Message-ID: <9f9f3cf0-7a78-40f1-b8d5-f06a2d428210@blackwall.org>
Date: Mon, 14 Oct 2024 09:35:26 +0300
From: Nikolay Aleksandrov <razor@...ckwall.org>
To: Eric Woudstra <ericwouds@...il.com>, "David S. Miller"
 <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>,
 Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
 Pablo Neira Ayuso <pablo@...filter.org>,
 Jozsef Kadlecsik <kadlec@...filter.org>, Roopa Prabhu <roopa@...dia.com>,
 Matthias Brugger <matthias.bgg@...il.com>,
 AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>,
 Jiri Pirko <jiri@...nulli.us>,
 Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
 Lorenzo Bianconi <lorenzo@...nel.org>,
 Frank Wunderlich <frank-w@...lic-files.de>,
 Daniel Golle <daniel@...rotopia.org>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
 netfilter-devel@...r.kernel.org, coreteam@...filter.org,
 bridge@...ts.linux.dev, linux-arm-kernel@...ts.infradead.org,
 linux-mediatek@...ts.infradead.org
Subject: Re: [PATCH RFC v1 net-next 00/12] bridge-fastpath and related
 improvements

On 13/10/2024 21:54, Eric Woudstra wrote:
> This patchset makes it possible to set up a (hardware offloaded) fastpath
> for bridged interfaces.
> 

The subject and this sentence are misleading: you're talking about netfilter bridge
fastpath offload, so please mention it in both places. When you just say bridge fast
path, I think of the software fast path.

> To set up the fastpath with offloading, add this extra flowtable:
> 
> table bridge filter {
>         flowtable fb {
>                 hook ingress priority filter
>                 devices = { lan0, lan1, lan2, lan3, lan4, wlan0, wlan1 }
>                 flags offload
>         }
>         chain forward {
>                 type filter hook forward priority filter; policy accept;
>                 ct state established flow add @fb
>         }
> }
> 
> Creating a separate fastpath for bridges.
> 
>          forward fastpath bypass
>  .----------------------------------------.
> /                                          \
> |                        IP - forwarding    |
> |                       /                \  v
> |                      /                  wan ...
> |                     /
> |                     |
> |                     |
> |                   brlan.1
> |                     |
> |    +-------------------------------+
> |    |           vlan 1              |
> |    |                               |
> |    |     brlan (vlan-filtering)    |
> |    +---------------+               |
> |    |  DSA-SWITCH   |               |
> |    |               |    vlan 1     |
> |    |               |      to       |
> |    |   vlan 1      |   untagged    |
> |    +---------------+---------------+
> .         /                   \
>  ------>lan0                 wlan1
>         .  ^                 ^
>         .  |                 |
>         .  \_________________/
>         .  bridge fastpath bypass
>         .
>         ^
>      vlan 1 tagged packets
> 
> To have the ability to handle xmit direct with outgoing encaps in the
> bridge fastpath bypass, we need to be able to handle them without going
> through vlan/pppoe devices. So I've applied, amended and squashed wenxu's
> patchset. This patch also makes it possible to egress from vlan-filtering
> brlan to lan0 with vlan tagged packets, if the bridge master port is doing
> the vlan tagging, instead of the vlan-device. Without this patch, this is
> not possible in the bridge-fastpath and also not in the forward-fastpath,
> as seen in the figure above.
> 
> There are also some more fixes for filling in the forward path. These
> fixes also apply to the forward-fastpath. They include handling
> DEV_PATH_MTK_WDMA in nft_dev_path_info() and avoiding
> DEV_PATH_BR_VLAN_UNTAG_HW for bridges with ports that use dsa.
> 
> Conntrack bridge only tracks untagged and 802.1q. To make the bridge
> fastpath experience more similar to the forward fastpath experience,
> I've added double vlan, pppoe and pppoe-in-q tagged packets to bridge
> conntrack and to bridge filter chain.
> 
> Eric Woudstra (12):
>   netfilter: nf_flow_table_offload: Add nf_flow_encap_push() for xmit
>     direct
>   netfilter: bridge: Add conntrack double vlan and pppoe
>   netfilter: nft_chain_filter: Add bridge double vlan and pppoe
>   bridge: br_vlan_fill_forward_path_pvid: Add port to port
>   bridge: br_fill_forward_path add port to port
>   net: core: dev: Add dev_fill_bridge_path()
>   netfilter: nf_flow_table_offload: Add nf_flow_rule_bridge()
>   netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge
>   netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate
>   netfilter: nft_flow_offload: Add DEV_PATH_MTK_WDMA to
>     nft_dev_path_info()
>   bridge: br_vlan_fill_forward_path_mode no _UNTAG_HW for dsa
>   netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval()
> 
>  include/linux/netdevice.h                  |   2 +
>  include/net/netfilter/nf_flow_table.h      |   3 +
>  net/bridge/br_device.c                     |  20 ++-
>  net/bridge/br_private.h                    |   2 +
>  net/bridge/br_vlan.c                       |  24 +++-
>  net/bridge/netfilter/nf_conntrack_bridge.c |  86 ++++++++++--
>  net/core/dev.c                             |  77 +++++++++--
>  net/netfilter/nf_flow_table_inet.c         |  13 ++
>  net/netfilter/nf_flow_table_ip.c           |  96 ++++++++++++-
>  net/netfilter/nf_flow_table_offload.c      |  13 ++
>  net/netfilter/nft_chain_filter.c           |  20 ++-
>  net/netfilter/nft_flow_offload.c           | 154 +++++++++++++++++++--
>  12 files changed, 463 insertions(+), 47 deletions(-)
> 

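The flowtable snippet quoted in the cover letter has one property worth checking on any ruleset that bypasses the forward chain: flows are handed to the flowtable only once conntrack has seen them as established, so the first packets of every connection still traverse the full filter chain. The following script is an added example (not part of the patchset, nftables, or the original mail): it parses the nested-brace `nft list` style of the quoted ruleset with a minimal, purpose-built parser and audits each `flow add @name` rule for that `ct state established` match, a defined target flowtable, an `ingress` hook and a non-empty device list. The ruleset text is a constructed copy of the one in the mail; the parser only understands the `table`/`flowtable`/`chain` constructs used there.

```python
"""Lint an nftables ruleset for a netfilter flowtable (fastpath) setup.

Added example: the parser and checks are illustrative, not part of the
bridge-fastpath patchset or of nftables itself.
"""
import re

# Constructed copy of the bridge-family flowtable from the cover letter.
SAMPLE_RULESET = """\
table bridge filter {
        flowtable fb {
                hook ingress priority filter
                devices = { lan0, lan1, lan2, lan3, lan4, wlan0, wlan1 }
                flags offload
        }
        chain forward {
                type filter hook forward priority filter; policy accept;
                ct state established flow add @fb
        }
}
"""


def parse_ruleset(text):
    """Return {(family, table): {"flowtables": {...}, "chains": {...}}}.

    Minimal parser for the nested-brace listing format: it understands only
    the table / flowtable / chain blocks present in the sample above.
    """
    tables = {}
    table = flowtable = chain = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"table (\w+) (\w+) \{", line)
        if m:
            table = tables.setdefault(
                (m.group(1), m.group(2)), {"flowtables": {}, "chains": {}})
            continue
        m = re.match(r"flowtable (\w+) \{", line)
        if m:
            flowtable = table["flowtables"].setdefault(
                m.group(1), {"hook": None, "devices": [], "flags": []})
            continue
        m = re.match(r"chain (\w+) \{", line)
        if m:
            chain = table["chains"].setdefault(m.group(1), {"rules": []})
            continue
        if line == "}":  # close the innermost open block
            if flowtable is not None:
                flowtable = None
            elif chain is not None:
                chain = None
            else:
                table = None
            continue
        if flowtable is not None:
            if line.startswith("hook "):
                flowtable["hook"] = line.split()[1]
            elif line.startswith("devices"):
                inner = line[line.index("{") + 1:line.rindex("}")]
                flowtable["devices"] = [d.strip() for d in inner.split(",") if d.strip()]
            elif line.startswith("flags "):
                flowtable["flags"] = [f.strip() for f in line[len("flags "):].split(",")]
        elif chain is not None and not line.startswith("type "):
            chain["rules"].append(line)  # everything else in a chain is a rule
    return tables


def audit_flowtables(tables):
    """Return a list of findings; an empty list means the ruleset passes."""
    findings = []
    for (family, tname), t in tables.items():
        where = f"{family} {tname}"
        for fname, ft in t["flowtables"].items():
            if ft["hook"] != "ingress":
                findings.append(f"{where} flowtable {fname}: hook must be ingress, got {ft['hook']}")
            if not ft["devices"]:
                findings.append(f"{where} flowtable {fname}: no devices listed")
        for cname, ch in t["chains"].items():
            for rule in ch["rules"]:
                m = re.search(r"flow add @(\w+)", rule)
                if not m:
                    continue
                if m.group(1) not in t["flowtables"]:
                    findings.append(f"{where} chain {cname}: undefined flowtable @{m.group(1)}")
                # Only conntrack-established flows may bypass the forward chain.
                if not re.search(r"ct state [\w,]*\bestablished\b", rule):
                    findings.append(f"{where} chain {cname}: '{rule}' offloads flows "
                                    "without a 'ct state established' match")
    return findings


def uses_hw_offload(tables, family, tname, fname):
    """True when the named flowtable requests hardware offload via 'flags offload'."""
    return "offload" in tables[(family, tname)]["flowtables"][fname]["flags"]


if __name__ == "__main__":
    parsed = parse_ruleset(SAMPLE_RULESET)
    print("hardware offload:", uses_hw_offload(parsed, "bridge", "filter", "fb"))
    print("findings:", audit_flowtables(parsed) or "none")
```

Run it against the output of `nft list table bridge filter` on a box using this setup; the only rule the script will flag as a finding is one that adds flows to `@fb` without the conntrack state match.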
