nftables: add flags offload to flowtable

Message ID	20210321164916.62556-1-linux@fw-web.de
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: Frank Wunderlich <linux@fw-web.de> To: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Frank Wunderlich <frank-w@public-files.de>, netfilter-devel@vger.kernel.org Subject: [PATCH] nftables: add flags offload to flowtable Date: Sun, 21 Mar 2021 17:49:16 +0100 Message-Id: <20210321164916.62556-1-linux@fw-web.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	nftables: add flags offload to flowtable \| expand nftables: add flags offload to flowtable

Message ID

20210321164916.62556-1-linux@fw-web.de

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Frank Wunderlich <linux@fw-web.de>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Frank Wunderlich <frank-w@public-files.de>,
        netfilter-devel@vger.kernel.org
Subject: [PATCH] nftables: add flags offload to flowtable
Date: Sun, 21 Mar 2021 17:49:16 +0100
Message-Id: <20210321164916.62556-1-linux@fw-web.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

nftables: add flags offload to flowtable | expand

Commit Message

Frank Wunderlich March 21, 2021, 4:49 p.m. UTC

From: Frank Wunderlich <frank-w@public-files.de>

allow flags (currently only offload) in flowtables like it is stated
here: https://lwn.net/Articles/804384/

tested on mt7622/Bananapi-R64

table ip filter {
	flowtable f {
		hook ingress priority filter + 1
		devices = { lan3, lan0, wan }
		flags offload;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ip protocol { tcp, udp } flow add @f
	}
}

table ip nat {
	chain post {
		type nat hook postrouting priority filter; policy accept;
		oifname "wan" masquerade
	}
}

Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
---
 include/rule.h     | 8 ++++++++
 src/mnl.c          | 5 +++++
 src/netlink.c      | 2 ++
 src/parser_bison.y | 7 +++++++
 src/rule.c         | 4 ++++
 5 files changed, 26 insertions(+)

Comments

Pablo Neira Ayuso March 25, 2021, 11:14 a.m. UTC | #1

On Sun, Mar 21, 2021 at 05:49:16PM +0100, Frank Wunderlich wrote:
> From: Frank Wunderlich <frank-w@public-files.de>
> 
> allow flags (currently only offload) in flowtables like it is stated
> here: https://lwn.net/Articles/804384/
> 
> tested on mt7622/Bananapi-R64
> 
> table ip filter {
> 	flowtable f {
> 		hook ingress priority filter + 1
> 		devices = { lan3, lan0, wan }
> 		flags offload;
> 	}
> 
> 	chain forward {
> 		type filter hook forward priority filter; policy accept;
> 		ip protocol { tcp, udp } flow add @f
> 	}
> }
> 
> table ip nat {
> 	chain post {
> 		type nat hook postrouting priority filter; policy accept;
> 		oifname "wan" masquerade
> 	}
> }

Applied, thanks.

diff --git a/include/rule.h b/include/rule.h
index 523435f6f5d5..4ef24eb4ec63 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -187,6 +187,14 @@  enum chain_flags {
 	CHAIN_F_BINDING		= 0x4,
 };
 
+/**
+ * enum flowtable_flags - flowtable flags
+ *
+ */
+enum flowtable_flags {
+	FLOWTABLE_F_HW_OFFLOAD	= 0x1, /* NF_FLOWTABLE_HW_OFFLOAD in linux nf_flow_table.h */
+};
+
 /**
  * struct prio_spec - extendend priority specification for mixed
  *                    textual/numerical parsing.
diff --git a/src/mnl.c b/src/mnl.c
index deea586f9b00..ffbfe48158de 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1779,6 +1779,11 @@  int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
 	}
 
+	if (cmd->flowtable->flags & FLOWTABLE_F_HW_OFFLOAD) {
+		nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FLAGS,
+				    NFT_FLOWTABLE_HW_OFFLOAD);
+	}
+
 	if (cmd->flowtable->dev_expr) {
 		dev_array = nft_flowtable_dev_array(cmd);
 		nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
diff --git a/src/netlink.c b/src/netlink.c
index 8c86789b8369..103fdbd10690 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1598,6 +1598,8 @@  netlink_delinearize_flowtable(struct netlink_ctx *ctx,
 		xstrdup(nftnl_flowtable_get_str(nlo, NFTNL_FLOWTABLE_NAME));
 	flowtable->handle.handle.id =
 		nftnl_flowtable_get_u64(nlo, NFTNL_FLOWTABLE_HANDLE);
+	if (nftnl_flowtable_is_set(nlo, NFTNL_FLOWTABLE_FLAGS))
+		flowtable->flags = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_FLAGS);
 	dev_array = nftnl_flowtable_get(nlo, NFTNL_FLOWTABLE_DEVICES);
 	while (dev_array[len])
 		len++;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 08a2599e5374..6d69071b1c2d 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1993,6 +1993,7 @@  flowtable_block_alloc	:	/* empty */
 flowtable_block		:	/* empty */	{ $$ = $<flowtable>-1; }
 			|	flowtable_block	common_block
 			|	flowtable_block	stmt_separator
+			|	flowtable_block	ft_flags_spec	stmt_separator
 			|	flowtable_block	HOOK		STRING	prio_spec	stmt_separator
 			{
 				$$->hook.loc = @3;
@@ -2375,6 +2376,12 @@  flags_spec		:	FLAGS		OFFLOAD
 			}
 			;
 
+ft_flags_spec		:	FLAGS		OFFLOAD
+			{
+				$<flowtable>0->flags |= FLOWTABLE_F_HW_OFFLOAD;
+			}
+			;
+
 policy_spec		:	POLICY		policy_expr
 			{
 				if ($<chain>0->policy) {
diff --git a/src/rule.c b/src/rule.c
index 1c6010c001c5..f7f905095cbe 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2223,6 +2223,10 @@  static void flowtable_print_declaration(const struct flowtable *flowtable,
 		nft_print(octx, " }%s", opts->stmt_separator);
 	}
 
+	if (flowtable->flags & NFT_FLOWTABLE_HW_OFFLOAD)
+		nft_print(octx, "%s%sflags offload;%s", opts->tab, opts->tab,
+			  opts->stmt_separator);
+
 	if (flowtable->flags & NFT_FLOWTABLE_COUNTER)
 		nft_print(octx, "%s%scounter%s", opts->tab, opts->tab,
 			  opts->stmt_separator);

nftables: add flags offload to flowtable

Commit Message

Comments

Patch