
netfilter: nf_conntrack: add IPS_HW_OFFLOAD status bit

This bit indicates that the conntrack entry is offloaded to a hardware
flow table. The nf_conntrack entry will be tagged with [HW_OFFLOAD] if
it is offloaded to hardware.

cat /proc/net/nf_conntrack
ipv4 2 tcp 6 \
src=1.1.1.17 dst=1.1.1.16 sport=56394 dport=5001 \
src=1.1.1.16 dst=1.1.1.17 sport=5001 dport=56394 [HW_OFFLOAD] \
mark=0 zone=0 use=3

Note that HW_OFFLOAD/OFFLOAD/ASSURED are mutually exclusive.

Changelog:

* V1->V2:
- Remove check of lastused from stats. It was meant for cases such
as removing driver module while traffic still running. Better to
handle such cases from garbage collector.

Signed-off-by: Bodong Wang <bodong@mellanox.com>
Reviewed-by: Oz Shlomo <ozsh@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Bodong Wang and committed by
Pablo Neira Ayuso
74f99482 3fd8dc26

+12 -3
+6 -2
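--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -114,15 +114,19 @@
 	IPS_OFFLOAD_BIT = 14,
 	IPS_OFFLOAD = (1 << IPS_OFFLOAD_BIT),
 
+	/* Conntrack has been offloaded to hardware. */
+	IPS_HW_OFFLOAD_BIT = 15,
+	IPS_HW_OFFLOAD = (1 << IPS_HW_OFFLOAD_BIT),
+
 	/* Be careful here, modifying these bits can make things messy,
 	 * so don't let users modify them directly.
 	 */
 	IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
 				 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
 				 IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_UNTRACKED |
-				 IPS_OFFLOAD),
+				 IPS_OFFLOAD | IPS_HW_OFFLOAD),
 
-	__IPS_MAX_BIT = 15,
+	__IPS_MAX_BIT = 16,
 };
 
 /* Connection tracking event types */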
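Review bot: The new comment on IPS_HW_OFFLOAD_BIT says only that the conntrack "has been offloaded to hardware", which for a UAPI header read by userspace tools leaves the ownership and relation to IPS_OFFLOAD unstated. The same hunk adds the bit to IPS_UNCHANGEABLE_MASK, so userspace cannot set or clear it, and the other hunks set and clear it from the flow-table offload workqueue on a flow that appears to already carry IPS_OFFLOAD (that part is inferred; the IPS_OFFLOAD transition is not in this commit). I'd expand it to `/* Conntrack has been offloaded to hardware by the flow table. Kernel-owned: set when the hardware rule is installed, cleared when it is removed. */`, and keep the description's "mutually exclusive" remark clearly about the /proc tag, since the status bits themselves are not exclusive.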
+3 -1
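--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -348,7 +348,9 @@
 	if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
 		goto release;
 
-	if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
+	if (test_bit(IPS_HW_OFFLOAD_BIT, &ct->status))
+		seq_puts(s, "[HW_OFFLOAD] ");
+	else if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
 		seq_puts(s, "[OFFLOAD] ");
 	else if (test_bit(IPS_ASSURED_BIT, &ct->status))
 		seq_puts(s, "[ASSURED] ");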
+3
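--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -754,12 +754,15 @@
 	err = flow_offload_rule_add(offload, flow_rule);
 	if (err < 0)
 		set_bit(NF_FLOW_HW_REFRESH, &offload->flow->flags);
+	else
+		set_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status);
 
 	nf_flow_offload_destroy(flow_rule);
 }
 
 static void flow_offload_work_del(struct flow_offload_work *offload)
 {
+	clear_bit(IPS_HW_OFFLOAD_BIT, &offload->flow->ct->status);
 	flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_ORIGINAL);
 	flow_offload_tuple_del(offload, FLOW_OFFLOAD_DIR_REPLY);
 	set_bit(NF_FLOW_HW_DEAD, &offload->flow->flags);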
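Review bot: Both transitions of IPS_HW_OFFLOAD_BIT are uncommented, yet their placement is deliberate and asymmetric: the bit is set only after flow_offload_rule_add() has succeeded, but it is cleared in flow_offload_work_del() before the tuples are removed from hardware, so a /proc reader can see a conntrack without [HW_OFFLOAD] while the rule is still installed, never the reverse. That is the safe direction for a status flag that is only reported, not acted upon, and the code should say so; on the new clear_bit() line I'd add `/* Clear first so readers never see [HW_OFFLOAD] on a flow whose hardware rule is being torn down. */`, and on the new set_bit() `/* Only claim hardware offload once the driver accepted the rule. */`. The changelog notes the bit is not cleared when the driver disappears under a running flow and that this is left to the garbage collector; a one-line comment at the clear_bit() site pointing to that would save the next reader the same question. The body of flow_offload_work_add() starts outside this hunk.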