Date:   Wed, 15 Feb 2017 10:52:30 +0200
From:   Or Gerlitz <ogerlitz@...lanox.com>
To:     "David S. Miller" <davem@...emloft.net>
Cc:     Jakub Kicinski <jakub.kicinski@...ronome.com>,
        John Fastabend <john.r.fastabend@...el.com>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Roi Dayan <roid@...lanox.com>, Jiri Pirko <jiri@...lanox.com>,
        netdev@...r.kernel.org, Or Gerlitz <ogerlitz@...lanox.com>
Subject: [PATCH net-next V3 0/7] net/sched: Reflect HW offload status in classifiers 

Currently there is no way of querying whether a filter is
offloaded to HW or not when using "both" policy (where none
of skip_sw or skip_hw flags are set by user-space).

Added two new flags, "in hw" and "not in hw" such that user space 
can determine if a filter is actually offloaded to hw. The "in hw" 
UAPI semantics was chosen so it's similar to the "skip hw" flag logic.

If none of these two flags are set, this signals running
over older kernel.

As an example, add one vlan push + fwd rule, one matchall rule and one u32 rule
without any flags, and another vlan + fwd skip_sw rule, such that the different TC
classifiers attempt to offload all of them -- all over mlx5 SRIOV VF rep:

# tc filter add dev eth2_0 protocol ip parent ffff: \
	flower skip_sw indev eth2_0 src_mac e4:11:22:33:44:50 dst_mac e4:1d:2d:a5:f3:9d \
	action vlan push id 52 action mirred egress redirect dev eth2

# tc filter add dev eth2_0 protocol ip parent ffff: \
	flower indev eth2_0 src_mac e4:11:22:33:44:50 dst_mac e4:11:22:33:44:51 \
	action vlan push id 53 action mirred egress redirect dev eth2

# tc filter add dev eth2_0 parent ffff: matchall action mirred egress mirror dev veth1

# tc filter add dev eth2_0 parent ffff: protocol ip prio 99 handle 800:0:1 \
	u32 ht 800: flowid 800:1 match ip src 192.168.1.0/24 action drop

Since that VF rep doesn't offload matchall/u32 and can currently offload
only one vlan push rule we expect three of the rules not to be offloaded:

# tc filter show dev eth2_0 parent ffff:

filter protocol ip pref 99 u32 
filter protocol ip pref 99 u32 fh 800: ht divisor 1 
filter protocol ip pref 99 u32 fh 800::1 order 1 key ht 800 bkt 0 flowid 800:1 not in_hw 
  match c0a80100/ffffff00 at 12
	action order 1: gact action drop
	 random type none pass val 0
	 index 8 ref 1 bind 1
 
filter protocol all pref 49150 matchall 
filter protocol all pref 49150 matchall handle 0x1 
  not in_hw
	action order 1: mirred (Egress Mirror to device veth1) pipe
 	index 27 ref 1 bind 1
 
filter protocol ip pref 49151 flower 
filter protocol ip pref 49151 flower handle 0x1 
  indev eth2_0
  dst_mac e4:11:22:33:44:51
  src_mac e4:11:22:33:44:50
  eth_type ipv4
  not in_hw
	action order 1:  vlan push id 53 protocol 802.1Q priority 0 pipe
	 index 20 ref 1 bind 1
 
	action order 2: mirred (Egress Redirect to device eth2) stolen
 	index 26 ref 1 bind 1
 
filter protocol ip pref 49152 flower 
filter protocol ip pref 49152 flower handle 0x1 
  indev eth2_0
  dst_mac e4:1d:2d:a5:f3:9d
  src_mac e4:11:22:33:44:50
  eth_type ipv4
  skip_sw
  in_hw
	action order 1:  vlan push id 52 protocol 802.1Q priority 0 pipe
	 index 19 ref 1 bind 1
 
	action order 2: mirred (Egress Redirect to device eth2) stolen
 	index 25 ref 1 bind 1

v2 --> v3 changes:

 - fixed the matchall dump flags patch to do proper checks (Jakub)
 - added the same proper checks to flower where they were missing 
 - that flower patch was added as #1 and hence all the other patches are offed-by-one
 
v1 --> v2 changes:
 - applied feedback from Jakub and Dave -- where none of the skip flags were set,
   the suggested approach didn't allow user space to distinguish between an old kernel
   and a case where offloading to HW worked fine.

Or Gerlitz (6):
  net/sched: cls_matchall: Dump skip flags
  net/sched: Reflect HW offload status
  net/sched: cls_flower: Reflect HW offload status
  net/sched: cls_matchall: Reflect HW offloading status
  net/sched: cls_u32: Reflect HW offload status
  net/sched: cls_bpf: Reflect HW offload status

 include/net/pkt_cls.h        |  5 +++++
 include/uapi/linux/pkt_cls.h |  6 ++++--
 net/sched/cls_bpf.c          | 13 +++++++++++--
 net/sched/cls_flower.c       |  5 +++++
 net/sched/cls_matchall.c     | 14 ++++++++++++--
 net/sched/cls_u32.c          | 10 ++++++++++
 6 files changed, 47 insertions(+), 6 deletions(-)

-- 
2.3.7

*** BLURB HERE ***

Or Gerlitz (7):
  net/sched: cls_flower: Properly handle classifier flags dumping
  net/sched: cls_matchall: Dump the classifier flags
  net/sched: Reflect HW offload status
  net/sched: cls_flower: Reflect HW offload status
  net/sched: cls_matchall: Reflect HW offloading status
  net/sched: cls_u32: Reflect HW offload status
  net/sched: cls_bpf: Reflect HW offload status

 include/net/pkt_cls.h        |  5 +++++
 include/uapi/linux/pkt_cls.h |  6 ++++--
 net/sched/cls_bpf.c          | 13 +++++++++++--
 net/sched/cls_flower.c       |  8 +++++++-
 net/sched/cls_matchall.c     | 15 +++++++++++++--
 net/sched/cls_u32.c          | 10 ++++++++++
 6 files changed, 50 insertions(+), 7 deletions(-)

-- 
2.3.7
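
An added example, not part of the original message or the patch series: a small Python parser for the `tc filter show` text format quoted above, reporting each rule's skip policy and offload state, including the case the cover letter describes where neither flag is present (older kernel). The sample input is constructed from the output above; the pref 49153 rule, the function name and the rule-detection heuristic are assumptions.

```python
import re

# Constructed sample in the `tc filter show` format shown in the message above;
# the pref 49153 rule (no offload flag at all) is made up to model an older kernel.
SAMPLE = """\
filter protocol ip pref 99 u32
filter protocol ip pref 99 u32 fh 800: ht divisor 1
filter protocol ip pref 99 u32 fh 800::1 order 1 key ht 800 bkt 0 flowid 800:1 not in_hw
\taction order 1: gact action drop
filter protocol all pref 49150 matchall handle 0x1
  not in_hw
\taction order 1: mirred (Egress Mirror to device veth1) pipe
filter protocol ip pref 49152 flower handle 0x1
  skip_sw
  in_hw
\taction order 1:  vlan push id 52 protocol 802.1Q priority 0 pipe
filter protocol ip pref 49153 flower handle 0x1
\taction order 1: gact action drop
"""
HEADER = re.compile(r"^filter protocol \S+ pref (\d+) (\S+)(.*)$")

def offload_status(text):
    """Return [(pref, kind, policy, hw_state)] with one tuple per filter rule."""
    records, rules = [], []
    for line in text.splitlines():
        if line.startswith("filter "):
            records.append([line])          # a new record starts at each header
        elif records:
            records[-1].append(line)        # indented detail lines belong to it
    for rec in records:
        m = HEADER.match(rec[0])
        rest = m.group(3).split() if m else []
        # Assumed heuristic: a rule line carries "handle" (or "key" for u32);
        # bare classifier headers and u32 hash tables are skipped.
        if "handle" not in rest and "key" not in rest:
            continue
        tokens = rest + " ".join(rec[1:]).split()
        if "action" in tokens:              # flags are printed before the actions
            tokens = tokens[:tokens.index("action")]
        policy = next((t for t in tokens if t in ("skip_sw", "skip_hw")), "both")
        if "in_hw" not in tokens:
            state = "unknown"               # neither flag: older kernel
        elif tokens[tokens.index("in_hw") - 1] == "not":
            state = "not_in_hw"
        else:
            state = "in_hw"
        rules.append((int(m.group(1)), m.group(2), policy, state))
    return rules
```

Rules reported as `not_in_hw` are handled only by the software datapath, and `unknown` means the kernel did not report either flag, so neither should be counted as enforced in the NIC.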
