netfilter: nf_tables: flow offload expression

Add new instruction for the nf_tables VM that allows us to specify what flows are offloaded into a given flow table via name. This new instruction creates the flow entry and adds it to the flow table. Only established flows, ie. we have seen traffic in both directions, are added to the flow table. You can still decide to offload entries at a later stage via packet counting or checking the ct status in case you want to offload assured conntracks. This new extension depends on the conntrack subsystem. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2018-01-07 01:04:26 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-01-08 18:11:10 +0100
commit: a3c90f7a2323b331ae816d5b0633e68148e25d04 (patch)
tree: f1627d07f5edde779b90b40249c4cc6d04b17906 /net/netfilter/Kconfig
parent: 7c23b629a8085b11daccd68c62b5116ff498f84a (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 272803079bf2..0ee0fcf3abbf 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -505,6 +505,13 @@ config NFT_CT
 	  This option adds the "ct" expression that you can use to match
 	  connection tracking information such as the flow state.
 
+config NFT_FLOW_OFFLOAD
+	depends on NF_CONNTRACK
+	tristate "Netfilter nf_tables hardware flow offload module"
+	help
+	  This option adds the "flow_offload" expression that you can use to
+	  choose what flows are placed into the hardware.
+
 config NFT_SET_RBTREE
 	tristate "Netfilter nf_tables rbtree set module"
 	help
author	Pablo Neira Ayuso <pablo@netfilter.org>	2018-01-07 01:04:26 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-01-08 18:11:10 +0100
commit	a3c90f7a2323b331ae816d5b0633e68148e25d04 (patch)
tree	f1627d07f5edde779b90b40249c4cc6d04b17906 /net/netfilter/Kconfig
parent	7c23b629a8085b11daccd68c62b5116ff498f84a (diff)