Date:   Tue, 12 Nov 2019 00:29:50 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netfilter-devel@...r.kernel.org
Cc:     davem@...emloft.net, netdev@...r.kernel.org, paulb@...lanox.com,
        ozsh@...lanox.com, majd@...lanox.com, saeedm@...lanox.com
Subject: [PATCH net-next 0/6] netfilter flowtable hardware offload

Hi,

The following patchset adds hardware offload support for the flowtable
infrastructure [1]. This infrastructure provides a fast datapath for
the classic Linux forwarding path that users can enable through policy,
eg.

 table inet x {
       flowtable f {
               hook ingress priority 10 devices = { eth0, eth1 }
               flags offload
       }
       chain y {
               type filter hook forward priority 0; policy accept;
               ip protocol tcp flow offload @f
       }
 }

The example above enables the fastpath for TCP traffic between devices
eth0 and eth1. Users can turn on the hardware offload through the
'offload' flag in the flowtable definition. If this new flag is not
specified, the software flowtable datapath is used.

This patchset is composed of 4 preparation patches:

#1 Move pointer to conntrack object to the flow_offload structure.
#2 Remove useless union from the flow_offload structure.
#3 Remove superfluous flow_offload_entry structure.
#4 Detach routing information from the flow_offload object to leave
   room to extend this infrastructure, eg. accelerate bridge forwarding.

And 2 patches to add the hardware offload control and data planes:

#5 Add the netlink control plane and the interface to set up the flowtable
   hardware offload. This includes a new NFTA_FLOWTABLE_FLAGS netlink
   attribute to convey the optional NF_FLOWTABLE_HW_OFFLOAD flag.
#6 Add the hardware offload datapath: This code uses the flow_offload
   API available at net/core/flow_offload.h to represent the flow
   through two flow_rule objects to configure an exact 5-tuple matching
   on each direction plus the corresponding forwarding actions, that is,
   the MAC address, NAT and checksum updates; and port redirection in
   order to configure the hardware datapath. This patch only supports
   IPv4 and statistics collection for flow aging as an initial step.

This patchset introduces a new flow_block callback type that needs to be
set up to configure the flowtable hardware offload.

The first client of this infrastructure follows up after this batch.
I would like to thank Mellanox for developing the first upstream driver
to use this infrastructure.

Please, apply.

[1] Documentation/networking/nf_flowtable.txt

Pablo Neira Ayuso (6):
  netfilter: nf_flow_table: move conntrack object to struct flow_offload
  netfilter: nf_flow_table: remove union from flow_offload structure
  netfilter: nf_flowtable: remove flow_offload_entry structure
  netfilter: nf_flow_table: detach routing information from flow description
  netfilter: nf_tables: add flowtable offload control plane
  netfilter: nf_flow_table: hardware offload support

 include/linux/netdevice.h                |   1 +
 include/net/netfilter/nf_flow_table.h    |  60 ++-
 include/uapi/linux/netfilter/nf_tables.h |   2 +
 net/ipv4/netfilter/nf_flow_table_ipv4.c  |   2 +
 net/ipv6/netfilter/nf_flow_table_ipv6.c  |   2 +
 net/netfilter/Makefile                   |   3 +-
 net/netfilter/nf_flow_table_core.c       | 173 ++++---
 net/netfilter/nf_flow_table_inet.c       |   2 +
 net/netfilter/nf_flow_table_offload.c    | 758 +++++++++++++++++++++++++++++++
 net/netfilter/nf_tables_api.c            |  21 +-
 net/netfilter/nft_flow_offload.c         |   5 +-
 11 files changed, 955 insertions(+), 74 deletions(-)
 create mode 100644 net/netfilter/nf_flow_table_offload.c

-- 
2.11.0
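The cover letter describes the offload data plane as two flow_rule objects, one per direction, each carrying an exact 5-tuple match plus the MAC rewrite, NAT, checksum and port-redirect actions. The following is an added software model of that representation, not code from the patchset or the kernel: it derives the per-direction actions from a constructed conntrack-style entry (original and reply tuples) and shows that an offloaded flow is matched exactly and never reaches the classic forwarding path. All names in it (FlowTuple, FlowSide, HwRule, build_offload_rules, lookup, apply_rule, forward) and the addresses are illustrative assumptions, not the kernel's flow_rule API.

```python
"""Model of how one flowtable entry becomes two hardware offload rules.

Added example, not code from the netfilter patchset: every class and
function name here is an illustrative assumption, not the kernel API.
"""
from dataclasses import dataclass, replace
from typing import Optional

# Fields a NAT mapping may rewrite; a difference becomes a 'set' action.
NAT_FIELDS = ("src_ip", "dst_ip", "src_port", "dst_port")


@dataclass(frozen=True)
class FlowTuple:
    """Exact 5-tuple carried by a packet (IPv4/TCP only, as in the patch)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str = "tcp"

    def inverted(self) -> "FlowTuple":
        """The same flow as seen from the opposite direction."""
        return FlowTuple(self.dst_ip, self.src_ip, self.dst_port,
                         self.src_port, self.proto)


@dataclass(frozen=True)
class FlowSide:
    """One direction of a conntrack entry as it arrives on a device."""
    in_dev: str
    ingress: FlowTuple
    out_dev: str
    next_hop_mac: str


@dataclass(frozen=True)
class HwRule:
    """One hardware rule: exact match on an ingress device plus actions."""
    in_dev: str
    match: FlowTuple
    actions: tuple


def build_offload_rules(orig: FlowSide, reply: FlowSide) -> tuple:
    """Derive the two per-direction rules from a conntrack-style entry.

    A packet leaving in one direction must look like the inverse of what
    the other direction receives, so every differing NAT field becomes a
    'set' action, followed by a checksum update, the next-hop MAC rewrite
    and the redirect to the egress port. (Constructed model, not the
    kernel's derivation code.)
    """
    def one(side: FlowSide, other: FlowSide) -> HwRule:
        egress = other.ingress.inverted()
        actions = []
        for field in NAT_FIELDS:
            if getattr(side.ingress, field) != getattr(egress, field):
                actions.append(("set", field, getattr(egress, field)))
        if actions:
            actions.append(("csum",))
        actions.append(("mac", side.next_hop_mac))
        actions.append(("redirect", side.out_dev))
        return HwRule(side.in_dev, side.ingress, tuple(actions))

    return one(orig, reply), one(reply, orig)


def lookup(rules, in_dev: str, pkt: FlowTuple) -> Optional[HwRule]:
    """Exact 5-tuple match per ingress device; None means slow path."""
    for rule in rules:
        if rule.in_dev == in_dev and rule.match == pkt:
            return rule
    return None


def apply_rule(rule: HwRule, pkt: FlowTuple) -> tuple:
    """Return (egress tuple, next-hop MAC, egress device) after the actions."""
    out, mac, dev = pkt, None, None
    for act in rule.actions:
        if act[0] == "set":
            out = replace(out, **{act[1]: act[2]})
        elif act[0] == "mac":
            mac = act[1]
        elif act[0] == "redirect":
            dev = act[1]
        # 'csum' is a no-op in the model; the hardware recomputes checksums.
    return out, mac, dev


# Constructed entry: a LAN host behind SNAT (203.0.113.1) talking to a web
# server; the reply direction arrives on eth1 addressed to the NAT address.
ORIG = FlowSide("eth0", FlowTuple("10.0.0.2", "198.51.100.7", 40000, 443),
                "eth1", "00:11:22:33:44:55")
REPLY = FlowSide("eth1", FlowTuple("198.51.100.7", "203.0.113.1", 443, 40000),
                 "eth0", "66:77:88:99:aa:bb")
RULES = build_offload_rules(ORIG, REPLY)


def forward(in_dev: str, pkt: FlowTuple) -> Optional[tuple]:
    """Fast path: a hit is forwarded by the hardware rule; a miss returns
    None, meaning the packet takes the classic forwarding path instead."""
    rule = lookup(RULES, in_dev, pkt)
    return apply_rule(rule, pkt) if rule else None


if __name__ == "__main__":
    for rule in RULES:
        print(rule.in_dev, rule.match, rule.actions)
    print(forward("eth0", ORIG.ingress))
    print(forward("eth0", FlowTuple("10.0.0.3", "198.51.100.7", 40000, 443)))
```

The point for an auditor is the last function: once a flow is offloaded, only packets that exactly match one of the two rules are accelerated, and they bypass the forward chain entirely, so later software rules, counters or logging on that chain no longer see them.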
