From patchwork Sun Oct 13 18:54:57 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Woudstra X-Patchwork-Id: 13834028 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 40D87CF2579 for ; Sun, 13 Oct 2024 18:58:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender:List-Subscribe:List-Help :List-Post:List-Archive:List-Unsubscribe:List-Id:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: Reply-To:Content-Type:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Owner; bh=GbZ+4AfljpB6Mob7lVDrAx0dHSaVOpAjB7zGVS+eC1Y=; b=w7ajQzqdyZZsSOAStL88vBqkNA gYPUTm7/vpGuq5mzKGMurJL8BpcBEd4RSK+BnurYICITzJ0zby93k/filqDh67Y3pZWxu0oPh6iZ2 9MeqFSDHgKctvHG1ubOeCMEDHkMiFtzGLUXxxjKpEgWyqGdIH/GdOJHOqMs4b60KKejd7GX5gCnod y23GY6kvOnTCyiNa85QR8rwHazUjui7bb8TyLWGkh2Ecp3Xt0bFklqm4KlUZSrT/q/NbAKNQiSOq5 /rCdqVOR0xZIFu4j2tHPVD+KdEq4ks80JYvZ1nGvqPSRlHaLwrmJPBO/cgfjBi03gvmZnGvcEc3RL QEt05qSA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.98 #2 (Red Hat Linux)) id 1t03nM-000000035BV-280I; Sun, 13 Oct 2024 18:58:24 +0000 Received: from mail-ej1-x631.google.com ([2a00:1450:4864:20::631]) by bombadil.infradead.org with esmtps (Exim 4.98 #2 (Red Hat Linux)) id 1t03kc-000000034Xz-3ZFZ; Sun, 13 Oct 2024 18:55:36 +0000 Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-a9963e47b69so570259966b.1; Sun, 13 Oct 2024 11:55:34 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1728845733; x=1729450533; darn=lists.infradead.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=GbZ+4AfljpB6Mob7lVDrAx0dHSaVOpAjB7zGVS+eC1Y=; b=GL45tKWrxshfBGXbhw2tpDuMBz7JSJhHjPS5DnRvub0gCGblMfh1yR0QGGxqcYOkfv 0kUy0DcP4TgBd5yPjLWUrIJcITeH3EkE3bBYKw0OksqyqWjlWXWMGt8jdJyb8TLC9rOE 7lOiluXVo3h3lGp+cHt456DgX8gv+JR93jpUieHBVgkjiWYXOPxrszowNbi0Dp4F5GS/ 5VxF6VqRDeFM9R3ceTFwVmcu++sdHk1Xo0M9aiYXi88JGR34nioG0HKTWD4qUNW3IYhF HyGcj4vftH/h5/2c6oQQvkKd1YCJPlo3Zj2o+c4XOPlZcC0g3PY3z+CHL3/9Zt02BBMQ un8g== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1728845733; x=1729450533; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=GbZ+4AfljpB6Mob7lVDrAx0dHSaVOpAjB7zGVS+eC1Y=; b=o38zIR6wzDx9cVx19pqDoV1S3TscZXvlF5zxQEOUIKTbCDfS9Mq38/Z40EBcy9824V DJ2ZkTIlWCPZgX0dMaMlwrs+/aUAoZtKvcHXau+/8LAFwkeILfoAYMWvKdBqwiU0FHPB 4gWTaJFSrDid52D63+DIoB3qMHZ50o7wfrLEa/uNeG0LoAUVQ5nRp6RNufRO+zOcXZ+M qLO16uy10YFjJx09LdEBRc5h9F1Aknba30ayKSa2HpP4ccwxfTtgu411bvDsjO72QANf DLFjTmlDTQ9JFa26wsCT7ueLi1eXO03kcXZzphwUaEac5c6T4uduX6yFhzOWURiY4VHo dypQ== X-Forwarded-Encrypted: i=1; AJvYcCV/jl40jSQxoB4w4ypXjjepqhPKSXAjclJz3Kp8A2BukQayvq/m8er5Wh5XL7CiQQUD//jIewuAHkF+gCKfDjc=@lists.infradead.org, AJvYcCVNWGJb4qEfHx/8H8AM5bQsYlSw+qMEI27onMKVQ0NbHeO7dsb8Vmw9pUSZul+bHX+4wJOIhIKVQPEFQ2uuIjuk@lists.infradead.org X-Gm-Message-State: AOJu0YxkwN/4LnqMt+W+wnIV7Y09YBAj/pe6GX4aekqeRB5C7DXtut08 EpQUi8Oa1j1zvaC16VD/0pv4OqN2nCcWB4pftkDkXFG/qKo1ZqfJ X-Google-Smtp-Source: AGHT+IHBwmUQlNXjLHzouwP3A/HnrJ9ShbIZ6PYI3ty3qPemvkmnTevcw0/QiFnh3+dIcw+vQiViIw== X-Received: by 2002:a17:907:d1a:b0:a9a:72c:f36f with SMTP id a640c23a62f3a-a9a072cf878mr239291766b.50.1728845732725; Sun, 13 Oct 2024 11:55:32 -0700 (PDT) Received: from corebook.localdomain (2001-1c00-020d-1300-1b1c-4449-176a-89ea.cable.dynamic.v6.ziggo.nl. [2001:1c00:20d:1300:1b1c:4449:176a:89ea]) by smtp.gmail.com with ESMTPSA id a640c23a62f3a-a9a12d384b9sm13500866b.172.2024.10.13.11.55.31 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sun, 13 Oct 2024 11:55:32 -0700 (PDT) From: Eric Woudstra To: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Pablo Neira Ayuso , Jozsef Kadlecsik , Roopa Prabhu , Nikolay Aleksandrov , Matthias Brugger , AngeloGioacchino Del Regno , Jiri Pirko , Sebastian Andrzej Siewior , Lorenzo Bianconi , "Frank Wunderlich" , Daniel Golle , Eric Woudstra Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org Subject: [PATCH RFC v1 net-next 01/12] netfilter: nf_flow_table_offload: Add nf_flow_encap_push() for xmit direct Date: Sun, 13 Oct 2024 20:54:57 +0200 Message-ID: <20241013185509.4430-2-ericwouds@gmail.com> X-Mailer: git-send-email 2.45.2 In-Reply-To: <20241013185509.4430-1-ericwouds@gmail.com> References: <20241013185509.4430-1-ericwouds@gmail.com> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20241013_115534_915539_C5AB6D02 X-CRM114-Status: GOOD ( 19.31 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org Loosely based on wenxu's patches: "nf_flow_table_offload: offload the vlan/PPPoE encap in the flowtable". Fixed double vlan and pppoe packets, almost entirely rewriting the patch. After this patch, it is possible to transmit packets in the fastpath with outgoing encaps, without using vlan- and/or pppoe-devices. This makes it possible to use more different kinds of network setups. For example, when bridge tagging is used to egress vlan tagged packets using the forward fastpath. Another example is passing 802.1q tagged packets through a bridge using the bridge fastpath. This also makes the software fastpath process more similar to the hardware offloaded fastpath process, where encaps are also pushed. After applying this patch, always info->outdev = info->hw_outdev, so the netfilter code can be further cleaned up by removing: * hw_outdev from struct nft_forward_info * out.hw_ifindex from struct nf_flow_route * out.hw_ifidx from struct flow_offload_tuple Signed-off-by: Eric Woudstra --- net/netfilter/nf_flow_table_ip.c | 96 +++++++++++++++++++++++++++++++- net/netfilter/nft_flow_offload.c | 6 +- 2 files changed, 96 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_flow_table_ip.c b/net/netfilter/nf_flow_table_ip.c index 98edcaa37b38..9221ddb6f07a 100644 --- a/net/netfilter/nf_flow_table_ip.c +++ b/net/netfilter/nf_flow_table_ip.c @@ -302,6 +302,92 @@ static bool nf_flow_skb_encap_protocol(struct sk_buff *skb, __be16 proto, return false; } +static inline int nf_flow_vlan_inner_push(struct sk_buff *skb, __be16 proto, u16 id) +{ + struct vlan_hdr *vhdr; + + if (skb_cow_head(skb, VLAN_HLEN)) + return -1; + + __skb_push(skb, VLAN_HLEN); + skb_reset_network_header(skb); + + vhdr = (struct vlan_hdr *)(skb->data); + vhdr->h_vlan_TCI = htons(id); + vhdr->h_vlan_encapsulated_proto = skb->protocol; + skb->protocol = proto; + + return 0; +} + +static inline int nf_flow_ppoe_push(struct sk_buff *skb, u16 id) +{ + struct ppp_hdr { + struct pppoe_hdr hdr; + __be16 proto; + } *ph; + int data_len = skb->len + 2; + __be16 proto; + + if (skb_cow_head(skb, PPPOE_SES_HLEN)) + return -1; + + if (skb->protocol == htons(ETH_P_IP)) + proto = htons(PPP_IP); + else if (skb->protocol == htons(ETH_P_IPV6)) + proto = htons(PPP_IPV6); + else + return -1; + + __skb_push(skb, PPPOE_SES_HLEN); + skb_reset_network_header(skb); + + ph = (struct ppp_hdr *)(skb->data); + ph->hdr.ver = 1; + ph->hdr.type = 1; + ph->hdr.code = 0; + ph->hdr.sid = htons(id); + ph->hdr.length = htons(data_len); + ph->proto = proto; + skb->protocol = htons(ETH_P_PPP_SES); + + return 0; +} + +static int nf_flow_encap_push(struct sk_buff *skb, + struct flow_offload_tuple_rhash *tuplehash, + unsigned short *type) +{ + int i = 0, ret = 0; + + if (!tuplehash->tuple.encap_num) + return 0; + + if (tuplehash->tuple.encap[i].proto == htons(ETH_P_8021Q) || + tuplehash->tuple.encap[i].proto == htons(ETH_P_8021AD)) { + __vlan_hwaccel_put_tag(skb, tuplehash->tuple.encap[i].proto, + tuplehash->tuple.encap[i].id); + i++; + if (i >= tuplehash->tuple.encap_num) + return 0; + } + + switch (tuplehash->tuple.encap[i].proto) { + case htons(ETH_P_8021Q): + *type = ETH_P_8021Q; + ret = nf_flow_vlan_inner_push(skb, + tuplehash->tuple.encap[i].proto, + tuplehash->tuple.encap[i].id); + break; + case htons(ETH_P_PPP_SES): + *type = ETH_P_PPP_SES; + ret = nf_flow_ppoe_push(skb, + tuplehash->tuple.encap[i].id); + break; + } + return ret; +} + static void nf_flow_encap_pop(struct sk_buff *skb, struct flow_offload_tuple_rhash *tuplehash) { @@ -331,6 +417,7 @@ static void nf_flow_encap_pop(struct sk_buff *skb, static unsigned int nf_flow_queue_xmit(struct net *net, struct sk_buff *skb, const struct flow_offload_tuple_rhash *tuplehash, + struct flow_offload_tuple_rhash *other_tuplehash, unsigned short type) { struct net_device *outdev; @@ -339,6 +426,9 @@ static unsigned int nf_flow_queue_xmit(struct net *net, struct sk_buff *skb, if (!outdev) return NF_DROP; + if (nf_flow_encap_push(skb, other_tuplehash, &type) < 0) + return NF_DROP; + skb->dev = outdev; dev_hard_header(skb, skb->dev, type, tuplehash->tuple.out.h_dest, tuplehash->tuple.out.h_source, skb->len); @@ -458,7 +548,8 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, ret = NF_STOLEN; break; case FLOW_OFFLOAD_XMIT_DIRECT: - ret = nf_flow_queue_xmit(state->net, skb, tuplehash, ETH_P_IP); + ret = nf_flow_queue_xmit(state->net, skb, tuplehash, + &flow->tuplehash[!dir], ETH_P_IP); if (ret == NF_DROP) flow_offload_teardown(flow); break; @@ -753,7 +844,8 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, ret = NF_STOLEN; break; case FLOW_OFFLOAD_XMIT_DIRECT: - ret = nf_flow_queue_xmit(state->net, skb, tuplehash, ETH_P_IPV6); + ret = nf_flow_queue_xmit(state->net, skb, tuplehash, + &flow->tuplehash[!dir], ETH_P_IPV6); if (ret == NF_DROP) flow_offload_teardown(flow); break; diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c index e8f800788c4a..bb15aa55e6fb 100644 --- a/net/netfilter/nft_flow_offload.c +++ b/net/netfilter/nft_flow_offload.c @@ -124,13 +124,12 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, info->indev = NULL; break; } - if (!info->outdev) - info->outdev = path->dev; info->encap[info->num_encaps].id = path->encap.id; info->encap[info->num_encaps].proto = path->encap.proto; info->num_encaps++; if (path->type == DEV_PATH_PPPOE) memcpy(info->h_dest, path->encap.h_dest, ETH_ALEN); + info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT; break; case DEV_PATH_BRIDGE: if (is_zero_ether_addr(info->h_source)) @@ -158,8 +157,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack, break; } } - if (!info->outdev) - info->outdev = info->indev; + info->outdev = info->indev; info->hw_outdev = info->indev;