From: wenxu <wenxu@xxxxxxxxx>
Nf flow table support indr-block setup. It makes flow table offload vlan
and tunnel device.
Signed-off-by: wenxu <wenxu@xxxxxxxxx>
---
v3: rebase to upstream: make flow_indr_ing_block_entry
to flow_indr_block_entry
net/netfilter/nf_flow_table_offload.c | 89 ++++++++++++++++++++++++++++++++++-
1 file changed, 88 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 89eb1a5..39e2edf 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -7,6 +7,7 @@
#include <linux/tc_act/tc_csum.h>
#include <net/flow_offload.h>
#include <net/netfilter/nf_flow_table.h>
+#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_tuple.h>
@@ -841,6 +842,24 @@ static int nf_flow_table_offload_cmd(struct nf_flowtable *flowtable,
return nf_flow_table_block_setup(flowtable, &bo, cmd);
}
+static int nf_flow_table_indr_offload_cmd(struct nf_flowtable *flowtable,
+ struct net_device *dev,
+ enum flow_block_command cmd)
+{
+ struct netlink_ext_ack extack = {};
+ struct flow_block_offload bo;
+
+ nf_flow_table_block_offload_init(&bo, dev_net(dev), cmd, flowtable,
+ &extack);
+
+ flow_indr_block_call(dev, &bo, cmd);
+
+ if (list_empty(&bo.cb_list))
+ return -EOPNOTSUPP;
+
+ return nf_flow_table_block_setup(flowtable, &bo, cmd);
+}
+
int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
struct net_device *dev,
enum flow_block_command cmd)
@@ -853,16 +872,82 @@ int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
if (dev->netdev_ops->ndo_setup_tc)
err = nf_flow_table_offload_cmd(flowtable, dev, cmd);
else
- err = -EOPNOTSUPP;
+ err = nf_flow_table_indr_offload_cmd(flowtable, dev, cmd);
return err;
}
EXPORT_SYMBOL_GPL(nf_flow_table_offload_setup);
+static struct nf_flowtable *__nf_flow_table_offload_get(struct net_device *dev)
+{
+ struct nf_flowtable *n_flowtable;
+ struct nft_flowtable *flowtable;
+ struct net *net = dev_net(dev);
+ struct nft_table *table;
+ struct nft_hook *hook;
+
+ list_for_each_entry(table, &net->nft.tables, list) {
+ list_for_each_entry(flowtable, &table->flowtables, list) {
+ list_for_each_entry(hook, &flowtable->hook_list, list) {
+ if (hook->ops.dev != dev)
+ continue;
+
+ n_flowtable = &flowtable->data;
+ return n_flowtable;
+ }
+ }
+ }
+
+ return NULL;
+}
+
+static void nf_flow_table_indr_block_ing_cmd(struct net_device *dev,
+ struct nf_flowtable *flowtable,
+ flow_indr_block_bind_cb_t *cb,
+ void *cb_priv,
+ enum flow_block_command cmd)
+{
+ struct netlink_ext_ack extack = {};
+ struct flow_block_offload bo;
+
+ if (!flowtable)
+ return;
+
+ nf_flow_table_block_offload_init(&bo, dev_net(dev), cmd, flowtable,
+ &extack);
+
+ cb(dev, cb_priv, TC_SETUP_FT, &bo);
+
+ nf_flow_table_block_setup(flowtable, &bo, cmd);
+}
+
+static void nf_flow_table_indr_block_cb(struct net_device *dev,
+ flow_indr_block_bind_cb_t *cb,
+ void *cb_priv,
+ enum flow_block_command cmd)
+{
+ struct net *net = dev_net(dev);
+ struct nf_flowtable *flowtable;
+
+ mutex_lock(&net->nft.commit_mutex);
+ flowtable = __nf_flow_table_offload_get(dev);
+ if (flowtable)
+ nf_flow_table_indr_block_ing_cmd(dev, flowtable, cb, cb_priv,
+ cmd);
+ mutex_unlock(&net->nft.commit_mutex);
+}
+
+static struct flow_indr_block_entry block_ing_entry = {
+ .cb = nf_flow_table_indr_block_cb,
+ .list = LIST_HEAD_INIT(block_ing_entry.list),
+};
+
int nf_flow_table_offload_init(void)
{
INIT_WORK(&nf_flow_offload_work, flow_offload_work_handler);
+ flow_indr_add_block_cb(&block_ing_entry);
+
return 0;
}
@@ -871,6 +956,8 @@ void nf_flow_table_offload_exit(void)
struct flow_offload_work *offload, *next;
LIST_HEAD(offload_pending_list);
+ flow_indr_del_block_cb(&block_ing_entry);
+
cancel_work_sync(&nf_flow_offload_work);
list_for_each_entry_safe(offload, next, &offload_pending_list, list) {
--
1.8.3.1
