Re: [PATCH net-next,RFC 2/2] netfilter: nf_tables: add hardware offload support

Tue, 14 May 2019 16:04:01 -0700 

On Tue, May 14, 2019 at 07:01:08PM +0200, Jiri Pirko wrote:
> Thu, May 09, 2019 at 06:39:51PM CEST, pa...@netfilter.org wrote:
> >This patch adds hardware offload support for nftables through the
> >existing netdev_ops->ndo_setup_tc() interface, the TC_SETUP_CLSFLOWER
> >classifier and the flow rule API. This hardware offload support is
> >available for the NFPROTO_NETDEV family and the ingress hook.
> >
> >Each nftables expression has a new ->offload interface, that is used to
> >populate the flow rule object that is attached to the transaction
> >object.
> >
> >There is a new per-table NFT_TABLE_F_HW flag, that is set on to offload
> >an entire table, including all of its chains.
> >
> >This patch supports for basic metadata (layer 3 and 4 protocol numbers),
> >5-tuple payload matching and the accept/drop actions; this also includes
> >basechain hardware offload only.
> >
> >Signed-off-by: Pablo Neira Ayuso <pa...@netfilter.org>
> 
> [...]
> 
> >+static int nft_flow_offload_chain(struct nft_trans *trans,
> >+                              enum flow_block_command cmd)
> >+{
> >+    struct nft_chain *chain = trans->ctx.chain;
> >+    struct netlink_ext_ack extack = {};
> >+    struct flow_block_offload bo = {};
> >+    struct nft_base_chain *basechain;
> >+    struct net_device *dev;
> >+    int err;
> >+
> >+    if (!nft_is_base_chain(chain))
> >+            return -EOPNOTSUPP;
> >+
> >+    basechain = nft_base_chain(chain);
> >+    dev = basechain->ops.dev;
> >+    if (!dev)
> >+            return -EOPNOTSUPP;
> >+
> >+    bo.command = cmd;
> >+    bo.binder_type = TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
> >+    bo.block_index = (u32)trans->ctx.chain->handle;
> >+    bo.extack = &extack;
> >+    INIT_LIST_HEAD(&bo.cb_list);
> >+
> >+    err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
> 
> Okay, so you pretend to be clsact-ingress-flower. That looks fine.
> But how do you ensure that the real one does not bind a block on the
> same device too?

I could store the interface index in the block_cb object, then use the
tuple [ cb, cb_ident, ifindex ] to check if the block is already bound
by when flow_block_cb_alloc() is called.

Thanks.

Reply via email to