Skip to content

Commit 0e795b3

Browse files
ummakynesummakynes
committed
netfilter: nft_inner: add percpu inner context
Add NFT_PKTINFO_INNER_FULL flag to annotate that inner offsets are available. Store nft_inner_tun_ctx object in percpu area to cache existing inner offsets for this skbuff. Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 3a07327 commit 0e795b3

File tree

3 files changed

+24
-4
lines changed

3 files changed

+24
-4
lines changed

include/net/netfilter/nf_tables.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ struct module;
2424
enum {
2525
NFT_PKTINFO_L4PROTO = (1 << 0),
2626
NFT_PKTINFO_INNER = (1 << 1),
27+
NFT_PKTINFO_INNER_FULL = (1 << 2),
2728
};
2829

2930
struct nft_pktinfo {

include/net/netfilter/nf_tables_core.h

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -149,6 +149,7 @@ enum {
149149
};
150150

151151
struct nft_inner_tun_ctx {
152+
u16 type;
152153
u16 inner_tunoff;
153154
u16 inner_lloff;
154155
u16 inner_nhoff;

net/netfilter/nft_inner.c

Lines changed: 22 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -21,6 +21,8 @@
2121
#include <linux/ip.h>
2222
#include <linux/ipv6.h>
2323

24+
static DEFINE_PER_CPU(struct nft_inner_tun_ctx, nft_pcpu_tun_ctx);
25+
2426
/* Same layout as nft_expr but it embeds the private expression data area. */
2527
struct __nft_expr {
2628
const struct nft_expr_ops *ops;
@@ -180,7 +182,7 @@ static int nft_inner_parse_tunhdr(const struct nft_inner *priv,
180182
}
181183

182184
static int nft_inner_parse(const struct nft_inner *priv,
183-
const struct nft_pktinfo *pkt,
185+
struct nft_pktinfo *pkt,
184186
struct nft_inner_tun_ctx *tun_ctx)
185187
{
186188
struct nft_inner_tun_ctx ctx = {};
@@ -199,25 +201,41 @@ static int nft_inner_parse(const struct nft_inner *priv,
199201
}
200202

201203
*tun_ctx = ctx;
204+
tun_ctx->type = priv->type;
205+
pkt->flags |= NFT_PKTINFO_INNER_FULL;
202206

203207
return 0;
204208
}
205209

210+
static bool nft_inner_parse_needed(const struct nft_inner *priv,
211+
const struct nft_pktinfo *pkt,
212+
const struct nft_inner_tun_ctx *tun_ctx)
213+
{
214+
if (!(pkt->flags & NFT_PKTINFO_INNER_FULL))
215+
return true;
216+
217+
if (priv->type != tun_ctx->type)
218+
return true;
219+
220+
return false;
221+
}
222+
206223
static void nft_inner_eval(const struct nft_expr *expr, struct nft_regs *regs,
207224
const struct nft_pktinfo *pkt)
208225
{
226+
struct nft_inner_tun_ctx *tun_ctx = this_cpu_ptr(&nft_pcpu_tun_ctx);
209227
const struct nft_inner *priv = nft_expr_priv(expr);
210-
struct nft_inner_tun_ctx tun_ctx = {};
211228

212229
if (nft_payload_inner_offset(pkt) < 0)
213230
goto err;
214231

215-
if (nft_inner_parse(priv, pkt, &tun_ctx) < 0)
232+
if (nft_inner_parse_needed(priv, pkt, tun_ctx) &&
233+
nft_inner_parse(priv, (struct nft_pktinfo *)pkt, tun_ctx) < 0)
216234
goto err;
217235

218236
switch (priv->expr_type) {
219237
case NFT_INNER_EXPR_PAYLOAD:
220-
nft_payload_inner_eval((struct nft_expr *)&priv->expr, regs, pkt, &tun_ctx);
238+
nft_payload_inner_eval((struct nft_expr *)&priv->expr, regs, pkt, tun_ctx);
221239
break;
222240
default:
223241
WARN_ON_ONCE(1);

0 commit comments

Comments
 (0)