From: Florian Westphal <fw@strlen.de>
To: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH nf-next 00/14] get rid of skb->nf_bridge pointer
Date: Wed, 1 Apr 2015 22:36:26 +0200 [thread overview]
Message-ID: <1427920600-20366-1-git-send-email-fw@strlen.de> (raw)
[ netdev hackers are encouraged to look at patches #2 and #11 specifically,
those are the ones with largest impact outside netfilter land ]
Remove skb->nf_bridge pointer.
Unfortunately we still need some way to decide if skb is bridged
or not, else kfree_skb, skb_clone etc. would have to do costly lookups
in bridge netfilter.
We use a 2-bit state field in the skb for this purpose.
If it's zero, skb is not bridged (same as skb->nf_bridge == NULL
in current kernel).
nf_bridge_info is stored in an rhashtable; bridge netfilter
and the few other places (nfqueue, nflog, physdev match) that need
to access bridge netfilter data do on-demand lookups in an rhashtable
to access the data associated with a bridged skb.
skb_clone and skb_copy will call into netfilter core
helpers for bridged skbs to duplicate the information if needed.
Likewise, kfree_skb removes and frees the bridge netfilter meta data
as well if needed.
In order to avoid those lookups where we're dealing with non-bridged
skbs, we store a 2-bit state field in the skb.
Tested, on host connected to kvm-bridge:
ping -s $bignum $ip_behind_bridge
on bridge:
-j REDIRECT
-j DNAT --to-destination $ip_behind_bridge
-m physdev match with in/outdev match in FORWARD and INPUT (indev only)
- same w. active -j NFQUEUE.
Patch 11 substitutes the pointer for on-demand lookups, most of the
other patches prepare for this change by adding helpers and splitting
state information into 'public' and 'bridge netfilter private'.
The alternative to the rhashtable is to store the bridge netfilter
metadata in skb->cb[], but there are some caveats since we need
such metadata to survive local delivery too (else we'd break use of
physdev match in INPUT).
This is why external store was chosen.
Feedback and suggestions welcome.
include/linux/netfilter.h | 8
include/linux/netfilter_bridge.h | 104 +++++-
include/linux/skbuff.h | 87 ++---
include/net/ip.h | 4
net/bridge/br_device.c | 19 -
net/bridge/br_netfilter.c | 482 ++++++++++++++++++++---------
net/bridge/br_private.h | 2
net/core/skbuff.c | 5
net/ipv4/ip_output.c | 30 +
net/ipv4/netfilter/nf_defrag_ipv4.c | 3
net/ipv4/netfilter/nf_reject_ipv4.c | 6
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 3
net/ipv6/netfilter/nf_reject_ipv6.c | 6
net/netfilter/core.c | 49 ++
net/netfilter/ipset/ip_set_hash_netiface.c | 32 +
net/netfilter/nf_log_common.c | 7
net/netfilter/nf_queue.c | 22 -
net/netfilter/nfnetlink_log.c | 17 -
net/netfilter/nfnetlink_queue_core.c | 34 +-
net/netfilter/xt_physdev.c | 36 +-
20 files changed, 670 insertions(+), 286 deletions(-)
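The cover letter describes the replacement for skb->nf_bridge: a 2-bit state field in the skb that says whether bridge netfilter metadata exists at all, an external table keyed by the skb that holds the metadata, a clone/copy hook that duplicates the entry for the new skb, and a free hook that removes it. The following userspace model is an added illustration of that design and is not code from this patch series or from the kernel. All names (skb_model, brnf_meta, nf_bridge_attach, the NF_BR_* state encodings, the chained hash standing in for the rhashtable) are hypothetical, and the lookup counter exists only to show that non-bridged skbs never touch the table.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 2-bit state encodings; 0 means "not bridged", the stand-in
 * for skb->nf_bridge == NULL in the pre-patch kernel. */
enum { NF_BR_NONE = 0, NF_BR_PRE = 1, NF_BR_FWD = 2, NF_BR_POST = 3 };

struct skb_model {
    unsigned int nf_bridge_state : 2;   /* replaces the nf_bridge pointer */
};

struct brnf_meta {                       /* bridge netfilter private data */
    int physindev;                       /* constructed stand-in for an ifindex */
    int physoutdev;
    unsigned int frag_max_size;
};

/* External store keyed by skb address: a simple chained hash standing in
 * for the rhashtable used by the series. */
#define NBUCKETS 64
struct brnf_entry { const struct skb_model *key; struct brnf_meta meta; struct brnf_entry *next; };
static struct brnf_entry *store[NBUCKETS];
static unsigned long lookups;            /* hash lookups performed so far */

static unsigned int hash_skb(const struct skb_model *skb)
{
    return (unsigned int)(((uintptr_t)skb >> 4) % NBUCKETS);
}

static struct brnf_entry *store_find(const struct skb_model *skb)
{
    lookups++;
    for (struct brnf_entry *e = store[hash_skb(skb)]; e; e = e->next)
        if (e->key == skb)
            return e;
    return NULL;
}

static int store_insert(const struct skb_model *skb, const struct brnf_meta *m)
{
    struct brnf_entry *e = calloc(1, sizeof *e);
    if (!e)
        return -1;
    e->key = skb;
    e->meta = *m;
    unsigned int b = hash_skb(skb);
    e->next = store[b];
    store[b] = e;
    return 0;
}

static void store_remove(const struct skb_model *skb)
{
    for (struct brnf_entry **pp = &store[hash_skb(skb)]; *pp; pp = &(*pp)->next) {
        if ((*pp)->key == skb) {
            struct brnf_entry *e = *pp;
            *pp = e->next;
            free(e);
            return;
        }
    }
}

size_t store_count(void)
{
    size_t n = 0;
    for (unsigned int b = 0; b < NBUCKETS; b++)
        for (struct brnf_entry *e = store[b]; e; e = e->next)
            n++;
    return n;
}

unsigned long store_lookup_count(void) { return lookups; }

struct skb_model *skb_alloc_model(void) { return calloc(1, sizeof(struct skb_model)); }

/* On-demand accessor: the 2-bit state short-circuits the lookup for
 * non-bridged skbs, which is the whole point of keeping those bits. */
struct brnf_meta *nf_bridge_info_get(const struct skb_model *skb)
{
    if (skb->nf_bridge_state == NF_BR_NONE)
        return NULL;
    struct brnf_entry *e = store_find(skb);
    return e ? &e->meta : NULL;
}

/* Mark skb as bridged and publish its metadata; refuses to attach twice. */
int nf_bridge_attach(struct skb_model *skb, unsigned int state, const struct brnf_meta *m)
{
    if (state == NF_BR_NONE || skb->nf_bridge_state != NF_BR_NONE)
        return -1;
    if (store_insert(skb, m))
        return -1;
    skb->nf_bridge_state = state;
    return 0;
}

/* skb_clone analogue: copy the skb, and duplicate the metadata entry only
 * when the state bits say there is one. */
struct skb_model *skb_clone_model(const struct skb_model *skb)
{
    struct skb_model *n = malloc(sizeof *n);
    if (!n)
        return NULL;
    *n = *skb;
    if (n->nf_bridge_state != NF_BR_NONE) {
        const struct brnf_meta *m = nf_bridge_info_get(skb);
        if (!m || store_insert(n, m)) {
            free(n);
            return NULL;
        }
    }
    return n;
}

/* kfree_skb analogue: drop the metadata with the skb so the key (the skb
 * address) can never dangle into the table after the skb is reused. */
void kfree_skb_model(struct skb_model *skb)
{
    if (!skb)
        return;
    if (skb->nf_bridge_state != NF_BR_NONE)
        store_remove(skb);
    free(skb);
}
```

Running the model with one plain skb and one bridged skb that is cloned and then freed shows the two properties the cover letter relies on: the plain skb never causes a hash lookup, and the clone keeps its own copy of the metadata after the original is freed, so the table is empty only once both are gone.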
Thread overview: 19+ messages
2015-04-01 20:36 Florian Westphal [this message]
2015-04-01 20:36 ` [PATCH nf-next 01/14] netfilter: bridge: really save frag_max_size between PRE and POST_ROUTING Florian Westphal
2015-04-02 8:53 ` Pablo Neira Ayuso
2015-04-02 8:54 ` Pablo Neira Ayuso
2015-04-01 20:36 ` [PATCH nf-next 02/14] net: untangle ip_fragment and bridge netfilter Florian Westphal
2015-04-02 3:09 ` David Miller
2015-04-02 12:16 ` Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 03/14] netfilter: bridge: don't use nf_bridge_info data to store mac header Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 04/14] netfilter: bridge: start splitting mask into public/private chunks Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 05/14] netfilter: bridge: make BRNF_PKT_TYPE flag a bool Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 06/14] netfilter: bridge: rename and resize 'data' field Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 07/14] netfilter: bridge: add helpers for fetching physin/outdev Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 08/14] netfilter: physdev: use helpers Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 09/14] netfilter: bridge: add and use nf_bridge_info_get helper Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 10/14] netfilter: bridge: move bridge netfilter state into sk_buff Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 11/14] netfilter: bridge: remove skb->nf_bridge Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 12/14] netfilter: bridge: discard nf_bridge info on xmit Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 13/14] netfilter: bridge: neigh_head and physoutdev can't be used at same time Florian Westphal
2015-04-01 20:36 ` [PATCH nf-next 14/14] netfilter: bridge: hold physinport ref during neigh resolution Florian Westphal