Re: [PATCH nf-next] netfilter: nf_tables_offload: allow ethernet interface type only


 



On 10/29/2019 6:40 PM, Pablo Neira Ayuso wrote:
> @@ -113,6 +114,7 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
>  			     const struct nft_cmp_expr *priv)
>  {
>  	struct nft_offload_reg *reg = &ctx->regs[priv->sreg];
> +	static u16 iftype_ether = ARPHRD_ETHER;
>  	u8 *mask = (u8 *)&flow->match.mask;
>  	u8 *key = (u8 *)&flow->match.key;
>  
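Review bot: `iftype_ether` on the added line is declared `static u16` but is never written after initialisation, so it should be `static const u16 iftype_ether = ARPHRD_ETHER;` — a non-const function-static is a mutable object with file lifetime that later code could modify by mistake, and `const` also lets the compiler keep it in read-only data. The shift in the hunk header (+113 to +114) suggests an include for ARPHRD_ETHER was added further up, but that part is not shown here. __nft_cmp_offload's body continues past this hunk.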
> @@ -125,6 +127,11 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
>  	flow->match.dissector.used_keys |= BIT(reg->key);
>  	flow->match.dissector.offset[reg->key] = reg->base_offset;
>  
> +	if (reg->key == FLOW_DISSECTOR_KEY_META &&
> +	    reg->offset == offsetof(struct nft_flow_key, meta.ingress_iftype) &&
> +	    memcmp(&priv->data, &iftype_ether, priv->len))
Maybe it would be better to check that priv->len == sizeof(u16)?
> +		return -EOPNOTSUPP;
> +
>  	nft_offload_update_dependency(ctx, &priv->data, priv->len);
>  
>  	return 0;
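Review bot: The new check on the added lines keys only on the value in priv->data, not on the comparison operator, so unless priv->op is already restricted to NFT_CMP_EQ earlier in __nft_cmp_offload (the function's start is above this hunk and not visible here), a `meta iiftype != ether` rule carries ARPHRD_ETHER in priv->data, passes the memcmp and is offloaded with the opposite meaning. If that restriction does exist above, a short comment on the new block would save the next reader the lookup, e.g. `/* only EQ is offloadable (rejected above), so refusing data != ARPHRD_ETHER is sufficient */`. nft_offload_update_dependency and the rest of the function follow the new block unchanged.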
> diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
> index 8fd21f436347..6fb6a6778e68 100644
> --- a/net/netfilter/nft_meta.c
> +++ b/net/netfilter/nft_meta.c
> @@ -551,6 +551,10 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
>  		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
>  				  ingress_ifindex, sizeof(__u32), reg);
>  		break;
> +	case NFT_META_IIFTYPE:
> +		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
> +				  ingress_iftype, sizeof(__u16), reg);
> +		break;
>  	default:
>  		return -EOPNOTSUPP;
>  	}
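Review bot: The new NFT_META_IIFTYPE case would benefit from a comment stating that the match is intentionally narrower than a generic u16 key suggests, since the nft_cmp offload in this same patch refuses any value other than ARPHRD_ETHER; e.g. `/* only ARPHRD_ETHER is offloadable; the cmp side rejects other values */` above the NFT_OFFLOAD_MATCH line. Without it a reader of nft_meta.c alone sees a plain 16-bit meta match and may assume other interface types are supported by hardware. nft_meta_get_offload starts and ends outside this hunk.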



