nftables: add flags offload to flowtable

allow flags (currently only offload) in flowtables like it is stated
here: https://lwn.net/Articles/804384/

tested on mt7622/Bananapi-R64

table ip filter {
	flowtable f {
		hook ingress priority filter + 1
		devices = { lan3, lan0, wan }
		flags offload;
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		ip protocol { tcp, udp } flow add @f
	}
}

table ip nat {
	chain post {
		type nat hook postrouting priority filter; policy accept;
		oifname "wan" masquerade
	}
}

Signed-off-by: Frank Wunderlich <frank-w@public-files.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/rule.h b/include/rule.h
index 523435f6f5d53473c3eec1ccde2342d465caa7f1..4ef24eb4ec63e3420715a5f49c88cfd5ddc743fe 100644 (file)
--- a/include/rule.h
+++ b/include/rule.h
@@ -187,6 +187,14 @@ enum chain_flags {
        CHAIN_F_BINDING         = 0x4,
 };
 
+/**
+ * enum flowtable_flags - flowtable flags
+ *
+ */
+enum flowtable_flags {
+       FLOWTABLE_F_HW_OFFLOAD  = 0x1, /* NF_FLOWTABLE_HW_OFFLOAD in linux nf_flow_table.h */
+};
+
 /**
  * struct prio_spec - extendend priority specification for mixed
  *                    textual/numerical parsing.

diff --git a/src/mnl.c b/src/mnl.c
index deea586f9b002cce1a20f8d915a92f891b29f0a6..ffbfe48158de5b3d32ade88996fe656a73031dfe 100644 (file)
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -1779,6 +1779,11 @@ int mnl_nft_flowtable_add(struct netlink_ctx *ctx, struct cmd *cmd,
                nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_PRIO, 0);
        }
 
+       if (cmd->flowtable->flags & FLOWTABLE_F_HW_OFFLOAD) {
+               nftnl_flowtable_set_u32(flo, NFTNL_FLOWTABLE_FLAGS,
+                                   NFT_FLOWTABLE_HW_OFFLOAD);
+       }
+
        if (cmd->flowtable->dev_expr) {
                dev_array = nft_flowtable_dev_array(cmd);
                nftnl_flowtable_set_data(flo, NFTNL_FLOWTABLE_DEVICES,

diff --git a/src/netlink.c b/src/netlink.c
index 8c86789b83692a9bb7cd6072b92e03e874a19c81..103fdbd10690660412402ec33cc62c18d7b0d60b 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -1598,6 +1598,8 @@ netlink_delinearize_flowtable(struct netlink_ctx *ctx,
                xstrdup(nftnl_flowtable_get_str(nlo, NFTNL_FLOWTABLE_NAME));
        flowtable->handle.handle.id =
                nftnl_flowtable_get_u64(nlo, NFTNL_FLOWTABLE_HANDLE);
+       if (nftnl_flowtable_is_set(nlo, NFTNL_FLOWTABLE_FLAGS))
+               flowtable->flags = nftnl_flowtable_get_u32(nlo, NFTNL_FLOWTABLE_FLAGS);
        dev_array = nftnl_flowtable_get(nlo, NFTNL_FLOWTABLE_DEVICES);
        while (dev_array[len])
                len++;

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 5cb4f8e1be9f21a989689181c194e6acbab6ba6e..ca64141ec2d79f30bda156aaf87478a05b7454bb 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1996,6 +1996,7 @@ flowtable_block_alloc     :       /* empty */
 flowtable_block                :       /* empty */     { $$ = $<flowtable>-1; }
                        |       flowtable_block common_block
                        |       flowtable_block stmt_separator
+                       |       flowtable_block ft_flags_spec   stmt_separator
                        |       flowtable_block HOOK            STRING  prio_spec       stmt_separator
                        {
                                $$->hook.loc = @3;
@@ -2378,6 +2379,12 @@ flags_spec               :       FLAGS           OFFLOAD
                        }
                        ;
 
+ft_flags_spec          :       FLAGS           OFFLOAD
+                       {
+                               $<flowtable>0->flags |= FLOWTABLE_F_HW_OFFLOAD;
+                       }
+                       ;
+
 policy_spec            :       POLICY          policy_expr
                        {
                                if ($<chain>0->policy) {

diff --git a/src/rule.c b/src/rule.c
index 1c6010c001c53a1f515892d41316481a6e3c4e9a..f7f905095cbec1b6a2163a0420e34953b37c5cee 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -2223,6 +2223,10 @@ static void flowtable_print_declaration(const struct flowtable *flowtable,
                nft_print(octx, " }%s", opts->stmt_separator);
        }
 
+       if (flowtable->flags & NFT_FLOWTABLE_HW_OFFLOAD)
+               nft_print(octx, "%s%sflags offload;%s", opts->tab, opts->tab,
+                         opts->stmt_separator);
+
        if (flowtable->flags & NFT_FLOWTABLE_COUNTER)
                nft_print(octx, "%s%scounter%s", opts->tab, opts->tab,
                          opts->stmt_separator);