author | Frank Wunderlich <frank-w@public-files.de> | 2021-03-21 17:49:16 +0100 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-03-25 12:10:30 +0100 |
commit | 8e6cc9f373854ed580156ec6f01bcd97786fa9f7 (patch) | |
tree | 03ed5f94524a9dd610b45fbabc6bd2356e07682f | |
parent | f699e4c06a26b4977f4a5d220a0c5260b71d6433 (diff) |
nftables: add flags offload to flowtable
allow flags (currently only offload) in flowtables, as stated
here: https://lwn.net/Articles/804384/
tested on mt7622/Bananapi-R64
table ip filter {
flowtable f {
hook ingress priority filter + 1
devices = { lan3, lan0, wan }
flags offload;
}
chain forward {
type filter hook forward priority filter; policy accept;
ip protocol { tcp, udp } flow add @f
}
}
table ip nat {
chain post {
type nat hook postrouting priority filter; policy accept;
oifname "wan" masquerade
}
}
Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | include/rule.h | 8 | ||||
-rw-r--r-- | src/mnl.c | 5 | ||||
-rw-r--r-- | src/netlink.c | 2 | ||||
-rw-r--r-- | src/parser_bison.y | 7 | ||||
-rw-r--r-- | src/rule.c | 4 |
5 files changed, 26 insertions, 0 deletions
diff --git a/include/rule.h b/include/rule.h
index 523435f6..4ef24eb4 100644
--- a/include/rule.h
+++ b/include/rule.h
@@ -188,6 +188,14 @@ enum chain_flags {
 };
 /**
+ * enum flowtable_flags - flowtable flags
+ *
+ */
+enum flowtable_flags {
+ FLOWTABLE_F_HW_OFFLOAD = 0x1, /* NF_FLOWTABLE_HW_OFFLOAD in linux nf_flow_table.h */
+};
+
+/**
 * struct prio_spec - extendend priority specification for mixed
 * textual/numerical parsing.
 *
@@ -1779,6 +1779,11 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
 nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
 }
+ if (cmd->flowtable->flags & FLOWTABLE_F_HW_OFFLOAD) {
+ nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FLAGS,
+ NFT_FLOWTABLE_HW_OFFLOAD);
+ }
+
 if (cmd->flowtable->dev_expr) {
 dev_array = nft_flowtable_dev_array(cmd);
 nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,
diff --git a/src/netlink.c b/src/netlink.c
index 8c86789b..103fdbd1 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1598,6 +1598,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
 xstrdup(nftnl_flowtable_get_str(nlo, NFTNL_FLOWTABLE_NAME));
 flowtable->handle.handle.id =
 nftnl_flowtable_get_u64(nlo, NFTNL_FLOWTABLE_HANDLE);
+ if (nftnl_flowtable_is_set(nlo, NFTNL_FLOWTABLE_FLAGS))
+ flowtable->flags = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_FLAGS);
 dev_array = nftnl_flowtable_get(nlo, NFTNL_FLOWTABLE_DEVICES);
 while (dev_array[len])
 len++;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 5cb4f8e1..ca64141e 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1996,6 +1996,7 @@ flowtable_block_alloc : /* empty */
 flowtable_block : /* empty */ { $$ = $<flowtable>-1; }
 | flowtable_block common_block
 | flowtable_block stmt_separator
+ | flowtable_block ft_flags_spec stmt_separator
 | flowtable_block HOOK STRING prio_spec stmt_separator
 {
 $$->hook.loc = @3;
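Review bot: flowtable->flags is now written in two encodings: the src/parser_bison.y hunk stores the nft-local FLOWTABLE_F_HW_OFFLOAD, while netlink_delinearize_flowtable in src/netlink.c copies the kernel's NFTNL_FLOWTABLE_FLAGS value into the same field and flowtable_print_declaration in src/rule.c tests NFT_FLOWTABLE_HW_OFFLOAD on it, so the code only agrees because both constants happen to be 0x1. Either the parser should store NFT_FLOWTABLE_HW_OFFLOAD, as rule.c already expects from that field, or the comment on the enum member in include/rule.h should state that the value must stay equal to the uapi NFT_FLOWTABLE_HW_OFFLOAD (the header it cites, nf_flow_table.h, is the kernel-internal one; mnl.c maps to the uapi name). Relatedly, mnl_nft_flowtable_add sends the constant NFT_FLOWTABLE_HW_OFFLOAD rather than translating the flags mask, so any further FLOWTABLE_F_* bit added to the enum would be silently dropped on the wire; a small translate helper would keep the two sides in step. The kernel-doc block for the enum has an empty body — proposed member line: `@FLOWTABLE_F_HW_OFFLOAD: request hardware offload; mapped to NFT_FLOWTABLE_HW_OFFLOAD by mnl_nft_flowtable_add()`. The page has lost the `diff --git` header of the src/mnl.c section, so the @@ -1779 hunk belongs to src/mnl.c per the diffstat.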
@@ -2378,6 +2379,12 @@ flags_spec : FLAGS OFFLOAD
 }
 ;
+ft_flags_spec : FLAGS OFFLOAD
+ {
+ $<flowtable>0->flags |= FLOWTABLE_F_HW_OFFLOAD;
+ }
+ ;
+
 policy_spec : POLICY policy_expr
 {
 if ($<chain>0->policy) {
@@ -2223,6 +2223,10 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
 nft_print(octx, " }%s", opts->stmt_separator);
 }
+ if (flowtable->flags & NFT_FLOWTABLE_HW_OFFLOAD)
+ nft_print(octx, "%s%sflags offload;%s", opts->tab, opts->tab,
+ opts->stmt_separator);
+ if (flowtable->flags & NFT_FLOWTABLE_COUNTER) + nft_print(octx, "%s%scounter%s", opts->tab, opts->tab, opts->stmt_separator); |