From: wenxu
The mru in the qdisc_skb_cb should be init as 0. Only defrag packets in the
act_ct will set the value.
Fixes: 038ebb1a713d ("net/sched: act_ct: fix miss set mru for ovs after defrag
in act_ct")
Signed-off-by: wenxu
---
v5: new patch
v6: no change
vr76: no change
net/
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
The mru in the qdisc_skb_cb should be init as 0. Only defrag packets in the
act_ct will set the value.
Fixes: 038ebb1a713d ("net/sched: act_ct: fix miss set mru for ovs after defrag
in act_ct")
Signed-off-by: wenxu
---
v5: new patch
v8: no change
net/core/dev.c | 2
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v8: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
The mru in the qdisc_skb_cb should be init as 0. Only defrag packets in the
act_ct will set the value.
Fixes: 038ebb1a713d ("net/sched: act_ct: fix miss set mru for ovs after defrag
in act_ct")
Signed-off-by: wenxu
---
v9: no change
net/core/dev.c | 2 ++
1 file
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v9: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v10: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
The mru in the qdisc_skb_cb should be init as 0. Only defrag packets in the
act_ct will set the value.
Fixes: 038ebb1a713d ("net/sched: act_ct: fix miss set mru for ovs after defrag
in act_ct")
Signed-off-by: wenxu
---
v10: no change
net/core/dev.c | 2 ++
1 file
From: wenxu
The mru in the qdisc_skb_cb should be init as 0. Only defrag packets in the
act_ct will set the value.
Fixes: 038ebb1a713d ("net/sched: act_ct: fix miss set mru for ovs after defrag
in act_ct")
Signed-off-by: wenxu
---
v11: no change
net/core/dev.c | 2 ++
1 file
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v11: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
On 2020/11/15 2:05, Cong Wang wrote:
> On Wed, Nov 11, 2020 at 9:44 PM wrote:
>> diff --git a/net/sched/act_frag.c b/net/sched/act_frag.c
>> new file mode 100644
>> index 000..3a7ab92
>> --- /dev/null
>> +++ b/net/sched/act_frag.c
> It is kinda confusing to see this is a module. It provides some
> On 2020-11-15 8:05 a.m., wenxu wrote:
>>
>> On 2020/11/15 2:05, Cong Wang wrote:
>>> On Wed, Nov 11, 2020 at 9:44 PM wrote:
>>>> diff --git a/net/sched/act_frag.c b/net/sched/act_frag.c
>>>> new file mode 100644
>>>> index 000..3a7ab92
>>
On 11/17/2020 3:01 AM, Cong Wang wrote:
> On Sun, Nov 15, 2020 at 5:06 AM wenxu wrote:
>>
>> On 2020/11/15 2:05, Cong Wang wrote:
>>> On Wed, Nov 11, 2020 at 9:44 PM wrote:
>>>> diff --git a/net/sched/act_frag.c b/net/sched/act_frag.c
>>>>
On 2020/11/18 6:43, Cong Wang wrote:
> On Mon, Nov 16, 2020 at 8:06 PM wenxu wrote:
>>
>> On 11/17/2020 3:01 AM, Cong Wang wrote:
>>> On Sun, Nov 15, 2020 at 5:06 AM wenxu wrote:
>>>> On 2020/11/15 2:05, Cong Wang wrote:
>>>>> On Wed, Nov 11, 20
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v2: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
From: wenxu
The mru in the qdisc_skb_cb should be init as 0. Only defrag packets in the
act_ct will set the value.
Fixes: 038ebb1a713d ("net/sched: act_ct: fix miss set mru for ovs after defrag
in act_ct")
Signed-off-by: wenxu
---
v2: no change
net/core/dev.c | 2 ++
1 file
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
Qemu get virtio_net_config from the vdpa driver. So The vdpa driver
should set the VIRTIO_NET_S_LINK_UP flag to virtio_net_config like
vdpa_sim. Or the link of virtio net NIC in the virtual machine will
never up.
Fixes: 1a86b377aa21 ("vdpa/mlx5: Add VDPA driver for supported
From: wenxu
The TUNNEL_DONT_FRAGMENT flags specific the tunnel outer ip can do
fragment or not in the md mode. Without the TUNNEL_DONT_FRAGMENT
should always do fragment. So it should not care the frag_off in
inner ip.
Fixes: cfc7381b3002 ("ip_tunnel: add collect_md mode to IPIP tunnel"
't cut the big tso packet to several small tcp packet and send to
virtio net device?
BR
wenxu
't cut the big tso packet to several small tcp packet and send to
virtio net device?
BR
wenxu
On 10/24/2020 5:12 AM, Jakub Kicinski wrote:
> On Wed, 21 Oct 2020 17:21:55 +0800 we...@ucloud.cn wrote:
>> From: wenxu
>>
>> The TUNNEL_DONT_FRAGMENT flags specific the tunnel outer ip can do
>> fragment or not in the md mode. Without the TUNNEL_DONT_FRAGMENT
>>
On 10/27/2020 11:55 PM, Jakub Kicinski wrote:
> On Tue, 27 Oct 2020 08:51:07 -0600 David Ahern wrote:
>>> Is this another incarnation of 4cb47a8644cc ("tunnels: PMTU discovery
>>> support for directly bridged IP packets")? Sounds like non-UDP tunnels
>>> need the same treatment to make PMTUD work
So there are some proper solution for this problem. In the Internet we can't
avoid the fragment packets.
BR
wenxu
From: wenxu
The tunnel device such as vxlan, bareudp and geneve in the lwt mode set
the outer df only based TUNNEL_DONT_FRAGMENT.
And this is also the same behavior for gre device before switching to use
ip_md_tunnel_xmit as the following patch.
962924f ip_gre: Refactor collect metatdata mode
Cohen wrote:
> On Thu, Oct 22, 2020 at 06:40:56PM +0800, wenxu wrote:
>
> Please make sure your firmware is updated.
>
> https://www.mellanox.com/support/firmware/connectx6dx
>
>> Hi mellanox team,
>>
>>
>> I test the mlx5 vdpa in linux-5.9 and meet severa
On 10/30/2020 6:59 AM, Marcelo Ricardo Leitner wrote:
> Cc'ing Cong, Paul, Oz and Davide.
>
> On Thu, Oct 29, 2020 at 10:22:04AM +0800, wenxu wrote:
>> Only do gso for the reassembly big packet is also can't fix all the
>> case such for icmp packet.
> Good
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net/sch_generic.h
index
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v2: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
On 11/5/2020 4:04 PM, Marcelo Ricardo Leitner wrote:
> On Wed, Nov 04, 2020 at 04:56:32PM +0800, we...@ucloud.cn wrote:
>
>
>
>> +
>> static void tcf_action_goto_chain_exec(const struct tc_action *a,
>> struct tcf_result *res)
>> {
>> diff --git a/net/sched/a
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v3: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
On 11/5/2020 4:14 PM, Marcelo Ricardo Leitner wrote:
> On Thu, Nov 05, 2020 at 03:52:27PM +0800, we...@ucloud.cn wrote:
>
> We cross-posted :)
> I think my comments on the v1 still applies, btw.
>
> ...
>> This patch add support for a xmit hook to mirred, that gets executed before
>> xmiting the
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v4: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
7
> [ 558.694101] skb linear: 00f0: 38 39 30 31 32 33 34 35 36 37 38 39 30
> 31 32 33
> [ 558.695523] skb linear: 0100: 34 35 36 37 38 39 30 31 32 33 34 35 36
> 37 38 39
Hi Vlad,
I find the packet in the warning is not a defrag one. It is a gso packet.
The tcf_frag_xmit_hook should first check the mru. I think the
problem is qdisc_skb_cb(skb)->mru is not init in the sch_handle_ingress.
BR
wenxu
>
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
Currently kernel tc subsystem can do conntrack in act_ct. But when several
fragment packets go through the act_ct, function tcf_ct_handle_fragments
will defrag the packets to a big one. But the last action will redirect
mirred to a device which maybe lead the reassembly big packet
From: wenxu
The mru in the qdisc_skb_cb should be init as 0. Only defrag packets in the
act_ct will set the value.
Fixes: 038ebb1a713d ("net/sched: act_ct: fix miss set mru for ovs after defrag
in act_ct")
Signed-off-by: wenxu
---
v5: new patch
net/core/dev.c | 2 ++
1 file
From: wenxu
This one is prepare for the next patch.
Signed-off-by: wenxu
---
v5: no change
include/net/sch_generic.h | 5 -
net/sched/act_mirred.c| 21 +++--
2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/sch_generic.h b/include/net
From: wenxu
Add invalid and reply flags validate in the fl_validate_ct_state.
Signed-off-by: wenxu
---
net/sched/cls_flower.c | 15 +++
1 file changed, 15 insertions(+)
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 2409e52..18430db 100644
--- a/net/sched
From: wenxu
Add invalid and reply flags validate in the fl_validate_ct_state.
This makes the checking complete if compared to ovs'
validate_ct_state().
Signed-off-by: wenxu
---
net/sched/cls_flower.c | 15 +++
1 file changed, 15 insertions(+)
diff --git a/net/sched/cls_flowe
From: wenxu
In the nft_offload there is the mate flow_dissector with no
ingress_ifindex but with ingress_iftype that only be used
in the software. So if the mask of ingress_ifindex in meta is
0, this meta check should be bypass.
Fixes: 6d65bc64e232 ("net/mlx5e: Add mlx5e_flower_parse
From: wenxu
Reject the unknown ct_state flags of cls flower rules. This also make
the userspace like ovs to probe the ct_state flags support in the
kernel.
Signed-off-by: wenxu
---
include/uapi/linux/pkt_cls.h | 9 +
net/sched/cls_flower.c | 4
2 files changed, 13
From: wenxu
Reject the unsupported and invalid ct_state flags of cls flower rules.
Fixes: e0ace68af2ac ("net/sched: cls_flower: Add matching on conntrack info")
Signed-off-by: wenxu
---
include/uapi/linux/pkt_cls.h | 7 +++
net/sched/cls_flower.c
On 2021/2/4 21:38, Marcelo Ricardo Leitner wrote:
> Hi,
>
> On Thu, Feb 04, 2021 at 12:17:24PM +0800, we...@ucloud.cn wrote:
>> From: wenxu
>>
>> Reject the unknown ct_state flags of cls flower rules. This also make
>> the userspace like ovs to probe the ct_sta
From: wenxu
Reject the unsupported and invalid ct_state flags of cls flower rules.
Fixes: e0ace68af2ac ("net/sched: cls_flower: Add matching on conntrack info")
Signed-off-by: wenxu
---
v3: using NLA_POLICY_MASK and NL_SET_ERR_MSG_ATTR
include/uapi/linux/pkt_cls.h | 7 +++
From: wenxu
Reject the unsupported and invalid ct_state flags of cls flower rules.
Fixes: e0ace68af2ac ("net/sched: cls_flower: Add matching on conntrack info")
Signed-off-by: wenxu
---
net/sched/cls_flower.c | 36 +++-
1 file changed, 35 insert
From: wenxu
Reject the unsupported and invalid ct_state flags of cls flower rules.
Fixes: e0ace68af2ac ("net/sched: cls_flower: Add matching on conntrack info")
Signed-off-by: wenxu
---
include/uapi/linux/pkt_cls.h | 2 ++
net/sched/cls_flower.c
viour, I have not figured
> out what to do about it yet.
>
> On 2021/03/13 00:06, Marcelo Leitner wrote:
>> Hi there,
>>
>> On Wed, Mar 10, 2021 at 12:06:52PM +0100, Ilya Maximets wrote:
>>> Hi, Louis. Thanks for your report!
>>>
>>> Marcelo, Paul
From: wenxu
The ct_state validate should not only check the mask bit and also
check the state bit.
For the +new+est case example, The 'new' and 'est' bits should be
set in both state_mask and state flags. Or the -new-est case also
will be reject by kernel.
Fixes: 1bcc
From: wenxu
When openvswitch conntrack offload with act_ct action. The first rule
do conntrack in the act_ct in tc subsystem. And miss the next rule in
the tc and fallback to the ovs datapath but miss set post_ct flag
which will lead the ct_state_key with -trk flag.
Fixes: 7baf2429a1a9 ("
From: wenxu
The ct_state validate should not only check the mask bit and also
check mask_bit & key_bit..
For the +new+est case example, The 'new' and 'est' bits should be
set in both state_mask and state flags. Or the -new-est case also
will be reject by kernel.
When Op
Reviewed-by: wenxu
BR
wenxu
On 3/23/2021 2:13 AM, Marcelo Ricardo Leitner wrote:
> From: Marcelo Ricardo Leitner
>
> Invalid detection works with two distinct moments: act_ct tries to find
> a conntrack entry and set post_ct true, indicating that that was
> attempted.
From: wenxu
Ipsec and tls netdev features build should be done after the
mlx5e_init_ipesc/tls which finishes the init for the ipsec/tls
in the driver.
Fixes: 3ef14e463f6e ("net/mlx5e: Separate between netdev objects and mlx5e
profiles initialization")
Signed-off-by: wenxu
---
d
Hi Florian,
Thx, the patch is work!
Br
wenxu
On 6/10/2019 5:44 PM, Florian Westphal wrote:
> we...@ucloud.cn wrote:
>> From: wenxu
>>
>> nft add rule bridge firewall rule-100-ingress ip protocol icmp drop
> nft --debug=netlink add rule bridge firewall rule-100-ing
From: wenxu
bridge vlan add dev veth1 vid 200 pvid untagged
bridge vlan add dev veth2 vid 200 pvid untagged
nft add table bridge firewall
nft add chain bridge firewall zones { type filter hook prerouting priority -
300 \; }
nft add rule bridge firewall zones counter ct zone set vlan id map
On 6/18/2019 6:42 AM, Florian Westphal wrote:
> Pablo Neira Ayuso wrote:
>>> Subject: Change bridge l3 dependency to meta protocol
>>>
>>> This examines skb->protocol instead of ethernet header type, which
>>> might be different when vlan is involved.
>>>
>>> + if (ctx->pctx.family == NFPROT
On 2019/6/18 17:37, Florian Westphal wrote:
> wenxu wrote:
>> On 6/18/2019 6:42 AM, Florian Westphal wrote:
>>> Pablo Neira Ayuso wrote:
>>>>> Subject: Change bridge l3 dependency to meta protocol
>>>>>
>>>>> This examines skb-
On 6/19/2019 12:40 AM, Pablo Neira Ayuso wrote:
> On Sat, Jun 15, 2019 at 08:14:21PM +0800, we...@ucloud.cn wrote:
> [...]
>> +static void nft_bridge_pvid_eval(const struct nft_expr *expr,
>> + struct nft_regs *regs,
>> + const struct nft_pk
From: wenxu
nft add table bridge firewall
nft add chain bridge firewall zones { type filter hook prerouting priority -
300 \; }
nft add rule bridge firewall zones counter ct zone set vlan id map { 100 : 1,
200 : 2 }
As above set the bridge port with pvid, the received packet don't contai
From: wenxu
nft add table bridge firewall
nft add chain bridge firewall zones { type filter hook prerouting priority -
300 \; }
nft add rule bridge firewall zones counter ct zone set vlan id map { 100 : 1,
200 : 2 }
As above set the bridge port with pvid, the received packet don't contai
From: wenxu
ip netns exec ns1 ip a a dev eth0 10.0.0.7/24
ip netns exec ns2 ip link a link eth0 name vlan type vlan id 200
ip netns exec ns2 ip a a dev vlan 10.0.0.8/24
ip l add dev br0 type bridge vlan_filtering 1
brctl addif br0 veth1
brctl addif br0 veth2
bridge vlan add dev veth1 vid 200
From: wenxu
nft add table bridge firewall
nft add chain bridge firewall zones { type filter hook prerouting priority -
300 \; }
nft add rule bridge firewall zones counter ct zone set vlan id map { 100 : 1,
200 : 2 }
As above set the bridge port with pvid, the received packet don't contai
From: wenxu
nft add table bridge firewall
nft add chain bridge firewall zones { type filter hook prerouting priority -
300 \; }
nft add rule bridge firewall zones counter ct zone set vlan id map { 100 : 1,
200 : 2 }
As above set the bridge port with pvid, the received packet don't contai
I will post the nftable patches later. Thanks!
On 2019/6/20 1:02, Pablo Neira Ayuso wrote:
> On Wed, Jun 19, 2019 at 03:16:24PM +0800, we...@ucloud.cn wrote:
>> From: wenxu
>>
>> nft add table bridge firewall
>> nft add chain bridge firewall zones { type filter hook pr
On 2019/6/20 18:48, Pablo Neira Ayuso wrote:
> On Wed, Jun 19, 2019 at 10:35:07PM +0800, we...@ucloud.cn wrote:
> [...]
>> So if the first fragment packet don't contain vlan tag, all of the
>> remain should not contain vlan tag..
> If I understand correctly, the problem is this:
>
> * First fragment
Hi pablo,
Any idea about these two patches?
BR
wenxu
On 6/20/2019 9:17 AM, we...@ucloud.cn wrote:
> From: wenxu
>
> nft add table bridge firewall
> nft add chain bridge firewall zones { type filter hook prerouting priority -
> 300 \; }
> nft add rule bridge firewall zon
From: wenxu
With nf_conntrack_bridge function. The bridge family can do
conntrack it self. The flow offload function based on the
conntrack. So the flow in the bridge with conntrack can be
offloaded.
Signed-off-by: wenxu
---
include/net/netfilter/nf_flow_table.h | 30 +++-
net
From: wenxu
This patch adds the bridge flow table type, that implements the datapath
flow table to forward IPv4 traffic through bridge.
Signed-off-by: wenxu
---
net/bridge/netfilter/Kconfig| 8 +
net/bridge/netfilter/Makefile | 1 +
net/bridge/netfilter
From: wenxu
Add struct flow_offload_dst to support more offload method to replace
dst_cache which only work for route offload.
Signed-off-by: wenxu
---
include/net/netfilter/nf_flow_table.h | 12 ++--
net/netfilter/nf_flow_table_core.c| 22 +++---
net/netfilter
I agree with you, It's a more generic way to set the vlan tag not base on
any bridge. I will resubmit NFT_META_BRI_VLAN_PROTO and
NFT_META_VLAN patches
On 2019/6/26 18:29, Pablo Neira Ayuso wrote:
> Could you add a NFT_META_BRI_VLAN_PROTO? Similar to patch 1/2, to
> retrieve p->br->vlan_proto.
>
> T
From: wenxu
This patch provide a meta vlan to set the vlan tag of the packet.
for q-in-q vlan id 20:
meta vlan set 0x88a8:20
set the default 0x8100 vlan type with vlan id 20
meta vlan set 20
Signed-off-by: wenxu
---
include/uapi/linux/netfilter/nf_tables.h | 4
net/netfilter
From: wenxu
This patch provide a meta to get the bridge vlan proto
nft add rule bridge firewall zones counter meta br_vlan_proto 0x8100
Signed-off-by: wenxu
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_meta.c | 9 +
2 files changed, 11
On 6/27/2019 3:19 AM, Florian Westphal wrote:
> Florian Westphal wrote:
>> we...@ucloud.cn wrote:
>>> diff --git a/net/netfilter/nf_flow_table_ip.c
>>> b/net/netfilter/nf_flow_table_ip.c
>>> index 0016bb8..9af01ef 100644
>>> --- a/net/netfilter/nf_flow_table_ip.c
>>> +++ b/net/netfilter/nf_flo
From: wenxu
This patch provide a meta vlan to set the vlan tag of the packet.
for q-in-q vlan id 20:
meta vlan set 0x88a8:20
set the default 0x8100 vlan type with vlan id 20
meta vlan set 20
Signed-off-by: wenxu
---
include/uapi/linux/netfilter/nf_tables.h | 4
net/netfilter
From: wenxu
This patch provide a meta to get the bridge vlan proto
nft add rule bridge firewall zones counter meta br_iifvproto 0x8100
Signed-off-by: wenxu
---
include/uapi/linux/netfilter/nf_tables.h | 4
net/netfilter/nft_meta.c | 18 ++
2 files
On 2019/6/27 20:35, Pablo Neira Ayuso wrote:
> On Thu, Jun 27, 2019 at 10:09:17AM +0800, we...@ucloud.cn wrote:
>> From: wenxu
>>
>> This patch provide a meta vlan to set the vlan tag of the packet.
>>
>> for q-in-q vlan id 20:
>> meta vlan set 0x88a8:20
>
From: wenxu
This patch provide a meta to get the bridge vlan proto
nft add rule bridge firewall zones counter meta br_vlan_proto 0x8100
Signed-off-by: wenxu
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_meta.c | 9 +
2 files changed, 11
From: wenxu
This patch provide a meta vlan to set the vlan tag of the packet.
for q-in-q outer vlan id 20:
meta vlan set 0x88a8:20
set the default 0x8100 vlan type with vlan id 20
meta vlan set 20
Signed-off-by: wenxu
---
include/uapi/linux/netfilter/nf_tables.h | 4
net/netfilter
On 6/27/2019 8:58 PM, Pablo Neira Ayuso wrote:
> On Thu, Jun 27, 2019 at 02:22:36PM +0800, wenxu wrote:
>> On 6/27/2019 3:19 AM, Florian Westphal wrote:
>>> Florian Westphal wrote:
> [...]
>>>> Whats the idea with this patch?
>>>>
>>>> D
From: wenxu
Add struct flow_offload_dst to support more offload method to replace
dst_cache which only work for route offload.
Signed-off-by: wenxu
---
include/net/netfilter/nf_flow_table.h | 12 ++--
net/netfilter/nf_flow_table_core.c| 22 +++---
net/netfilter
From: wenxu
This patch separate the inet family operation to single function.
Prepare for supporting the bridge family.
Signed-off-by: wenxu
---
net/netfilter/nf_flow_table_core.c | 52 --
net/netfilter/nf_flow_table_ip.c | 34
From: wenxu
With nf_conntrack_bridge function. The bridge family can do
conntrack it self. The flow offload function based on the
conntrack. So the flow in the bridge with conntrack can be
offloaded.
Signed-off-by: wenxu
---
include/net/netfilter/nf_flow_table.h | 31 +++-
net/bridge
From: wenxu
This patch adds the bridge flow table type, that implements the datapath
flow table to forward IPv4 traffic through bridge.
Signed-off-by: wenxu
---
net/bridge/netfilter/Kconfig| 8 +
net/bridge/netfilter/Makefile | 1 +
net/bridge/netfilter
On 6/28/2019 2:06 PM, Florian Westphal wrote:
> wenxu wrote:
>> ns21 iperf to 10.0.0.8 with dport 22 in ns22
>> first time with OFFLOAD enable
>>
>> nft add flowtable bridge firewall fb2 { hook ingress priority 0 \; devices =
>> { veth21, veth22 } \; }
>>
From: wenxu
Add nf_nat_bridge_ops to do nat in the bridge family
Signed-off-by: wenxu
---
include/net/netfilter/nf_nat.h | 3 ++
net/netfilter/nf_nat_proto.c | 63 ++
2 files changed, 66 insertions(+)
diff --git a/include/net/netfilter/nf_nat.h b
From: wenxu
Add nft_chan_nat_bridge to handle nat rule in bridge family
Signed-off-by: wenxu
---
net/netfilter/nft_chain_nat.c | 26 ++
1 file changed, 26 insertions(+)
diff --git a/net/netfilter/nft_chain_nat.c b/net/netfilter/nft_chain_nat.c
index 2f89bde..2ae3fbb
From: wenxu
Add nft_bridge_nat_type to configure nat rule in bridge family
Signed-off-by: wenxu
---
net/netfilter/nft_nat.c | 49 +++--
1 file changed, 47 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
On 7/8/2019 10:17 PM, Florian Westphal wrote:
> we...@ucloud.cn wrote:
>> From: wenxu
>>
>> Add nf_nat_bridge_ops to do nat in the bridge family
> Whats the use case for this?
>
> The reason I'm asking is that a bridge doesn't know about IP,
> Bridg