[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
/*
|
|
|
|
* net/sched/cls_flow.c Generic flow classifier
|
|
|
|
*
|
|
|
|
* Copyright (c) 2007, 2008 Patrick McHardy <kaber@trash.net>
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License
|
|
|
|
* as published by the Free Software Foundation; either version 2
|
|
|
|
* of the License, or (at your option) any later version.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/list.h>
|
|
|
|
#include <linux/jhash.h>
|
|
|
|
#include <linux/random.h>
|
|
|
|
#include <linux/pkt_cls.h>
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/in.h>
|
|
|
|
#include <linux/ip.h>
|
|
|
|
#include <linux/ipv6.h>
|
2008-02-06 00:21:04 +00:00
|
|
|
#include <linux/if_vlan.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 08:04:11 +00:00
|
|
|
#include <linux/slab.h>
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
|
|
|
|
#include <net/pkt_cls.h>
|
|
|
|
#include <net/ip.h>
|
|
|
|
#include <net/route.h>
|
|
|
|
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
|
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
|
|
#endif
|
|
|
|
|
|
|
|
struct flow_head {
|
|
|
|
struct list_head filters;
|
|
|
|
};
|
|
|
|
|
|
|
|
struct flow_filter {
|
|
|
|
struct list_head list;
|
|
|
|
struct tcf_exts exts;
|
|
|
|
struct tcf_ematch_tree ematches;
|
2008-07-15 03:36:32 +00:00
|
|
|
struct timer_list perturb_timer;
|
|
|
|
u32 perturb_period;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
u32 handle;
|
|
|
|
|
|
|
|
u32 nkeys;
|
|
|
|
u32 keymask;
|
|
|
|
u32 mode;
|
|
|
|
u32 mask;
|
|
|
|
u32 xor;
|
|
|
|
u32 rshift;
|
|
|
|
u32 addend;
|
|
|
|
u32 divisor;
|
|
|
|
u32 baseclass;
|
2008-07-15 03:36:32 +00:00
|
|
|
u32 hashrnd;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static const struct tcf_ext_map flow_ext_map = {
|
|
|
|
.action = TCA_FLOW_ACT,
|
|
|
|
.police = TCA_FLOW_POLICE,
|
|
|
|
};
|
|
|
|
|
|
|
|
static inline u32 addr_fold(void *addr)
|
|
|
|
{
|
|
|
|
unsigned long a = (unsigned long)addr;
|
|
|
|
|
|
|
|
return (a & 0xFFFFFFFF) ^ (BITS_PER_LONG > 32 ? a >> 32 : 0);
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_src(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
switch (skb->protocol) {
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IP):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ntohl(ip_hdr(skb)->saddr);
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IPV6):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ntohl(ipv6_hdr(skb)->saddr.s6_addr32[3]);
|
|
|
|
default:
|
|
|
|
return addr_fold(skb->sk);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_dst(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
switch (skb->protocol) {
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IP):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ntohl(ip_hdr(skb)->daddr);
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IPV6):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ntohl(ipv6_hdr(skb)->daddr.s6_addr32[3]);
|
|
|
|
default:
|
2009-06-02 05:19:30 +00:00
|
|
|
return addr_fold(skb_dst(skb)) ^ (__force u16)skb->protocol;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_proto(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
switch (skb->protocol) {
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IP):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ip_hdr(skb)->protocol;
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IPV6):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ipv6_hdr(skb)->nexthdr;
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int has_ports(u8 protocol)
|
|
|
|
{
|
|
|
|
switch (protocol) {
|
|
|
|
case IPPROTO_TCP:
|
|
|
|
case IPPROTO_UDP:
|
|
|
|
case IPPROTO_UDPLITE:
|
|
|
|
case IPPROTO_SCTP:
|
|
|
|
case IPPROTO_DCCP:
|
|
|
|
case IPPROTO_ESP:
|
|
|
|
return 1;
|
|
|
|
default:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_proto_src(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
u32 res = 0;
|
|
|
|
|
|
|
|
switch (skb->protocol) {
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IP): {
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
struct iphdr *iph = ip_hdr(skb);
|
|
|
|
|
|
|
|
if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) &&
|
|
|
|
has_ports(iph->protocol))
|
|
|
|
res = ntohs(*(__be16 *)((void *)iph + iph->ihl * 4));
|
|
|
|
break;
|
|
|
|
}
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IPV6): {
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
struct ipv6hdr *iph = ipv6_hdr(skb);
|
|
|
|
|
|
|
|
if (has_ports(iph->nexthdr))
|
|
|
|
res = ntohs(*(__be16 *)&iph[1]);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
default:
|
|
|
|
res = addr_fold(skb->sk);
|
|
|
|
}
|
|
|
|
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_proto_dst(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
u32 res = 0;
|
|
|
|
|
|
|
|
switch (skb->protocol) {
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IP): {
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
struct iphdr *iph = ip_hdr(skb);
|
|
|
|
|
|
|
|
if (!(iph->frag_off&htons(IP_MF|IP_OFFSET)) &&
|
|
|
|
has_ports(iph->protocol))
|
|
|
|
res = ntohs(*(__be16 *)((void *)iph + iph->ihl * 4 + 2));
|
|
|
|
break;
|
|
|
|
}
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IPV6): {
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
struct ipv6hdr *iph = ipv6_hdr(skb);
|
|
|
|
|
|
|
|
if (has_ports(iph->nexthdr))
|
|
|
|
res = ntohs(*(__be16 *)((void *)&iph[1] + 2));
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
default:
|
2009-06-02 05:19:30 +00:00
|
|
|
res = addr_fold(skb_dst(skb)) ^ (__force u16)skb->protocol;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
return res;
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_iif(const struct sk_buff *skb)
|
|
|
|
{
|
2009-11-20 23:35:04 +00:00
|
|
|
return skb->skb_iif;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_priority(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return skb->priority;
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_mark(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return skb->mark;
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_nfct(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
|
|
|
return addr_fold(skb->nfct);
|
|
|
|
#else
|
|
|
|
return 0;
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
|
|
|
|
#define CTTUPLE(skb, member) \
|
|
|
|
({ \
|
|
|
|
enum ip_conntrack_info ctinfo; \
|
|
|
|
struct nf_conn *ct = nf_ct_get(skb, &ctinfo); \
|
|
|
|
if (ct == NULL) \
|
|
|
|
goto fallback; \
|
|
|
|
ct->tuplehash[CTINFO2DIR(ctinfo)].tuple.member; \
|
|
|
|
})
|
|
|
|
#else
|
|
|
|
#define CTTUPLE(skb, member) \
|
|
|
|
({ \
|
|
|
|
goto fallback; \
|
|
|
|
0; \
|
|
|
|
})
|
|
|
|
#endif
|
|
|
|
|
|
|
|
static u32 flow_get_nfct_src(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
switch (skb->protocol) {
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IP):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ntohl(CTTUPLE(skb, src.u3.ip));
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IPV6):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ntohl(CTTUPLE(skb, src.u3.ip6[3]));
|
|
|
|
}
|
|
|
|
fallback:
|
|
|
|
return flow_get_src(skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_nfct_dst(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
switch (skb->protocol) {
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IP):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ntohl(CTTUPLE(skb, dst.u3.ip));
|
2008-09-21 05:20:49 +00:00
|
|
|
case htons(ETH_P_IPV6):
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return ntohl(CTTUPLE(skb, dst.u3.ip6[3]));
|
|
|
|
}
|
|
|
|
fallback:
|
|
|
|
return flow_get_dst(skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_nfct_proto_src(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return ntohs(CTTUPLE(skb, src.u.all));
|
|
|
|
fallback:
|
|
|
|
return flow_get_proto_src(skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_nfct_proto_dst(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
return ntohs(CTTUPLE(skb, dst.u.all));
|
|
|
|
fallback:
|
|
|
|
return flow_get_proto_dst(skb);
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_rtclassid(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_NET_CLS_ROUTE
|
2009-06-02 05:19:30 +00:00
|
|
|
if (skb_dst(skb))
|
|
|
|
return skb_dst(skb)->tclassid;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
#endif
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_skuid(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
|
2008-11-13 23:39:25 +00:00
|
|
|
return skb->sk->sk_socket->file->f_cred->fsuid;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static u32 flow_get_skgid(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
if (skb->sk && skb->sk->sk_socket && skb->sk->sk_socket->file)
|
2008-11-13 23:39:25 +00:00
|
|
|
return skb->sk->sk_socket->file->f_cred->fsgid;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-02-06 00:21:04 +00:00
|
|
|
static u32 flow_get_vlan_tag(const struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
u16 uninitialized_var(tag);
|
|
|
|
|
|
|
|
if (vlan_get_tag(skb, &tag) < 0)
|
|
|
|
return 0;
|
|
|
|
return tag & VLAN_VID_MASK;
|
|
|
|
}
|
|
|
|
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
static u32 flow_key_get(const struct sk_buff *skb, int key)
|
|
|
|
{
|
|
|
|
switch (key) {
|
|
|
|
case FLOW_KEY_SRC:
|
|
|
|
return flow_get_src(skb);
|
|
|
|
case FLOW_KEY_DST:
|
|
|
|
return flow_get_dst(skb);
|
|
|
|
case FLOW_KEY_PROTO:
|
|
|
|
return flow_get_proto(skb);
|
|
|
|
case FLOW_KEY_PROTO_SRC:
|
|
|
|
return flow_get_proto_src(skb);
|
|
|
|
case FLOW_KEY_PROTO_DST:
|
|
|
|
return flow_get_proto_dst(skb);
|
|
|
|
case FLOW_KEY_IIF:
|
|
|
|
return flow_get_iif(skb);
|
|
|
|
case FLOW_KEY_PRIORITY:
|
|
|
|
return flow_get_priority(skb);
|
|
|
|
case FLOW_KEY_MARK:
|
|
|
|
return flow_get_mark(skb);
|
|
|
|
case FLOW_KEY_NFCT:
|
|
|
|
return flow_get_nfct(skb);
|
|
|
|
case FLOW_KEY_NFCT_SRC:
|
|
|
|
return flow_get_nfct_src(skb);
|
|
|
|
case FLOW_KEY_NFCT_DST:
|
|
|
|
return flow_get_nfct_dst(skb);
|
|
|
|
case FLOW_KEY_NFCT_PROTO_SRC:
|
|
|
|
return flow_get_nfct_proto_src(skb);
|
|
|
|
case FLOW_KEY_NFCT_PROTO_DST:
|
|
|
|
return flow_get_nfct_proto_dst(skb);
|
|
|
|
case FLOW_KEY_RTCLASSID:
|
|
|
|
return flow_get_rtclassid(skb);
|
|
|
|
case FLOW_KEY_SKUID:
|
|
|
|
return flow_get_skuid(skb);
|
|
|
|
case FLOW_KEY_SKGID:
|
|
|
|
return flow_get_skgid(skb);
|
2008-02-06 00:21:04 +00:00
|
|
|
case FLOW_KEY_VLAN_TAG:
|
|
|
|
return flow_get_vlan_tag(skb);
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
default:
|
|
|
|
WARN_ON(1);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int flow_classify(struct sk_buff *skb, struct tcf_proto *tp,
|
|
|
|
struct tcf_result *res)
|
|
|
|
{
|
|
|
|
struct flow_head *head = tp->root;
|
|
|
|
struct flow_filter *f;
|
|
|
|
u32 keymask;
|
|
|
|
u32 classid;
|
|
|
|
unsigned int n, key;
|
|
|
|
int r;
|
|
|
|
|
|
|
|
list_for_each_entry(f, &head->filters, list) {
|
|
|
|
u32 keys[f->nkeys];
|
|
|
|
|
|
|
|
if (!tcf_em_tree_match(skb, &f->ematches, NULL))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
keymask = f->keymask;
|
|
|
|
|
|
|
|
for (n = 0; n < f->nkeys; n++) {
|
|
|
|
key = ffs(keymask) - 1;
|
|
|
|
keymask &= ~(1 << key);
|
|
|
|
keys[n] = flow_key_get(skb, key);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (f->mode == FLOW_MODE_HASH)
|
2008-07-15 03:36:32 +00:00
|
|
|
classid = jhash2(keys, f->nkeys, f->hashrnd);
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
else {
|
|
|
|
classid = keys[0];
|
|
|
|
classid = (classid & f->mask) ^ f->xor;
|
|
|
|
classid = (classid >> f->rshift) + f->addend;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (f->divisor)
|
|
|
|
classid %= f->divisor;
|
|
|
|
|
|
|
|
res->class = 0;
|
|
|
|
res->classid = TC_H_MAKE(f->baseclass, f->baseclass + classid);
|
|
|
|
|
|
|
|
r = tcf_exts_exec(skb, &f->exts, res);
|
|
|
|
if (r < 0)
|
|
|
|
continue;
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2008-07-15 03:36:32 +00:00
|
|
|
static void flow_perturbation(unsigned long arg)
|
|
|
|
{
|
|
|
|
struct flow_filter *f = (struct flow_filter *)arg;
|
|
|
|
|
|
|
|
get_random_bytes(&f->hashrnd, 4);
|
|
|
|
if (f->perturb_period)
|
|
|
|
mod_timer(&f->perturb_timer, jiffies + f->perturb_period);
|
|
|
|
}
|
|
|
|
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
static const struct nla_policy flow_policy[TCA_FLOW_MAX + 1] = {
|
|
|
|
[TCA_FLOW_KEYS] = { .type = NLA_U32 },
|
|
|
|
[TCA_FLOW_MODE] = { .type = NLA_U32 },
|
|
|
|
[TCA_FLOW_BASECLASS] = { .type = NLA_U32 },
|
|
|
|
[TCA_FLOW_RSHIFT] = { .type = NLA_U32 },
|
|
|
|
[TCA_FLOW_ADDEND] = { .type = NLA_U32 },
|
|
|
|
[TCA_FLOW_MASK] = { .type = NLA_U32 },
|
|
|
|
[TCA_FLOW_XOR] = { .type = NLA_U32 },
|
|
|
|
[TCA_FLOW_DIVISOR] = { .type = NLA_U32 },
|
|
|
|
[TCA_FLOW_ACT] = { .type = NLA_NESTED },
|
|
|
|
[TCA_FLOW_POLICE] = { .type = NLA_NESTED },
|
|
|
|
[TCA_FLOW_EMATCHES] = { .type = NLA_NESTED },
|
2008-07-15 03:36:32 +00:00
|
|
|
[TCA_FLOW_PERTURB] = { .type = NLA_U32 },
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
static int flow_change(struct tcf_proto *tp, unsigned long base,
|
|
|
|
u32 handle, struct nlattr **tca,
|
|
|
|
unsigned long *arg)
|
|
|
|
{
|
|
|
|
struct flow_head *head = tp->root;
|
|
|
|
struct flow_filter *f;
|
|
|
|
struct nlattr *opt = tca[TCA_OPTIONS];
|
|
|
|
struct nlattr *tb[TCA_FLOW_MAX + 1];
|
|
|
|
struct tcf_exts e;
|
|
|
|
struct tcf_ematch_tree t;
|
|
|
|
unsigned int nkeys = 0;
|
2008-07-15 03:36:32 +00:00
|
|
|
unsigned int perturb_period = 0;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
u32 baseclass = 0;
|
|
|
|
u32 keymask = 0;
|
|
|
|
u32 mode;
|
|
|
|
int err;
|
|
|
|
|
|
|
|
if (opt == NULL)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
err = nla_parse_nested(tb, TCA_FLOW_MAX, opt, flow_policy);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
if (tb[TCA_FLOW_BASECLASS]) {
|
|
|
|
baseclass = nla_get_u32(tb[TCA_FLOW_BASECLASS]);
|
|
|
|
if (TC_H_MIN(baseclass) == 0)
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (tb[TCA_FLOW_KEYS]) {
|
|
|
|
keymask = nla_get_u32(tb[TCA_FLOW_KEYS]);
|
|
|
|
|
|
|
|
nkeys = hweight32(keymask);
|
|
|
|
if (nkeys == 0)
|
|
|
|
return -EINVAL;
|
2008-02-06 00:19:59 +00:00
|
|
|
|
|
|
|
if (fls(keymask) - 1 > FLOW_KEY_MAX)
|
|
|
|
return -EOPNOTSUPP;
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
err = tcf_exts_validate(tp, tb, tca[TCA_RATE], &e, &flow_ext_map);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
err = tcf_em_tree_validate(tp, tb[TCA_FLOW_EMATCHES], &t);
|
|
|
|
if (err < 0)
|
|
|
|
goto err1;
|
|
|
|
|
|
|
|
f = (struct flow_filter *)*arg;
|
|
|
|
if (f != NULL) {
|
|
|
|
err = -EINVAL;
|
|
|
|
if (f->handle != handle && handle)
|
|
|
|
goto err2;
|
|
|
|
|
|
|
|
mode = f->mode;
|
|
|
|
if (tb[TCA_FLOW_MODE])
|
|
|
|
mode = nla_get_u32(tb[TCA_FLOW_MODE]);
|
|
|
|
if (mode != FLOW_MODE_HASH && nkeys > 1)
|
|
|
|
goto err2;
|
2008-07-15 03:36:32 +00:00
|
|
|
|
|
|
|
if (mode == FLOW_MODE_HASH)
|
|
|
|
perturb_period = f->perturb_period;
|
|
|
|
if (tb[TCA_FLOW_PERTURB]) {
|
|
|
|
if (mode != FLOW_MODE_HASH)
|
|
|
|
goto err2;
|
|
|
|
perturb_period = nla_get_u32(tb[TCA_FLOW_PERTURB]) * HZ;
|
|
|
|
}
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
} else {
|
|
|
|
err = -EINVAL;
|
|
|
|
if (!handle)
|
|
|
|
goto err2;
|
|
|
|
if (!tb[TCA_FLOW_KEYS])
|
|
|
|
goto err2;
|
|
|
|
|
|
|
|
mode = FLOW_MODE_MAP;
|
|
|
|
if (tb[TCA_FLOW_MODE])
|
|
|
|
mode = nla_get_u32(tb[TCA_FLOW_MODE]);
|
|
|
|
if (mode != FLOW_MODE_HASH && nkeys > 1)
|
|
|
|
goto err2;
|
|
|
|
|
2008-07-15 03:36:32 +00:00
|
|
|
if (tb[TCA_FLOW_PERTURB]) {
|
|
|
|
if (mode != FLOW_MODE_HASH)
|
|
|
|
goto err2;
|
|
|
|
perturb_period = nla_get_u32(tb[TCA_FLOW_PERTURB]) * HZ;
|
|
|
|
}
|
|
|
|
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
if (TC_H_MAJ(baseclass) == 0)
|
|
|
|
baseclass = TC_H_MAKE(tp->q->handle, baseclass);
|
|
|
|
if (TC_H_MIN(baseclass) == 0)
|
|
|
|
baseclass = TC_H_MAKE(baseclass, 1);
|
|
|
|
|
|
|
|
err = -ENOBUFS;
|
|
|
|
f = kzalloc(sizeof(*f), GFP_KERNEL);
|
|
|
|
if (f == NULL)
|
|
|
|
goto err2;
|
|
|
|
|
|
|
|
f->handle = handle;
|
|
|
|
f->mask = ~0U;
|
2008-07-15 03:36:32 +00:00
|
|
|
|
|
|
|
get_random_bytes(&f->hashrnd, 4);
|
|
|
|
f->perturb_timer.function = flow_perturbation;
|
|
|
|
f->perturb_timer.data = (unsigned long)f;
|
|
|
|
init_timer_deferrable(&f->perturb_timer);
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
tcf_exts_change(tp, &f->exts, &e);
|
|
|
|
tcf_em_tree_change(tp, &f->ematches, &t);
|
|
|
|
|
|
|
|
tcf_tree_lock(tp);
|
|
|
|
|
|
|
|
if (tb[TCA_FLOW_KEYS]) {
|
|
|
|
f->keymask = keymask;
|
|
|
|
f->nkeys = nkeys;
|
|
|
|
}
|
|
|
|
|
|
|
|
f->mode = mode;
|
|
|
|
|
|
|
|
if (tb[TCA_FLOW_MASK])
|
|
|
|
f->mask = nla_get_u32(tb[TCA_FLOW_MASK]);
|
|
|
|
if (tb[TCA_FLOW_XOR])
|
|
|
|
f->xor = nla_get_u32(tb[TCA_FLOW_XOR]);
|
|
|
|
if (tb[TCA_FLOW_RSHIFT])
|
|
|
|
f->rshift = nla_get_u32(tb[TCA_FLOW_RSHIFT]);
|
|
|
|
if (tb[TCA_FLOW_ADDEND])
|
|
|
|
f->addend = nla_get_u32(tb[TCA_FLOW_ADDEND]);
|
|
|
|
|
|
|
|
if (tb[TCA_FLOW_DIVISOR])
|
|
|
|
f->divisor = nla_get_u32(tb[TCA_FLOW_DIVISOR]);
|
|
|
|
if (baseclass)
|
|
|
|
f->baseclass = baseclass;
|
|
|
|
|
2008-07-15 03:36:32 +00:00
|
|
|
f->perturb_period = perturb_period;
|
|
|
|
del_timer(&f->perturb_timer);
|
|
|
|
if (perturb_period)
|
|
|
|
mod_timer(&f->perturb_timer, jiffies + perturb_period);
|
|
|
|
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
if (*arg == 0)
|
|
|
|
list_add_tail(&f->list, &head->filters);
|
|
|
|
|
|
|
|
tcf_tree_unlock(tp);
|
|
|
|
|
|
|
|
*arg = (unsigned long)f;
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
err2:
|
|
|
|
tcf_em_tree_destroy(tp, &t);
|
|
|
|
err1:
|
|
|
|
tcf_exts_destroy(tp, &e);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void flow_destroy_filter(struct tcf_proto *tp, struct flow_filter *f)
|
|
|
|
{
|
2008-07-15 03:36:32 +00:00
|
|
|
del_timer_sync(&f->perturb_timer);
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
tcf_exts_destroy(tp, &f->exts);
|
|
|
|
tcf_em_tree_destroy(tp, &f->ematches);
|
|
|
|
kfree(f);
|
|
|
|
}
|
|
|
|
|
|
|
|
static int flow_delete(struct tcf_proto *tp, unsigned long arg)
|
|
|
|
{
|
|
|
|
struct flow_filter *f = (struct flow_filter *)arg;
|
|
|
|
|
|
|
|
tcf_tree_lock(tp);
|
|
|
|
list_del(&f->list);
|
|
|
|
tcf_tree_unlock(tp);
|
|
|
|
flow_destroy_filter(tp, f);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int flow_init(struct tcf_proto *tp)
|
|
|
|
{
|
|
|
|
struct flow_head *head;
|
|
|
|
|
|
|
|
head = kzalloc(sizeof(*head), GFP_KERNEL);
|
|
|
|
if (head == NULL)
|
|
|
|
return -ENOBUFS;
|
|
|
|
INIT_LIST_HEAD(&head->filters);
|
|
|
|
tp->root = head;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void flow_destroy(struct tcf_proto *tp)
|
|
|
|
{
|
|
|
|
struct flow_head *head = tp->root;
|
|
|
|
struct flow_filter *f, *next;
|
|
|
|
|
|
|
|
list_for_each_entry_safe(f, next, &head->filters, list) {
|
|
|
|
list_del(&f->list);
|
|
|
|
flow_destroy_filter(tp, f);
|
|
|
|
}
|
|
|
|
kfree(head);
|
|
|
|
}
|
|
|
|
|
|
|
|
static unsigned long flow_get(struct tcf_proto *tp, u32 handle)
|
|
|
|
{
|
|
|
|
struct flow_head *head = tp->root;
|
|
|
|
struct flow_filter *f;
|
|
|
|
|
|
|
|
list_for_each_entry(f, &head->filters, list)
|
|
|
|
if (f->handle == handle)
|
|
|
|
return (unsigned long)f;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void flow_put(struct tcf_proto *tp, unsigned long f)
|
|
|
|
{
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int flow_dump(struct tcf_proto *tp, unsigned long fh,
|
|
|
|
struct sk_buff *skb, struct tcmsg *t)
|
|
|
|
{
|
|
|
|
struct flow_filter *f = (struct flow_filter *)fh;
|
|
|
|
struct nlattr *nest;
|
|
|
|
|
|
|
|
if (f == NULL)
|
|
|
|
return skb->len;
|
|
|
|
|
|
|
|
t->tcm_handle = f->handle;
|
|
|
|
|
|
|
|
nest = nla_nest_start(skb, TCA_OPTIONS);
|
|
|
|
if (nest == NULL)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_KEYS, f->keymask);
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_MODE, f->mode);
|
|
|
|
|
|
|
|
if (f->mask != ~0 || f->xor != 0) {
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_MASK, f->mask);
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_XOR, f->xor);
|
|
|
|
}
|
|
|
|
if (f->rshift)
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_RSHIFT, f->rshift);
|
|
|
|
if (f->addend)
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_ADDEND, f->addend);
|
|
|
|
|
|
|
|
if (f->divisor)
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_DIVISOR, f->divisor);
|
|
|
|
if (f->baseclass)
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_BASECLASS, f->baseclass);
|
|
|
|
|
2008-07-15 03:36:32 +00:00
|
|
|
if (f->perturb_period)
|
|
|
|
NLA_PUT_U32(skb, TCA_FLOW_PERTURB, f->perturb_period / HZ);
|
|
|
|
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
if (tcf_exts_dump(skb, &f->exts, &flow_ext_map) < 0)
|
|
|
|
goto nla_put_failure;
|
2008-02-05 10:56:48 +00:00
|
|
|
#ifdef CONFIG_NET_EMATCH
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
if (f->ematches.hdr.nmatches &&
|
|
|
|
tcf_em_tree_dump(skb, &f->ematches, TCA_FLOW_EMATCHES) < 0)
|
|
|
|
goto nla_put_failure;
|
2008-02-05 10:56:48 +00:00
|
|
|
#endif
|
[NET_SCHED]: Add flow classifier
Add new "flow" classifier, which is meant to extend the SFQ hashing
capabilities without hard-coding new hash functions and also allows
deterministic mappings of keys to classes, replacing some out of tree
iptables patches like IPCLASSIFY (maps IPs to classes), IPMARK (maps
IPs to marks, with fw filters to classes), ...
Some examples:
- Classic SFQ hash:
tc filter add ... flow hash \
keys src,dst,proto,proto-src,proto-dst divisor 1024
- Classic SFQ hash, but using information from conntrack to work properly in
combination with NAT:
tc filter add ... flow hash \
keys nfct-src,nfct-dst,proto,nfct-proto-src,nfct-proto-dst divisor 1024
- Map destination IPs of 192.168.0.0/24 to classids 1-257:
tc filter add ... flow map \
key dst addend -192.168.0.0 divisor 256
- alternatively:
tc filter add ... flow map \
key dst and 0xff
- similar, but reverse ordered:
tc filter add ... flow map \
key dst and 0xff xor 0xff
Perturbation is currently not supported because we can't reliable kill the
timer on destruction.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-02-01 02:37:42 +00:00
|
|
|
nla_nest_end(skb, nest);
|
|
|
|
|
|
|
|
if (tcf_exts_dump_stats(skb, &f->exts, &flow_ext_map) < 0)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
|
|
return skb->len;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
nlmsg_trim(skb, nest);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void flow_walk(struct tcf_proto *tp, struct tcf_walker *arg)
|
|
|
|
{
|
|
|
|
struct flow_head *head = tp->root;
|
|
|
|
struct flow_filter *f;
|
|
|
|
|
|
|
|
list_for_each_entry(f, &head->filters, list) {
|
|
|
|
if (arg->count < arg->skip)
|
|
|
|
goto skip;
|
|
|
|
if (arg->fn(tp, (unsigned long)f, arg) < 0) {
|
|
|
|
arg->stop = 1;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
skip:
|
|
|
|
arg->count++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static struct tcf_proto_ops cls_flow_ops __read_mostly = {
|
|
|
|
.kind = "flow",
|
|
|
|
.classify = flow_classify,
|
|
|
|
.init = flow_init,
|
|
|
|
.destroy = flow_destroy,
|
|
|
|
.change = flow_change,
|
|
|
|
.delete = flow_delete,
|
|
|
|
.get = flow_get,
|
|
|
|
.put = flow_put,
|
|
|
|
.dump = flow_dump,
|
|
|
|
.walk = flow_walk,
|
|
|
|
.owner = THIS_MODULE,
|
|
|
|
};
|
|
|
|
|
|
|
|
static int __init cls_flow_init(void)
|
|
|
|
{
|
|
|
|
return register_tcf_proto_ops(&cls_flow_ops);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit cls_flow_exit(void)
|
|
|
|
{
|
|
|
|
unregister_tcf_proto_ops(&cls_flow_ops);
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(cls_flow_init);
|
|
|
|
module_exit(cls_flow_exit);
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
|
|
|
|
MODULE_DESCRIPTION("TC flow classifier");
|