[nf-next,v2,0/4] netfilter: nf_flow_table_offload: support tunnel offload

Message ID 1574330056-5377-1-git-send-email-wenxu@ucloud.cn
Series netfilter: nf_flow_table_offload: support tunnel offload

wenxu Nov. 21, 2019, 9:54 a.m. UTC
From: wenxu <wenxu@ucloud.cn>

This patchset provides tunnel offload based on route lwtunnel.
The first two patches support indr callback setup;
the remaining ones add tunnel match and action offload.

This version has already been tested with the mlx driver as follows:

ip link add user1 type vrf table 1
ip l set user1 up 
ip l set dev mlx_pf0vf1 down
ip l set dev mlx_pf0vf1 master user1
ifconfig mlx_pf0vf1 10.0.0.1/24 up

ifconfig mlx_p0 172.168.152.75/24 up

ip l add dev tun1 type gretap external
ip l set dev tun1 master user1
ifconfig tun1 10.0.1.1/24 up

ip r r 10.0.0.75 dev mlx_pf0vf1 table 1
ip r r 10.0.1.241 encap ip id 1000 dst 172.168.152.241 key dev tun1 table 1

nft add table firewall
nft add chain firewall zones { type filter hook prerouting priority - 300 \; }
nft add rule firewall zones counter ct zone set iif map { "tun1" : 1, "mlx_pf0vf1" : 1 }
nft add chain firewall rule-1000-ingress
nft add rule firewall rule-1000-ingress ct zone 1 ct state established,related counter accept
nft add rule firewall rule-1000-ingress ct zone 1 ct state invalid counter drop
nft add rule firewall rule-1000-ingress ct zone 1 tcp dport 5001 ct state new counter accept
nft add rule firewall rule-1000-ingress ct zone 1 udp dport 5001 ct state new counter accept
nft add rule firewall rule-1000-ingress ct zone 1 tcp dport 22 ct state new counter accept
nft add rule firewall rule-1000-ingress ct zone 1 ip protocol icmp ct state new counter accept
nft add rule firewall rule-1000-ingress counter drop
nft add chain firewall rules-all { type filter hook prerouting priority - 150 \; }
nft add rule firewall rules-all meta iifkind "vrf" counter accept
nft add rule firewall rules-all iif vmap { "tun1" : jump rule-1000-ingress }

nft add flowtable firewall fb1 { hook ingress priority 2 \; devices = { mlx_pf0vf1, tun1 } \; }
nft add chain firewall ftb-all {type filter hook forward priority 0 \; policy accept \; }
nft add rule firewall ftb-all ct zone 1 ip protocol tcp flow offload @fb1

wenxu (4):
  netfilter: nf_flow_table_offload: refactor nf_flow_table_offload_setup
    to support indir setup
  netfilter: nf_flow_table_offload: add indr block setup support
  netfilter: nf_flow_table_offload: add tunnel match offload support
  netfilter: nf_flow_table_offload: add tunnel encap/decap action
    offload support

 net/netfilter/nf_flow_table_offload.c | 253 +++++++++++++++++++++++++++++++---
 1 file changed, 236 insertions(+), 17 deletions(-)
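The test topology above, as an added example that is not part of the patch series, the netfilter tree or the Mellanox driver: the same commands as a parameterised POSIX shell script. It keeps the author's device names and addresses as defaults, loads the nft rules as one atomic `nft -f` file instead of a sequence of `nft add` commands, and adds a check that the lwtunnel encap route is actually in place. The `apply`/`check`/`render` subcommands, the function names and the `flags offload` line are this example's own assumptions; the last one assumes a kernel and nft where hardware offload of a flowtable is opt-in.

```shell
#!/bin/sh
# Added example, not from the patch series or the netfilter/mlx projects:
# the cover letter's test topology as a parameterised, re-runnable script.
# Defaults are the author's names/addresses; override via the environment.
set -eu

VRF=${VRF:-user1};        TABLE=${TABLE:-1};       ZONE=${ZONE:-1}
VF=${VF:-mlx_pf0vf1};     VF_ADDR=${VF_ADDR:-10.0.0.1/24};    VF_PEER=${VF_PEER:-10.0.0.75}
PF=${PF:-mlx_p0};         PF_ADDR=${PF_ADDR:-172.168.152.75/24}
TUN=${TUN:-tun1};         TUN_ADDR=${TUN_ADDR:-10.0.1.1/24};  TUN_ID=${TUN_ID:-1000}
OVERLAY_PEER=${OVERLAY_PEER:-10.0.1.241}; UNDERLAY_PEER=${UNDERLAY_PEER:-172.168.152.241}

# Emit the whole nftables ruleset as one declarative file: `nft -f` applies it
# atomically, so a failed step can never leave the zones chain installed
# without the final drop in rule-1000-ingress, as a chain of `nft add` can.
render_ruleset() { # vf tun zone
    vf=$1; tun=$2; zone=$3
    cat <<EOF
table ip firewall {}
delete table ip firewall
table ip firewall {
    flowtable fb1 {
        hook ingress priority 2
        devices = { $vf, $tun }
        # assumption: this kernel/nft need explicit opt-in to hardware offload
        flags offload
    }
    chain zones {
        type filter hook prerouting priority -300; policy accept;
        counter ct zone set iif map { "$tun" : $zone, "$vf" : $zone }
    }
    chain rule-1000-ingress {
        ct zone $zone ct state established,related counter accept
        ct zone $zone ct state invalid counter drop
        ct zone $zone tcp dport 5001 ct state new counter accept
        ct zone $zone udp dport 5001 ct state new counter accept
        ct zone $zone tcp dport 22 ct state new counter accept
        ct zone $zone ip protocol icmp ct state new counter accept
        counter drop
    }
    chain rules-all {
        type filter hook prerouting priority -150; policy accept;
        meta iifkind "vrf" counter accept
        iif vmap { "$tun" : jump rule-1000-ingress }
    }
    chain ftb-all {
        type filter hook forward priority 0; policy accept;
        ct zone $zone ip protocol tcp flow offload @fb1
    }
}
EOF
}

# Read `ip route show table N` on stdin; succeed only if the overlay peer has
# an lwtunnel encap with the expected id and underlay destination on dev.
route_has_encap() { # overlay_ip tun_id underlay_ip dev
    awk -v dst="$1" -v id="$2" -v under="$3" -v dev="$4" '
        $1 == dst { e = n = d = v = 0; for (i = 2; i < NF; i++) {
            if ($i == "encap" && $(i+1) == "ip")  e = 1
            if ($i == "id"    && $(i+1) == id)    n = 1
            if ($i == "dst"   && $(i+1) == under) d = 1
            if ($i == "dev"   && $(i+1) == dev)   v = 1 }
            if (e && n && d && v) ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

apply() {
    ip link add "$VRF" type vrf table "$TABLE"
    ip link set "$VRF" up
    ip link set dev "$VF" down
    ip link set dev "$VF" master "$VRF"
    ip addr replace "$VF_ADDR" dev "$VF";   ip link set dev "$VF" up
    ip addr replace "$PF_ADDR" dev "$PF";   ip link set dev "$PF" up
    # `external` (collect_md) mode: tunnel id/dst come from the route below,
    # not from device attributes; that per-route metadata is what the series
    # turns into the encap/decap action handed to the driver.
    ip link add dev "$TUN" type gretap external
    ip link set dev "$TUN" master "$VRF"
    ip addr replace "$TUN_ADDR" dev "$TUN"; ip link set dev "$TUN" up
    ip route replace "$VF_PEER" dev "$VF" table "$TABLE"
    ip route replace "$OVERLAY_PEER" encap ip id "$TUN_ID" dst "$UNDERLAY_PEER" \
        key dev "$TUN" table "$TABLE"
    render_ruleset "$VF" "$TUN" "$ZONE" | nft -f -
}

check() { # run after apply; exits nonzero if the encap route is not in place
    ip -4 route show table "$TABLE" \
        | route_has_encap "$OVERLAY_PEER" "$TUN_ID" "$UNDERLAY_PEER" "$TUN"
    nft list flowtable ip firewall fb1        # devices and the offload flag
}

case "${1:-}" in
    apply)  apply ;;
    check)  check ;;
    render) render_ruleset "$VF" "$TUN" "$ZONE" ;;
esac
```

Run `sh repro.sh apply` as root on the host that has the mlx devices, then `sh repro.sh check`; `sh repro.sh render` prints the ruleset for review without touching the host. Two properties of this ruleset are worth keeping in mind: once a zone-1 TCP flow has been handed to @fb1, later packets of that flow no longer traverse the prerouting chains, so policy must be decided on the `ct state new` packet, which is exactly what rule-1000-ingress does; and only tun1 is vmapped into rule-1000-ingress, so traffic entering on the VF is zone-tagged but not filtered by it, which is fine for an offload test but would need a second vmap entry in a real policy.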

Comments

wenxu Nov. 21, 2019, 12:36 p.m. UTC | #1
cc Paul

On 2019/11/21 17:54, wenxu@ucloud.cn wrote: