1 | office | 1 | From: Felix Fietkau <nbd@nbd.name> |
2 | Date: Tue, 20 Feb 2018 15:56:02 +0100 |
||
3 | Subject: [PATCH] netfilter: add xt_OFFLOAD target |
||
4 | |||
5 | Signed-off-by: Felix Fietkau <nbd@nbd.name> |
||
6 | --- |
||
7 | create mode 100644 net/netfilter/xt_OFFLOAD.c |
||
8 | |||
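--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -75,8 +75,6 @@ config NF_TABLES_ARP
 	help
 	  This option enables the ARP support for nf_tables.
 
-endif # NF_TABLES
-
 config NF_FLOW_TABLE_IPV4
 	tristate "Netfilter flow table IPv4 module"
 	depends on NF_FLOW_TABLE
@@ -85,6 +83,8 @@ config NF_FLOW_TABLE_IPV4
 
 	  To compile it as a module, choose M here.
 
+endif # NF_TABLES
+
 config NF_DUP_IPV4
 	tristate "Netfilter IPv4 packet duplication to alternate destination"
 	depends on !NF_CONNTRACK || NF_CONNTRACK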
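--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -97,7 +97,6 @@ config NFT_FIB_IPV6
 	  multicast or blackhole.
 
 endif # NF_TABLES_IPV6
-endif # NF_TABLES
 
 config NF_FLOW_TABLE_IPV6
 	tristate "Netfilter flow table IPv6 module"
@@ -107,6 +106,8 @@ config NF_FLOW_TABLE_IPV6
 
 	  To compile it as a module, choose M here.
 
+endif # NF_TABLES
+
 config NF_DUP_IPV6
 	tristate "Netfilter IPv6 packet duplication to alternate destination"
 	depends on !NF_CONNTRACK || NF_CONNTRACK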
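--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -665,8 +665,6 @@ config NFT_FIB_NETDEV
 
 endif # NF_TABLES_NETDEV
 
-endif # NF_TABLES
-
 config NF_FLOW_TABLE_INET
 	tristate "Netfilter flow table mixed IPv4/IPv6 module"
 	depends on NF_FLOW_TABLE
@@ -675,11 +673,12 @@ config NF_FLOW_TABLE_INET
 
 	  To compile it as a module, choose M here.
 
+endif # NF_TABLES
+
 config NF_FLOW_TABLE
 	tristate "Netfilter flow table module"
 	depends on NETFILTER_INGRESS
 	depends on NF_CONNTRACK
-	depends on NF_TABLES
 	help
 	  This option adds the flow table core infrastructure.
 
@@ -968,6 +967,15 @@ config NETFILTER_XT_TARGET_NOTRACK
 	depends on NETFILTER_ADVANCED
 	select NETFILTER_XT_TARGET_CT
 
+config NETFILTER_XT_TARGET_FLOWOFFLOAD
+	tristate '"FLOWOFFLOAD" target support'
+	depends on NF_FLOW_TABLE
+	depends on NETFILTER_INGRESS
+	help
+	  This option adds a `FLOWOFFLOAD' target, which uses the nf_flow_offload
+	  module to speed up processing of packets by bypassing the usual
+	  netfilter chains
+
 config NETFILTER_XT_TARGET_RATEEST
 	tristate '"RATEEST" target support'
 	depends on NETFILTER_ADVANCED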
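Review bot: The help text of the new NETFILTER_XT_TARGET_FLOWOFFLOAD entry names an `nf_flow_offload` module, but the option depends on NF_FLOW_TABLE and the target file includes nf_flow_table.h, so the module it actually relies on is the flow table core; the text should say `which uses the nf_flow_table infrastructure`. The help text also ends without a full stop and, unlike the neighbouring entries, omits the `To compile it as a module, choose M here.` line that the tristate invites. Note that the target file additionally calls nf_flow_offload_hw_add(), which is not implied by either `depends on` line here; if that symbol comes from a separate hardware-offload option in this tree, the entry presumably needs a `depends on`/`select` for it — confirm against the tree.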
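--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -134,6 +134,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIF
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_FLOWOFFLOAD) += xt_FLOWOFFLOAD.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_HMARK) += xt_HMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o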
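--- /dev/null
+++ b/net/netfilter/xt_FLOWOFFLOAD.c
@@ -0,0 +1,365 @@
+/*
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_FLOWOFFLOAD.h>
+#include <net/ip.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_flow_table.h>
+
+static struct nf_flowtable nf_flowtable;
+static HLIST_HEAD(hooks);
+static DEFINE_SPINLOCK(hooks_lock);
+static struct delayed_work hook_work;
+
+struct xt_flowoffload_hook {
+	struct hlist_node list;
+	struct nf_hook_ops ops;
+	struct net *net;
+	bool registered;
+	bool used;
+};
+
+static unsigned int
+xt_flowoffload_net_hook(void *priv, struct sk_buff *skb,
+			const struct nf_hook_state *state)
+{
+	switch (skb->protocol) {
+	case htons(ETH_P_IP):
+		return nf_flow_offload_ip_hook(priv, skb, state);
+	case htons(ETH_P_IPV6):
+		return nf_flow_offload_ipv6_hook(priv, skb, state);
+	}
+
+	return NF_ACCEPT;
+}
+
+static int
+xt_flowoffload_create_hook(struct net_device *dev)
+{
+	struct xt_flowoffload_hook *hook;
+	struct nf_hook_ops *ops;
+
+	hook = kzalloc(sizeof(*hook), GFP_ATOMIC);
+	if (!hook)
+		return -ENOMEM;
+
+	ops = &hook->ops;
+	ops->pf = NFPROTO_NETDEV;
+	ops->hooknum = NF_NETDEV_INGRESS;
+	ops->priority = 10;
+	ops->priv = &nf_flowtable;
+	ops->hook = xt_flowoffload_net_hook;
+	ops->dev = dev;
+
+	hlist_add_head(&hook->list, &hooks);
+	mod_delayed_work(system_power_efficient_wq, &hook_work, 0);
+
+	return 0;
+}
+
+static struct xt_flowoffload_hook *
+flow_offload_lookup_hook(struct net_device *dev)
+{
+	struct xt_flowoffload_hook *hook;
+
+	hlist_for_each_entry(hook, &hooks, list) {
+		if (hook->ops.dev == dev)
+			return hook;
+	}
+
+	return NULL;
+}
+
+static void
+xt_flowoffload_check_device(struct net_device *dev)
+{
+	struct xt_flowoffload_hook *hook;
+
+	spin_lock_bh(&hooks_lock);
+	hook = flow_offload_lookup_hook(dev);
+	if (hook)
+		hook->used = true;
+	else
+		xt_flowoffload_create_hook(dev);
+	spin_unlock_bh(&hooks_lock);
+}
+
+static void
+xt_flowoffload_register_hooks(void)
+{
+	struct xt_flowoffload_hook *hook;
+
+restart:
+	hlist_for_each_entry(hook, &hooks, list) {
+		if (hook->registered)
+			continue;
+
+		hook->registered = true;
+		hook->net = dev_net(hook->ops.dev);
+		spin_unlock_bh(&hooks_lock);
+		nf_register_net_hook(hook->net, &hook->ops);
+		spin_lock_bh(&hooks_lock);
+		goto restart;
+	}
+
+}
+
+static void
+xt_flowoffload_cleanup_hooks(void)
+{
+	struct xt_flowoffload_hook *hook;
+
+restart:
+	hlist_for_each_entry(hook, &hooks, list) {
+		if (hook->used || !hook->registered)
+			continue;
+
+		hlist_del(&hook->list);
+		spin_unlock_bh(&hooks_lock);
+		nf_unregister_net_hook(hook->net, &hook->ops);
+		kfree(hook);
+		spin_lock_bh(&hooks_lock);
+		goto restart;
+	}
+
+}
+
+static void
+xt_flowoffload_check_hook(struct flow_offload *flow, void *data)
+{
+	struct flow_offload_tuple *tuple = &flow->tuplehash[0].tuple;
+	struct xt_flowoffload_hook *hook;
+	bool *found = data;
+
+	spin_lock_bh(&hooks_lock);
+	hlist_for_each_entry(hook, &hooks, list) {
+		if (hook->ops.dev->ifindex != tuple->iifidx &&
+		    hook->ops.dev->ifindex != tuple->oifidx)
+			continue;
+
+		hook->used = true;
+		*found = true;
+	}
+	spin_unlock_bh(&hooks_lock);
+}
+
+static void
+xt_flowoffload_hook_work(struct work_struct *work)
+{
+	struct xt_flowoffload_hook *hook;
+	bool found = false;
+	int err;
+
+	spin_lock_bh(&hooks_lock);
+	xt_flowoffload_register_hooks();
+	hlist_for_each_entry(hook, &hooks, list)
+		hook->used = false;
+	spin_unlock_bh(&hooks_lock);
+
+	err = nf_flow_table_iterate(&nf_flowtable, xt_flowoffload_check_hook,
+				    &found);
+	if (err && err != -EAGAIN)
+		goto out;
+
+	spin_lock_bh(&hooks_lock);
+	xt_flowoffload_cleanup_hooks();
+	spin_unlock_bh(&hooks_lock);
+
+out:
+	if (found)
+		queue_delayed_work(system_power_efficient_wq, &hook_work, HZ);
+}
+
+static bool
+xt_flowoffload_skip(struct sk_buff *skb)
+{
+	struct ip_options *opt = &(IPCB(skb)->opt);
+
+	if (unlikely(opt->optlen))
+		return true;
+	if (skb_sec_path(skb))
+		return true;
+
+	return false;
+}
+
+static struct dst_entry *
+xt_flowoffload_dst(const struct nf_conn *ct, enum ip_conntrack_dir dir,
+		   const struct xt_action_param *par)
+{
+	struct dst_entry *dst = NULL;
+	struct flowi fl;
+
+	memset(&fl, 0, sizeof(fl));
+	switch (xt_family(par)) {
+	case NFPROTO_IPV4:
+		fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
+		break;
+	case NFPROTO_IPV6:
+		fl.u.ip6.saddr = ct->tuplehash[dir].tuple.dst.u3.in6;
+		fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
+		break;
+	}
+
+	nf_route(xt_net(par), &dst, &fl, false, xt_family(par));
+
+	return dst;
+}
+
+static int
+xt_flowoffload_route(struct sk_buff *skb, const struct nf_conn *ct,
+		     const struct xt_action_param *par,
+		     struct nf_flow_route *route, enum ip_conntrack_dir dir)
+{
+	struct dst_entry *this_dst, *other_dst;
+
+	this_dst = xt_flowoffload_dst(ct, dir, par);
+	other_dst = xt_flowoffload_dst(ct, !dir, par);
+	if (!this_dst || !other_dst)
+		return -ENOENT;
+
+	route->tuple[dir].dst = this_dst;
+	route->tuple[dir].ifindex = xt_in(par)->ifindex;
+	route->tuple[!dir].dst = other_dst;
+	route->tuple[!dir].ifindex = xt_out(par)->ifindex;
+
+	return 0;
+}
+
+static unsigned int
+flowoffload_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{
+	const struct xt_flowoffload_target_info *info = par->targinfo;
+	enum ip_conntrack_info ctinfo;
+	enum ip_conntrack_dir dir;
+	struct nf_flow_route route;
+	struct flow_offload *flow;
+	struct nf_conn *ct;
+
+	if (xt_flowoffload_skip(skb))
+		return XT_CONTINUE;
+
+	ct = nf_ct_get(skb, &ctinfo);
+	if (ct == NULL)
+		return XT_CONTINUE;
+
+	switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
+	case IPPROTO_TCP:
+		if (ct->proto.tcp.state != TCP_CONNTRACK_ESTABLISHED)
+			return XT_CONTINUE;
+		break;
+	case IPPROTO_UDP:
+		break;
+	default:
+		return XT_CONTINUE;
+	}
+
+	if (test_bit(IPS_HELPER_BIT, &ct->status))
+		return XT_CONTINUE;
+
+	if (ctinfo == IP_CT_NEW ||
+	    ctinfo == IP_CT_RELATED)
+		return XT_CONTINUE;
+
+	if (!xt_in(par) || !xt_out(par))
+		return XT_CONTINUE;
+
+	if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status))
+		return XT_CONTINUE;
+
+	dir = CTINFO2DIR(ctinfo);
+
+	if (xt_flowoffload_route(skb, ct, par, &route, dir) < 0)
+		goto err_flow_route;
+
+	flow = flow_offload_alloc(ct, &route);
+	if (!flow)
+		goto err_flow_alloc;
+
+	if (flow_offload_add(&nf_flowtable, flow) < 0)
+		goto err_flow_add;
+
+	xt_flowoffload_check_device(xt_in(par));
+	xt_flowoffload_check_device(xt_out(par));
+
+	if (info->flags & XT_FLOWOFFLOAD_HW)
+		nf_flow_offload_hw_add(xt_net(par), flow, ct);
+
+	return XT_CONTINUE;
+
+err_flow_add:
+	flow_offload_free(flow);
+err_flow_alloc:
+	dst_release(route.tuple[!dir].dst);
+err_flow_route:
+	clear_bit(IPS_OFFLOAD_BIT, &ct->status);
+	return XT_CONTINUE;
+}
+
+
+static int flowoffload_chk(const struct xt_tgchk_param *par)
+{
+	struct xt_flowoffload_target_info *info = par->targinfo;
+
+	if (info->flags & ~XT_FLOWOFFLOAD_MASK)
+		return -EINVAL;
+
+	return 0;
+}
+
+static struct xt_target offload_tg_reg __read_mostly = {
+	.family		= NFPROTO_UNSPEC,
+	.name		= "FLOWOFFLOAD",
+	.revision	= 0,
+	.targetsize	= sizeof(struct xt_flowoffload_target_info),
+	.usersize	= sizeof(struct xt_flowoffload_target_info),
+	.checkentry	= flowoffload_chk,
+	.target		= flowoffload_tg,
+	.me		= THIS_MODULE,
+};
+
+static int xt_flowoffload_table_init(struct nf_flowtable *table)
+{
+	table->flags = NF_FLOWTABLE_F_HW;
+	nf_flow_table_init(table);
+	return 0;
+}
+
+static void xt_flowoffload_table_cleanup(struct nf_flowtable *table)
+{
+	nf_flow_table_free(table);
+}
+
+static int __init xt_flowoffload_tg_init(void)
+{
+	int ret;
+
+	INIT_DELAYED_WORK(&hook_work, xt_flowoffload_hook_work);
+
+	ret = xt_flowoffload_table_init(&nf_flowtable);
+	if (ret)
+		return ret;
+
+	ret = xt_register_target(&offload_tg_reg);
+	if (ret)
+		xt_flowoffload_table_cleanup(&nf_flowtable);
+
+	return ret;
+}
+
+static void __exit xt_flowoffload_tg_exit(void)
+{
+	xt_unregister_target(&offload_tg_reg);
+	xt_flowoffload_table_cleanup(&nf_flowtable);
+}
+
+MODULE_LICENSE("GPL");
+module_init(xt_flowoffload_tg_init);
+module_exit(xt_flowoffload_tg_exit);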
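Review bot: The per-device hooks keep a raw `net_device` pointer (`ops->dev = dev` in xt_flowoffload_create_hook) with no dev_hold() and no netdevice notifier, and the only teardown path is xt_flowoffload_hook_work, which runs on a HZ timer and keeps a hook alive for as long as any flow in the table cites its ifindex; an interface that is unregistered while such flows exist therefore leaves `hook->ops.dev` dangling, and it is later dereferenced in xt_flowoffload_check_hook (`hook->ops.dev->ifindex`) and handed to nf_unregister_net_hook(). A NETDEV_UNREGISTER notifier that removes the hook for that device, and flushes the flows that still reference it if the flow table core in this tree exports a cleanup helper for that, closes the window — note that xt_flowoffload_register_hooks sets `registered` before dropping the lock, so an in-flight nf_register_net_hook() must be excluded as well. Separately, xt_flowoffload_route returns -ENOENT without releasing the dst when only one of the two nf_route() lookups succeeds, and the `err_flow_alloc` unwind releases `route.tuple[!dir].dst` only, although here both entries come from nf_route() rather than from skb_dst() as in nft_flow_offload — the `dir` side presumably leaks on those paths, depending on how flow_offload_alloc() takes its own references. Finally, the target is registered for NFPROTO_UNSPEC but xt_flowoffload_skip reads `IPCB(skb)->opt` unconditionally, so for IPv6 packets it inspects IP6CB storage; the option check should be `if (xt_family(par) == NFPROTO_IPV4 && unlikely(IPCB(skb)->opt.optlen)) return true;`, which means passing `par` (or the family) into the helper.
```c
static int
xt_flowoffload_netdev_event(struct notifier_block *this,
			    unsigned long event, void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	struct xt_flowoffload_hook *hook;

	if (event != NETDEV_UNREGISTER)
		return NOTIFY_DONE;

	spin_lock_bh(&hooks_lock);
	hook = flow_offload_lookup_hook(dev);
	if (hook)
		hlist_del(&hook->list);
	spin_unlock_bh(&hooks_lock);

	if (hook) {
		/* registered is set before the lock is dropped in
		 * xt_flowoffload_register_hooks(); an in-flight registration
		 * must be excluded here as well.
		 */
		if (hook->registered)
			nf_unregister_net_hook(hook->net, &hook->ops);
		kfree(hook);
	}

	/* … also drop the flows that still cite dev->ifindex, via the core's
	 * cleanup helper if this tree provides one … */
	return NOTIFY_DONE;
}

static struct notifier_block flow_offload_netdev_notifier = {
	.notifier_call	= xt_flowoffload_netdev_event,
};

/* … unchanged: flowoffload_chk, offload_tg_reg, table init/cleanup … */
/* … xt_flowoffload_tg_init(): register_netdevice_notifier(&flow_offload_netdev_notifier)
 *     after the table is initialised; undo it on xt_register_target() failure and
 *     in xt_flowoffload_tg_exit() … */
```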
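--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -6,7 +6,6 @@
 #include <linux/netdevice.h>
 #include <net/ip.h>
 #include <net/ip6_route.h>
-#include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nf_flow_table.h>
 #include <net/netfilter/nf_conntrack.h>
 #include <net/netfilter/nf_conntrack_core.h>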
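--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_FLOWOFFLOAD.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
+#ifndef _XT_FLOWOFFLOAD_H
+#define _XT_FLOWOFFLOAD_H
+
+#include <linux/types.h>
+
+enum {
+	XT_FLOWOFFLOAD_HW	= 1 << 0,
+
+	XT_FLOWOFFLOAD_MASK	= XT_FLOWOFFLOAD_HW
+};
+
+struct xt_flowoffload_target_info {
+	__u32 flags;
+};
+
+#endif /* _XT_FLOWOFFLOAD_H */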