Message-ID: <20250408142802.96101-1-ericwouds@gmail.com>
Date: Tue, 8 Apr 2025 16:27:56 +0200
From: Eric Woudstra <ericwouds@...il.com>
To: "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>,
Andrew Lunn <andrew+netdev@...n.ch>,
Pablo Neira Ayuso <pablo@...filter.org>,
Jozsef Kadlecsik <kadlec@...filter.org>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Ido Schimmel <idosch@...dia.com>,
Kuniyuki Iwashima <kuniyu@...zon.com>,
Stanislav Fomichev <sdf@...ichev.me>,
Ahmed Zaki <ahmed.zaki@...el.com>,
Alexander Lobakin <aleksander.lobakin@...el.com>
Cc: netdev@...r.kernel.org,
netfilter-devel@...r.kernel.org,
bridge@...ts.linux.dev,
Eric Woudstra <ericwouds@...il.com>
Subject: [PATCH v11 nf-next 0/6] netfilter: Add bridge-fastpath
This patchset makes it possible to set up a software fastpath between
bridged interfaces. One patch adds the flow rule for the hardware
fastpath. This creates the possibility to have a hardware offloaded
fastpath between bridged interfaces. More patches are added to solve
issues found with the existing code.
To set up the fastpath, add this extra flowtable (with or
without 'flags offload'):

table bridge filter {
        flowtable fb {
                hook ingress priority filter
                devices = { lan0, lan1, lan2, lan3, lan4, wlan0, wlan1 }
                flags offload
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                ct state established flow add @fb
        }
}

Creating a separate fastpath for bridges.

          forward fastpath bypass
 .----------------------------------------.
/                                          \
|                       IP - forwarding    |
|                      /                \  v
|                     /                   wan ...
|                    /
|                    |
|                    |
|                 brlan.1
|                    |
|    +-------------------------------+
|    |            vlan 1             |
|    |                               |
|    |    brlan (vlan-filtering)     |
|    +---------------+               |
|    |  DSA-SWITCH   |               |
|    |               |    vlan 1     |
|    |               |      to       |
|    |    vlan 1     |   untagged    |
|    +---------------+---------------+
.         /                 \
 ------>lan0              wlan1
.         ^                 ^
.         |                 |
.         \_________________/
.        bridge fastpath bypass
.
^
 vlan 1 tagged packets

Note: While testing direct transmit in the software forward-fastpath,
without the capability of setting the offload flag, it is sometimes useful
to enslave the wan interface to another bridge, brwan. This will make
sure both directions of the software forward-fastpath use direct transmit,
which also happens when the offload flag is set.
Changes in v11:
- Dropped "Introduce DEV_PATH_BR_VLAN_KEEP_HW for bridge-fastpath" from
this patch-set, it has moved to another patch-set.
- Updated nft_flow_offload_bridge_init() changing the way of accessing
headers after fixing nft_do_chain_bridge().
v10 split from patch-set: bridge-fastpath and related improvements v9
Eric Woudstra (6):
bridge: Add filling forward path from port to port
net: core: dev: Add dev_fill_bridge_path()
netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge()
netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge
netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate
netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval()
include/linux/netdevice.h | 2 +
include/net/netfilter/nf_flow_table.h | 3 +
net/bridge/br_device.c | 19 +++-
net/bridge/br_private.h | 2 +
net/bridge/br_vlan.c | 6 +-
net/core/dev.c | 66 ++++++++---
net/netfilter/nf_flow_table_inet.c | 13 +++
net/netfilter/nf_flow_table_offload.c | 13 +++
net/netfilter/nft_flow_offload.c | 151 +++++++++++++++++++++++++-
9 files changed, 250 insertions(+), 25 deletions(-)
--
2.47.1