From patchwork Fri Feb 28 20:15:18 2025
X-Patchwork-Submitter: Eric Woudstra
X-Patchwork-Id: 13997098
From: Eric Woudstra
To: Michal Ostrowski, Andrew Lunn, "David S. Miller", Eric Dumazet,
    Jakub Kicinski, Paolo Abeni, Simon Horman, Pablo Neira Ayuso,
    Jozsef Kadlecsik, Jiri Pirko, Ivan Vecera, Roopa Prabhu,
    Nikolay Aleksandrov, Matthias Brugger, AngeloGioacchino Del Regno,
    Kuniyuki Iwashima, Sebastian Andrzej Siewior, Ahmed Zaki,
    Alexander Lobakin, Vladimir Oltean, "Frank Wunderlich", Daniel Golle
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
    netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
    bridge@lists.linux.dev, linux-arm-kernel@lists.infradead.org,
    linux-mediatek@lists.infradead.org, linux-hardening@vger.kernel.org,
    Kees Cook, "Gustavo A. R. Silva", Eric Woudstra
Subject: [PATCH v8 net-next 00/15] bridge-fastpath and related improvements
Date: Fri, 28 Feb 2025 21:15:18 +0100
Message-ID: <20250228201533.23836-1-ericwouds@gmail.com>

This patchset makes it possible to set up a software fastpath between
bridged interfaces. One patch adds the flow rule for the hardware
fastpath. This creates the possibility to have a hardware offloaded
fastpath between bridged interfaces. More patches are added to solve
issues found with the existing code.

To set up the fastpath with offloading, add this extra flowtable:

table bridge filter {
        flowtable fb {
                hook ingress priority filter
                devices = { lan0, lan1, lan2, lan3, lan4, wlan0, wlan1 }
                flags offload
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                ct state established flow add @fb
        }
}

Creating a separate fastpath for bridges.

         forward fastpath bypass
 .----------------------------------------.
/                                          \
|                        IP - forwarding    |
|                       /                \  v
|                      /                  wan ...
|                     /
|                     |
|                     |
|                   brlan.1
|                     |
|    +-------------------------------+
|    |           vlan 1              |
|    |                               |
|    |     brlan (vlan-filtering)    |
|    +---------------+               |
|    |  DSA-SWITCH   |               |
|    |               |    vlan 1     |
|    |               |      to       |
|    |   vlan 1      |   untagged    |
|    +---------------+---------------+
.         /                   \
 ------>lan0                 wlan1
        .  ^                 ^
        .  |                 |
        .  \_________________/
        .  bridge fastpath bypass
        .
        ^
     vlan 1 tagged packets

To have the ability to handle xmit direct with outgoing encaps in the
bridge fastpath bypass, we need to be able to handle them without going
through vlan/pppoe devices.
So I've applied, amended and squashed wenxu's patchset. This patch also
makes it possible to egress from vlan-filtering brlan to lan0 with vlan
tagged packets, if the bridge master port is doing the vlan tagging,
instead of the vlan-device. Without this patch, this is not possible in
the bridge-fastpath and also not in the forward-fastpath, as seen in the
figure above.

There are also some more fixes for filling in the forward path. These
fixes also apply to the forward-fastpath. They include handling
DEV_PATH_MTK_WDMA in nft_dev_path_info(). There are now 2 patches for
avoiding ingress_vlans bit set for bridged dsa user ports and foreign
(dsa) ports. Another patch introduces DEV_PATH_BR_VLAN_KEEP_HW, needed
for the bridge-fastpath only.

Conntrack bridge only tracks untagged and 802.1q. To make the bridge
fastpath experience more similar to the forward fastpath experience,
I've added double vlan, pppoe and pppoe-in-q tagged packets to bridge
conntrack and to bridge filter chain.

Note: While testing direct transmit in the software forward-fastpath,
without the capability of setting the offload flag, it is sometimes
useful to enslave the wan interface to another bridge, brwan. This will
make sure both directions of the software forward-fastpath use direct
transmit, which also happens when the offload flag is set.

I have sent RFC v2 as I previously only owned a dsa device. I now have
obtained a switchdev supporting SWITCHDEV_OBJ_ID_PORT_VLAN, and found
there was more to do to handle the ingress_vlans bit and corresponding
vlan encap.

I sent v4 and above as non-RFC as the previous 2 RFCs did not get any
comment.

Changes in v8:
- Added commit on top: Avoid zero-length arrays in struct pppoe_hdr.

Changes in v7:
- Inside br_vlan_fill_forward_path_pvid(), replaced usage of
  br_vlan_group() with br_vlan_group_rcu() and nbp_vlan_group() with
  nbp_vlan_group_rcu().

Changes in v6:
- Conntrack double vlan and pppoe patch: Set ph and vhdr after the calls
  to pskb_may_pull().

Changes in v5:
- Conntrack double vlan and pppoe patch: Moved pskb_may_pull() up to the
  first switch statement, to the start of the cases. Removed the second
  switch statement. Replaced 0xffffffff with U32_MAX.
- Added patch removing hw_outdev, out.hw_ifindex and out.hw_ifidx
  members.
- Fix error path returned from nft_flow_offload_bridge_init().
- Cosmetics.

Changes in v4:
- Added !CONFIG_NET_SWITCHDEV version of
  br_switchdev_port_vlan_no_foreign_add().

Changes in v3:
- Squashed the two 'port to port' patches to avoid build errors when
  only one of the two commits is applied.

Changes in v2:
- Introduce DEV_PATH_BR_VLAN_KEEP_HW for use in the bridge-fastpath
  only. It is needed for switchdevs supporting
  SWITCHDEV_OBJ_ID_PORT_VLAN.
- Different approach for handling BR_VLFLAG_ADDED_BY_SWITCHDEV in
  br_vlan_fill_forward_path_mode() for foreign devices. Introduce
  SWITCHDEV_F_NO_FOREIGN, BR_VLFLAG_TAGGING_BY_SWITCHDEV and
  br_switchdev_port_vlan_no_foreign_add(). The latter function can be
  used to make sure the vlan was added to a switchdev native device.
  When that fails, adding the vlan with br_switchdev_port_vlan_add()
  means it was added to a switchdev foreign device.
- Clear ingress_vlans bit and corresponding encap for dsa user ports.
- Add check for ingress_vlans bit to nft_dev_fill_bridge_path().
- Adapted cover letter description to make clear the patches apply to
  software fastpath, making hardware-offloaded fastpath possible.
- Fixed clang error for vlan_hdr * and struct ppp_hdr * by adding block.
- Updated !CONFIG_BRIDGE_VLAN_FILTERING version of
  br_vlan_fill_forward_path_pvid().
- Removed erroneous check netif_is_bridge_master(ctx->dev) from
  dev_fill_bridge_path().
- Cosmetic changes.

Eric Woudstra (15):
  net: pppoe: avoid zero-length arrays in struct pppoe_hdr
  netfilter: nf_flow_table_offload: Add nf_flow_encap_push() for xmit direct
  netfilter: flow: remove hw_outdev, out.hw_ifindex and out.hw_ifidx
  netfilter: bridge: Add conntrack double vlan and pppoe
  netfilter: nft_chain_filter: Add bridge double vlan and pppoe
  bridge: Add filling forward path from port to port
  net: core: dev: Add dev_fill_bridge_path()
  netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge()
  netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge
  netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate
  netfilter: nft_flow_offload: Add DEV_PATH_MTK_WDMA to nft_dev_path_info()
  netfilter: nft_flow_offload: No ingress_vlan forward info for dsa user port
  bridge: No DEV_PATH_BR_VLAN_UNTAG_HW for dsa foreign
  bridge: Introduce DEV_PATH_BR_VLAN_KEEP_HW for bridge-fastpath
  netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval()

 drivers/net/ppp/pppoe.c                    |   2 +-
 include/linux/netdevice.h                  |   3 +
 include/net/netfilter/nf_flow_table.h      |   5 +-
 include/net/switchdev.h                    |   1 +
 include/uapi/linux/if_pppox.h              |   4 +
 net/bridge/br_device.c                     |  23 ++-
 net/bridge/br_private.h                    |  12 ++
 net/bridge/br_switchdev.c                  |  15 ++
 net/bridge/br_vlan.c                       |  29 +++-
 net/bridge/netfilter/nf_conntrack_bridge.c |  83 ++++++++--
 net/core/dev.c                             |  66 ++++++--
 net/netfilter/nf_flow_table_core.c         |   1 -
 net/netfilter/nf_flow_table_inet.c         |  13 ++
 net/netfilter/nf_flow_table_ip.c           |  96 +++++++++++-
 net/netfilter/nf_flow_table_offload.c      |  15 +-
 net/netfilter/nft_chain_filter.c           |  20 ++-
 net/netfilter/nft_flow_offload.c           | 168 +++++++++++++++++++--
 net/switchdev/switchdev.c                  |   2 +-
 18 files changed, 497 insertions(+), 61 deletions(-)
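
Added example, not part of the original cover letter or of the patch series: a userspace C sketch of walking the encapsulations the cover letter lists for bridge conntrack (untagged, 802.1q, double vlan, pppoe, pppoe-in-q) to find the IP header. The name l3_offset(), the constants and the sample frame are assumptions made for illustration; the length check before each header read stands in for the kernel's pskb_may_pull().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ETH_HLEN = 14, VLAN_HLEN = 4, PPPOE_HLEN = 6, PPP_PROTO_LEN = 2 };
enum { P_IP = 0x0800, P_IPV6 = 0x86DD, P_8021Q = 0x8100, P_8021AD = 0x88A8,
       P_PPP_SES = 0x8864, PPP_IP = 0x0021, PPP_IPV6 = 0x0057 };
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
/* Hypothetical helper: offset of the IP header inside an Ethernet frame, or -1.
 * Every header is length-checked before any of its fields is read. */
int l3_offset(const uint8_t *f, size_t len, uint16_t *l3proto)
{
    size_t off = ETH_HLEN;
    int tags = 0;
    if (len < ETH_HLEN)
        return -1;
    uint16_t proto = rd16(f + 12);
    while (proto == P_8021Q || proto == P_8021AD) {   /* at most two tags */
        if (++tags > 2 || len - off < VLAN_HLEN)
            return -1;
        proto = rd16(f + off + 2);                    /* encapsulated proto */
        off += VLAN_HLEN;
    }
    if (proto == P_PPP_SES) {                         /* pppoe, pppoe-in-q */
        if (tags > 1 || len - off < PPPOE_HLEN + PPP_PROTO_LEN)
            return -1;
        uint16_t ppp = rd16(f + off + PPPOE_HLEN);
        if (ppp != PPP_IP && ppp != PPP_IPV6)
            return -1;
        proto = ppp == PPP_IP ? P_IP : P_IPV6;
        off += PPPOE_HLEN + PPP_PROTO_LEN;
    }
    if (proto != P_IP && proto != P_IPV6)
        return -1;
    *l3proto = proto;
    return (int)off;
}

/* Constructed sample: PPPoE session frame behind one 802.1Q tag (vlan 1). */
static const uint8_t sample_pppoe_in_q[] = {
    2,0,0,0,0,1, 2,0,0,0,0,2, 0x81,0x00, 0x00,0x01, 0x88,0x64,
    0x11,0x00, 0x00,0x01, 0x00,0x16, 0x00,0x21, 0x45,0x00 };

int main(void)
{
    uint16_t p = 0;
    printf("%d\n", l3_offset(sample_pppoe_in_q, sizeof(sample_pppoe_in_q), &p));
    return 0;
}
```

A frame cut off inside the PPPoE header, a third vlan tag, or PPPoE behind two tags all return -1 instead of reading past the captured bytes.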