From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Boris Sukholitko <boris.sukholitko@broadcom.com>
Cc: netfilter-devel@vger.kernel.org,
Ilya Lifshits <ilya.lifshits@broadcom.com>
Subject: Re: [PATCH nf-next 00/19] netfilter: nftables: dscp modification offload
Date: Wed, 3 May 2023 22:30:58 +0200
Message-ID: <ZFLEgghj7qaIM4Sk@calendula>
In-Reply-To: <20230503125552.41113-1-boris.sukholitko@broadcom.com>
Hi,
On Wed, May 03, 2023 at 03:55:33PM +0300, Boris Sukholitko wrote:
[...]
> Now let's try to add flow offload:
>
> table inet filter {
>         flowtable f1 {
>                 hook ingress priority filter
>                 devices = { veth0, veth1 }
>         }
>
>         chain forward {
>                 type filter hook forward priority filter; policy accept;
>                 ip dscp set cs3
>                 ip protocol { tcp, udp, gre } flow add
>                 ct state established,related accept
>         }
> }
From user perspective, I think the way to go would be to allow users
to define a ruleset like this:
table inet filter {
        flowtable f1 {
                hook ingress priority filter
                devices = { veth0, veth1 }
        }

        chain ingress {
                type filter hook ingress device veth0 priority filter; policy accept; flags offload;
                ip dscp set cs3
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                meta l4proto { tcp, udp, gre } flow add @f1
                ct state established,related accept
        }
}
This ruleset defines a policy at ingress; the offload flag tells that
this is offloaded to hardware for veth0, i.e. all rules in the 'ingress'
chain will be placed in hardware in the ingress path. The IP DSCP
field is set at the ingress (offload) hook; therefore, the host
(software), in tcpdump, will see already mangled packets with the IP DSCP
field set to cs3.
To achieve this, please have a look at net/netfilter/nf_tables_offload.c
for the ruleset offload infrastructure. This is called whenever the
chain comes with the offload flag set on.
struct nft_expr_ops provides .offload and .offload_action callbacks
which you can use to populate the existing hardware offload API as
defined by include/net/flow_offload.h.
You will also have to extend the offload parser to translate the
nftables bytecode to the (hardware) flow_offload API, similar to what
nft_payload does to infer the header field you want to mangle (the
flow_offload hardware API uses the flow_dissector structure).
It is going to be a bit of work but I think this is feasible.
Thanks.
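Added example (not part of this thread, the patch series, or the kernel's flow_offload code): a userspace C model of the translation step described above, turning the byte-granular mangle that nft_payload emits for `ip dscp set cs3` into a 32-bit offset/mask/value entry of the kind a hardware mangle action consumes. The `struct mangle_word` shape, the offset 1 / mask 0xfc / value 0x60 encoding and the sample IPv4 header are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

struct mangle_word {   /* stand-in for one hardware mangle entry (assumed shape) */
    uint32_t offset;   /* byte offset of the 32-bit word in the IPv4 header */
    uint32_t mask;     /* bits to rewrite, network (wire) byte order */
    uint32_t val;      /* replacement bits, network byte order */
};
/* Translate a byte-granular payload mangle (offset, len <= 4, mask, value),
 * the form nft_payload works with, into one aligned 32-bit word mangle.
 * Returns 0 when the bytes straddle a word boundary and need more entries. */
int byte_mangle_to_word(uint32_t off, uint32_t len, const uint8_t *mask,
                        const uint8_t *val, struct mangle_word *out)
{
    uint32_t shift = off & 3u;
    uint8_t m[4] = {0}, v[4] = {0};
    if (len == 0 || len > 4 || shift + len > 4)
        return 0;
    memcpy(m + shift, mask, len);
    memcpy(v + shift, val, len);
    out->offset = off & ~3u;
    memcpy(&out->mask, m, 4);   /* copying bytes keeps wire order intact */
    memcpy(&out->val, v, 4);
    return 1;
}

/* Apply the word mangle and zero the header checksum: the hardware (or a
 * follow-up action) must recompute it once the TOS byte has changed. */
void apply_word_mangle(uint8_t *iph, const struct mangle_word *mw)
{
    uint32_t w;
    memcpy(&w, iph + mw->offset, 4);
    w = (w & ~mw->mask) | (mw->val & mw->mask);
    memcpy(iph + mw->offset, &w, 4);
    iph[10] = iph[11] = 0;
}

/* Constructed header: TOS 0x03 (DSCP 0, ECN CE). "ip dscp set cs3" is a
 * 1-byte write at offset 1, mask 0xfc, value 0x60 (cs3 = 24 << 2), so the
 * result must be 0x63: DSCP cs3 with the ECN bits left intact. */
int demo_cs3_tos(void)
{
    uint8_t iph[20] = {0x45, 0x03, 0x00, 0x28, 0, 0, 0x40, 0, 0x40, 0x06,
                       0, 0, 10, 0, 0, 1, 10, 0, 0, 2};
    const uint8_t mask = 0xfc, val = 0x60;
    struct mangle_word mw;
    if (!byte_mangle_to_word(1, 1, &mask, &val, &mw)) return -1;
    apply_word_mangle(iph, &mw);
    return iph[1];
}
```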