From: Florian Westphal <fw@strlen.de>
To: <netfilter-devel@vger.kernel.org>
Cc: lorenzo@kernel.org, <netdev@vger.kernel.org>,
Florian Westphal <fw@strlen.de>
Subject: [PATCH nf-next 6/8] netfilter: nf_tables: add xdp offload flag
Date: Tue, 21 Nov 2023 13:27:49 +0100 [thread overview]
Message-ID: <20231121122800.13521-7-fw@strlen.de> (raw)
In-Reply-To: <20231121122800.13521-1-fw@strlen.de>
Also make sure this flag cannot be set or cleared, just like
with the regular hw offload flag.
Otherwise we'd have to add more complexity and explicitly
withdraw or add the device to the netdev -> flowtable mapping.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/net/netfilter/nf_flow_table.h | 1 +
include/uapi/linux/netfilter/nf_tables.h | 5 ++++-
net/netfilter/nf_tables_api.c | 14 ++++++++++++--
3 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index 6598ac455d17..11985d9b8370 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -70,6 +70,7 @@ struct nf_flowtable_type {
enum nf_flowtable_flags {
NF_FLOWTABLE_HW_OFFLOAD = 0x1, /* NFT_FLOWTABLE_HW_OFFLOAD */
NF_FLOWTABLE_COUNTER = 0x2, /* NFT_FLOWTABLE_COUNTER */
+ NF_FLOWTABLE_XDP_OFFLOAD = 0x4, /* NFT_FLOWTABLE_XDP_OFFLOAD */
};
struct nf_flowtable {
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index ca30232b7bc8..ed297dc77288 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1675,12 +1675,15 @@ enum nft_object_attributes {
*
* @NFT_FLOWTABLE_HW_OFFLOAD: flowtable hardware offload is enabled
* @NFT_FLOWTABLE_COUNTER: enable flow counters
+ * @NFT_FLOWTABLE_XDP_OFFLOAD: flowtable xdp offload is enabled
*/
enum nft_flowtable_flags {
NFT_FLOWTABLE_HW_OFFLOAD = 0x1,
NFT_FLOWTABLE_COUNTER = 0x2,
+ NFT_FLOWTABLE_XDP_OFFLOAD = 0x4,
NFT_FLOWTABLE_MASK = (NFT_FLOWTABLE_HW_OFFLOAD |
- NFT_FLOWTABLE_COUNTER)
+ NFT_FLOWTABLE_COUNTER |
+ NFT_FLOWTABLE_XDP_OFFLOAD),
};
/**
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 7437b997ca7e..4e21311ec768 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8288,6 +8288,15 @@ static void nft_hooks_destroy(struct list_head *hook_list)
}
}
+static bool nft_flowtable_flag_changes(const struct nf_flowtable *ft,
+ unsigned int new_flags, enum nft_flowtable_flags flag)
+{
+ if ((ft->flags & flag) ^ (new_flags & flag))
+ return true;
+
+ return false;
+}
+
static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
struct nft_flowtable *flowtable,
struct netlink_ext_ack *extack)
@@ -8318,8 +8327,9 @@ static int nft_flowtable_update(struct nft_ctx *ctx, const struct nlmsghdr *nlh,
err = -EOPNOTSUPP;
goto err_flowtable_update_hook;
}
- if ((flowtable->ft->flags & NFT_FLOWTABLE_HW_OFFLOAD) ^
- (flags & NFT_FLOWTABLE_HW_OFFLOAD)) {
+
+ if (nft_flowtable_flag_changes(flowtable->ft, flags, NFT_FLOWTABLE_HW_OFFLOAD) ||
+ nft_flowtable_flag_changes(flowtable->ft, flags, NFT_FLOWTABLE_XDP_OFFLOAD)) {
err = -EOPNOTSUPP;
goto err_flowtable_update_hook;
}
--
2.41.0
next prev parent reply other threads:[~2023-11-21 12:28 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-21 12:27 [PATCH nf-next 0/8] netfilter: make nf_flowtable lifetime differ from container struct Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 1/8] netfilter: flowtable: move nf_flowtable out of container structures Florian Westphal
2023-11-23 13:52 ` Simon Horman
2023-11-23 14:10 ` Florian Westphal
2023-11-25 8:26 ` Simon Horman
2023-11-25 8:36 ` Simon Horman
2023-11-21 12:27 ` [PATCH nf-next 2/8] netfilter: nf_flowtable: replace init callback with a create one Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 3/8] netfilter: nf_flowtable: make free a real free function Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 4/8] netfilter: nf_flowtable: delay flowtable release a second time Florian Westphal
2023-11-21 12:27 ` [PATCH nf-next 5/8] netfilter: nf_tables: reject flowtable hw offload for same device Florian Westphal
2023-11-21 12:27 ` Florian Westphal [this message]
2023-11-21 12:27 ` [PATCH nf-next 7/8] netfilter: nf_tables: add flowtable map for xdp offload Florian Westphal
2023-11-21 14:25 ` Lorenzo Bianconi
2023-11-24 10:59 ` Toke Høiland-Jørgensen
2023-11-30 13:53 ` Florian Westphal
2023-11-30 14:17 ` Toke Høiland-Jørgensen
2023-11-21 12:27 ` [PATCH nf-next 8/8] netfilter: nf_tables: permit duplicate flowtable mappings Florian Westphal
2023-11-24 9:50 ` [PATCH nf-next 0/8] netfilter: make nf_flowtable lifetime differ from container struct Pablo Neira Ayuso
2023-11-24 9:55 ` Florian Westphal
2023-11-24 10:10 ` Pablo Neira Ayuso
2023-11-24 10:16 ` Florian Westphal
2023-11-24 10:48 ` Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231121122800.13521-7-fw@strlen.de \
--to=fw@strlen.de \
--cc=lorenzo@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).