Hi,

Flowtable allows you to enable a fast forwarding path (packets bypass
the classic forwarding path), e.g.

  table inet filter {
          flowtable fastpath {
                  hook ingress priority 0
                  devices = { eth0, eth1 }
          }
          chain forward {
                  type filter hook forward priority 0; policy accept;
                  ip protocol { tcp , udp } flow offload @fastpath;
          }
  }

The ruleset above places TCP and UDP flows in the "fastpath" flowtable.
Flowtables integrate nicely with NAT and lightweight tunnels.

This patchset implements dynamic device updates for flowtables:

Patch #1 generalises the flowtable hook parser to take a hook list.

Patch #2 passes a hook list to the flowtable hook registration/unregistration.

Patch #3 adds a helper function to release the flowtable hook list.

Patch #4 updates the flowtable event notifier to pass a flowtable hook list.

Patch #5 allows users to add new devices to an existing flowtable.

Patch #6 allows users to remove devices from an existing flowtable.

Patch #7 allows registering a flowtable with no initial devices.

This allows users to register a flowtable with no devices:

  nft add flowtable x y { hook ingress priority 0\; }

then, add dynamic devices as they show up:

  nft add flowtable x y { devices = { ppp0, eth1 } \; }

Devices that go away are automagically removed from the flowtable.

Pablo Neira Ayuso (7):
  netfilter: nf_tables: generalise flowtable hook parsing
  netfilter: nf_tables: pass hook list to nft_{un,}register_flowtable_net_hooks()
  netfilter: nf_tables: add nft_flowtable_hooks_destroy()
  netfilter: nf_tables: pass hook list to flowtable event notifier
  netfilter: nf_tables: add devices to existing flowtable
  netfilter: nf_tables: delete devices from flowtable
  netfilter: nf_tables: allow to register flowtable with no devices

 include/net/netfilter/nf_tables.h |   7 +
 net/netfilter/nf_tables_api.c     | 304 ++++++++++++++++++++++++------
 2 files changed, 253 insertions(+), 58 deletions(-)

--
2.20.1