Currently traffic that hits the SW offloading path is not accounted for
and the conntrack counters will only show the first packet of the flow.
This patch adds a small helper function that gets called from the nf_hooks,
updating the accounting counters.
Signed-off-by: John Crispin <john@xxxxxxxxxxx>
---
include/net/netfilter/nf_flow_table.h | 2 ++
net/netfilter/nf_flow_table_core.c | 18 ++++++++++++++++++
net/netfilter/nf_flow_table_ip.c | 3 +++
3 files changed, 23 insertions(+)
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index ba9fa4592f2b..ee5f5817fb12 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -125,6 +125,8 @@ unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state);
+void nf_flow_offload_acct(struct flow_offload *flow, struct sk_buff *skb,
+ int dir);
#define MODULE_ALIAS_NF_FLOWTABLE(family) \
MODULE_ALIAS("nf-flowtable-" __stringify(family))
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index eb0d1658ac05..08ca7c888295 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -11,6 +11,7 @@
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_tuple.h>
+#include <net/netfilter/nf_conntrack_acct.h>
struct flow_offload_entry {
struct flow_offload flow;
@@ -151,6 +152,23 @@ void flow_offload_free(struct flow_offload *flow)
}
EXPORT_SYMBOL_GPL(flow_offload_free);
+void nf_flow_offload_acct(struct flow_offload *flow, struct sk_buff *skb,
+ int dir)
+{
+ struct flow_offload_entry *entry;
+ struct nf_conn_acct *acct;
+
+ entry = container_of(flow, struct flow_offload_entry, flow);
+ acct = nf_conn_acct_find(entry->ct);
+ if (acct) {
+ struct nf_conn_counter *counter = acct->counter;
+
+ atomic64_inc(&counter[dir].packets);
+ atomic64_add(skb->len, &counter[dir].bytes);
+ }
+}
+EXPORT_SYMBOL_GPL(nf_flow_table_acct);
+
static u32 flow_offload_hash(const void *data, u32 len, u32 seed)
{
const struct flow_offload_tuple *tuple = data;
diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c
index 15ed91309992..3d509e6cc607 100644
--- a/net/netfilter/nf_flow_table_ip.c
+++ b/net/netfilter/nf_flow_table_ip.c
@@ -11,6 +11,7 @@
#include <net/ip6_route.h>
#include <net/neighbour.h>
#include <net/netfilter/nf_flow_table.h>
+
/* For layer 4 checksum field offset. */
#include <linux/tcp.h>
#include <linux/udp.h>
@@ -266,6 +267,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr);
skb_dst_set_noref(skb, &rt->dst);
neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);
+ nf_flow_offload_acct(flow, skb, dir);
return NF_STOLEN;
}
@@ -483,6 +485,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
skb_dst_set_noref(skb, &rt->dst);
neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
+ nf_flow_offload_acct(flow, skb, dir);
return NF_STOLEN;
}
--
2.11.0
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
