Commit 1a441a9b authored by Vlad Buslov's avatar Vlad Buslov Committed by David S. Miller
Browse files

netfilter: flowtable: cache info of last offload 



Modify flow table offload to cache the last ct info status that was passed
to the driver offload callbacks by extending enum nf_flow_flags with new
"NF_FLOW_HW_ESTABLISHED" flag. Set the flag if ctinfo was 'established'
during last act_ct meta actions fill call. This infrastructure change is
necessary to optimize promoting of UDP connections from 'new' to
'established' in following patches in this series.

Signed-off-by: default avatarVlad Buslov <vladbu@nvidia.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 8f84780b

include/net/netfilter/nf_flow_table.h

+4 −3
Original line number Diff line number Diff line
@@ -57,7 +57,7 @@ struct nf_flowtable_type { 
						 struct net_device *dev,

						 enum flow_block_command cmd);

	int				(*action)(struct net *net,

						  const struct flow_offload *flow,

						  struct flow_offload *flow,

						  enum flow_offload_tuple_dir dir,

						  struct nf_flow_rule *flow_rule);

	void				(*free)(struct nf_flowtable *ft);
@@ -165,6 +165,7 @@ enum nf_flow_flags { 
	NF_FLOW_HW_DEAD,

	NF_FLOW_HW_PENDING,

	NF_FLOW_HW_BIDIRECTIONAL,

	NF_FLOW_HW_ESTABLISHED,

};



enum flow_offload_type {
@@ -313,10 +314,10 @@ void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable); 
int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,

				struct net_device *dev,

				enum flow_block_command cmd);

int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,

int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow,

			    enum flow_offload_tuple_dir dir,

			    struct nf_flow_rule *flow_rule);

int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,

int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow,

			    enum flow_offload_tuple_dir dir,

			    struct nf_flow_rule *flow_rule);

net/netfilter/nf_flow_table_inet.c

+1 −1
Original line number Diff line number Diff line
@@ -39,7 +39,7 @@ nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb, 
}



static int nf_flow_rule_route_inet(struct net *net,

				   const struct flow_offload *flow,

				   struct flow_offload *flow,

				   enum flow_offload_tuple_dir dir,

				   struct nf_flow_rule *flow_rule)

{

net/netfilter/nf_flow_table_offload.c

+3 −3
Original line number Diff line number Diff line
@@ -679,7 +679,7 @@ nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow, 
	return 0;

}



int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,

int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow,

			    enum flow_offload_tuple_dir dir,

			    struct nf_flow_rule *flow_rule)

{
@@ -704,7 +704,7 @@ int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow, 
}

EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv4);



int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,

int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow,

			    enum flow_offload_tuple_dir dir,

			    struct nf_flow_rule *flow_rule)

{
@@ -735,7 +735,7 @@ nf_flow_offload_rule_alloc(struct net *net, 
{

	const struct nf_flowtable *flowtable = offload->flowtable;

	const struct flow_offload_tuple *tuple, *other_tuple;

	const struct flow_offload *flow = offload->flow;

	struct flow_offload *flow = offload->flow;

	struct dst_entry *other_dst = NULL;

	struct nf_flow_rule *flow_rule;

	int err = -ENOMEM;

net/sched/act_ct.c

+7 −5
Original line number Diff line number Diff line
@@ -170,11 +170,11 @@ tcf_ct_flow_table_add_action_nat_udp(const struct nf_conntrack_tuple *tuple, 


static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct,

					      enum ip_conntrack_dir dir,

					      enum ip_conntrack_info ctinfo,

					      struct flow_action *action)

{

	struct nf_conn_labels *ct_labels;

	struct flow_action_entry *entry;

	enum ip_conntrack_info ctinfo;

	u32 *act_ct_labels;



	entry = tcf_ct_flow_table_flow_action_get_next(action);
@@ -182,8 +182,6 @@ static void tcf_ct_flow_table_add_action_meta(struct nf_conn *ct, 
#if IS_ENABLED(CONFIG_NF_CONNTRACK_MARK)

	entry->ct_metadata.mark = READ_ONCE(ct->mark);

#endif

	ctinfo = dir == IP_CT_DIR_ORIGINAL ? IP_CT_ESTABLISHED :

					     IP_CT_ESTABLISHED_REPLY;

	/* aligns with the CT reference on the SKB nf_ct_set */

	entry->ct_metadata.cookie = (unsigned long)ct | ctinfo;

	entry->ct_metadata.orig_dir = dir == IP_CT_DIR_ORIGINAL;
@@ -237,22 +235,26 @@ static int tcf_ct_flow_table_add_action_nat(struct net *net, 
}



static int tcf_ct_flow_table_fill_actions(struct net *net,

					  const struct flow_offload *flow,

					  struct flow_offload *flow,

					  enum flow_offload_tuple_dir tdir,

					  struct nf_flow_rule *flow_rule)

{

	struct flow_action *action = &flow_rule->rule->action;

	int num_entries = action->num_entries;

	struct nf_conn *ct = flow->ct;

	enum ip_conntrack_info ctinfo;

	enum ip_conntrack_dir dir;

	int i, err;



	switch (tdir) {

	case FLOW_OFFLOAD_DIR_ORIGINAL:

		dir = IP_CT_DIR_ORIGINAL;

		ctinfo = IP_CT_ESTABLISHED;

		set_bit(NF_FLOW_HW_ESTABLISHED, &flow->flags);

		break;

	case FLOW_OFFLOAD_DIR_REPLY:

		dir = IP_CT_DIR_REPLY;

		ctinfo = IP_CT_ESTABLISHED_REPLY;

		break;

	default:

		return -EOPNOTSUPP;
@@ -262,7 +264,7 @@ static int tcf_ct_flow_table_fill_actions(struct net *net, 
	if (err)

		goto err_nat;



	tcf_ct_flow_table_add_action_meta(ct, dir, action);

	tcf_ct_flow_table_add_action_meta(ct, dir, ctinfo, action);

	return 0;



err_nat: