Re: [PATCH 08/12] netfilter: nf_flow_table: move ipv6 offload hook code to nf_flow_table

On 2018-02-20 16:35, Pablo Neira Ayuso wrote:
> On Tue, Feb 20, 2018 at 04:06:11PM +0100, Felix Fietkau wrote:
>> On 2018-02-20 16:01, Pablo Neira Ayuso wrote:
>> > On Tue, Feb 20, 2018 at 03:49:50PM +0100, Felix Fietkau wrote:
>> >> -unsigned int
>> >> -nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
>> >> -			  const struct nf_hook_state *state)
>> >> -{
>> >> -	struct flow_offload_tuple_rhash *tuplehash;
>> >> -	struct nf_flowtable *flow_table = priv;
>> >> -	struct flow_offload_tuple tuple = {};
>> >> -	enum flow_offload_tuple_dir dir;
>> >> -	struct flow_offload *flow;
>> >> -	struct net_device *outdev;
>> >> -	struct in6_addr *nexthop;
>> >> -	struct ipv6hdr *ip6h;
>> >> -	struct rt6_info *rt;
>> >> -
>> >> -	if (skb->protocol != htons(ETH_P_IPV6))
>> >> -		return NF_ACCEPT;
>> >> -
>> >> -	if (nf_flow_tuple_ipv6(skb, state->in, &tuple) < 0)
>> >> -		return NF_ACCEPT;
>> >> -
>> >> -	tuplehash = flow_offload_lookup(flow_table, &tuple);
>> >> -	if (tuplehash == NULL)
>> >> -		return NF_ACCEPT;
>> >> -
>> >> -	outdev = dev_get_by_index_rcu(state->net, tuplehash->tuple.oifidx);
>> >> -	if (!outdev)
>> >> -		return NF_ACCEPT;
>> >> -
>> >> -	dir = tuplehash->tuple.dir;
>> >> -	flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
>> >> -	rt = (struct rt6_info *)flow->tuplehash[dir].tuple.dst_cache;
>> >> -
>> >> -	if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
>> >> -		return NF_ACCEPT;
>> >> -
>> >> -	if (skb_try_make_writable(skb, sizeof(*ip6h)))
>> >> -		return NF_DROP;
>> >> -
>> >> -	if (flow->flags & (FLOW_OFFLOAD_SNAT | FLOW_OFFLOAD_DNAT) &&
>> >> -	    nf_flow_nat_ipv6(flow, skb, dir) < 0)
>> >> -		return NF_DROP;
>> >> -
>> >> -	flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
>> >> -	ip6h = ipv6_hdr(skb);
>> >> -	ip6h->hop_limit--;
>> >> -
>> >> -	skb->dev = outdev;
>> >> -	nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
>> >> -	neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
>> >> -
>> >> -	return NF_STOLEN;
>> >> -}
>> >> -EXPORT_SYMBOL_GPL(nf_flow_offload_ipv6_hook);
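Review bot: the removed hook decrements ip6h->hop_limit unconditionally after the flow lookup, and no floor check is visible in this hunk; since the function is being moved rather than rewritten, make sure the destination copy (or nf_flow_tuple_ipv6, which is not shown) hands packets with hop_limit already 0 or 1 back to the slow path with NF_ACCEPT before `ip6h->hop_limit--`, otherwise a 0 wraps to 255 and the packet is forwarded instead of expiring, which is the opposite of what the MTU check a few lines above does for oversized packets. Because the hunk shows only the removal, a sentence in the commit message stating that the function is moved verbatim (no behavioural change) would let reviewers confirm the two halves of the move match.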
>> > 
>> > Why do you need to move the hook function to this new core file?
>>
>> For backporting flow table support to xtables I need to move this to a
>> source file that doesn't depend on nftables or ipv6 directly.
> 
> I guess this is related to net/netfilter/xt_FLOWOFFLOAD.c.
> 
> You probably could add net/ipv4/netfilter/ipt_FLOWOFFLOAD.c and
> net/ipv6/netfilter/ip6t_FLOWOFFLOAD.c, so we can skip placing ipv4 and
> ipv6 code in the same file.
That's exactly what I wanted to avoid. Since nf_flow_table_ipv6 depends
on nftables, I'd have to make two extra modules, one for the ipv4 hook,
one for the ipv6 hook.

So we'd have:
ipt_FLOWOFFLOAD.ko
ip6t_FLOWOFFLOAD.ko
nf_flow_table_ipv4.ko (without nft bits)
nf_flow_table_ipv6.ko (without nft bits)
nft_flow_table_ipv4.ko (with just nft bits)
nft_flow_table_ipv6.ko (with just nft bits)

I'd say the overhead of having all those modules split up is not that
much smaller than the overhead of including ipv6 code in the core module
even when it may not be needed.

By the way, .text size of nf_flow_table_hw.o with IPv4 + IPv6 combined
is less than 3.5 KiB (when compiled for ARM).

- Felix