On 2021/4/9 17:31, Pablo Neira Ayuso wrote:
> On Fri, Apr 09, 2021 at 10:27:17AM +0200, Pablo Neira Ayuso wrote:
>> On Fri, Apr 09, 2021 at 01:03:49PM +0800, wenxu@xxxxxxxxx wrote:
>>> From: wenxu <wenxu@xxxxxxxxx>
>>>
>>> For the vlan packet the h_vlan_encapsulated_proto should be set
>>> on the flow_dissector_key_basic->n_porto flow_dissector.
>>>
>>> Fixes: a82055af5959 ("netfilter: nft_payload: add VLAN offload support")
>>> Fixes: 89d8fd44abfb ("netfilter: nft_payload: add C-VLAN offload support")
>>> Signed-off-by: wenxu <wenxu@xxxxxxxxx>
>>> --- >>> net/netfilter/nft_payload.c | 8 ++++---- >>> 1 file changed, 4 insertions(+), 4 deletions(-) >>> >>> diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c >>> index cb1c8c2..84c5ecc 100644 >>> --- a/net/netfilter/nft_payload.c >>> +++ b/net/netfilter/nft_payload.c 
>>> @@ -233,8 +233,8 @@ static int nft_payload_offload_ll(struct nft_offload_ctx *ctx, >>> if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16))) >>> return -EOPNOTSUPP; >>> >>> - NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_VLAN, vlan, >>> - vlan_tpid, sizeof(__be16), reg); >>> + NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, >>> + n_proto, sizeof(__be16), reg); 
>> nftables already sets KEY_BASIC accordingly to 0x8100.
>>
>> # nft --debug=netlink add rule netdev x y vlan id 100
>> netdev
>> [ meta load iiftype => reg 1 ]
>> [ cmp eq reg 1 0x00000001 ]
>> [ payload load 2b @ link header + 12 => reg 1 ]
>> [ cmp eq reg 1 0x00000081 ] <----------------------------- HERE
>> [ payload load 2b @ link header + 14 => reg 1 ]
>> [ bitwise reg 1 = ( reg 1 & 0x0000ff0f ) ^ 0x00000000 ]
>> [ cmp eq reg 1 0x00006400 ]
>>
>> What are you trying to fix?

First, the vlan_tpid of KEY_VLAN is not the representation of
h_vlan_encapsulated_proto, so this needs to be fixed. Just see
fl_set_key in cls_flower.c:

fl_set_key-->fl_set_key_vlan (passes the ethernet type of the vlan to
vlan_tpid, which is normally 0x8100)

Then, if the rule matches the h_vlan_encapsulated_proto (normally
ipv4/6), the h_vlan_encapsulated_proto will be set to the n_proto of
BASIC_KEY.

Also see the fl_set_key in the cls_flower.c

    if (tb[TCA_FLOWER_KEY_ETH_TYPE]) {
        ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_ETH_TYPE]);

        if (eth_type_vlan(ethertype)) {
            fl_set_key_vlan(tb, ethertype, TCA_FLOWER_KEY_VLAN_ID,
                            TCA_FLOWER_KEY_VLAN_PRIO, &key->vlan,
                            &mask->vlan);

            if (tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]) { <----------------------------- HERE
                ethertype = nla_get_be16(tb[TCA_FLOWER_KEY_VLAN_ETH_TYPE]);
                if (eth_type_vlan(ethertype)) {
                    fl_set_key_vlan(tb, ethertype,
                                    TCA_FLOWER_KEY_CVLAN_ID,
                                    TCA_FLOWER_KEY_CVLAN_PRIO,
                                    &key->cvlan, &mask->cvlan);
                    fl_set_key_val(tb, &key->basic.n_proto,
                                   TCA_FLOWER_KEY_CVLAN_ETH_TYPE, <----------------------------- HERE
                                   &mask->basic.n_proto,
                                   TCA_FLOWER_UNSPEC,
                                   sizeof(key->basic.n_proto));
                } else {
                    key->basic.n_proto = ethertype; <----------------------------- HERE
                    mask->basic.n_proto = cpu_to_be16(~0);
                }
            }
        } else {
            key->basic.n_proto = ethertype;
            mask->basic.n_proto = cpu_to_be16(~0);
        }
    }

BR
wenxu

> Could you provide a rule that works for tc offload with vlan? I'd like
> to check what internal representation is triggering in the kernel.
>
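Review bot: Nothing in the visible hunk of nft_payload_offload_ll sets vlan_tpid once the NFT_OFFLOAD_MATCH at the `+` lines targets basic.n_proto, while the reply in the thread shows a `vlan id` rule already comparing the ethertype at link header + 12 against 0x8100 and says that value lands in KEY_BASIC. A rule that also matches the encapsulated protocol would then set n_proto twice with different values. Consider moving the outer ethertype to vlan_tpid in the same series, as the quoted cls_flower code does, or explaining in the commit message which value n_proto is expected to hold; the message also misspells the field as "n_porto".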
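An added illustration, not part of the thread or of kernel code: a small C program that splits a constructed 802.1Q frame into the three values discussed above (vlan_tpid, VLAN id, n_proto) and reproduces the register constants from the nft --debug=netlink output, assuming a little-endian host. The struct and function names are hypothetical, and only TPID 0x8100 is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the dissector fields named in the thread. */
struct vlan_keys {
    uint16_t vlan_tpid; /* the tag's own ethertype, 0x8100 for 802.1Q */
    uint16_t vlan_id;   /* low 12 bits of the TCI */
    uint16_t n_proto;   /* h_vlan_encapsulated_proto, e.g. 0x0800 */
};

/* Constructed frame: dst MAC, src MAC, TPID 0x8100, TCI (id 100), IPv4. */
static const uint8_t sample_frame[18] = {
    0x02, 0, 0, 0, 0, 0x01, 0x02, 0, 0, 0, 0, 0x02,
    0x81, 0x00, 0x00, 0x64, 0x08, 0x00,
};

static uint16_t be16_at(const uint8_t *p, size_t off)
{
    return (uint16_t)((p[off] << 8) | p[off + 1]);
}

/* Two wire bytes as a 32-bit register prints on a little-endian host. */
static uint32_t nft_reg_at(const uint8_t *p, size_t off)
{
    return (uint32_t)p[off] | ((uint32_t)p[off + 1] << 8);
}

/* Split as the thread describes cls_flower: TPID apart from n_proto. */
static int dissect_vlan(const uint8_t *f, size_t len, struct vlan_keys *k)
{
    if (len < 18 || be16_at(f, 12) != 0x8100)
        return -1;                          /* too short or not 802.1Q */
    k->vlan_tpid = be16_at(f, 12);          /* link header + 12 */
    k->vlan_id   = be16_at(f, 14) & 0x0fff; /* link header + 14 */
    k->n_proto   = be16_at(f, 16);          /* link header + 16 */
    return 0;
}

int main(void)
{
    struct vlan_keys k;
    if (dissect_vlan(sample_frame, sizeof(sample_frame), &k))
        return 1;
    printf("tpid=0x%04x id=%u n_proto=0x%04x reg@12=0x%08x\n",
           (unsigned)k.vlan_tpid, (unsigned)k.vlan_id,
           (unsigned)k.n_proto, (unsigned)nft_reg_at(sample_frame, 12));
    return 0;
}
```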