1 From: Pablo Neira Ayuso <pablo@netfilter.org>
2 Date: Thu, 4 Mar 2021 19:24:11 +0100
3 Subject: [PATCH] netfilter: nft_flow_offload: use direct xmit if
4 hardware offload is enabled
6 If there is a forward path to reach an ethernet device and hardware
7 offload is enabled, then use the direct xmit path.
10 --- a/include/net/netfilter/nf_flow_table.h
11 +++ b/include/net/netfilter/nf_flow_table.h
12 @@ -131,6 +131,7 @@ struct flow_offload_tuple {
13 struct dst_entry *dst_cache;
17 u8 h_source[ETH_ALEN];
20 @@ -188,6 +189,7 @@ struct nf_flow_route {
25 u8 h_source[ETH_ALEN];
28 --- a/net/netfilter/nf_flow_table_core.c
29 +++ b/net/netfilter/nf_flow_table_core.c
30 @@ -106,6 +106,7 @@ static int flow_offload_fill_route(struc
31 memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source,
33 flow_tuple->out.ifidx = route->tuple[dir].out.ifindex;
34 + flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex;
36 case FLOW_OFFLOAD_XMIT_XFRM:
37 case FLOW_OFFLOAD_XMIT_NEIGH:
38 --- a/net/netfilter/nf_flow_table_offload.c
39 +++ b/net/netfilter/nf_flow_table_offload.c
40 @@ -506,7 +506,7 @@ static void flow_offload_redirect(struct
41 switch (this_tuple->xmit_type) {
42 case FLOW_OFFLOAD_XMIT_DIRECT:
43 this_tuple = &flow->tuplehash[dir].tuple;
44 - ifindex = this_tuple->out.ifidx;
45 + ifindex = this_tuple->out.hw_ifidx;
47 case FLOW_OFFLOAD_XMIT_NEIGH:
48 other_tuple = &flow->tuplehash[!dir].tuple;
49 --- a/net/netfilter/nft_flow_offload.c
50 +++ b/net/netfilter/nft_flow_offload.c
51 @@ -66,6 +66,7 @@ static int nft_dev_fill_forward_path(con
52 struct nft_forward_info {
53 const struct net_device *indev;
54 const struct net_device *outdev;
55 + const struct net_device *hw_outdev;
59 @@ -76,9 +77,18 @@ struct nft_forward_info {
60 enum flow_offload_xmit_type xmit_type;
63 +static bool nft_is_valid_ether_device(const struct net_device *dev)
65 + if (!dev || (dev->flags & IFF_LOOPBACK) || dev->type != ARPHRD_ETHER ||
66 + dev->addr_len != ETH_ALEN || !is_valid_ether_addr(dev->dev_addr))
72 static void nft_dev_path_info(const struct net_device_path_stack *stack,
73 struct nft_forward_info *info,
75 + unsigned char *ha, struct nf_flowtable *flowtable)
77 const struct net_device_path *path;
79 @@ -140,6 +150,12 @@ static void nft_dev_path_info(const stru
82 info->outdev = info->indev;
84 + info->hw_outdev = info->indev;
86 + if (nf_flowtable_hw_offload(flowtable) &&
87 + nft_is_valid_ether_device(info->indev))
88 + info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT;
91 static bool nft_flowtable_find_dev(const struct net_device *dev,
92 @@ -171,7 +187,7 @@ static void nft_dev_forward_path(struct
95 if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
96 - nft_dev_path_info(&stack, &info, ha);
97 + nft_dev_path_info(&stack, &info, ha, &ft->data);
99 if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
101 @@ -187,6 +203,7 @@ static void nft_dev_forward_path(struct
102 memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
103 memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
104 route->tuple[dir].out.ifindex = info.outdev->ifindex;
105 + route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
106 route->tuple[dir].xmit_type = info.xmit_type;