lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 31 Oct 2019 19:55:34 +0000
From:   Ariel Levkovich <lariel@...lanox.com>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     Jiri Pirko <jiri@...lanox.com>,
        "stephen@...workplumber.org" <stephen@...workplumber.org>,
        Ariel Levkovich <lariel@...lanox.com>
Subject: [PATCH iproute2-next v2 3/3] ip: Add SR-IOV VF VGT+ support

Introduce a new API that can add/remove allowed vlan-ids per VF to
support the VGT+ feature.
Also intoroduce a new API to query the current allowed vlan-ids per VF.

VGT+ is a security feature that gives the administrator the ability of
controlling the allowed vlan-ids list that can be transmitted/received
from/to the VF.
The allowed vlan-ids list is called "trunk".
Admin can add/delete a range of allowed vlan-ids via iptool.

Example:
After this series of configuration :
1) ip link set eth3 vf 0 trunk add 10 100 (allow vlan-id 10-100, default tpid 0x8100)
2) ip link set eth3 vf 0 trunk add 105 proto 802.1q (allow vlan-id 105 tpid 0x8100)
3) ip link set eth3 vf 0 trunk add 105 proto 802.1ad (allow vlan-id 105 tpid 0x88a8)
4) ip link set eth3 vf 0 trunk rem 90 (block vlan-id 90)
5) ip link set eth3 vf 0 trunk rem 50 60 (block vlan-ids 50-60)
The VF 0 can only communicate on vlan-ids: 10-49,61-89,91-100,105 with tpid 0x8100
and vlan-id 105 with tpid 0x88a8.

For this purpose we added the following netlink sr-iov commands:
1) IFLA_VF_VLAN_RANGE: used to add/remove allowed vlan-ids range.
we added the ifla_vf_vlan_range struct to specify the range we want to
add/remove from the userspace.
2) IFLA_VF_VLAN_TRUNK: used to query the allowed vlan-ids trunk.
we added ifla_vf_vlan_trunk struct for sending the allowed vlan-ids
trunk to the userspace.
The allowed vlan-ids will be presented only when the query is for
a specific vf.

Example:
Running the following command will set the vlan trunk to include 10-100:
1)ip link set eth3 vf 0 trunk add 10 100

Then running:
2)ip link show dev eth3 vf 0
Will show:
vf 0     link/ether 00:00:00:00:00:00 brd 00:00:00:00:00:f3, spoof checking off, link-state auto, trust off, query_rss off
    Allowed 802.1Q VLANs: 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28,
    29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52,
    53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76,
    77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100.

Signed-off-by: Ariel Levkovich <lariel@...lanox.com>
---
 include/uapi/linux/if_link.h | 19 ++++++++++++++++
 ip/ipaddress.c               | 52 ++++++++++++++++++++++++++++++++++++++++++++
 ip/iplink.c                  | 46 +++++++++++++++++++++++++++++++++++++++
 man/man8/ip-link.8.in        | 17 ++++++++++++++-
 4 files changed, 133 insertions(+), 1 deletion(-)

diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index 6304add..ff29803 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -698,6 +698,8 @@ enum {
 	IFLA_VF_VLAN_LIST,	/* nested list of vlans, option for QinQ */
 	IFLA_VF_BROADCAST,	/* VF broadcast */
 	IFLA_VF_VLAN_MODE,	/* vlan tagging mode */
+	IFLA_VF_VLAN_RANGE,	/* VF add/remove vlan-ids range */
+	IFLA_VF_VLAN_TRUNK,	/* VF allowed vlan-ids trunk */
 	__IFLA_VF_MAX,
 };
 
@@ -747,6 +749,23 @@ struct ifla_vf_vlan_info {
 	__be16 vlan_proto; /* VLAN protocol either 802.1Q or 802.1ad */
 };
 
+struct ifla_vf_vlan_range {
+	__u32 vf;
+	__u32 start_vid;   /* 0 - 4095, 0 - for untagged and priority tagged */
+	__u32 end_vid;     /* 0 - 4095, 0 - for untagged and priority tagged */
+	__u32 setting;     /* 0 : Add range , 1 : Remove range */
+	__be16 vlan_proto; /* VLAN protocol either 802.1Q or 802.1ad */
+};
+
+#define BITS_PER_BYTE		8
+#define VLAN_N_VID		4096
+#define VF_VLAN_BITMAP		__KERNEL_DIV_ROUND_UP(VLAN_N_VID, sizeof(__u64) * BITS_PER_BYTE)
+struct ifla_vf_vlan_trunk {
+	__u32 vf;
+	__u64 trunk_vid_8021q_bitmap[VF_VLAN_BITMAP];
+	__u64 trunk_vid_8021ad_bitmap[VF_VLAN_BITMAP];
+};
+
 struct ifla_vf_tx_rate {
 	__u32 vf;
 	__u32 rate; /* Max TX bandwidth in Mbps, 0 disables throttling */
diff --git a/ip/ipaddress.c b/ip/ipaddress.c
index 9c04cee..961d2dc 100644
--- a/ip/ipaddress.c
+++ b/ip/ipaddress.c
@@ -350,6 +350,7 @@ static void print_af_spec(FILE *fp, struct rtattr *af_spec_attr)
 }
 
 static void print_vf_stats64(FILE *fp, struct rtattr *vfstats);
+static void print_vf_vlan_trunk(FILE *fp, __u64 *bitmap, const char *proto);
 
 static const char *vlan_modes[] = {
 	[IFLA_VF_VLAN_MODE_UNSPEC] = "n/a",
@@ -545,6 +546,18 @@ static void print_vfinfo(FILE *fp, struct ifinfomsg *ifi, struct rtattr *vfinfo)
 
 	if (vf[IFLA_VF_STATS] && show_stats)
 		print_vf_stats64(fp, vf[IFLA_VF_STATS]);
+
+	/*
+	 * VF trunk query should always be the last if-condition because it adds
+	 * new lines to the end of the vf info output.
+	 */
+	if (vf[IFLA_VF_VLAN_TRUNK]) {
+		struct ifla_vf_vlan_trunk *vf_trunk =
+				RTA_DATA(vf[IFLA_VF_VLAN_TRUNK]);
+
+		print_vf_vlan_trunk(fp, vf_trunk->trunk_vid_8021q_bitmap, "802.1Q");
+		print_vf_vlan_trunk(fp, vf_trunk->trunk_vid_8021ad_bitmap, "802.1ad");
+	}
 }
 
 void print_num(FILE *fp, unsigned int width, uint64_t count)
@@ -587,6 +600,45 @@ void print_num(FILE *fp, unsigned int width, uint64_t count)
 	fprintf(fp, "%-*s ", width, buf);
 }
 
+static void print_vf_vlan_trunk(FILE *fp, __u64 *bitmap, const char *proto)
+{
+#define VF_VLAN_TRUNK_LINE_SZ	100
+	int vids_per_dword = sizeof(bitmap[0]) * 8;
+	char trunk_line[2 * VF_VLAN_TRUNK_LINE_SZ] = {0};
+	bool printed_title = false;
+	bool need_newline = false;
+	int vid;
+
+	for (vid = 0; vid < VLAN_N_VID ; vid++) {
+		if ((bitmap[vid / vids_per_dword] >> (vid % vids_per_dword)) & 0x1) {
+			if (strlen(trunk_line) >= VF_VLAN_TRUNK_LINE_SZ)
+				need_newline = true;
+
+			if (!printed_title) {
+				sprintf(trunk_line,
+					"\n    Allowed %s VLANs: ", proto);
+				printed_title = true;
+			}
+
+			if (need_newline) {
+				fprintf(fp, "%s", trunk_line);
+				trunk_line[0] = '\0';
+			}
+
+			sprintf(trunk_line, "%s%s%d, ", trunk_line,
+				(need_newline ? "\n    " : ""), vid);
+
+			need_newline = false;
+		}
+	}
+
+	if (strlen(trunk_line)) {
+		trunk_line[strlen(trunk_line) - 2] = '.';
+		trunk_line[strlen(trunk_line) - 1] = '\0';
+		fprintf(fp, "%s", trunk_line);
+	}
+}
+
 static void print_vf_stats64(FILE *fp, struct rtattr *vfstats)
 {
 	struct rtattr *vf[IFLA_VF_STATS_MAX + 1];
diff --git a/ip/iplink.c b/ip/iplink.c
index ef33232..31076fc 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -89,6 +89,7 @@ void iplink_usage(void)
 		"			[ alias NAME ]\n"
 		"			[ vf NUM [ mac LLADDR ]\n"
 		"				 [ vlan VLANID [ qos VLAN-QOS ] [ proto VLAN-PROTO ] ]\n"
+		"				 [ trunk { add | rem } START-VLANID [ END-VLANID ] [ proto VLAN-PROTO ] ]\n"
 		"				 [ rate TXRATE ]\n"
 		"				 [ max_tx_rate TXRATE ]\n"
 		"				 [ min_tx_rate TXRATE ]\n"
@@ -429,6 +430,51 @@ static int iplink_parse_vf(int vf, int *argcp, char ***argvp,
 				}
 				addattr_nest_end(&req->n, vfvlanlist);
 			}
+		} else if (matches(*argv, "trunk") == 0) {
+			struct ifla_vf_vlan_range ivvr;
+
+			ivvr.vf = vf;
+			ivvr.vlan_proto = htons(ETH_P_8021Q);
+			NEXT_ARG();
+			if (matches(*argv, "add") && matches(*argv, "rem"))
+				invarg("Invalid \"trunk\" operation\n", *argv);
+			ivvr.setting = !matches(*argv, "add");
+			NEXT_ARG();
+			if (get_unsigned(&ivvr.start_vid, *argv, 0))
+				invarg("Invalid \"trunk\" start value\n", *argv);
+			ivvr.end_vid = ivvr.start_vid;
+			if (NEXT_ARG_OK()) {
+				NEXT_ARG();
+				if (get_unsigned(&ivvr.end_vid, *argv, 0))
+					PREV_ARG();
+			}
+			if (NEXT_ARG_OK()) {
+				NEXT_ARG();
+				if (matches(*argv, "proto") == 0) {
+					NEXT_ARG();
+					if (ll_proto_a2n(&ivvr.vlan_proto, *argv))
+						invarg("protocol is invalid\n", *argv);
+					if (ivvr.vlan_proto != htons(ETH_P_8021AD) &&
+					    ivvr.vlan_proto != htons(ETH_P_8021Q)) {
+						SPRINT_BUF(b1);
+						SPRINT_BUF(b2);
+						char msg[64 + sizeof(b1) + sizeof(b2)];
+
+						sprintf(msg,
+							"Invalid \"vlan protocol\" value - supported %s, %s\n",
+							ll_proto_n2a(htons(ETH_P_8021Q),
+								     b1, sizeof(b1)),
+							ll_proto_n2a(htons(ETH_P_8021AD),
+								     b2, sizeof(b2)));
+						invarg(msg, *argv);
+					}
+				} else {
+					/* rewind arg */
+					PREV_ARG();
+				}
+			}
+			addattr_l(&req->n, sizeof(*req),
+				  IFLA_VF_VLAN_RANGE, &ivvr, sizeof(ivvr));
 		} else if (matches(*argv, "rate") == 0) {
 			struct ifla_vf_tx_rate ivt;
 
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 29744d4..23f6235 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -128,7 +128,12 @@ ip-link \- network device configuration
 .br
 .RB "[ " node_guid " eui64 ]"
 .br
-.RB "[ " port_guid " eui64 ] ]"
+.RB "[ " port_guid " eui64 ]"
+.br
+.RB "[ " trunk " { " add " | " rem " } "
+.IR START-VLAN-ID " [ " END-VLAN-ID " ] "
+.RB "[ " proto
+.IR VLAN-PROTO " ] ] ] "
 .br
 .in -9
 .RB "[ { " xdp " | " xdpgeneric  " | " xdpdrv " | " xdpoffload " } { " off " | "
@@ -2043,6 +2048,16 @@ performance. (e.g. VF multicast promiscuous mode)
 .sp
 .BI port_guid " eui64"
 - configure port GUID for Infiniband VFs.
+.sp
+.BI trunk " add|rem START-VLANID [END-VLANID] [proto VLAN-PROTO] "
+- add or remove allowed vlan-ids range that can be used by the VF. Range 0-4095
+while 0 is used for untagged and priority tagged traffic.
+.B vf
+parameter must be specified.
+.B END-VLANID
+parameter is optional. If omitted, assumes range of one vlan-id.
+.B proto
+parameter is optional, either 802.1Q or 802.1ad. If omitted, assumes 802.1Q.
 .in -8
 
 .TP
-- 
1.8.3.1

Powered by blists - more mailing lists