Date:   Mon, 16 Mar 2020 11:18:13 +0200
From:   Paul Blakey <paulb@...lanox.com>
To:     wenxu <wenxu@...oud.cn>
Cc:     Linux Kernel Network Developers <netdev@...r.kernel.org>
Subject: Re: ct_act can't offload in hardware



On 3/16/2020 10:23 AM, wenxu wrote:
> Hi paul,
>
>
> I tested the ct offload with tc in the net-next branch and met some problems.
>
>
> gre_sys is a gretap device.
>
> # tc filter add dev gre_sys ingress prio 2 chain 0 proto ip flower  enc_dst_ip 172.168.152.75 enc_src_ip 172.168.152.208 enc_key_id 1000 enc_tos 0x0/ff dst_ip 1.1.1.7 ct_state -trk action ct zone 1 nat pipe action goto chain 1
>
> The rule shows as not_in_hw
>
> # tc filter ls dev gre_sys ingress
>
> filter protocol ip pref 2 flower chain 0
> filter protocol ip pref 2 flower chain 0 handle 0x1
>   eth_type ipv4
>   dst_ip 1.1.1.7
>   enc_dst_ip 172.168.152.75
>   enc_src_ip 172.168.152.208
>   enc_key_id 1000
>   enc_tos 0x0/ff
>   ct_state -trk
>   not_in_hw
>     action order 1: ct zone 1 nat pipe
>      index 1 ref 1 bind 1
>  
>     action order 2: gact action goto chain 1
>      random type none pass val 0
>      index 1 ref 1 bind 1
>
>
> # dmesg
>
> mlx5_core 0000:81:00.0 net2: Chains on tunnel devices isn't supported without register metadata support
>
> I updated the fw to 16.27.1016 and the problem still exists.
>
> # ethtool -i net2
>
> driver: mlx5e_rep
> version: 5.6.0-rc5+
> firmware-version: 16.27.1016 (MT_0000000080)
> expansion-rom-version:
> bus-info: 0000:81:00.0
> supports-statistics: yes
> supports-test: no
> supports-eeprom-access: no
> supports-register-dump: no
> supports-priv-flags: no
>
> Is there some method to enable the register metadata support?
>
>
> BR
>
> wenxu
Hi

Originally we needed metadata support just because it was enabled by default
and it enabled the loopback feature, which is what is actually needed for the
above type of rules (tunnel + chain).

But after patch 1e62e222db2e0dc7af0a89c225311d319c5d1c4f - "net/mlx5: E-Switch,
Use vport metadata matching only when mandatory"
metadata is not enabled by default, and it's needed for the above.

My upstream patch
5b7cb74 "net/mlx5: E-Switch, Enable reg c1 loopback when possible"
enabled the needed loopback feature by default, as it was also needed for
connection tracking.

Instead of relying on mlx5_eswitch_vport_match_metadata_enabled(esw) in
parse_tunnel_attr(), we need to rely on
mlx5_eswitch_reg_c1_loopback_enabled(esw). I have a patch under internal
review that does this.

For now, you can either disable this
mlx5_eswitch_vport_match_metadata_enabled(esw) check in parse_tunnel_attr() or,
more correctly, replace it with the mlx5_eswitch_reg_c1_loopback_enabled(esw)
check.

Thanks,
Paul.