| Message ID | 1563886364-11164-3-git-send-email-wenxu@ucloud.cn |
|---|---|
| State | Changes Requested |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | netfilter: nf_tables_offload: support more actions | expand |
On Tue, Jul 23, 2019 at 08:52:39PM +0800, wenxu@ucloud.cn wrote: > From: wenxu <wenxu@ucloud.cn> > > There will be zero one or serval actions for some expr. such as > payload set and immediate > > Signed-off-by: wenxu <wenxu@ucloud.cn> > --- > include/net/netfilter/nf_tables.h | 7 ++++++- > include/net/netfilter/nf_tables_offload.h | 2 -- > net/netfilter/nf_tables_offload.c | 4 ++-- > net/netfilter/nft_immediate.c | 2 +- > 4 files changed, 9 insertions(+), 6 deletions(-) > > diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h > index 9b62456..9285df2 100644 > --- a/include/net/netfilter/nf_tables.h > +++ b/include/net/netfilter/nf_tables.h > @@ -785,7 +785,7 @@ struct nft_expr_ops { > int (*offload)(struct nft_offload_ctx *ctx, > struct nft_flow_rule *flow, > const struct nft_expr *expr); > - u32 offload_flags; > + int (*offload_actions)(const struct nft_expr *expr); I don't understand why you need to add this? is it for payload?
On 7/25/2019 6:14 PM, Pablo Neira Ayuso wrote: > On Tue, Jul 23, 2019 at 08:52:39PM +0800, wenxu@ucloud.cn wrote: >> From: wenxu <wenxu@ucloud.cn> >> >> There will be zero one or serval actions for some expr. such as >> payload set and immediate >> >> Signed-off-by: wenxu <wenxu@ucloud.cn> >> --- >> include/net/netfilter/nf_tables.h | 7 ++++++- >> include/net/netfilter/nf_tables_offload.h | 2 -- >> net/netfilter/nf_tables_offload.c | 4 ++-- >> net/netfilter/nft_immediate.c | 2 +- >> 4 files changed, 9 insertions(+), 6 deletions(-) >> >> diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h >> index 9b62456..9285df2 100644 >> --- a/include/net/netfilter/nf_tables.h >> +++ b/include/net/netfilter/nf_tables.h >> @@ -785,7 +785,7 @@ struct nft_expr_ops { >> int (*offload)(struct nft_offload_ctx *ctx, >> struct nft_flow_rule *flow, >> const struct nft_expr *expr); >> - u32 offload_flags; >> + int (*offload_actions)(const struct nft_expr *expr); > I don't understand why you need to add this? is it for payload? yes it is used for set payload and immediately actions. It maybe splited to several actions. The immediate action may conatian 1 or 0 actions >
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 9b62456..9285df2 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -785,7 +785,7 @@ struct nft_expr_ops { int (*offload)(struct nft_offload_ctx *ctx, struct nft_flow_rule *flow, const struct nft_expr *expr); - u32 offload_flags; + int (*offload_actions)(const struct nft_expr *expr); const struct nft_expr_type *type; void *data; }; @@ -794,6 +794,11 @@ struct nft_expr_ops { #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ ALIGN(size, __alignof__(struct nft_expr))) +static inline int nft_offload_action(const struct nft_expr *expr) +{ + return 1; +} + /** * struct nft_expr - nf_tables expression * diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index ad61958..275d014 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -58,8 +58,6 @@ struct nft_flow_rule { struct flow_rule *rule; }; -#define NFT_OFFLOAD_F_ACTION (1 << 0) - struct nft_rule; struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule); void nft_flow_rule_destroy(struct nft_flow_rule *flow); diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 5c1fef7..33543f5 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -42,8 +42,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rul expr = nft_expr_first(rule); while (expr->ops && expr != nft_expr_last(rule)) { - if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION) - num_actions++; + if (expr->ops->offload_actions) + num_actions += expr->ops->offload_actions(expr); expr = nft_expr_next(expr); } diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c index ca2ae4b..391f699 100644 --- a/net/netfilter/nft_immediate.c +++ b/net/netfilter/nft_immediate.c @@ -163,7 +163,7 @@ static int nft_immediate_offload(struct nft_offload_ctx *ctx, .dump = nft_immediate_dump, .validate = nft_immediate_validate, .offload = nft_immediate_offload, - .offload_flags = NFT_OFFLOAD_F_ACTION, + .offload_actions = nft_offload_action, }; struct nft_expr_type nft_imm_type __read_mostly = {