tskb->dev = outdev;\n+\tnexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr);\n+\tneigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);\n+\n+\treturn NF_STOLEN;\n+}\n+\n+static struct nf_flowtable_type flowtable_ipv4 = {\n+\t.family\t\t= NFPROTO_IPV4,\n+\t.params\t\t= &nf_flow_offload_rhash_params,\n+\t.gc\t\t= nf_flow_offload_work_gc,\n+\t.hook\t\t= nf_flow_offload_ip_hook,\n+\t.owner\t\t= THIS_MODULE,\n+};\n+\n+static int __init nf_flow_ipv4_module_init(void)\n+{\n+\tnft_register_flowtable_type(&flowtable_ipv4);\n+\n+\treturn 0;\n+}\n+\n+static void __exit nf_flow_ipv4_module_exit(void)\n+{\n+\tnft_unregister_flowtable_type(&flowtable_ipv4);\n+}\n+\n+module_init(nf_flow_ipv4_module_init);\n+module_exit(nf_flow_ipv4_module_exit);\n+\n+MODULE_LICENSE(\"GPL\");\n+MODULE_AUTHOR(\"Pablo Neira Ayuso <pablo@netfilter.org>\");\n+MODULE_ALIAS_NF_FLOWTABLE(AF_INET);\n",
    "prefixes": [
        "nf-next",
        "v3",
        "3/7"
    ]
}
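Review bot: In the net/ipv4/netfilter/Kconfig hunk, the new NF_FLOW_TABLE_IPV4 entry places `select NF_FLOW_TABLE` ahead of the `tristate` prompt and carries no `depends on` line. Put the `tristate` line first, and because `select` does not enforce the dependencies of the selected symbol, state whatever NF_FLOW_TABLE requires as explicit dependencies of this entry. The help text would also be more useful if it said what the module provides (the IPv4 flow table datapath looked up from the ingress hook, as the commit message describes) rather than restating the prompt.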
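Review bot: In the net/ipv4/netfilter/nf_flow_table_ipv4.c hunk, nf_flow_dnat_ip() rewrites iph->daddr or iph->saddr but never updates the IPv4 header checksum, whereas nf_flow_snat_ip() calls `csum_replace4(&iph->check, addr, new_addr);` after its switch; add the same call in the DNAT path before `return nf_flow_nat_ip_l4proto(...)`, otherwise DNAT-ed packets leave with a stale header checksum. Two further points in the same hunk. First, iph is used after calls that can reallocate the skb header: nf_flow_tuple_ip() reads iph->saddr and iph->daddr after the second pskb_may_pull(), and nf_flow_nat_ip() hands the same iph to nf_flow_dnat_ip() after the SNAT path has already run skb_try_make_writable() through nf_flow_nat_ip_tcp() or nf_flow_nat_ip_udp(); reload it with ip_hdr(skb) after each such call (the second `thoff = iph->ihl * 4;` in nf_flow_tuple_ip() is also redundant). Second, nf_flow_offload_ip_hook() calls ip_decrease_ttl(iph) without checking the TTL, so a packet arriving with ttl 1 is transmitted with ttl 0; return NF_ACCEPT for such packets so the classic forwarding path handles them.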