From: Jesse Gross <jesse@nicira.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org
Subject: [PATCH v2 01/14] ebtables: Allow filtering of hardware accelerated vlan frames.
Date: Wed, 20 Oct 2010 16:56:01 -0700 [thread overview]
Message-ID: <1287618974-4714-2-git-send-email-jesse@nicira.com> (raw)
In-Reply-To: <1287618974-4714-1-git-send-email-jesse@nicira.com>
An upcoming commit will allow packets with hardware vlan acceleration
information to be passed through more parts of the network stack, including
packets trunked through the bridge. This adds support for matching and
filtering those packets through ebtables.
Signed-off-by: Jesse Gross <jesse@nicira.com>
---
net/bridge/br_netfilter.c | 16 +++++++++-------
net/bridge/netfilter/ebt_vlan.c | 21 ++++++++++++++-------
net/bridge/netfilter/ebtables.c | 15 +++++++++++----
3 files changed, 34 insertions(+), 18 deletions(-)
diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c
index 7f9ce96..47c2dab 100644
--- a/net/bridge/br_netfilter.c
+++ b/net/bridge/br_netfilter.c
@@ -64,22 +64,24 @@ static int brnf_filter_pppoe_tagged __read_mostly = 0;
static inline __be16 vlan_proto(const struct sk_buff *skb)
{
- return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
+ if (vlan_tx_tag_present(skb))
+ return skb->protocol;
+ else if (skb->protocol == htons(ETH_P_8021Q))
+ return vlan_eth_hdr(skb)->h_vlan_encapsulated_proto;
+ else
+ return 0;
}
#define IS_VLAN_IP(skb) \
- (skb->protocol == htons(ETH_P_8021Q) && \
- vlan_proto(skb) == htons(ETH_P_IP) && \
+ (vlan_proto(skb) == htons(ETH_P_IP) && \
brnf_filter_vlan_tagged)
#define IS_VLAN_IPV6(skb) \
- (skb->protocol == htons(ETH_P_8021Q) && \
- vlan_proto(skb) == htons(ETH_P_IPV6) &&\
+ (vlan_proto(skb) == htons(ETH_P_IPV6) && \
brnf_filter_vlan_tagged)
#define IS_VLAN_ARP(skb) \
- (skb->protocol == htons(ETH_P_8021Q) && \
- vlan_proto(skb) == htons(ETH_P_ARP) && \
+ (vlan_proto(skb) == htons(ETH_P_ARP) && \
brnf_filter_vlan_tagged)
static inline __be16 pppoe_proto(const struct sk_buff *skb)
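Review bot: `vlan_proto()` now returns `0` as a "not VLAN tagged" sentinel that all three `IS_VLAN_*` macros depend on, and that contract is not documented anywhere in the hunk. I would add a comment above the function, for example `/* Protocol encapsulated by the VLAN tag, whether the tag is hardware-accelerated or in-band; 0 if the frame carries no VLAN tag. */`. Separately, the in-band branch still reads `vlan_eth_hdr(skb)->h_vlan_encapsulated_proto` with nothing visible here establishing that the VLAN header lies in the linear data area. That read predates this patch, but since these macros gate whether tagged traffic reaches the IP/ARP filter hooks, it is worth confirming that the callers (outside this hunk) guarantee the header length before the dereference.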
diff --git a/net/bridge/netfilter/ebt_vlan.c b/net/bridge/netfilter/ebt_vlan.c
index 87b53b3..cc11d6b 100644
--- a/net/bridge/netfilter/ebt_vlan.c
+++ b/net/bridge/netfilter/ebt_vlan.c
@@ -39,8 +39,6 @@ static bool
ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
const struct ebt_vlan_info *info = par->matchinfo;
- const struct vlan_hdr *fp;
- struct vlan_hdr _frame;
unsigned short TCI; /* Whole TCI, given from parsed frame */
unsigned short id; /* VLAN ID, given from frame TCI */
@@ -48,9 +46,20 @@ ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
/* VLAN encapsulated Type/Length field, given from orig frame */
__be16 encap;
- fp = skb_header_pointer(skb, 0, sizeof(_frame), &_frame);
- if (fp == NULL)
- return false;
+ if (vlan_tx_tag_present(skb)) {
+ TCI = vlan_tx_tag_get(skb);
+ encap = skb->protocol;
+ } else {
+ const struct vlan_hdr *fp;
+ struct vlan_hdr _frame;
+
+ fp = skb_header_pointer(skb, 0, sizeof(_frame), &_frame);
+ if (fp == NULL)
+ return false;
+
+ TCI = ntohs(fp->h_vlan_TCI);
+ encap = fp->h_vlan_encapsulated_proto;
+ }
/* Tag Control Information (TCI) consists of the following elements:
* - User_priority. The user_priority field is three bits in length,
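Review bot: The two branches that fill `TCI` and `encap` in `ebt_vlan_mt()` rely on different assumptions, and neither is stated in the code. In the accelerated branch the tag is not in the packet data, so `skb->protocol` already names the encapsulated protocol; a short comment such as `/* Tag stripped by hardware: TCI is in skb metadata, skb->protocol is the encapsulated type. */` would make that explicit. This also presumes that `vlan_tx_tag_get()` returns the TCI with any internal "tag present" flag cleared, so the later `TCI & VLAN_VID_MASK` and `(TCI >> 13) & 0x7` extractions see only on-wire bits; its definition is not visible here and should be checked. The in-band branch reads a `struct vlan_hdr` at offset 0 without checking in this function that the frame is 802.1Q at all, so it presumably depends on the rule-validation path restricting this match to 802.1Q rules. The function body continues outside the hunk.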
@@ -59,10 +68,8 @@ ebt_vlan_mt(const struct sk_buff *skb, struct xt_action_param *par)
* (CFI) is a single bit flag value. Currently ignored.
* - VLAN Identifier (VID). The VID is encoded as
* an unsigned binary number. */
- TCI = ntohs(fp->h_vlan_TCI);
id = TCI & VLAN_VID_MASK;
prio = (TCI >> 13) & 0x7;
- encap = fp->h_vlan_encapsulated_proto;
/* Checking VLAN Identifier (VID) */
if (GET_BITMASK(EBT_VLAN_ID))
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c
index bcc102e..a1dcf83 100644
--- a/net/bridge/netfilter/ebtables.c
+++ b/net/bridge/netfilter/ebtables.c
@@ -124,16 +124,23 @@ ebt_dev_check(const char *entry, const struct net_device *device)
#define FWINV2(bool,invflg) ((bool) ^ !!(e->invflags & invflg))
/* process standard matches */
static inline int
-ebt_basic_match(const struct ebt_entry *e, const struct ethhdr *h,
+ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb,
const struct net_device *in, const struct net_device *out)
{
+ const struct ethhdr *h = eth_hdr(skb);
+ __be16 ethproto;
int verdict, i;
+ if (vlan_tx_tag_present(skb))
+ ethproto = htons(ETH_P_8021Q);
+ else
+ ethproto = h->h_proto;
+
if (e->bitmask & EBT_802_3) {
- if (FWINV2(ntohs(h->h_proto) >= 1536, EBT_IPROTO))
+ if (FWINV2(ntohs(ethproto) >= 1536, EBT_IPROTO))
return 1;
} else if (!(e->bitmask & EBT_NOPROTO) &&
- FWINV2(e->ethproto != h->h_proto, EBT_IPROTO))
+ FWINV2(e->ethproto != ethproto, EBT_IPROTO))
return 1;
if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN))
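Review bot: The override of `ethproto` at the top of `ebt_basic_match()` changes which rules a frame matches, and it has no comment explaining why. For a hardware-accelerated frame `h->h_proto` holds the encapsulated type, so substituting `htons(ETH_P_8021Q)` keeps protocol rules matching what was on the wire, whether or not the NIC stripped the tag. Because this decides whether a filtering rule applies, I would state it in the code, e.g. `/* Accelerated frames have the tag stripped from the header; match them as 802.1Q, as the frame appeared on the wire. */`. Note that `h` is still used unchanged for the remaining header comparisons, which lie outside this hunk.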
@@ -213,7 +220,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb,
base = private->entries;
i = 0;
while (i < nentries) {
- if (ebt_basic_match(point, eth_hdr(skb), in, out))
+ if (ebt_basic_match(point, skb, in, out))
goto letscontinue;
if (EBT_MATCH_ITERATE(point, ebt_do_match, skb, &acpar) != 0)
--
1.7.1