[nf-next] netfilter: nft_flow_offload: remove secpath check

Message ID 20181011214540.320-1-pablo@netfilter.org
State Deferred
Delegated to: Pablo Neira
Headers show
Series
  • [nf-next] netfilter: nft_flow_offload: remove secpath check
Related show

Commit Message

Pablo Neira Ayuso Oct. 11, 2018, 9:45 p.m.
It is safe to place a flow that is coming from IPSec into the flowtable.
So decapsulated can benefit from the flowtable fastpath.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
---
I'm recovering this patch, this enables faster flowtable forwarding from
ingress. Florian has been asking for a way to restore the xfrm cache,
and I remember Steffen mentioned this two liner should be just enough to
combine the flowtable infrastructure with ipsec.

 net/netfilter/nft_flow_offload.c | 2 --
 1 file changed, 2 deletions(-)

Comments

Steffen Klassert Oct. 17, 2018, 9:01 a.m. | #1
On Thu, Oct 11, 2018 at 11:45:40PM +0200, Pablo Neira Ayuso wrote:
> It is safe to place a flow that is coming from IPSec into the flowtable.
> So decapsulated can benefit from the flowtable fastpath.
> 
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
> ---
> I'm recovering this patch, this enables faster flowtable forwarding from
> ingress. Florian has been asking for a way to restore the xfrm cache,
> and I remember Steffen mentioned this two liner should be just enough to
> combine the flowtable infrastructure with ipsec.

Yes, it was this and we need to relax the requirement to see
traffic in both directions before offloading to the flowtable
(if I remember correct).

Patch

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index d6bab8c3cbb0..bb21748153ae 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -54,8 +54,6 @@  static bool nft_flow_offload_skip(struct sk_buff *skb)
 
 	if (unlikely(opt->optlen))
 		return true;
-	if (skb_sec_path(skb))
-		return true;
 
 	return false;
 }