Skip to content

Commit 3bc158f

Browse files
ummakynesdavem330
authored andcommitted
netfilter: nf_tables: map basechain priority to hardware priority
This patch adds initial support for offloading basechains using the priority range from 1 to 65535. This is restricting the netfilter priority range to 16-bit integer since this is what most drivers assume so far from tc. It should be possible to extend this range of supported priorities later on once drivers are updated to support for 32-bit integer priorities. Signed-off-by: Pablo Neira Ayuso <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent ef01ada commit 3bc158f

File tree

3 files changed

+20
-3
lines changed

3 files changed

+20
-3
lines changed

include/net/netfilter/nf_tables_offload.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -73,4 +73,6 @@ int nft_flow_rule_offload_commit(struct net *net);
7373
(__reg)->key = __key; \
7474
memset(&(__reg)->mask, 0xff, (__reg)->len);
7575

76+
int nft_chain_offload_priority(struct nft_base_chain *basechain);
77+
7678
#endif

net/netfilter/nf_tables_api.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1667,6 +1667,10 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
16671667

16681668
chain->flags |= NFT_BASE_CHAIN | flags;
16691669
basechain->policy = NF_ACCEPT;
1670+
if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
1671+
nft_chain_offload_priority(basechain) < 0)
1672+
return -EOPNOTSUPP;
1673+
16701674
flow_block_init(&basechain->flow_block);
16711675
} else {
16721676
chain = kzalloc(sizeof(*chain), GFP_KERNEL);

net/netfilter/nf_tables_offload.c

Lines changed: 14 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -103,10 +103,11 @@ void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
103103
}
104104

105105
static void nft_flow_offload_common_init(struct flow_cls_common_offload *common,
106-
__be16 proto,
107-
struct netlink_ext_ack *extack)
106+
__be16 proto, int priority,
107+
struct netlink_ext_ack *extack)
108108
{
109109
common->protocol = proto;
110+
common->prio = priority;
110111
common->extack = extack;
111112
}
112113

@@ -124,6 +125,15 @@ static int nft_setup_cb_call(struct nft_base_chain *basechain,
124125
return 0;
125126
}
126127

128+
int nft_chain_offload_priority(struct nft_base_chain *basechain)
129+
{
130+
if (basechain->ops.priority <= 0 ||
131+
basechain->ops.priority > USHRT_MAX)
132+
return -1;
133+
134+
return 0;
135+
}
136+
127137
static int nft_flow_offload_rule(struct nft_trans *trans,
128138
enum flow_cls_command command)
129139
{
@@ -142,7 +152,8 @@ static int nft_flow_offload_rule(struct nft_trans *trans,
142152
if (flow)
143153
proto = flow->proto;
144154

145-
nft_flow_offload_common_init(&cls_flow.common, proto, &extack);
155+
nft_flow_offload_common_init(&cls_flow.common, proto,
156+
basechain->ops.priority, &extack);
146157
cls_flow.command = command;
147158
cls_flow.cookie = (unsigned long) rule;
148159
if (flow)

0 commit comments

Comments
 (0)