From: Cindy Lu
To: lulu@redhat.com, mst@redhat.com, jasowang@redhat.com, zhangckid@gmail.com, lizhijian@fujitsu.com, qemu-devel@nongnu.org
Subject: [RFC 4/5] net/filter-redirector: add AF_PACKET redirect datapath
Date: Fri, 13 Feb 2026 15:08:04 +0800
Message-ID: <20260213071042.3733239-5-lulu@redhat.com>
In-Reply-To: <20260213071042.3733239-1-lulu@redhat.com>
References: <20260213071042.3733239-1-lulu@redhat.com>

Complete the AF_PACKET based packet forwarding implementation for
filter-redirector:

1. filter_redirector_send_netdev_packet(): Send packets via AF_PACKET socket to out_netdev. Updates netdev_tx statistics.
2. filter_redirector_recv_from_chardev(): Handle packets received from chardev indev.
Can forward to either chardev outdev, AF_PACKET out_netdev, or inject into the netfilter chain. 3. filter_redirector_recv_from_netdev(): Handle packets received from AF_PACKET in_netdev. Can forward to chardev outdev or inject into the netfilter chain. 4. Updated filter_redirector_receive_iov() to support out_netdev as an output endpoint. Added logic to skip netdev path consumption when redirector has an input endpoint (indev/in_netdev) to prevent packet loops. 5. Added netdev_rx and netdev_tx counters to query-netfilter-stats output for monitoring AF_PACKET datapath activity. Signed-off-by: Cindy Lu --- net/filter-mirror.c | 177 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 171 insertions(+), 6 deletions(-) diff --git a/net/filter-mirror.c b/net/filter-mirror.c index f8001612ec..d9e8fcba59 100644 --- a/net/filter-mirror.c +++ b/net/filter-mirror.c @@ -65,6 +65,11 @@ struct MirrorState { uint64_t indev_bytes; uint64_t outdev_packets; uint64_t outdev_bytes; + /* netdev replay/capture statistics for filter-redirector */ + uint64_t netdev_rx_packets; + uint64_t netdev_rx_bytes; + uint64_t netdev_tx_packets; + uint64_t netdev_tx_bytes; }; =20 typedef struct FilterSendCo { 
@@ -158,6 +163,59 @@ static int filter_send(MirrorState *s, return data.ret; } =20 +static ssize_t filter_redirector_send_netdev_packet(MirrorState *s, + const struct iovec *io= v, + int iovcnt) +{ + ssize_t size =3D iov_size(iov, iovcnt); + g_autofree uint8_t *buf =3D NULL; + + if (s->out_netfd < 0) { + return -ENODEV; + } + if (size > NET_BUFSIZE) { + return -EINVAL; + } + + buf =3D g_malloc(size); + iov_to_buf(iov, iovcnt, 0, buf, size); + + ssize_t ret =3D send(s->out_netfd, buf, size, 0); + if (ret < 0) { + return -errno; + } + if (ret > 0) { + s->netdev_tx_packets++; + s->netdev_tx_bytes +=3D ret; + } + return ret; +} +static ssize_t filter_redirector_send_chardev_iov(MirrorState *s, + const struct iovec *iov, + int iovcnt) +{ + if (!s->outdev) { + return -ENODEV; + } + + if (!qemu_chr_fe_backend_connected(&s->chr_out)) { + return 0; + } + + return filter_send(s, iov, iovcnt); +} + +static ssize_t filter_redirector_send_netdev_iov(MirrorState *s, + const struct iovec *iov, + int iovcnt) +{ + if (!s->out_netdev) { + return -ENODEV; + } + + return filter_redirector_send_netdev_packet(s, iov, iovcnt); +} + static void redirector_to_filter(NetFilterState *nf, const uint8_t *buf, int len) 
@@ -230,6 +288,75 @@ static void redirector_chr_event(void *opaque, QEMUChr= Event event) } } =20 +static void filter_redirector_recv_from_chardev(NetFilterState *nf, + const uint8_t *buf, + int len) +{ + MirrorState *s =3D FILTER_REDIRECTOR(nf); + ssize_t ret; + struct iovec iov =3D { + .iov_base =3D (void *)buf, + .iov_len =3D len, + }; + + if (len <=3D 0) { + return; + } + + /* chardev indev */ + s->indev_packets++; + s->indev_bytes +=3D len; + + if (s->out_netdev) { + ret =3D filter_redirector_send_netdev_iov(s, &iov, 1); + if (ret < 0) { + error_report("filter redirector send failed(%s)", strerror(-re= t)); + } + return; + } + + if (s->outdev) { + ret =3D filter_redirector_send_chardev_iov(s, &iov, 1); + if (ret < 0) { + error_report("filter redirector send failed(%s)", strerror(-re= t)); + } else if (ret > 0) { + s->outdev_packets++; + s->outdev_bytes +=3D ret; + } + return; + } + + redirector_to_filter(nf, buf, len); +} + +static bool filter_redirector_recv_from_netdev(NetFilterState *nf, + const uint8_t *b= uf, + int len) +{ + MirrorState *s =3D FILTER_REDIRECTOR(nf); + ssize_t ret; + struct iovec iov =3D { + .iov_base =3D (void *)buf, + .iov_len =3D len, + }; + + if (len <=3D 0) { + return false; + } + if (s->outdev) { + ret =3D filter_redirector_send_chardev_iov(s, &iov, 1); + } else { + redirector_to_filter(nf, buf, len); + return true; + } + + if (ret < 0) { + error_report("filter redirector send failed(%s)", strerror(-ret)); + return false; + } + return true; +} + static void filter_redirector_netdev_read(void *opaque) { NetFilterState *nf =3D opaque; @@ -254,7 +381,9 @@ static void filter_redirector_netdev_read(void *opaque) continue; } =20 - redirector_to_filter(nf, s->in_netbuf, len); + s->netdev_rx_packets++; + s->netdev_rx_bytes +=3D len; + filter_redirector_recv_from_netdev(nf, s->in_netbuf, len); } =20 if (len < 0 && errno !=3D EAGAIN && errno !=3D EWOULDBLOCK && 
@@ -296,19 +425,33 @@ static ssize_t filter_redirector_receive_iov(NetFilte= rState *nf, MirrorState *s =3D FILTER_REDIRECTOR(nf); int ret; =20 - if (qemu_chr_fe_backend_connected(&s->chr_out)) { - ret =3D filter_send(s, iov, iovcnt); + /* + * If this redirector has an explicit input endpoint (indev/in_netdev), + * it acts as an injector for that endpoint and must not consume packe= ts + * from the regular netdev data path. Consuming here can create loops = when + * out_netdev points back to the same TAP netdev. + */ + if (s->indev || s->in_netdev) { + return 0; + } + + if (s->out_netdev || s->outdev) { + if (s->out_netdev) { + ret =3D filter_redirector_send_netdev_iov(s, iov, iovcnt); + } else { + ret =3D filter_redirector_send_chardev_iov(s, iov, iovcnt); + } if (ret < 0) { error_report("filter redirector send failed(%s)", strerror(-re= t)); - } else if (ret > 0) { + } else if (ret > 0 && !s->out_netdev) { /* Update outdev statistics on successful send */ s->outdev_packets++; s->outdev_bytes +=3D ret; } return iov_size(iov, iovcnt); - } else { - return 0; } + + return 0; } =20 static void filter_mirror_cleanup(NetFilterState *nf) @@ -369,6 +512,16 @@ static void redirector_rs_finalize(SocketReadState *rs) MirrorState *s =3D container_of(rs, MirrorState, rs); NetFilterState *nf =3D NETFILTER(s); =20 + /* + * If redirector has an explicit output endpoint, keep the redirect pa= th + * (e.g. indev=3Dred0 -> out_netdev=3Dnet0). + * Fallback to direct netfilter injection only when no output is set. + */ + if (s->outdev || s->out_netdev) { + filter_redirector_recv_from_chardev(nf, rs->buf, rs->packet_len); + return; + } + /* Update indev statistics */ s->indev_packets++; s->indev_bytes +=3D rs->packet_len; 
@@ -826,6 +979,18 @@ static GList *filter_redirector_get_stats(NetFilterSta= te *nf) counter->bytes =3D s->outdev_bytes; list =3D g_list_append(list, counter); =20 + counter =3D g_new0(NetFilterCounter, 1); + counter->name =3D g_strdup("netdev_rx"); + counter->packets =3D s->netdev_rx_packets; + counter->bytes =3D s->netdev_rx_bytes; + list =3D g_list_append(list, counter); + + counter =3D g_new0(NetFilterCounter, 1); + counter->name =3D g_strdup("netdev_tx"); + counter->packets =3D s->netdev_tx_packets; + counter->bytes =3D s->netdev_tx_bytes; + list =3D g_list_append(list, counter); + return list; } =20 --=20 2.52.0
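Review bot: In the hunk at @@ -158,6 +163,59 @@, filter_redirector_send_netdev_packet() allocates and fills a bounce buffer with g_malloc()/iov_to_buf() for every packet before calling send(); passing the caller's iov and iovcnt to sendmsg() in a struct msghdr would hand the fragments to the socket directly and take the per-packet allocation and copy out of the datapath. In the same function, `ssize_t ret = send(s->out_netfd, buf, size, 0);` is declared in the middle of the block and should move up beside size and buf, and a failed send() is returned as -errno without retrying EINTR, so an interrupted send drops the packet and ends up in the callers' error_report(). A blank line is also missing between the closing brace of this function and filter_redirector_send_chardev_iov().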
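Review bot: In the hunk at @@ -230,6 +288,75 @@, filter_redirector_recv_from_netdev() does not update outdev_packets/outdev_bytes after a successful filter_redirector_send_chardev_iov(), whereas filter_redirector_recv_from_chardev() just above it does (`} else if (ret > 0) { s->outdev_packets++;`), so in_netdev to outdev traffic is missing from the outdev counter. The if/else that returns true from the else branch and then checks ret afterwards would read more clearly if the no-outdev case were handled first with an early return, followed by the send and its error check. Both helpers also cast away const with `.iov_base = (void *)buf`; a short comment that the buffer is only read would help.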
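Review bot: In the hunk at @@ -254,7 +381,9 @@, the bool returned by filter_redirector_recv_from_netdev() is discarded in filter_redirector_netdev_read(), and netdev_rx_packets/netdev_rx_bytes are incremented before the call, so a frame that fails to forward is still counted as received with nothing to mark it as dropped. Either make the helper return void, or use the result (for example for a drop counter) so the statistics distinguish captured frames from forwarded ones.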
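Review bot: In the hunk at @@ -296,19 +425,33 @@, filter_redirector_receive_iov() now swallows the packet when outdev is set but its chardev backend is not connected: filter_redirector_send_chardev_iov() returns 0 in that case, and this function still reaches `return iov_size(iov, iovcnt);`. The removed code returned 0 when qemu_chr_fe_backend_connected() was false, which let the packet continue down the filter chain; returning 0 when ret == 0 would keep that behaviour. Separately, the new early `return 0` for `s->indev || s->in_netdev` also applies to a redirector that has both indev and outdev configured, which the removed code still forwarded to outdev. If that change is intended it should be called out in the commit message and documentation; otherwise the guard could be limited to the out_netdev loop case that the comment describes.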
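Review bot: In the hunk at @@ -369,6 +512,16 @@, the `if (s->outdev || s->out_netdev)` guard in redirector_rs_finalize() looks redundant: filter_redirector_recv_from_chardev() already updates indev_packets/indev_bytes and falls back to redirector_to_filter() when neither output is set, so the indev accounting now lives in two places that must be kept in sync. Consider calling the helper unconditionally, or, if the code below the guard does something the helper does not, say so in the comment.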
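Review bot: In the hunk at @@ -826,6 +979,18 @@, the netdev_rx and netdev_tx counters are appended in filter_redirector_get_stats() unconditionally, so a redirector without in_netdev/out_netdev reports two entries that are always zero; consider emitting them only when the corresponding endpoint is configured, and document the two new counter names for users of query-netfilter-stats. The g_new0()/g_strdup()/g_list_append() sequence is now repeated once per counter and could move into a small helper taking the name, packets and bytes.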