diff options
Diffstat (limited to 'package/network/utils/nftables/patches/203-src-flow-offload-support.patch')
| -rw-r--r-- | package/network/utils/nftables/patches/203-src-flow-offload-support.patch | 191 |
1 files changed, 191 insertions, 0 deletions
diff --git a/package/network/utils/nftables/patches/203-src-flow-offload-support.patch b/package/network/utils/nftables/patches/203-src-flow-offload-support.patch new file mode 100644 index 0000000..86dfb1d --- /dev/null +++ b/package/network/utils/nftables/patches/203-src-flow-offload-support.patch @@ -0,0 +1,191 @@ +From: Pablo Neira Ayuso <pablo@netfilter.org> +Date: Sun, 3 Dec 2017 21:27:03 +0100 +Subject: [PATCH] src: flow offload support + +This patch allows us to refer to existing flowtables: + + # nft add rule x x flow offload @m + +Packets matching this rule create an entry in the flow table 'm', hence, +follow up packets that get to the flowtable at ingress bypass the +classic forwarding path. + +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + +--- a/include/ct.h ++++ b/include/ct.h +@@ -29,6 +29,8 @@ extern struct expr *ct_expr_alloc(const + extern void ct_expr_update_type(struct proto_ctx *ctx, struct expr *expr); + + extern struct stmt *notrack_stmt_alloc(const struct location *loc); ++extern struct stmt *flow_offload_stmt_alloc(const struct location *loc, ++ const char *table_name); + + extern const struct datatype ct_dir_type; + extern const struct datatype ct_state_type; +--- a/include/statement.h ++++ b/include/statement.h +@@ -10,6 +10,12 @@ extern struct stmt *expr_stmt_alloc(cons + extern struct stmt *verdict_stmt_alloc(const struct location *loc, + struct expr *expr); + ++struct flow_stmt { ++ const char *table_name; ++}; ++ ++struct stmt *flow_stmt_alloc(const struct location *loc, const char *name); ++ + struct objref_stmt { + uint32_t type; + struct expr *expr; +@@ -231,6 +237,7 @@ extern struct stmt *xt_stmt_alloc(const + * @STMT_NOTRACK: notrack statement + * @STMT_OBJREF: stateful object reference statement + * @STMT_EXTHDR: extension header statement ++ * @STMT_FLOW_OFFLOAD: flow offload statement + */ + enum stmt_types { + STMT_INVALID, +@@ -256,6 +263,7 @@ enum stmt_types { + STMT_NOTRACK, + STMT_OBJREF, + STMT_EXTHDR, ++ STMT_FLOW_OFFLOAD, + }; + + /** +@@ -316,6 +324,7 @@ struct stmt { + struct fwd_stmt fwd; + struct xt_stmt xt; + struct objref_stmt objref; ++ struct flow_stmt flow; + }; + }; + +--- a/src/ct.c ++++ b/src/ct.c +@@ -456,3 +456,26 @@ struct stmt *notrack_stmt_alloc(const st + { + return stmt_alloc(loc, ¬rack_stmt_ops); + } ++ ++static void flow_offload_stmt_print(const struct stmt *stmt, ++ struct output_ctx *octx) ++{ ++ printf("flow offload @%s", stmt->flow.table_name); ++} ++ ++static const struct stmt_ops flow_offload_stmt_ops = { ++ .type = STMT_FLOW_OFFLOAD, ++ .name = "flow_offload", ++ .print = flow_offload_stmt_print, ++}; ++ ++struct stmt *flow_offload_stmt_alloc(const struct location *loc, ++ const char *table_name) ++{ ++ struct stmt *stmt; ++ ++ stmt = stmt_alloc(loc, &flow_offload_stmt_ops); ++ stmt->flow.table_name = table_name; ++ ++ return stmt; ++} +--- a/src/evaluate.c ++++ b/src/evaluate.c +@@ -2773,6 +2773,7 @@ int stmt_evaluate(struct eval_ctx *ctx, + case STMT_LIMIT: + case STMT_QUOTA: + case STMT_NOTRACK: ++ case STMT_FLOW_OFFLOAD: + return 0; + case STMT_EXPRESSION: + return stmt_evaluate_expr(ctx, stmt); +--- a/src/netlink_delinearize.c ++++ b/src/netlink_delinearize.c +@@ -680,6 +680,16 @@ static void netlink_parse_notrack(struct + ctx->stmt = notrack_stmt_alloc(loc); + } + ++static void netlink_parse_flow_offload(struct netlink_parse_ctx *ctx, ++ const struct location *loc, ++ const struct nftnl_expr *nle) ++{ ++ const char *table_name; ++ ++ table_name = xstrdup(nftnl_expr_get_str(nle, NFTNL_EXPR_FLOW_TABLE_NAME)); ++ ctx->stmt = flow_offload_stmt_alloc(loc, table_name); ++} ++ + static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx, + const struct location *loc, + const struct nftnl_expr *nle) +@@ -1255,6 +1265,7 @@ static const struct { + { .name = "hash", .parse = netlink_parse_hash }, + { .name = "fib", .parse = netlink_parse_fib }, + { .name = "tcpopt", .parse = netlink_parse_exthdr }, ++ { .name = "flow_offload", .parse = netlink_parse_flow_offload }, + }; + + static int netlink_parse_expr(const struct nftnl_expr *nle, +--- a/src/netlink_linearize.c ++++ b/src/netlink_linearize.c +@@ -1201,6 +1201,17 @@ static void netlink_gen_notrack_stmt(str + nftnl_rule_add_expr(ctx->nlr, nle); + } + ++static void netlink_gen_flow_offload_stmt(struct netlink_linearize_ctx *ctx, ++ const struct stmt *stmt) ++{ ++ struct nftnl_expr *nle; ++ ++ nle = alloc_nft_expr("flow_offload"); ++ nftnl_expr_set_str(nle, NFTNL_EXPR_FLOW_TABLE_NAME, ++ stmt->flow.table_name); ++ nftnl_rule_add_expr(ctx->nlr, nle); ++} ++ + static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx, + const struct stmt *stmt) + { +@@ -1300,6 +1311,8 @@ static void netlink_gen_stmt(struct netl + break; + case STMT_NOTRACK: + return netlink_gen_notrack_stmt(ctx, stmt); ++ case STMT_FLOW_OFFLOAD: ++ return netlink_gen_flow_offload_stmt(ctx, stmt); + case STMT_OBJREF: + return netlink_gen_objref_stmt(ctx, stmt); + default: +--- a/src/parser_bison.y ++++ b/src/parser_bison.y +@@ -248,6 +248,7 @@ int nft_lex(void *, void *, void *); + %token SIZE "size" + + %token FLOW "flow" ++%token OFFLOAD "offload" + %token METER "meter" + %token METERS "meters" + +@@ -3384,6 +3385,10 @@ meta_stmt : META meta_key SET stmt_expr + { + $$ = notrack_stmt_alloc(&@$); + } ++ | FLOW OFFLOAD AT string ++ { ++ $$ = flow_offload_stmt_alloc(&@$, $4); ++ } + ; + + offset_opt : /* empty */ { $$ = 0; } +--- a/src/scanner.l ++++ b/src/scanner.l +@@ -296,6 +296,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr + "memory" { return MEMORY; } + + "flow" { return FLOW; } ++"offload" { return OFFLOAD; } + "meter" { return METER; } + "meters" { return METERS; } + |