Commit 8bb69f3b authored by Pablo Neira Ayuso, committed by David S. Miller

netfilter: nf_tables: add flowtable offload control plane



This patch adds the NFTA_FLOWTABLE_FLAGS attribute that allows users to
specify the NF_FLOWTABLE_HW_OFFLOAD flag. This patch also adds a new
setup interface for the flowtable type to perform the flowtable offload
block callback configuration.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent f1363e05
+18 −0
@@ -8,6 +8,7 @@
#include <linux/rcupdate.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <net/flow_offload.h>
#include <net/dst.h>

struct nf_flowtable;
@@ -16,17 +17,27 @@ struct nf_flowtable_type {
	struct list_head		list;
	int				family;
	int				(*init)(struct nf_flowtable *ft);
	int				(*setup)(struct nf_flowtable *ft,
						 struct net_device *dev,
						 enum flow_block_command cmd);
	void				(*free)(struct nf_flowtable *ft);
	nf_hookfn			*hook;
	struct module			*owner;
};

enum nf_flowtable_flags {
	NF_FLOWTABLE_HW_OFFLOAD		= 0x1,
};

struct nf_flowtable {
	struct list_head		list;
	struct rhashtable		rhashtable;
	int				priority;
	const struct nf_flowtable_type	*type;
	struct delayed_work		gc_work;
	unsigned int			flags;
	struct flow_block		flow_block;
	possible_net_t			net;
};

enum flow_offload_tuple_dir {
@@ -131,4 +142,11 @@ unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
#define MODULE_ALIAS_NF_FLOWTABLE(family)	\
	MODULE_ALIAS("nf-flowtable-" __stringify(family))

static inline int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
					      struct net_device *dev,
					      enum flow_block_command cmd)
{
	return 0;
}

#endif /* _NF_FLOW_TABLE_H */
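Review bot: The inline `nf_flow_table_offload_setup()` stub added at the end of this header returns 0 unconditionally, so as far as this page shows, a flowtable carrying NF_FLOWTABLE_HW_OFFLOAD is reported as set up while no offload block callback is configured. If that is a deliberate placeholder, say so above the stub, for example `/* Placeholder: hardware offload is not wired up yet; setting NF_FLOWTABLE_HW_OFFLOAD has no effect. */`. The new `setup` member of struct nf_flowtable_type is also undocumented, and its call site is not visible here. A type that leaves `.setup` NULL would be dereferenced unless the caller checks, so either add a one-line comment stating that the callback is mandatory (the ipv4, ipv6 and inet types on this page all set it) or add a NULL check at the call site.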
+2 −0
@@ -1518,6 +1518,7 @@ enum nft_object_attributes {
 * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
 * @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
 * @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
 * @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
 */
enum nft_flowtable_attributes {
	NFTA_FLOWTABLE_UNSPEC,
@@ -1527,6 +1528,7 @@ enum nft_flowtable_attributes {
	NFTA_FLOWTABLE_USE,
	NFTA_FLOWTABLE_HANDLE,
	NFTA_FLOWTABLE_PAD,
	NFTA_FLOWTABLE_FLAGS,
	__NFTA_FLOWTABLE_MAX
};
#define NFTA_FLOWTABLE_MAX	(__NFTA_FLOWTABLE_MAX - 1)
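Review bot: NFTA_FLOWTABLE_FLAGS is documented only as `flags (NLA_U32)`, and the one flag value, NF_FLOWTABLE_HW_OFFLOAD, is defined in the other header on this page rather than in this file, so the comment gives no indication of which bits are valid. I would write the kernel-doc line as `* @NFTA_FLOWTABLE_FLAGS: bitmask of flowtable flags; only NF_FLOWTABLE_HW_OFFLOAD (0x1) is defined (NLA_U32)`. The code that parses the attribute is not visible on this page. Because the value arrives over netlink and is stored in `unsigned int flags`, the parser should reject any bit outside the defined set, so that flags added later do not change the meaning of requests that are accepted today. Appending the attribute after NFTA_FLOWTABLE_PAD keeps the existing attribute numbers unchanged.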
+1 −0
@@ -9,6 +9,7 @@
static struct nf_flowtable_type flowtable_ipv4 = {
	.family		= NFPROTO_IPV4,
	.init		= nf_flow_table_init,
	.setup		= nf_flow_table_offload_setup,
	.free		= nf_flow_table_free,
	.hook		= nf_flow_offload_ip_hook,
	.owner		= THIS_MODULE,
+1 −0
@@ -10,6 +10,7 @@
static struct nf_flowtable_type flowtable_ipv6 = {
	.family		= NFPROTO_IPV6,
	.init		= nf_flow_table_init,
	.setup		= nf_flow_table_offload_setup,
	.free		= nf_flow_table_free,
	.hook		= nf_flow_offload_ipv6_hook,
	.owner		= THIS_MODULE,
+1 −0
@@ -24,6 +24,7 @@ nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb,
static struct nf_flowtable_type flowtable_inet = {
	.family		= NFPROTO_INET,
	.init		= nf_flow_table_init,
	.setup		= nf_flow_table_offload_setup,
	.free		= nf_flow_table_free,
	.hook		= nf_flow_offload_inet_hook,
	.owner		= THIS_MODULE,