src: support for offload chain flag

This patch extends the basechain definition to allow users to specify
the offload flag. This flag enables hardware offload if your drivers
supports it.

 # cat file.nft
 table netdev x {
    chain y {
       type filter hook ingress device eth0 priority 10; flags offload;
    }
 }
 # nft -f file.nft

Note: You have to enable offload via ethtool:

 # ethtool -K eth0 hw-tc-offload on

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/include/rule.h b/include/rule.h
index ced63f3ea1b84f1c3834db2a25e5cc12c4bbc0d7..224e68717bc73e6c5a170f1cc87bfbd581060ca6 100644 (file)
--- a/include/rule.h
+++ b/include/rule.h
@@ -175,6 +175,7 @@ extern struct table *table_lookup_fuzzy(const struct handle *h,
  */
 enum chain_flags {
        CHAIN_F_BASECHAIN       = 0x1,
+       CHAIN_F_HW_OFFLOAD      = 0x2,
 };
 
 /**

diff --git a/src/mnl.c b/src/mnl.c
index bca5add0f8ebc9c2afc30166ca8e3c346c267bc6..a517712c14eb21a1d8e5f56aa8a90b5905e27993 100644 (file)
--- a/src/mnl.c
+++ b/src/mnl.c
@@ -624,6 +624,10 @@ int mnl_nft_chain_add(struct netlink_ctx *ctx, struct cmd *cmd,
        nftnl_chain_set_u32(nlc, NFTNL_CHAIN_FAMILY, cmd->handle.family);
 
        if (cmd->chain) {
+               if (cmd->chain->flags & CHAIN_F_HW_OFFLOAD) {
+                       nftnl_chain_set_u32(nlc, NFTNL_CHAIN_FLAGS,
+                                           CHAIN_F_HW_OFFLOAD);
+               }
                if (cmd->chain->flags & CHAIN_F_BASECHAIN) {
                        nftnl_chain_set_u32(nlc, NFTNL_CHAIN_HOOKNUM,
                                            cmd->chain->hooknum);

diff --git a/src/netlink.c b/src/netlink.c
index 0c6b8c58238b72a1d9f959d34add8d56e619efb8..671923f3eebaa3a24fe105149435b4e2155937c7 100644 (file)
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -435,6 +435,8 @@ struct chain *netlink_delinearize_chain(struct netlink_ctx *ctx,
                xstrdup(nftnl_chain_get_str(nlc, NFTNL_CHAIN_TABLE));
        chain->handle.handle.id =
                nftnl_chain_get_u64(nlc, NFTNL_CHAIN_HANDLE);
+       if (nftnl_chain_is_set(nlc, NFTNL_CHAIN_FLAGS))
+               chain->flags = nftnl_chain_get_u32(nlc, NFTNL_CHAIN_FLAGS);
 
        if (nftnl_chain_is_set(nlc, NFTNL_CHAIN_HOOKNUM) &&
            nftnl_chain_is_set(nlc, NFTNL_CHAIN_PRIO) &&

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 4c27fcc635dcb3bca3131e0b2a10a048257a53cc..b37e9e565cc1e8db009b9af3a93d1f95ce8a5e1d 100644 (file)
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -1667,6 +1667,7 @@ chain_block               :       /* empty */     { $$ = $<chain>-1; }
                        |       chain_block     stmt_separator
                        |       chain_block     hook_spec       stmt_separator
                        |       chain_block     policy_spec     stmt_separator
+                       |       chain_block     flags_spec      stmt_separator
                        |       chain_block     rule            stmt_separator
                        {
                                list_add_tail(&$2->list, &$1->rules);
@@ -2154,6 +2155,12 @@ dev_spec         :       DEVICE  string
                        |       /* empty */             { $$ = NULL; }
                        ;
 
+flags_spec             :       FLAGS           OFFLOAD
+                       {
+                               $<chain>0->flags |= CHAIN_F_HW_OFFLOAD;
+                       }
+                       ;
+
 policy_spec            :       POLICY          policy_expr
                        {
                                if ($<chain>0->policy) {

diff --git a/src/rule.c b/src/rule.c
index 9e58ee66f9841ed39656d4bc94cefba997764443..8e58526890916e2a0cad2d49ebe95fb95648e46e 100644 (file)
--- a/src/rule.c
+++ b/src/rule.c
@@ -1177,6 +1177,9 @@ static void chain_print_declaration(const struct chain *chain,
                        nft_print(octx, " policy %s;",
                                  chain_policy2str(policy));
                }
+               if (chain->flags & CHAIN_F_HW_OFFLOAD)
+                       nft_print(octx, " flags offload;");
+
                nft_print(octx, "\n");
        }
 }