netfilter: nf_tables_offload: allow ethernet interface type only

Hardware offload support at this stage assumes an ethernet device in
place. The flow dissector provides the intermediate representation to
express this selector, so extend it to allow to store the interface
type. Flower does not uses this, so skb_flow_dissect_meta() is not
extended to match on this new field.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h
index b1063db..1a0727d 100644 (file)
--- a/include/net/flow_dissector.h
+++ b/include/net/flow_dissector.h
@@ -203,9 +203,11 @@ struct flow_dissector_key_ip {
 /**
  * struct flow_dissector_key_meta:
  * @ingress_ifindex: ingress ifindex
+ * @ingress_iftype: ingress interface type
  */
 struct flow_dissector_key_meta {
        int ingress_ifindex;
+       u16 ingress_iftype;
 };
 
 /**

diff --git a/net/netfilter/nft_cmp.c b/net/netfilter/nft_cmp.c
index 0744b2b..b809206 100644 (file)
--- a/net/netfilter/nft_cmp.c
+++ b/net/netfilter/nft_cmp.c
@@ -10,6 +10,7 @@
 #include <linux/module.h>
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
+#include <linux/if_arp.h>
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_core.h>
 #include <net/netfilter/nf_tables_offload.h>
@@ -125,6 +126,11 @@ static int __nft_cmp_offload(struct nft_offload_ctx *ctx,
        flow->match.dissector.used_keys |= BIT(reg->key);
        flow->match.dissector.offset[reg->key] = reg->base_offset;
 
+       if (reg->key == FLOW_DISSECTOR_KEY_META &&
+           reg->offset == offsetof(struct nft_flow_key, meta.ingress_iftype) &&
+           nft_reg_load16(priv->data.data) != ARPHRD_ETHER)
+               return -EOPNOTSUPP;
+
        nft_offload_update_dependency(ctx, &priv->data, priv->len);
 
        return 0;

diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 8fbea03..9740b55 100644 (file)
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -551,6 +551,10 @@ static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
                NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
                                  ingress_ifindex, sizeof(__u32), reg);
                break;
+       case NFT_META_IIFTYPE:
+               NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_META, meta,
+                                 ingress_iftype, sizeof(__u16), reg);
+               break;
        default:
                return -EOPNOTSUPP;
        }