[RFC v2 0/9] net/filter-redirector: Add AF_PACKET support for vhost-net

Cindy Lu posted 9 patches 3 weeks, 5 days ago
Failed in applying to current master
hw/net/virtio-net.c |  66 +++++-
include/net/queue.h |   5 +
net/filter-mirror.c | 493 ++++++++++++++++++++++++++++++++++++++++++--
net/filter.c        |  16 +-
4 files changed, 551 insertions(+), 29 deletions(-)
[RFC v2 0/9] net/filter-redirector: Add AF_PACKET support for vhost-net
Posted by Cindy Lu 3 weeks, 5 days ago
Hi, All

This series adds AF_PACKET support for the vhost tap
device in filter-redirector/filter-buffer. When vhost=on, it will use
AF_PACKET to capture and inject.

Example Usage (unchanged from existing upstream code)
=============
Primary VM (mirror incoming packets to secondary via chardev socket):

  -netdev tap,id=net0,vhost=on,...
  -chardev socket,id=mirror0,host=...,port=...,server=on,wait=off
  -object filter-redirector,id=vm1redir,netdev=net0,outdev=mirror0...

Secondary VM (receive mirrored packets):
  
  -netdev tap,id=net0,vhost=on,...
  -chardev socket,id=red0,host=...,port=...,reconnect-ms=..
  -object filter-buffer,id=swbuf,netdev=net0,queue=tx,interval=1000000,status=off.....
  -object filter-redirector,id=r1,netdev=net0,queue=tx,indev=red0,status=off,enable_when_stopped=true.... \

TODO
=======
This series is still based on the tap device. The vhost-vdpa support is ongoing and will be sent soon.

Changeset
===========
Changes in v2:
1. add support for filter-buffer
2. remove the in_netdev and out_netdev for the AF_PACKET bind port; now only netdev is used.
   When vhost=on, AF_PACKET is used to capture and inject; when vhost=off, the
   existing code is used
3. add CAP_NET_RAW check
4. address the comment


Testing
=======
- Tested with vhost=on/off TAP netdev on x86_64

Cindy Lu (9):
  net/filter: allow redirector on vhost TAP backends
  net/filter-redirector: add role helpers for AF_PACKET paths
  net/filter-redirector: add AF_PACKET socket setup and input handler
  net/filter-redirector: add send helpers and netdev counters
  net/filter-redirector: route chardev and AF_PACKET receive paths
  net/filter: Add support for filter-buffer
  virtio-net: keep tap read polling disabled while vhost owns RX
  virtio-net: handle short vnet headers on replay RX
  net/filter-redirector: check CAP_NET_RAW before creating AF_PACKET

 hw/net/virtio-net.c |  66 +++++-
 include/net/queue.h |   5 +
 net/filter-mirror.c | 493 ++++++++++++++++++++++++++++++++++++++++++--
 net/filter.c        |  16 +-
 4 files changed, 551 insertions(+), 29 deletions(-)

-- 
2.52.0
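The changelog above lists a CAP_NET_RAW check before the AF_PACKET socket is created. As an added example (not code from this series, and not necessarily how the series implements it), one way to make that check is to read the effective capability mask from /proc/self/status; the function names and sample masks are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EXAMPLE_CAP_NET_RAW_BIT 13 /* CAP_NET_RAW in <linux/capability.h> */

/* Returns 1 if the CapEff mask in a /proc/<pid>/status text includes
 * CAP_NET_RAW, 0 if it does not, -1 if the line is missing or malformed. */
int status_has_cap_net_raw(const char *text)
{
    for (const char *line = text; line && *line;
         line = strchr(line, '\n'), line = line ? line + 1 : NULL) {
        if (strncmp(line, "CapEff:", 7) != 0) {
            continue;
        }
        const char *p = line + 7;
        while (*p == ' ' || *p == '\t') {
            p++;
        }
        if (!isxdigit((unsigned char)*p)) {
            return -1; /* empty value: do not read into the next line */
        }
        return (int)((strtoull(p, NULL, 16) >> EXAMPLE_CAP_NET_RAW_BIT) & 1);
    }
    return -1;
}

/* Apply the check to this process before attempting socket(AF_PACKET, ...). */
int self_has_cap_net_raw(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) {
        return -1;
    }
    size_t n = fread(buf, 1, sizeof(buf) - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_cap_net_raw(buf);
}

int main(void)
{
    /* Constructed samples: a full mask, and the same mask without bit 13. */
    const char *with_cap = "Name:\tqemu\nCapEff:\t000001ffffffffff\n";
    const char *without = "Name:\tqemu\nCapEff:\t000001ffffffdfff\n";
    printf("with: %d, without: %d, self: %d\n", status_has_cap_net_raw(with_cap),
           status_has_cap_net_raw(without), self_has_cap_net_raw());
    return 0;
}
```

A result of 0 or -1 lets the caller report a clear configuration error instead of surfacing a bare EPERM from socket().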
Re: [RFC v2 0/9] net/filter-redirector: Add AF_PACKET support for vhost-net
Posted by Jason Wang 3 weeks, 4 days ago
On Thu, Mar 12, 2026 at 3:14 PM Cindy Lu <lulu@redhat.com> wrote:
>
> Hi, All
>
> This series adds AF_PACKET support for the vhost tap
> device in filter-redirector/filter-buffer. When vhost=on, it will use
> AF_PACKET to capture and inject.
>
> Example Usage (unchanged from existing upstream code)
> =============
> Primary VM (mirror incoming packets to secondary via chardev socket):
>
>   -netdev tap,id=net0,vhost=on,...
>   -chardev socket,id=mirror0,host=...,port=...,server=on,wait=off
>   -object filter-redirector,id=vm1redir,netdev=net0,outdev=mirror0...
>
> Secondary VM (receive mirrored packets):
>
>   -netdev tap,id=net0,vhost=on,...
>   -chardev socket,id=red0,host=...,port=...,reconnect-ms=..
>   -object filter-buffer,id=swbuf,netdev=net0,queue=tx,interval=1000000,status=off.....
>   -object filter-redirector,id=r1,netdev=net0,queue=tx,indev=red0,status=off,enable_when_stopped=true.... \
>
> TODO
> =======
> This series is still based on the tap device. The vhost-vdpa support is ongoing and will be sent soon.
>

Thanks for the series. But I think I still have the same question as
v1. Any reason to tightly couple the packet socket into the netfilter?
Couldn't we reuse chardev for that?

Thanks

> Changeset
> ===========
> Changes in v2:
> 1. add support for filter-buffer
> 2. remove the in_netdev and out_netdev for the AF_PACKET bind port; now only netdev is used.
>    When vhost=on, AF_PACKET is used to capture and inject; when vhost=off, the
>    existing code is used
> 3. add CAP_NET_RAW check
> 4. address the comment
>
>
> Testing
> =======
> - Tested with vhost=on/off TAP netdev on x86_64
>
> Cindy Lu (9):
>   net/filter: allow redirector on vhost TAP backends
>   net/filter-redirector: add role helpers for AF_PACKET paths
>   net/filter-redirector: add AF_PACKET socket setup and input handler
>   net/filter-redirector: add send helpers and netdev counters
>   net/filter-redirector: route chardev and AF_PACKET receive paths
>   net/filter: Add support for filter-buffer
>   virtio-net: keep tap read polling disabled while vhost owns RX
>   virtio-net: handle short vnet headers on replay RX
>   net/filter-redirector: check CAP_NET_RAW before creating AF_PACKET
>
>  hw/net/virtio-net.c |  66 +++++-
>  include/net/queue.h |   5 +
>  net/filter-mirror.c | 493 ++++++++++++++++++++++++++++++++++++++++++--
>  net/filter.c        |  16 +-
>  4 files changed, 551 insertions(+), 29 deletions(-)
>
> --
> 2.52.0
>