From patchwork Wed Aug 14 10:16:37 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146920 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqn6FB2z9sNC for ; Wed, 14 Aug 2019 20:16:53 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727289AbfHNKQx (ORCPT ); Wed, 14 Aug 2019 06:16:53 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55394 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726221AbfHNKQw (ORCPT ); Wed, 14 Aug 2019 06:16:52 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 6BA3341BB3; Wed, 14 Aug 2019 18:16:49 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 01/12] netfilter: nf_flow_offload: add net in offload_ctx Date: Wed, 14 Aug 2019 18:16:37 +0800 Message-Id: <1565777808-28735-2-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVklVSk9PS0tLS05IT0tOTE1ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MUk6Igw*Dzg1EzlWEjEeCD1M Dj5PCipVSlVKTk1OTExMQ0tCTkhDVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhJT0o3Bg++ X-HM-Tid: 0a6c8fa150392086kuqy6ba3341bb3 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu In the offload_ctx, the net can be used for other actions such as fwd netdev Signed-off-by: wenxu --- v4: no change include/net/netfilter/nf_tables_offload.h | 3 ++- net/netfilter/nf_tables_api.c | 2 +- net/netfilter/nf_tables_offload.c | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index 8a5969d9..71453fd 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -25,6 +25,7 @@ struct nft_offload_ctx { __be16 l3num; u8 protonum; } dep; + struct net *net; unsigned int num_actions; struct nft_offload_reg regs[NFT_REG32_15 + 1]; }; 
@@ -61,7 +62,7 @@ struct nft_flow_rule { #define NFT_OFFLOAD_F_ACTION (1 << 0) struct nft_rule; -struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule); +struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule); void nft_flow_rule_destroy(struct nft_flow_rule *flow); int nft_flow_rule_offload_commit(struct net *net); void nft_indr_block_get_and_ing_cmd(struct net_device *dev, diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index fe3b7b0..d4f611a 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -2844,7 +2844,7 @@ static int nf_tables_newrule(struct net *net, struct sock *nlsk, return nft_table_validate(net, table); if (chain->flags & NFT_CHAIN_HW_OFFLOAD) { - flow = nft_flow_rule_create(rule); + flow = nft_flow_rule_create(net, rule); if (IS_ERR(flow)) return PTR_ERR(flow); diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index d3c4c9c..9d9a864 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c 
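Review bot: both the new prototype in nf_tables_offload.h, `+struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);`, and the matching definition in nf_tables_offload.c run past 80 columns, which checkpatch flags; wrap the second parameter onto a continuation line aligned with the opening parenthesis, the way the surrounding `nft_indr_block_get_and_ing_cmd(struct net_device *dev,` context line already does. The nf_tables_api.c call-site change is fine as is: `nf_tables_newrule()` already has `net` in scope, so `nft_flow_rule_create(net, rule)` needs no further plumbing.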
@@ -28,12 +28,13 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions) return flow; } -struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule) +struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule) { struct nft_offload_ctx ctx = { .dep = { .type = NFT_OFFLOAD_DEP_UNSPEC, }, + .net = net, }; struct nft_flow_rule *flow; int num_actions = 0, err; From patchwork Wed Aug 14 10:16:38 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146922 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqq0Fpfz9sN1 for ; Wed, 14 Aug 2019 20:16:55 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727304AbfHNKQx (ORCPT ); Wed, 14 Aug 2019 06:16:53 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55398 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727218AbfHNKQx (ORCPT ); Wed, 14 Aug 2019 06:16:53 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 8A6C541BB8; Wed, 14 Aug 2019 18:16:49 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 02/12] netfilter: nf_tables_offload: add offload_actions callback Date: Wed, 14 Aug 2019 18:16:38 +0800 Message-Id: <1565777808-28735-3-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVklVSk9PS0tLS05IT0tOTE1ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6PTo6Qzo*ITgxPTk1EjcyCDJM DRUaCjZVSlVKTk1OTExMQ0tCTU5CVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhDQ0g3Bg++ X-HM-Tid: 0a6c8fa150ac2086kuqy8a6c541bb8 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu There will be zero one or serval actions for some expr. such as payload set and immediate. The one payload set action maybe split to several offload entries. And only NFT_REG_VERDICT immediate action has 1 offload entry Signed-off-by: wenxu --- v4: no change include/net/netfilter/nf_tables.h | 7 ++++++- include/net/netfilter/nf_tables_offload.h | 2 -- net/netfilter/nf_tables_offload.c | 4 ++-- net/netfilter/nft_immediate.c | 2 +- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index dc301e3..5cf71a0 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -787,7 +787,7 @@ struct nft_expr_ops { int (*offload)(struct nft_offload_ctx *ctx, struct nft_flow_rule *flow, const struct nft_expr *expr); - u32 offload_flags; + int (*offload_actions)(const struct nft_expr *expr); const struct nft_expr_type *type; void *data; }; 
@@ -796,6 +796,11 @@ struct nft_expr_ops { #define NFT_EXPR_SIZE(size) (sizeof(struct nft_expr) + \ ALIGN(size, __alignof__(struct nft_expr))) +static inline int nft_offload_action(const struct nft_expr *expr) +{ + return 1; +} + /** * struct nft_expr - nf_tables expression * diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index 71453fd..ff032fb 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -59,8 +59,6 @@ struct nft_flow_rule { struct flow_rule *rule; }; -#define NFT_OFFLOAD_F_ACTION (1 << 0) - struct nft_rule; struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule); void nft_flow_rule_destroy(struct nft_flow_rule *flow); diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c index 9d9a864..e097189 100644 --- a/net/netfilter/nf_tables_offload.c +++ b/net/netfilter/nf_tables_offload.c @@ -42,8 +42,8 @@ struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rul expr = nft_expr_first(rule); while (expr->ops && expr != nft_expr_last(rule)) { - if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION) - num_actions++; + if (expr->ops->offload_actions) + num_actions += expr->ops->offload_actions(expr); expr = nft_expr_next(expr); } diff --git a/net/netfilter/nft_immediate.c b/net/netfilter/nft_immediate.c index c7f0ef7..a2110be 100644 --- a/net/netfilter/nft_immediate.c +++ b/net/netfilter/nft_immediate.c 
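Review bot: the nf_tables_offload.c hunk turns the sum of `->offload_actions()` return values into the size of the array that `nft_flow_rule_alloc()` allocates, but nothing verifies afterwards that each `->offload()` callback appends no more entries than its `->offload_actions()` promised; if the two callbacks of an expression ever disagree, the extra `entries[ctx->num_actions++]` write goes past the end of `flow->rule->action.entries[]`. Suggest a `WARN_ON_ONCE(ctx.num_actions > num_actions)` once the callbacks have run, or a small helper that checks the bound before handing out `&flow->rule->action.entries[ctx->num_actions++]`. Two smaller points on the nf_tables.h hunk: `nft_offload_action()` is an offload-only default and belongs with the other offload declarations in nf_tables_offload.h rather than in nf_tables.h, and its unused `expr` parameter deserves a one-line comment saying the helper is the default for expressions that always emit exactly one action.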
@@ -173,7 +173,7 @@ static int nft_immediate_offload(struct nft_offload_ctx *ctx, .dump = nft_immediate_dump, .validate = nft_immediate_validate, .offload = nft_immediate_offload, - .offload_flags = NFT_OFFLOAD_F_ACTION, + .offload_actions = nft_offload_action, }; struct nft_expr_type nft_imm_type __read_mostly = { From patchwork Wed Aug 14 10:16:39 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146918 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqm1RXXz9sML for ; Wed, 14 Aug 2019 20:16:52 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727235AbfHNKQv (ORCPT ); Wed, 14 Aug 2019 06:16:51 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55410 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727220AbfHNKQv (ORCPT ); Wed, 14 Aug 2019 06:16:51 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id A7A1F41BBB; Wed, 14 Aug 2019 18:16:49 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 03/12] netfilter: nft_fwd_netdev: add fw_netdev action support Date: Wed, 14 Aug 2019 18:16:39 +0800 Message-Id: <1565777808-28735-4-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUlDQkJCQkxJSE9IT09ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MhA6USo5CTg0HzkPKDAVCD89 A04aCVFVSlVKTk1OTExMQ0tCTENLVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUlMTU43Bg++ X-HM-Tid: 0a6c8fa151282086kuqya7a1f41bbb Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu fwd_netdev action offload: nft --debug=netlink add rule netdev firewall aclout ip daddr 10.0.1.7 fwd to eth0 Signed-off-by: wenxu --- v4: no change net/netfilter/nft_fwd_netdev.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/net/netfilter/nft_fwd_netdev.c b/net/netfilter/nft_fwd_netdev.c index 61b7f93..c5af66b 100644 --- a/net/netfilter/nft_fwd_netdev.c +++ b/net/netfilter/nft_fwd_netdev.c @@ -15,6 +15,7 @@ #include #include #include +#include struct nft_fwd_netdev { enum nft_registers sreg_dev:8; 
@@ -63,6 +64,30 @@ static int nft_fwd_netdev_dump(struct sk_buff *skb, const struct nft_expr *expr) return -1; } +static int nft_fwd_netdev_offload(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + const struct nft_expr *expr) +{ + const struct nft_fwd_netdev *priv = nft_expr_priv(expr); + struct nft_offload_reg *reg = &ctx->regs[priv->sreg_dev]; + const struct nft_data *data = ®->data; + struct flow_action_entry *entry; + struct net_device *dev; + int oif = -1; + + entry = &flow->rule->action.entries[ctx->num_actions++]; + + memcpy(&oif, data->data, sizeof(oif)); + dev = __dev_get_by_index(ctx->net, oif); + if (!dev) + return -EOPNOTSUPP; + + entry->id = FLOW_ACTION_REDIRECT; + entry->dev = dev; + + return 0; +} + struct nft_fwd_neigh { enum nft_registers sreg_dev:8; enum nft_registers sreg_addr:8; 
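Review bot: `__dev_get_by_index()` in `nft_fwd_netdev_offload()` is only valid under RTNL or an RCU read side and takes no reference, yet nothing in the hunk holds either and the returned pointer is stored in `entry->dev`, where it outlives this function and dangles as soon as the device is unregistered. Suggest `dev = dev_get_by_index(ctx->net, oif);` and releasing that reference in `nft_flow_rule_destroy()` for every `FLOW_ACTION_REDIRECT` entry. Also move the lookup ahead of `entry = &flow->rule->action.entries[ctx->num_actions++];`, so that returning `-EOPNOTSUPP` does not leave an uninitialised entry already counted in `ctx->num_actions`, and drop the `= -1` initialiser on `oif`, which the `memcpy()` overwrites unconditionally (`oif = data->data[0];` reads the same register word with less ceremony).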
@@ -194,6 +219,8 @@ static int nft_fwd_neigh_dump(struct sk_buff *skb, const struct nft_expr *expr) .eval = nft_fwd_netdev_eval, .init = nft_fwd_netdev_init, .dump = nft_fwd_netdev_dump, + .offload = nft_fwd_netdev_offload, + .offload_actions = nft_offload_action, }; static const struct nft_expr_ops * From patchwork Wed Aug 14 10:16:40 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146921 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqp2R30z9sML for ; Wed, 14 Aug 2019 20:16:54 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727296AbfHNKQx (ORCPT ); Wed, 14 Aug 2019 06:16:53 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55460 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727229AbfHNKQw (ORCPT ); Wed, 14 Aug 2019 06:16:52 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id C60F541B98; Wed, 14 Aug 2019 18:16:49 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 04/12] netfilter: nft_payload: add nft_set_payload offload support Date: Wed, 14 Aug 2019 18:16:40 +0800 Message-Id: <1565777808-28735-5-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSklCQkJCTE5NQ0pIS05ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6NRg6Cxw6Gjg0OTkiAjEKCCsL AhIKFBxVSlVKTk1OTExMQ0tCQ0JCVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhPTkg3Bg++ X-HM-Tid: 0a6c8fa1519e2086kuqyc60f541b98 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu currently payload set only support ll header nft --debug=netlink add rule netdev firewall aclout ip daddr 10.0.1.7 @ll,0,48 set 0x00002e9ca06e2596 @ll,48,48 set 0xfaffffffffff fwd to eth0 Signed-off-by: wenxu --- v4: no change net/netfilter/nft_payload.c | 56 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c index 22a80eb..980e4a1 100644 --- a/net/netfilter/nft_payload.c +++ b/net/netfilter/nft_payload.c 
@@ -562,12 +562,68 @@ static int nft_payload_set_dump(struct sk_buff *skb, const struct nft_expr *expr return -1; } +static int nft_payload_set_offload(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + const struct nft_expr *expr) +{ + const struct nft_payload_set *priv = nft_expr_priv(expr); + struct nft_offload_reg *reg = &ctx->regs[priv->sreg]; + const struct nft_data *data = ®->data; + struct flow_action_entry *entry; + u32 len = priv->len; + u32 offset, last; + int n_actions, i; + + if (priv->base != NFT_PAYLOAD_LL_HEADER || len > 16) + return -EOPNOTSUPP; + + offset = priv->offset; + n_actions = len >> 2; + last = len & 0x3; + + for (i = 0; i < n_actions; i++) { + entry = &flow->rule->action.entries[ctx->num_actions++]; + + entry->id = FLOW_ACTION_MANGLE; + entry->mangle.htype = FLOW_ACT_MANGLE_HDR_TYPE_ETH; + entry->mangle.mask = 0; + entry->mangle.val = data->data[i]; + entry->mangle.offset = offset; + offset = offset + 4; + } + + if (last) { + entry = &flow->rule->action.entries[ctx->num_actions++]; + + entry->id = FLOW_ACTION_MANGLE; + entry->mangle.htype = FLOW_ACT_MANGLE_HDR_TYPE_ETH; + entry->mangle.mask = ~((1 << (last * 8)) - 1); + entry->mangle.val = data->data[i]; + entry->mangle.offset = offset; + } + + return 0; +} + +static int nft_payload_set_offload_actions(const struct nft_expr *expr) +{ + const struct nft_payload_set *priv = nft_expr_priv(expr); + u32 len = priv->len; + + if (priv->base != NFT_PAYLOAD_LL_HEADER || len > 16) + return 0; + + return (len >> 2) + !!(len & 3); +} + static const struct nft_expr_ops nft_payload_set_ops = { .type = &nft_payload_type, .size = NFT_EXPR_SIZE(sizeof(struct nft_payload_set)), .eval = nft_payload_set_eval, .init = nft_payload_set_init, .dump = nft_payload_set_dump, + .offload = nft_payload_set_offload, + .offload_actions = nft_payload_set_offload_actions, }; static const struct nft_expr_ops * From patchwork Wed Aug 14 10:16:41 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 
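Review bot: the partial-word mask in `nft_payload_set_offload()`, `entry->mangle.mask = ~((1 << (last * 8)) - 1);`, is computed in host byte order while `entry->mangle.val = data->data[i];` is the raw network-order bytes from the register, so it preserves the right bytes only on little-endian hosts; build the mask from byte positions explicitly (derive it with `cpu_to_be32()` from the number of leading bytes to replace) and add a comment stating that set bits in `mask` are preserved and cleared bits are overwritten by `val`, which is what the `mask = 0` full-word entries rely on. Two more points: the condition `priv->base != NFT_PAYLOAD_LL_HEADER || len > 16` is duplicated verbatim in `nft_payload_set_offload_actions()`, and the entry count and the entries written must agree exactly, so factor it into one helper both functions call; and since every entry uses `FLOW_ACT_MANGLE_HDR_TYPE_ETH`, reject `priv->offset + len > ETH_HLEN` up front rather than letting a driver see a mangle that lands past the Ethernet header.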
Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146923 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqq3vxCz9sML for ; Wed, 14 Aug 2019 20:16:55 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727391AbfHNKQy (ORCPT ); Wed, 14 Aug 2019 06:16:54 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55540 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726230AbfHNKQx (ORCPT ); Wed, 14 Aug 2019 06:16:53 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id E146141BA8; Wed, 14 Aug 2019 18:16:49 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 05/12] netfilter: nft_tunnel: add nft_tunnel_mode_validate function Date: Wed, 14 Aug 2019 18:16:41 +0800 Message-Id: <1565777808-28735-6-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUNPS0tLS0hCSktLTU5ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6Nhg6Ngw*CzgyHzk6ODIdCDIf VglPChpVSlVKTk1OTExMQ0pLS0lJVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUlCS0k3Bg++ X-HM-Tid: 0a6c8fa1520e2086kuqye146141ba8 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Move mode validate common code to nft_tunnel_mode_validate function. Signed-off-by: wenxu --- v4: new patch net/netfilter/nft_tunnel.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index 3d4c2ae..d374466 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c @@ -18,6 +18,18 @@ struct nft_tunnel { enum nft_tunnel_mode mode:8; }; +bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode, u8 tun_mode) +{ + if (priv_mode == NFT_TUNNEL_MODE_NONE || + (priv_mode == NFT_TUNNEL_MODE_RX && + !(tun_mode & IP_TUNNEL_INFO_TX)) || + (priv_mode == NFT_TUNNEL_MODE_TX && + (tun_mode & IP_TUNNEL_INFO_TX))) + return true; + + return false; +} + static void nft_tunnel_get_eval(const struct nft_expr *expr, struct nft_regs *regs, const struct nft_pktinfo *pkt) 
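Review bot: `nft_tunnel_mode_validate()` is defined with external linkage but has no prototype in any header and is only called from nft_tunnel.c, so sparse will warn that it should be static; make it `static bool nft_tunnel_mode_validate(...)`. The body is a faithful lift of the two duplicated conditions removed below, and the `return true; ... return false;` pair can collapse into a single `return priv_mode == NFT_TUNNEL_MODE_NONE || ...;` expression.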
@@ -34,11 +46,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr, nft_reg_store8(dest, false); return; } - if (priv->mode == NFT_TUNNEL_MODE_NONE || - (priv->mode == NFT_TUNNEL_MODE_RX && - !(tun_info->mode & IP_TUNNEL_INFO_TX)) || - (priv->mode == NFT_TUNNEL_MODE_TX && - (tun_info->mode & IP_TUNNEL_INFO_TX))) + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode)) nft_reg_store8(dest, true); else nft_reg_store8(dest, false); 
@@ -48,11 +56,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr, regs->verdict.code = NFT_BREAK; return; } - if (priv->mode == NFT_TUNNEL_MODE_NONE || - (priv->mode == NFT_TUNNEL_MODE_RX && - !(tun_info->mode & IP_TUNNEL_INFO_TX)) || - (priv->mode == NFT_TUNNEL_MODE_TX && - (tun_info->mode & IP_TUNNEL_INFO_TX))) + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode)) *dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id)); else regs->verdict.code = NFT_BREAK; From patchwork Wed Aug 14 10:16:42 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146924 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqr051qz9sNC for ; Wed, 14 Aug 2019 20:16:56 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727398AbfHNKQz (ORCPT ); Wed, 14 Aug 2019 06:16:55 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55542 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727220AbfHNKQx (ORCPT ); Wed, 14 Aug 2019 06:16:53 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 2F57641B60; Wed, 14 Aug 2019 18:16:50 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 06/12] netfilter: nft_tunnel: support NFT_TUNNEL_IP_SRC/DST match Date: Wed, 14 Aug 2019 18:16:42 +0800 Message-Id: <1565777808-28735-7-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUNPS0tLS0hCSktLTU5ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MS46Hxw5MDg9NTkZAjE5CDQf SAIKCi1VSlVKTk1OTExMQ0pLSUJKVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUlMTEo3Bg++ X-HM-Tid: 0a6c8fa1532a2086kuqy2f57641b60 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Add new two NFT_TUNNEL_IP_SRC/DST match in nft_tunnel Signed-off-by: wenxu --- v4: don't convert ipaddr to host include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_tunnel.c | 22 ++++++++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 82abaa1..4f1e5ef 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -1765,6 +1765,8 @@ enum nft_tunnel_key_attributes { enum nft_tunnel_keys { NFT_TUNNEL_PATH, NFT_TUNNEL_ID, + NFT_TUNNEL_IP_SRC, + NFT_TUNNEL_IP_DST, __NFT_TUNNEL_MAX }; #define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1) diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index d374466..fe544bf 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c 
@@ -61,6 +61,26 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr, else regs->verdict.code = NFT_BREAK; break; + case NFT_TUNNEL_IP_SRC: + if (!tun_info) { + regs->verdict.code = NFT_BREAK; + return; + } + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode)) + *dest = tun_info->key.u.ipv4.src; + else + regs->verdict.code = NFT_BREAK; + break; + case NFT_TUNNEL_IP_DST: + if (!tun_info) { + regs->verdict.code = NFT_BREAK; + return; + } + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode)) + *dest = tun_info->key.u.ipv4.dst; + else + regs->verdict.code = NFT_BREAK; + break; default: WARN_ON(1); regs->verdict.code = NFT_BREAK; 
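Review bot: `*dest = tun_info->key.u.ipv4.src;` (and the `dst` counterpart) stores a `__be32` into a plain `u32` register slot, which sparse flags as a restricted-type assignment; since v4 deliberately keeps the address in network byte order, make that explicit with `memcpy(dest, &tun_info->key.u.ipv4.src, sizeof(u32));` or a `(__force u32)` cast. More importantly, neither case checks that the tunnel is actually IPv4: when `tun_info->mode` has `IP_TUNNEL_INFO_IPV6` set, `key.u.ipv4` overlays the first bytes of the IPv6 address and the match silently compares the wrong data, so these cases should set `NFT_BREAK` for an IPv6 tunnel rather than read the union.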
@@ -90,6 +110,8 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx, len = sizeof(u8); break; case NFT_TUNNEL_ID: + case NFT_TUNNEL_IP_SRC: + case NFT_TUNNEL_IP_DST: len = sizeof(u32); break; default: From patchwork Wed Aug 14 10:16:43 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146925 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqr3g8zz9sML for ; Wed, 14 Aug 2019 20:16:56 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727411AbfHNKQ4 (ORCPT ); Wed, 14 Aug 2019 06:16:56 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55576 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726121AbfHNKQz (ORCPT ); Wed, 14 Aug 2019 06:16:55 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 4D25B41BBE; Wed, 14 Aug 2019 18:16:50 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 07/12] netfilter: nft_tunnel: add ipv6 check in nft_tunnel_mode_validate Date: Wed, 14 Aug 2019 18:16:43 +0800 Message-Id: <1565777808-28735-8-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUNPS0tLS0hCSktLTU5ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6Mgw6ERw5STgzDzk1AjcNCDkp TwgKFD1VSlVKTk1OTExMQ0pLSExLVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhKTU83Bg++ X-HM-Tid: 0a6c8fa153992086kuqy4d25b41bbe Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Add ipv6 tunnel check in nft_tunnel_mode_validate. Signed-off-by: wenxu --- v4: new patch net/netfilter/nft_tunnel.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index fe544bf..64bda3d 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c @@ -18,8 +18,12 @@ struct nft_tunnel { enum nft_tunnel_mode mode:8; }; -bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode, u8 tun_mode) +bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode, + u8 tun_mode, bool ipv6) { + if (ipv6 && !(tun_mode & IP_TUNNEL_INFO_IPV6)) + return false; + if (priv_mode == NFT_TUNNEL_MODE_NONE || (priv_mode == NFT_TUNNEL_MODE_RX && !(tun_mode & IP_TUNNEL_INFO_TX)) || 
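Review bot: the new check `if (ipv6 && !(tun_mode & IP_TUNNEL_INFO_IPV6)) return false;` is one-directional: it rejects an IPv4 tunnel for the IPv6 keys, but the `NFT_TUNNEL_IP_SRC/DST` callers below pass `false` and so still accept an IPv6 tunnel and read `key.u.ipv4` out of the IPv6 union. A plain symmetric test would break `NFT_TUNNEL_PATH` and `NFT_TUNNEL_ID`, which also pass `false` and must accept both families, so replace the bool with the expected address family (`AF_UNSPEC` for PATH/ID, `AF_INET` for IP_SRC/DST, `AF_INET6` for the IPv6 keys) and reject only a real mismatch; that also makes the call sites readable, where a bare `false` argument says nothing about intent.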
@@ -46,7 +50,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr, nft_reg_store8(dest, false); return; } - if (nft_tunnel_mode_validate(priv->mode, tun_info->mode)) + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode, false)) nft_reg_store8(dest, true); else nft_reg_store8(dest, false); @@ -56,7 +60,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr, regs->verdict.code = NFT_BREAK; return; } - if (nft_tunnel_mode_validate(priv->mode, tun_info->mode)) + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode, false)) *dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id)); else regs->verdict.code = NFT_BREAK; @@ -66,7 +70,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr, regs->verdict.code = NFT_BREAK; return; } - if (nft_tunnel_mode_validate(priv->mode, tun_info->mode)) + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode, false)) *dest = tun_info->key.u.ipv4.src; else regs->verdict.code = NFT_BREAK; 
@@ -76,7 +80,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr, regs->verdict.code = NFT_BREAK; return; } - if (nft_tunnel_mode_validate(priv->mode, tun_info->mode)) + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode, false)) *dest = tun_info->key.u.ipv4.dst; else regs->verdict.code = NFT_BREAK; From patchwork Wed Aug 14 10:16:44 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146926 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqt0JMVz9sML for ; Wed, 14 Aug 2019 20:16:58 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727414AbfHNKQ4 (ORCPT ); Wed, 14 Aug 2019 06:16:56 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55574 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727266AbfHNKQ4 (ORCPT ); Wed, 14 Aug 2019 06:16:56 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 603F941BBF; Wed, 14 Aug 2019 18:16:50 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 08/12] netfilter: nft_tunnel: support NFT_TUNNEL_IP6_SRC/DST match Date: Wed, 14 Aug 2019 18:16:44 +0800 Message-Id: <1565777808-28735-9-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUNPS0tLS0hCSktLTU5ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6PzI6Oio4HDg*Hzk5EjcyCDk5 TThPCzBVSlVKTk1OTExMQ0pLT0xOVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUlDTE03Bg++ X-HM-Tid: 0a6c8fa153e62086kuqy603f941bbf Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Add new two NFT_TUNNEL_IP6_SRC/DST match in nft_tunnel Signed-off-by: wenxu --- v4: new patch include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_tunnel.c | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 4f1e5ef..bfb051f 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -1767,6 +1767,8 @@ enum nft_tunnel_keys { NFT_TUNNEL_ID, NFT_TUNNEL_IP_SRC, NFT_TUNNEL_IP_DST, + NFT_TUNNEL_IP6_SRC, + NFT_TUNNEL_IP6_DST, __NFT_TUNNEL_MAX }; #define NFT_TUNNEL_MAX (__NFT_TUNNEL_MAX - 1) diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index 64bda3d..58b6083 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c 
@@ -85,6 +85,26 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr, else regs->verdict.code = NFT_BREAK; break; + case NFT_TUNNEL_IP6_SRC: + if (!tun_info) { + regs->verdict.code = NFT_BREAK; + return; + } + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode, true)) + memcpy(dest, &tun_info->key.u.ipv6.src, sizeof(struct in6_addr)); + else + regs->verdict.code = NFT_BREAK; + break; + case NFT_TUNNEL_IP6_DST: + if (!tun_info) { + regs->verdict.code = NFT_BREAK; + return; + } + if (nft_tunnel_mode_validate(priv->mode, tun_info->mode, true)) + memcpy(dest, &tun_info->key.u.ipv6.dst, sizeof(struct in6_addr)); + else + regs->verdict.code = NFT_BREAK; + break; default: WARN_ON(1); regs->verdict.code = NFT_BREAK; 
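Review bot: the two new cases in nft_tunnel_get_eval are identical apart from the union member copied, so they could be folded into one `case NFT_TUNNEL_IP6_SRC: case NFT_TUNNEL_IP6_DST:` block that picks `&tun_info->key.u.ipv6.src` or `.dst`, which also keeps the `!tun_info` and mode checks in a single place. More importantly, reading `tun_info->key.u.ipv6` is only valid when the tunnel info actually carries IPv6 addresses: `key.u` is a union with the IPv4 pair, so the `true` argument now passed to nft_tunnel_mode_validate must reject a tun_info that lacks the IPv6 flag, otherwise the memcpy copies the IPv4 addresses plus whatever follows them in the union into the register. nft_tunnel_mode_validate itself is not in this hunk, so it is worth confirming in the earlier patch that the new flag does exactly that.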
@@ -118,6 +138,10 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx, case NFT_TUNNEL_IP_DST: len = sizeof(u32); break; + case NFT_TUNNEL_IP6_SRC: + case NFT_TUNNEL_IP6_DST: + len = sizeof(struct in6_addr); + break; default: return -EOPNOTSUPP; } From patchwork Wed Aug 14 10:16:45 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146929 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqv23P2z9sML for ; Wed, 14 Aug 2019 20:16:59 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727425AbfHNKQ6 (ORCPT ); Wed, 14 Aug 2019 06:16:58 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55612 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727229AbfHNKQ4 (ORCPT ); Wed, 14 Aug 2019 06:16:56 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 7C07C41BBC; Wed, 14 Aug 2019 18:16:50 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 09/12] netfilter: nft_tunnel: support tunnel meta match offload Date: Wed, 14 Aug 2019 18:16:45 +0800 Message-Id: <1565777808-28735-10-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUNPS0tLS0hCSktLTU5ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6NTo6Pxw4Szg8EzkTODcMCD89 TA5PCk1VSlVKTk1OTExMQ0pLTUlLVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUhCTks3Bg++ X-HM-Tid: 0a6c8fa154622086kuqy7c07c41bbc Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Add tunnel meta match offload. Currently support for NFT_TUNNEL_ID NFT_TUNNEL_IP(6)_SRC/DST Signed-off-by: wenxu --- v4: add IP6_SRC/DST offload include/net/netfilter/nf_tables_offload.h | 5 ++++ net/netfilter/nft_tunnel.c | 41 +++++++++++++++++++++++++++++++ 2 files changed, 46 insertions(+) diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h index ff032fb..b20c651 100644 --- a/include/net/netfilter/nf_tables_offload.h +++ b/include/net/netfilter/nf_tables_offload.h @@ -45,6 +45,11 @@ struct nft_flow_key { struct flow_dissector_key_ip ip; struct flow_dissector_key_vlan vlan; struct flow_dissector_key_eth_addrs eth_addrs; + struct flow_dissector_key_keyid enc_key_id; + union { + struct flow_dissector_key_ipv4_addrs enc_ipv4; + struct flow_dissector_key_ipv6_addrs enc_ipv6; + }; } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */ struct nft_flow_match { diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index 58b6083..018ec27 100644 
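Review bot: the anonymous union in struct nft_flow_key makes enc_ipv4 and enc_ipv6 share storage, which silently relies on a single rule never populating both; a one-line comment on the union stating that a rule matches exactly one tunnel address family would help the next reader, since nothing in the matching code enforces it. Also note that the union is sized by flow_dissector_key_ipv6_addrs, so nft_flow_key grows by that plus enc_key_id for every offloaded rule, which is fine but deserves a sentence in the changelog.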
--- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c @@ -11,6 +11,7 @@ #include #include #include +#include struct nft_tunnel { enum nft_tunnel_keys key:8; @@ -177,6 +178,45 @@ static int nft_tunnel_get_dump(struct sk_buff *skb, return -1; } +static int nft_tunnel_get_offload(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + const struct nft_expr *expr) +{ + const struct nft_tunnel *priv = nft_expr_priv(expr); + struct nft_offload_reg *reg = &ctx->regs[priv->dreg]; + + if (priv->mode == NFT_TUNNEL_MODE_TX) + return -EOPNOTSUPP; + + switch (priv->key) { + case NFT_TUNNEL_ID: + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_KEYID, enc_key_id, keyid, + sizeof(__u32), reg); + break; + case NFT_TUNNEL_IP_SRC: + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4, src, + sizeof(__u32), reg); + break; + case NFT_TUNNEL_IP_DST: + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4, dst, + sizeof(__u32), reg); + break; + case NFT_TUNNEL_IP6_SRC: + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6, src, + sizeof(struct in6_addr), reg); + break; + case NFT_TUNNEL_IP6_DST: + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6, dst, + sizeof(struct in6_addr), reg); + break; + case NFT_TUNNEL_PATH: + default: + return -EOPNOTSUPP; + } + + return 0; +} + static struct nft_expr_type nft_tunnel_type; static const struct nft_expr_ops nft_tunnel_get_ops = { .type = &nft_tunnel_type, 
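Review bot: `case NFT_TUNNEL_PATH:` immediately above `default:` in nft_tunnel_get_offload is redundant since both return -EOPNOTSUPP; either drop the label or add a comment saying path matching is intentionally not offloaded. Two semantic points on the same function: `if (priv->mode == NFT_TUNNEL_MODE_TX) return -EOPNOTSUPP;` lets NFT_TUNNEL_MODE_NONE through, but the ENC_* dissector keys only describe the tunnel a packet was received on, so a NONE-mode expression (which in software matches TX metadata as well) is narrowed to RX semantics once offloaded; rejecting NONE or documenting the narrowing would be clearer. And for NFT_TUNNEL_ID the register bytes are copied unchanged into `enc_key_id.keyid`, which flow_dissector_key_keyid declares as __be32; the eval side that fills that register is not in this hunk, so please confirm it stores the id in network byte order, otherwise the offloaded match compares the wrong byte order on little-endian hosts.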
@@ -184,6 +224,7 @@ static int nft_tunnel_get_dump(struct sk_buff *skb, .eval = nft_tunnel_get_eval, .init = nft_tunnel_get_init, .dump = nft_tunnel_get_dump, + .offload = nft_tunnel_get_offload, }; static struct nft_expr_type nft_tunnel_type __read_mostly = { From patchwork Wed Aug 14 10:16:46 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146928 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqt5TBmz9sNC for ; Wed, 14 Aug 2019 20:16:58 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727409AbfHNKQz (ORCPT ); Wed, 14 Aug 2019 06:16:55 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55614 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727299AbfHNKQz (ORCPT ); Wed, 14 Aug 2019 06:16:55 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id 9CD8141BC3; Wed, 14 Aug 2019 18:16:50 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 10/12] netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action Date: Wed, 14 Aug 2019 18:16:46 +0800 Message-Id: <1565777808-28735-11-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUhCQkJCQ0JLSElMT05ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6Nyo6Nww5SDg#MTkuAjAVCDQ9 QylPCTxVSlVKTk1OTExMQ0pLTUNDVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQU9LSkM3Bg++ X-HM-Tid: 0a6c8fa154de2086kuqy9cd8141bc3 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Add new NFTA_TUNNEL_KEY_RELEASE action for future offload feature Signed-off-by: wenxu --- v4: no change include/uapi/linux/netfilter/nf_tables.h | 1 + net/netfilter/nft_tunnel.c | 24 +++++++++++++++++++++--- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index bfb051f..b37b8a7 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -1758,6 +1758,7 @@ enum nft_tunnel_key_attributes { NFTA_TUNNEL_KEY_SPORT, NFTA_TUNNEL_KEY_DPORT, NFTA_TUNNEL_KEY_OPTS, + NFTA_TUNNEL_KEY_RELEASE, __NFTA_TUNNEL_KEY_MAX }; #define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1) diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index 018ec27..aa3dc52 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c 
@@ -247,6 +247,7 @@ struct nft_tunnel_opts { struct nft_tunnel_obj { struct metadata_dst *md; struct nft_tunnel_opts opts; + bool tunnel_key_release; }; static const struct nla_policy nft_tunnel_ip_policy[NFTA_TUNNEL_KEY_IP_MAX + 1] = { @@ -431,6 +432,7 @@ static int nft_tunnel_obj_opts_init(const struct nft_ctx *ctx, [NFTA_TUNNEL_KEY_TOS] = { .type = NLA_U8, }, [NFTA_TUNNEL_KEY_TTL] = { .type = NLA_U8, }, [NFTA_TUNNEL_KEY_OPTS] = { .type = NLA_NESTED, }, + [NFTA_TUNNEL_KEY_RELEASE] = { .type = NLA_U8, }, }; static int nft_tunnel_obj_init(const struct nft_ctx *ctx, @@ -442,6 +444,12 @@ static int nft_tunnel_obj_init(const struct nft_ctx *ctx, struct metadata_dst *md; int err; + if (tb[NFTA_TUNNEL_KEY_RELEASE]) { + priv->tunnel_key_release = !!nla_get_u8(tb[NFTA_TUNNEL_KEY_RELEASE]); + if (priv->tunnel_key_release) + return 0; + } + if (!tb[NFTA_TUNNEL_KEY_ID]) return -EINVAL; @@ -524,8 +532,11 @@ static inline void nft_tunnel_obj_eval(struct nft_object *obj, struct sk_buff *skb = pkt->skb; skb_dst_drop(skb); - dst_hold((struct dst_entry *) priv->md); - skb_dst_set(skb, (struct dst_entry *) priv->md); + + if (!priv->tunnel_key_release) { + dst_hold((struct dst_entry *)priv->md); + skb_dst_set(skb, (struct dst_entry *)priv->md); + } } static int nft_tunnel_ip_dump(struct sk_buff *skb, struct ip_tunnel_info *info) @@ -627,6 +638,12 @@ static int nft_tunnel_obj_dump(struct sk_buff *skb, struct nft_tunnel_obj *priv = nft_obj_data(obj); struct ip_tunnel_info *info = &priv->md->u.tun_info; + if (priv->tunnel_key_release) { + if (nla_put_u8(skb, NFTA_TUNNEL_KEY_RELEASE, 1)) + goto nla_put_failure; + return 0; + } + if (nla_put_be32(skb, NFTA_TUNNEL_KEY_ID, tunnel_id_to_key32(info->key.tun_id)) || nft_tunnel_ip_dump(skb, info) < 0 || 
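Review bot: in nft_tunnel_obj_init the early `return 0` when NFTA_TUNNEL_KEY_RELEASE is set means any other attributes supplied alongside it (NFTA_TUNNEL_KEY_ID, the IP, port and opts attributes) are silently ignored rather than rejected; returning -EINVAL when release is combined with them keeps the object definition unambiguous and matches how the dump side emits release objects with no other attributes. The early return also leaves priv->md NULL for release objects, so every later user of priv->md has to test tunnel_key_release before touching it.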
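Review bot: in nft_tunnel_obj_dump `struct ip_tunnel_info *info = &priv->md->u.tun_info;` is evaluated in the declarations, before the new `if (priv->tunnel_key_release)` early return, and for a release object priv->md is NULL because nft_tunnel_obj_init returns before allocating it. The member address is never dereferenced on that path, but forming a pointer from a NULL base is still undefined behaviour and UBSAN flags it; move the `info` assignment below the early return, or test tunnel_key_release before md is touched.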
@@ -648,7 +665,8 @@ static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx, { struct nft_tunnel_obj *priv = nft_obj_data(obj); - metadata_dst_free(priv->md); + if (!priv->tunnel_key_release) + metadata_dst_free(priv->md); } static struct nft_object_type nft_tunnel_obj_type; From patchwork Wed Aug 14 10:16:47 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146930 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqv5MTfz9sN1 for ; Wed, 14 Aug 2019 20:16:59 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727431AbfHNKQ6 (ORCPT ); Wed, 14 Aug 2019 06:16:58 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55632 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727383AbfHNKQ4 (ORCPT ); Wed, 14 Aug 2019 06:16:56 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id AD8AD41BC1; Wed, 14 Aug 2019 18:16:50 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 11/12] netfilter: nft_objref: add nft_objref_type offload Date: Wed, 14 Aug 2019 18:16:47 +0800 Message-Id: <1565777808-28735-12-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUhCQkJCQ0JLSElMT05ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6MU06Dgw*Ajg6KTkpAjBLCDlM QkIaFBBVSlVKTk1OTExMQ0pLTENCVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUlDQ0k3Bg++ X-HM-Tid: 0a6c8fa155222086kuqyad8ad41bc1 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu support offload for nft_objref_type Signed-off-by: wenxu --- v4: no change include/net/netfilter/nf_tables.h | 3 +++ net/netfilter/nft_objref.c | 15 +++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 5cf71a0..b007dd9 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -1128,6 +1128,9 @@ struct nft_object_ops { int (*dump)(struct sk_buff *skb, struct nft_object *obj, bool reset); + int (*offload)(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + struct nft_object *obj); const struct nft_object_type *type; }; diff --git a/net/netfilter/nft_objref.c b/net/netfilter/nft_objref.c index bfd18d2..f71cf76 100644 --- a/net/netfilter/nft_objref.c +++ b/net/netfilter/nft_objref.c @@ -10,6 +10,7 @@ #include #include #include +#include #define nft_objref_priv(expr) *((struct nft_object **)nft_expr_priv(expr)) 
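Review bot: struct nft_object_ops has a kernel-doc block describing each callback (@eval, @size, @init, @destroy, @dump, @type); the hunk adds the `offload` callback without an `@offload:` entry, so please document it there, including whether the callback is expected to append to flow->rule->action and advance ctx->num_actions, as the tunnel object implementation later in this series does.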
@@ -82,6 +83,18 @@ static void nft_objref_activate(const struct nft_ctx *ctx, obj->use++; } +static int nft_objref_offload(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + const struct nft_expr *expr) +{ + struct nft_object *obj = nft_objref_priv(expr); + + if (obj->ops->offload) + return obj->ops->offload(ctx, flow, obj); + else + return -EOPNOTSUPP; +} + static struct nft_expr_type nft_objref_type; static const struct nft_expr_ops nft_objref_ops = { .type = &nft_objref_type, 
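Review bot: minor style in nft_objref_offload: the `else` after `return obj->ops->offload(ctx, flow, obj);` is redundant; `if (!obj->ops->offload) return -EOPNOTSUPP; return obj->ops->offload(ctx, flow, obj);` is the usual early-exit shape. Refusing with -EOPNOTSUPP for object types without an offload callback, rather than ignoring the reference, is the right default.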
@@ -91,6 +104,8 @@ static void nft_objref_activate(const struct nft_ctx *ctx, .activate = nft_objref_activate, .deactivate = nft_objref_deactivate, .dump = nft_objref_dump, + .offload = nft_objref_offload, + .offload_actions = nft_offload_action, }; struct nft_objref_map { From patchwork Wed Aug 14 10:16:48 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: wenxu X-Patchwork-Id: 1146927 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none) header.from=ucloud.cn Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 467lqt35pKz9sN1 for ; Wed, 14 Aug 2019 20:16:58 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727424AbfHNKQ5 (ORCPT ); Wed, 14 Aug 2019 06:16:57 -0400 Received: from m9784.mail.qiye.163.com ([220.181.97.84]:55634 "EHLO m9784.mail.qiye.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727309AbfHNKQz (ORCPT ); Wed, 14 Aug 2019 06:16:55 -0400 Received: from localhost.localdomain (unknown [123.59.132.129]) by m9784.mail.qiye.163.com (Hmail) with ESMTPA id C651341BC4; Wed, 14 Aug 2019 18:16:50 +0800 (CST) 
From: wenxu@ucloud.cn To: pablo@netfilter.org, fw@strlen.de Cc: netfilter-devel@vger.kernel.org Subject: [PATCH nf-next v4 12/12] netfilter: nft_tunnel: support nft_tunnel_obj offload Date: Wed, 14 Aug 2019 18:16:48 +0800 Message-Id: <1565777808-28735-13-git-send-email-wenxu@ucloud.cn> X-Mailer: git-send-email 1.8.3.1 In-Reply-To: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> References: <1565777808-28735-1-git-send-email-wenxu@ucloud.cn> X-HM-Spam-Status: e1kfGhgUHx5ZQUtXWQgYFAkeWUFZVkpVSUhCQkJCQ0JLSElMT05ZV1koWU FJQjdXWS1ZQUlXWQkOFx4IWUFZNTQpNjo3JCkuNz5ZBg++ X-HM-Sender-Digest: e1kMHhlZQR0aFwgeV1kSHx4VD1lBWUc6Okk6Oio6FTg4AzkwKDIcCD9L OjkKCi1VSlVKTk1OTExMQ0pLQ0JPVTMWGhIXVQweFQMOOw4YFxQOH1UYFUVZV1kSC1lBWUpJSFVO QlVKSElVSklCWVdZCAFZQUlISUI3Bg++ X-HM-Tid: 0a6c8fa155892086kuqyc651341bc4 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org From: wenxu Add nft_tunnel_obj offload for both encap and decap actions Signed-off-by: wenxu --- v4: no change net/netfilter/nft_tunnel.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index aa3dc52..b47838d 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c @@ -669,6 +669,25 @@ static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx, metadata_dst_free(priv->md); } +static int nft_tunnel_obj_offload(struct nft_offload_ctx *ctx, + struct nft_flow_rule *flow, + struct nft_object *obj) +{ + struct nft_tunnel_obj *priv = nft_obj_data(obj); + struct flow_action_entry *entry; + + entry = &flow->rule->action.entries[ctx->num_actions++]; + + if (!priv->tunnel_key_release) { + entry->id = FLOW_ACTION_TUNNEL_ENCAP; + entry->tunnel = &priv->md->u.tun_info; + } else { + entry->id = FLOW_ACTION_TUNNEL_DECAP; + } + + return 0; +} + static struct nft_object_type nft_tunnel_obj_type; static const struct nft_object_ops nft_tunnel_obj_ops = { .type = &nft_tunnel_obj_type, 
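Review bot: `entry = &flow->rule->action.entries[ctx->num_actions++];` in nft_tunnel_obj_offload indexes the action array with no bound check; flow->rule is allocated with a fixed number of action entries before the expressions are walked, so unless that sizing already counts objref expressions as actions this write runs off the end of the array. Please either check `ctx->num_actions` against the allocated count before taking the slot, or point to where the count is sized in the earlier patches of the series. The encap entry also stores a bare pointer into `priv->md->u.tun_info`, so drivers must consume it during rule setup; that matches how tc's tunnel_key action exposes its ip_tunnel_info, so it is fine as long as nothing keeps the pointer past setup.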
@@ -677,6 +696,7 @@ static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx, .init = nft_tunnel_obj_init, .destroy = nft_tunnel_obj_destroy, .dump = nft_tunnel_obj_dump, + .offload = nft_tunnel_obj_offload, }; static struct nft_object_type nft_tunnel_obj_type __read_mostly = {