![Koen Vandeputte](/assets/img/avatar_default.png)
The following patches were removed because they are integrated in the upstream kernel 5.4: * backport-5.4/047-v4.21-mtd-keep-original-flags-for-every-struct-mtd_info.patch * backport-5.4/048-v4.21-mtd-improve-calculating-partition-boundaries-when-ch.patch * backport-5.4/080-v5.1-0001-bcma-keep-a-direct-pointer-to-the-struct-device.patch * backport-5.4/080-v5.1-0002-bcma-use-dev_-printing-functions.patch * backport-5.4/095-Allow-class-e-address-assignment-via-ifconfig-ioctl.patch * backport-5.4/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch * backport-5.4/200-v5.2-usb-dwc2-Set-lpm-mode-parameters-depend-on-HW-configuration.patch * backport-5.4/210-arm64-sve-Disentangle-uapi-asm-ptrace.h-from-uapi-as.patch * backport-5.4/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch * backport-5.4/450-v5.0-mtd-spinand-winbond-Add-support-for-W25N01GV.patch * backport-5.4/451-v5.0-mtd-spinand-Add-initial-support-for-Toshiba-TC58CVG2.patch * backport-5.4/452-v5.0-mtd-spinand-add-support-for-GigaDevice-GD5FxGQ4xA.patch * backport-5.4/455-v5.1-mtd-spinand-Add-support-for-all-Toshiba-Memory-produ.patch * backport-5.4/456-v5.1-mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UExxG.patch * backport-5.4/460-v5.0-mtd-spi-nor-Add-support-for-mx25u12835f.patch * backport-5.4/460-v5.3-mtd-spinand-Define-macros-for-page-read-ops-with-thr.patch * backport-5.4/461-v5.3-mtd-spinand-Add-support-for-two-byte-device-IDs.patch * backport-5.4/462-v5.3-mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UFxxG.patch * backport-5.4/463-v5.3-mtd-spinand-Add-initial-support-for-Paragon-PN26G0xA.patch * backport-5.4/700-v5.1-net-phylink-only-call-mac_config-during-resolve-when.patch * backport-5.4/701-v5.2-net-phylink-ensure-inband-AN-works-correctly.patch * backport-5.4/702-v4.20-net-ethernet-Add-helper-for-MACs-which-support-asym-.patch * backport-5.4/703-v4.20-net-ethernet-Add-helper-for-set_pauseparam-for-Asym-.patch * backport-5.4/704-v4.20-net-phy-Stop-with-excessive-soft-reset.patch * backport-5.4/705-v5.1-net-phy-provide-full-set-of-accessor-functions-to-MM.patch * backport-5.4/706-v5.1-net-phy-add-register-modifying-helpers-returning-1-o.patch * backport-5.4/707-v5.1-net-phy-add-genphy_c45_check_and_restart_aneg.patch * backport-5.4/708-v5.3-net-phylink-remove-netdev-from-phylink-mii-ioctl-emu.patch * backport-5.4/709-v5.3-net-phylink-support-for-link-gpio-interrupt.patch * backport-5.4/710-v5.3-net-phy-allow-Clause-45-access-via-mii-ioctl.patch * backport-5.4/711-v5.3-net-sfp-add-mandatory-attach-detach-methods-for-sfp-.patch * backport-5.4/712-v5.3-net-sfp-remove-sfp-bus-use-of-netdevs.patch * backport-5.4/713-v5.2-net-phylink-avoid-reducing-support-mask.patch * backport-5.4/714-v5.3-net-sfp-Stop-SFP-polling-and-interrupt-handling-duri.patch * backport-5.4/715-v5.3-net-phylink-don-t-start-and-stop-SGMII-PHYs-in-SFP-m.patch * backport-5.4/740-v5.5-net-phy-avoid-matching-all-ones-clause-45-PHY-IDs.patch * backport-5.4/741-v5.5-net-phylink-fix-link-mode-modification-in-PHY-mode.patch * pending-5.4/103-MIPS-perf-ath79-Fix-perfcount-IRQ-assignment.patch * pending-5.4/131-spi-use-gpio_set_value_cansleep-for-setting-chipsele.patch * pending-5.4/132-spi-spi-gpio-fix-crash-when-num-chipselects-is-0.patch * pending-5.4/220-optimize_inlining.patch * pending-5.4/341-MIPS-mm-remove-no-op-dma_map_ops-where-possible.patch * pending-5.4/475-mtd-spi-nor-Add-Winbond-w25q128jv-support.patch * pending-5.4/477-mtd-add-spi-nor-add-mx25u3235f.patch * pending-5.4/479-mtd-spi-nor-add-eon-en25qh64.patch Some bigger changes were done to this feature and we did not port this patch yet: * hack-5.4/207-disable-modorder.patch This depends on BOOTMEM which was removed from the kernel, this needs some bigger changes: * hack-5.4/930-crashlog.patch A different version of the FPU disable patch was merged upstream, OpenWrt needs some adaptations. * pending-5.4/304-mips_disable_fpu.patch - no crashlog support yet as a required file got deleted upstream - Removed patch below, which is now seen as a recursive dependency [1] - Removed patch below due to build error [2] - fix still required to avoid identical function def [3] - Fixes included from Blocktrron - Fixes included from Chunkeey - Fix included from nbd regarding "dst leak in Flow Offload" [1] target/linux/generic/hack-5.4/260-crypto_test_dependencies.patch [2] target/linux/generic/hack-5.4/207-disable-modorder.patch [3] target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> Signed-off-by: David Bauer <mail@david-bauer.net> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com> Signed-off-by: Robert Marko <robimarko@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
590 lines
15 KiB
Diff
590 lines
15 KiB
Diff
From: Felix Fietkau <nbd@nbd.name>
|
|
Date: Tue, 20 Feb 2018 15:56:02 +0100
|
|
Subject: [PATCH] netfilter: add xt_OFFLOAD target
|
|
|
|
Signed-off-by: Felix Fietkau <nbd@nbd.name>
|
|
---
|
|
create mode 100644 net/netfilter/xt_OFFLOAD.c
|
|
|
|
--- a/net/ipv4/netfilter/Kconfig
|
|
+++ b/net/ipv4/netfilter/Kconfig
|
|
@@ -56,8 +56,6 @@ config NF_TABLES_ARP
|
|
help
|
|
This option enables the ARP support for nf_tables.
|
|
|
|
-endif # NF_TABLES
|
|
-
|
|
config NF_FLOW_TABLE_IPV4
|
|
tristate "Netfilter flow table IPv4 module"
|
|
depends on NF_FLOW_TABLE
|
|
@@ -66,6 +64,8 @@ config NF_FLOW_TABLE_IPV4
|
|
|
|
To compile it as a module, choose M here.
|
|
|
|
+endif # NF_TABLES
|
|
+
|
|
config NF_DUP_IPV4
|
|
tristate "Netfilter IPv4 packet duplication to alternate destination"
|
|
depends on !NF_CONNTRACK || NF_CONNTRACK
|
|
--- a/net/ipv6/netfilter/Kconfig
|
|
+++ b/net/ipv6/netfilter/Kconfig
|
|
@@ -45,7 +45,6 @@ config NFT_FIB_IPV6
|
|
multicast or blackhole.
|
|
|
|
endif # NF_TABLES_IPV6
|
|
-endif # NF_TABLES
|
|
|
|
config NF_FLOW_TABLE_IPV6
|
|
tristate "Netfilter flow table IPv6 module"
|
|
@@ -55,6 +54,8 @@ config NF_FLOW_TABLE_IPV6
|
|
|
|
To compile it as a module, choose M here.
|
|
|
|
+endif # NF_TABLES
|
|
+
|
|
config NF_DUP_IPV6
|
|
tristate "Netfilter IPv6 packet duplication to alternate destination"
|
|
depends on !NF_CONNTRACK || NF_CONNTRACK
|
|
--- a/net/netfilter/Kconfig
|
|
+++ b/net/netfilter/Kconfig
|
|
@@ -702,8 +702,6 @@ config NFT_FIB_NETDEV
|
|
|
|
endif # NF_TABLES_NETDEV
|
|
|
|
-endif # NF_TABLES
|
|
-
|
|
config NF_FLOW_TABLE_INET
|
|
tristate "Netfilter flow table mixed IPv4/IPv6 module"
|
|
depends on NF_FLOW_TABLE
|
|
@@ -712,11 +710,12 @@ config NF_FLOW_TABLE_INET
|
|
|
|
To compile it as a module, choose M here.
|
|
|
|
+endif # NF_TABLES
|
|
+
|
|
config NF_FLOW_TABLE
|
|
tristate "Netfilter flow table module"
|
|
depends on NETFILTER_INGRESS
|
|
depends on NF_CONNTRACK
|
|
- depends on NF_TABLES
|
|
help
|
|
This option adds the flow table core infrastructure.
|
|
|
|
@@ -1005,6 +1004,15 @@ config NETFILTER_XT_TARGET_NOTRACK
|
|
depends on NETFILTER_ADVANCED
|
|
select NETFILTER_XT_TARGET_CT
|
|
|
|
+config NETFILTER_XT_TARGET_FLOWOFFLOAD
|
|
+ tristate '"FLOWOFFLOAD" target support'
|
|
+ depends on NF_FLOW_TABLE
|
|
+ depends on NETFILTER_INGRESS
|
|
+ help
|
|
+ This option adds a `FLOWOFFLOAD' target, which uses the nf_flow_offload
|
|
+ module to speed up processing of packets by bypassing the usual
|
|
+ netfilter chains
|
|
+
|
|
config NETFILTER_XT_TARGET_RATEEST
|
|
tristate '"RATEEST" target support'
|
|
depends on NETFILTER_ADVANCED
|
|
--- a/net/netfilter/Makefile
|
|
+++ b/net/netfilter/Makefile
|
|
@@ -144,6 +144,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIF
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
|
|
+obj-$(CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD) += xt_FLOWOFFLOAD.o
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o
|
|
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
|
|
--- /dev/null
|
|
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
|
|
@@ -0,0 +1,427 @@
|
|
+/*
|
|
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License version 2 as
|
|
+ * published by the Free Software Foundation.
|
|
+ */
|
|
+#include <linux/module.h>
|
|
+#include <linux/init.h>
|
|
+#include <linux/netfilter.h>
|
|
+#include <linux/netfilter/xt_FLOWOFFLOAD.h>
|
|
+#include <net/ip.h>
|
|
+#include <net/netfilter/nf_conntrack.h>
|
|
+#include <net/netfilter/nf_conntrack_extend.h>
|
|
+#include <net/netfilter/nf_conntrack_helper.h>
|
|
+#include <net/netfilter/nf_flow_table.h>
|
|
+
|
|
+static struct nf_flowtable nf_flowtable;
|
|
+static HLIST_HEAD(hooks);
|
|
+static DEFINE_SPINLOCK(hooks_lock);
|
|
+static struct delayed_work hook_work;
|
|
+
|
|
+struct xt_flowoffload_hook {
|
|
+ struct hlist_node list;
|
|
+ struct nf_hook_ops ops;
|
|
+ struct net *net;
|
|
+ bool registered;
|
|
+ bool used;
|
|
+};
|
|
+
|
|
+static unsigned int
|
|
+xt_flowoffload_net_hook(void *priv, struct sk_buff *skb,
|
|
+ const struct nf_hook_state *state)
|
|
+{
|
|
+ switch (skb->protocol) {
|
|
+ case htons(ETH_P_IP):
|
|
+ return nf_flow_offload_ip_hook(priv, skb, state);
|
|
+ case htons(ETH_P_IPV6):
|
|
+ return nf_flow_offload_ipv6_hook(priv, skb, state);
|
|
+ }
|
|
+
|
|
+ return NF_ACCEPT;
|
|
+}
|
|
+
|
|
+int nf_flow_table_iterate(struct nf_flowtable *flow_table,
|
|
+ void (*iter)(struct flow_offload *flow, void *data),
|
|
+ void *data);
|
|
+
|
|
+static int
|
|
+xt_flowoffload_create_hook(struct net_device *dev)
|
|
+{
|
|
+ struct xt_flowoffload_hook *hook;
|
|
+ struct nf_hook_ops *ops;
|
|
+
|
|
+ hook = kzalloc(sizeof(*hook), GFP_ATOMIC);
|
|
+ if (!hook)
|
|
+ return -ENOMEM;
|
|
+
|
|
+ ops = &hook->ops;
|
|
+ ops->pf = NFPROTO_NETDEV;
|
|
+ ops->hooknum = NF_NETDEV_INGRESS;
|
|
+ ops->priority = 10;
|
|
+ ops->priv = &nf_flowtable;
|
|
+ ops->hook = xt_flowoffload_net_hook;
|
|
+ ops->dev = dev;
|
|
+
|
|
+ hlist_add_head(&hook->list, &hooks);
|
|
+ mod_delayed_work(system_power_efficient_wq, &hook_work, 0);
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static struct xt_flowoffload_hook *
|
|
+flow_offload_lookup_hook(struct net_device *dev)
|
|
+{
|
|
+ struct xt_flowoffload_hook *hook;
|
|
+
|
|
+ hlist_for_each_entry(hook, &hooks, list) {
|
|
+ if (hook->ops.dev == dev)
|
|
+ return hook;
|
|
+ }
|
|
+
|
|
+ return NULL;
|
|
+}
|
|
+
|
|
+static void
|
|
+xt_flowoffload_check_device(struct net_device *dev)
|
|
+{
|
|
+ struct xt_flowoffload_hook *hook;
|
|
+
|
|
+ spin_lock_bh(&hooks_lock);
|
|
+ hook = flow_offload_lookup_hook(dev);
|
|
+ if (hook)
|
|
+ hook->used = true;
|
|
+ else
|
|
+ xt_flowoffload_create_hook(dev);
|
|
+ spin_unlock_bh(&hooks_lock);
|
|
+}
|
|
+
|
|
+static void
|
|
+xt_flowoffload_register_hooks(void)
|
|
+{
|
|
+ struct xt_flowoffload_hook *hook;
|
|
+
|
|
+restart:
|
|
+ hlist_for_each_entry(hook, &hooks, list) {
|
|
+ if (hook->registered)
|
|
+ continue;
|
|
+
|
|
+ hook->registered = true;
|
|
+ hook->net = dev_net(hook->ops.dev);
|
|
+ spin_unlock_bh(&hooks_lock);
|
|
+ nf_register_net_hook(hook->net, &hook->ops);
|
|
+ spin_lock_bh(&hooks_lock);
|
|
+ goto restart;
|
|
+ }
|
|
+
|
|
+}
|
|
+
|
|
+static void
|
|
+xt_flowoffload_cleanup_hooks(void)
|
|
+{
|
|
+ struct xt_flowoffload_hook *hook;
|
|
+
|
|
+restart:
|
|
+ hlist_for_each_entry(hook, &hooks, list) {
|
|
+ if (hook->used || !hook->registered)
|
|
+ continue;
|
|
+
|
|
+ hlist_del(&hook->list);
|
|
+ spin_unlock_bh(&hooks_lock);
|
|
+ nf_unregister_net_hook(hook->net, &hook->ops);
|
|
+ kfree(hook);
|
|
+ spin_lock_bh(&hooks_lock);
|
|
+ goto restart;
|
|
+ }
|
|
+
|
|
+}
|
|
+
|
|
+static void
|
|
+xt_flowoffload_check_hook(struct flow_offload *flow, void *data)
|
|
+{
|
|
+ struct flow_offload_tuple *tuple = &flow->tuplehash[0].tuple;
|
|
+ struct xt_flowoffload_hook *hook;
|
|
+ bool *found = data;
|
|
+ struct rtable *rt = (struct rtable *)tuple->dst_cache;
|
|
+
|
|
+ spin_lock_bh(&hooks_lock);
|
|
+ hlist_for_each_entry(hook, &hooks, list) {
|
|
+ if (hook->ops.dev->ifindex != tuple->iifidx &&
|
|
+ hook->ops.dev->ifindex != rt->dst.dev->ifindex)
|
|
+ continue;
|
|
+
|
|
+ hook->used = true;
|
|
+ *found = true;
|
|
+ }
|
|
+ spin_unlock_bh(&hooks_lock);
|
|
+}
|
|
+
|
|
+static void
|
|
+xt_flowoffload_hook_work(struct work_struct *work)
|
|
+{
|
|
+ struct xt_flowoffload_hook *hook;
|
|
+ bool found = false;
|
|
+ int err;
|
|
+
|
|
+ spin_lock_bh(&hooks_lock);
|
|
+ xt_flowoffload_register_hooks();
|
|
+ hlist_for_each_entry(hook, &hooks, list)
|
|
+ hook->used = false;
|
|
+ spin_unlock_bh(&hooks_lock);
|
|
+
|
|
+ err = nf_flow_table_iterate(&nf_flowtable, xt_flowoffload_check_hook,
|
|
+ &found);
|
|
+ if (err && err != -EAGAIN)
|
|
+ goto out;
|
|
+
|
|
+ spin_lock_bh(&hooks_lock);
|
|
+ xt_flowoffload_cleanup_hooks();
|
|
+ spin_unlock_bh(&hooks_lock);
|
|
+
|
|
+out:
|
|
+ if (found)
|
|
+ queue_delayed_work(system_power_efficient_wq, &hook_work, HZ);
|
|
+}
|
|
+
|
|
+static bool
|
|
+xt_flowoffload_skip(struct sk_buff *skb, int family)
|
|
+{
|
|
+ if (skb_sec_path(skb))
|
|
+ return true;
|
|
+
|
|
+ if (family == NFPROTO_IPV4) {
|
|
+ const struct ip_options *opt = &(IPCB(skb)->opt);
|
|
+
|
|
+ if (unlikely(opt->optlen))
|
|
+ return true;
|
|
+ }
|
|
+
|
|
+ return false;
|
|
+}
|
|
+
|
|
+static struct dst_entry *
|
|
+xt_flowoffload_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir,
|
|
+ const struct xt_action_param *par, int ifindex)
|
|
+{
|
|
+ struct dst_entry *dst = NULL;
|
|
+ struct flowi fl;
|
|
+
|
|
+ memset(&fl, 0, sizeof(fl));
|
|
+ switch (xt_family(par)) {
|
|
+ case NFPROTO_IPV4:
|
|
+ fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
|
|
+ fl.u.ip4.flowi4_oif = ifindex;
|
|
+ break;
|
|
+ case NFPROTO_IPV6:
|
|
+ fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;
|
|
+ fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
|
|
+ fl.u.ip6.flowi6_oif = ifindex;
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ nf_route(xt_net(par), &dst, &fl, false, xt_family(par));
|
|
+
|
|
+ return dst;
|
|
+}
|
|
+
|
|
+static int
|
|
+xt_flowoffload_route(struct sk_buff *skb, const struct nf_conn *ct,
|
|
+ const struct xt_action_param *par,
|
|
+ struct nf_flow_route *route, enum ip_conntrack_dir dir)
|
|
+{
|
|
+ struct dst_entry *this_dst, *other_dst;
|
|
+
|
|
+ this_dst = xt_flowoffload_dst(ct, !dir, par, xt_out(par)->ifindex);
|
|
+ other_dst = xt_flowoffload_dst(ct, dir, par, xt_in(par)->ifindex);
|
|
+
|
|
+ route->tuple[dir].dst = this_dst;
|
|
+ route->tuple[!dir].dst = other_dst;
|
|
+
|
|
+ if (!this_dst || !other_dst)
|
|
+ return -ENOENT;
|
|
+
|
|
+ if (dst_xfrm(this_dst) || dst_xfrm(other_dst))
|
|
+ return -EINVAL;
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static unsigned int
|
|
+flowoffload_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
|
+{
|
|
+ const struct xt_flowoffload_target_info *info = par->targinfo;
|
|
+ struct tcphdr _tcph, *tcph = NULL;
|
|
+ enum ip_conntrack_info ctinfo;
|
|
+ enum ip_conntrack_dir dir;
|
|
+ struct nf_flow_route route;
|
|
+ struct flow_offload *flow = NULL;
|
|
+ struct nf_conn *ct;
|
|
+ struct net *net;
|
|
+
|
|
+ if (xt_flowoffload_skip(skb, xt_family(par)))
|
|
+ return XT_CONTINUE;
|
|
+
|
|
+ ct = nf_ct_get(skb, &ctinfo);
|
|
+ if (ct == NULL)
|
|
+ return XT_CONTINUE;
|
|
+
|
|
+ switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
|
|
+ case IPPROTO_TCP:
|
|
+ if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
|
|
+ return XT_CONTINUE;
|
|
+
|
|
+ tcph = skb_header_pointer(skb, par->thoff,
|
|
+ sizeof(_tcph), &_tcph);
|
|
+ if (unlikely(!tcph || tcph->fin || tcph->rst))
|
|
+ return XT_CONTINUE;
|
|
+ break;
|
|
+ case IPPROTO_UDP:
|
|
+ break;
|
|
+ default:
|
|
+ return XT_CONTINUE;
|
|
+ }
|
|
+
|
|
+ if (nf_ct_ext_exist(ct, NF_CT_EXT_HELPER) ||
|
|
+ ct->status & IPS_SEQ_ADJUST)
|
|
+ return XT_CONTINUE;
|
|
+
|
|
+ if (!nf_ct_is_confirmed(ct))
|
|
+ return XT_CONTINUE;
|
|
+
|
|
+ if (!xt_in(par) || !xt_out(par))
|
|
+ return XT_CONTINUE;
|
|
+
|
|
+ if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status))
|
|
+ return XT_CONTINUE;
|
|
+
|
|
+ dir = CTINFO2DIR(ctinfo);
|
|
+
|
|
+ if (xt_flowoffload_route(skb, ct, par, &route, dir) == 0)
|
|
+ flow = flow_offload_alloc(ct, &route);
|
|
+
|
|
+ dst_release(route.tuple[dir].dst);
|
|
+ dst_release(route.tuple[!dir].dst);
|
|
+
|
|
+ if (!flow)
|
|
+ goto err_flow_route;
|
|
+
|
|
+ if (tcph) {
|
|
+ ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
|
|
+ ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
|
|
+ }
|
|
+
|
|
+ if (flow_offload_add(&nf_flowtable, flow) < 0)
|
|
+ goto err_flow_add;
|
|
+
|
|
+ xt_flowoffload_check_device(xt_in(par));
|
|
+ xt_flowoffload_check_device(xt_out(par));
|
|
+
|
|
+ net = read_pnet(&nf_flowtable.ft_net);
|
|
+ if (!net)
|
|
+ write_pnet(&nf_flowtable.ft_net, xt_net(par));
|
|
+
|
|
+ if (info->flags & XT_FLOWOFFLOAD_HW)
|
|
+ nf_flow_offload_hw_add(xt_net(par), flow, ct);
|
|
+
|
|
+ return XT_CONTINUE;
|
|
+
|
|
+err_flow_add:
|
|
+ flow_offload_free(flow);
|
|
+err_flow_route:
|
|
+ clear_bit(IPS_OFFLOAD_BIT, &ct->status);
|
|
+ return XT_CONTINUE;
|
|
+}
|
|
+
|
|
+
|
|
+static int flowoffload_chk(const struct xt_tgchk_param *par)
|
|
+{
|
|
+ struct xt_flowoffload_target_info *info = par->targinfo;
|
|
+
|
|
+ if (info->flags & ~XT_FLOWOFFLOAD_MASK)
|
|
+ return -EINVAL;
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static struct xt_target offload_tg_reg __read_mostly = {
|
|
+ .family = NFPROTO_UNSPEC,
|
|
+ .name = "FLOWOFFLOAD",
|
|
+ .revision = 0,
|
|
+ .targetsize = sizeof(struct xt_flowoffload_target_info),
|
|
+ .usersize = sizeof(struct xt_flowoffload_target_info),
|
|
+ .checkentry = flowoffload_chk,
|
|
+ .target = flowoffload_tg,
|
|
+ .me = THIS_MODULE,
|
|
+};
|
|
+
|
|
+static int xt_flowoffload_table_init(struct nf_flowtable *table)
|
|
+{
|
|
+ table->flags = NF_FLOWTABLE_F_HW;
|
|
+ nf_flow_table_init(table);
|
|
+ return 0;
|
|
+}
|
|
+
|
|
+static void xt_flowoffload_table_cleanup(struct nf_flowtable *table)
|
|
+{
|
|
+ nf_flow_table_free(table);
|
|
+}
|
|
+
|
|
+static int flow_offload_netdev_event(struct notifier_block *this,
|
|
+ unsigned long event, void *ptr)
|
|
+{
|
|
+ struct xt_flowoffload_hook *hook = NULL;
|
|
+ struct net_device *dev = netdev_notifier_info_to_dev(ptr);
|
|
+
|
|
+ if (event != NETDEV_UNREGISTER)
|
|
+ return NOTIFY_DONE;
|
|
+
|
|
+ spin_lock_bh(&hooks_lock);
|
|
+ hook = flow_offload_lookup_hook(dev);
|
|
+ if (hook) {
|
|
+ hlist_del(&hook->list);
|
|
+ }
|
|
+ spin_unlock_bh(&hooks_lock);
|
|
+ if (hook) {
|
|
+ nf_unregister_net_hook(hook->net, &hook->ops);
|
|
+ kfree(hook);
|
|
+ }
|
|
+
|
|
+ nf_flow_table_cleanup(dev);
|
|
+
|
|
+ return NOTIFY_DONE;
|
|
+}
|
|
+
|
|
+static struct notifier_block flow_offload_netdev_notifier = {
|
|
+ .notifier_call = flow_offload_netdev_event,
|
|
+};
|
|
+
|
|
+static int __init xt_flowoffload_tg_init(void)
|
|
+{
|
|
+ int ret;
|
|
+
|
|
+ register_netdevice_notifier(&flow_offload_netdev_notifier);
|
|
+
|
|
+ INIT_DELAYED_WORK(&hook_work, xt_flowoffload_hook_work);
|
|
+
|
|
+ ret = xt_flowoffload_table_init(&nf_flowtable);
|
|
+ if (ret)
|
|
+ return ret;
|
|
+
|
|
+ ret = xt_register_target(&offload_tg_reg);
|
|
+ if (ret)
|
|
+ xt_flowoffload_table_cleanup(&nf_flowtable);
|
|
+
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+static void __exit xt_flowoffload_tg_exit(void)
|
|
+{
|
|
+ xt_unregister_target(&offload_tg_reg);
|
|
+ xt_flowoffload_table_cleanup(&nf_flowtable);
|
|
+ unregister_netdevice_notifier(&flow_offload_netdev_notifier);
|
|
+}
|
|
+
|
|
+MODULE_LICENSE("GPL");
|
|
+module_init(xt_flowoffload_tg_init);
|
|
+module_exit(xt_flowoffload_tg_exit);
|
|
--- a/net/netfilter/nf_flow_table_core.c
|
|
+++ b/net/netfilter/nf_flow_table_core.c
|
|
@@ -7,7 +7,6 @@
|
|
#include <linux/netdevice.h>
|
|
#include <net/ip.h>
|
|
#include <net/ip6_route.h>
|
|
-#include <net/netfilter/nf_tables.h>
|
|
#include <net/netfilter/nf_flow_table.h>
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
#include <net/netfilter/nf_conntrack_core.h>
|
|
@@ -338,8 +337,7 @@ flow_offload_lookup(struct nf_flowtable
|
|
}
|
|
EXPORT_SYMBOL_GPL(flow_offload_lookup);
|
|
|
|
-static int
|
|
-nf_flow_table_iterate(struct nf_flowtable *flow_table,
|
|
+int nf_flow_table_iterate(struct nf_flowtable *flow_table,
|
|
void (*iter)(struct flow_offload *flow, void *data),
|
|
void *data)
|
|
{
|
|
@@ -372,6 +370,7 @@ nf_flow_table_iterate(struct nf_flowtabl
|
|
|
|
return err;
|
|
}
|
|
+EXPORT_SYMBOL_GPL(nf_flow_table_iterate);
|
|
|
|
static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data)
|
|
{
|
|
--- /dev/null
|
|
+++ b/include/uapi/linux/netfilter/xt_FLOWOFFLOAD.h
|
|
@@ -0,0 +1,17 @@
|
|
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
|
|
+#ifndef _XT_FLOWOFFLOAD_H
|
|
+#define _XT_FLOWOFFLOAD_H
|
|
+
|
|
+#include <linux/types.h>
|
|
+
|
|
+enum {
|
|
+ XT_FLOWOFFLOAD_HW = 1 << 0,
|
|
+
|
|
+ XT_FLOWOFFLOAD_MASK = XT_FLOWOFFLOAD_HW
|
|
+};
|
|
+
|
|
+struct xt_flowoffload_target_info {
|
|
+ __u32 flags;
|
|
+};
|
|
+
|
|
+#endif /* _XT_FLOWOFFLOAD_H */
|
|
--- a/include/net/netfilter/nf_flow_table.h
|
|
+++ b/include/net/netfilter/nf_flow_table.h
|
|
@@ -128,6 +128,10 @@ static inline void flow_offload_dead(str
|
|
flow->flags |= FLOW_OFFLOAD_DYING;
|
|
}
|
|
|
|
+int nf_flow_table_iterate(struct nf_flowtable *flow_table,
|
|
+ void (*iter)(struct flow_offload *flow, void *data),
|
|
+ void *data);
|
|
+
|
|
int nf_flow_snat_port(const struct flow_offload *flow,
|
|
struct sk_buff *skb, unsigned int thoff,
|
|
u8 protocol, enum flow_offload_tuple_dir dir);
|