From mboxrd@z Thu Jan 1 00:00:00 1970 From: Eric Dumazet Subject: Re: [PATCH RFC net-next 1/4] ipv4: fib_rules: support match on sport, dport and ip proto Date: Mon, 12 Feb 2018 12:49:33 -0800 Message-ID: <1518468573.3715.163.camel@gmail.com> References: <1518387989-33735-1-git-send-email-roopa@cumulusnetworks.com> <1518387989-33735-2-git-send-email-roopa@cumulusnetworks.com> Mime-Version: 1.0 Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: 7bit Cc: dsa@cumulusnetworks.com, nikolay@cumulusnetworks.com To: Roopa Prabhu , netdev@vger.kernel.org Return-path: Received: from mail-io0-f194.google.com ([209.85.223.194]:34043 "EHLO mail-io0-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752400AbeBLUth (ORCPT ); Mon, 12 Feb 2018 15:49:37 -0500 Received: by mail-io0-f194.google.com with SMTP id e7so4557383ioj.1 for ; Mon, 12 Feb 2018 12:49:37 -0800 (PST) In-Reply-To: <1518387989-33735-2-git-send-email-roopa@cumulusnetworks.com> Sender: netdev-owner@vger.kernel.org List-ID: On Sun, 2018-02-11 at 14:26 -0800, Roopa Prabhu wrote: > From: Roopa Prabhu > > Add support to match on src port, dst port and ip protocol. > > Signed-off-by: Roopa Prabhu > --- > include/uapi/linux/fib_rules.h | 3 +++ > net/ipv4/fib_rules.c | 46 ++++++++++++++++++++++++++++++++++++++++-- > 2 files changed, 47 insertions(+), 2 deletions(-) > > diff --git a/include/uapi/linux/fib_rules.h b/include/uapi/linux/fib_rules.h > index 2b642bf..79ff3c2 100644 > --- a/include/uapi/linux/fib_rules.h > +++ b/include/uapi/linux/fib_rules.h > @@ -58,6 +58,9 @@ enum { > FRA_PAD, > FRA_L3MDEV, /* iif or oif is l3mdev goto its table */ > FRA_UID_RANGE, /* UID range */ > + FRA_PROTO, /* ip proto */ > + FRA_SPORT, /* sport */ > + FRA_DPORT, /* dport */ > __FRA_MAX > }; > > diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c > index 35d646a..f204c85 100644 > --- a/net/ipv4/fib_rules.c > +++ b/net/ipv4/fib_rules.c 
> @@ -45,13 +45,17 @@ struct fib4_rule { > #ifdef CONFIG_IP_ROUTE_CLASSID > u32 tclassid; > #endif > + __be16 sport; > + __be16 dport; > + u8 proto; > }; > > static bool fib4_rule_matchall(const struct fib_rule *rule) > { > struct fib4_rule *r = container_of(rule, struct fib4_rule, common); > > - if (r->dst_len || r->src_len || r->tos) > + if (r->dst_len || r->src_len || r->tos || r->proto || r->sport || > + r->dport) > return false; > return fib_rule_matchall(rule); > } > @@ -182,6 +186,15 @@ static int fib4_rule_match(struct fib_rule *rule, struct flowi *fl, int flags) > if (r->tos && (r->tos != fl4->flowi4_tos)) > return 0; > > + if (r->proto && (r->proto != fl4->flowi4_proto)) > + return 0; > + > + if (r->sport && (r->sport != fl4->fl4_sport)) > + return 0; > + > + if (r->dport && (r->dport != fl4->fl4_dport)) > + return 0; > + Any setup with about 20 rules to be evaluated (per packet cost) will feel the pain... I wonder if we could JIT/eBPF this thing.
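Review bot: in the include/uapi/linux/fib_rules.h hunk, the comments on FRA_PROTO, FRA_SPORT and FRA_DPORT ("ip proto", "sport", "dport") do not say what payload width or byte order userspace is expected to send. The kernel side stores the values as `__be16 sport`, `__be16 dport` and `u8 proto`, and this enum becomes ABI once merged, so the comments should state the attribute type and byte order in the same way the neighbouring entries describe their contents.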
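Review bot: in the fib4_rule_match() hunk, the `r->sport` and `r->dport` tests run independently of `r->proto`, so a rule that sets a port but leaves proto at 0 compares against `fl4->fl4_sport` / `fl4->fl4_dport` for every flow, including flows of protocols that carry no ports. Nothing in the visible lines rejects that combination; either refuse a port match at configure time unless proto names a port-carrying protocol, or gate the two port tests on the protocol. Separately, zero doubles as "not set" in all three tests and in fib4_rule_matchall(), so protocol 0 and port 0 cannot be expressed as match values, which should be stated in the commit message or the uapi comments.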