Re: [PATCH v5 bpf-next 1/3] netfilter: nf_tables: add flowtable map for xdp offload

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Lorenzo Bianconi <lorenzo@kernel.org>
To: Daniel Borkmann <daniel@iogearbox.net>
Cc: bpf@vger.kernel.org, pablo@netfilter.org, kadlec@netfilter.org,
	davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
	pabeni@redhat.com, netfilter-devel@vger.kernel.org,
	netdev@vger.kernel.org, ast@kernel.org, andrii@kernel.org,
	martin.lau@linux.dev, eddyz87@gmail.com,
	lorenzo.bianconi@redhat.com, toke@redhat.com, fw@strlen.de,
	hawk@kernel.org, horms@kernel.org, donhunte@redhat.com,
	memxor@gmail.com
Subject: Re: [PATCH v5 bpf-next 1/3] netfilter: nf_tables: add flowtable map for xdp offload
Date: Sun, 30 Jun 2024 00:06:56 +0200	[thread overview]
Message-ID: <ZoCFgFj7JFMSwlRQ@lore-desk> (raw)
In-Reply-To: <793fd9a3-0562-1edd-e2b4-f88fa81d876d@iogearbox.net>

[-- Attachment #1: Type: text/plain, Size: 4479 bytes --]

> On 6/14/24 5:40 PM, Lorenzo Bianconi wrote:
> [...]
> > diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> > index a010b25076ca0..d9b019c98694b 100644
> > --- a/net/netfilter/nf_flow_table_offload.c
> > +++ b/net/netfilter/nf_flow_table_offload.c
> > @@ -1192,7 +1192,7 @@ int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
> >   	int err;
> >   	if (!nf_flowtable_hw_offload(flowtable))
> > -		return 0;
> > +		return nf_flow_offload_xdp_setup(flowtable, dev, cmd);
> >   	if (dev->netdev_ops->ndo_setup_tc)
> >   		err = nf_flow_table_offload_cmd(&bo, flowtable, dev, cmd,
> > @@ -1200,8 +1200,10 @@ int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
> >   	else
> >   		err = nf_flow_table_indr_offload_cmd(&bo, flowtable, dev, cmd,
> >   						     &extack);
> > -	if (err < 0)
> > +	if (err < 0) {
> > +		nf_flow_offload_xdp_cancel(flowtable, dev, cmd);
> >   		return err;
> > +	}
> >   	return nf_flow_table_block_setup(flowtable, &bo, cmd);
> >   }
> > diff --git a/net/netfilter/nf_flow_table_xdp.c b/net/netfilter/nf_flow_table_xdp.c
> > new file mode 100644
> > index 0000000000000..b9bdf27ba9bd3
> > --- /dev/null
> > +++ b/net/netfilter/nf_flow_table_xdp.c
> > @@ -0,0 +1,163 @@
> > +// SPDX-License-Identifier: GPL-2.0-only
> > +#include <linux/kernel.h>
> > +#include <linux/module.h>
> > +#include <linux/netfilter.h>
> > +#include <linux/rhashtable.h>
> > +#include <linux/netdevice.h>
> > +#include <net/flow_offload.h>
> > +#include <net/netfilter/nf_flow_table.h>
> > +
> > +struct flow_offload_xdp_ft {
> > +	struct list_head head;
> > +	struct nf_flowtable *ft;
> > +	struct rcu_head rcuhead;
> > +};
> > +
> > +struct flow_offload_xdp {
> > +	struct hlist_node hnode;
> > +	unsigned long net_device_addr;
> > +	struct list_head head;
> > +};
> > +
> > +#define NF_XDP_HT_BITS	4
> > +static DEFINE_HASHTABLE(nf_xdp_hashtable, NF_XDP_HT_BITS);
> > +static DEFINE_MUTEX(nf_xdp_hashtable_lock);
> > +
> > +/* caller must hold rcu read lock */
> > +struct nf_flowtable *nf_flowtable_by_dev(const struct net_device *dev)
> > +{
> > +	unsigned long key = (unsigned long)dev;
> > +	struct flow_offload_xdp *iter;
> > +
> > +	hash_for_each_possible_rcu(nf_xdp_hashtable, iter, hnode, key) {
> > +		if (key == iter->net_device_addr) {
> > +			struct flow_offload_xdp_ft *ft_elem;
> > +
> > +			/* The user is supposed to insert a given net_device
> > +			 * just into a single nf_flowtable so we always return
> > +			 * the first element here.
> > +			 */
> > +			ft_elem = list_first_or_null_rcu(&iter->head,
> > +							 struct flow_offload_xdp_ft,
> > +							 head);
> > +			return ft_elem ? ft_elem->ft : NULL;
> > +		}
> > +	}
> > +
> > +	return NULL;
> > +}
> > +
> > +static int nf_flowtable_by_dev_insert(struct nf_flowtable *ft,
> > +				      const struct net_device *dev)
> > +{
> > +	struct flow_offload_xdp *iter, *elem = NULL;
> > +	unsigned long key = (unsigned long)dev;
> > +	struct flow_offload_xdp_ft *ft_elem;
> > +
> > +	ft_elem = kzalloc(sizeof(*ft_elem), GFP_KERNEL_ACCOUNT);
> > +	if (!ft_elem)
> > +		return -ENOMEM;
> > +
> > +	ft_elem->ft = ft;
> > +
> > +	mutex_lock(&nf_xdp_hashtable_lock);
> > +
> > +	hash_for_each_possible(nf_xdp_hashtable, iter, hnode, key) {
> > +		if (key == iter->net_device_addr) {
> > +			elem = iter;
> > +			break;
> > +		}
> > +	}
> > +
> > +	if (!elem) {
> > +		elem = kzalloc(sizeof(*elem), GFP_KERNEL_ACCOUNT);
> > +		if (!elem)
> > +			goto err_unlock;
> > +
> > +		elem->net_device_addr = key;
> 
> Looks good, as I understand (but just to double check) if a device goes away then
> upper layers in the nf flowtable code will trigger the nf_flowtable_by_dev_remove()
> based on the device pointer to clean this up again from nf_xdp_hashtable.

yep, correct. Core nft infrastructure runs nf_flow_offload_xdp_setup() with cmd set
to FLOW_BLOCK_UNBIND (so we run nf_flowtable_by_dev_remove()) when the net_device
is removed.

Regards,
Lorenzo

> 
> > +		INIT_LIST_HEAD(&elem->head);
> > +		hash_add_rcu(nf_xdp_hashtable, &elem->hnode, key);
> > +	}
> > +	list_add_tail_rcu(&ft_elem->head, &elem->head);
> > +
> > +	mutex_unlock(&nf_xdp_hashtable_lock);
> > +
> > +	return 0;
> > +
> > +err_unlock:
> > +	mutex_unlock(&nf_xdp_hashtable_lock);
> > +	kfree(ft_elem);
> > +
> > +	return -ENOMEM;
> > +}

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]

next prev parent reply	other threads:[~2024-06-29 22:07 UTC|newest]

Thread overview: 12+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-06-14 15:40 [PATCH v5 bpf-next 0/3] netfilter: Add the capability to offload flowtable in XDP layer Lorenzo Bianconi
2024-06-14 15:40 ` [PATCH v5 bpf-next 1/3] netfilter: nf_tables: add flowtable map for xdp offload Lorenzo Bianconi
2024-06-28 21:19   ` Daniel Borkmann
2024-06-29 22:06     ` Lorenzo Bianconi [this message]
2024-06-14 15:40 ` [PATCH v5 bpf-next 2/3] netfilter: add bpf_xdp_flow_lookup kfunc Lorenzo Bianconi
2024-06-28 21:21   ` Daniel Borkmann
2024-06-29 19:57     ` Lorenzo Bianconi
2024-06-14 15:40 ` [PATCH v5 bpf-next 3/3] selftests/bpf: Add selftest for " Lorenzo Bianconi
2024-06-28 21:29   ` Daniel Borkmann
2024-06-29 20:11     ` Lorenzo Bianconi
2024-07-01  8:07       ` Daniel Borkmann
2024-06-28 19:56 ` [PATCH v5 bpf-next 0/3] netfilter: Add the capability to offload flowtable in XDP layer Lorenzo Bianconi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ZoCFgFj7JFMSwlRQ@lore-desk \
    --to=lorenzo@kernel.org \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=davem@davemloft.net \
    --cc=donhunte@redhat.com \
    --cc=eddyz87@gmail.com \
    --cc=edumazet@google.com \
    --cc=fw@strlen.de \
    --cc=hawk@kernel.org \
    --cc=horms@kernel.org \
    --cc=kadlec@netfilter.org \
    --cc=kuba@kernel.org \
    --cc=lorenzo.bianconi@redhat.com \
    --cc=martin.lau@linux.dev \
    --cc=memxor@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pablo@netfilter.org \
    --cc=toke@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.