From: Eric Woudstra <ericwouds@gmail.com>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Simon Horman <horms@kernel.org>,
Andrew Lunn <andrew+netdev@lunn.ch>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
Nikolay Aleksandrov <razor@blackwall.org>,
Ido Schimmel <idosch@nvidia.com>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Stanislav Fomichev <sdf@fomichev.me>,
Ahmed Zaki <ahmed.zaki@intel.com>,
Alexander Lobakin <aleksander.lobakin@intel.com>
Cc: netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
bridge@lists.linux.dev, Eric Woudstra <ericwouds@gmail.com>
Subject: [PATCH v11 nf-next 0/6] netfilter: Add bridge-fastpath
Date: Tue, 8 Apr 2025 16:27:56 +0200 [thread overview]
Message-ID: <20250408142802.96101-1-ericwouds@gmail.com> (raw)
This patchset makes it possible to set up a software fastpath between
bridged interfaces. One patch adds the flow rule for the hardware
fastpath. This creates the possibility to have a hardware offloaded
fastpath between bridged interfaces. More patches are added to solve
issues found with the existing code.
To set up the fastpath, add this extra flowtable (with or
without 'flags offload'):
table bridge filter {
flowtable fb {
hook ingress priority filter
devices = { lan0, lan1, lan2, lan3, lan4, wlan0, wlan1 }
flags offload
}
chain forward {
type filter hook forward priority filter; policy accept;
ct state established flow add @fb
}
}
Creating a separate fastpath for bridges.
forward fastpath bypass
.----------------------------------------.
/ \
| IP - forwarding |
| / \ v
| / wan ...
| /
| |
| |
| brlan.1
| |
| +-------------------------------+
| | vlan 1 |
| | |
| | brlan (vlan-filtering) |
| +---------------+ |
| | DSA-SWITCH | |
| | | vlan 1 |
| | | to |
| | vlan 1 | untagged |
| +---------------+---------------+
. / \
------>lan0 wlan1
. ^ ^
. | |
. \_________________/
. bridge fastpath bypass
.
^
vlan 1 tagged packets
Note: While testing direct transmit in the software forward-fastpath,
without the capability of setting the offload flag, it is sometimes useful
to enslave the wan interface to another bridge, brwan. This will make
sure both directions of the software forward-fastpath use direct transmit,
which also happens when the offload flag is set.
Changes in v11:
- Dropped "Introduce DEV_PATH_BR_VLAN_KEEP_HW for bridge-fastpath" from
this patch-set, it has moved to another patch-set.
- Updated nft_flow_offload_bridge_init() changing the way of accessing
headers after fixing nft_do_chain_bridge().
v10 split from patch-set: bridge-fastpath and related improvements v9
Eric Woudstra (6):
bridge: Add filling forward path from port to port
net: core: dev: Add dev_fill_bridge_path()
netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge()
netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge
netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate
netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval()
include/linux/netdevice.h | 2 +
include/net/netfilter/nf_flow_table.h | 3 +
net/bridge/br_device.c | 19 +++-
net/bridge/br_private.h | 2 +
net/bridge/br_vlan.c | 6 +-
net/core/dev.c | 66 ++++++++---
net/netfilter/nf_flow_table_inet.c | 13 +++
net/netfilter/nf_flow_table_offload.c | 13 +++
net/netfilter/nft_flow_offload.c | 151 +++++++++++++++++++++++++-
9 files changed, 250 insertions(+), 25 deletions(-)
--
2.47.1
next reply other threads:[~2025-04-08 14:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-08 14:27 Eric Woudstra [this message]
2025-04-08 14:27 ` [PATCH v11 nf-next 1/6] bridge: Add filling forward path from port to port Eric Woudstra
2025-04-08 14:27 ` [PATCH v11 nf-next 2/6] net: core: dev: Add dev_fill_bridge_path() Eric Woudstra
2025-04-08 14:27 ` [PATCH v11 nf-next 3/6] netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge() Eric Woudstra
2025-04-08 14:28 ` [PATCH v11 nf-next 4/6] netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge Eric Woudstra
2025-04-08 14:28 ` [PATCH v11 nf-next 5/6] netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate Eric Woudstra
2025-04-08 14:28 ` [PATCH v11 nf-next 6/6] netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval() Eric Woudstra
2025-04-11 10:57 ` Simon Horman
2025-04-11 15:24 ` Eric Woudstra
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250408142802.96101-1-ericwouds@gmail.com \
--to=ericwouds@gmail.com \
--cc=ahmed.zaki@intel.com \
--cc=aleksander.lobakin@intel.com \
--cc=andrew+netdev@lunn.ch \
--cc=bridge@lists.linux.dev \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=idosch@nvidia.com \
--cc=kadlec@netfilter.org \
--cc=kuba@kernel.org \
--cc=kuniyu@amazon.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=razor@blackwall.org \
--cc=sdf@fomichev.me \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).