14 Jul, 2020
1 commit
-
Previously, shared blocks were only relevant for the pseudo-qdiscs ingress
and clsact. Recently, a qevent facility was introduced, which allows to
bind blocks to well-defined slots of a qdisc instance. RED in particular
got two qevents: early_drop and mark. Drivers that wish to offload these
blocks will be sent the usual notification, and need to know which qdisc it
is related to.

To that end, extend flow_block_offload with a "sch" pointer, and initialize
as appropriate. This prompts changes in the indirect block facility, which
now tracks the scheduler in addition to the netdevice. Update signatures of
several functions similarly.
Signed-off-by: Petr Machata
Signed-off-by: David S. Miller
20 Jun, 2020
1 commit
-
If the representor is removed, then identify the indirect flow_blocks
that need to be removed by the release callback and the port representor
structure. To identify the port representor structure, a new
indr.cb_priv field needs to be introduced. The flow_block also needs to
be removed from the driver list from the cleanup path.
Fixes: 1fac52da5942 ("net: flow_offload: consolidate indirect flow_block infrastructure")
Signed-off-by: wenxu
Signed-off-by: David S. Miller
02 Jun, 2020
2 commits
-
Drivers do not register to netdev events to set up indirect blocks
anymore. Remove __flow_indr_block_cb_register() and
__flow_indr_block_cb_unregister().

The frontends set up the callbacks through flow_indr_dev_setup_block()
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
-
Update existing frontends to use flow_indr_dev_setup_offload().
This new function must be called if ->ndo_setup_tc is unset to deal
with tunnel devices.

If there is no driver that is subscribed to new tunnel device
flow_block bindings, then this function bails out with EOPNOTSUPP.

If the driver module is removed, the ->cleanup() callback removes the
entries that belong to this tunnel device. This cleanup procedure is
triggered when the device unregisters the tunnel device offload handler.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
16 May, 2020
1 commit
-
Move the bpf verifier trace check into the new switch statement in
HEAD.

Resolve the overlapping changes in hinic, where bug fixes overlap
the addition of VF support.
Signed-off-by: David S. Miller
11 May, 2020
2 commits
-
This workqueue is in charge of handling offloaded flow tasks like
add/del/stats we should not use WQ_MEM_RECLAIM flag.
The flag can result in the following warning.

[ 485.557189] ------------[ cut here ]------------
[ 485.562976] workqueue: WQ_MEM_RECLAIM nf_flow_table_offload:flow_offload_worr
[ 485.562985] WARNING: CPU: 7 PID: 3731 at kernel/workqueue.c:2610 check_flush0
[ 485.590191] Kernel panic - not syncing: panic_on_warn set ...
[ 485.597100] CPU: 7 PID: 3731 Comm: kworker/u112:8 Not tainted 5.7.0-rc1.21802
[ 485.606629] Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.4.3 01/177
[ 485.615487] Workqueue: nf_flow_table_offload flow_offload_work_handler [nf_f]
[ 485.624834] Call Trace:
[ 485.628077] dump_stack+0x50/0x70
[ 485.632280] panic+0xfb/0x2d7
[ 485.636083] ? check_flush_dependency+0x110/0x130
[ 485.641830] __warn.cold.12+0x20/0x2a
[ 485.646405] ? check_flush_dependency+0x110/0x130
[ 485.652154] ? check_flush_dependency+0x110/0x130
[ 485.657900] report_bug+0xb8/0x100
[ 485.662187] ? sched_clock_cpu+0xc/0xb0
[ 485.666974] do_error_trap+0x9f/0xc0
[ 485.671464] do_invalid_op+0x36/0x40
[ 485.675950] ? check_flush_dependency+0x110/0x130
[ 485.681699] invalid_op+0x28/0x30

Fixes: 7da182a998d6 ("netfilter: flowtable: Use work entry per offload command")
Reported-by: Marcelo Ricardo Leitner
Signed-off-by: Roi Dayan
Reviewed-by: Paul Blakey
Signed-off-by: Pablo Neira Ayuso
-
Gc step can queue offloaded flow del work or stats work.
Those work items can race each other and a flow could be freed
before the stats work is executed and querying it.
To avoid that, add a pending bit that if a work exists for a flow
don't queue another work for it.
This will also avoid adding multiple stats works in case stats work
didn't complete but gc step started again.
Signed-off-by: Paul Blakey
Reviewed-by: Roi Dayan
Signed-off-by: Pablo Neira Ayuso
27 Apr, 2020
1 commit
-
This bit indicates that the conntrack entry is offloaded to hardware
flow table. nf_conntrack entry will be tagged with [HW_OFFLOAD] if
it's offloaded to hardware.

cat /proc/net/nf_conntrack
ipv4 2 tcp 6 \
src=1.1.1.17 dst=1.1.1.16 sport=56394 dport=5001 \
src=1.1.1.16 dst=1.1.1.17 sport=5001 dport=56394 [HW_OFFLOAD] \
mark=0 zone=0 use=3

Note that HW_OFFLOAD/OFFLOAD/ASSURED are mutually exclusive.
Changelog:
* V1->V2:
- Remove check of lastused from stats. It was meant for cases such
as removing driver module while traffic still running. Better to
handle such cases from garbage collector.
Signed-off-by: Bodong Wang
Reviewed-by: Oz Shlomo
Reviewed-by: Paul Blakey
Signed-off-by: Pablo Neira Ayuso
31 Mar, 2020
1 commit
-
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next

The following patchset contains Netfilter/IPVS updates for net-next:
1) Add support to specify a stateful expression in set definitions,
this allows users to specify e.g. counters per set elements.
2) Flowtable software counter support.
3) Flowtable hardware offload counter support, from wenxu.
3) Parallelize flowtable hardware offload requests, from Paul Blakey.
This includes a patch to add one work entry per offload command.
4) Several patches to rework nf_queue refcount handling, from Florian
Westphal.
4) A few fixes for the flowtable tunnel offload: Fix crash if tunneling
information is missing and set up indirect flow block as TC_SETUP_FT,
patch from wenxu.
5) Stricter netlink attribute sanity check on filters, from Romain Bellan
and Florent Fourcot.
5) Annotations to make sparse happy, from Jules Irenge.
6) Improve icmp errors in debugging information, from Haishuang Yan.
7) Fix warning in IPVS icmp error debugging, from Haishuang Yan.
8) Fix endianness issue in tcp extension header, from Sergey Marinkevich.
====================
Signed-off-by: David S. Miller
30 Mar, 2020
1 commit
-
Store the conntrack counters to the conntrack entry in the
HW flowtable offload.
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
28 Mar, 2020
3 commits
-
To allow offload commands to execute in parallel, create workqueue
for flow table offload, and use a work entry per offload command.
Signed-off-by: Paul Blakey
Reviewed-by: Oz Shlomo
Signed-off-by: Pablo Neira Ayuso
-
Currently flow offload threads are synchronized by the flow block mutex.
Use rw lock instead to increase flow insertion (read) concurrency.
Signed-off-by: Paul Blakey
Reviewed-by: Oz Shlomo
Signed-off-by: Pablo Neira Ayuso
-
The indirect block setup should use TC_SETUP_FT as the type instead of
TC_SETUP_BLOCK. Adjust existing users of the indirect flow block
infrastructure.
Fixes: b5140a36da78 ("netfilter: flowtable: add indr block setup support")
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
26 Mar, 2020
1 commit
-
Overlapping header include additions in macsec.c
A bug fix in 'net' overlapping with the removal of 'version'
string in ena_netdev.c

Overlapping test additions in selftests Makefile
Overlapping PCI ID table adjustments in iwlwifi driver.
Signed-off-by: David S. Miller
20 Mar, 2020
2 commits
-
nf_flow_rule_match() sets control.addr_type in key, so needs to also set
the corresponding mask. An exact match is wanted, so mask is all ones.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Edward Cree
Signed-off-by: Pablo Neira Ayuso
-
The tc ct action does not cache the route in the flowtable entry.
Fixes: 88bf6e4114d5 ("netfilter: flowtable: add tunnel encap/decap action offload support")
Fixes: cfab6dbd0ecf ("netfilter: flowtable: add tunnel match offload support")
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
15 Mar, 2020
5 commits
-
This patch adds tunnel encap decap action offload in the flowtable
offload.
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
-
This patch supports both ipv4 and ipv6 tunnel_id, tunnel_src and
tunnel_dst match for flowtable offload
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
-
Add netfilter flowtable support indr-block setup. It makes flowtable offload
vlan and tunnel device.
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
-
Add nf_flow_table_block_offload_init prepare for the indr block
offload patch
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
-
This patch doesn't change any functionality.
Signed-off-by: Paul Blakey
Signed-off-by: Pablo Neira Ayuso
13 Mar, 2020
2 commits
-
NF flow table API associate 5-tuple rule with an action list by calling
the flow table type action() CB to fill the rule's actions.

In action CB of act_ct, populate the ct offload entry actions with a new
ct_metadata action. Initialize the ct_metadata with the ct mark, label and
zone information. If ct nat was performed, then also append the relevant
packet mangle actions (e.g. ipv4/ipv6/tcp/udp header rewrites).

Drivers that offload the ft entries may match on the 5-tuple and perform
the action list.
Signed-off-by: Paul Blakey
Reviewed-by: Jiri Pirko
Reviewed-by: Edward Cree
Signed-off-by: David S. Miller
-
Let drivers to add their cb allowing them to receive flow offload events
of type TC_SETUP_CLSFLOWER (REPLACE/DEL/STATS) for flows managed by the
flow table.
Signed-off-by: Paul Blakey
Reviewed-by: Jiri Pirko
Signed-off-by: David S. Miller
07 Feb, 2020
1 commit
-
nftables test case
tests/shell/testcases/flowtable/0001flowtable_0

results in a crash. After the refactor, if we leave early via
nf_flowtable_hw_offload(), then "struct flow_block_offload" is left
in an uninitialized state, but later users assume it's initialised.
Fixes: a7965d58ddab02 ("netfilter: flowtable: add nf_flow_table_offload_cmd()")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
01 Feb, 2020
1 commit
-
During the refactor this was accidentally removed.
Fixes: ae29045018c8 ("netfilter: flowtable: add nf_flow_offload_tuple() helper")
Signed-off-by: Paul Blakey
Signed-off-by: Pablo Neira Ayuso
16 Jan, 2020
8 commits
-
Split nf_flow_table_offload_setup() in two functions to make it more
maintainable.
Signed-off-by: Pablo Neira Ayuso
-
Consolidate code to configure the flow_cls_offload structure into one
helper function.
Signed-off-by: Pablo Neira Ayuso
-
If nf_flow_offload_add() fails to add the flow to hardware, then the
NF_FLOW_HW_REFRESH flag bit is set and the flow remains in the flowtable
software path.

If flowtable hardware offload is enabled, this patch enqueues a new
request to offload this flow to hardware.
Signed-off-by: Pablo Neira Ayuso
-
This function checks for the NF_FLOWTABLE_HW_OFFLOAD flag, meaning that
the flowtable hardware offload is enabled.
Signed-off-by: Pablo Neira Ayuso
-
Originally, all flow flag bits were set on only from the workqueue. With
the introduction of the flow teardown state and hardware offload this is
no longer true. Let's be safe and use atomic bitwise operation to
operation with flow flags.
Fixes: 59c466dd68e7 ("netfilter: nf_flow_table: add a new flow state for tearing down offloading")
Signed-off-by: Pablo Neira Ayuso
-
Add helper function to allocate and initialize flow offload work and use
it to consolidate existing code.
Signed-off-by: Pablo Neira Ayuso
-
Set on FLOW_DISSECTOR_KEY_META meta key using flow tuple ingress interface.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso
-
Do not fetch statistics if flow has expired since it might not be in
hardware anymore. After this update, remove the FLOW_OFFLOAD_HW_DYING
check from nf_flow_offload_stats() since this flag is never set on.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso
Acked-by: wenxu
06 Jan, 2020
1 commit
-
This patch adds nf_flowtable_time_stamp and updates the existing code to
use it.

This patch is also implicitly fixing up hardware statistic fetching via
nf_flow_offload_stats() where casting to u32 is missing. Use
nf_flow_timeout_delta() to fix this.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Pablo Neira Ayuso
Acked-by: wenxu
05 Jan, 2020
3 commits
-
Shift on 32-bit word to define the port number depends on the flow
direction.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Fixes: 7acd9378dc652 ("netfilter: nf_flow_table_offload: Correct memcpy size for flow_overload_mangle()")
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
-
It is better to get the dst_neigh with neigh->lock and check the
nud_state is VALID. If there is not neigh previous, the lookup will
create a non NUD_VALID with 00:00:00:00:00:00 mac.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
-
Ethernet destination for original traffic takes the source ethernet address
in the reply direction. For reply traffic, this takes the source
ethernet address of the original direction.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: wenxu
Signed-off-by: Pablo Neira Ayuso
20 Dec, 2019
1 commit
-
In some configurations, gcc reports an integer overflow:
net/netfilter/nf_flow_table_offload.c: In function 'nf_flow_rule_match':
net/netfilter/nf_flow_table_offload.c:80:21: error: unsigned conversion from 'int' to '__be16' {aka 'short unsigned int'} changes value from '327680' to '0' [-Werror=overflow]
mask->tcp.flags = TCP_FLAG_RST | TCP_FLAG_FIN;
^~~~~~~~~~~~

From what I can tell, we want the upper 16 bits of these constants,
so they need to be shifted in cpu-endian mode.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Signed-off-by: Arnd Bergmann
Signed-off-by: Pablo Neira Ayuso
10 Dec, 2019
1 commit
-
In function 'memcpy',
inlined from 'flow_offload_mangle' at net/netfilter/nf_flow_table_offload.c:112:2,
inlined from 'flow_offload_port_dnat' at net/netfilter/nf_flow_table_offload.c:373:2,
inlined from 'nf_flow_rule_route_ipv4' at net/netfilter/nf_flow_table_offload.c:424:3:
./include/linux/string.h:376:4: error: call to '__read_overflow2' declared with attribute error: detected read beyond size of object passed as 2nd parameter
376 | __read_overflow2();
| ^~~~~~~~~~~~~~~~~~

The original u8* was done in the hope to make this more adaptable but
consensus is to keep this like it is in tc pedit.
Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")
Reported-by: Laura Abbott
Signed-off-by: Pablo Neira Ayuso
01 Dec, 2019
1 commit
-
Add missing IPv6 matching description to flow_rule object.
Fixes: 5c27d8d76ce8 ("netfilter: nf_flow_table_offload: add IPv6 support")
Signed-off-by: Pablo Neira Ayuso