netfilter: nf_tables_offload: allow ethernet interface type only

Hardware offload support at this stage assumes an ethernet device in
place. The flow dissector provides the intermediate representation to
express this selector, so extend it to allow to store the interface
type. Flower does not uses this, so skb_flow_dissect_meta() is not
extended to match on this new field.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h
index b1063db63e6690b261af50c879c2305f698769b4..1a0727d1acfa915aa7f38ae27211c717a1657969 100644 (file)
--- a/include/net/flow_dissector.h
+++ b/include/net/flow_dissector.h
@@ -203,9 +203,11 @@ struct flow_dissector_key_ip {
 /**
  * struct flow_dissector_key_meta:
  * @ingress_ifindex: ingress ifindex
+ * @ingress_iftype: ingress interface type
  */
 struct flow_dissector_key_meta {
        int ingress_ifindex;
+       u16 ingress_iftype;
 };
 
 /**

diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index 0744b2bb46da922b20f1a4798639916cd29f8587..b8092069f868fa7ee9608bbe3653e9ec701fbc8f 100644 (file)
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -10,6 +10,7 @@
 #include <linux/module.h>
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
+#include <linux/if_arp.h>
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_core.h>
 #include <net/netfilter/nf_tables_offload.h>
@@ -125,6 +126,11 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
        flow->match.dissector.used_keys |= BIT(reg->key);
        flow->match.dissector.offset[reg->key] = reg->base_offset;
 
+       if (reg->key == FLOW_DISSECTOR_KEY_META &&
+           reg->offset == offsetof(struct nft_flow_key, meta.ingress_iftype) &&
+           nft_reg_load16(priv->data.data) != ARPHRD_ETHER)
+               return -EOPNOTSUPP;
+
        nft_offload_update_dependency(ctx, &priv->data, priv->len);
 
        return 0;

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 8fbea031bd4a746604c2082c7eeb969a37cec912..9740b554fdb311216f2337ccab508cedd3d8c8d1 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -551,6 +551,10 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
                NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
                                  ingress_ifindex, sizeof(__u32), reg);
                break;
+       case NFT_META_IIFTYPE:
+               NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
+                                 ingress_iftype, sizeof(__u16), reg);
+               break;
        default:
                return -EOPNOTSUPP;
        }