| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 26 Nov 2019 16:18:54 +0800
From: wenxu <wenxu@...oud.cn>
To: Paul Blakey <paulb@...lanox.com>
Cc: "pablo@...filter.org" <pablo@...filter.org>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Mark Bloch <markb@...lanox.com>
Subject: Re: Question about flow table offload in mlx5e
Hi Paul,
Did your test for this case? There are some problem that I reported?
BR
wenxu
On 11/24/2019 4:46 PM, Paul Blakey wrote:
> Hi,
>
> The syn packet might not be actually offloaded because there isn't a neighbor to resolve the destination mac for the tunnel destination ip (next hop mac).
> Try setting the neighbor via "ip neigh replace dev mlx5_p0 172.168.152.241 lladdr <next hop mac>"
> Or running ping to 172.168.152.241 before adding (or in background) the rule to resolve the mac and make available.
> I'll test it on my end.
>
>
> Thanks,
> Paul.
>
>
>> -----Original Message-----
>> From: wenxu <wenxu@...oud.cn>
>> Sent: Friday, November 22, 2019 8:26 AM
>> To: Paul Blakey <paulb@...lanox.com>
>> Cc: pablo@...filter.org; netdev@...r.kernel.org; Mark Bloch
>> <markb@...lanox.com>
>> Subject: Re: Question about flow table offload in mlx5e
>>
>> Hi Paul,
>>
>>
>> There are some update. I also test it through replacing mlx5e_rep_setup_tc
>> _cb with mlx5e_rep_setup_ft_cb
>>
>>
>> ifconfig mlx_p0 172.168.152.75/24 up
>>
>> ip l add dev tun1 type gretap external
>> tc qdisc add dev tun1 ingress
>> tc qdisc add dev mlx_pf0vf0 ingress
>>
>> tc filter add dev mlx_pf0vf0 pref 2 ingress protocol ip flower skip_sw
>> ip_proto tcp dst_ip 10.0.1.241 src_ip 10.0.0.75 src_port 5002 dst_port 5001
>> tcp_flags 0/0x5 action tunnel_key set dst_ip 172.168.152.241 src_ip 0 id 1000
>> nocsum pipe action mirred egress redirect dev tun1
>>
>> tc filter add dev tun1 pref 2 ingress protocol ip flower ip_proto tcp src_ip
>> 10.0.1.241 dst_ip 10.0.0.75 src_port 5001 dst_port 5002 tcp_flags 0/0x5
>> enc_key_id 1000 enc_src_ip 172.168.152.241 action tunnel_key unset pipe
>> action mirred egress redirect dev mlx_pf0vf0
>>
>>
>> If you run this script on the host, and in the virtual machine run "iperf -c
>> 10.0.1.241 -i 2 -B 10.0.0.75:5002 -t 1000"
>>
>> The tcp syn packet will not be offloaded
>>
>>
>> But if you only run the script without the last filter as following , The tcp syn
>> packet will be offloaded.
>>
>> ifconfig mlx_p0 172.168.152.75/24 up
>>
>> ip l add dev tun1 type gretap external
>> tc qdisc add dev tun1 ingress
>> tc qdisc add dev mlx_pf0vf0 ingress
>>
>> tc filter add dev mlx_pf0vf0 pref 2 ingress protocol ip flower skip_sw
>> ip_proto tcp dst_ip 10.0.1.241 src_ip 10.0.0.75 src_port 5002 dst_port 5001
>> tcp_flags 0/0x5 action tunnel_key set dst_ip 172.168.152.241 src_ip 0 id 1000
>> nocsum pipe action mirred egress redirect dev tun1.
>>
>> I think there are some problem in mlx5e_rep_setup_ft_cb.
>>
>> On 11/21/2019 9:05 PM, Paul Blakey wrote:
>>
>>
>> I see, I will test that, and how about normal FWD rules?
>>
>> Paul.
>>
>>
>>
>> -----Original Message-----
>> From: wenxu <wenxu@...oud.cn>
>> <mailto:wenxu@...oud.cn>
>> Sent: Thursday, November 21, 2019 2:35 PM
>> To: Paul Blakey <paulb@...lanox.com>
>> <mailto:paulb@...lanox.com>
>> Cc: pablo@...filter.org <mailto:pablo@...filter.org> ;
>> netdev@...r.kernel.org <mailto:netdev@...r.kernel.org> ; Mark Bloch
>> <markb@...lanox.com> <mailto:markb@...lanox.com>
>> Subject: Re: Question about flow table offload in mlx5e
>>
>>
>> 在 2019/11/21 19:39, Paul Blakey 写道:
>>
>> They are good fixes, exactly what we had when we
>> tested this, thanks.
>>
>> Regarding encap, I don't know what changes you did,
>> how does the encap
>>
>> rule look? Is it a FWD to vxlan device? If not it should be, as
>> our driver
>> expects that.
>> It is fwd to a gretap devices
>>
>>
>> I tried it on my setup via tc, by changing the callback
>> of tc
>>
>> (mlx5e_rep_setup_tc_cb) to that of ft
>> (mlx5e_rep_setup_ft_cb),
>>
>> and testing a vxlan encap rule:
>> sudo tc qdisc add dev ens1f0_0 ingress
>> sudo ifconfig ens1f0 7.7.7.7/24 up
>> sudo ip link add name vxlan0 type vxlan dev ens1f0
>> remote 7.7.7.8 dstport
>>
>> 4789 external
>>
>> sudo ifconfig vxlan0 up
>> sudo tc filter add dev ens1f0_0 ingress prio 1 chain 0
>> protocol ip flower
>>
>> dst_mac aa:bb:cc:dd:ee:ff ip_proto udp skip_sw action
>> tunnel_key set
>> src_ip 0.0.0.0 dst_ip 7.7.7.8 id 1234 dst_port 4789 pipe action
>> mirred egress
>> redirect dev vxlan
>>
>>
>> then tc show:
>> filter protocol ip pref 1 flower chain 0 handle 0x1
>> dst_mac aa:bb:cc:dd:ee:ff
>>
>> ip_proto udp skip_sw in_hw in_hw_count 1
>>
>> tunnel_key set src_ip 0.0.0.0 dst_ip 7.7.7.8 key_id
>> 1234 dst_port 4789
>>
>> csum pipe
>>
>> Stats: used 119 sec 0 pkt
>> mirred (Egress Redirect to device vxlan0)
>> Stats: used 119 sec 0 pkt
>>
>>
>> Can you send packet that match this offloaded flow to check
>> it is real
>> offloaded?
>>
>> In the flowtable offload with my patches both
>> TC_SETUP_BLOCK and
>> TC_SETUP_FT can offload the rule success
>>
>> But in the TC_SETUP_FT case the packet is not real offloaded.
>>
>>
>> I will test like u did.
>>
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: wenxu <wenxu@...oud.cn>
>> <mailto:wenxu@...oud.cn>
>> Sent: Thursday, November 21, 2019 10:29 AM
>> To: Paul Blakey <paulb@...lanox.com>
>> <mailto:paulb@...lanox.com>
>> Cc: pablo@...filter.org
>> <mailto:pablo@...filter.org> ; netdev@...r.kernel.org
>> <mailto:netdev@...r.kernel.org> ; Mark Bloch
>> <markb@...lanox.com>
>> <mailto:markb@...lanox.com>
>> Subject: Re: Question about flow table
>> offload in mlx5e
>>
>>
>> On 11/21/2019 3:42 PM, Paul Blakey wrote:
>>
>> Hi,
>>
>> The original design was the block
>> setup to use TC_SETUP_FT type, and
>>
>> the
>>
>> tc event type to be case
>> TC_SETUP_CLSFLOWER.
>>
>> We will post a patch to change that. I
>> would advise to wait till we fix that
>>
>> 😊
>>
>> I'm not sure how you get to this
>> function mlx5e_rep_setup_ft_cb() if it
>>
>> the
>>
>> nf_flow_table_offload ndo_setup_tc event
>> was TC_SETUP_BLOCK, and
>>
>> not
>>
>> TC_SETUP_FT.
>>
>>
>> Yes I change the TC_SETUP_BLOCK to
>> TC_SETUP_FT in the
>> nf_flow_table_offload_setup.
>>
>> Two fixes patch provide:
>>
>> http://patchwork.ozlabs.org/patch/1197818/
>>
>> http://patchwork.ozlabs.org/patch/1197876/
>>
>> So this change made by me is not correct
>> currently?
>>
>>
>> In our driver en_rep.c we have:
>>
>> -------switch (type) {
>> -------case TC_SETUP_BLOCK:
>> ------->-------return
>> flow_block_cb_setup_simple(type_data,
>> ------->------->------->------->------->---
>> ----
>>
>> &mlx5e_rep_block_tc_cb_list,
>>
>> ------->------->------->------->------->---
>> ---- mlx5e_rep_setup_tc_cb,
>> ------->------->------->------->------->---
>> ---- priv, priv, true);
>> -------case TC_SETUP_FT:
>> ------->-------return
>> flow_block_cb_setup_simple(type_data,
>> ------->------->------->------->------->---
>> ----
>>
>> &mlx5e_rep_block_ft_cb_list,
>>
>> ------->------->------->------->------->---
>> ---- mlx5e_rep_setup_ft_cb,
>> ------->------->------->------->------->---
>> ---- priv, priv, true);
>> -------default:
>> ------->-------return -EOPNOTSUPP;
>> -------}
>>
>> In nf_flow_table_offload.c:
>>
>> -------bo.binder_type>-=
>>
>> FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
>>
>> -------bo.extack>------= &extack;
>> -------INIT_LIST_HEAD(&bo.cb_list);
>> -------err = dev->netdev_ops-
>>> ndo_setup_tc(dev, TC_SETUP_BLOCK,
>> &bo);
>>
>> -------if (err < 0)
>> ------->-------return err;
>> -------return
>> nf_flow_table_block_setup(flowtable, &bo, cmd);
>>
>> }
>>
>> EXPORT_SYMBOL_GPL(nf_flow_table_offload_setup);
>>
>>
>> So unless you changed that as well,
>> you should have gotten to
>>
>> mlx5e_rep_setup_tc_cb and not
>> mlx5e_rep_setup_tc_ft.
>>
>> Regarding the encap action, there
>> should be no difference on which
>>
>> chain
>>
>> the rule is on.
>>
>>
>> But for the same encap rule can be real
>> offloaded when setup through
>> through TC_SETUP_BLOCK. But TC_SETUP_FT
>> can't.
>>
>> So it is the problem of TC_SETUP_FT in
>> mlx5e_rep_setup_ft_cb ?
>>
>>
>>
>>
>> -----Original Message-----
>> From: wenxu <wenxu@...oud.cn>
>> <mailto:wenxu@...oud.cn>
>> Sent: Thursday, November 21, 2019
>> 9:30 AM
>> To: Paul Blakey
>> <paulb@...lanox.com> <mailto:paulb@...lanox.com>
>> Cc: pablo@...filter.org
>> <mailto:pablo@...filter.org> ; netdev@...r.kernel.org
>> <mailto:netdev@...r.kernel.org> ; Mark Bloch
>> <markb@...lanox.com>
>> <mailto:markb@...lanox.com>
>> Subject: Question about flow table
>> offload in mlx5e
>>
>> Hi paul,
>>
>> The flow table offload in the mlx5e is
>> based on TC_SETUP_FT.
>>
>>
>> It is almost the same as
>> TC_SETUP_BLOCK.
>>
>> It just set
>> MLX5_TC_FLAG(FT_OFFLOAD) flags and change
>> cls_flower.common.chain_index =
>> FDB_FT_CHAIN;
>>
>> In following codes line 1380 and 1392
>>
>> 1368 static int
>> mlx5e_rep_setup_ft_cb(enum tc_setup_type type, void
>> *type_data,
>> 1369 void *cb_priv)
>> 1370 {
>> 1371 struct flow_cls_offload *f =
>> type_data;
>> 1372 struct flow_cls_offload
>> cls_flower;
>> 1373 struct mlx5e_priv *priv =
>> cb_priv;
>> 1374 struct mlx5_eswitch *esw;
>> 1375 unsigned long flags;
>> 1376 int err;
>> 1377
>> 1378 flags =
>> MLX5_TC_FLAG(INGRESS) |
>> 1379
>> MLX5_TC_FLAG(ESW_OFFLOAD) |
>> 1380
>> MLX5_TC_FLAG(FT_OFFLOAD);
>> 1381 esw = priv->mdev-
>>> priv.eswitch;
>> 1382
>> 1383 switch (type) {
>> 1384 case
>> TC_SETUP_CLSFLOWER:
>> 1385 if
>> (!mlx5_eswitch_prios_supported(esw) || f-
>>
>> common.chain_index)
>>
>> 1386 return -
>> EOPNOTSUPP;
>> 1387
>> 1388 /* Re-use tc offload
>> path by moving the ft flow to the
>> 1389 * reserved ft chain.
>> 1390 */
>> 1391 memcpy(&cls_flower, f,
>> sizeof(*f));
>> 1392
>> cls_flower.common.chain_index = FDB_FT_CHAIN;
>> 1393 err =
>> mlx5e_rep_setup_tc_cls_flower(priv, &cls_flower,
>>
>> flags);
>>
>> 1394 memcpy(&f->stats,
>> &cls_flower.stats, sizeof(f->stats));
>>
>>
>> I want to add tunnel offload support
>> in the flow table, I add some
>>
>> patches
>>
>> in
>>
>> nf_flow_table_offload.
>>
>> Also add the indr setup support in the
>> mlx driver. And Now I can flow
>>
>> table
>>
>> offload with decap.
>>
>>
>> But I meet a problem with the encap.
>> The encap rule can be added in
>> hardware successfully But it can't be
>> offloaded.
>>
>> But I think the rule I added is correct.
>> If I mask the line 1392. The rule
>>
>> also
>>
>> can
>>
>> be add success and can be offloaded.
>>
>> So there are some limit for encap
>> operation for FT_OFFLOAD in
>> FDB_FT_CHAIN?
>>
>>
>> BR
>>
>> wenxu
>>
Powered by blists - more mailing lists