[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20190515194556.GA2190@nanopsycho.orion>
Date: Wed, 15 May 2019 21:45:56 +0200
From: Jiri Pirko <jiri@...nulli.us>
To: Pablo Neira Ayuso <pablo@...filter.org>
Cc: netfilter-devel@...r.kernel.org, davem@...emloft.net,
netdev@...r.kernel.org, thomas.lendacky@....com,
f.fainelli@...il.com, ariel.elior@...ium.com,
michael.chan@...adcom.com, santosh@...lsio.com,
madalin.bucur@....com, yisen.zhuang@...wei.com,
salil.mehta@...wei.com, jeffrey.t.kirsher@...el.com,
tariqt@...lanox.com, saeedm@...lanox.com, jiri@...lanox.com,
idosch@...lanox.com, jakub.kicinski@...ronome.com,
peppe.cavallaro@...com, grygorii.strashko@...com, andrew@...n.ch,
vivien.didelot@...oirfairelinux.com, alexandre.torgue@...com,
joabreu@...opsys.com, linux-net-drivers@...arflare.com,
ganeshgr@...lsio.com, ogerlitz@...lanox.com,
Manish.Chopra@...ium.com, marcelo.leitner@...il.com,
mkubecek@...e.cz, venkatkumar.duvvuru@...adcom.com,
julia.lawall@...6.fr, john.fastabend@...il.com
Subject: Re: [PATCH net-next,RFC 2/2] netfilter: nf_tables: add hardware
offload support
Wed, May 15, 2019 at 11:13:26AM CEST, pablo@...filter.org wrote:
>On Wed, May 15, 2019 at 01:03:31AM +0200, Pablo Neira Ayuso wrote:
>> On Tue, May 14, 2019 at 07:01:08PM +0200, Jiri Pirko wrote:
>> > Thu, May 09, 2019 at 06:39:51PM CEST, pablo@...filter.org wrote:
>> > >This patch adds hardware offload support for nftables through the
>> > >existing netdev_ops->ndo_setup_tc() interface, the TC_SETUP_CLSFLOWER
>> > >classifier and the flow rule API. This hardware offload support is
>> > >available for the NFPROTO_NETDEV family and the ingress hook.
>> > >
>> > >Each nftables expression has a new ->offload interface, that is used to
>> > >populate the flow rule object that is attached to the transaction
>> > >object.
>> > >
>> > >There is a new per-table NFT_TABLE_F_HW flag, that is set on to offload
>> > >an entire table, including all of its chains.
>> > >
>> > >This patch supports for basic metadata (layer 3 and 4 protocol numbers),
>> > >5-tuple payload matching and the accept/drop actions; this also includes
>> > >basechain hardware offload only.
>> > >
>> > >Signed-off-by: Pablo Neira Ayuso <pablo@...filter.org>
>> >
>> > [...]
>> >
>> > >+static int nft_flow_offload_chain(struct nft_trans *trans,
>> > >+ enum flow_block_command cmd)
>> > >+{
>> > >+ struct nft_chain *chain = trans->ctx.chain;
>> > >+ struct netlink_ext_ack extack = {};
>> > >+ struct flow_block_offload bo = {};
>> > >+ struct nft_base_chain *basechain;
>> > >+ struct net_device *dev;
>> > >+ int err;
>> > >+
>> > >+ if (!nft_is_base_chain(chain))
>> > >+ return -EOPNOTSUPP;
>> > >+
>> > >+ basechain = nft_base_chain(chain);
>> > >+ dev = basechain->ops.dev;
>> > >+ if (!dev)
>> > >+ return -EOPNOTSUPP;
>> > >+
>> > >+ bo.command = cmd;
>> > >+ bo.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
>> > >+ bo.block_index = (u32)trans->ctx.chain->handle;
>> > >+ bo.extack = &extack;
>> > >+ INIT_LIST_HEAD(&bo.cb_list);
>> > >+
>> > >+ err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
>> >
>> > Okay, so you pretend to be clsact-ingress-flower. That looks fine.
>> > But how do you ensure that the real one does not bind a block on the
>> > same device too?
>>
>> I could store the interface index in the block_cb object, then use the
>> tuple [ cb, cb_ident, ifindex ] to check if the block is already bound
>> by when flow_block_cb_alloc() is called.
>
>Actually cb_ident would be sufficient. One possibility would be to
That is what I wrote :)
>extend flow_block_cb_alloc() to check for an existing binding.
>
>diff --git a/net/core/flow_offload.c b/net/core/flow_offload.c
>index cf984ef05609..44172014cebe 100644
>--- a/net/core/flow_offload.c
>+++ b/net/core/flow_offload.c
>@@ -193,9 +193,15 @@ struct flow_block_cb *flow_block_cb_alloc(u32 block_index, tc_setup_cb_t *cb,
> {
> struct flow_block_cb *block_cb;
>
>+ list_for_each_entry(block_cb, &flow_block_cb_list, list) {
>+ if (block_cb->cb == cb &&
>+ block_cb->cb_ident == cb_ident)
>+ return ERR_PTR(-EBUSY);
>+ }
>+
> block_cb = kzalloc(sizeof(*block_cb), GFP_KERNEL);
> if (!block_cb)
>- return NULL;
>+ return ERR_PTR(-ENOMEM);
>
> block_cb->cb = cb;
> block_cb->cb_ident = cb_ident;
>
>Thanks.
Powered by blists - more mailing lists