This patchset makes it possible to set up a software fastpath between
bridged interfaces. This also creates the possibility to have a hardware
offloaded fastpath between bridged interfaces.

To set up the fastpath with offloading, add this extra flowtable:

table bridge filter {
        flowtable fb {
                hook ingress priority filter
                devices = { lan0, lan1, lan2, lan3, lan4, wlan0, wlan1 }
                flags offload
        }

        chain forward {
                type filter hook forward priority filter; policy accept;
                ct state established flow add @fb
        }
}

Creating a separate fastpath for bridges.

          forward fastpath bypass
 .----------------------------------------.
/                                          \
|                       IP - forwarding    |
|                      /                \  v
|                     /                   wan ...
|                    /
|                    |
|                    |
|                 brlan.1
|                    |
|    +-------------------------------+
|    |           vlan 1              |
|    |                               |
|    |     brlan (vlan-filtering)    |
|    +---------------+               |
|    |  DSA-SWITCH   |               |
|    |               |    vlan 1     |
|    |               |      to       |
|    |   vlan 1      |   untagged    |
|    +---------------+---------------+
.         /                 \
 ------>lan0              wlan1
.         ^                 ^
.         |                 |
.         \_________________/
.         bridge fastpath bypass
.
^
 vlan 1 tagged packets

While testing direct transmit in the software forward-fastpath, it is
useful to enslave the wan interface to another bridge, brwan. This will
make sure both directions of the software forward-fastpath use direct
transmit.

To have the ability to handle xmit direct with outgoing encaps in the
bridge fastpath bypass, we need to be able to handle them without going
through vlan/pppoe devices. So I've applied, amended and squashed wenxu's
patchset. This patch also makes it possible to egress from vlan-filtering
brlan to lan0 with vlan tagged packets, if the bridge master port is doing
the vlan tagging, instead of the vlan-device. Without this patch, this is
not possible in the bridge-fastpath and also not in the forward-fastpath,
as seen in the figure above.

There are also some more fixes for filling in the forward path. These
fixes also apply to the forward-fastpath. They include handling
DEV_PATH_MTK_WDMA in nft_dev_path_info(). There are now 2 patches for
avoiding ingress_vlans bit set for bridged dsa user ports and foreign
(dsa) ports.

Another patch introduces DEV_PATH_BR_VLAN_KEEP_HW, needed for the
bridge-fastpath only.

Conntrack bridge only tracks untagged and 802.1q. To make the bridge
fastpath experience more similar to the forward fastpath experience,
I've added double vlan, pppoe and pppoe-in-q tagged packets to bridge
conntrack and to bridge filter chain.

I am sending RFC v2 as I previously only owned a dsa device. I now have
obtained a switchdev supporting SWITCHDEV_OBJ_ID_PORT_VLAN, and found
there was more to do to handle the ingress_vlans bit and corresponding
vlan encap.

Changes in v2:
- Introduce DEV_PATH_BR_VLAN_KEEP_HW for use in the bridge-fastpath only.
  It is needed for switchdevs supporting SWITCHDEV_OBJ_ID_PORT_VLAN.
- Different approach for handling BR_VLFLAG_ADDED_BY_SWITCHDEV in
  br_vlan_fill_forward_path_mode() for foreign devices. Introduce
  SWITCHDEV_F_NO_FOREIGN, BR_VLFLAG_TAGGING_BY_SWITCHDEV and
  br_switchdev_port_vlan_no_foreign_add(). The latter function can be
  used to make sure the vlan was added to a switchdev native device.
  When that fails, adding the vlan with br_switchdev_port_vlan_add()
  means it was added to a switchdev foreign device.
- Clear ingress_vlans bit and corresponding encap for dsa user ports.
- Add check for ingress_vlans bit to nft_dev_fill_bridge_path().
- Adapted cover letter description to make clear the patches apply
  to software fastpath, making hardware-offloaded fastpath possible.
- Fixed clang error for vlan_hdr * and struct ppp_hdr * by adding block.
- Updated !CONFIG_BRIDGE_VLAN_FILTERING version of
  br_vlan_fill_forward_path_pvid().
- Removed erroneous check netif_is_bridge_master(ctx->dev) from
  dev_fill_bridge_path().
- Cosmetic changes.

Eric Woudstra (14):
  netfilter: nf_flow_table_offload: Add nf_flow_encap_push() for xmit
    direct
  netfilter: bridge: Add conntrack double vlan and pppoe
  netfilter: nft_chain_filter: Add bridge double vlan and pppoe
  bridge: br_vlan_fill_forward_path_pvid: Add port to port
  bridge: br_fill_forward_path add port to port
  net: core: dev: Add dev_fill_bridge_path()
  netfilter :nf_flow_table_offload: Add nf_flow_rule_bridge()
  netfilter: nf_flow_table_inet: Add nf_flowtable_type flowtable_bridge
  netfilter: nft_flow_offload: Add NFPROTO_BRIDGE to validate
  netfilter: nft_flow_offload: Add DEV_PATH_MTK_WDMA to
    nft_dev_path_info()
  netfilter: nft_flow_offload: No ingress_vlan forward info for dsa user
    port
  bridge: No DEV_PATH_BR_VLAN_UNTAG_HW for dsa foreign
  bridge: Introduce DEV_PATH_BR_VLAN_KEEP_HW for bridge-fastpath
  netfilter: nft_flow_offload: Add bridgeflow to nft_flow_offload_eval()

 include/linux/netdevice.h                  |   3 +
 include/net/netfilter/nf_flow_table.h      |   3 +
 include/net/switchdev.h                    |   1 +
 net/bridge/br_device.c                     |  23 ++-
 net/bridge/br_private.h                    |   5 +
 net/bridge/br_switchdev.c                  |  15 ++
 net/bridge/br_vlan.c                       |  29 +++-
 net/bridge/netfilter/nf_conntrack_bridge.c |  88 +++++++++--
 net/core/dev.c                             |  66 ++++++--
 net/netfilter/nf_flow_table_inet.c         |  13 ++
 net/netfilter/nf_flow_table_ip.c           |  96 +++++++++++-
 net/netfilter/nf_flow_table_offload.c      |  13 ++
 net/netfilter/nft_chain_filter.c           |  20 ++-
 net/netfilter/nft_flow_offload.c           | 166 +++++++++++++++++++--
 net/switchdev/switchdev.c                  |   2 +-
 15 files changed, 490 insertions(+), 53 deletions(-)

--
2.45.2