On 1/19/2020 4:01 AM, Pablo Neira Ayuso wrote:
> On Tue, Jan 14, 2020 at 06:00:38PM +0800, wenxu@xxxxxxxxx wrote:
> [...] >> @@ -891,10 +909,76 @@ int nf_flow_table_offload_setup(struct nf_flowtable *flowtable, >> } >> EXPORT_SYMBOL_GPL(nf_flow_table_offload_setup); >> >> +static struct nf_flowtable *__nf_flow_table_offload_get(struct net_device *dev) >> +{ >> + struct nf_flowtable *n_flowtable; >> + struct nft_flowtable *flowtable; >> + struct net *net = dev_net(dev); >> + struct nft_table *table; >> + struct nft_hook *hook; >> + >> + list_for_each_entry(table, &net->nft.tables, list) { >> + list_for_each_entry(flowtable, &table->flowtables, list) { >> + list_for_each_entry(hook, &flowtable->hook_list, list) { >> + if (hook->ops.dev != dev) >> + continue; >> + >> + n_flowtable = &flowtable->data; >> + return n_flowtable; >> + } >> + } >> + } >> + >> + return NULL; >> +}
> This assumes that there is a one to one mapping between flowtable and
> netdevices. Actually, there might be several flowtables to the same
> netdevice.

Currently with hardware offload a device can only bind with one indr flow-block, so it also can only bind with one flowtable. Maybe it only needs to check whether the flowtable has the flag NF_FLOWTABLE_HW_OFFLOAD?

>
> I'm still looking, it will take me a while to figure out where to go,
> please stay tuned.
>
> Thank you.
>
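
Review bot: the three nested list_for_each_entry() walks in __nf_flow_table_offload_get() (net->nft.tables, table->flowtables, flowtable->hook_list) run with no lock taken and no assertion that the caller holds one, and the function returns &flowtable->data without taking a reference, so nothing visible in this hunk keeps the lists stable during the walk or the flowtable alive while the caller uses the result. Please state in a comment which lock the caller must hold, or add a lockdep assertion at the top of the function. The loop also returns on the first hook whose ops.dev matches, so any further flowtable hooked to the same device is never considered. As a style point, the local n_flowtable can be dropped in favour of returning &flowtable->data directly.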