From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-ej1-f49.google.com (mail-ej1-f49.google.com [209.85.218.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D769640682F for ; Mon, 29 Jun 2026 12:33:35 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.49 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782736417; cv=none; b=VoB295+xRX+IR3A/fXd2rSsUSk77vNWRz2pwslwUYsNC7PJXM2SGOWH4bn2m/nIIvXltvz53DmN8GN+t23yy0QuINykccw0ueTaFEqvZ3GN5DmZd65tapOeC6cz8jY5YKxmS+iHGzyWpUbtzbPTj90Wx6ukWQN/MTYSqVU4ylAQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1782736417; c=relaxed/simple; bh=FLmf68CizDgbkWkilfIYmqlhpJjGjSd3CzUEP2obw5s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=IOmtdv6Qf9gHr8YBqDXD9e+NI6cMDRd4JN0s4K0Eq9oZ1NCMnNEpieDmcfFI4bTrz2q4LEMQQixDEO1P/1T8Pd/Lj6DqFo6P5Xdct7dwuIMmsFeqXqTVghjAQD9TBf9bYh1a9sB5XPVdG0sOlGh8R/Kq+b9bkPRTYQXtZEN5JPE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=RgE5djvf; arc=none smtp.client-ip=209.85.218.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="RgE5djvf" Received: by mail-ej1-f49.google.com with SMTP id a640c23a62f3a-c126eb4e228so83504266b.1 for ; Mon, 29 Jun 2026 05:33:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1782736414; x=1783341214; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=B0BtFT/DLMwlAC+IMAnaYdEaIQ9JUWZrSmMLsMhq+s0=; b=RgE5djvfa2/29IlLg79qmpnBPkFA1sgr2pggoc1WxASGsGcamn6Yq5KrjVBPbnZQQD FCDwa2El+OupzMMb4fvC43ACKNsvkblu0MUN/CTxW2PWZOJVtupJW6u4WCmGWLwZdNpF 25bS80YFWSVTnKCPsc45p9Zj12L/tv9k7WxqwESaIvT08Vs1KPF43PPqp6gyKVt1ExHK O8Fv9xE+MTBfIdURRwSMnNsIwNuNI0JO/mDm5KMRPa0W2xmFTOko1vz5HepgTgqACF7A r/HEFGtkDnIHMmTdxc9lteZDq5F9ZuHsOTktVajrCHBi4epFhpWV/p4Zm+qLLgUdqIR3 c7nw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1782736414; x=1783341214; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-gg:x-gm-message-state:from :to:cc:subject:date:message-id:reply-to; bh=B0BtFT/DLMwlAC+IMAnaYdEaIQ9JUWZrSmMLsMhq+s0=; b=HOiEnu072yqolukdBkaXfATevRmTZkpFGZBdr4fnkuluSA3bpARfxoyykOG7cgiDeP ZM1MGuFaNUwDN6lzi0sV2LJ7tjAhG75Fk3WsgJbWM6CFfdw32n2qf5ap7MkRIpfJbn5w LLugcVTW5il2AlDXVtAbfsjXr5hcKsxvdrfeI2EO4TeA1SB4pw70pzpKqRUrYNl2AnE8 0bliPRS91ASRsAD53eHIw9MpyItAEvqYC9qaJ+nfr7vH9qzVLPXUKYWFcIokm/juzG3p poOijP3gfMZc4U0W2x7cU9S+ILOXd4oHWFDAhgAS1t6H3JKeTbv408ipLRiQSsJ7SxAD xXIw== X-Forwarded-Encrypted: i=1; AHgh+RoRSmqX2JuVK8KUU7vE9ctdjFVHr7RFNbI5vk4hPG5fEwoDW3IMAzZE/DMpmrNHlZ+z1nnn+O0=@vger.kernel.org X-Gm-Message-State: AOJu0YwX6fHgf8YO71vUNST0m5AusqZC3Fmyu0SMEYkb24H5KcSC0/x2 uh+WTO9ciso2+aO3k9/k81rCV7OQ4PoZFKm3tjC/LJ2R8IMKs+TML5dG X-Gm-Gg: AfdE7clWDZpLCrdKcw9mH6yTyNYHAkgofMqiUiEp+qRj6VhUk4G1gkIFIHDImjoBkH2 23MCxLZ9iuCJuV6oDMXiVdPCj3mXfEMkF/KEFMUQSJQxIFiT4Y+fdW1kROPLEgaVI6hnKghLUvh 6NZVxxUFTYm0Yfqo/Hxgcxa3wDRBd2rZW6F1aHfrTUDui4SkWZPVlBow0zY+Kki/u3r16SxKNsk XovvcJdsxISPZNOWn/VdqYFvcdtKtPSDZHq/FkyzgKWKWIm+pewQBc/pSXiYGHLOy2HVyXJwMQS fJ70VXyvAddHMHdkijeL1dMSdnZ4otCyu4QFTcti2cHMJIhsQrArpBzdhmtXAqOBeLoLOLImkq0 I/afqupzZc3jTVaASFfVf93a0YcAC1tnIKIcpfY2VFkAy7FO/t5GtJQltVF+oALjheMGfWoNTZH 4NCvC2aDs= X-Received: by 2002:a17:906:f58a:b0:c12:34ec:ad25 with SMTP id a640c23a62f3a-c1234ecbf2bmr445790166b.65.1782736414123; Mon, 29 Jun 2026 05:33:34 -0700 (PDT) Received: from fedora ([46.205.218.111]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-c11fbe05c22sm773866566b.39.2026.06.29.05.33.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 29 Jun 2026 05:33:32 -0700 (PDT) From: Daniel Pawlik To: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org Cc: pablo@netfilter.org, fw@strlen.de, phil@nwl.cc, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, horms@kernel.org, andrew+netdev@lunn.ch, razor@blackwall.org, idosch@nvidia.com, matthias.bgg@gmail.com, angelogioacchino.delregno@collabora.com, bridge@lists.linux.dev, coreteam@netfilter.org, linux-mediatek@lists.infradead.org, linux-arm-kernel@lists.infradead.org, rchen14b@gmail.com, lorenzo@kernel.org, Daniel Pawlik Subject: [PATCH 5/5] netfilter: nf_flow_table_path: add VLAN passthrough support Date: Mon, 29 Jun 2026 14:32:53 +0200 Message-ID: <20260629123253.1912621-6-pawlik.dan@gmail.com> X-Mailer: git-send-email 2.54.0 In-Reply-To: <20260629123253.1912621-1-pawlik.dan@gmail.com> References: <20260629123253.1912621-1-pawlik.dan@gmail.com> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Ryan Chen VLAN passthrough packets can be offloaded when bridge-nf-filter-vlan-tagged is enabled. When a packet has a VLAN tag and the bridge does not have VLAN filtering enabled (passthrough mode), record the VLAN encap info so the hardware flow offload entry includes the correct VLAN tag. Without this change, VLAN-tagged bridged traffic cannot be offloaded by PPE because the VLAN encap information is missing from the flow entry. Enable with: echo 1 > /proc/sys/net/bridge/bridge-nf-filter-vlan-tagged Based on a MediaTek SDK patch by Chak-Kei Lam . Signed-off-by: Ryan Chen Signed-off-by: Daniel Pawlik --- net/netfilter/nf_flow_table_path.c | 32 ++++++++++++++++++++++++++++-- 1 file changed, 30 insertions(+), 2 deletions(-) diff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c index 580aa1db3cb4..d15c425c88c4 100644 --- a/net/netfilter/nf_flow_table_path.c +++ b/net/netfilter/nf_flow_table_path.c @@ -17,6 +17,7 @@ #include #include #include +#include #include #include @@ -136,6 +137,29 @@ struct nft_forward_info { enum flow_offload_xmit_type xmit_type; }; +static void nft_fill_vlan_passthrough_info(const struct nft_pktinfo *pkt, + struct nft_forward_info *info) +{ + if (!skb_vlan_tag_present(pkt->skb)) + return; + + rcu_read_lock(); + /* when bridge VLAN filtering is enabled, the bridge handles the tag */ + if (netif_is_bridge_port(pkt->skb->dev) && + !br_vlan_is_enabled_rcu(pkt->skb->dev)) { + if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) { + info->indev = NULL; + } else { + info->encap[info->num_encaps].id = + skb_vlan_tag_get_id(pkt->skb); + info->encap[info->num_encaps].proto = + pkt->skb->vlan_proto; + info->num_encaps++; + } + } + rcu_read_unlock(); +} + static int nft_dev_path_info(const struct net_device_path_stack *stack, struct nft_forward_info *info, unsigned char *ha, struct nf_flowtable *flowtable) @@ -326,8 +350,12 @@ static int nft_dev_forward_path(const struct nft_pktinfo *pkt, nft_br_vlan_dev_fill_forward_path(pkt, &ctx); } - if (nft_dev_fill_forward_path(&ctx, route, dst, ct, dir, ha, &stack) < 0 || - nft_dev_path_info(&stack, &info, ha, &ft->data) < 0) + if (nft_dev_fill_forward_path(&ctx, route, dst, ct, dir, ha, &stack) < 0) + return -ENOENT; + + nft_fill_vlan_passthrough_info(pkt, &info); + + if (nft_dev_path_info(&stack, &info, ha, &ft->data) < 0) return -ENOENT; if (!nft_flowtable_find_dev(info.indev, ft)) -- 2.54.0