1 #include <linux/kernel.h>
2 #include <linux/init.h>
3 #include <linux/module.h>
4 #include <linux/netfilter.h>
5 #include <linux/rhashtable.h>
6 #include <linux/netdevice.h>
7 #include <linux/tc_act/tc_csum.h>
8 #include <net/flow_offload.h>
9 #include <net/netfilter/nf_flow_table.h>
10 #include <net/netfilter/nf_tables.h>
11 #include <net/netfilter/nf_conntrack.h>
12 #include <net/netfilter/nf_conntrack_acct.h>
13 #include <net/netfilter/nf_conntrack_core.h>
14 #include <net/netfilter/nf_conntrack_tuple.h>
16 static struct workqueue_struct *nf_flow_offload_add_wq;
17 static struct workqueue_struct *nf_flow_offload_del_wq;
18 static struct workqueue_struct *nf_flow_offload_stats_wq;
20 struct flow_offload_work {
21 struct list_head list;
22 enum flow_cls_command cmd;
24 struct nf_flowtable *flowtable;
25 struct flow_offload *flow;
26 struct work_struct work;
29 #define NF_FLOW_DISSECTOR(__match, __type, __field) \
30 (__match)->dissector.offset[__type] = \
31 offsetof(struct nf_flow_key, __field)
33 static void nf_flow_rule_lwt_match(struct nf_flow_match *match,
34 struct ip_tunnel_info *tun_info)
36 struct nf_flow_key *mask = &match->mask;
37 struct nf_flow_key *key = &match->key;
38 unsigned int enc_keys;
40 if (!tun_info || !(tun_info->mode & IP_TUNNEL_INFO_TX))
43 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_ENC_CONTROL, enc_control);
44 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_ENC_KEYID, enc_key_id);
45 key->enc_key_id.keyid = tunnel_id_to_key32(tun_info->key.tun_id);
46 mask->enc_key_id.keyid = 0xffffffff;
47 enc_keys = BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) |
48 BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL);
50 if (ip_tunnel_info_af(tun_info) == AF_INET) {
51 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS,
53 key->enc_ipv4.src = tun_info->key.u.ipv4.dst;
54 key->enc_ipv4.dst = tun_info->key.u.ipv4.src;
55 if (key->enc_ipv4.src)
56 mask->enc_ipv4.src = 0xffffffff;
57 if (key->enc_ipv4.dst)
58 mask->enc_ipv4.dst = 0xffffffff;
59 enc_keys |= BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS);
60 key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
62 memcpy(&key->enc_ipv6.src, &tun_info->key.u.ipv6.dst,
63 sizeof(struct in6_addr));
64 memcpy(&key->enc_ipv6.dst, &tun_info->key.u.ipv6.src,
65 sizeof(struct in6_addr));
66 if (memcmp(&key->enc_ipv6.src, &in6addr_any,
67 sizeof(struct in6_addr)))
68 memset(&key->enc_ipv6.src, 0xff,
69 sizeof(struct in6_addr));
70 if (memcmp(&key->enc_ipv6.dst, &in6addr_any,
71 sizeof(struct in6_addr)))
72 memset(&key->enc_ipv6.dst, 0xff,
73 sizeof(struct in6_addr));
74 enc_keys |= BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS);
75 key->enc_control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
78 match->dissector.used_keys |= enc_keys;
81 static int nf_flow_rule_match(struct nf_flow_match *match,
82 const struct flow_offload_tuple *tuple,
83 struct dst_entry *other_dst)
85 struct nf_flow_key *mask = &match->mask;
86 struct nf_flow_key *key = &match->key;
87 struct ip_tunnel_info *tun_info;
89 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_META, meta);
90 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_CONTROL, control);
91 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_BASIC, basic);
92 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4);
93 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6);
94 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_TCP, tcp);
95 NF_FLOW_DISSECTOR(match, FLOW_DISSECTOR_KEY_PORTS, tp);
97 if (other_dst && other_dst->lwtstate) {
98 tun_info = lwt_tun_info(other_dst->lwtstate);
99 nf_flow_rule_lwt_match(match, tun_info);
102 key->meta.ingress_ifindex = tuple->iifidx;
103 mask->meta.ingress_ifindex = 0xffffffff;
105 switch (tuple->l3proto) {
107 key->control.addr_type = FLOW_DISSECTOR_KEY_IPV4_ADDRS;
108 key->basic.n_proto = htons(ETH_P_IP);
109 key->ipv4.src = tuple->src_v4.s_addr;
110 mask->ipv4.src = 0xffffffff;
111 key->ipv4.dst = tuple->dst_v4.s_addr;
112 mask->ipv4.dst = 0xffffffff;
115 key->control.addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
116 key->basic.n_proto = htons(ETH_P_IPV6);
117 key->ipv6.src = tuple->src_v6;
118 memset(&mask->ipv6.src, 0xff, sizeof(mask->ipv6.src));
119 key->ipv6.dst = tuple->dst_v6;
120 memset(&mask->ipv6.dst, 0xff, sizeof(mask->ipv6.dst));
125 mask->control.addr_type = 0xffff;
126 match->dissector.used_keys |= BIT(key->control.addr_type);
127 mask->basic.n_proto = 0xffff;
129 switch (tuple->l4proto) {
132 mask->tcp.flags = cpu_to_be16(be32_to_cpu(TCP_FLAG_RST | TCP_FLAG_FIN) >> 16);
133 match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_TCP);
141 key->basic.ip_proto = tuple->l4proto;
142 mask->basic.ip_proto = 0xff;
144 key->tp.src = tuple->src_port;
145 mask->tp.src = 0xffff;
146 key->tp.dst = tuple->dst_port;
147 mask->tp.dst = 0xffff;
149 match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_META) |
150 BIT(FLOW_DISSECTOR_KEY_CONTROL) |
151 BIT(FLOW_DISSECTOR_KEY_BASIC) |
152 BIT(FLOW_DISSECTOR_KEY_PORTS);
156 static void flow_offload_mangle(struct flow_action_entry *entry,
157 enum flow_action_mangle_base htype, u32 offset,
158 const __be32 *value, const __be32 *mask)
160 entry->id = FLOW_ACTION_MANGLE;
161 entry->mangle.htype = htype;
162 entry->mangle.offset = offset;
163 memcpy(&entry->mangle.mask, mask, sizeof(u32));
164 memcpy(&entry->mangle.val, value, sizeof(u32));
167 static inline struct flow_action_entry *
168 flow_action_entry_next(struct nf_flow_rule *flow_rule)
170 int i = flow_rule->rule->action.num_entries++;
172 return &flow_rule->rule->action.entries[i];
175 static int flow_offload_eth_src(struct net *net,
176 const struct flow_offload *flow,
177 enum flow_offload_tuple_dir dir,
178 struct nf_flow_rule *flow_rule)
180 struct flow_action_entry *entry0 = flow_action_entry_next(flow_rule);
181 struct flow_action_entry *entry1 = flow_action_entry_next(flow_rule);
182 const struct flow_offload_tuple *other_tuple, *this_tuple;
183 struct net_device *dev = NULL;
184 const unsigned char *addr;
188 this_tuple = &flow->tuplehash[dir].tuple;
190 switch (this_tuple->xmit_type) {
191 case FLOW_OFFLOAD_XMIT_DIRECT:
192 addr = this_tuple->out.h_source;
194 case FLOW_OFFLOAD_XMIT_NEIGH:
195 other_tuple = &flow->tuplehash[!dir].tuple;
196 dev = dev_get_by_index(net, other_tuple->iifidx);
200 addr = dev->dev_addr;
207 memcpy(&val16, addr, 2);
209 flow_offload_mangle(entry0, FLOW_ACT_MANGLE_HDR_TYPE_ETH, 4,
213 memcpy(&val, addr + 2, 4);
214 flow_offload_mangle(entry1, FLOW_ACT_MANGLE_HDR_TYPE_ETH, 8,
223 static int flow_offload_eth_dst(struct net *net,
224 const struct flow_offload *flow,
225 enum flow_offload_tuple_dir dir,
226 struct nf_flow_rule *flow_rule)
228 struct flow_action_entry *entry0 = flow_action_entry_next(flow_rule);
229 struct flow_action_entry *entry1 = flow_action_entry_next(flow_rule);
230 const struct flow_offload_tuple *other_tuple, *this_tuple;
231 const struct dst_entry *dst_cache;
232 unsigned char ha[ETH_ALEN];
239 this_tuple = &flow->tuplehash[dir].tuple;
241 switch (this_tuple->xmit_type) {
242 case FLOW_OFFLOAD_XMIT_DIRECT:
243 ether_addr_copy(ha, this_tuple->out.h_dest);
245 case FLOW_OFFLOAD_XMIT_NEIGH:
246 other_tuple = &flow->tuplehash[!dir].tuple;
247 daddr = &other_tuple->src_v4;
248 dst_cache = this_tuple->dst_cache;
249 n = dst_neigh_lookup(dst_cache, daddr);
253 read_lock_bh(&n->lock);
254 nud_state = n->nud_state;
255 ether_addr_copy(ha, n->ha);
256 read_unlock_bh(&n->lock);
259 if (!(nud_state & NUD_VALID))
268 flow_offload_mangle(entry0, FLOW_ACT_MANGLE_HDR_TYPE_ETH, 0,
272 memcpy(&val16, ha + 4, 2);
274 flow_offload_mangle(entry1, FLOW_ACT_MANGLE_HDR_TYPE_ETH, 4,
280 static void flow_offload_ipv4_snat(struct net *net,
281 const struct flow_offload *flow,
282 enum flow_offload_tuple_dir dir,
283 struct nf_flow_rule *flow_rule)
285 struct flow_action_entry *entry = flow_action_entry_next(flow_rule);
286 u32 mask = ~htonl(0xffffffff);
291 case FLOW_OFFLOAD_DIR_ORIGINAL:
292 addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v4.s_addr;
293 offset = offsetof(struct iphdr, saddr);
295 case FLOW_OFFLOAD_DIR_REPLY:
296 addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v4.s_addr;
297 offset = offsetof(struct iphdr, daddr);
303 flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP4, offset,
307 static void flow_offload_ipv4_dnat(struct net *net,
308 const struct flow_offload *flow,
309 enum flow_offload_tuple_dir dir,
310 struct nf_flow_rule *flow_rule)
312 struct flow_action_entry *entry = flow_action_entry_next(flow_rule);
313 u32 mask = ~htonl(0xffffffff);
318 case FLOW_OFFLOAD_DIR_ORIGINAL:
319 addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v4.s_addr;
320 offset = offsetof(struct iphdr, daddr);
322 case FLOW_OFFLOAD_DIR_REPLY:
323 addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_v4.s_addr;
324 offset = offsetof(struct iphdr, saddr);
330 flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP4, offset,
334 static void flow_offload_ipv6_mangle(struct nf_flow_rule *flow_rule,
336 const __be32 *addr, const __be32 *mask)
338 struct flow_action_entry *entry;
341 for (i = 0, j = 0; i < sizeof(struct in6_addr) / sizeof(u32); i += sizeof(u32), j++) {
342 entry = flow_action_entry_next(flow_rule);
343 flow_offload_mangle(entry, FLOW_ACT_MANGLE_HDR_TYPE_IP6,
344 offset + i, &addr[j], mask);
348 static void flow_offload_ipv6_snat(struct net *net,
349 const struct flow_offload *flow,
350 enum flow_offload_tuple_dir dir,
351 struct nf_flow_rule *flow_rule)
353 u32 mask = ~htonl(0xffffffff);
358 case FLOW_OFFLOAD_DIR_ORIGINAL:
359 addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v6.s6_addr32;
360 offset = offsetof(struct ipv6hdr, saddr);
362 case FLOW_OFFLOAD_DIR_REPLY:
363 addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v6.s6_addr32;
364 offset = offsetof(struct ipv6hdr, daddr);
370 flow_offload_ipv6_mangle(flow_rule, offset, addr, &mask);
373 static void flow_offload_ipv6_dnat(struct net *net,
374 const struct flow_offload *flow,
375 enum flow_offload_tuple_dir dir,
376 struct nf_flow_rule *flow_rule)
378 u32 mask = ~htonl(0xffffffff);
383 case FLOW_OFFLOAD_DIR_ORIGINAL:
384 addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v6.s6_addr32;
385 offset = offsetof(struct ipv6hdr, daddr);
387 case FLOW_OFFLOAD_DIR_REPLY:
388 addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_v6.s6_addr32;
389 offset = offsetof(struct ipv6hdr, saddr);
395 flow_offload_ipv6_mangle(flow_rule, offset, addr, &mask);
398 static int flow_offload_l4proto(const struct flow_offload *flow)
400 u8 protonum = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.l4proto;
405 type = FLOW_ACT_MANGLE_HDR_TYPE_TCP;
408 type = FLOW_ACT_MANGLE_HDR_TYPE_UDP;
417 static void flow_offload_port_snat(struct net *net,
418 const struct flow_offload *flow,
419 enum flow_offload_tuple_dir dir,
420 struct nf_flow_rule *flow_rule)
422 struct flow_action_entry *entry = flow_action_entry_next(flow_rule);
427 case FLOW_OFFLOAD_DIR_ORIGINAL:
428 port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port);
429 offset = 0; /* offsetof(struct tcphdr, source); */
430 port = htonl(port << 16);
431 mask = ~htonl(0xffff0000);
433 case FLOW_OFFLOAD_DIR_REPLY:
434 port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port);
435 offset = 0; /* offsetof(struct tcphdr, dest); */
437 mask = ~htonl(0xffff);
443 flow_offload_mangle(entry, flow_offload_l4proto(flow), offset,
447 static void flow_offload_port_dnat(struct net *net,
448 const struct flow_offload *flow,
449 enum flow_offload_tuple_dir dir,
450 struct nf_flow_rule *flow_rule)
452 struct flow_action_entry *entry = flow_action_entry_next(flow_rule);
457 case FLOW_OFFLOAD_DIR_ORIGINAL:
458 port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_port);
459 offset = 0; /* offsetof(struct tcphdr, dest); */
461 mask = ~htonl(0xffff);
463 case FLOW_OFFLOAD_DIR_REPLY:
464 port = ntohs(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_port);
465 offset = 0; /* offsetof(struct tcphdr, source); */
466 port = htonl(port << 16);
467 mask = ~htonl(0xffff0000);
473 flow_offload_mangle(entry, flow_offload_l4proto(flow), offset,
477 static void flow_offload_ipv4_checksum(struct net *net,
478 const struct flow_offload *flow,
479 struct nf_flow_rule *flow_rule)
481 u8 protonum = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.l4proto;
482 struct flow_action_entry *entry = flow_action_entry_next(flow_rule);
484 entry->id = FLOW_ACTION_CSUM;
485 entry->csum_flags = TCA_CSUM_UPDATE_FLAG_IPV4HDR;
489 entry->csum_flags |= TCA_CSUM_UPDATE_FLAG_TCP;
492 entry->csum_flags |= TCA_CSUM_UPDATE_FLAG_UDP;
497 static void flow_offload_redirect(struct net *net,
498 const struct flow_offload *flow,
499 enum flow_offload_tuple_dir dir,
500 struct nf_flow_rule *flow_rule)
502 const struct flow_offload_tuple *this_tuple, *other_tuple;
503 struct flow_action_entry *entry;
504 struct net_device *dev;
507 this_tuple = &flow->tuplehash[dir].tuple;
508 switch (this_tuple->xmit_type) {
509 case FLOW_OFFLOAD_XMIT_DIRECT:
510 this_tuple = &flow->tuplehash[dir].tuple;
511 ifindex = this_tuple->out.hw_ifidx;
513 case FLOW_OFFLOAD_XMIT_NEIGH:
514 other_tuple = &flow->tuplehash[!dir].tuple;
515 ifindex = other_tuple->iifidx;
521 dev = dev_get_by_index(net, ifindex);
525 entry = flow_action_entry_next(flow_rule);
526 entry->id = FLOW_ACTION_REDIRECT;
530 static void flow_offload_encap_tunnel(const struct flow_offload *flow,
531 enum flow_offload_tuple_dir dir,
532 struct nf_flow_rule *flow_rule)
534 const struct flow_offload_tuple *this_tuple;
535 struct flow_action_entry *entry;
536 struct dst_entry *dst;
538 this_tuple = &flow->tuplehash[dir].tuple;
539 if (this_tuple->xmit_type == FLOW_OFFLOAD_XMIT_DIRECT)
542 dst = this_tuple->dst_cache;
543 if (dst && dst->lwtstate) {
544 struct ip_tunnel_info *tun_info;
546 tun_info = lwt_tun_info(dst->lwtstate);
547 if (tun_info && (tun_info->mode & IP_TUNNEL_INFO_TX)) {
548 entry = flow_action_entry_next(flow_rule);
549 entry->id = FLOW_ACTION_TUNNEL_ENCAP;
550 entry->tunnel = tun_info;
555 static void flow_offload_decap_tunnel(const struct flow_offload *flow,
556 enum flow_offload_tuple_dir dir,
557 struct nf_flow_rule *flow_rule)
559 const struct flow_offload_tuple *other_tuple;
560 struct flow_action_entry *entry;
561 struct dst_entry *dst;
563 other_tuple = &flow->tuplehash[!dir].tuple;
564 if (other_tuple->xmit_type == FLOW_OFFLOAD_XMIT_DIRECT)
567 dst = other_tuple->dst_cache;
568 if (dst && dst->lwtstate) {
569 struct ip_tunnel_info *tun_info;
571 tun_info = lwt_tun_info(dst->lwtstate);
572 if (tun_info && (tun_info->mode & IP_TUNNEL_INFO_TX)) {
573 entry = flow_action_entry_next(flow_rule);
574 entry->id = FLOW_ACTION_TUNNEL_DECAP;
580 nf_flow_rule_route_common(struct net *net, const struct flow_offload *flow,
581 enum flow_offload_tuple_dir dir,
582 struct nf_flow_rule *flow_rule)
584 const struct flow_offload_tuple *other_tuple;
587 flow_offload_decap_tunnel(flow, dir, flow_rule);
588 flow_offload_encap_tunnel(flow, dir, flow_rule);
590 if (flow_offload_eth_src(net, flow, dir, flow_rule) < 0 ||
591 flow_offload_eth_dst(net, flow, dir, flow_rule) < 0)
594 other_tuple = &flow->tuplehash[!dir].tuple;
596 for (i = 0; i < other_tuple->encap_num; i++) {
597 struct flow_action_entry *entry;
599 if (other_tuple->in_vlan_ingress & BIT(i))
602 entry = flow_action_entry_next(flow_rule);
604 switch (other_tuple->encap[i].proto) {
605 case htons(ETH_P_PPP_SES):
606 entry->id = FLOW_ACTION_PPPOE_PUSH;
607 entry->pppoe.sid = other_tuple->encap[i].id;
609 case htons(ETH_P_8021Q):
610 entry->id = FLOW_ACTION_VLAN_PUSH;
611 entry->vlan.vid = other_tuple->encap[i].id;
612 entry->vlan.proto = other_tuple->encap[i].proto;
620 int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,
621 enum flow_offload_tuple_dir dir,
622 struct nf_flow_rule *flow_rule)
624 if (nf_flow_rule_route_common(net, flow, dir, flow_rule) < 0)
627 if (test_bit(NF_FLOW_SNAT, &flow->flags)) {
628 flow_offload_ipv4_snat(net, flow, dir, flow_rule);
629 flow_offload_port_snat(net, flow, dir, flow_rule);
631 if (test_bit(NF_FLOW_DNAT, &flow->flags)) {
632 flow_offload_ipv4_dnat(net, flow, dir, flow_rule);
633 flow_offload_port_dnat(net, flow, dir, flow_rule);
635 if (test_bit(NF_FLOW_SNAT, &flow->flags) ||
636 test_bit(NF_FLOW_DNAT, &flow->flags))
637 flow_offload_ipv4_checksum(net, flow, flow_rule);
639 flow_offload_redirect(net, flow, dir, flow_rule);
643 EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv4);
645 int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
646 enum flow_offload_tuple_dir dir,
647 struct nf_flow_rule *flow_rule)
649 if (nf_flow_rule_route_common(net, flow, dir, flow_rule) < 0)
652 if (test_bit(NF_FLOW_SNAT, &flow->flags)) {
653 flow_offload_ipv6_snat(net, flow, dir, flow_rule);
654 flow_offload_port_snat(net, flow, dir, flow_rule);
656 if (test_bit(NF_FLOW_DNAT, &flow->flags)) {
657 flow_offload_ipv6_dnat(net, flow, dir, flow_rule);
658 flow_offload_port_dnat(net, flow, dir, flow_rule);
661 flow_offload_redirect(net, flow, dir, flow_rule);
665 EXPORT_SYMBOL_GPL(nf_flow_rule_route_ipv6);
667 #define NF_FLOW_RULE_ACTION_MAX 16
669 static struct nf_flow_rule *
670 nf_flow_offload_rule_alloc(struct net *net,
671 const struct flow_offload_work *offload,
672 enum flow_offload_tuple_dir dir)
674 const struct nf_flowtable *flowtable = offload->flowtable;
675 const struct flow_offload_tuple *tuple, *other_tuple;
676 const struct flow_offload *flow = offload->flow;
677 struct dst_entry *other_dst = NULL;
678 struct nf_flow_rule *flow_rule;
681 flow_rule = kzalloc(sizeof(*flow_rule), GFP_KERNEL);
685 flow_rule->rule = flow_rule_alloc(NF_FLOW_RULE_ACTION_MAX);
686 if (!flow_rule->rule)
689 flow_rule->rule->match.dissector = &flow_rule->match.dissector;
690 flow_rule->rule->match.mask = &flow_rule->match.mask;
691 flow_rule->rule->match.key = &flow_rule->match.key;
693 tuple = &flow->tuplehash[dir].tuple;
694 other_tuple = &flow->tuplehash[!dir].tuple;
695 if (other_tuple->xmit_type == FLOW_OFFLOAD_XMIT_NEIGH)
696 other_dst = other_tuple->dst_cache;
698 err = nf_flow_rule_match(&flow_rule->match, tuple, other_dst);
702 flow_rule->rule->action.num_entries = 0;
703 if (flowtable->type->action(net, flow, dir, flow_rule) < 0)
709 kfree(flow_rule->rule);
716 static void __nf_flow_offload_destroy(struct nf_flow_rule *flow_rule)
718 struct flow_action_entry *entry;
721 for (i = 0; i < flow_rule->rule->action.num_entries; i++) {
722 entry = &flow_rule->rule->action.entries[i];
723 if (entry->id != FLOW_ACTION_REDIRECT)
728 kfree(flow_rule->rule);
732 static void nf_flow_offload_destroy(struct nf_flow_rule *flow_rule[])
736 for (i = 0; i < FLOW_OFFLOAD_DIR_MAX; i++)
737 __nf_flow_offload_destroy(flow_rule[i]);
740 static int nf_flow_offload_alloc(const struct flow_offload_work *offload,
741 struct nf_flow_rule *flow_rule[])
743 struct net *net = read_pnet(&offload->flowtable->net);
745 flow_rule[0] = nf_flow_offload_rule_alloc(net, offload,
746 FLOW_OFFLOAD_DIR_ORIGINAL);
750 flow_rule[1] = nf_flow_offload_rule_alloc(net, offload,
751 FLOW_OFFLOAD_DIR_REPLY);
753 __nf_flow_offload_destroy(flow_rule[0]);
760 static void nf_flow_offload_init(struct flow_cls_offload *cls_flow,
761 __be16 proto, int priority,
762 enum flow_cls_command cmd,
763 const struct flow_offload_tuple *tuple,
764 struct netlink_ext_ack *extack)
766 cls_flow->common.protocol = proto;
767 cls_flow->common.prio = priority;
768 cls_flow->common.extack = extack;
769 cls_flow->command = cmd;
770 cls_flow->cookie = (unsigned long)tuple;
773 static int nf_flow_offload_tuple(struct nf_flowtable *flowtable,
774 struct flow_offload *flow,
775 struct nf_flow_rule *flow_rule,
776 enum flow_offload_tuple_dir dir,
777 int priority, int cmd,
778 struct flow_stats *stats,
779 struct list_head *block_cb_list)
781 struct flow_cls_offload cls_flow = {};
782 struct flow_block_cb *block_cb;
783 struct netlink_ext_ack extack;
784 __be16 proto = ETH_P_ALL;
787 nf_flow_offload_init(&cls_flow, proto, priority, cmd,
788 &flow->tuplehash[dir].tuple, &extack);
789 if (cmd == FLOW_CLS_REPLACE)
790 cls_flow.rule = flow_rule->rule;
792 down_read(&flowtable->flow_block_lock);
793 list_for_each_entry(block_cb, block_cb_list, list) {
794 err = block_cb->cb(TC_SETUP_CLSFLOWER, &cls_flow,
801 up_read(&flowtable->flow_block_lock);
803 if (cmd == FLOW_CLS_STATS)
804 memcpy(stats, &cls_flow.stats, sizeof(*stats));
809 static int flow_offload_tuple_add(struct flow_offload_work *offload,
810 struct nf_flow_rule *flow_rule,
811 enum flow_offload_tuple_dir dir)
813 return nf_flow_offload_tuple(offload->flowtable, offload->flow,
814 flow_rule, dir, offload->priority,
815 FLOW_CLS_REPLACE, NULL,
816 &offload->flowtable->flow_block.cb_list);
819 static void flow_offload_tuple_del(struct flow_offload_work *offload,
820 enum flow_offload_tuple_dir dir)
822 nf_flow_offload_tuple(offload->flowtable, offload->flow, NULL, dir,
823 offload->priority, FLOW_CLS_DESTROY, NULL,
824 &offload->flowtable->flow_block.cb_list);
827 static int flow_offload_rule_add(struct flow_offload_work *offload,
828 struct nf_flow_rule *flow_rule[])
832 ok_count += flow_offload_tuple_add(offload, flow_rule[0],
833 FLOW_OFFLOAD_DIR_ORIGINAL);
834 ok_count += flow_offload_tuple_add(offload, flow_rule[1],
835 FLOW_OFFLOAD_DIR_REPLY);
842 static void flow_offload_work_add(struct flow_offload_work *offload)
844 struct nf_flow_rule *flow_rule[FLOW_OFFLOAD_DIR_MAX];
847 err = nf_flow_offload_alloc(offload, flow_rule);
851 err = flow_offload_rule_add(offload, flow_rule);
853 set_bit(NF_FLOW_HW_REFRESH, &offload->flow->flags);
855 set_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status);
857 nf_flow_offload_destroy(flow_rule);
860 static void flow_offload_work_del(struct flow_offload_work *offload)
862 clear_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status);
863 flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_ORIGINAL);
864 flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY);
865 set_bit(NF_FLOW_HW_DEAD, &offload->flow->flags);
868 static void flow_offload_tuple_stats(struct flow_offload_work *offload,
869 enum flow_offload_tuple_dir dir,
870 struct flow_stats *stats)
872 nf_flow_offload_tuple(offload->flowtable, offload->flow, NULL, dir,
873 offload->priority, FLOW_CLS_STATS, stats,
874 &offload->flowtable->flow_block.cb_list);
877 static void flow_offload_work_stats(struct flow_offload_work *offload)
879 struct flow_stats stats[FLOW_OFFLOAD_DIR_MAX] = {};
882 flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_ORIGINAL, &stats[0]);
883 flow_offload_tuple_stats(offload, FLOW_OFFLOAD_DIR_REPLY, &stats[1]);
885 lastused = max_t(u64, stats[0].lastused, stats[1].lastused);
886 offload->flow->timeout = max_t(u64, offload->flow->timeout,
887 lastused + NF_FLOW_TIMEOUT);
889 if (offload->flowtable->flags & NF_FLOWTABLE_COUNTER) {
891 nf_ct_acct_add(offload->flow->ct,
892 FLOW_OFFLOAD_DIR_ORIGINAL,
893 stats[0].pkts, stats[0].bytes);
895 nf_ct_acct_add(offload->flow->ct,
896 FLOW_OFFLOAD_DIR_REPLY,
897 stats[1].pkts, stats[1].bytes);
901 static void flow_offload_work_handler(struct work_struct *work)
903 struct flow_offload_work *offload;
905 offload = container_of(work, struct flow_offload_work, work);
906 switch (offload->cmd) {
907 case FLOW_CLS_REPLACE:
908 flow_offload_work_add(offload);
910 case FLOW_CLS_DESTROY:
911 flow_offload_work_del(offload);
914 flow_offload_work_stats(offload);
920 clear_bit(NF_FLOW_HW_PENDING, &offload->flow->flags);
924 static void flow_offload_queue_work(struct flow_offload_work *offload)
926 if (offload->cmd == FLOW_CLS_REPLACE)
927 queue_work(nf_flow_offload_add_wq, &offload->work);
928 else if (offload->cmd == FLOW_CLS_DESTROY)
929 queue_work(nf_flow_offload_del_wq, &offload->work);
931 queue_work(nf_flow_offload_stats_wq, &offload->work);
934 static struct flow_offload_work *
935 nf_flow_offload_work_alloc(struct nf_flowtable *flowtable,
936 struct flow_offload *flow, unsigned int cmd)
938 struct flow_offload_work *offload;
940 if (test_and_set_bit(NF_FLOW_HW_PENDING, &flow->flags))
943 offload = kmalloc(sizeof(struct flow_offload_work), GFP_ATOMIC);
945 clear_bit(NF_FLOW_HW_PENDING, &flow->flags);
950 offload->flow = flow;
951 offload->priority = flowtable->priority;
952 offload->flowtable = flowtable;
953 INIT_WORK(&offload->work, flow_offload_work_handler);
959 void nf_flow_offload_add(struct nf_flowtable *flowtable,
960 struct flow_offload *flow)
962 struct flow_offload_work *offload;
964 offload = nf_flow_offload_work_alloc(flowtable, flow, FLOW_CLS_REPLACE);
968 flow_offload_queue_work(offload);
971 void nf_flow_offload_del(struct nf_flowtable *flowtable,
972 struct flow_offload *flow)
974 struct flow_offload_work *offload;
976 offload = nf_flow_offload_work_alloc(flowtable, flow, FLOW_CLS_DESTROY);
980 set_bit(NF_FLOW_HW_DYING, &flow->flags);
981 flow_offload_queue_work(offload);
984 void nf_flow_offload_stats(struct nf_flowtable *flowtable,
985 struct flow_offload *flow)
987 struct flow_offload_work *offload;
990 delta = nf_flow_timeout_delta(flow->timeout);
991 if ((delta >= (9 * NF_FLOW_TIMEOUT) / 10))
994 offload = nf_flow_offload_work_alloc(flowtable, flow, FLOW_CLS_STATS);
998 flow_offload_queue_work(offload);
1001 void nf_flow_table_offload_flush(struct nf_flowtable *flowtable)
1003 if (nf_flowtable_hw_offload(flowtable)) {
1004 flush_workqueue(nf_flow_offload_add_wq);
1005 flush_workqueue(nf_flow_offload_del_wq);
1006 flush_workqueue(nf_flow_offload_stats_wq);
1010 static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
1011 struct flow_block_offload *bo,
1012 enum flow_block_command cmd)
1014 struct flow_block_cb *block_cb, *next;
1018 case FLOW_BLOCK_BIND:
1019 list_splice(&bo->cb_list, &flowtable->flow_block.cb_list);
1021 case FLOW_BLOCK_UNBIND:
1022 list_for_each_entry_safe(block_cb, next, &bo->cb_list, list) {
1023 list_del(&block_cb->list);
1024 flow_block_cb_free(block_cb);
1035 static void nf_flow_table_block_offload_init(struct flow_block_offload *bo,
1037 enum flow_block_command cmd,
1038 struct nf_flowtable *flowtable,
1039 struct netlink_ext_ack *extack)
1041 memset(bo, 0, sizeof(*bo));
1043 bo->block = &flowtable->flow_block;
1045 bo->binder_type = FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
1046 bo->extack = extack;
1047 INIT_LIST_HEAD(&bo->cb_list);
1050 static void nf_flow_table_indr_cleanup(struct flow_block_cb *block_cb)
1052 struct nf_flowtable *flowtable = block_cb->indr.data;
1053 struct net_device *dev = block_cb->indr.dev;
1055 nf_flow_table_gc_cleanup(flowtable, dev);
1056 down_write(&flowtable->flow_block_lock);
1057 list_del(&block_cb->list);
1058 list_del(&block_cb->driver_list);
1059 flow_block_cb_free(block_cb);
1060 up_write(&flowtable->flow_block_lock);
1063 static int nf_flow_table_indr_offload_cmd(struct flow_block_offload *bo,
1064 struct nf_flowtable *flowtable,
1065 struct net_device *dev,
1066 enum flow_block_command cmd,
1067 struct netlink_ext_ack *extack)
1069 nf_flow_table_block_offload_init(bo, dev_net(dev), cmd, flowtable,
1072 return flow_indr_dev_setup_offload(dev, NULL, TC_SETUP_FT, flowtable, bo,
1073 nf_flow_table_indr_cleanup);
1076 static int nf_flow_table_offload_cmd(struct flow_block_offload *bo,
1077 struct nf_flowtable *flowtable,
1078 struct net_device *dev,
1079 enum flow_block_command cmd,
1080 struct netlink_ext_ack *extack)
1084 nf_flow_table_block_offload_init(bo, dev_net(dev), cmd, flowtable,
1086 err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, bo);
1093 int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
1094 struct net_device *dev,
1095 enum flow_block_command cmd)
1097 struct netlink_ext_ack extack = {};
1098 struct flow_block_offload bo;
1101 if (!nf_flowtable_hw_offload(flowtable))
1104 if (dev->netdev_ops->ndo_setup_tc)
1105 err = nf_flow_table_offload_cmd(&bo, flowtable, dev, cmd,
1108 err = nf_flow_table_indr_offload_cmd(&bo, flowtable, dev, cmd,
1113 return nf_flow_table_block_setup(flowtable, &bo, cmd);
1115 EXPORT_SYMBOL_GPL(nf_flow_table_offload_setup);
1117 int nf_flow_table_offload_init(void)
1119 nf_flow_offload_add_wq = alloc_workqueue("nf_ft_offload_add",
1120 WQ_UNBOUND | WQ_SYSFS, 0);
1121 if (!nf_flow_offload_add_wq)
1124 nf_flow_offload_del_wq = alloc_workqueue("nf_ft_offload_del",
1125 WQ_UNBOUND | WQ_SYSFS, 0);
1126 if (!nf_flow_offload_del_wq)
1129 nf_flow_offload_stats_wq = alloc_workqueue("nf_ft_offload_stats",
1130 WQ_UNBOUND | WQ_SYSFS, 0);
1131 if (!nf_flow_offload_stats_wq)
1137 destroy_workqueue(nf_flow_offload_del_wq);
1139 destroy_workqueue(nf_flow_offload_add_wq);
1143 void nf_flow_table_offload_exit(void)
1145 destroy_workqueue(nf_flow_offload_add_wq);
1146 destroy_workqueue(nf_flow_offload_del_wq);
1147 destroy_workqueue(nf_flow_offload_stats_wq);
projects / linux-2.6-microblaze.git / blob