On Sun, 2018-02-11 at 14:26 -0800, Roopa Prabhu wrote:
> From: Roopa Prabhu <ro...@cumulusnetworks.com>
>
> Add support to match on src port, dst port and ip protocol.
>
> Signed-off-by: Roopa Prabhu <ro...@cumulusnetworks.com>
> ---
> include/uapi/linux/fib_rules.h | 3 +++
> net/ipv4/fib_rules.c | 46
> ++++++++++++++++++++++++++++++++++++++++--
> 2 files changed, 47 insertions(+), 2 deletions(-)
>
> diff --git a/include/uapi/linux/fib_rules.h b/include/uapi/linux/fib_rules.h
> index 2b642bf..79ff3c2 100644
> --- a/include/uapi/linux/fib_rules.h
> +++ b/include/uapi/linux/fib_rules.h
> @@ -58,6 +58,9 @@ enum {
> FRA_PAD,
> FRA_L3MDEV, /* iif or oif is l3mdev goto its table */
> FRA_UID_RANGE, /* UID range */
> + FRA_PROTO, /* ip proto */
> + FRA_SPORT, /* sport */
> + FRA_DPORT, /* dport */
> __FRA_MAX
> };
>
> diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
> index 35d646a..f204c85 100644
> --- a/net/ipv4/fib_rules.c
> +++ b/net/ipv4/fib_rules.c
> @@ -45,13 +45,17 @@ struct fib4_rule {
> #ifdef CONFIG_IP_ROUTE_CLASSID
> u32 tclassid;
> #endif
> + __be16 sport;
> + __be16 dport;
> + u8 proto;
> };
>
> static bool fib4_rule_matchall(const struct fib_rule *rule)
> {
> struct fib4_rule *r = container_of(rule, struct fib4_rule, common);
>
> - if (r->dst_len || r->src_len || r->tos)
> + if (r->dst_len || r->src_len || r->tos || r->proto || r->sport ||
> + r->dport)
> return false;
> return fib_rule_matchall(rule);
> }
> @@ -182,6 +186,15 @@ static int fib4_rule_match(struct fib_rule *rule, struct
> flowi *fl, int flags)
> if (r->tos && (r->tos != fl4->flowi4_tos))
> return 0;
>
> + if (r->proto && (r->proto != fl4->flowi4_proto))
> + return 0;
>
> + if (r->sport && (r->sport != fl4->fl4_sport))
> + return 0;
>
> + if (r->dport && (r->dport != fl4->fl4_dport))
> + return 0;
> +
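Review bot: The three new UAPI attributes are documented only as `/* ip proto */`, `/* sport */` and `/* dport */`, which tells a userspace consumer neither the payload width nor the byte order, even though the kernel side of the same patch stores them as `u8 proto` and `__be16 sport`/`dport`. I would write `FRA_PROTO, /* IP protocol (u8) */`, `FRA_SPORT, /* transport source port (__be16) */` and `FRA_DPORT, /* transport destination port (__be16) */`. Since this is a stable ABI header, it should also say whether a value of 0 is rejected or means "no match on this field"; the matchall code in the .c hunk treats 0 as unset, but the attribute parsing that would enforce this is not part of the quoted patch, so I cannot tell whether it is validated.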
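Review bot: The new `sport`, `dport` and `proto` fields in struct fib4_rule carry an implicit "0 means not set" contract — `fib4_rule_matchall()` now returns false as soon as any of them is non-zero — but nothing at the declarations says so, so a later change that stored a genuine port 0 or protocol 0 (IPPROTO_IP) as a match key would silently break matchall. I would annotate the fields, e.g. `__be16 sport; /* network order; 0 = no port match */`, `__be16 dport; /* network order; 0 = no port match */` and `u8 proto; /* 0 = no protocol match */`. The same convention means those zero values can never be matched explicitly; if that is intended, a one-line comment on the matchall test stating it saves the next reader the inference. The remainder of struct fib4_rule and the body of fib4_rule_match lie outside this hunk.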
Any setup with about 20 rules to be evaluated (a per-packet cost) will feel the pain... I wonder if we could JIT/eBPF this thing.