From: Ido Schimmel <idosch@idosch.org>
To: "Allan W. Nielsen" <allan.nielsen@microchip.com>
Cc: Vladimir Oltean <olteanv@gmail.com>,
davem@davemloft.net, horatiu.vultur@microchip.com,
alexandre.belloni@bootlin.com, antoine.tenart@bootlin.com,
andrew@lunn.ch, f.fainelli@gmail.com, vivien.didelot@gmail.com,
joergen.andreasen@microchip.com, claudiu.manoil@nxp.com,
netdev@vger.kernel.org, UNGLinuxDriver@microchip.com,
alexandru.marginean@nxp.com, xiaoliang.yang_1@nxp.com,
yangbo.lu@nxp.com, po.liu@nxp.com, jiri@mellanox.com,
kuba@kernel.org
Subject: Re: [PATCH net-next] net: mscc: ocelot: deal with problematic MAC_ETYPE VCAP IS2 rules
Date: Sun, 19 Apr 2020 11:30:32 +0300
Message-ID: <20200419083032.GA3479405@splinter>
In-Reply-To: <20200419073307.uhm3w2jhsczpchvi@ws.localdomain>
On Sun, Apr 19, 2020 at 09:33:07AM +0200, Allan W. Nielsen wrote:
> Hi,
>
> Sorry I did not manage to provide feedback before it was merged (I will
> need to consult some of my colleagues Monday before I can provide the
> full feedback).
>
> There are many good things in this patch, but it is not only good.
>
> The problem is that these TCAMs/VCAPs are insanely complicated and it is
> really hard to make them fit nicely into the existing tc framework
> (being hard does not mean that we should not try).
>
> In this patch, you try to automatically figure out how the user wants the
> TCAM to be configured. It works for 1 use-case but it breaks others.
>
> Before this patch you could do a:
> tc filter add dev swp0 ingress protocol ipv4 \
> flower skip_sw src_ip 10.0.0.1 action drop
> tc filter add dev swp0 ingress \
> flower skip_sw src_mac 96:18:82:00:04:01 action drop
>
> But the second rule would not apply to the ICMP over IPv4 over Ethernet
> packet, it would however apply to non-IP packets.
>
> With this patch it is not possible. Your use-case is more common, but the
> other one is not unrealistic.
>
> My concern with this is that I do not think it is possible to automatically
> detect how these TCAMs need to be configured by only looking at the
> rules installed by the user. Trying to do this automatically also makes the
> TCAM logic even harder to understand for the user.
>
> I would prefer that we by default use some conservative default
> settings which are easy to understand, and then expose some expert
> settings in the sysfs, which can be used to achieve different
> behaviors.
>
> Maybe forcing MAC_ETYPE matches is the most conservative and easiest to
> understand default.
>
> But I do seem to recall that there is a way to allow matching on both
> SMAC and SIP (your original motivation). This may be a better default
> (despite that it consumes more TCAM resources). I will follow up and
> check if this is possible.
>
> Vladimir (and anyone else who is interested): would you be interested in
> spending some time discussing the more high-level architectures and
> use-cases on how to best integrate this TCAM architecture into the Linux
> kernel. Not sure on the outlook for the various conferences, but we
> could arrange some online session to discuss this.

Not sure I completely understand the difficulties you are facing, but it
sounds similar to a problem we had in mlxsw. You might want to look into
"chain templates" [1] in order to restrict the keys that can be used
simultaneously.

I don't mind participating in an online discussion if you think it can
help.

[1] https://github.com/Mellanox/mlxsw/wiki/ACLs#chain-templates
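
The lookup behaviour described in the quoted message, as an added Python model that is not part of the thread and is not driver or hardware code. It assumes each frame is looked up under a single key type; the `IPV4` key label, the `force_mac_etype` switch and `template_accepts` are hypothetical names, and the sample frames are constructed.

```python
# Simplified model (assumption): every frame is looked up under exactly one
# key type, and only rules stored under that key type can hit.
from dataclasses import dataclass

ETH_P_IP = 0x0800
ETH_P_ARP = 0x0806


@dataclass(frozen=True)
class Rule:
    key_type: str   # "IPV4" or "MAC_ETYPE" (labels used by this model)
    match: tuple    # ((field, value), ...)
    action: str


def frame_key_type(frame, force_mac_etype):
    """Key type the port uses to look this frame up."""
    if force_mac_etype or frame["ethertype"] != ETH_P_IP:
        return "MAC_ETYPE"
    return "IPV4"


def lookup(rules, frame, force_mac_etype=False):
    """First-match lookup; returns the rule action, or 'pass' on a miss."""
    ktype = frame_key_type(frame, force_mac_etype)
    for rule in rules:
        if rule.key_type != ktype:
            continue  # rule lives under another key type: cannot hit
        if all(frame.get(field) == value for field, value in rule.match):
            return rule.action
    return "pass"


def template_accepts(template_fields, rule):
    """Chain-template style check: refuse rules using keys outside the template."""
    return {field for field, _ in rule.match} <= set(template_fields)


# The two rules from the quoted message.
RULES = [
    Rule("IPV4", (("src_ip", "10.0.0.1"),), "drop"),
    Rule("MAC_ETYPE", (("src_mac", "96:18:82:00:04:01"),), "drop"),
]
# Constructed sample frames from the MAC in the second rule.
ICMP = {"src_mac": "96:18:82:00:04:01", "ethertype": ETH_P_IP, "src_ip": "10.0.0.2"}
ARP = {"src_mac": "96:18:82:00:04:01", "ethertype": ETH_P_ARP}

if __name__ == "__main__":
    print("IPv4 frame, per-type keys :", lookup(RULES, ICMP))
    print("ARP frame, per-type keys  :", lookup(RULES, ARP))
    print("IPv4 frame, forced MAC key:", lookup(RULES, ICMP, force_mac_etype=True))
```
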