Date:   Tue, 27 Feb 2018 14:53:34 +0100
From:   Jiri Pirko <jiri@...nulli.us>
To:     netdev@...r.kernel.org
Cc:     davem@...emloft.net, petrm@...lanox.com, idosch@...lanox.com,
        mlxsw@...lanox.com, xeb@...l.ru, dsa@...ulusnetworks.com
Subject: [patch net-next 00/15] mlxsw: Offloading encapsulated SPAN

From: Jiri Pirko <jiri@...lanox.com>

Petr says:

This patch series introduces support for mirroring with GRE
encapsulation. It offloads tc action mirred mirror from a mlxsw port to
either a gretap or an ip6gretap netdevice.

Spectrum hardware needs to know all the details of the requested
encapsulation: source and destination MAC and IP addresses, details of
VLAN tagging, etc. The only variables are the encapsulated packet
itself, and TOS field, which may be inherited. To that end, mlxsw driver
resolves the route that encapsulated packets would take, queries the
corresponding neighbor, and with that configuration in hand, configures
the mirroring in the hardware.

The driver also hooks into event handlers for netdevice changes, FIB and
neighbor events, and reconsiders the configuration on each such change.
When the new configuration differs from the currently-offloaded one, the
existing offload is removed and replaced with a new one.

It is possible to mirror to {ip6,}gretap from a matchall rule as well as
from a flower match.

** Note that with this patch set, mlxsw build depends on NET_IPGRE and
   IPV6_GRE.

Current limitations:

- There has to be a route that directs packets to an mlxsw port. We
  intend to extend the logic to support other netdevice types in the
  future, but the eventual egress netdevice will have to be an mlxsw
  port in any case.

- Offload reconfiguration due to changes in netdevice configuration
  creates a window of time where packets are not mirrored. Under some
  circumstances this can be prevented by configuring an unused port
  analyzer and migrating mirrors over to that. However, that's currently
  not implemented.

- Remote address of a tunnel device needs to be set, there may not be a
  GRE key, checksumming or sequence numbers, and TTL needs to be fixed
  (non-inherit). These are hard requirements imposed by the underlying
  hardware.

- TOS of a tunnel device needs to be "inherit". The hardware supports a
  fixed TOS, but that's currently not implemented.

The series starts with two patches, #1 and #2, that publish one function
and add support for querying IPv6 tunnel parameters.

In patches #3 and #4, we introduce helpers to GRE and tunneling code
that we will use later in the patchset from the SPAN code.

Patches #5 and #6 introduce support for encapsulated SPAN in reg.h.

The following seven patches, #7-#13, then prepare the SPAN codebase for
introduction of mirroring to netdevices that don't correspond to front
panel ports.

Then #14 and #15 pull all this together to implement mirroring to
{ip6,}gretap netdevices.

Petr Machata (15):
  mlxsw: spectrum_ipip: Extract mlxsw_sp_l3addr_is_zero
  mlxsw: spectrum_ipip: Support decoding IPv6 tunnel addresses
  net: GRE: Add is_gretap_dev, is_ip6gretap_dev
  ip_tunnel: Rename & publish init_tunnel_flow
  mlxsw: reg: Add SPAN encapsulation to MPAT register
  mlxsw: reg: Extend mlxsw_reg_mpat_pack()
  mlxsw: span: Remove span_entry by span_id
  mlxsw: spectrum_span: Initialize span_entry.id eagerly
  mlxsw: spectrum_span: Extract mlxsw_sp_span_entry_{de,}configure()
  mlxsw: spectrum: Keep mirror netdev in mlxsw_sp_span_entry
  mlxsw: spectrum_span: Generalize SPAN support
  mlxsw: Handle config changes pertinent to SPAN
  mlxsw: Move a mirroring check to mlxsw_sp_span_entry_create
  mlxsw: spectrum_span: Support mirror to gretap
  mlxsw: spectrum_span: Support mirror to ip6gretap

 drivers/net/ethernet/mellanox/mlxsw/Kconfig        |   4 +
 .../mellanox/mlxsw/core_acl_flex_actions.c         |  19 +-
 .../mellanox/mlxsw/core_acl_flex_actions.h         |   9 +-
 drivers/net/ethernet/mellanox/mlxsw/reg.h          | 145 +++++-
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c     |  50 +-
 drivers/net/ethernet/mellanox/mlxsw/spectrum.h     |   2 +-
 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c |   9 +-
 .../mellanox/mlxsw/spectrum_acl_flex_actions.c     |  33 +-
 .../net/ethernet/mellanox/mlxsw/spectrum_ipip.c    |  45 +-
 .../net/ethernet/mellanox/mlxsw/spectrum_ipip.h    |   8 +-
 .../net/ethernet/mellanox/mlxsw/spectrum_router.c  |   7 +
 .../net/ethernet/mellanox/mlxsw/spectrum_span.c    | 522 +++++++++++++++++++--
 .../net/ethernet/mellanox/mlxsw/spectrum_span.h    |  41 +-
 include/net/gre.h                                  |   3 +
 include/net/ip_tunnels.h                           |  16 +
 net/ipv4/ip_gre.c                                  |   6 +
 net/ipv4/ip_tunnel.c                               |  40 +-
 net/ipv6/ip6_gre.c                                 |   6 +
 18 files changed, 808 insertions(+), 157 deletions(-)

-- 
2.14.3
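
Added example, not part of the original post and not mlxsw driver code: a pre-flight check that reads an `ip link add ... type gretap|ip6gretap` command and reports which of the tunnel limitations listed in the cover letter it breaks, which is useful before pointing a mirror at a monitoring collector. The function names and sample commands are hypothetical, and requiring TTL and TOS to be stated explicitly rather than left to defaults is an assumption of this example.

```python
import shlex

# Options of `ip link add ... type gretap|ip6gretap` that take a value.
VALUE_OPTS = {"remote", "local", "dev", "ttl", "hoplimit", "tos", "tclass",
              "key", "ikey", "okey"}
ALIASES = {"hoplimit": "ttl", "tclass": "tos"}  # ip6gretap spellings

# Constructed sample commands (addresses from documentation ranges).
GOOD = "ip link add gt4 type gretap local 192.0.2.1 remote 192.0.2.2 ttl 64 tos inherit"
BAD = "ip link add gt4 type gretap local 192.0.2.1 key 1234 iseq ttl inherit tos 0x10"


def parse_tunnel(cmdline):
    """Split an `ip link add` line into (kind, {option: value-or-True})."""
    words = shlex.split(cmdline)
    if "type" not in words[:-1]:
        raise ValueError("expected 'type <kind>' in: " + cmdline)
    at = words.index("type")
    kind, rest = words[at + 1], words[at + 2:]
    opts, i = {}, 0
    while i < len(rest):
        word = rest[i]
        if word in VALUE_OPTS:  # a missing value is recorded as None
            opts[ALIASES.get(word, word)] = rest[i + 1] if i + 1 < len(rest) else None
            i += 2
        else:  # valueless flag such as csum or iseq
            opts[word] = True
            i += 1
    return kind, opts


def offload_violations(cmdline):
    """List the limitations from the cover letter that this tunnel breaks."""
    kind, opts = parse_tunnel(cmdline)
    if kind not in ("gretap", "ip6gretap"):
        return ["type %s is not gretap or ip6gretap" % kind]
    problems = []
    if opts.get("remote") in (None, "any", "0.0.0.0", "::"):
        problems.append("remote address is not set")
    if any(k in opts for k in ("key", "ikey", "okey")):
        problems.append("GRE key is configured")
    if any(k in opts for k in ("csum", "icsum", "ocsum")):
        problems.append("checksumming is enabled")
    if any(k in opts for k in ("seq", "iseq", "oseq")):
        problems.append("sequence numbers are enabled")
    if opts.get("ttl") in (None, "inherit"):
        problems.append("TTL is not fixed")
    if opts.get("tos") != "inherit":
        problems.append("TOS is not inherit")
    return problems
```

A tunnel that passes this check can still fail to offload, because the route and neighbor resolution described in the cover letter happens in the driver at run time.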
