netfilter: nf_tables: map basechain priority to hardware priority

This patch adds initial support for offloading basechains using the priority range from 1 to 65535. This is restricting the netfilter priority range to 16-bit integer since this is what most drivers assume so far from tc. It should be possible to extend this range of supported priorities later on once drivers are updated to support for 32-bit integer priorities. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2019-08-15 21:24:10 -0400
committer: David S. Miller <davem@davemloft.net> 2019-08-18 17:13:23 -0400
commit: 3bc158f8d0330f0ac58597c023acca2234c14616 (patch)
tree: 717dbcde06dcd1d5e1f672e3235a190037315c70
parent: ef01adae0e43cfb2468d0ea07137cc63cf31495c (diff)
3 files changed, 20 insertions, 3 deletions
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index 3196663a10e3..c8b9dec376f5 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -73,4 +73,6 @@ int nft_flow_rule_offload_commit(struct net *net);
        (__reg)->key            = __key;                                \
        memset(&(__reg)->mask, 0xff, (__reg)->len);
+int nft_chain_offload_priority(struct nft_base_chain *basechain);
 #endif
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 88abbddf8967..d47469f824a1 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1667,6 +1667,10 @@ static int nf_tables_addchain(struct nft_ctx *ctx, u8 family, u8 genmask,
                chain->flags |= NFT_BASE_CHAIN | flags;
                basechain->policy = NF_ACCEPT;
+                if (chain->flags & NFT_CHAIN_HW_OFFLOAD &&
+                    nft_chain_offload_priority(basechain) < 0)
+                        return -EOPNOTSUPP;
                flow_block_init(&basechain->flow_block);
        } else {
                chain = kzalloc(sizeof(*chain), GFP_KERNEL);
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c
index 64f5fd5f240e..c0d18c1d77ac 100644
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -103,10 +103,11 @@ void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
 }
 static void nft_flow_offload_common_init(struct flow_cls_common_offload *common,
-                                         __be16 proto,
+                                         __be16 proto, int priority,
-                                        struct netlink_ext_ack *extack)
+                                         struct netlink_ext_ack *extack)
 {
        common->protocol = proto;
+        common->prio = priority;
        common->extack = extack;
 }
@@ -124,6 +125,15 @@ static int nft_setup_cb_call(struct nft_base_chain *basechain,
        return 0;
 }
+int nft_chain_offload_priority(struct nft_base_chain *basechain)
+{
+        if (basechain->ops.priority <= 0 ||
+            basechain->ops.priority > USHRT_MAX)
+                return -1;
+        return 0;
+}
 static int nft_flow_offload_rule(struct nft_trans *trans,
                                 enum flow_cls_command command)
 {
@@ -142,7 +152,8 @@ static int nft_flow_offload_rule(struct nft_trans *trans,
        if (flow)
                proto = flow->proto;
-        nft_flow_offload_common_init(&cls_flow.common, proto, &extack);
+        nft_flow_offload_common_init(&cls_flow.common, proto,
+                                     basechain->ops.priority, &extack);
        cls_flow.command = command;
        cls_flow.cookie = (unsigned long) rule;
        if (flow)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2019-08-15 21:24:10 -0400
committer	David S. Miller <davem@davemloft.net>	2019-08-18 17:13:23 -0400
commit	3bc158f8d0330f0ac58597c023acca2234c14616 (patch)
tree	717dbcde06dcd1d5e1f672e3235a190037315c70
parent	ef01adae0e43cfb2468d0ea07137cc63cf31495c (diff)