From: Florian Westphal <fw@strlen.de>
To: Elad Yifee <eladwf@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Phil Sutter <phil@nwl.cc>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next RFC] netfilter: flowtable: add CT metadata action for nft flowtables
Date: Sat, 13 Sep 2025 22:52:43 +0200
Message-ID: <aMXZm_UL58OkoHlG@strlen.de>
In-Reply-To: <20250912163043.329233-1-eladwf@gmail.com>
Elad Yifee <eladwf@gmail.com> wrote:
> When offloading a flow via the default nft flowtable path,
> append a FLOW_ACTION_CT_METADATA action if the flow is associated with a conntrack entry.
> We do this in both IPv4 and IPv6 route action builders, after NAT mangles and before redirect.
> This mirrors net/sched/act_ct.c’s tcf_ct_flow_table_add_action_meta() so drivers that already
> parse FLOW_ACTION_CT_METADATA from TC offloads can reuse the same logic for nft flowtables.
>
> Signed-off-by: Elad Yifee <eladwf@gmail.com>
> ---
> net/netfilter/nf_flow_table_offload.c | 38 +++++++++++++++++++++++++++
> 1 file changed, 38 insertions(+)
>
> diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
> index e06bc36f49fe..bccae4052319 100644
> --- a/net/netfilter/nf_flow_table_offload.c
> +++ b/net/netfilter/nf_flow_table_offload.c
> @@ -12,6 +12,7 @@
> #include <net/netfilter/nf_conntrack_acct.h>
> #include <net/netfilter/nf_conntrack_core.h>
> #include <net/netfilter/nf_conntrack_tuple.h>
> +#include <net/netfilter/nf_conntrack_labels.h>
>
> static struct workqueue_struct *nf_flow_offload_add_wq;
> static struct workqueue_struct *nf_flow_offload_del_wq;
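Review bot: the new include is appended after nf_conntrack_tuple.h, which breaks the alphabetical order the surrounding list keeps (acct, core, tuple); placing `#include <net/netfilter/nf_conntrack_labels.h>` between nf_conntrack_core.h and nf_conntrack_tuple.h keeps it sorted.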
> @@ -679,6 +680,41 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow,
> return 0;
> }
>
> +static void flow_offload_add_ct_metadata(const struct flow_offload *flow,
> + enum flow_offload_tuple_dir dir,
> + struct nf_flow_rule *flow_rule)
> +{
> + struct nf_conn *ct = flow->ct;
> + struct flow_action_entry *entry;
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS)
> + u32 *dst_labels;
> + struct nf_conn_labels *labels;
> +#endif
> +
> + if (!ct)
> + return;
Under what circumstances can flow->ct be NULL?
> + entry = flow_action_entry_next(flow_rule);
> + entry->id = FLOW_ACTION_CT_METADATA;
> +
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)
> + entry->ct_metadata.mark = READ_ONCE(ct->mark);
> +#endif
> +
> + entry->ct_metadata.orig_dir = (dir == FLOW_OFFLOAD_DIR_ORIGINAL);
> +
> +#if IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS)
> + dst_labels = entry->ct_metadata.labels;
> + labels = nf_ct_labels_find(ct);
> + if (labels)
> + memcpy(dst_labels, labels->bits, NF_CT_LABELS_MAX_SIZE);
> + else
> + memset(dst_labels, 0, NF_CT_LABELS_MAX_SIZE);
> +#else
> + memset(entry->ct_metadata.labels, 0, NF_CT_LABELS_MAX_SIZE);
> +#endif
> +}
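Review bot: the `#if IS_ENABLED(CONFIG_NF_CONNTRACK_LABELS)` / `#else` split in flow_offload_add_ct_metadata() duplicates the zeroing logic. nf_ct_labels_find() already returns NULL when CONFIG_NF_CONNTRACK_LABELS is off, so the unconditional sequence `labels = nf_ct_labels_find(ct); if (labels) memcpy(dst_labels, labels->bits, NF_CT_LABELS_MAX_SIZE); else memset(dst_labels, 0, NF_CT_LABELS_MAX_SIZE);` covers both configurations and lets the `#else` memset and the guarded local declarations go. Dropping the guard also leaves the body closer to the act_ct version, which matters if the two are to become one shared helper.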
This looks almost identical to tcf_ct_flow_table_add_action_meta().
Any chance to make it a common helper function? act_ct already depends
on nf_flow_table anyway.