| author | Paolo Abeni <pabeni@redhat.com> | 2022-11-08 12:21:51 +0100 |
|---|---|---|
| committer | Paolo Abeni <pabeni@redhat.com> | 2022-11-08 12:21:52 +0100 |
| commit | b2140e971309511074933da3edd5bbfcb6d394e5 (patch) | |
| tree | 9ac5350a35c09d95a4119866e29d344f7d8032fa /include | |
| parent | 47f3ecf4763d3fea37d3453c9ee1f9f2169d71b3 (diff) | |
| parent | a21b06e7319129994f339ed47f512bbe57b77f5b (diff) | |
Merge branch 'net-add-helper-support-in-tc-act_ct-for-ovs-offloading'

Xin Long says:

====================
net: add helper support in tc act_ct for ovs offloading

Ilya reported an issue that FTP traffic would be broken when the OVS flow
with ct(commit,alg=ftp) installed in the OVS kernel module, and it was
caused by that TC didn't support the ftp helper offloaded from OVS.

This patchset is to add the helper support in act_ct for OVS offloading
in kernel net/sched.

The 1st and 2nd patches move some common code into nf_conntrack_helper from
openvswitch so that they could be used by net/sched in the 4th patch (Note
there are still some other common code used in both OVS and TC, and I will
extract it in other patches). The 3rd patch extracts another function in
net/sched to make the 4th patch easier to write. The 4th patch adds this
feature in net/sched.

The user space part will be added in another patch, and with it these OVS
flows (FTP over SNAT) can be used to test this feature:

  table=0, in_port=veth1,tcp,tcp_dst=2121,ct_state=-trk \
    actions=ct(table=1, nat), normal
  table=0, in_port=veth2,tcp,ct_state=-trk actions=ct(table=1, nat)
  table=0, in_port=veth1,tcp,ct_state=-trk actions=ct(table=0, nat)
  table=0, in_port=veth1,tcp,ct_state=+trk+rel actions=ct(commit, nat),normal
  table=0, in_port=veth1,tcp,ct_state=+trk+est actions=veth2"
  table=1, in_port=veth1,tcp,tcp_dst=2121,ct_state=+trk+new \
    actions=ct(commit, nat(src=7.7.16.1), alg=ftp),normal"
  table=1, in_port=veth1,tcp,tcp_dst=2121,ct_state=+trk+est actions=veth2"
  table=1, in_port=veth2,tcp,ct_state=+trk+est actions=veth1"
====================

Link: https://lore.kernel.org/r/cover.1667766782.git.lucien.xin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/netfilter/nf_conntrack_helper.h | 5 | ||||
| -rw-r--r-- | include/net/tc_act/tc_ct.h | 1 | ||||
| -rw-r--r-- | include/uapi/linux/tc_act/tc_ct.h | 3 |
3 files changed, 9 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index 9939c366f720..f30b1694b690 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h @@ -115,6 +115,11 @@ struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp); int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl, gfp_t flags); +int nf_ct_helper(struct sk_buff *skb, struct nf_conn *ct, + enum ip_conntrack_info ctinfo, u16 proto); +int nf_ct_add_helper(struct nf_conn *ct, const char *name, u8 family, + u8 proto, bool nat, struct nf_conntrack_helper **hp); + void nf_ct_helper_destroy(struct nf_conn *ct); static inline struct nf_conn_help *nfct_help(const struct nf_conn *ct) diff --git a/include/net/tc_act/tc_ct.h b/include/net/tc_act/tc_ct.h index 8250d6f0a462..b24ea2d9400b 100644 --- a/include/net/tc_act/tc_ct.h +++ b/include/net/tc_act/tc_ct.h @@ -10,6 +10,7 @@ #include <net/netfilter/nf_conntrack_labels.h> struct tcf_ct_params { + struct nf_conntrack_helper *helper; struct nf_conn *tmpl; u16 zone; diff --git a/include/uapi/linux/tc_act/tc_ct.h b/include/uapi/linux/tc_act/tc_ct.h index 5fb1d7ac1027..6c5200f0ed38 100644 --- a/include/uapi/linux/tc_act/tc_ct.h +++ b/include/uapi/linux/tc_act/tc_ct.h @@ -22,6 +22,9 @@ enum { TCA_CT_NAT_PORT_MIN, /* be16 */ TCA_CT_NAT_PORT_MAX, /* be16 */ TCA_CT_PAD, + TCA_CT_HELPER_NAME, /* string */ + TCA_CT_HELPER_FAMILY, /* u8 */ + TCA_CT_HELPER_PROTO, /* u8 */ __TCA_CT_MAX }; |
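Review bot: In include/net/netfilter/nf_conntrack_helper.h, the two new prototypes both take a parameter named `proto`, but it is `u16 proto` in nf_ct_helper() and `u8 proto` next to `u8 family` in nf_ct_add_helper(), and nothing in the header says whether they mean the same thing. Since these are now shared between callers, please add a short comment (or rename one of them) stating what each `proto` and `family` carries, what the `int` return of each function means, and who owns the helper returned through `struct nf_conntrack_helper **hp`, so a caller cannot pass the wrong value or leak a reference.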
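Review bot: In include/net/tc_act/tc_ct.h, the new `struct nf_conntrack_helper *helper;` member of struct tcf_ct_params is a raw pointer with no comment on its lifetime. Please document that it may be NULL when no helper is configured and which path releases it when the params are freed or replaced; that code is outside this include-only diff, so the header is the only place a reader of this struct can learn the ownership rule.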
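Review bot: In include/uapi/linux/tc_act/tc_ct.h, `TCA_CT_HELPER_NAME, /* string */` gives no maximum length, and `TCA_CT_HELPER_FAMILY` and `TCA_CT_HELPER_PROTO` are annotated only as `u8` with no statement of the accepted values. Because these attributes arrive from user space, please state the length bound and the valid ranges in the comments and confirm the netlink policy for act_ct (not visible in this include-only diff) enforces them before the name reaches the helper lookup. Appending the three values after TCA_CT_PAD and before __TCA_CT_MAX keeps the existing attribute numbers stable, which is the right placement.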
