* [PATCH] nftables: add flags offload to flowtable
@ 2021-03-21 16:49 Frank Wunderlich
2021-03-25 11:14 ` Pablo Neira Ayuso
0 siblings, 1 reply; 2+ messages in thread
From: Frank Wunderlich @ 2021-03-21 16:49 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Frank Wunderlich, netfilter-devel
From: Frank Wunderlich <frank-w@public-files.de>
Allow flags (currently only offload) in flowtables, as stated
here: https://lwn.net/Articles/804384/
Tested on mt7622/Bananapi-R64
	table ip filter {
		flowtable f {
			hook ingress priority filter + 1
			devices = { lan3, lan0, wan }
			flags offload;
		}

		chain forward {
			type filter hook forward priority filter; policy accept;
			ip protocol { tcp, udp } flow add @f
		}
	}

	table ip nat {
		chain post {
			type nat hook postrouting priority filter; policy accept;
			oifname "wan" masquerade
		}
	}
Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
---
include/rule.h | 8 ++++++++
src/mnl.c | 5 +++++
src/netlink.c | 2 ++
src/parser_bison.y | 7 +++++++
src/rule.c | 4 ++++
5 files changed, 26 insertions(+)
diff --git a/include/rule.h b/include/rule.h
index 523435f6f5d5..4ef24eb4ec63 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -187,6 +187,14 @@ enum chain_flags {
CHAIN_F_BINDING = 0x4,
};
+/**
+ * enum flowtable_flags - flowtable flags
+ *
+ */
+enum flowtable_flags {
+ FLOWTABLE_F_HW_OFFLOAD = 0x1, /* NF_FLOWTABLE_HW_OFFLOAD in linux nf_flow_table.h */
+};
+
/**
* struct prio_spec - extendend priority specification for mixed
* textual/numerical parsing.
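Review bot: The kernel-doc block above enum flowtable_flags is empty, and the inline comment on FLOWTABLE_F_HW_OFFLOAD names NF_FLOWTABLE_HW_OFFLOAD while the src/mnl.c and src/rule.c hunks of this patch use NFT_FLOWTABLE_HW_OFFLOAD. Add a one-line description of the member to the comment block and make the inline comment name the constant the code actually relies on, so a reader can tell which definition the 0x1 value has to stay in sync with.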
diff --git a/src/mnl.c b/src/mnl.c
index deea586f9b00..ffbfe48158de 100644
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1779,6 +1779,11 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
}
+ if (cmd->flowtable->flags & FLOWTABLE_F_HW_OFFLOAD) {
+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FLAGS,
+ NFT_FLOWTABLE_HW_OFFLOAD);
+ }
+
if (cmd->flowtable->dev_expr) {
dev_array = nft_flowtable_dev_array(cmd);
nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
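Review bot: The NFTNL_FLOWTABLE_FLAGS write in the new if block carries only NFT_FLOWTABLE_HW_OFFLOAD, so any other bit held in cmd->flowtable->flags is left out of it. The src/rule.c context in this same patch shows NFT_FLOWTABLE_COUNTER living in the same flags field; if another statement in mnl_nft_flowtable_add() also sets NFTNL_FLOWTABLE_FLAGS, whichever call runs last replaces the other's value. A single nftnl_flowtable_set_u32() call that passes the complete flags word would avoid the question. The braces around the single statement can also be dropped.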
diff --git a/src/netlink.c b/src/netlink.c
index 8c86789b8369..103fdbd10690 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1598,6 +1598,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
xstrdup(nftnl_flowtable_get_str(nlo, NFTNL_FLOWTABLE_NAME));
flowtable->handle.handle.id =
nftnl_flowtable_get_u64(nlo, NFTNL_FLOWTABLE_HANDLE);
+ if (nftnl_flowtable_is_set(nlo, NFTNL_FLOWTABLE_FLAGS))
+ flowtable->flags = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_FLAGS);
dev_array = nftnl_flowtable_get(nlo, NFTNL_FLOWTABLE_DEVICES);
while (dev_array[len])
len++;
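Review bot: The assignment flowtable->flags = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_FLAGS) stores the kernel's flag word unchanged, while the parser path in this patch sets the nft-internal FLOWTABLE_F_HW_OFFLOAD bit on the same field. The two representations agree only as long as both constants keep the same value. Either translate the bits here the way src/mnl.c translates them in the other direction, or state in a comment that flowtable->flags holds kernel flag values as-is.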
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 08a2599e5374..6d69071b1c2d 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1993,6 +1993,7 @@ flowtable_block_alloc : /* empty */
flowtable_block : /* empty */ { $$ = $<flowtable>-1; }
| flowtable_block common_block
| flowtable_block stmt_separator
+ | flowtable_block ft_flags_spec stmt_separator
| flowtable_block HOOK STRING prio_spec stmt_separator
{
$$->hook.loc = @3;
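Review bot: The new alternative "flowtable_block ft_flags_spec stmt_separator" extends the accepted ruleset syntax, but the diffstat lists only include/rule.h and four files under src/, so the "flags offload" statement arrives without documentation or a test. Please add it to the flowtable section of the documentation and include a test that loads the example ruleset from the commit message and checks that listing it prints the flag back.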
@@ -2375,6 +2376,12 @@ flags_spec : FLAGS OFFLOAD
}
;
+ft_flags_spec : FLAGS OFFLOAD
+ {
+ $<flowtable>0->flags |= FLOWTABLE_F_HW_OFFLOAD;
+ }
+ ;
+
policy_spec : POLICY policy_expr
{
if ($<chain>0->policy) {
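Review bot: ft_flags_spec reaches the flowtable through $<flowtable>0, which is valid only when the symbol directly before it on the parser stack is the flowtable_block, as in the one alternative added in the previous hunk; a short comment stating that constraint would guard against the rule being reused elsewhere. The rule also accepts exactly one flag and repeats the FLAGS OFFLOAD token sequence of flags_spec, so every further flowtable flag will need another grammar change. A flag list that ORs each parsed flag into the field would scale better.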
diff --git a/src/rule.c b/src/rule.c
index 1c6010c001c5..f7f905095cbe 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2223,6 +2223,10 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
nft_print(octx, " }%s", opts->stmt_separator);
}
+ if (flowtable->flags & NFT_FLOWTABLE_HW_OFFLOAD)
+ nft_print(octx, "%s%sflags offload;%s", opts->tab, opts->tab,
+ opts->stmt_separator);
+
if (flowtable->flags & NFT_FLOWTABLE_COUNTER)
nft_print(octx, "%s%scounter%s", opts->tab, opts->tab,
opts->stmt_separator);
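Review bot: The new test "flowtable->flags & NFT_FLOWTABLE_HW_OFFLOAD" uses the kernel constant, while the parser sets FLOWTABLE_F_HW_OFFLOAD from include/rule.h on the same field. Pick one name for the field and use it in both places: either test FLOWTABLE_F_HW_OFFLOAD here, or drop the new enum and use the NFT_FLOWTABLE_* constants throughout, as the existing NFT_FLOWTABLE_COUNTER check just below already does.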
--
2.25.1
* Re: [PATCH] nftables: add flags offload to flowtable
2021-03-21 16:49 [PATCH] nftables: add flags offload to flowtable Frank Wunderlich
@ 2021-03-25 11:14 ` Pablo Neira Ayuso
0 siblings, 0 replies; 2+ messages in thread
From: Pablo Neira Ayuso @ 2021-03-25 11:14 UTC (permalink / raw)
To: Frank Wunderlich; +Cc: Frank Wunderlich, netfilter-devel
On Sun, Mar 21, 2021 at 05:49:16PM +0100, Frank Wunderlich wrote:
> From: Frank Wunderlich <frank-w@public-files.de>
>
> allow flags (currently only offload) in flowtables like it is stated
> here: https://lwn.net/Articles/804384/
>
> tested on mt7622/Bananapi-R64
>
> 	table ip filter {
> 		flowtable f {
> 			hook ingress priority filter + 1
> 			devices = { lan3, lan0, wan }
> 			flags offload;
> 		}
>
> 		chain forward {
> 			type filter hook forward priority filter; policy accept;
> 			ip protocol { tcp, udp } flow add @f
> 		}
> 	}
>
> 	table ip nat {
> 		chain post {
> 			type nat hook postrouting priority filter; policy accept;
> 			oifname "wan" masquerade
> 		}
> 	}
Applied, thanks.