* [PATCH net-next v2 1/2] flow_dissector: add support for tunnel control flags
2024-02-01 16:51 [PATCH net-next v2 0/2] net: allow dissecting/matching tunnel control flags Davide Caratti
@ 2024-02-01 16:51 ` Davide Caratti
2024-02-01 16:51 ` [PATCH net-next v2 2/2] net/sched: cls_flower: add support for matching " Davide Caratti
2024-02-02 12:08 ` [PATCH net-next v2 0/2] net: allow dissecting/matching " Jamal Hadi Salim
2 siblings, 0 replies; 5+ messages in thread
From: Davide Caratti @ 2024-02-01 16:51 UTC (permalink / raw)
To: Jamal Hadi Salim, Cong Wang, Jiri Pirko, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev
Cc: Marcelo Ricardo Leitner, Xin Long, Ilya Maximets
dissect [no]csum, [no]dontfrag, [no]oam flags on 'external' tunnels. This
is a prerequisite for matching these control flags using TC flower.
Suggested-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
include/net/flow_dissector.h | 11 +++++++++++
net/core/flow_dissector.c | 13 ++++++++++++-
2 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/include/net/flow_dissector.h b/include/net/flow_dissector.h
index 1a7131d6cb0e..98a0050d5cc3 100644
--- a/include/net/flow_dissector.h
+++ b/include/net/flow_dissector.h
@@ -329,6 +329,16 @@ struct flow_dissector_key_cfm {
#define FLOW_DIS_CFM_MDL_MASK GENMASK(7, 5)
#define FLOW_DIS_CFM_MDL_MAX 7
+/**
+ * struct flow_dissector_key_enc_flags
+ * @flags: tunnel control flags
+ */
+struct flow_dissector_key_enc_flags {
+ __be16 flags;
+};
+
+#define TUNNEL_FLAGS_PRESENT (TUNNEL_CSUM | TUNNEL_DONT_FRAGMENT | TUNNEL_OAM)
+
enum flow_dissector_key_id {
FLOW_DISSECTOR_KEY_CONTROL, /* struct flow_dissector_key_control */
FLOW_DISSECTOR_KEY_BASIC, /* struct flow_dissector_key_basic */
@@ -363,6 +373,7 @@ enum flow_dissector_key_id {
FLOW_DISSECTOR_KEY_L2TPV3, /* struct flow_dissector_key_l2tpv3 */
FLOW_DISSECTOR_KEY_CFM, /* struct flow_dissector_key_cfm */
FLOW_DISSECTOR_KEY_IPSEC, /* struct flow_dissector_key_ipsec */
+ FLOW_DISSECTOR_KEY_ENC_FLAGS, /* struct flow_dissector_key_enc_flags */
FLOW_DISSECTOR_KEY_MAX,
};
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 272f09251343..9099a5524d7c 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -382,7 +382,9 @@ skb_flow_dissect_tunnel_info(const struct sk_buff *skb,
!dissector_uses_key(flow_dissector,
FLOW_DISSECTOR_KEY_ENC_IP) &&
!dissector_uses_key(flow_dissector,
- FLOW_DISSECTOR_KEY_ENC_OPTS))
+ FLOW_DISSECTOR_KEY_ENC_OPTS) &&
+ !dissector_uses_key(flow_dissector,
+ FLOW_DISSECTOR_KEY_ENC_FLAGS))
return;
info = skb_tunnel_info(skb);
@@ -467,6 +469,15 @@ skb_flow_dissect_tunnel_info(const struct sk_buff *skb,
TUNNEL_OPTIONS_PRESENT;
}
}
+
+ if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_FLAGS)) {
+ struct flow_dissector_key_enc_flags *enc_flags;
+
+ enc_flags = skb_flow_dissector_target(flow_dissector,
+ FLOW_DISSECTOR_KEY_ENC_FLAGS,
+ target_container);
+ enc_flags->flags = info->key.tun_flags & TUNNEL_FLAGS_PRESENT;
+ }
}
EXPORT_SYMBOL(skb_flow_dissect_tunnel_info);
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* [PATCH net-next v2 2/2] net/sched: cls_flower: add support for matching tunnel control flags
2024-02-01 16:51 [PATCH net-next v2 0/2] net: allow dissecting/matching tunnel control flags Davide Caratti
2024-02-01 16:51 ` [PATCH net-next v2 1/2] flow_dissector: add support for " Davide Caratti
@ 2024-02-01 16:51 ` Davide Caratti
2024-02-03 5:08 ` Jakub Kicinski
2024-02-02 12:08 ` [PATCH net-next v2 0/2] net: allow dissecting/matching " Jamal Hadi Salim
2 siblings, 1 reply; 5+ messages in thread
From: Davide Caratti @ 2024-02-01 16:51 UTC (permalink / raw)
To: Jamal Hadi Salim, Cong Wang, Jiri Pirko, David S. Miller,
Eric Dumazet, Jakub Kicinski, Paolo Abeni, netdev
Cc: Marcelo Ricardo Leitner, Xin Long, Ilya Maximets
extend cls_flower to match flags belonging to 'TUNNEL_FLAGS_PRESENT' mask
inside skb tunnel metadata.
Suggested-by: Ilya Maximets <i.maximets@ovn.org>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
---
include/uapi/linux/pkt_cls.h | 3 +++
net/sched/cls_flower.c | 50 +++++++++++++++++++++++++++++++++++-
2 files changed, 52 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h
index ea277039f89d..e3394f9d06b7 100644
--- a/include/uapi/linux/pkt_cls.h
+++ b/include/uapi/linux/pkt_cls.h
@@ -554,6 +554,9 @@ enum {
TCA_FLOWER_KEY_SPI, /* be32 */
TCA_FLOWER_KEY_SPI_MASK, /* be32 */
+ TCA_FLOWER_KEY_ENC_FLAGS, /* be16 */
+ TCA_FLOWER_KEY_ENC_FLAGS_MASK, /* be16 */
+
__TCA_FLOWER_MAX,
};
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index efb9d2811b73..8da12256568f 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -74,6 +74,7 @@ struct fl_flow_key {
struct flow_dissector_key_l2tpv3 l2tpv3;
struct flow_dissector_key_ipsec ipsec;
struct flow_dissector_key_cfm cfm;
+ struct flow_dissector_key_enc_flags enc_flags;
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
struct fl_flow_mask_range {
@@ -731,6 +732,10 @@ static const struct nla_policy fl_policy[TCA_FLOWER_MAX + 1] = {
[TCA_FLOWER_KEY_SPI_MASK] = { .type = NLA_U32 },
[TCA_FLOWER_L2_MISS] = NLA_POLICY_MAX(NLA_U8, 1),
[TCA_FLOWER_KEY_CFM] = { .type = NLA_NESTED },
+ [TCA_FLOWER_KEY_ENC_FLAGS] = NLA_POLICY_MASK(NLA_BE16,
+ TUNNEL_FLAGS_PRESENT),
+ [TCA_FLOWER_KEY_ENC_FLAGS_MASK] = NLA_POLICY_MASK(NLA_BE16,
+ TUNNEL_FLAGS_PRESENT),
};
static const struct nla_policy
@@ -1748,6 +1753,21 @@ static int fl_set_key_cfm(struct nlattr **tb,
return 0;
}
+static int fl_set_key_enc_flags(struct nlattr **tb, __be16 *flags_key,
+ __be16 *flags_mask, struct netlink_ext_ack *extack)
+{
+ /* mask is mandatory for flags */
+ if (NL_REQ_ATTR_CHECK(extack, NULL, tb, TCA_FLOWER_KEY_ENC_FLAGS_MASK)) {
+ NL_SET_ERR_MSG(extack, "missing enc_flags mask");
+ return -EINVAL;
+ }
+
+ *flags_key = nla_get_be16(tb[TCA_FLOWER_KEY_ENC_FLAGS]);
+ *flags_mask = nla_get_be16(tb[TCA_FLOWER_KEY_ENC_FLAGS_MASK]);
+
+ return 0;
+}
+
static int fl_set_key(struct net *net, struct nlattr **tb,
struct fl_flow_key *key, struct fl_flow_key *mask,
struct netlink_ext_ack *extack)
@@ -1982,9 +2002,16 @@ static int fl_set_key(struct net *net, struct nlattr **tb,
if (ret)
return ret;
- if (tb[TCA_FLOWER_KEY_FLAGS])
+ if (tb[TCA_FLOWER_KEY_FLAGS]) {
ret = fl_set_key_flags(tb, &key->control.flags,
&mask->control.flags, extack);
+ if (ret)
+ return ret;
+ }
+
+ if (tb[TCA_FLOWER_KEY_ENC_FLAGS])
+ ret = fl_set_key_enc_flags(tb, &key->enc_flags.flags,
+ &mask->enc_flags.flags, extack);
return ret;
}
@@ -2098,6 +2125,8 @@ static void fl_init_dissector(struct flow_dissector *dissector,
FLOW_DISSECTOR_KEY_IPSEC, ipsec);
FL_KEY_SET_IF_MASKED(mask, keys, cnt,
FLOW_DISSECTOR_KEY_CFM, cfm);
+ FL_KEY_SET_IF_MASKED(mask, keys, cnt,
+ FLOW_DISSECTOR_KEY_ENC_FLAGS, enc_flags);
skb_flow_dissector_init(dissector, keys, cnt);
}
@@ -3185,6 +3214,22 @@ static int fl_dump_key_cfm(struct sk_buff *skb,
return err;
}
+static int fl_dump_key_enc_flags(struct sk_buff *skb,
+ struct flow_dissector_key_enc_flags *key,
+ struct flow_dissector_key_enc_flags *mask)
+{
+ if (!memchr_inv(mask, 0, sizeof(*mask)))
+ return 0;
+
+ if (nla_put_be16(skb, TCA_FLOWER_KEY_ENC_FLAGS, key->flags))
+ return -EMSGSIZE;
+
+ if (nla_put_be16(skb, TCA_FLOWER_KEY_ENC_FLAGS_MASK, mask->flags))
+ return -EMSGSIZE;
+
+ return 0;
+}
+
static int fl_dump_key_options(struct sk_buff *skb, int enc_opt_type,
struct flow_dissector_key_enc_opts *enc_opts)
{
@@ -3481,6 +3526,9 @@ static int fl_dump_key(struct sk_buff *skb, struct net *net,
if (fl_dump_key_cfm(skb, &key->cfm, &mask->cfm))
goto nla_put_failure;
+ if (fl_dump_key_enc_flags(skb, &key->enc_flags, &mask->enc_flags))
+ goto nla_put_failure;
+
return 0;
nla_put_failure:
--
2.43.0
^ permalink raw reply related [flat|nested] 5+ messages in thread* Re: [PATCH net-next v2 0/2] net: allow dissecting/matching tunnel control flags
2024-02-01 16:51 [PATCH net-next v2 0/2] net: allow dissecting/matching tunnel control flags Davide Caratti
2024-02-01 16:51 ` [PATCH net-next v2 1/2] flow_dissector: add support for " Davide Caratti
2024-02-01 16:51 ` [PATCH net-next v2 2/2] net/sched: cls_flower: add support for matching " Davide Caratti
@ 2024-02-02 12:08 ` Jamal Hadi Salim
2 siblings, 0 replies; 5+ messages in thread
From: Jamal Hadi Salim @ 2024-02-02 12:08 UTC (permalink / raw)
To: Davide Caratti
Cc: Cong Wang, Jiri Pirko, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, netdev, Marcelo Ricardo Leitner,
Xin Long, Ilya Maximets
On Thu, Feb 1, 2024 at 11:53 AM Davide Caratti <dcaratti@redhat.com> wrote:
>
> Ilya says: "for correct matching on decapsulated packets, we should match
> on not only tunnel id and headers, but also on tunnel configuration flags
> like TUNNEL_NO_CSUM and TUNNEL_DONT_FRAGMENT. This is done to distinguish
> similar tunnels with slightly different configs. And it is important since
> tunnel configuration is flow based, i.e. can be different for every packet,
> even though the main tunnel port is the same."
>
> - patch 1 extends the kernel's flow dissector to extract these flags
> from the packet's tunnel metadata.
> - patch 2 extends TC flower to match on any combination of TUNNEL_NO_CSUM,
> TUNNEL_OAM and TUNNEL_DONT_FRAGMENT.
>
For the patchset:
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
cheers,
jamal
> v2:
> - use NL_REQ_ATTR_CHECK() where possible (thanks Jamal)
> - don't overwrite 'ret' in the error path of fl_set_key_flags()
>
> Davide Caratti (2):
> flow_dissector: add support for tunnel control flags
> net/sched: cls_flower: add support for matching tunnel control flags
>
> include/net/flow_dissector.h | 11 ++++++++
> include/uapi/linux/pkt_cls.h | 3 +++
> net/core/flow_dissector.c | 13 +++++++++-
> net/sched/cls_flower.c | 50 +++++++++++++++++++++++++++++++++++-
> 4 files changed, 75 insertions(+), 2 deletions(-)
>
> --
> 2.43.0
>
^ permalink raw reply [flat|nested] 5+ messages in thread