* [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys
@ 2025-02-18 4:32 Cong Wang
2025-02-18 4:32 ` [Patch net 1/4] " Cong Wang
` (4 more replies)
0 siblings, 5 replies; 8+ messages in thread
From: Cong Wang @ 2025-02-18 4:32 UTC (permalink / raw)
To: netdev; +Cc: Cong Wang
This patchset contains two fixes for flow_dissector handling of mixed
port and port-range keys, for both tc-flower case and bpf case. Each
of them also comes with a selftest.
---
Cong Wang (4):
flow_dissector: Fix handling of mixed port and port-range keys
selftests/net/forwarding: Add a test case for tc-flower of mixed port
and port-range
flow_dissector: Fix port range key handling in BPF conversion
selftests/bpf: Add a specific dst port matching
net/core/flow_dissector.c | 49 +++++++++++--------
.../flow_dissector_classification.c | 7 ++-
.../net/forwarding/tc_flower_port_range.sh | 46 +++++++++++++++++
3 files changed, 81 insertions(+), 21 deletions(-)
--
2.34.1
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Patch net 1/4] flow_dissector: Fix handling of mixed port and port-range keys
2025-02-18 4:32 [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys Cong Wang
@ 2025-02-18 4:32 ` Cong Wang
2025-02-19 14:39 ` Ido Schimmel
2025-02-18 4:32 ` [Patch net 2/4] selftests/net/forwarding: Add a test case for tc-flower of mixed port and port-range Cong Wang
` (3 subsequent siblings)
4 siblings, 1 reply; 8+ messages in thread
From: Cong Wang @ 2025-02-18 4:32 UTC (permalink / raw)
To: netdev
Cc: Cong Wang, Qiang Zhang, Yoshiki Komachi, Jamal Hadi Salim,
Jiri Pirko
This patch fixes a bug in TC flower filter where rules combining a
specific destination port with a source port range weren't working
correctly.
The specific case was when users tried to configure rules like:
tc filter add dev ens38 ingress protocol ip flower ip_proto udp \
dst_port 5000 src_port 2000-3000 action drop
The root cause was in the flow dissector code. While both
FLOW_DISSECTOR_KEY_PORTS and FLOW_DISSECTOR_KEY_PORTS_RANGE flags
were being set correctly in the classifier, the __skb_flow_dissect_ports()
function was only populating one of them: whichever came first in
the enum check. This meant that when the code needed both a specific
port and a port range, one of them would be left as 0, causing the
filter to not match packets as expected.
Fix it by removing the either/or logic and instead checking and
populating both key types independently when they're in use.
Fixes: 8ffb055beae5 ("cls_flower: Fix the behavior using port ranges with hw-offload")
Reported-by: Qiang Zhang <dtzq01@gmail.com>
Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/
Cc: Yoshiki Komachi <komachi.yoshiki@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
net/core/flow_dissector.c | 31 +++++++++++++++++++------------
1 file changed, 19 insertions(+), 12 deletions(-)
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 5db41bf2ed93..c33af3ef0b79 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -853,23 +853,30 @@ __skb_flow_dissect_ports(const struct sk_buff *skb,
void *target_container, const void *data,
int nhoff, u8 ip_proto, int hlen)
{
- enum flow_dissector_key_id dissector_ports = FLOW_DISSECTOR_KEY_MAX;
- struct flow_dissector_key_ports *key_ports;
+ struct flow_dissector_key_ports_range *key_ports_range = NULL;
+ struct flow_dissector_key_ports *key_ports = NULL;
+ __be32 ports;
if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
- dissector_ports = FLOW_DISSECTOR_KEY_PORTS;
- else if (dissector_uses_key(flow_dissector,
- FLOW_DISSECTOR_KEY_PORTS_RANGE))
- dissector_ports = FLOW_DISSECTOR_KEY_PORTS_RANGE;
+ key_ports = skb_flow_dissector_target(flow_dissector,
+ FLOW_DISSECTOR_KEY_PORTS,
+ target_container);
- if (dissector_ports == FLOW_DISSECTOR_KEY_MAX)
+ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS_RANGE))
+ key_ports_range = skb_flow_dissector_target(flow_dissector,
+ FLOW_DISSECTOR_KEY_PORTS_RANGE,
+ target_container);
+
+ if (!key_ports && !key_ports_range)
return;
- key_ports = skb_flow_dissector_target(flow_dissector,
- dissector_ports,
- target_container);
- key_ports->ports = __skb_flow_get_ports(skb, nhoff, ip_proto,
- data, hlen);
+ ports = __skb_flow_get_ports(skb, nhoff, ip_proto, data, hlen);
+
+ if (key_ports)
+ key_ports->ports = ports;
+
+ if (key_ports_range)
+ key_ports_range->tp.ports = ports;
}
static void
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Patch net 2/4] selftests/net/forwarding: Add a test case for tc-flower of mixed port and port-range
2025-02-18 4:32 [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys Cong Wang
2025-02-18 4:32 ` [Patch net 1/4] " Cong Wang
@ 2025-02-18 4:32 ` Cong Wang
2025-02-19 14:40 ` Ido Schimmel
2025-02-18 4:32 ` [Patch net 3/4] flow_dissector: Fix port range key handling in BPF conversion Cong Wang
` (2 subsequent siblings)
4 siblings, 1 reply; 8+ messages in thread
From: Cong Wang @ 2025-02-18 4:32 UTC (permalink / raw)
To: netdev; +Cc: Cong Wang, Qiang Zhang, Jamal Hadi Salim, Jiri Pirko
After this patch:
# ./tc_flower_port_range.sh
TEST: Port range matching - IPv4 UDP [ OK ]
TEST: Port range matching - IPv4 TCP [ OK ]
TEST: Port range matching - IPv6 UDP [ OK ]
TEST: Port range matching - IPv6 TCP [ OK ]
TEST: Port range matching - IPv4 UDP Drop [ OK ]
Cc: Qiang Zhang <dtzq01@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
.../net/forwarding/tc_flower_port_range.sh | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
diff --git a/tools/testing/selftests/net/forwarding/tc_flower_port_range.sh b/tools/testing/selftests/net/forwarding/tc_flower_port_range.sh
index 3885a2a91f7d..baed5e380dae 100755
--- a/tools/testing/selftests/net/forwarding/tc_flower_port_range.sh
+++ b/tools/testing/selftests/net/forwarding/tc_flower_port_range.sh
@@ -20,6 +20,7 @@ ALL_TESTS="
test_port_range_ipv4_tcp
test_port_range_ipv6_udp
test_port_range_ipv6_tcp
+ test_port_range_ipv4_udp_drop
"
NUM_NETIFS=4
@@ -194,6 +195,51 @@ test_port_range_ipv6_tcp()
__test_port_range $proto $ip_proto $sip $dip $mode "$name"
}
+test_port_range_ipv4_udp_drop()
+{
+ local proto=ipv4
+ local ip_proto=udp
+ local sip=192.0.2.1
+ local dip=192.0.2.2
+ local mode="-4"
+ local name="IPv4 UDP Drop"
+ local dmac=$(mac_get $h2)
+ local smac=$(mac_get $h1)
+ local sport_min=2000
+ local sport_max=3000
+ local sport_mid=$((sport_min + (sport_max - sport_min) / 2))
+ local dport=5000
+
+ RET=0
+
+ tc filter add dev $swp1 ingress protocol $proto handle 101 pref 1 \
+ flower src_ip $sip dst_ip $dip ip_proto $ip_proto \
+ src_port $sport_min-$sport_max \
+ dst_port $dport \
+ action drop
+
+ # Test ports outside range - should pass
+ $MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
+ -t $ip_proto "sp=$((sport_min - 1)),dp=$dport"
+ $MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
+ -t $ip_proto "sp=$((sport_max + 1)),dp=$dport"
+
+ # Test ports inside range - should be dropped
+ $MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
+ -t $ip_proto "sp=$sport_min,dp=$dport"
+ $MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
+ -t $ip_proto "sp=$sport_mid,dp=$dport"
+ $MZ $mode $h1 -c 1 -q -p 100 -a $smac -b $dmac -A $sip -B $dip \
+ -t $ip_proto "sp=$sport_max,dp=$dport"
+
+ tc_check_packets "dev $swp1 ingress" 101 3
+ check_err $? "Filter did not drop the expected number of packets"
+
+ tc filter del dev $swp1 ingress protocol $proto pref 1 handle 101 flower
+
+ log_test "Port range matching - $name"
+}
+
setup_prepare()
{
h1=${NETIFS[p1]}
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Patch net 3/4] flow_dissector: Fix port range key handling in BPF conversion
2025-02-18 4:32 [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys Cong Wang
2025-02-18 4:32 ` [Patch net 1/4] " Cong Wang
2025-02-18 4:32 ` [Patch net 2/4] selftests/net/forwarding: Add a test case for tc-flower of mixed port and port-range Cong Wang
@ 2025-02-18 4:32 ` Cong Wang
2025-02-18 4:32 ` [Patch net 4/4] selftests/bpf: Add a specific dst port matching Cong Wang
2025-02-20 3:10 ` [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys patchwork-bot+netdevbpf
4 siblings, 0 replies; 8+ messages in thread
From: Cong Wang @ 2025-02-18 4:32 UTC (permalink / raw)
To: netdev
Cc: Cong Wang, Qiang Zhang, Yoshiki Komachi, Jamal Hadi Salim,
Jiri Pirko
Fix how port range keys are handled in __skb_flow_bpf_to_target() by:
- Separating PORTS and PORTS_RANGE key handling
- Using correct key_ports_range structure for range keys
- Properly initializing both key types independently
This ensures port range information is correctly stored in its dedicated
structure rather than incorrectly using the regular ports key structure.
Fixes: 59fb9b62fb6c ("flow_dissector: Fix to use new variables for port ranges in bpf hook")
Reported-by: Qiang Zhang <dtzq01@gmail.com>
Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/
Cc: Yoshiki Komachi <komachi.yoshiki@gmail.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
net/core/flow_dissector.c | 18 ++++++++++--------
1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index c33af3ef0b79..9cd8de6bebb5 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -931,6 +931,7 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
struct flow_dissector *flow_dissector,
void *target_container)
{
+ struct flow_dissector_key_ports_range *key_ports_range = NULL;
struct flow_dissector_key_ports *key_ports = NULL;
struct flow_dissector_key_control *key_control;
struct flow_dissector_key_basic *key_basic;
@@ -975,20 +976,21 @@ static void __skb_flow_bpf_to_target(const struct bpf_flow_keys *flow_keys,
key_control->addr_type = FLOW_DISSECTOR_KEY_IPV6_ADDRS;
}
- if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS))
+ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) {
key_ports = skb_flow_dissector_target(flow_dissector,
FLOW_DISSECTOR_KEY_PORTS,
target_container);
- else if (dissector_uses_key(flow_dissector,
- FLOW_DISSECTOR_KEY_PORTS_RANGE))
- key_ports = skb_flow_dissector_target(flow_dissector,
- FLOW_DISSECTOR_KEY_PORTS_RANGE,
- target_container);
-
- if (key_ports) {
key_ports->src = flow_keys->sport;
key_ports->dst = flow_keys->dport;
}
+ if (dissector_uses_key(flow_dissector,
+ FLOW_DISSECTOR_KEY_PORTS_RANGE)) {
+ key_ports_range = skb_flow_dissector_target(flow_dissector,
+ FLOW_DISSECTOR_KEY_PORTS_RANGE,
+ target_container);
+ key_ports_range->tp.src = flow_keys->sport;
+ key_ports_range->tp.dst = flow_keys->dport;
+ }
if (dissector_uses_key(flow_dissector,
FLOW_DISSECTOR_KEY_FLOW_LABEL)) {
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Patch net 4/4] selftests/bpf: Add a specific dst port matching
2025-02-18 4:32 [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys Cong Wang
` (2 preceding siblings ...)
2025-02-18 4:32 ` [Patch net 3/4] flow_dissector: Fix port range key handling in BPF conversion Cong Wang
@ 2025-02-18 4:32 ` Cong Wang
2025-02-20 3:10 ` [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys patchwork-bot+netdevbpf
4 siblings, 0 replies; 8+ messages in thread
From: Cong Wang @ 2025-02-18 4:32 UTC (permalink / raw)
To: netdev; +Cc: Cong Wang, bpf, Daniel Borkmann, Andrii Nakryiko
After this patch:
#102/1 flow_dissector_classification/ipv4:OK
#102/2 flow_dissector_classification/ipv4_continue_dissect:OK
#102/3 flow_dissector_classification/ipip:OK
#102/4 flow_dissector_classification/gre:OK
#102/5 flow_dissector_classification/port_range:OK
#102/6 flow_dissector_classification/ipv6:OK
#102 flow_dissector_classification:OK
Summary: 1/6 PASSED, 0 SKIPPED, 0 FAILED
Cc: bpf@vger.kernel.org
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
.../bpf/prog_tests/flow_dissector_classification.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/flow_dissector_classification.c b/tools/testing/selftests/bpf/prog_tests/flow_dissector_classification.c
index 3729fbfd3084..80b153d3ddec 100644
--- a/tools/testing/selftests/bpf/prog_tests/flow_dissector_classification.c
+++ b/tools/testing/selftests/bpf/prog_tests/flow_dissector_classification.c
@@ -542,8 +542,12 @@ static void detach_program(struct bpf_flow *skel, int prog_fd)
static int set_port_drop(int pf, bool multi_port)
{
+ char dst_port[16];
+
+ snprintf(dst_port, sizeof(dst_port), "%d", CFG_PORT_INNER);
+
SYS(fail, "tc qdisc add dev lo ingress");
- SYS(fail_delete_qdisc, "tc filter add %s %s %s %s %s %s %s %s %s %s",
+ SYS(fail_delete_qdisc, "tc filter add %s %s %s %s %s %s %s %s %s %s %s %s",
"dev lo",
"parent FFFF:",
"protocol", pf == PF_INET6 ? "ipv6" : "ip",
@@ -551,6 +555,7 @@ static int set_port_drop(int pf, bool multi_port)
"flower",
"ip_proto udp",
"src_port", multi_port ? "8-10" : "9",
+ "dst_port", dst_port,
"action drop");
return 0;
--
2.34.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [Patch net 1/4] flow_dissector: Fix handling of mixed port and port-range keys
2025-02-18 4:32 ` [Patch net 1/4] " Cong Wang
@ 2025-02-19 14:39 ` Ido Schimmel
0 siblings, 0 replies; 8+ messages in thread
From: Ido Schimmel @ 2025-02-19 14:39 UTC (permalink / raw)
To: Cong Wang
Cc: netdev, Qiang Zhang, Yoshiki Komachi, Jamal Hadi Salim,
Jiri Pirko
On Mon, Feb 17, 2025 at 08:32:07PM -0800, Cong Wang wrote:
> This patch fixes a bug in TC flower filter where rules combining a
> specific destination port with a source port range weren't working
> correctly.
>
> The specific case was when users tried to configure rules like:
>
> tc filter add dev ens38 ingress protocol ip flower ip_proto udp \
> dst_port 5000 src_port 2000-3000 action drop
>
> The root cause was in the flow dissector code. While both
> FLOW_DISSECTOR_KEY_PORTS and FLOW_DISSECTOR_KEY_PORTS_RANGE flags
> were being set correctly in the classifier, the __skb_flow_dissect_ports()
> function was only populating one of them: whichever came first in
> the enum check. This meant that when the code needed both a specific
> port and a port range, one of them would be left as 0, causing the
> filter to not match packets as expected.
>
> Fix it by removing the either/or logic and instead checking and
> populating both key types independently when they're in use.
>
> Fixes: 8ffb055beae5 ("cls_flower: Fix the behavior using port ranges with hw-offload")
> Reported-by: Qiang Zhang <dtzq01@gmail.com>
> Closes: https://lore.kernel.org/netdev/CAPx+-5uvFxkhkz4=j_Xuwkezjn9U6kzKTD5jz4tZ9msSJ0fOJA@mail.gmail.com/
> Cc: Yoshiki Komachi <komachi.yoshiki@gmail.com>
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Jiri Pirko <jiri@resnulli.us>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Patch net 2/4] selftests/net/forwarding: Add a test case for tc-flower of mixed port and port-range
2025-02-18 4:32 ` [Patch net 2/4] selftests/net/forwarding: Add a test case for tc-flower of mixed port and port-range Cong Wang
@ 2025-02-19 14:40 ` Ido Schimmel
0 siblings, 0 replies; 8+ messages in thread
From: Ido Schimmel @ 2025-02-19 14:40 UTC (permalink / raw)
To: Cong Wang; +Cc: netdev, Qiang Zhang, Jamal Hadi Salim, Jiri Pirko
On Mon, Feb 17, 2025 at 08:32:08PM -0800, Cong Wang wrote:
> After this patch:
>
> # ./tc_flower_port_range.sh
> TEST: Port range matching - IPv4 UDP [ OK ]
> TEST: Port range matching - IPv4 TCP [ OK ]
> TEST: Port range matching - IPv6 UDP [ OK ]
> TEST: Port range matching - IPv6 TCP [ OK ]
> TEST: Port range matching - IPv4 UDP Drop [ OK ]
>
> Cc: Qiang Zhang <dtzq01@gmail.com>
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Cc: Jiri Pirko <jiri@resnulli.us>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Tested with offload as well.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys
2025-02-18 4:32 [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys Cong Wang
` (3 preceding siblings ...)
2025-02-18 4:32 ` [Patch net 4/4] selftests/bpf: Add a specific dst port matching Cong Wang
@ 2025-02-20 3:10 ` patchwork-bot+netdevbpf
4 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-02-20 3:10 UTC (permalink / raw)
To: Cong Wang; +Cc: netdev
Hello:
This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Mon, 17 Feb 2025 20:32:06 -0800 you wrote:
> This patchset contains two fixes for flow_dissector handling of mixed
> port and port-range keys, for both tc-flower case and bpf case. Each
> of them also comes with a selftest.
>
> ---
> Cong Wang (4):
> flow_dissector: Fix handling of mixed port and port-range keys
> selftests/net/forwarding: Add a test case for tc-flower of mixed port
> and port-range
> flow_dissector: Fix port range key handling in BPF conversion
> selftests/bpf: Add a specific dst port matching
>
> [...]
Here is the summary with links:
- [net,1/4] flow_dissector: Fix handling of mixed port and port-range keys
https://git.kernel.org/netdev/net/c/3e5796862c69
- [net,2/4] selftests/net/forwarding: Add a test case for tc-flower of mixed port and port-range
https://git.kernel.org/netdev/net/c/dfc1580f960b
- [net,3/4] flow_dissector: Fix port range key handling in BPF conversion
https://git.kernel.org/netdev/net/c/69ab34f705fb
- [net,4/4] selftests/bpf: Add a specific dst port matching
https://git.kernel.org/netdev/net/c/15de6ba95dbe
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2025-02-20 3:10 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-02-18 4:32 [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys Cong Wang
2025-02-18 4:32 ` [Patch net 1/4] " Cong Wang
2025-02-19 14:39 ` Ido Schimmel
2025-02-18 4:32 ` [Patch net 2/4] selftests/net/forwarding: Add a test case for tc-flower of mixed port and port-range Cong Wang
2025-02-19 14:40 ` Ido Schimmel
2025-02-18 4:32 ` [Patch net 3/4] flow_dissector: Fix port range key handling in BPF conversion Cong Wang
2025-02-18 4:32 ` [Patch net 4/4] selftests/bpf: Add a specific dst port matching Cong Wang
2025-02-20 3:10 ` [Patch net 0/4] flow_dissector: Fix handling of mixed port and port-range keys patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).