From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf-next,v3 4/6] netfilter: nft_inner: add percpu inner context
Date: Fri, 7 Oct 2022 11:16:12 +0200 [thread overview]
Message-ID: <20221007091614.339582-5-pablo@netfilter.org> (raw)
In-Reply-To: <20221007091614.339582-1-pablo@netfilter.org>
Add NFT_PKTINFO_INNER_FULL flag to annotate that inner offsets are
available. Store nft_inner_tun_ctx object in percpu area to cache
existing inner offsets for this skbuff.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
v3: update percpu tunnel context if header parsing is successful,
to avoid possible inconsistent state in tunnel context.
include/net/netfilter/nf_tables.h | 1 +
include/net/netfilter/nf_tables_core.h | 1 +
net/netfilter/nft_inner.c | 26 ++++++++++++++++++++++----
3 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index c5827f8a0010..e2296ab5c83e 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -24,6 +24,7 @@ struct module;
enum {
NFT_PKTINFO_L4PROTO = (1 << 0),
NFT_PKTINFO_INNER = (1 << 1),
+ NFT_PKTINFO_INNER_FULL = (1 << 2),
};
struct nft_pktinfo {
diff --git a/include/net/netfilter/nf_tables_core.h b/include/net/netfilter/nf_tables_core.h
index d80ec9a371a9..c05b690eb348 100644
--- a/include/net/netfilter/nf_tables_core.h
+++ b/include/net/netfilter/nf_tables_core.h
@@ -148,6 +148,7 @@ enum {
};
struct nft_inner_tun_ctx {
+ u8 type;
u8 inner_tunoff;
u8 inner_lloff;
u8 inner_nhoff;
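Review bot: The new `type` field carries no comment saying what it identifies, even though the other members of struct nft_inner_tun_ctx are self-describing offsets and this one is a discriminator that nft_inner_parse_needed() compares against `priv->type` in nft_inner.c. Since the struct is now also used as a per-CPU cache, a reader needs to know the field is what makes a cached context (in)valid for a given expression. Suggest `u8 type; /* nft_inner priv->type this context was parsed for; mismatch forces a reparse */`. Whether `priv->type` is itself a u8, so that no truncation can alias two tunnel types, is not visible in this patch and should be confirmed.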
diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c
index 9f72ab854423..61d02f97fda0 100644
--- a/net/netfilter/nft_inner.c
+++ b/net/netfilter/nft_inner.c
@@ -21,6 +21,8 @@
#include <linux/ip.h>
#include <linux/ipv6.h>
+static DEFINE_PER_CPU(struct nft_inner_tun_ctx, nft_pcpu_tun_ctx);
+
struct __nft_expr {
const struct nft_expr_ops *ops;
union {
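Review bot: `nft_pcpu_tun_ctx` is introduced without any comment on its lifetime contract, and a bare DEFINE_PER_CPU of a scratch struct gives a maintainer no hint that its contents are only meaningful for the packet currently being evaluated on this CPU and are revalidated through pkt->flags. Suggest a comment above the definition: `/* Per-CPU cache of inner tunnel offsets for the skb currently under evaluation; valid only while NFT_PKTINFO_INNER_FULL is set on the pktinfo and ->type matches the expression, see nft_inner_parse_needed(). */`. Any requirement that evaluation not be preempted by another nft_inner evaluation on the same CPU belongs in that comment too.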
@@ -169,7 +171,7 @@ static int nft_inner_parse_tunhdr(const struct nft_inner *priv,
}
static int nft_inner_parse(const struct nft_inner *priv,
- const struct nft_pktinfo *pkt,
+ struct nft_pktinfo *pkt,
struct nft_inner_tun_ctx *tun_ctx)
{
struct nft_inner_tun_ctx ctx = {};
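Review bot: Dropping `const` from `pkt` in nft_inner_parse() exists only so the function can set `pkt->flags |= NFT_PKTINFO_INNER_FULL`, and it pushes a `(struct nft_pktinfo *)pkt` cast into nft_inner_eval(), whose ops->eval signature still takes `const struct nft_pktinfo *`. That cast is only well-defined because the pktinfo is presumably never an object defined const, which the patch does not state anywhere. Suggest recording that in the parser's header comment, e.g. `/* pkt is const at the ops->eval boundary; ->flags is the only field written here, to mark the per-CPU tunnel context as valid for this skb */`. The body of nft_inner_parse() continues outside this hunk.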
@@ -188,25 +190,41 @@ static int nft_inner_parse(const struct nft_inner *priv,
}
*tun_ctx = ctx;
+ tun_ctx->type = priv->type;
+ pkt->flags |= NFT_PKTINFO_INNER_FULL;
return 0;
}
+static bool nft_inner_parse_needed(const struct nft_inner *priv,
+ const struct nft_pktinfo *pkt,
+ const struct nft_inner_tun_ctx *tun_ctx)
+{
+ if (!(pkt->flags & NFT_PKTINFO_INNER_FULL))
+ return true;
+
+ if (priv->type != tun_ctx->type)
+ return true;
+
+ return false;
+}
+
static void nft_inner_eval(const struct nft_expr *expr, struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
+ struct nft_inner_tun_ctx *tun_ctx = this_cpu_ptr(&nft_pcpu_tun_ctx);
const struct nft_inner *priv = nft_expr_priv(expr);
- struct nft_inner_tun_ctx tun_ctx = {};
if (nft_payload_inner_offset(pkt) < 0)
goto err;
- if (nft_inner_parse(priv, pkt, &tun_ctx) < 0)
+ if (nft_inner_parse_needed(priv, pkt, tun_ctx) &&
+ nft_inner_parse(priv, (struct nft_pktinfo *)pkt, tun_ctx) < 0)
goto err;
switch (priv->expr_type) {
case NFT_INNER_EXPR_PAYLOAD:
- nft_payload_inner_eval((struct nft_expr *)&priv->expr, regs, pkt, &tun_ctx);
+ nft_payload_inner_eval((struct nft_expr *)&priv->expr, regs, pkt, tun_ctx);
break;
default:
WARN_ON_ONCE(1);
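Review bot: The cache validity check in nft_inner_parse_needed() keys on a flag stored in `pkt` and a type stored in the per-CPU struct, but nothing ties the per-CPU contents to the skb that set the flag: if a second nft_inner evaluation for a different skb runs on the same CPU between two expressions of the same rule (for example a softirq interrupting an evaluation in process context, if nft_inner_eval can be reached without bottom halves disabled), the first packet keeps NFT_PKTINFO_INNER_FULL set while `tun_ctx` now holds the other packet's offsets, and nft_payload_inner_eval() reads inner headers at the wrong offsets. Whether such nesting is reachable depends on hook contexts outside this patch, so it should be confirmed or ruled out explicitly. Either the check needs an identity of the skb the context was parsed for, or the per-CPU access needs a guarantee (bh disabled across the this_cpu_ptr() use) stated in a comment next to `this_cpu_ptr(&nft_pcpu_tun_ctx)`, e.g. `/* per-CPU ctx is reused across expressions of one evaluation; relies on no other nft_inner evaluation running on this CPU in between */`. nft_inner_eval() continues past the end of this hunk.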
--
2.30.2