* [PATCH net-next 0/3] mlxsw: spectrum_acl: Forbid unsupported filters
@ 2019-07-27 17:32 Ido Schimmel
From: Ido Schimmel @ 2019-07-27 17:32 UTC (permalink / raw)
To: netdev; +Cc: davem, jiri, mlxsw, Ido Schimmel
From: Ido Schimmel <idosch@mellanox.com>
Patches #1-#2 make mlxsw reject unsupported egress filters. These
include filters that match on VLAN and filters associated with a
redirect action. Patch #1 rejects such filters when they are configured
on egress and patch #2 rejects such filters when they are configured in
a shared block that the user tries to bind to egress.
Patch #3 forbids matching on reserved TCP flags as this is not supported
by the current keys that mlxsw uses.
Jiri Pirko (3):
mlxsw: spectrum_flower: Forbid to offload mirred redirect on egress
mlxsw: spectrum_acl: Track rules that forbid egress block bind
mlxsw: spectrum_flower: Forbid to offload match on reserved TCP flags bits
.../net/ethernet/mellanox/mlxsw/spectrum.c | 2 +-
.../net/ethernet/mellanox/mlxsw/spectrum.h | 7 ++++--
.../ethernet/mellanox/mlxsw/spectrum_acl.c | 17 ++++++++++----
.../ethernet/mellanox/mlxsw/spectrum_flower.c | 22 +++++++++++++++++++
4 files changed, 41 insertions(+), 7 deletions(-)
--
2.21.0
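Added example, not code from the series or from the kernel: a user-space model of the reserved-bit rejection that patch #3 adds to mlxsw_sp_flower_parse_tcp(), so the layout of the 16-bit TCP flags word and the byte-order handling behind the htons(0x0E00) test can be exercised without the driver or a Spectrum ASIC. Every identifier here is the example's own; the tc-style "VALUE[/MASK]" parser and its 0xffff default for a missing mask are assumptions of the example, not statements about iproute2.

```c
/* Added example, not code from the mlxsw series or the kernel: a user-space
 * model of the reserved-bit check that patch 3 adds to
 * mlxsw_sp_flower_parse_tcp(), so the bit layout and the byte-order handling
 * can be exercised without the driver or a Spectrum ASIC. */
#include <arpa/inet.h>		/* htons, ntohs */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The 16-bit word at TCP header offset 12, which is what the flow
 * dissector's tcp.flags key/mask pair describes (network byte order):
 *   bits 15..12  data offset
 *   bits 11..9   reserved            -> 0x0E00, the constant in the patch
 *   bits  8..0   NS CWR ECE URG ACK PSH RST SYN FIN */
#define TCP_WORD_RESERVED_MASK	0x0E00u

struct tcp_flags_match {
	uint16_t key_be;		/* kept as the kernel keeps them: __be16 */
	uint16_t mask_be;
};

/* Parse a tc-flower style "VALUE[/MASK]" (hex) into network-order key/mask.
 * A missing mask is taken as 0xffff; that default is an assumption of this
 * example, not a claim about iproute2. Returns 0, or -1 on malformed input. */
static int parse_tcp_flags_option(const char *opt, struct tcp_flags_match *m)
{
	unsigned long key, mask = 0xFFFFu;
	const char *p;
	char *end;

	key = strtoul(opt, &end, 16);
	if (end == opt || key > 0xFFFFu)
		return -1;
	if (*end == '/') {
		p = end + 1;
		mask = strtoul(p, &end, 16);
		if (end == p || mask > 0xFFFFu)
			return -1;
	}
	if (*end != '\0')
		return -1;
	m->key_be = htons((uint16_t)key);
	m->mask_be = htons((uint16_t)mask);
	return 0;
}

/* The patch's test: the mask is network order, so the constant goes through
 * htons() before the AND. */
static int mask_touches_reserved_bits(const struct tcp_flags_match *m)
{
	return (m->mask_be & htons(TCP_WORD_RESERVED_MASK)) != 0;
}

/* Same test with the htons() forgotten. On a little-endian host the stored
 * SYN mask (0x0002, bytes 00 02, host value 0x0200) lands inside 0x0E00 and a
 * real reserved bit (0x0200, host value 0x0002) lands outside it: the verdict
 * inverts. */
static int mask_touches_reserved_bits_no_htons(const struct tcp_flags_match *m)
{
	return (m->mask_be & TCP_WORD_RESERVED_MASK) != 0;
}

/* 1 if the (correct or buggy) check rejects the option, 0 if it passes,
 * -1 if the option is malformed. */
static int reserved_bits_rejects(const char *opt, int with_htons)
{
	struct tcp_flags_match m;

	if (parse_tcp_flags_option(opt, &m) < 0)
		return -1;
	return with_htons ? mask_touches_reserved_bits(&m)
			  : mask_touches_reserved_bits_no_htons(&m);
}

/* What the driver hands to mlxsw_sp_acl_rulei_keymask_u32() after the patch:
 * host-order key << 16 | mask, or 0xffffffff when the rule is refused. */
static uint32_t offload_keymask(const char *opt)
{
	struct tcp_flags_match m;

	if (parse_tcp_flags_option(opt, &m) < 0 || mask_touches_reserved_bits(&m))
		return 0xFFFFFFFFu;
	return (uint32_t)ntohs(m.key_be) << 16 | ntohs(m.mask_be);
}

int main(void)
{
	const char *opts[] = { "0x02/0x02", "0x12/0x1ff", "0x200/0x200", "0x02", "zz" };
	for (size_t i = 0; i < sizeof(opts) / sizeof(opts[0]); i++) {
		int rc = reserved_bits_rejects(opts[i], 1);
		if (rc == 0)
			printf("%-12s offloaded, key<<16|mask = 0x%08x\n", opts[i], offload_keymask(opts[i]));
		else
			printf("%-12s rejected (%s)\n", opts[i], rc == 1 ? "reserved bits in mask" : "malformed option");
	}
	return 0;
}
```

Build with `cc -std=c99 -Wall tcp_flags_check.c`. The "0x02" case is the instructive one: with the example's assumed full-word default mask, a filter that names only SYN still carries the reserved bits in its mask and is refused, so an explicit 9-bit mask such as 0x02/0x1ff is what keeps a flags match offloadable after this patch.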
^ permalink raw reply [flat|nested] 5+ messages in thread* [PATCH net-next 1/3] mlxsw: spectrum_flower: Forbid to offload mirred redirect on egress 2019-07-27 17:32 [PATCH net-next 0/3] mlxsw: spectrum_acl: Forbid unsupported filters Ido Schimmel @ 2019-07-27 17:32 ` Ido Schimmel 2019-07-27 17:32 ` [PATCH net-next 2/3] mlxsw: spectrum_acl: Track rules that forbid egress block bind Ido Schimmel ` (2 subsequent siblings) 3 siblings, 0 replies; 5+ messages in thread From: Ido Schimmel @ 2019-07-27 17:32 UTC (permalink / raw) To: netdev; +Cc: davem, jiri, mlxsw, Ido Schimmel From: Jiri Pirko <jiri@mellanox.com> Spectrum ASIC does not support redirection on egress, so refuse to insert such flows: $ tc qdisc add dev ens16np1 clsact $ tc filter add dev ens16np1 egress protocol all pref 1 handle 101 flower skip_sw action mirred egress redirect dev ens16np2 Error: mlxsw_spectrum: Redirect action is not supported on egress. Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: Ido Schimmel <idosch@mellanox.com> --- drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c index 202e9a246019..1eeac8a36ead 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c @@ -78,6 +78,11 @@ static int mlxsw_sp_flower_parse_actions(struct mlxsw_sp *mlxsw_sp, struct mlxsw_sp_fid *fid; u16 fid_index; + if (mlxsw_sp_acl_block_is_egress_bound(block)) { + NL_SET_ERR_MSG_MOD(extack, "Redirect action is not supported on egress"); + return -EOPNOTSUPP; + } + fid = mlxsw_sp_acl_dummy_fid(mlxsw_sp); fid_index = mlxsw_sp_fid_index(fid); err = mlxsw_sp_acl_rulei_act_fid_set(mlxsw_sp, rulei, -- 2.21.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
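Review bot: the check added at the top of the redirect case in mlxsw_sp_flower_parse_actions() consults mlxsw_sp_acl_block_is_egress_bound(block) only at the moment the rule is parsed, so a redirect rule placed in a shared block that is bound to egress afterwards is not refused by this hunk on its own; patch 2 of the series adds the egress_bind_blocker tracking that covers that order of operations, and this commit message should say it relies on it. Returning -EOPNOTSUPP with the extack text is consistent with the existing vlan_id rejection in mlxsw_sp_flower_parse(), which is the right choice.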
* [PATCH net-next 2/3] mlxsw: spectrum_acl: Track rules that forbid egress block bind 2019-07-27 17:32 [PATCH net-next 0/3] mlxsw: spectrum_acl: Forbid unsupported filters Ido Schimmel 2019-07-27 17:32 ` [PATCH net-next 1/3] mlxsw: spectrum_flower: Forbid to offload mirred redirect on egress Ido Schimmel @ 2019-07-27 17:32 ` Ido Schimmel 2019-07-27 17:32 ` [PATCH net-next 3/3] mlxsw: spectrum_flower: Forbid to offload match on reserved TCP flags bits Ido Schimmel 2019-07-27 21:32 ` [PATCH net-next 0/3] mlxsw: spectrum_acl: Forbid unsupported filters David Miller 3 siblings, 0 replies; 5+ messages in thread From: Ido Schimmel @ 2019-07-27 17:32 UTC (permalink / raw) To: netdev; +Cc: davem, jiri, mlxsw, Ido Schimmel From: Jiri Pirko <jiri@mellanox.com> Some matches and actions are not supported on egress. Track such rules and forbid a bind of block which contains them to egress. With this patch, the kernel tells the user he cannot do that: $ tc qdisc add dev ens16np1 ingress_block 22 clsact $ tc filter add block 22 protocol 802.1q pref 2 handle 101 flower vlan_id 100 skip_sw action pass $ tc qdisc add dev ens16np2 egress_block 22 clsact Error: mlxsw_spectrum: Block cannot be bound to egress because it contains unsupported rules. Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: Ido Schimmel <idosch@mellanox.com> --- drivers/net/ethernet/mellanox/mlxsw/spectrum.c | 2 +- drivers/net/ethernet/mellanox/mlxsw/spectrum.h | 7 +++++-- .../net/ethernet/mellanox/mlxsw/spectrum_acl.c | 17 +++++++++++++---- .../ethernet/mellanox/mlxsw/spectrum_flower.c | 11 +++++++++++ 4 files changed, 30 insertions(+), 7 deletions(-) diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c index 7e8a54068d92..9277b3f125e8 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.c 
@@ -1625,7 +1625,7 @@ mlxsw_sp_setup_tc_block_flower_bind(struct mlxsw_sp_port *mlxsw_sp_port, } flow_block_cb_incref(block_cb); err = mlxsw_sp_acl_block_bind(mlxsw_sp, acl_block, - mlxsw_sp_port, ingress); + mlxsw_sp_port, ingress, f->extack); if (err) goto err_block_bind; diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h index 131f62ce9297..c78d93afbb9d 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum.h +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum.h @@ -623,7 +623,8 @@ struct mlxsw_sp_acl_rule_info { unsigned int priority; struct mlxsw_afk_element_values values; struct mlxsw_afa_block *act_block; - u8 action_created:1; + u8 action_created:1, + egress_bind_blocker:1; unsigned int counter_index; }; @@ -642,6 +643,7 @@ struct mlxsw_sp_acl_block { struct mlxsw_sp *mlxsw_sp; unsigned int rule_count; unsigned int disable_count; + unsigned int egress_blocker_rule_count; struct net *net; }; @@ -657,7 +659,8 @@ void mlxsw_sp_acl_block_destroy(struct mlxsw_sp_acl_block *block); int mlxsw_sp_acl_block_bind(struct mlxsw_sp *mlxsw_sp, struct mlxsw_sp_acl_block *block, struct mlxsw_sp_port *mlxsw_sp_port, - bool ingress); + bool ingress, + struct netlink_ext_ack *extack); int mlxsw_sp_acl_block_unbind(struct mlxsw_sp *mlxsw_sp, struct mlxsw_sp_acl_block *block, struct mlxsw_sp_port *mlxsw_sp_port, diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c index e8ac90564dbe..1aaab8446270 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c @@ -239,7 +239,8 @@ mlxsw_sp_acl_block_lookup(struct mlxsw_sp_acl_block *block, int mlxsw_sp_acl_block_bind(struct mlxsw_sp *mlxsw_sp, struct mlxsw_sp_acl_block *block, struct mlxsw_sp_port *mlxsw_sp_port, - bool ingress) + bool ingress, + struct netlink_ext_ack *extack) { struct mlxsw_sp_acl_block_binding *binding; int err; 
@@ -247,6 +248,11 @@ int mlxsw_sp_acl_block_bind(struct mlxsw_sp *mlxsw_sp, if (WARN_ON(mlxsw_sp_acl_block_lookup(block, mlxsw_sp_port, ingress))) return -EEXIST; + if (!ingress && block->egress_blocker_rule_count) { + NL_SET_ERR_MSG_MOD(extack, "Block cannot be bound to egress because it contains unsupported rules"); + return -EOPNOTSUPP; + } + binding = kzalloc(sizeof(*binding), GFP_KERNEL); if (!binding) return -ENOMEM; @@ -672,6 +678,7 @@ int mlxsw_sp_acl_rule_add(struct mlxsw_sp *mlxsw_sp, { struct mlxsw_sp_acl_ruleset *ruleset = rule->ruleset; const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; + struct mlxsw_sp_acl_block *block = ruleset->ht_key.block; int err; err = ops->rule_add(mlxsw_sp, ruleset->priv, rule->priv, rule->rulei); @@ -689,14 +696,14 @@ int mlxsw_sp_acl_rule_add(struct mlxsw_sp *mlxsw_sp, * one, to be directly bound to device. The rest of the * rulesets are bound by "Goto action set". */ - err = mlxsw_sp_acl_ruleset_block_bind(mlxsw_sp, ruleset, - ruleset->ht_key.block); + err = mlxsw_sp_acl_ruleset_block_bind(mlxsw_sp, ruleset, block); if (err) goto err_ruleset_block_bind; } list_add_tail(&rule->list, &mlxsw_sp->acl->rules); - ruleset->ht_key.block->rule_count++; + block->rule_count++; + block->egress_blocker_rule_count += rule->rulei->egress_bind_blocker; return 0; err_ruleset_block_bind: @@ -712,7 +719,9 @@ void mlxsw_sp_acl_rule_del(struct mlxsw_sp *mlxsw_sp, { struct mlxsw_sp_acl_ruleset *ruleset = rule->ruleset; const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops; + struct mlxsw_sp_acl_block *block = ruleset->ht_key.block; + block->egress_blocker_rule_count -= rule->rulei->egress_bind_blocker; ruleset->ht_key.block->rule_count--; list_del(&rule->list); if (!ruleset->ht_key.chain_index && diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c index 1eeac8a36ead..c86d582dafbe 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c 
+++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c @@ -83,6 +83,11 @@ static int mlxsw_sp_flower_parse_actions(struct mlxsw_sp *mlxsw_sp, return -EOPNOTSUPP; } + /* Forbid block with this rulei to be bound + * to egress in future. + */ + rulei->egress_bind_blocker = 1; + fid = mlxsw_sp_acl_dummy_fid(mlxsw_sp); fid_index = mlxsw_sp_fid_index(fid); err = mlxsw_sp_acl_rulei_act_fid_set(mlxsw_sp, rulei, @@ -395,6 +400,12 @@ static int mlxsw_sp_flower_parse(struct mlxsw_sp *mlxsw_sp, NL_SET_ERR_MSG_MOD(f->common.extack, "vlan_id key is not supported on egress"); return -EOPNOTSUPP; } + + /* Forbid block with this rulei to be bound + * to egress in future. + */ + rulei->egress_bind_blocker = 1; + if (match.mask->vlan_id != 0) mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_VID, -- 2.21.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
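Review bot: in the mlxsw_sp_acl_rule_del() hunk the new `block` local is used for `block->egress_blocker_rule_count -= rule->rulei->egress_bind_blocker;` but the very next line still reads `ruleset->ht_key.block->rule_count--;`; make it `block->rule_count--;` so both counters are updated through the same pointer, as the mlxsw_sp_acl_rule_add() hunk already does with `block->rule_count++;`.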
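Review bot: in the mlxsw_sp_flower_parse() VLAN hunk `rulei->egress_bind_blocker = 1;` is set before the `if (match.mask->vlan_id != 0)` test, so every rule that reaches this point is marked as an egress-bind blocker whether or not it actually keys on vlan_id; the existing egress rejection just above it (its condition lies outside the hunk context) must use the same criterion, otherwise a rule the driver would accept on egress today can still make a shared block unbindable. A comment saying the two are meant to agree would help, since the user-visible message names vlan_id specifically.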
* [PATCH net-next 3/3] mlxsw: spectrum_flower: Forbid to offload match on reserved TCP flags bits 2019-07-27 17:32 [PATCH net-next 0/3] mlxsw: spectrum_acl: Forbid unsupported filters Ido Schimmel 2019-07-27 17:32 ` [PATCH net-next 1/3] mlxsw: spectrum_flower: Forbid to offload mirred redirect on egress Ido Schimmel 2019-07-27 17:32 ` [PATCH net-next 2/3] mlxsw: spectrum_acl: Track rules that forbid egress block bind Ido Schimmel @ 2019-07-27 17:32 ` Ido Schimmel 2019-07-27 21:32 ` [PATCH net-next 0/3] mlxsw: spectrum_acl: Forbid unsupported filters David Miller 3 siblings, 0 replies; 5+ messages in thread From: Ido Schimmel @ 2019-07-27 17:32 UTC (permalink / raw) To: netdev; +Cc: davem, jiri, mlxsw, Ido Schimmel From: Jiri Pirko <jiri@mellanox.com> Matching on reserved TCP flags bits is only supported using custom parser. Since the usecase for that is not known now, just forbid to offload rules that match on these bits. Reported-by: Alex Kushnarov <alexanderk@mellanox.com> Signed-off-by: Jiri Pirko <jiri@mellanox.com> Signed-off-by: Ido Schimmel <idosch@mellanox.com> --- drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c index c86d582dafbe..0ad1a24abfc6 100644 --- a/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c +++ b/drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c 
@@ -267,6 +267,12 @@ static int mlxsw_sp_flower_parse_tcp(struct mlxsw_sp *mlxsw_sp, flow_rule_match_tcp(rule, &match); + if (match.mask->flags & htons(0x0E00)) { + NL_SET_ERR_MSG_MOD(f->common.extack, "TCP flags match not supported on reserved bits"); + dev_err(mlxsw_sp->bus_info->dev, "TCP flags match not supported on reserved bits\n"); + return -EINVAL; + } + mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_TCP_FLAGS, ntohs(match.key->flags), ntohs(match.mask->flags)); -- 2.21.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
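Review bot: the new rejection in mlxsw_sp_flower_parse_tcp() returns -EINVAL where patches 1 and 2 return -EOPNOTSUPP for the same kind of "the hardware cannot match this" condition, and the dev_err() repeats the extack message into the kernel log on a path a CAP_NET_ADMIN user can hit at will with tc; the extack already reaches the user, so drop the dev_err() and use -EOPNOTSUPP for consistency. The bare `htons(0x0E00)` also wants a named constant or a comment saying it selects the three reserved bits (bits 9 to 11) of the 16-bit TCP flags word that flow_rule_match_tcp() hands back in network byte order.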
* Re: [PATCH net-next 0/3] mlxsw: spectrum_acl: Forbid unsupported filters
@ 2019-07-27 21:32 David Miller
From: David Miller @ 2019-07-27 21:32 UTC (permalink / raw)
To: idosch; +Cc: netdev, jiri, mlxsw, idosch
From: Ido Schimmel <idosch@idosch.org>
Date: Sat, 27 Jul 2019 20:32:54 +0300
> From: Ido Schimmel <idosch@mellanox.com>
>
> Patches #1-#2 make mlxsw reject unsupported egress filters. These
> include filters that match on VLAN and filters associated with a
> redirect action. Patch #1 rejects such filters when they are configured
> on egress and patch #2 rejects such filters when they are configured in
> a shared block that user tries to bind to egress.
>
> Patch #3 forbids matching on reserved TCP flags as this is not supported
> by the current keys that mlxsw uses.
Series applied, thanks.