[PATCH net-next 0/9] net: fib_rules: Add flow label selector support

[PATCH net-next 0/9] net: fib_rules: Add flow label selector support

[Ido Schimmel]

In some deployments users would like to encode path information into
certain bits of the IPv6 flow label, the UDP source port and the DSCP
and use this information to route packets accordingly.

Redirecting traffic to a routing table based on the flow label is not
currently possible with Linux as FIB rules cannot match on it despite
the flow label being available in the IPv6 flow key.

This patchset extends FIB rules to match on the flow label with a mask.
Future patches will add mask attributes to L4 ports and DSCP matches.

Patches #1-#5 gradually extend FIB rules to match on the flow label.

Patches #6-#7 allow user space to specify a flow label in route get
requests. This is useful for both debugging and testing.

Patch #8 adjusts the fib6_table_lookup tracepoint to print the flow
label to the trace buffer for better observability.

Patch #9 extends the FIB rule selftest with flow label test cases while
utilizing the route get functionality from patch #6.

Ido Schimmel (9):
  net: fib_rules: Add flow label selector attributes
  ipv4: fib_rules: Reject flow label attributes
  ipv6: fib_rules: Add flow label support
  net: fib_rules: Enable flow label selector usage
  netlink: specs: Add FIB rule flow label attributes
  ipv6: Add flow label to route get requests
  netlink: specs: Add route flow label attribute
  tracing: ipv6: Add flow label to fib6_table_lookup tracepoint
  selftests: fib_rule_tests: Add flow label selector match tests

 Documentation/netlink/specs/rt_route.yaml     |  7 +++
 Documentation/netlink/specs/rt_rule.yaml      | 12 ++++
 include/trace/events/fib6.h                   |  8 ++-
 include/uapi/linux/fib_rules.h                |  2 +
 include/uapi/linux/rtnetlink.h                |  1 +
 net/core/fib_rules.c                          |  2 +
 net/ipv4/fib_rules.c                          |  6 ++
 net/ipv6/fib6_rules.c                         | 57 ++++++++++++++++++-
 net/ipv6/route.c                              | 20 ++++++-
 tools/testing/selftests/net/fib_rule_tests.sh | 31 ++++++++++
 10 files changed, 140 insertions(+), 6 deletions(-)

-- 
2.47.1

[PATCH net-next 1/9] net: fib_rules: Add flow label selector attributes

[Ido Schimmel]

Add new FIB rule attributes which will allow user space to match on the
IPv6 flow label with a mask. Temporarily set the type of the attributes
to 'NLA_REJECT' while support is being added in the IPv6 code.

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 include/uapi/linux/fib_rules.h | 2 ++
 net/core/fib_rules.c           | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/include/uapi/linux/fib_rules.h b/include/uapi/linux/fib_rules.h
index a6924dd3aff1..00e9890ca3c0 100644
--- a/include/uapi/linux/fib_rules.h
+++ b/include/uapi/linux/fib_rules.h
@@ -68,6 +68,8 @@ enum {
 	FRA_SPORT_RANGE, /* sport */
 	FRA_DPORT_RANGE, /* dport */
 	FRA_DSCP,	/* dscp */
+	FRA_FLOWLABEL,	/* flowlabel */
+	FRA_FLOWLABEL_MASK,	/* flowlabel mask */
 	__FRA_MAX
 };
 
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 34185d138c95..153b14aade42 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -770,6 +770,8 @@ static const struct nla_policy fib_rule_policy[FRA_MAX + 1] = {
 	[FRA_SPORT_RANGE] = { .len = sizeof(struct fib_rule_port_range) },
 	[FRA_DPORT_RANGE] = { .len = sizeof(struct fib_rule_port_range) },
 	[FRA_DSCP]	= NLA_POLICY_MAX(NLA_U8, INET_DSCP_MASK >> 2),
+	[FRA_FLOWLABEL] = { .type = NLA_REJECT },
+	[FRA_FLOWLABEL_MASK] = { .type = NLA_REJECT },
 };
 
 int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
-- 
2.47.1

[PATCH net-next 2/9] ipv4: fib_rules: Reject flow label attributes

[Ido Schimmel]

IPv4 FIB rules cannot match on flow label so reject requests that try to
add such rules. Do that in the IPv4 configure callback as the netlink
policy resides in the core and used by both IPv4 and IPv6.

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 net/ipv4/fib_rules.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c
index 8325224ef072..9517b8667e00 100644
--- a/net/ipv4/fib_rules.c
+++ b/net/ipv4/fib_rules.c
@@ -249,6 +249,12 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
 	int err = -EINVAL;
 	struct fib4_rule *rule4 = (struct fib4_rule *) rule;
 
+	if (tb[FRA_FLOWLABEL] || tb[FRA_FLOWLABEL_MASK]) {
+		NL_SET_ERR_MSG(extack,
+			       "Flow label cannot be specified for IPv4 FIB rules");
+		goto errout;
+	}
+
 	if (!inet_validate_dscp(frh->tos)) {
 		NL_SET_ERR_MSG(extack,
 			       "Invalid dsfield (tos): ECN bits must be 0");
-- 
2.47.1

[PATCH net-next 3/9] ipv6: fib_rules: Add flow label support

[Ido Schimmel]

Implement support for the new flow label selector which allows IPv6 FIB
rules to match on the flow label with a mask. Ensure that both flow
label attributes are specified (or none) and that the mask is valid.

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 net/ipv6/fib6_rules.c | 57 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 55 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/fib6_rules.c b/net/ipv6/fib6_rules.c
index c85c1627cb16..67d39114d9a6 100644
--- a/net/ipv6/fib6_rules.c
+++ b/net/ipv6/fib6_rules.c
@@ -26,6 +26,8 @@ struct fib6_rule {
 	struct fib_rule		common;
 	struct rt6key		src;
 	struct rt6key		dst;
+	__be32			flowlabel;
+	__be32			flowlabel_mask;
 	dscp_t			dscp;
 	u8			dscp_full:1;	/* DSCP or TOS selector */
 };
@@ -34,7 +36,7 @@ static bool fib6_rule_matchall(const struct fib_rule *rule)
 {
 	struct fib6_rule *r = container_of(rule, struct fib6_rule, common);
 
-	if (r->dst.plen || r->src.plen || r->dscp)
+	if (r->dst.plen || r->src.plen || r->dscp || r->flowlabel_mask)
 		return false;
 	return fib_rule_matchall(rule);
 }
@@ -332,6 +334,9 @@ INDIRECT_CALLABLE_SCOPE int fib6_rule_match(struct fib_rule *rule,
 	if (r->dscp && r->dscp != ip6_dscp(fl6->flowlabel))
 		return 0;
 
+	if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask)
+		return 0;
+
 	if (rule->ip_proto && (rule->ip_proto != fl6->flowi6_proto))
 		return 0;
 
@@ -360,6 +365,35 @@ static int fib6_nl2rule_dscp(const struct nlattr *nla, struct fib6_rule *rule6,
 	return 0;
 }
 
+static int fib6_nl2rule_flowlabel(struct nlattr **tb, struct fib6_rule *rule6,
+				  struct netlink_ext_ack *extack)
+{
+	__be32 flowlabel, flowlabel_mask;
+
+	if (NL_REQ_ATTR_CHECK(extack, NULL, tb, FRA_FLOWLABEL) ||
+	    NL_REQ_ATTR_CHECK(extack, NULL, tb, FRA_FLOWLABEL_MASK))
+		return -EINVAL;
+
+	flowlabel = nla_get_be32(tb[FRA_FLOWLABEL]);
+	flowlabel_mask = nla_get_be32(tb[FRA_FLOWLABEL_MASK]);
+
+	if (flowlabel_mask & ~IPV6_FLOWLABEL_MASK) {
+		NL_SET_ERR_MSG_ATTR(extack, tb[FRA_FLOWLABEL_MASK],
+				    "Invalid flow label mask");
+		return -EINVAL;
+	}
+
+	if (flowlabel & ~flowlabel_mask) {
+		NL_SET_ERR_MSG(extack, "Flow label and mask do not match");
+		return -EINVAL;
+	}
+
+	rule6->flowlabel = flowlabel;
+	rule6->flowlabel_mask = flowlabel_mask;
+
+	return 0;
+}
+
 static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
 			       struct fib_rule_hdr *frh,
 			       struct nlattr **tb,
@@ -379,6 +413,10 @@ static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
 	if (tb[FRA_DSCP] && fib6_nl2rule_dscp(tb[FRA_DSCP], rule6, extack) < 0)
 		goto errout;
 
+	if ((tb[FRA_FLOWLABEL] || tb[FRA_FLOWLABEL_MASK]) &&
+	    fib6_nl2rule_flowlabel(tb, rule6, extack) < 0)
+		goto errout;
+
 	if (rule->action == FR_ACT_TO_TBL && !rule->l3mdev) {
 		if (rule->table == RT6_TABLE_UNSPEC) {
 			NL_SET_ERR_MSG(extack, "Invalid table");
@@ -444,6 +482,14 @@ static int fib6_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh,
 			return 0;
 	}
 
+	if (tb[FRA_FLOWLABEL] &&
+	    nla_get_be32(tb[FRA_FLOWLABEL]) != rule6->flowlabel)
+		return 0;
+
+	if (tb[FRA_FLOWLABEL_MASK] &&
+	    nla_get_be32(tb[FRA_FLOWLABEL_MASK]) != rule6->flowlabel_mask)
+		return 0;
+
 	if (frh->src_len &&
 	    nla_memcmp(tb[FRA_SRC], &rule6->src.addr, sizeof(struct in6_addr)))
 		return 0;
@@ -472,6 +518,11 @@ static int fib6_rule_fill(struct fib_rule *rule, struct sk_buff *skb,
 		frh->tos = inet_dscp_to_dsfield(rule6->dscp);
 	}
 
+	if (rule6->flowlabel_mask &&
+	    (nla_put_be32(skb, FRA_FLOWLABEL, rule6->flowlabel) ||
+	     nla_put_be32(skb, FRA_FLOWLABEL_MASK, rule6->flowlabel_mask)))
+		goto nla_put_failure;
+
 	if ((rule6->dst.plen &&
 	     nla_put_in6_addr(skb, FRA_DST, &rule6->dst.addr)) ||
 	    (rule6->src.plen &&
@@ -487,7 +538,9 @@ static size_t fib6_rule_nlmsg_payload(struct fib_rule *rule)
 {
 	return nla_total_size(16) /* dst */
 	       + nla_total_size(16) /* src */
-	       + nla_total_size(1); /* dscp */
+	       + nla_total_size(1) /* dscp */
+	       + nla_total_size(4) /* flowlabel */
+	       + nla_total_size(4); /* flowlabel mask */
 }
 
 static void fib6_rule_flush_cache(struct fib_rules_ops *ops)
-- 
2.47.1

Re: [PATCH net-next 3/9] ipv6: fib_rules: Add flow label support

[Guillaume Nault]

On Mon, Dec 16, 2024 at 07:11:55PM +0200, Ido Schimmel wrote:
> @@ -332,6 +334,9 @@ INDIRECT_CALLABLE_SCOPE int fib6_rule_match(struct fib_rule *rule,
>  	if (r->dscp && r->dscp != ip6_dscp(fl6->flowlabel))
>  		return 0;
>  
> +	if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask)
> +		return 0;
> +

Personally, I'd find the following form easier to read:
+	if ((flowi6_get_flowlabel(fl6) & r->flowlabel_mask) != r->flowlabel)
+		return 0;

Does GCC produce better code with the xor form?

Re: [PATCH net-next 3/9] ipv6: fib_rules: Add flow label support

[Ido Schimmel]

On Tue, Dec 17, 2024 at 02:59:19PM +0100, Guillaume Nault wrote:
> On Mon, Dec 16, 2024 at 07:11:55PM +0200, Ido Schimmel wrote:
> > @@ -332,6 +334,9 @@ INDIRECT_CALLABLE_SCOPE int fib6_rule_match(struct fib_rule *rule,
> >  	if (r->dscp && r->dscp != ip6_dscp(fl6->flowlabel))
> >  		return 0;
> >  
> > +	if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask)
> > +		return 0;
> > +
> 
> Personally, I'd find the following form easier to read:
> +	if ((flowi6_get_flowlabel(fl6) & r->flowlabel_mask) != r->flowlabel)
> +		return 0;

The FIB rule code already uses the XOR form for other masked matches
('fwmark' for example), so I used it here to be consistent.

> Does GCC produce better code with the xor form?

No big difference.

Original:

static inline __be32 flowi6_get_flowlabel(const struct flowi6 *fl6)
{
        return fl6->flowlabel & IPV6_FLOWLABEL_MASK;
     b85:       81 e2 00 0f ff ff       and    $0xffff0f00,%edx
        if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask)
     b8b:       33 90 c0 00 00 00       xor    0xc0(%rax),%edx
     b91:       23 90 c4 00 00 00       and    0xc4(%rax),%edx
                return 0;
     b97:       41 b8 00 00 00 00       mov    $0x0,%r8d
        if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask)
     b9d:       0f 85 31 ff ff ff       jne    ad4 <fib6_rule_match+0x34>

Modified:

        if ((flowi6_get_flowlabel(fl6) & r->flowlabel_mask) != r->flowlabel)
     b85:       23 90 c4 00 00 00       and    0xc4(%rax),%edx
                return 0;
     b8b:       45 31 c0                xor    %r8d,%r8d
        if ((flowi6_get_flowlabel(fl6) & r->flowlabel_mask) != r->flowlabel)
     b8e:       81 e2 00 0f ff ff       and    $0xffff0f00,%edx
     b94:       3b 90 c0 00 00 00       cmp    0xc0(%rax),%edx
     b9a:       0f 85 34 ff ff ff       jne    ad4 <fib6_rule_match+0x34>

Re: [PATCH net-next 3/9] ipv6: fib_rules: Add flow label support

[Guillaume Nault]

On Tue, Dec 17, 2024 at 05:24:34PM +0200, Ido Schimmel wrote:
> On Tue, Dec 17, 2024 at 02:59:19PM +0100, Guillaume Nault wrote:
> > On Mon, Dec 16, 2024 at 07:11:55PM +0200, Ido Schimmel wrote:
> > > @@ -332,6 +334,9 @@ INDIRECT_CALLABLE_SCOPE int fib6_rule_match(struct fib_rule *rule,
> > >  	if (r->dscp && r->dscp != ip6_dscp(fl6->flowlabel))
> > >  		return 0;
> > >  
> > > +	if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask)
> > > +		return 0;
> > > +
> > 
> > Personally, I'd find the following form easier to read:
> > +	if ((flowi6_get_flowlabel(fl6) & r->flowlabel_mask) != r->flowlabel)
> > +		return 0;
> 
> The FIB rule code already uses the XOR form for other masked matches
> ('fwmark' for example), so I used it here to be consistent.
> 
> > Does GCC produce better code with the xor form?
> 
> No big difference.

Ok, thanks. I didn't realise fwmark used the xor form too.

> 
> Original:
> 
> static inline __be32 flowi6_get_flowlabel(const struct flowi6 *fl6)
> {
>         return fl6->flowlabel & IPV6_FLOWLABEL_MASK;
>      b85:       81 e2 00 0f ff ff       and    $0xffff0f00,%edx
>         if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask)
>      b8b:       33 90 c0 00 00 00       xor    0xc0(%rax),%edx
>      b91:       23 90 c4 00 00 00       and    0xc4(%rax),%edx
>                 return 0;
>      b97:       41 b8 00 00 00 00       mov    $0x0,%r8d
>         if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask)
>      b9d:       0f 85 31 ff ff ff       jne    ad4 <fib6_rule_match+0x34>
> 
> Modified:
> 
>         if ((flowi6_get_flowlabel(fl6) & r->flowlabel_mask) != r->flowlabel)
>      b85:       23 90 c4 00 00 00       and    0xc4(%rax),%edx
>                 return 0;
>      b8b:       45 31 c0                xor    %r8d,%r8d
>         if ((flowi6_get_flowlabel(fl6) & r->flowlabel_mask) != r->flowlabel)
>      b8e:       81 e2 00 0f ff ff       and    $0xffff0f00,%edx
>      b94:       3b 90 c0 00 00 00       cmp    0xc0(%rax),%edx
>      b9a:       0f 85 34 ff ff ff       jne    ad4 <fib6_rule_match+0x34>
> 

Re: [PATCH net-next 3/9] ipv6: fib_rules: Add flow label support

[Jakub Kicinski]

On Mon, 16 Dec 2024 19:11:55 +0200 Ido Schimmel wrote:
> +	if (flowlabel_mask & ~IPV6_FLOWLABEL_MASK) {
> +		NL_SET_ERR_MSG_ATTR(extack, tb[FRA_FLOWLABEL_MASK],
> +				    "Invalid flow label mask");
> +		return -EINVAL;
> +	}

Have you considered NLA_POLICY_MASK() ?
Technically it does support be32, but we'd need to bswap ~IPV6_FLOWLABEL_MASK
and you need the helper anyway... so up to you.

> +	if (flowlabel & ~flowlabel_mask) {
> +		NL_SET_ERR_MSG(extack, "Flow label and mask do not match");
> +		return -EINVAL;
> +	}

Re: [PATCH net-next 3/9] ipv6: fib_rules: Add flow label support

[Ido Schimmel]

On Wed, Dec 18, 2024 at 07:05:09PM -0800, Jakub Kicinski wrote:
> On Mon, 16 Dec 2024 19:11:55 +0200 Ido Schimmel wrote:
> > +	if (flowlabel_mask & ~IPV6_FLOWLABEL_MASK) {
> > +		NL_SET_ERR_MSG_ATTR(extack, tb[FRA_FLOWLABEL_MASK],
> > +				    "Invalid flow label mask");
> > +		return -EINVAL;
> > +	}
> 
> Have you considered NLA_POLICY_MASK() ?
> Technically it does support be32, but we'd need to bswap ~IPV6_FLOWLABEL_MASK
> and you need the helper anyway... so up to you.

I did consider it, but I preferred to have all the checks at the same
place in the IPv6 code instead of having it split between IPv6 and core

> 
> > +	if (flowlabel & ~flowlabel_mask) {
> > +		NL_SET_ERR_MSG(extack, "Flow label and mask do not match");
> > +		return -EINVAL;
> > +	}

[PATCH net-next 4/9] net: fib_rules: Enable flow label selector usage

[Ido Schimmel]

Now that both IPv4 and IPv6 correctly handle the new flow label
attributes, enable user space to configure FIB rules that make use of
the flow label by changing the policy to stop rejecting them and
accepting 32 bit values in big-endian byte order.

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 net/core/fib_rules.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 153b14aade42..e684ba3ebb38 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -770,8 +770,8 @@ static const struct nla_policy fib_rule_policy[FRA_MAX + 1] = {
 	[FRA_SPORT_RANGE] = { .len = sizeof(struct fib_rule_port_range) },
 	[FRA_DPORT_RANGE] = { .len = sizeof(struct fib_rule_port_range) },
 	[FRA_DSCP]	= NLA_POLICY_MAX(NLA_U8, INET_DSCP_MASK >> 2),
-	[FRA_FLOWLABEL] = { .type = NLA_REJECT },
-	[FRA_FLOWLABEL_MASK] = { .type = NLA_REJECT },
+	[FRA_FLOWLABEL] = { .type = NLA_BE32 },
+	[FRA_FLOWLABEL_MASK] = { .type = NLA_BE32 },
 };
 
 int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
-- 
2.47.1

[PATCH net-next 5/9] netlink: specs: Add FIB rule flow label attributes

[Ido Schimmel]

Add the new flow label attributes to the spec. Example:

 # ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/rt_rule.yaml \
	--do newrule \
	--json '{"family": 10, "flowlabel": 1, "flowlabel-mask": 1, "action": 1, "table": 1}'
 None
 $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/rt_rule.yaml \
	--dump getrule --json '{"family": 10}' --output-json \
	| jq '.[] | select(.flowlabel == "0x1")'
 {
   "table": 1,
   "suppress-prefixlen": "0xffffffff",
   "protocol": 0,
   "priority": 32765,
   "flowlabel": "0x1",
   "flowlabel-mask": "0x1",
   "family": 10,
   "dst-len": 0,
   "src-len": 0,
   "tos": 0,
   "action": "to-tbl",
   "flags": 0
 }

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 Documentation/netlink/specs/rt_rule.yaml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/Documentation/netlink/specs/rt_rule.yaml b/Documentation/netlink/specs/rt_rule.yaml
index 03a8eef7952e..a9debac3058a 100644
--- a/Documentation/netlink/specs/rt_rule.yaml
+++ b/Documentation/netlink/specs/rt_rule.yaml
@@ -172,6 +172,16 @@ attribute-sets:
       -
         name: dscp
         type: u8
+      -
+        name: flowlabel
+        type: u32
+        byte-order: big-endian
+        display-hint: hex
+      -
+        name: flowlabel-mask
+        type: u32
+        byte-order: big-endian
+        display-hint: hex
 
 operations:
   enum-model: directional
@@ -203,6 +213,8 @@ operations:
             - sport-range
             - dport-range
             - dscp
+            - flowlabel
+            - flowlabel-mask
     -
       name: newrule-ntf
       doc: Notify a rule creation
-- 
2.47.1

[PATCH net-next 6/9] ipv6: Add flow label to route get requests

[Ido Schimmel]

The default IPv6 multipath hash policy takes the flow label into account
when calculating a multipath hash and previous patches added a flow
label selector to IPv6 FIB rules.

Allow user space to specify a flow label in route get requests by adding
a new netlink attribute and using its value to populate the "flowlabel"
field in the IPv6 flow info structure prior to a route lookup.

Deny the attribute in RTM_{NEW,DEL}ROUTE requests by checking for it in
rtm_to_fib6_config() and returning an error if present.

A subsequent patch will use this capability to test the new flow label
selector in IPv6 FIB rules.

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 include/uapi/linux/rtnetlink.h |  1 +
 net/ipv6/route.c               | 20 +++++++++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/rtnetlink.h b/include/uapi/linux/rtnetlink.h
index eccc0e7dcb7d..5ee94c511a28 100644
--- a/include/uapi/linux/rtnetlink.h
+++ b/include/uapi/linux/rtnetlink.h
@@ -393,6 +393,7 @@ enum rtattr_type_t {
 	RTA_SPORT,
 	RTA_DPORT,
 	RTA_NH_ID,
+	RTA_FLOWLABEL,
 	__RTA_MAX
 };
 
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 67ff16c04718..78362822b907 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -5005,6 +5005,7 @@ static const struct nla_policy rtm_ipv6_policy[RTA_MAX+1] = {
 	[RTA_SPORT]		= { .type = NLA_U16 },
 	[RTA_DPORT]		= { .type = NLA_U16 },
 	[RTA_NH_ID]		= { .type = NLA_U32 },
+	[RTA_FLOWLABEL]		= { .type = NLA_BE32 },
 };
 
 static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
@@ -5030,6 +5031,12 @@ static int rtm_to_fib6_config(struct sk_buff *skb, struct nlmsghdr *nlh,
 		goto errout;
 	}
 
+	if (tb[RTA_FLOWLABEL]) {
+		NL_SET_ERR_MSG_ATTR(extack, tb[RTA_FLOWLABEL],
+				    "Flow label cannot be specified for this operation");
+		goto errout;
+	}
+
 	*cfg = (struct fib6_config){
 		.fc_table = rtm->rtm_table,
 		.fc_dst_len = rtm->rtm_dst_len,
@@ -6013,6 +6020,13 @@ static int inet6_rtm_valid_getroute_req(struct sk_buff *skb,
 		return -EINVAL;
 	}
 
+	if (tb[RTA_FLOWLABEL] &&
+	    (nla_get_be32(tb[RTA_FLOWLABEL]) & ~IPV6_FLOWLABEL_MASK)) {
+		NL_SET_ERR_MSG_ATTR(extack, tb[RTA_FLOWLABEL],
+				    "Invalid flow label");
+		return -EINVAL;
+	}
+
 	for (i = 0; i <= RTA_MAX; i++) {
 		if (!tb[i])
 			continue;
@@ -6027,6 +6041,7 @@ static int inet6_rtm_valid_getroute_req(struct sk_buff *skb,
 		case RTA_SPORT:
 		case RTA_DPORT:
 		case RTA_IP_PROTO:
+		case RTA_FLOWLABEL:
 			break;
 		default:
 			NL_SET_ERR_MSG_MOD(extack, "Unsupported attribute in get route request");
@@ -6049,6 +6064,7 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
 	struct sk_buff *skb;
 	struct rtmsg *rtm;
 	struct flowi6 fl6 = {};
+	__be32 flowlabel;
 	bool fibmatch;
 
 	err = inet6_rtm_valid_getroute_req(in_skb, nlh, tb, extack);
@@ -6057,7 +6073,6 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
 
 	err = -EINVAL;
 	rtm = nlmsg_data(nlh);
-	fl6.flowlabel = ip6_make_flowinfo(rtm->rtm_tos, 0);
 	fibmatch = !!(rtm->rtm_flags & RTM_F_FIB_MATCH);
 
 	if (tb[RTA_SRC]) {
@@ -6103,6 +6118,9 @@ static int inet6_rtm_getroute(struct sk_buff *in_skb, struct nlmsghdr *nlh,
 			goto errout;
 	}
 
+	flowlabel = nla_get_be32_default(tb[RTA_FLOWLABEL], 0);
+	fl6.flowlabel = ip6_make_flowinfo(rtm->rtm_tos, flowlabel);
+
 	if (iif) {
 		struct net_device *dev;
 		int flags = 0;
-- 
2.47.1

[PATCH net-next 7/9] netlink: specs: Add route flow label attribute

[Ido Schimmel]

Add the new flow label attribute to the spec. Example:

 # ip link add name dummy1 up type dummy
 # ip -6 route add default table 254 dev dummy1
 # ip -6 route add default table 10 dev dummy1
 # ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/rt_rule.yaml \
	--do newrule \
	--json '{"family": 10, "priority": 1, "flowlabel": 10, "flowlabel-mask": 255, "action": 1, "table": 10}'
 None
 $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/rt_route.yaml \
	--do getroute \
	--json '{"rtm-family": 10, "rta-flowlabel": 1}' --output-json \
	| jq '.["rta-table"]'
 254
 $ ./tools/net/ynl/cli.py --spec Documentation/netlink/specs/rt_route.yaml \
	--do getroute \
	--json '{"rtm-family": 10, "rta-flowlabel": 10}' --output-json \
	| jq '.["rta-table"]'
 10

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 Documentation/netlink/specs/rt_route.yaml | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/Documentation/netlink/specs/rt_route.yaml b/Documentation/netlink/specs/rt_route.yaml
index f4368be0caed..a674103e5bc4 100644
--- a/Documentation/netlink/specs/rt_route.yaml
+++ b/Documentation/netlink/specs/rt_route.yaml
@@ -177,6 +177,11 @@ attribute-sets:
       -
         name: rta-nh-id
         type: u32
+      -
+        name: rta-flowlabel
+        type: u32
+        byte-order: big-endian
+        display-hint: hex
   -
     name: rta-metrics
     attributes:
@@ -260,6 +265,7 @@ operations:
             - rta-dport
             - rta-mark
             - rta-uid
+            - rta-flowlabel
         reply:
           value: 24
           attributes: &all-route-attrs
@@ -299,6 +305,7 @@ operations:
             - rta-sport
             - rta-dport
             - rta-nh-id
+            - rta-flowlabel
       dump:
         request:
           value: 26
-- 
2.47.1

[PATCH net-next 8/9] tracing: ipv6: Add flow label to fib6_table_lookup tracepoint

[Ido Schimmel]

The different parameters affecting the IPv6 route lookup are printed to
the trace buffer by the fib6_table_lookup tracepoint. Add the IPv6 flow
label for better observability as it can affect the route lookup both in
terms of multipath hash calculation and policy based routing (FIB
rules). Example:

 # echo 1 > /sys/kernel/tracing/events/fib6/fib6_table_lookup/enable
 # ip -6 route get ::1 flowlabel 0x12345 ipproto udp sport 12345 dport 54321 &> /dev/null
 # cat /sys/kernel/tracing/trace_pipe
               ip-358     [010] .....    44.897484: fib6_table_lookup: table 255 oif 0 iif 1 proto 17 ::/12345 -> ::1/54321 flowlabel 0x12345 tos 0 scope 0 flags 0 ==> dev lo gw :: err 0

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 include/trace/events/fib6.h | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/include/trace/events/fib6.h b/include/trace/events/fib6.h
index 5d7ee2610728..8d22b2e98d48 100644
--- a/include/trace/events/fib6.h
+++ b/include/trace/events/fib6.h
@@ -22,6 +22,7 @@ TRACE_EVENT(fib6_table_lookup,
 		__field(	int,	err		)
 		__field(	int,	oif		)
 		__field(	int,	iif		)
+		__field(	u32,	flowlabel	)
 		__field(	__u8,	tos		)
 		__field(	__u8,	scope		)
 		__field(	__u8,	flags		)
@@ -42,6 +43,7 @@ TRACE_EVENT(fib6_table_lookup,
 		__entry->err = ip6_rt_type_to_error(res->fib6_type);
 		__entry->oif = flp->flowi6_oif;
 		__entry->iif = flp->flowi6_iif;
+		__entry->flowlabel = ntohl(flowi6_get_flowlabel(flp));
 		__entry->tos = ip6_tclass(flp->flowlabel);
 		__entry->scope = flp->flowi6_scope;
 		__entry->flags = flp->flowi6_flags;
@@ -76,11 +78,11 @@ TRACE_EVENT(fib6_table_lookup,
 		}
 	),
 
-	TP_printk("table %3u oif %d iif %d proto %u %pI6c/%u -> %pI6c/%u tos %d scope %d flags %x ==> dev %s gw %pI6c err %d",
+	TP_printk("table %3u oif %d iif %d proto %u %pI6c/%u -> %pI6c/%u flowlabel %#x tos %d scope %d flags %x ==> dev %s gw %pI6c err %d",
 		  __entry->tb_id, __entry->oif, __entry->iif, __entry->proto,
 		  __entry->src, __entry->sport, __entry->dst, __entry->dport,
-		  __entry->tos, __entry->scope, __entry->flags,
-		  __entry->name, __entry->gw, __entry->err)
+		  __entry->flowlabel, __entry->tos, __entry->scope,
+		  __entry->flags, __entry->name, __entry->gw, __entry->err)
 );
 
 #endif /* _TRACE_FIB6_H */
-- 
2.47.1

[PATCH net-next 9/9] selftests: fib_rule_tests: Add flow label selector match tests

[Ido Schimmel]

Add tests for the new FIB rule flow label selector. Test both good and bad
flows and with both input and output routes.

 # ./fib_rule_tests.sh
 IPv6 FIB rule tests
 [...]
    TEST: rule6 check: flowlabel redirect to table                      [ OK ]
    TEST: rule6 check: flowlabel no redirect to table                   [ OK ]
    TEST: rule6 del by pref: flowlabel redirect to table                [ OK ]
    TEST: rule6 check: iif flowlabel redirect to table                  [ OK ]
    TEST: rule6 check: iif flowlabel no redirect to table               [ OK ]
    TEST: rule6 del by pref: iif flowlabel redirect to table            [ OK ]
    TEST: rule6 check: flowlabel masked redirect to table               [ OK ]
    TEST: rule6 check: flowlabel masked no redirect to table            [ OK ]
    TEST: rule6 del by pref: flowlabel masked redirect to table         [ OK ]
    TEST: rule6 check: iif flowlabel masked redirect to table           [ OK ]
    TEST: rule6 check: iif flowlabel masked no redirect to table        [ OK ]
    TEST: rule6 del by pref: iif flowlabel masked redirect to table     [ OK ]
 [...]

 Tests passed: 268
 Tests failed:   0

Reviewed-by: Petr Machata <petrm@nvidia.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
---
 tools/testing/selftests/net/fib_rule_tests.sh | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/tools/testing/selftests/net/fib_rule_tests.sh b/tools/testing/selftests/net/fib_rule_tests.sh
index 1d58b3b87465..847936363a12 100755
--- a/tools/testing/selftests/net/fib_rule_tests.sh
+++ b/tools/testing/selftests/net/fib_rule_tests.sh
@@ -291,6 +291,37 @@ fib_rule6_test()
 			"$getnomatch" "iif dscp redirect to table" \
 			"iif dscp no redirect to table"
 	fi
+
+	fib_check_iproute_support "flowlabel" "flowlabel"
+	if [ $? -eq 0 ]; then
+		match="flowlabel 0xfffff"
+		getmatch="flowlabel 0xfffff"
+		getnomatch="flowlabel 0xf"
+		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
+			"$getnomatch" "flowlabel redirect to table" \
+			"flowlabel no redirect to table"
+
+		match="flowlabel 0xfffff"
+		getmatch="from $SRC_IP6 iif $DEV flowlabel 0xfffff"
+		getnomatch="from $SRC_IP6 iif $DEV flowlabel 0xf"
+		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
+			"$getnomatch" "iif flowlabel redirect to table" \
+			"iif flowlabel no redirect to table"
+
+		match="flowlabel 0x08000/0x08000"
+		getmatch="flowlabel 0xfffff"
+		getnomatch="flowlabel 0xf7fff"
+		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
+			"$getnomatch" "flowlabel masked redirect to table" \
+			"flowlabel masked no redirect to table"
+
+		match="flowlabel 0x08000/0x08000"
+		getmatch="from $SRC_IP6 iif $DEV flowlabel 0xfffff"
+		getnomatch="from $SRC_IP6 iif $DEV flowlabel 0xf7fff"
+		fib_rule6_test_match_n_redirect "$match" "$getmatch" \
+			"$getnomatch" "iif flowlabel masked redirect to table" \
+			"iif flowlabel masked no redirect to table"
+	fi
 }
 
 fib_rule6_vrf_test()
-- 
2.47.1

Re: [PATCH net-next 0/9] net: fib_rules: Add flow label selector support

[Ido Schimmel]

On Mon, Dec 16, 2024 at 07:11:52PM +0200, Ido Schimmel wrote:
> In some deployments users would like to encode path information into
> certain bits of the IPv6 flow label, the UDP source port and the DSCP
> and use this information to route packets accordingly.
> 
> Redirecting traffic to a routing table based on the flow label is not
> currently possible with Linux as FIB rules cannot match on it despite
> the flow label being available in the IPv6 flow key.
> 
> This patchset extends FIB rules to match on the flow label with a mask.
> Future patches will add mask attributes to L4 ports and DSCP matches.
> 
> Patches #1-#5 gradually extend FIB rules to match on the flow label.
> 
> Patches #6-#7 allow user space to specify a flow label in route get
> requests. This is useful for both debugging and testing.
> 
> Patch #8 adjusts the fib6_table_lookup tracepoint to print the flow
> label to the trace buffer for better observability.
> 
> Patch #9 extends the FIB rule selftest with flow label test cases while
> utilizing the route get functionality from patch #6.

Forgot to mention, iproute2 patches can be found here:
https://github.com/idosch/iproute2/tree/submit/flowlabel_rule_v1

Re: [PATCH net-next 0/9] net: fib_rules: Add flow label selector support

[Guillaume Nault]

On Mon, Dec 16, 2024 at 07:11:52PM +0200, Ido Schimmel wrote:
> In some deployments users would like to encode path information into
> certain bits of the IPv6 flow label, the UDP source port and the DSCP
> and use this information to route packets accordingly.
> 
> Redirecting traffic to a routing table based on the flow label is not
> currently possible with Linux as FIB rules cannot match on it despite
> the flow label being available in the IPv6 flow key.
> 
> This patchset extends FIB rules to match on the flow label with a mask.
> Future patches will add mask attributes to L4 ports and DSCP matches.

For the whole series:

Reviewed-by: Guillaume Nault <gnault@redhat.com>

Re: [PATCH net-next 0/9] net: fib_rules: Add flow label selector support

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net-next.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Mon, 16 Dec 2024 19:11:52 +0200 you wrote:
> In some deployments users would like to encode path information into
> certain bits of the IPv6 flow label, the UDP source port and the DSCP
> and use this information to route packets accordingly.
> 
> Redirecting traffic to a routing table based on the flow label is not
> currently possible with Linux as FIB rules cannot match on it despite
> the flow label being available in the IPv6 flow key.
> 
> [...]

Here is the summary with links:
  - [net-next,1/9] net: fib_rules: Add flow label selector attributes
    https://git.kernel.org/netdev/net-next/c/d1d761b3012e
  - [net-next,2/9] ipv4: fib_rules: Reject flow label attributes
    https://git.kernel.org/netdev/net-next/c/f0c898d8c279
  - [net-next,3/9] ipv6: fib_rules: Add flow label support
    https://git.kernel.org/netdev/net-next/c/9aa77531a131
  - [net-next,4/9] net: fib_rules: Enable flow label selector usage
    https://git.kernel.org/netdev/net-next/c/4c25f3f05194
  - [net-next,5/9] netlink: specs: Add FIB rule flow label attributes
    https://git.kernel.org/netdev/net-next/c/c72004aac60a
  - [net-next,6/9] ipv6: Add flow label to route get requests
    https://git.kernel.org/netdev/net-next/c/ba4138032ae3
  - [net-next,7/9] netlink: specs: Add route flow label attribute
    https://git.kernel.org/netdev/net-next/c/d26b8267d9e0
  - [net-next,8/9] tracing: ipv6: Add flow label to fib6_table_lookup tracepoint
    https://git.kernel.org/netdev/net-next/c/002bf68a3b3e
  - [net-next,9/9] selftests: fib_rule_tests: Add flow label selector match tests
    https://git.kernel.org/netdev/net-next/c/5760711e198d

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html