From patchwork Tue Jul 23 12:52:38 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1135616 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45tJKz3zkbz9s7T for ; Tue, 23 Jul 2019 22:52:55 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390014AbfGWMwz (ORCPT ); Tue, 23 Jul 2019 08:52:55 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:26593 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732432AbfGWMwz (ORCPT ); Tue, 23 Jul 2019 08:52:55 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id BBF9D41C45; Tue, 23 Jul 2019 20:52:45 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next 1/7] netfilter: nf_flow_offload: add net in offload_ctx Date: Tue, 23 Jul 2019 20:52:38 +0800 Message-Id: <1563886364-11164-2-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> References: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSkJOS0tLS05JT05JS0JZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MRg6Tgw5TDgwNlErIiwSTh4D Tj1PCQNVSlVKTk1IQ0NNSE1OQ09CVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhKTk83Bg++ X-HM-Tid: 0a6c1ee42c542086kuqybbf9d41c45 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu In the offload_ctx, the net can be used for other actions such as fwd netdev Signed-off-by: wenxu --- include/net/netfilter/nf_tables_offload.h | 3 ++- net/netfilter/nf_tables_api.c | 2 +- net/netfilter/nf_tables_offload.c | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index 3196663..ad61958 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -24,6 +24,7 @@ struct nft_offload_ctx { __be16 l3num; u8 protonum; } dep; + struct net *net; unsigned int num_actions; struct nft_offload_reg regs[NFT_REG32_15 + 1]; }; @@ -60,7 +61,7 @@ struct nft_flow_rule { #define NFT_OFFLOAD_F_ACTION (1 << 0) struct nft_rule; -struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule); +struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule); void nft_flow_rule_destroy(struct nft_flow_rule *flow); int nft_flow_rule_offload_commit(struct net *net); 
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 605a7cf..c6dc173 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2844,7 +2844,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, return nft_table_validate(net, table); if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { - flow = nft_flow_rule_create(rule); + flow = nft_flow_rule_create(net, rule); if (IS_ERR(flow)) return PTR_ERR(flow); diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 64f5fd5..5c1fef7 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c 
@@ -28,12 +28,13 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions) return flow; } -struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule) +struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule) { struct nft_offload_ctx ctx = { .dep = { .type = NFT_OFFLOAD_DEP_UNSPEC, }, + .net = net, }; struct nft_flow_rule *flow; int num_actions = 0, err; From patchwork Tue Jul 23 12:52:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1135611 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45tJKt3bZkz9s7T for ; Tue, 23 Jul 2019 22:52:50 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390013AbfGWMwt (ORCPT ); Tue, 23 Jul 2019 08:52:49 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:26617 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732379AbfGWMwt (ORCPT ); Tue, 23 Jul 2019 08:52:49 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id D46B041C93; Tue, 23 Jul 2019 20:52:45 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next 2/7] netfilter: nf_tables_offload: add offload_actions callback Date: Tue, 23 Jul 2019 20:52:39 +0800 Message-Id: <1563886364-11164-3-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> References: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSkJOS0tLS05JT05JS0JZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6Mjo6Sgw6Pjg8OlE4SS0cTi8L TTBPCTlVSlVKTk1IQ0NNSE1OQk5KVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhMSU83Bg++ X-HM-Tid: 0a6c1ee42cb82086kuqyd46b041c93 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu There will be zero, one or several actions for some expr, such as payload set and immediate Signed-off-by: wenxu --- include/net/netfilter/nf_tables.h | 7 ++++++- include/net/netfilter/nf_tables_offload.h | 2 -- net/netfilter/nf_tables_offload.c | 4 ++-- net/netfilter/nft_immediate.c | 2 +- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 9b62456..9285df2 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -785,7 +785,7 @@ struct nft_expr_ops { int (*offload)(struct nft_offload_ctx *ctx, struct nft_flow_rule *flow, const struct nft_expr *expr); - u32 offload_flags; + int (*offload_actions)(const struct nft_expr *expr); const struct nft_expr_type *type; void *data; }; 
@@ -794,6 +794,11 @@ struct nft_expr_ops { #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ ALIGN(size, __alignof__(struct nft_expr))) +static inline int nft_offload_action(const struct nft_expr *expr) +{ + return 1; +} + /** * struct nft_expr - nf_tables expression * diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index ad61958..275d014 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -58,8 +58,6 @@ struct nft_flow_rule { struct flow_rule *rule; }; -#define NFT_OFFLOAD_F_ACTION (1 << 0) - struct nft_rule; struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule); void nft_flow_rule_destroy(struct nft_flow_rule *flow); diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 5c1fef7..33543f5 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -42,8 +42,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rul expr = nft_expr_first(rule); while (expr->ops && expr != nft_expr_last(rule)) { - if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION) - num_actions++; + if (expr->ops->offload_actions) + num_actions += expr->ops->offload_actions(expr); expr = nft_expr_next(expr); } diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c index ca2ae4b..391f699 100644 --- a/net/netfilter/nft_immediate.c +++ b/net/netfilter/nft_immediate.c 
@@ -163,7 +163,7 @@ static int nft_immediate_offload(struct nft_offload_ctx *ctx, .dump = nft_immediate_dump, .validate = nft_immediate_validate, .offload = nft_immediate_offload, - .offload_flags = NFT_OFFLOAD_F_ACTION, + .offload_actions = nft_offload_action, }; struct nft_expr_type nft_imm_type __read_mostly = { From patchwork Tue Jul 23 12:52:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1135612 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45tJKv0w3Pz9sBF for ; Tue, 23 Jul 2019 22:52:51 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390016AbfGWMwu (ORCPT ); Tue, 23 Jul 2019 08:52:50 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:26619 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730891AbfGWMwt (ORCPT ); Tue, 23 Jul 2019 08:52:49 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id ED18041CBE; Tue, 23 Jul 2019 20:52:45 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next 3/7] netfilter: nft_table_offload: Add rtnl for chain and rule operations Date: Tue, 23 Jul 2019 20:52:40 +0800 Message-Id: <1563886364-11164-4-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> References: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUlOS0tLS0lIQ09KQ01ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6NxA6Kyo6TDg0NlExMiwUTi4D QxQKCyFVSlVKTk1IQ0NNSE1NS0tDVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUlPSE43Bg++ X-HM-Tid: 0a6c1ee42d1d2086kuqyed18041cbe Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu The nft_setup_cb_call and ndo_setup_tc callback should be under rtnl lock or it will report: kernel: RTNL: assertion failed at drivers/net/ethernet/mellanox/mlx5/core/en_rep.c (635) Signed-off-by: wenxu --- net/netfilter/nf_tables_offload.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 33543f5..3e1a1a8 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -115,14 +115,18 @@ static int nft_setup_cb_call(struct nft_base_chain *basechain, enum tc_setup_type type, void *type_data) { struct flow_block_cb *block_cb; - int err; + int err = 0; + rtnl_lock(); list_for_each_entry(block_cb, &basechain->flow_block.cb_list, list) { err = block_cb->cb(type, type_data, block_cb->cb_priv); if (err < 0) - return err; + goto out; } - return 0; + +out: + rtnl_unlock(); + return err; } static int nft_flow_offload_rule(struct nft_trans *trans, 
@@ -204,9 +208,11 @@ static int nft_flow_offload_chain(struct nft_trans *trans, bo.extack = &extack; INIT_LIST_HEAD(&bo.cb_list); + rtnl_lock(); + err = dev->netdev_ops->ndo_setup_tc(dev, FLOW_SETUP_BLOCK, &bo); if (err < 0) - return err; + goto out; switch (cmd) { case FLOW_BLOCK_BIND: @@ -217,6 +223,8 @@ static int nft_flow_offload_chain(struct nft_trans *trans, break; } +out: + rtnl_unlock(); return err; } From patchwork Tue Jul 23 12:52:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1135613 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45tJKv4GCRz9s00 for ; Tue, 23 Jul 2019 22:52:51 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390017AbfGWMwu (ORCPT ); Tue, 23 Jul 2019 08:52:50 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:26645 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731866AbfGWMwt (ORCPT ); Tue, 23 Jul 2019 08:52:49 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 06DE241CD7; Tue, 23 Jul 2019 20:52:46 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next 4/7] netfilter: nf_tables_offload: split nft_offload_reg to match and action type Date: Tue, 23 Jul 2019 20:52:41 +0800 Message-Id: <1563886364-11164-5-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> References: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUlOS0tLS0lIQ09KQ01ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6NyI6Lgw5Mjg4DFE5Ii4oTigo ORAKC0NVSlVKTk1IQ0NNSE1NSklKVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUNLSkM3Bg++ X-HM-Tid: 0a6c1ee42d572086kuqy06de241cd7 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Currently the nft_offload_reg can only be used for match conditions. It cannot be used for actions. Add nft_offload_reg_type so that nft_offload_reg can also be used for actions. Signed-off-by: wenxu --- include/net/netfilter/nf_tables_offload.h | 20 +++++++++++++++++- net/netfilter/nft_cmp.c | 10 ++++----- net/netfilter/nft_meta.c | 6 ++++-- net/netfilter/nft_payload.c | 34 ++++++++++++++++++++----------- 4 files changed, 50 insertions(+), 20 deletions(-) diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index 275d014..82e3936 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -4,7 +4,13 @@ #include #include -struct nft_offload_reg { +enum nft_offload_reg_type { + NFT_OFFLOAD_REG_UNSPEC = 0, + NFT_OFFLOAD_REG_MATCH, + NFT_OFFLOAD_REG_ACTION, +}; + +struct nft_offload_match { u32 key; u32 len; u32 base_offset; 
@@ -12,6 +18,18 @@ struct nft_offload_reg { struct nft_data mask; }; +struct nft_offload_action { + struct nft_data data; +}; + +struct nft_offload_reg { + enum nft_offload_reg_type type; + union { + struct nft_offload_match match; + struct nft_offload_action action; + }; +}; + enum nft_offload_dep_type { NFT_OFFLOAD_DEP_UNSPEC = 0, NFT_OFFLOAD_DEP_NETWORK, diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c index bd173b1..ee38cba 100644 --- a/net/netfilter/nft_cmp.c +++ b/net/netfilter/nft_cmp.c @@ -116,14 +116,14 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx, u8 *mask = (u8 *)&flow->match.mask; u8 *key = (u8 *)&flow->match.key; - if (priv->op != NFT_CMP_EQ) + if (priv->op != NFT_CMP_EQ || reg->type != NFT_OFFLOAD_REG_MATCH) return -EOPNOTSUPP; - memcpy(key + reg->offset, &priv->data, priv->len); - memcpy(mask + reg->offset, ®->mask, priv->len); + memcpy(key + reg->match.offset, &priv->data, priv->len); + memcpy(mask + reg->match.offset, ®->match.mask, priv->len); - flow->match.dissector.used_keys |= BIT(reg->key); - flow->match.dissector.offset[reg->key] = reg->base_offset; + flow->match.dissector.used_keys |= BIT(reg->match.key); + flow->match.dissector.offset[reg->match.key] = reg->match.base_offset; nft_offload_update_dependency(ctx, &priv->data, priv->len); diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index f1b1d94..6bb5ba6 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c 
@@ -498,15 +498,17 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx, const struct nft_meta *priv = nft_expr_priv(expr); struct nft_offload_reg *reg = &ctx->regs[priv->dreg]; + reg->type = NFT_OFFLOAD_REG_MATCH; + switch (priv->key) { case NFT_META_PROTOCOL: NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, n_proto, - sizeof(__u16), reg); + sizeof(__u16), ®->match); nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK); break; case NFT_META_L4PROTO: NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto, - sizeof(__u8), reg); + sizeof(__u8), ®->match); nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT); break; default: diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index 22a80eb..36efa1c 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c @@ -159,14 +159,16 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx, { struct nft_offload_reg *reg = &ctx->regs[priv->dreg]; + reg->type = NFT_OFFLOAD_REG_MATCH; + switch (priv->offset) { case offsetof(struct ethhdr, h_source): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs, - src, ETH_ALEN, reg); + src, ETH_ALEN, ®->match); break; case offsetof(struct ethhdr, h_dest): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs, - dst, ETH_ALEN, reg); + dst, ETH_ALEN, ®->match); break; } 
@@ -179,18 +181,20 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx, { struct nft_offload_reg *reg = &ctx->regs[priv->dreg]; + reg->type = NFT_OFFLOAD_REG_MATCH; + switch (priv->offset) { case offsetof(struct iphdr, saddr): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, src, - sizeof(struct in_addr), reg); + sizeof(struct in_addr), ®->match); break; case offsetof(struct iphdr, daddr): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, dst, - sizeof(struct in_addr), reg); + sizeof(struct in_addr), ®->match); break; case offsetof(struct iphdr, protocol): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto, - sizeof(__u8), reg); + sizeof(__u8), ®->match); nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT); break; default: @@ -206,18 +210,20 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx, { struct nft_offload_reg *reg = &ctx->regs[priv->dreg]; + reg->type = NFT_OFFLOAD_REG_MATCH; + switch (priv->offset) { case offsetof(struct ipv6hdr, saddr): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, src, - sizeof(struct in6_addr), reg); + sizeof(struct in6_addr), ®->match); break; case offsetof(struct ipv6hdr, daddr): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, dst, - sizeof(struct in6_addr), reg); + sizeof(struct in6_addr), ®->match); break; case offsetof(struct ipv6hdr, nexthdr): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto, - sizeof(__u8), reg); + sizeof(__u8), ®->match); nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT); break; default: 
@@ -253,14 +259,16 @@ static int nft_payload_offload_tcp(struct nft_offload_ctx *ctx, { struct nft_offload_reg *reg = &ctx->regs[priv->dreg]; + reg->type = NFT_OFFLOAD_REG_MATCH; + switch (priv->offset) { case offsetof(struct tcphdr, source): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src, - sizeof(__be16), reg); + sizeof(__be16), ®->match); break; case offsetof(struct tcphdr, dest): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst, - sizeof(__be16), reg); + sizeof(__be16), ®->match); break; default: return -EOPNOTSUPP; 
@@ -275,14 +283,16 @@ static int nft_payload_offload_udp(struct nft_offload_ctx *ctx, { struct nft_offload_reg *reg = &ctx->regs[priv->dreg]; + reg->type = NFT_OFFLOAD_REG_MATCH; + switch (priv->offset) { case offsetof(struct udphdr, source): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src, - sizeof(__be16), reg); + sizeof(__be16), ®->match); break; case offsetof(struct udphdr, dest): NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst, - sizeof(__be16), reg); + sizeof(__be16), ®->match); break; default: return -EOPNOTSUPP; From patchwork Tue Jul 23 12:52:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1135615 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45tJKy2xrWz9s00 for ; Tue, 23 Jul 2019 22:52:54 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390018AbfGWMwy (ORCPT ); Tue, 23 Jul 2019 08:52:54 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:26693 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732379AbfGWMwx (ORCPT ); Tue, 23 Jul 2019 08:52:53 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 22A9841191; Tue, 23 Jul 2019 20:52:46 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next 5/7] netfilter: nft_immediate: add offload support for actions Date: Tue, 23 Jul 2019 20:52:42 +0800 Message-Id: <1563886364-11164-6-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> References: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSExCS0tLS01MTEpLQ0NZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6OE06Dhw6HjgwUVFISS4qTi9D PQ1PCh5VSlVKTk1IQ0NNSE1NSUlLVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhKTEI3Bg++ X-HM-Tid: 0a6c1ee42dc82086kuqy22a9841191 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Immediate offload support for other action to handle the offload_reg Signed-off-by: wenxu --- net/netfilter/nft_immediate.c | 47 +++++++++++++++++++++++++++---------------- 1 file changed, 30 insertions(+), 17 deletions(-) diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c index 391f699..34facc3 100644 --- a/net/netfilter/nft_immediate.c +++ b/net/netfilter/nft_immediate.c 
@@ -130,29 +130,42 @@ static int nft_immediate_offload(struct nft_offload_ctx *ctx, const struct nft_expr *expr) { const struct nft_immediate_expr *priv = nft_expr_priv(expr); + const struct nft_data *data = &priv->data; struct flow_action_entry *entry; - const struct nft_data *data; - - if (priv->dreg != NFT_REG_VERDICT) - return -EOPNOTSUPP; - - entry = &flow->rule->action.entries[ctx->num_actions++]; - data = &priv->data; - switch (data->verdict.code) { - case NF_ACCEPT: - entry->id = FLOW_ACTION_ACCEPT; - break; - case NF_DROP: - entry->id = FLOW_ACTION_DROP; - break; - default: - return -EOPNOTSUPP; + if (priv->dreg == NFT_REG_VERDICT) { + entry = &flow->rule->action.entries[ctx->num_actions++]; + + switch (data->verdict.code) { + case NF_ACCEPT: + entry->id = FLOW_ACTION_ACCEPT; + break; + case NF_DROP: + entry->id = FLOW_ACTION_DROP; + break; + default: + return -EOPNOTSUPP; + } + } else { + struct nft_offload_reg *reg = &ctx->regs[priv->dreg]; + + reg->type = NFT_OFFLOAD_REG_ACTION; + memcpy(®->action.data, data, sizeof(*data)); } return 0; } +static int nft_immediate_offload_actions(const struct nft_expr *expr) +{ + const struct nft_immediate_expr *priv = nft_expr_priv(expr); + + if (priv->dreg == NFT_REG_VERDICT) + return 1; + else + return 0; +} + static const struct nft_expr_ops nft_imm_ops = { .type = &nft_imm_type, .size = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)), 
@@ -163,7 +176,7 @@ static int nft_immediate_offload(struct nft_offload_ctx *ctx, .dump = nft_immediate_dump, .validate = nft_immediate_validate, .offload = nft_immediate_offload, - .offload_actions = nft_offload_action, + .offload_actions = nft_immediate_offload_actions, }; struct nft_expr_type nft_imm_type __read_mostly = { From patchwork Tue Jul 23 12:52:43 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1135617 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45tJL14M5Hz9s00 for ; Tue, 23 Jul 2019 22:52:57 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2390040AbfGWMw5 (ORCPT ); Tue, 23 Jul 2019 08:52:57 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:26695 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390011AbfGWMw4 (ORCPT ); Tue, 23 Jul 2019 08:52:56 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 3A6AA41CF1; Tue, 23 Jul 2019 20:52:46 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next 6/7] netfilter: nft_fwd_netdev: add fw_netdev action support Date: Tue, 23 Jul 2019 20:52:43 +0800 Message-Id: <1563886364-11164-7-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> References: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSExCS0tLS01MTEpLQ0NZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MQg6Igw*Tzg9NlE9SSwOTi0s PEtPFEtVSlVKTk1IQ0NNSE1NSEpPVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUlDSkI3Bg++ X-HM-Tid: 0a6c1ee42e2a2086kuqy3a6aa41cf1 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu fwd_netdev action offload: nft --debug=netlink add rule netdev firewall aclout ip daddr 10.0.1.7 fwd to eth0 Signed-off-by: wenxu --- net/netfilter/nft_fwd_netdev.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c index 61b7f93..06dbd98 100644 --- a/net/netfilter/nft_fwd_netdev.c +++ b/net/netfilter/nft_fwd_netdev.c @@ -15,6 +15,7 @@ #include #include #include +#include struct nft_fwd_netdev { enum nft_registers sreg_dev:8; 
@@ -63,6 +64,33 @@ static int nft_fwd_netdev_dump(struct sk_buff *skb, const struct nft_expr *expr) return -1; } +static int nft_fwd_netdev_offload(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + const struct nft_expr *expr) +{ + const struct nft_fwd_netdev *priv = nft_expr_priv(expr); + struct nft_offload_reg *reg = &ctx->regs[priv->sreg_dev]; + const struct nft_data *data = ®->action.data; + struct flow_action_entry *entry; + struct net_device *dev; + int oif = -1; + + if (reg->type != NFT_OFFLOAD_REG_ACTION) + return -EOPNOTSUPP; + + entry = &flow->rule->action.entries[ctx->num_actions++]; + + memcpy(&oif, data->data, sizeof(oif)); + dev = __dev_get_by_index(ctx->net, oif); + if (!dev) + return -EOPNOTSUPP; + + entry->id = FLOW_ACTION_REDIRECT; + entry->dev = dev; + + return 0; +} + struct nft_fwd_neigh { enum nft_registers sreg_dev:8; enum nft_registers sreg_addr:8; 
@@ -194,6 +222,8 @@ static int nft_fwd_neigh_dump(struct sk_buff *skb, const struct nft_expr *expr) .eval = nft_fwd_netdev_eval, .init = nft_fwd_netdev_init, .dump = nft_fwd_netdev_dump, + .offload = nft_fwd_netdev_offload, + .offload_actions = nft_offload_action, }; static const struct nft_expr_ops * From patchwork Tue Jul 23 12:52:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1135614 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 45tJKw3BdQz9s7T for ; Tue, 23 Jul 2019 22:52:52 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731866AbfGWMww (ORCPT ); Tue, 23 Jul 2019 08:52:52 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:26711 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2390014AbfGWMwv (ORCPT ); Tue, 23 Jul 2019 08:52:51 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 5196D41A92; Tue, 23 Jul 2019 20:52:46 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next 7/7] netfilter: nft_payload: add nft_set_payload offload support Date: Tue, 23 Jul 2019 20:52:44 +0800 Message-Id: <1563886364-11164-8-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> References: <1563886364-11164-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSExCS0tLS01MTEpLQ0NZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6Pjo6PQw*Cjg*PlEWMiM2Th8s MxYKCgtVSlVKTk1IQ0NNSE1NT0pIVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhPSEg3Bg++ X-HM-Tid: 0a6c1ee42e882086kuqy5196d41a92 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Currently payload set only supports the ll header nft --debug=netlink add rule netdev firewall aclout ip daddr 10.0.1.7 @ll,0,48 set 0x00002e9ca06e2596 @ll,48,48 set 0xfaffffffffff fwd to eth0 Signed-off-by: wenxu --- net/netfilter/nft_payload.c | 56 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index 36efa1c..544fc40 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c 
@@ -572,12 +572,68 @@ static int nft_payload_set_dump(struct sk_buff *skb, const struct nft_expr *expr return -1; } +static int nft_payload_set_offload(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + const struct nft_expr *expr) +{ + const struct nft_payload_set *priv = nft_expr_priv(expr); + struct nft_offload_reg *reg = &ctx->regs[priv->sreg]; + const struct nft_data *data = ®->action.data; + struct flow_action_entry *entry; + u32 len = priv->len; + u32 offset, last; + int n_actions, i; + + if (priv->base != NFT_PAYLOAD_LL_HEADER || len > 16) + return -EOPNOTSUPP; + + offset = priv->offset; + n_actions = len >> 2; + last = len & 0x3; + + for (i = 0; i < n_actions; i++) { + entry = &flow->rule->action.entries[ctx->num_actions++]; + + entry->id = FLOW_ACTION_MANGLE; + entry->mangle.htype = FLOW_ACT_MANGLE_HDR_TYPE_ETH; + entry->mangle.mask = 0; + entry->mangle.val = data->data[i]; + entry->mangle.offset = offset; + offset = offset + 4; + } + + if (last) { + entry = &flow->rule->action.entries[ctx->num_actions++]; + + entry->id = FLOW_ACTION_MANGLE; + entry->mangle.htype = FLOW_ACT_MANGLE_HDR_TYPE_ETH; + entry->mangle.mask = ~((1 << (last * 8)) - 1); + entry->mangle.val = data->data[i]; + entry->mangle.offset = offset; + } + + return 0; +} + +static int nft_payload_set_offload_actions(const struct nft_expr *expr) +{ + const struct nft_payload_set *priv = nft_expr_priv(expr); + u32 len = priv->len; + + if (priv->base != NFT_PAYLOAD_LL_HEADER || len > 16) + return 0; + + return (len >> 2) + !!(len & 3); +} + static const struct nft_expr_ops nft_payload_set_ops = { .type = &nft_payload_type, .size = NFT_EXPR_SIZE(sizeof(struct nft_payload_set)), .eval = nft_payload_set_eval, .init = nft_payload_set_init, .dump = nft_payload_set_dump, + .offload = nft_payload_set_offload, + .offload_actions = nft_payload_set_offload_actions, }; static const struct nft_expr_ops *
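Review bot: In patch 1/7, the new prototype in nf_tables_offload.h and the matching definition in nf_tables_offload.c both run past 80 columns; wrap `const struct nft_rule *rule` onto its own line. The new `net` member is a borrowed pointer with no reference taken, which is fine while `ctx` stays a stack variable inside nft_flow_rule_create(), but that lifetime assumption deserves a one-line comment next to the field so a later user does not stash `ctx->net` somewhere longer lived.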
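Review bot: In patch 2/7, the counting loop in nft_flow_rule_create() adds the callback's return value to `num_actions` without checking it. The callback returns a signed int, so a negative or over-large return from any expression silently changes the size later used to allocate the action entries. Either make the callback return an unsigned count or reject negative values before `num_actions += ...`. The count reported here must also equal the number of `ctx->num_actions++` steps the matching `.offload` callback performs, and nothing enforces that; a bounds check against the allocated entry count at the point of use would turn a mismatch into -EOPNOTSUPP instead of a write past the array. Separately, nft_offload_action() is a `static inline` in a header whose only use is to have its address taken in an ops table, so every includer emits its own copy; an ordinary exported function would be cleaner.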
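Review bot: In patch 3/7, rtnl_lock() is taken inside nft_setup_cb_call() and nft_flow_offload_chain() with no statement of which locks the callers already hold, so the lock ordering this introduces is undocumented. The commit message quotes the mlx5 assertion but should also say what the commit path holds at this point and why acquiring rtnl under it cannot invert against paths that take the same locks in the other order. Taking and dropping rtnl once per rule also means the device state can change between two rules of the same transaction; consider acquiring it once around the whole offload commit loop instead.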
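Review bot: In patch 4/7, every producer sets `reg->type = NFT_OFFLOAD_REG_MATCH` before its switch, so the register is tagged as a valid match even when no case fills it in. This matters most in nft_payload_offload_ll(), where the switch shown has no default case: an unsupported offset leaves the match fields untouched but the register still passes the new `reg->type != NFT_OFFLOAD_REG_MATCH` test in __nft_cmp_offload(). Move the assignment into the cases that actually populate the register (or after the switch on the success path), and add a `default: return -EOPNOTSUPP;` to the link-layer switch. Since the register is now a union, a short comment on struct nft_offload_reg saying that `type` must be checked before either member is read would help later users.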
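Review bot: In patch 5/7, the new else branch of nft_immediate_offload() copies the whole `struct nft_data` into `reg->action.data` but records no length, and struct nft_offload_action from patch 4/7 has no field for one. Consumers therefore cannot tell how many bytes of the register are meaningful and have to assume a size; add a `len` member and fill it here so users of the register can validate it. In the verdict branch, `ctx->num_actions++` still happens before the `default: return -EOPNOTSUPP;` path, leaving the counter advanced for an entry that was never filled; take the entry only after the verdict code has been accepted. Minor: nft_immediate_offload_actions() can simply `return priv->dreg == NFT_REG_VERDICT;`.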
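Review bot: In patch 6/7, nft_fwd_netdev_offload() stores the result of `__dev_get_by_index(ctx->net, oif)` in `entry->dev` without taking a reference. __dev_get_by_index() does not bump the device refcount and expects the caller to hold RTNL (or dev_base_lock), yet patch 3/7 only takes rtnl inside nft_setup_cb_call() and nft_flow_offload_chain(), not around nft_flow_rule_create(). The pointer can therefore go stale between rule creation and the driver callback. Use dev_get_by_index() and drop the reference in nft_flow_rule_destroy(), or hold rtnl across both lookup and use. Also, `ctx->num_actions++` runs before the `if (!dev)` failure path, so an unknown ifindex leaves a consumed but uninitialised action entry; look the device up first and claim the entry only on success.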
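Review bot: In patch 7/7, nft_payload_set_offload() reads `reg->action.data` without checking `reg->type`, unlike nft_fwd_netdev_offload() in patch 6/7. If the source register was last written by a match expression, the union is interpreted as action data and the mangle values come from unrelated match state; add `if (reg->type != NFT_OFFLOAD_REG_ACTION) return -EOPNOTSUPP;` next to the existing base and length test. The tail mask `~((1 << (last * 8)) - 1)` is computed in host byte order while `data->data[i]` holds the bytes in packet order, so it selects the intended bytes only on little-endian hosts, and `mangle.val` is not masked to the valid bytes. Finally, the `priv->base != NFT_PAYLOAD_LL_HEADER || len > 16` condition and the entry arithmetic are duplicated between this function and nft_payload_set_offload_actions(); factor them into one helper so the count used for allocation cannot drift from the number of entries written.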