[PATCH] netfilter: flowtable: resolve LAG slave for direct HW offload

[Jihong Min]

FLOW_OFFLOAD_XMIT_DIRECT path discovery can stop at a LAG master because
the real egress port is selected later through ndo_get_xmit_slave().
Hardware flow offload drivers that program per-port redirects need the
selected lower device, while software forwarding must still transmit
through the LAG master.

Keep the route tuple software egress ifindex on the LAG master and carry
a separate hardware redirect ifindex. When the direct egress device is a
LAG master, resolve the selected slave with netdev_get_xmit_slave(),
verify that it belongs to the flowtable, and store it as the hardware
redirect device.

Signed-off-by: Jihong Min <hurryman2212@xxxxxxxxx>
---
 include/net/netfilter/nf_flow_table.h |  1 +
 net/netfilter/nf_flow_table_core.c    |  1 +
 net/netfilter/nf_flow_table_offload.c |  2 +-
 net/netfilter/nf_flow_table_path.c    | 34 ++++++++++++++++++++++++++-
 4 files changed, 36 insertions(+), 2 deletions(-)

diff --git a/include/net/netfilter/nf_flow_table.h b/include/net/netfilter/nf_flow_table.h
index 7b23b245a5a8..ada9db7e5c38 100644
--- a/include/net/netfilter/nf_flow_table.h
+++ b/include/net/netfilter/nf_flow_table.h
@@ -163,6 +163,7 @@ struct flow_offload_tuple {
 		};
 		struct {
 			u32		ifidx;
+			u32		hw_ifidx;
 			u8		h_source[ETH_ALEN];
 			u8		h_dest[ETH_ALEN];
 		} out;
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 785d8c244a77..bc329420f882 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -132,6 +132,7 @@ static int flow_offload_fill_route(struct flow_offload *flow,
 		memcpy(flow_tuple->out.h_source, route->tuple[dir].out.h_source,
 		       ETH_ALEN);
 		flow_tuple->out.ifidx = route->tuple[dir].out.ifindex;
+		flow_tuple->out.hw_ifidx = route->tuple[dir].out.hw_ifindex;
 		dst_release(dst);
 		break;
 	case FLOW_OFFLOAD_XMIT_XFRM:
diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index 002ec15d988b..7c46baa1546d 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -596,7 +596,7 @@ static int flow_offload_redirect(struct net *net,
 	switch (this_tuple->xmit_type) {
 	case FLOW_OFFLOAD_XMIT_DIRECT:
 		this_tuple = &flow->tuplehash[dir].tuple;
-		ifindex = this_tuple->out.ifidx;
+		ifindex = this_tuple->out.hw_ifidx;
 		break;
 	case FLOW_OFFLOAD_XMIT_NEIGH:
 		other_tuple = &flow->tuplehash[!dir].tuple;
diff --git a/net/netfilter/nf_flow_table_path.c b/net/netfilter/nf_flow_table_path.c
index 9e88ea6a2eef..10f38ca27a6f 100644
--- a/net/netfilter/nf_flow_table_path.c
+++ b/net/netfilter/nf_flow_table_path.c
@@ -5,6 +5,7 @@
 #include <linux/etherdevice.h>
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
+#include <linux/netdevice.h>
 #include <linux/spinlock.h>
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_tables.h>
@@ -76,6 +77,7 @@ static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
 struct nft_forward_info {
 	const struct net_device *indev;
 	const struct net_device *outdev;
+	const struct net_device *hw_outdev;
 	struct id {
 		__u16	id;
 		__be16	proto;
@@ -179,6 +181,7 @@ static void nft_dev_path_info(const struct net_device_path_stack *stack,
 		}
 	}
 	info->outdev = info->indev;
+	info->hw_outdev = info->indev;
 
 	if (nf_flowtable_hw_offload(flowtable) &&
 	    nft_is_valid_ether_device(info->indev))
@@ -250,6 +253,7 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
 	struct net_device_path_stack stack;
 	struct nft_forward_info info = {};
 	unsigned char ha[ETH_ALEN];
+	struct net_device *lag_slave = NULL;
 	int i;
 
 	if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
@@ -258,9 +262,34 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
 	if (info.outdev)
 		route->tuple[dir].out.ifindex = info.outdev->ifindex;
 
-	if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
+	if (!info.indev)
 		return;
 
+	if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT &&
+	    netif_is_lag_master(info.hw_outdev)) {
+		rcu_read_lock();
+		lag_slave = netdev_get_xmit_slave((struct net_device *)info.hw_outdev,
+						  pkt->skb, false);
+		if (lag_slave)
+			dev_hold(lag_slave);
+		rcu_read_unlock();
+
+		if (!lag_slave)
+			return;
+
+		if (!nft_is_valid_ether_device(lag_slave)) {
+			dev_put(lag_slave);
+			return;
+		}
+
+		info.hw_outdev = lag_slave;
+	}
+
+	if (!nft_flowtable_find_dev(info.hw_outdev, ft)) {
+		dev_put(lag_slave);
+		return;
+	}
+
 	route->tuple[!dir].in.ifindex = info.indev->ifindex;
 	for (i = 0; i < info.num_encaps; i++) {
 		route->tuple[!dir].in.encap[i].id = info.encap[i].id;
@@ -281,9 +310,12 @@ static void nft_dev_forward_path(const struct nft_pktinfo *pkt,
 	if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
 		memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
 		memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
+		route->tuple[dir].out.hw_ifindex = info.hw_outdev->ifindex;
 		route->tuple[dir].xmit_type = info.xmit_type;
 	}
 	route->tuple[dir].out.needs_gso_segment = info.needs_gso_segment;
+
+	dev_put(lag_slave);
 }
 
 int nft_flow_route(const struct nft_pktinfo *pkt, const struct nf_conn *ct,