On 4/11/25 12:57 PM, Simon Horman wrote:
> On Tue, Apr 08, 2025 at 04:28:02PM +0200, Eric Woudstra wrote:
>> Edit nft_flow_offload_eval() to make it possible to handle a flowtable of
>> the nft bridge family.
>>
>> Use nft_flow_offload_bridge_init() to fill the flow tuples. It uses
>> nft_dev_fill_bridge_path() in each direction.
>>
>> Signed-off-by: Eric Woudstra <ericwouds@xxxxxxxxx>
>> ---
>> net/netfilter/nft_flow_offload.c | 148 +++++++++++++++++++++++++++++--
>> 1 file changed, 143 insertions(+), 5 deletions(-)
>> >> diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c > > ... > >> +static int nft_dev_fill_bridge_path(struct flow_offload *flow, >> + struct nft_flowtable *ft, >> + enum ip_conntrack_dir dir, >> + const struct net_device *src_dev, >> + const struct net_device *dst_dev, >> + unsigned char *src_ha, >> + unsigned char *dst_ha) >> +{ >> + struct flow_offload_tuple_rhash *th = flow->tuplehash; >> + struct net_device_path_ctx ctx = {}; >> + struct net_device_path_stack stack; >> + struct nft_forward_info info = {}; >> + int i, j = 0; >> + >> + for (i = th[dir].tuple.encap_num - 1; i >= 0 ; i--) { >> + if (info.num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) >> + return -1; >> + >> + if (th[dir].tuple.in_vlan_ingress & BIT(i)) >> + continue; >> + >> + info.encap[info.num_encaps].id = th[dir].tuple.encap[i].id; >> + info.encap[info.num_encaps].proto = th[dir].tuple.encap[i].proto; >> + info.num_encaps++; >> + >> + if (th[dir].tuple.encap[i].proto == htons(ETH_P_PPP_SES)) >> + continue; >> + >> + if (ctx.num_vlans >= NET_DEVICE_PATH_VLAN_MAX) >> + return -1; >> + ctx.vlan[ctx.num_vlans].id = th[dir].tuple.encap[i].id; >> + ctx.vlan[ctx.num_vlans].proto = th[dir].tuple.encap[i].proto; >> + ctx.num_vlans++; >> + } >> + ctx.dev = src_dev; >> + ether_addr_copy(ctx.daddr, dst_ha); >> + >> + if (dev_fill_bridge_path(&ctx, &stack) < 0) >> + return -1; >> + >> + nft_dev_path_info(&stack, &info, dst_ha, &ft->data); >> + >> + if (!info.indev || info.indev != dst_dev) >> + return -1; >> + >> + th[!dir].tuple.iifidx = info.indev->ifindex; >> + for (i = info.num_encaps - 1; i >= 0; i--) { >> + th[!dir].tuple.encap[j].id = info.encap[i].id; >> + th[!dir].tuple.encap[j].proto = info.encap[i].proto; >> + if (info.ingress_vlans & BIT(i)) >> + th[!dir].tuple.in_vlan_ingress |= BIT(j); >> + j++; >> + } >> + th[!dir].tuple.encap_num = info.num_encaps; >> + >> + th[dir].tuple.mtu = dst_dev->mtu; >> + ether_addr_copy(th[dir].tuple.out.h_source, src_ha); >> + 
ether_addr_copy(th[dir].tuple.out.h_dest, dst_ha); >> + th[dir].tuple.out.ifidx = info.outdev->ifindex; >> + th[dir].tuple.out.hw_ifidx = info.hw_outdev->ifindex; >> + th[dir].tuple.out.bridge_vid = info.bridge_vid; > > Hi Eric, > > I guess I am doing something daft. > But with this patchset applied on top of nf-next I see > the following with allmodconfig builds on x86_64.: > > CC [M] net/netfilter/nft_flow_offload.o > net/netfilter/nft_flow_offload.c: In function 'nft_dev_fill_bridge_path': > net/netfilter/nft_flow_offload.c:248:26: error: 'struct <anonymous>' has no member named 'bridge_vid' > 248 | th[dir].tuple.out.bridge_vid = info.bridge_vid; > | ^ > net/netfilter/nft_flow_offload.c:248:44: error: 'struct nft_forward_info' has no member named 'bridge_vid' > 248 | th[dir].tuple.out.bridge_vid = info.bridge_vid; > | ^ > >> + th[dir].tuple.xmit_type = FLOW_OFFLOAD_XMIT_DIRECT; >> + >> + return 0; >> +} > > ... Hi Simon, This is from the patch-set: [PATCH v2 nf-next 0/3] flow offload teardown when layer 2 roaming My guess is that it could be accepted before this patch-set. They do not need each other, but 1 needs to be applied before the other. Regards, Eric
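Review bot: At the end of nft_dev_fill_bridge_path(), `info.outdev->ifindex` and `info.hw_outdev->ifindex` are dereferenced without any check, while only `info.indev` is tested after the nft_dev_path_info() call. If nft_dev_path_info() does not guarantee that both pointers are set whenever indev is set, extend the existing test to `if (!info.indev || !info.outdev || !info.hw_outdev || info.indev != dst_dev)` before the tuple is filled, or add a comment stating the guarantee. Separately, the `th[dir].tuple.out.bridge_vid = info.bridge_vid;` line relies on members that are not in nf-next (the build error quoted in this thread), so the commit message or cover letter should name the series that adds them as a prerequisite and state the required apply order.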