From: Eric Woudstra <ericwouds@gmail.com>
To: Simon Horman <horms@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Nikolay Aleksandrov <razor@blackwall.org>,
Ido Schimmel <idosch@nvidia.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Stanislav Fomichev <sdf@fomichev.me>,
Ahmed Zaki <ahmed.zaki@intel.com>,
Alexander Lobakin <aleksander.lobakin@intel.com>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
bridge@lists.linux.dev
Subject: Re: [PATCH v11 nf-next 6/6] netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval()
Date: Fri, 11 Apr 2025 17:24:24 +0200 [thread overview]
Message-ID: <f6fa54fc-223f-426c-be83-7f7c2d366077@gmail.com> (raw)
In-Reply-To: <20250411105751.GA1156507@horms.kernel.org>
On 4/11/25 12:57 PM, Simon Horman wrote:
> On Tue, Apr 08, 2025 at 04:28:02PM +0200, Eric Woudstra wrote:
>> Edit nft_flow_offload_eval() to make it possible to handle a flowtable of
>> the nft bridge family.
>>
>> Use nft_flow_offload_bridge_init() to fill the flow tuples. It uses
>> nft_dev_fill_bridge_path() in each direction.
>>
>> Signed-off-by: Eric Woudstra <ericwouds@gmail.com>
>> ---
>> net/netfilter/nft_flow_offload.c | 148 +++++++++++++++++++++++++++++--
>> 1 file changed, 143 insertions(+), 5 deletions(-)
>>
>> diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
>
> ...
>
>> +static int nft_dev_fill_bridge_path(struct flow_offload *flow,
>> + struct nft_flowtable *ft,
>> + enum ip_conntrack_dir dir,
>> + const struct net_device *src_dev,
>> + const struct net_device *dst_dev,
>> + unsigned char *src_ha,
>> + unsigned char *dst_ha)
>> +{
>> + struct flow_offload_tuple_rhash *th = flow->tuplehash;
>> + struct net_device_path_ctx ctx = {};
>> + struct net_device_path_stack stack;
>> + struct nft_forward_info info = {};
>> + int i, j = 0;
>> +
>> + for (i = th[dir].tuple.encap_num - 1; i >= 0 ; i--) {
>> + if (info.num_encaps >= NF_FLOW_TABLE_ENCAP_MAX)
>> + return -1;
>> +
>> + if (th[dir].tuple.in_vlan_ingress & BIT(i))
>> + continue;
>> +
>> + info.encap[info.num_encaps].id = th[dir].tuple.encap[i].id;
>> + info.encap[info.num_encaps].proto = th[dir].tuple.encap[i].proto;
>> + info.num_encaps++;
>> +
>> + if (th[dir].tuple.encap[i].proto == htons(ETH_P_PPP_SES))
>> + continue;
>> +
>> + if (ctx.num_vlans >= NET_DEVICE_PATH_VLAN_MAX)
>> + return -1;
>> + ctx.vlan[ctx.num_vlans].id = th[dir].tuple.encap[i].id;
>> + ctx.vlan[ctx.num_vlans].proto = th[dir].tuple.encap[i].proto;
>> + ctx.num_vlans++;
>> + }
>> + ctx.dev = src_dev;
>> + ether_addr_copy(ctx.daddr, dst_ha);
>> +
>> + if (dev_fill_bridge_path(&ctx, &stack) < 0)
>> + return -1;
>> +
>> + nft_dev_path_info(&stack, &info, dst_ha, &ft->data);
>> +
>> + if (!info.indev || info.indev != dst_dev)
>> + return -1;
>> +
>> + th[!dir].tuple.iifidx = info.indev->ifindex;
>> + for (i = info.num_encaps - 1; i >= 0; i--) {
>> + th[!dir].tuple.encap[j].id = info.encap[i].id;
>> + th[!dir].tuple.encap[j].proto = info.encap[i].proto;
>> + if (info.ingress_vlans & BIT(i))
>> + th[!dir].tuple.in_vlan_ingress |= BIT(j);
>> + j++;
>> + }
>> + th[!dir].tuple.encap_num = info.num_encaps;
>> +
>> + th[dir].tuple.mtu = dst_dev->mtu;
>> + ether_addr_copy(th[dir].tuple.out.h_source, src_ha);
>> + ether_addr_copy(th[dir].tuple.out.h_dest, dst_ha);
>> + th[dir].tuple.out.ifidx = info.outdev->ifindex;
>> + th[dir].tuple.out.hw_ifidx = info.hw_outdev->ifindex;
>> + th[dir].tuple.out.bridge_vid = info.bridge_vid;
>
> Hi Eric,
>
> I guess I am doing something daft.
> But with this patchset applied on top of nf-next I see
> the following with allmodconfig builds on x86_64.:
>
> CC [M] net/netfilter/nft_flow_offload.o
> net/netfilter/nft_flow_offload.c: In function 'nft_dev_fill_bridge_path':
> net/netfilter/nft_flow_offload.c:248:26: error: 'struct <anonymous>' has no member named 'bridge_vid'
> 248 | th[dir].tuple.out.bridge_vid = info.bridge_vid;
> | ^
> net/netfilter/nft_flow_offload.c:248:44: error: 'struct nft_forward_info' has no member named 'bridge_vid'
> 248 | th[dir].tuple.out.bridge_vid = info.bridge_vid;
> | ^
>
>> + th[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_DIRECT;
>> +
>> + return 0;
>> +}
>
> ...
Hi Simon,
This is from the patch-set:
[PATCH v2 nf-next 0/3] flow offload teardown when layer 2 roaming
My guess is that it could be accepted before this patch-set.
They do not need each other, but 1 needs to be applied before the other.
Regards,
Eric
prev parent reply other threads:[~2025-04-11 15:26 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-08 14:27 [PATCH v11 nf-next 0/6] netfilter: Add bridge-fastpath Eric Woudstra
2025-04-08 14:27 ` [PATCH v11 nf-next 1/6] bridge: Add filling forward path from port to port Eric Woudstra
2025-04-08 14:27 ` [PATCH v11 nf-next 2/6] net: core: dev: Add dev_fill_bridge_path() Eric Woudstra
2025-04-08 14:27 ` [PATCH v11 nf-next 3/6] netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge() Eric Woudstra
2025-04-08 14:28 ` [PATCH v11 nf-next 4/6] netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge Eric Woudstra
2025-04-08 14:28 ` [PATCH v11 nf-next 5/6] netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate Eric Woudstra
2025-04-08 14:28 ` [PATCH v11 nf-next 6/6] netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval() Eric Woudstra
2025-04-11 10:57 ` Simon Horman
2025-04-11 15:24 ` Eric Woudstra [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f6fa54fc-223f-426c-be83-7f7c2d366077@gmail.com \
--to=ericwouds@gmail.com \
--cc=ahmed.zaki@intel.com \
--cc=aleksander.lobakin@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=bridge@lists.linux.dev \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=idosch@nvidia.com \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=razor@blackwall.org \
--cc=sdf@fomichev.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).