netfilter: nf_tables: add hardware offload support
This patch adds hardware offload support for nftables through the existing netdev_ops->ndo_setup_tc() interface, the TC_SETUP_CLSFLOWER classifier and the flow rule API. This hardware offload support is available for the NFPROTO_NETDEV family and the ingress hook.

Each nftables expression has a new ->offload interface, that is used to populate the flow rule object that is attached to the transaction object.

There is a new per-table NFT_TABLE_F_HW flag, that is set on to offload an entire table, including all of its chains.

This patch supports basic metadata (layer 3 and 4 protocol numbers), 5-tuple payload matching and the accept/drop actions; this also includes basechain hardware offload only.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Showing
- include/net/netfilter/nf_tables.h: 14 additions, 0 deletions
- include/net/netfilter/nf_tables_offload.h: 76 additions, 0 deletions
- include/uapi/linux/netfilter/nf_tables.h: 2 additions, 0 deletions
- net/netfilter/Makefile: 1 addition, 1 deletion
- net/netfilter/nf_tables_api.c: 33 additions, 6 deletions
- net/netfilter/nf_tables_offload.c: 267 additions, 0 deletions
- net/netfilter/nft_cmp.c: 53 additions, 0 deletions
- net/netfilter/nft_immediate.c: 31 additions, 0 deletions
- net/netfilter/nft_meta.c: 27 additions, 0 deletions
- net/netfilter/nft_payload.c: 187 additions, 0 deletions