From: Petr Machata <petrm@nvidia.com>
To: "David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	<netdev@vger.kernel.org>
Cc: Ido Schimmel <idosch@nvidia.com>, Petr Machata <petrm@nvidia.com>,
	<mlxsw@nvidia.com>
Subject: [PATCH net-next 0/4] mlxsw: Support traffic redirection from a locked bridge port
Date: Fri, 11 Aug 2023 17:13:54 +0200	[thread overview]
Message-ID: <cover.1691764353.git.petrm@nvidia.com> (raw)

Ido Schimmel writes:

It is possible to add a filter that redirects traffic from the ingress
of a bridge port that is locked (i.e., performs security / SMAC lookup)
and has learning enabled. For example:

 # ip link add name br0 type bridge
 # ip link set dev swp1 master br0
 # bridge link set dev swp1 learning on locked on mab on
 # tc qdisc add dev swp1 clsact
 # tc filter add dev swp1 ingress pref 1 proto ip flower skip_sw src_ip 192.0.2.1 action mirred egress redirect dev swp2

In the kernel's Rx path, this filter is evaluated before the Rx handler
of the bridge, which means that redirected traffic should not be
affected by bridge port configuration such as learning.

However, the hardware data path is a bit different and the redirect
action (FORWARDING_ACTION in hardware) merely attaches a pointer to the
packet, which is later used by the L2 lookup stage to understand how to
forward the packet. Between both stages - ingress ACL and L2 lookup -
learning and security lookup are performed, which means that redirected
traffic is affected by bridge port configuration, unlike in the kernel's
data path.

The learning discrepancy was handled in commit 577fa14d2100 ("mlxsw:
spectrum: Do not process learned records with a dummy FID") by simply
ignoring learning notifications generated by the redirected traffic. A
similar solution is not possible for the security / SMAC lookup since
- unlike learning - the CPU is not involved and packets that failed the
lookup are dropped by the device.

Instead, solve this by prepending the ignore action to the redirect
action and use it to instruct the device to disable both learning and
the security / SMAC lookup for redirected traffic.

Patch #1 adds the ignore action.

Patch #2 prepends the action to the redirect action in flower offload
code.

Patch #3 removes the workaround in commit 577fa14d2100 ("mlxsw:
spectrum: Do not process learned records with a dummy FID") since it is
no longer needed.

Patch #4 adds a test case.

Ido Schimmel (4):
  mlxsw: core_acl_flex_actions: Add IGNORE_ACTION
  mlxsw: spectrum_flower: Disable learning and security lookup when
    redirecting
  mlxsw: spectrum: Stop ignoring learning notifications from redirected
    traffic
  selftests: forwarding: Add test case for traffic redirection from a
    locked port

 .../mellanox/mlxsw/core_acl_flex_actions.c    | 40 +++++++++++++++++++
 .../mellanox/mlxsw/core_acl_flex_actions.h    |  2 +
 .../net/ethernet/mellanox/mlxsw/spectrum.h    |  4 +-
 .../ethernet/mellanox/mlxsw/spectrum_acl.c    |  9 +++++
 .../ethernet/mellanox/mlxsw/spectrum_fid.c    | 10 -----
 .../ethernet/mellanox/mlxsw/spectrum_flower.c | 10 +++++
 .../mellanox/mlxsw/spectrum_switchdev.c       |  6 ---
 .../net/forwarding/bridge_locked_port.sh      | 36 +++++++++++++++++
 8 files changed, 100 insertions(+), 17 deletions(-)

-- 
2.41.0
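The ordering difference the cover letter describes, as an added illustration that is not mlxsw driver code: a constructed Python model of the kernel Rx path (clsact ingress runs before the bridge Rx handler) next to a simplified Spectrum pipeline (ingress ACL, then learning and the security/SMAC lookup, then L2 lookup). The `Switch`, `Packet`, `kernel_rx` and `hw_rx` names and the flat FDB/ACL dictionaries are assumptions of the model; MAB locked-entry creation is left out.

```python
from dataclasses import dataclass, field

@dataclass
class Packet:
    in_port: str
    smac: str
    src_ip: str

@dataclass
class Switch:
    locked_ports: set = field(default_factory=set)
    fdb: dict = field(default_factory=dict)   # authorised smac -> port (constructed)
    acl: dict = field(default_factory=dict)   # (in_port, src_ip) -> redirect port
    learned: list = field(default_factory=list)  # learning notifications seen

def smac_fails_lock(sw, pkt):
    """Security / SMAC lookup: unknown SMAC on a locked port fails."""
    return pkt.in_port in sw.locked_ports and sw.fdb.get(pkt.smac) != pkt.in_port

def kernel_rx(sw, pkt):
    """Kernel Rx path: the tc filter is evaluated before the bridge Rx handler,
    so redirected traffic never reaches learning or the locked-port check."""
    out = sw.acl.get((pkt.in_port, pkt.src_ip))
    if out is not None:
        return out
    if smac_fails_lock(sw, pkt):
        return "drop"
    sw.learned.append((pkt.smac, pkt.in_port))
    return "flood"

def hw_rx(sw, pkt, ignore_action):
    """Simplified Spectrum pipeline: FORWARDING_ACTION only attaches a pointer
    that the later L2 lookup stage consumes; learning and the security lookup
    sit between the two stages unless IGNORE_ACTION was prepended."""
    fwd_ptr = sw.acl.get((pkt.in_port, pkt.src_ip))
    if not (fwd_ptr is not None and ignore_action):
        if smac_fails_lock(sw, pkt):
            return "drop"                 # dropped by the device, CPU not involved
        sw.learned.append((pkt.smac, pkt.in_port))
    return fwd_ptr if fwd_ptr is not None else "flood"   # L2 lookup stage

def demo():
    """Redirect from locked swp1 (the cover letter's setup) in both paths."""
    sw = Switch(locked_ports={"swp1"}, acl={("swp1", "192.0.2.1"): "swp2"})
    pkt = Packet("swp1", "00:11:22:33:44:55", "192.0.2.1")   # constructed
    return kernel_rx(sw, pkt), hw_rx(sw, pkt, False), hw_rx(sw, pkt, True), sw.learned
```

Without the ignore action the model drops the redirected packet at the security lookup, matching the discrepancy the series fixes; with it, the hardware path agrees with the kernel path and generates no learning notification.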


2023-08-11 15:13 Petr Machata [this message]
2023-08-11 15:13 ` [PATCH net-next 1/4] mlxsw: core_acl_flex_actions: Add IGNORE_ACTION Petr Machata
2023-08-11 15:13 ` [PATCH net-next 2/4] mlxsw: spectrum_flower: Disable learning and security lookup when redirecting Petr Machata
2023-08-11 15:13 ` [PATCH net-next 3/4] mlxsw: spectrum: Stop ignoring learning notifications from redirected traffic Petr Machata
2023-08-11 15:13 ` [PATCH net-next 4/4] selftests: forwarding: Add test case for traffic redirection from a locked port Petr Machata
2023-08-14  7:20 ` [PATCH net-next 0/4] mlxsw: Support traffic redirection from a locked bridge port patchwork-bot+netdevbpf