| Message ID | 1566207905-22203-1-git-send-email-wenxu@ucloud.cn |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | [nf-next,1/3] netfilter: nf_offload: Make nft_flow_offload_chain public | expand |
Hi pablo, any idea about this series? BR wenxu On 8/19/2019 5:45 PM, wenxu@ucloud.cn wrote: > From: wenxu <wenxu@ucloud.cn> > > Refactor nft_flow_offload_chain and make it public in header > > Signed-off-by: wenxu <wenxu@ucloud.cn> > --- > include/net/netfilter/nf_tables_offload.h | 3 +++ > net/netfilter/nf_tables_offload.c | 25 ++++++++++++++++--------- > 2 files changed, 19 insertions(+), 9 deletions(-) > > diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h > index 8a5969d9..a13aab1 100644 > --- a/include/net/netfilter/nf_tables_offload.h > +++ b/include/net/netfilter/nf_tables_offload.h > @@ -69,6 +69,9 @@ void nft_indr_block_get_and_ing_cmd(struct net_device *dev, > void *cb_priv, > enum flow_block_command command); > > +int nft_flow_offload_chain(struct nft_chain *chain, > + enum flow_block_command cmd); > + > #define NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \ > (__reg)->base_offset = \ > offsetof(struct nft_flow_key, __base); \ > diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c > index fd8d3ab..3ffe4bb 100644 > --- a/net/netfilter/nf_tables_offload.c > +++ b/net/netfilter/nf_tables_offload.c > @@ -262,10 +262,9 @@ static int nft_indr_block_offload_cmd(struct nft_base_chain *chain, > > #define FLOW_SETUP_BLOCK TC_SETUP_BLOCK > > -static int nft_flow_offload_chain(struct nft_trans *trans, > - enum flow_block_command cmd) > +int nft_flow_offload_chain(struct nft_chain *chain, > + enum flow_block_command cmd) > { > - struct nft_chain *chain = trans->ctx.chain; > struct nft_base_chain *basechain; > struct net_device *dev; > > @@ -277,16 +276,24 @@ static int nft_flow_offload_chain(struct nft_trans *trans, > if (!dev) > return -EOPNOTSUPP; > > + if (dev->netdev_ops->ndo_setup_tc) > + return nft_block_offload_cmd(basechain, dev, cmd); > + else > + return nft_indr_block_offload_cmd(basechain, dev, cmd); > +} > + > +static int __nft_flow_offload_chain(struct nft_trans *trans, > + enum flow_block_command cmd) > +{ > + struct nft_chain *chain = trans->ctx.chain; > + > /* Only default policy to accept is supported for now. */ > if (cmd == FLOW_BLOCK_BIND && > nft_trans_chain_policy(trans) != -1 && > nft_trans_chain_policy(trans) != NF_ACCEPT) > return -EOPNOTSUPP; > > - if (dev->netdev_ops->ndo_setup_tc) > - return nft_block_offload_cmd(basechain, dev, cmd); > - else > - return nft_indr_block_offload_cmd(basechain, dev, cmd); > + return nft_flow_offload_chain(chain, cmd); > } > > int nft_flow_rule_offload_commit(struct net *net) > @@ -303,13 +310,13 @@ int nft_flow_rule_offload_commit(struct net *net) > if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)) > continue; > > - err = nft_flow_offload_chain(trans, FLOW_BLOCK_BIND); > + err = __nft_flow_offload_chain(trans, FLOW_BLOCK_BIND); > break; > case NFT_MSG_DELCHAIN: > if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)) > continue; > > - err = nft_flow_offload_chain(trans, FLOW_BLOCK_UNBIND); > + err = __nft_flow_offload_chain(trans, FLOW_BLOCK_UNBIND); > break; > case NFT_MSG_NEWRULE: > if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
Could you explore fixing up this by registering a netdev handler from nf_tables_offload.c? Now we have a nft_offload_init() and _exit() functions, you could register this from there. I think notifier block priority should allow for running this before __nft_release_basechain().
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index 8a5969d9..a13aab1 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -69,6 +69,9 @@ void nft_indr_block_get_and_ing_cmd(struct net_device *dev, void *cb_priv, enum flow_block_command command); +int nft_flow_offload_chain(struct nft_chain *chain, + enum flow_block_command cmd); + #define NFT_OFFLOAD_MATCH(__key, __base, __field, __len, __reg) \ (__reg)->base_offset = \ offsetof(struct nft_flow_key, __base); \ diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index fd8d3ab..3ffe4bb 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -262,10 +262,9 @@ static int nft_indr_block_offload_cmd(struct nft_base_chain *chain, #define FLOW_SETUP_BLOCK TC_SETUP_BLOCK -static int nft_flow_offload_chain(struct nft_trans *trans, - enum flow_block_command cmd) +int nft_flow_offload_chain(struct nft_chain *chain, + enum flow_block_command cmd) { - struct nft_chain *chain = trans->ctx.chain; struct nft_base_chain *basechain; struct net_device *dev; @@ -277,16 +276,24 @@ static int nft_flow_offload_chain(struct nft_trans *trans, if (!dev) return -EOPNOTSUPP; + if (dev->netdev_ops->ndo_setup_tc) + return nft_block_offload_cmd(basechain, dev, cmd); + else + return nft_indr_block_offload_cmd(basechain, dev, cmd); +} + +static int __nft_flow_offload_chain(struct nft_trans *trans, + enum flow_block_command cmd) +{ + struct nft_chain *chain = trans->ctx.chain; + /* Only default policy to accept is supported for now. */ if (cmd == FLOW_BLOCK_BIND && nft_trans_chain_policy(trans) != -1 && nft_trans_chain_policy(trans) != NF_ACCEPT) return -EOPNOTSUPP; - if (dev->netdev_ops->ndo_setup_tc) - return nft_block_offload_cmd(basechain, dev, cmd); - else - return nft_indr_block_offload_cmd(basechain, dev, cmd); + return nft_flow_offload_chain(chain, cmd); } int nft_flow_rule_offload_commit(struct net *net) @@ -303,13 +310,13 @@ int nft_flow_rule_offload_commit(struct net *net) if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)) continue; - err = nft_flow_offload_chain(trans, FLOW_BLOCK_BIND); + err = __nft_flow_offload_chain(trans, FLOW_BLOCK_BIND); break; case NFT_MSG_DELCHAIN: if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)) continue; - err = nft_flow_offload_chain(trans, FLOW_BLOCK_UNBIND); + err = __nft_flow_offload_chain(trans, FLOW_BLOCK_UNBIND); break; case NFT_MSG_NEWRULE: if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))