Date:   Mon, 19 Nov 2018 01:15:07 +0100
From:   Pablo Neira Ayuso <pablo@...filter.org>
To:     netdev@...r.kernel.org
Cc:     davem@...emloft.net, thomas.lendacky@....com, f.fainelli@...il.com,
        ariel.elior@...ium.com, michael.chan@...adcom.com,
        santosh@...lsio.com, madalin.bucur@....com,
        yisen.zhuang@...wei.com, salil.mehta@...wei.com,
        jeffrey.t.kirsher@...el.com, tariqt@...lanox.com,
        saeedm@...lanox.com, jiri@...lanox.com, idosch@...lanox.com,
        jakub.kicinski@...ronome.com, peppe.cavallaro@...com,
        grygorii.strashko@...com, andrew@...n.ch,
        vivien.didelot@...oirfairelinux.com, alexandre.torgue@...com,
        joabreu@...opsys.com, linux-net-drivers@...arflare.com,
        ganeshgr@...lsio.com, ogerlitz@...lanox.com
Subject: [PATCH 00/12 net-next,v2] add flow_rule infrastructure

Hi,

This patchset introduces a kernel intermediate representation (IR) to
express ACL hardware offloads, as already described in the previous RFC and
v1 patchset [1] [2]. The idea is to normalize the frontend U/APIs to use
the flow dissectors and the flow actions so drivers can reuse the
existing TC offload driver codebase - that has been converted to use the
flow_rule infrastructure.

After this patch, as Or previously described, there is one extra layer:

kernel frontend U/API X --> kernel parser Y --> IR --> driver --> HW API
kernel frontend U/API Z --> kernel parser W --> IR --> driver --> HW API

However, the cost of this layer is very small: adding 1 million rules via
tc -batch, perf shows:

     0.06%  tc               [kernel.vmlinux]    [k] tc_setup_flow_action

at position 187 in the call graph, far from the top ten. The flow_match
representation uses the flow dissector infrastructure, just like
cls_flower, therefore, there is no need for conversion of the rule match
side.

The flow_action representation is very similar to the TC action plus
this includes wake-up-on-lan and queue to CPU actions that are needed
for the ethtool_rx_flow_spec interface in the bcm_sf2 driver, that is
converted in this patchset to use it. It is now possible to add tc
cls_flower support for bcm_sf2 and reuse the existing parser that was
originally designed for the ethtool_rx_flow_spec interface.

As requested, this new patchset also converts qlogic/qede to use this
new infrastructure (see patch 12/12). This driver currently has two
parsers, one for ethtool_rx_flow_spec and another for tc cls_flower.
This driver supports simple 5-tuple matching and the available actions
are packet drop and queue. This patch updates the driver code to use one
single parser to populate HW IR.

Thanks.

[1] https://lwn.net/Articles/766695/
[2] https://marc.info/?l=linux-netdev&m=154233253114506&w=2

Pablo Neira Ayuso (12):
  flow_dissector: add flow_rule and flow_match structures and use them
  net/mlx5e: support for two independent packet edit actions
  flow_dissector: add flow action infrastructure
  cls_api: add translator to flow_action representation
  cls_flower: add statistics retrieval infrastructure and use it
  drivers: net: use flow action infrastructure
  cls_flower: don't expose TC actions to drivers anymore
  flow_dissector: add wake-up-on-lan and queue to flow_action
  flow_dissector: add basic ethtool_rx_flow_spec to flow_rule structure
    translator
  dsa: bcm_sf2: use flow_rule infrastructure
  qede: place ethtool_rx_flow_spec after code after TC flower codebase
  qede: use ethtool_rx_flow_rule() to remove duplicated parser code

 drivers/net/dsa/bcm_sf2_cfp.c                      | 108 +--
 drivers/net/ethernet/broadcom/bnxt/bnxt_tc.c       | 252 +++----
 .../net/ethernet/chelsio/cxgb4/cxgb4_tc_flower.c   | 450 ++++++-------
 drivers/net/ethernet/intel/i40e/i40e_main.c        | 178 ++---
 drivers/net/ethernet/intel/iavf/iavf_main.c        | 195 +++---
 drivers/net/ethernet/intel/igb/igb_main.c          |  64 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c    | 743 ++++++++++-----------
 drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c |   2 +-
 .../net/ethernet/mellanox/mlxsw/spectrum_flower.c  | 259 ++++---
 drivers/net/ethernet/netronome/nfp/flower/action.c | 196 +++---
 drivers/net/ethernet/netronome/nfp/flower/match.c  | 417 ++++++------
 .../net/ethernet/netronome/nfp/flower/offload.c    | 151 ++---
 drivers/net/ethernet/qlogic/qede/qede_filter.c     | 537 ++++++---------
 include/net/flow_dissector.h                       | 185 +++++
 include/net/pkt_cls.h                              |  29 +-
 net/core/flow_dissector.c                          | 341 ++++++++++
 net/sched/cls_api.c                                | 113 ++++
 net/sched/cls_flower.c                             |  42 +-
 18 files changed, 2279 insertions(+), 1983 deletions(-)

-- 
2.11.0
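
The layering described in the cover letter above (two frontends, two parsers, one IR, one driver-side parser), as an added userspace model that is not code from the patchset. Every type and function name is hypothetical, and the match is reduced to three fields. With a single driver parser there is one place that refuses rules the hardware cannot express exactly.

```c
#include <stdint.h>
/* Userspace model; every name here is hypothetical, none is a kernel API. */
enum ir_act { IR_DROP, IR_QUEUE };
struct ir_rule {                 /* shared IR: masked match plus one action */
    uint32_t dst, dst_mask, queue; uint16_t dport, dport_mask;
    uint8_t proto; enum ir_act act; };
struct x_spec { uint32_t dst; uint16_t dport; uint8_t proto; uint64_t ring; };
struct z_rule { uint32_t dst, dst_mask; uint16_t dport, dport_mask;
                uint8_t proto; int drop; uint32_t queue; };
struct hw_entry { uint32_t dst, queue; uint16_t dport; uint8_t proto, drop; };
#define X_RING_DROP UINT64_MAX   /* constructed "discard" cookie */

/* Parser Y: frontend X carries exact values only; zero means wildcard. */
void x_to_ir(const struct x_spec *s, struct ir_rule *r)
{
    r->dst = s->dst;     r->dst_mask = s->dst ? UINT32_MAX : 0;
    r->dport = s->dport; r->dport_mask = s->dport ? UINT16_MAX : 0;
    r->proto = s->proto;
    r->act = s->ring == X_RING_DROP ? IR_DROP : IR_QUEUE;
    r->queue = r->act == IR_QUEUE ? (uint32_t)s->ring : 0;
}

/* Parser W: frontend Z already carries key/mask pairs. */
void z_to_ir(const struct z_rule *z, struct ir_rule *r)
{
    r->dst = z->dst & z->dst_mask;       r->dst_mask = z->dst_mask;
    r->dport = z->dport & z->dport_mask; r->dport_mask = z->dport_mask;
    r->proto = z->proto;
    r->act = z->drop ? IR_DROP : IR_QUEUE;
    r->queue = z->drop ? 0 : z->queue;
}

/* The one driver-side parser. This model's hardware matches exact fields
 * only, so any other mask is refused instead of installing a different ACL. */
int drv_program(const struct ir_rule *r, struct hw_entry *hw)
{
    if (r->dst_mask != UINT32_MAX || r->dport_mask != UINT16_MAX)
        return -1;
    hw->dst = r->dst; hw->dport = r->dport; hw->proto = r->proto;
    hw->drop = r->act == IR_DROP; hw->queue = r->queue;
    return 0;
}

int main(void)
{
    struct z_rule z = { 0x0a000001, 0xffffff00, 443, UINT16_MAX, 6, 1, 0 };
    struct ir_rule r; struct hw_entry hw;
    z_to_ir(&z, &r);                             /* constructed /24 rule */
    return drv_program(&r, &hw) == -1 ? 0 : 1;   /* partial mask is refused */
}
```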
