On 13/10/2024 21:54, Eric Woudstra wrote:
> This patchset makes it possible to set up a (hardware offloaded) fastpath
> for bridged interfaces.
>

The subject and this sentence are misleading, you're talking about
netfilter bridge fastpath offload, please mention it in both places.
When you just say bridge fast path, I think of the software fast path.

> To set up the fastpath with offloading, add this extra flowtable:
>
> table bridge filter {
>         flowtable fb {
>                 hook ingress priority filter
>                 devices = { lan0, lan1, lan2, lan3, lan4, wlan0, wlan1 }
>                 flags offload
>         }
>         chain forward {
>                 type filter hook forward priority filter; policy accept;
>                 ct state established flow add @fb
>         }
> }
>
> Creating a separate fastpath for bridges.
>
>            forward fastpath bypass
>   .----------------------------------------.
>  /                                          \
>  |                        IP - forwarding   |
>  |                       /               \  v
>  |                      /                  wan ...
>  |                     /
>  |                    |
>  |                    |
>  |                 brlan.1
>  |                    |
>  |    +-------------------------------+
>  |    |            vlan 1             |
>  |    |                               |
>  |    |    brlan (vlan-filtering)     |
>  |    +---------------+               |
>  |    |  DSA-SWITCH   |               |
>  |    |               |    vlan 1     |
>  |    |               |      to       |
>  |    |    vlan 1     |   untagged    |
>  |    +---------------+---------------+
>  .           /              \
>   ------>lan0              wlan1
>  .         ^                 ^
>  .         |                 |
>  .         \_________________/
>  .       bridge fastpath bypass
>  .
>  ^
> vlan 1 tagged packets
>
> To have the ability to handle xmit direct with outgoing encaps in the
> bridge fastpath bypass, we need to be able to handle them without going
> through vlan/pppoe devices. So I've applied, amended and squashed wenxu's
> patchset. This patch also makes it possible to egress from vlan-filtering
> brlan to lan0 with vlan tagged packets, if the bridge master port is doing
> the vlan tagging, instead of the vlan-device. Without this patch, this is
> not possible in the bridge-fastpath and also not in the forward-fastpath,
> as seen in the figure above.
>
> There are also some more fixes for filling in the forward path. These
> fixes also apply to the forward-fastpath. They include handling
> DEV_PATH_MTK_WDMA in nft_dev_path_info() and avoiding
> DEV_PATH_BR_VLAN_UNTAG_HW for bridges with ports that use dsa.
>
> Conntrack bridge only tracks untagged and 802.1q. To make the bridge
> fastpath experience more similar to the forward fastpath experience,
> I've added double vlan, pppoe and pppoe-in-q tagged packets to bridge
> conntrack and to bridge filter chain.
>
> Eric Woudstra (12):
>   netfilter: nf_flow_table_offload: Add nf_flow_encap_push() for xmit
>     direct
>   netfilter: bridge: Add conntrack double vlan and pppoe
>   netfilter: nft_chain_filter: Add bridge double vlan and pppoe
>   bridge: br_vlan_fill_forward_path_pvid: Add port to port
>   bridge: br_fill_forward_path add port to port
>   net: core: dev: Add dev_fill_bridge_path()
>   netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge()
>   netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge
>   netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate
>   netfilter: nft_flow_offload: Add DEV_PATH_MTK_WDMA to
>     nft_dev_path_info()
>   bridge: br_vlan_fill_forward_path_mode no _UNTAG_HW for dsa
>   netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval()
>
>  include/linux/netdevice.h                  |   2 +
>  include/net/netfilter/nf_flow_table.h      |   3 +
>  net/bridge/br_device.c                     |  20 ++-
>  net/bridge/br_private.h                    |   2 +
>  net/bridge/br_vlan.c                       |  24 +++-
>  net/bridge/netfilter/nf_conntrack_bridge.c |  86 ++++++++++--
>  net/core/dev.c                             |  77 +++++++++--
>  net/netfilter/nf_flow_table_inet.c         |  13 ++
>  net/netfilter/nf_flow_table_ip.c           |  96 ++++++++++++-
>  net/netfilter/nf_flow_table_offload.c      |  13 ++
>  net/netfilter/nft_chain_filter.c           |  20 ++-
>  net/netfilter/nft_flow_offload.c           | 154 +++++++++++++++++++--
>  12 files changed, 463 insertions(+), 47 deletions(-)
>