Introduce a netfilter egress hook to allow filtering outbound AF_PACKETs
such as DHCP and to prepare for in-kernel NAT64/NAT46.

An earlier version of this series was applied by Pablo Neira Ayuso back
in March and subsequently reverted by Daniel Borkmann over performance
concerns. I've now reworked the series following a discussion between
Daniel and Florian Westphal:

https://lore.kernel.org/netdev/20200318123315.GI979@xxxxxxxxxxxxx/

Briefly, traffic control and netfilter handling is moved out of the
__dev_queue_xmit() hotpath into a noinline function which is dynamically
patched in using a static_key. In that function, each of tc and nft are
patched in with additional static_keys. Thus, if neither tc nor nft is
used, performance improves compared to the status quo (see measurements
in patch [3/3]).

However if tc is used, performance degrades a little due to the
"noinline", the additional outer static key and the added netfilter
code. That's kind of a bummer. If anyone has ideas how to mitigate this
performance degradation, please come forward.

To test the new netfilter egress hook, apply this nft patch to add rules
from user space:

https://lore.kernel.org/netfilter-devel/d6b6896fdd8408e4ddbd66ab524709e5cf82ea32.1583929080.git.lukas@xxxxxxxxx/

Thanks!


Lukas Wunner (3):
  netfilter: Rename ingress hook include file
  netfilter: Generalize ingress hook
  netfilter: Introduce egress hook

 include/linux/netdevice.h         |   8 +++
 include/linux/netfilter_ingress.h |  58 -----------------
 include/linux/netfilter_netdev.h  | 102 ++++++++++++++++++++++++++++++
 include/linux/rtnetlink.h         |   2 +-
 include/uapi/linux/netfilter.h    |   1 +
 net/core/dev.c                    |  56 +++++++++++++---
 net/netfilter/Kconfig             |   8 +++
 net/netfilter/core.c              |  24 +++++--
 net/netfilter/nft_chain_filter.c  |   4 +-
 net/sched/Kconfig                 |   3 +
 10 files changed, 194 insertions(+), 72 deletions(-)
 delete mode 100644 include/linux/netfilter_ingress.h
 create mode 100644 include/linux/netfilter_netdev.h

-- 
2.27.0
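As an added example (not part of this series or of the linked nft patch), here is a ruleset for the use case named at the top of the cover letter: filtering DHCP that leaves the host from an AF_PACKET socket and therefore never passes the ip/inet output hooks, so only a netdev-family egress chain can see it. The chain syntax assumes the `hook egress` keyword that later landed in upstream nftables; the patch linked above may differ in detail, and the interface name is a placeholder.

```nft
#!/usr/sbin/nft -f
# Added example, not from the kernel series or the nft patch it references.
# Goal: a workstation should never answer DHCP requests, so drop DHCP
# server -> client replies leaving the interface and count/log them so a
# rogue-DHCP service can be detected. "eth0" is a placeholder name.
table netdev egress_filter {
    chain egress {
        # 'hook egress' assumes the upstream nftables syntax for this hook.
        type filter hook egress device "eth0" priority 0; policy accept;

        # DHCP server -> client traffic is UDP sport 67 -> dport 68.
        # Senders using AF_PACKET bypass the ip/inet output hooks, so this
        # netdev egress chain is the only place such frames are visible.
        udp sport 67 udp dport 68 counter log prefix "egress-dhcp-drop: " drop

        # Everything else is accepted by the chain policy.
    }
}
```

Load it with `nft -f <file>` and read the hit counter back with `nft list chain netdev egress_filter egress`; a non-zero counter on a host that is not supposed to serve DHCP is the detection signal, and the `log` prefix makes the event easy to pick out of the kernel log.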