Date:   Tue, 25 Feb 2020 11:45:17 +0100
From:   Jiri Pirko <jiri@...nulli.us>
To:     netdev@...r.kernel.org
Cc:     davem@...emloft.net, kuba@...nel.org, nhorman@...driver.com,
        jhs@...atatu.com, xiyou.wangcong@...il.com, idosch@...lanox.com,
        mlxsw@...lanox.com
Subject: [patch net-next v2 00/10] mlxsw: Implement ACL-dropped packets identification

From: Jiri Pirko <jiri@...lanox.com>

mlxsw hardware allows inserting an ACL-drop action with a value defined
by the user that would later be passed with a dropped packet.

To implement this, use the existing TC action cookie and pass it to the
driver. As the cookie format coming down from TC and the mlxsw HW cookie
format are different, do the mapping of these two using idr and rhashtable.

The cookie is passed up from the HW through devlink_trap_report() to
drop_monitor code. A new metadata type is used for that.

Example:
$ tc qdisc add dev enp0s16np1 clsact
$ tc filter add dev enp0s16np1 ingress protocol ip pref 10 flower skip_sw dst_ip 192.168.1.2 action drop cookie 3b45fa38c8
                                                                                                                ^^^^^^^^^^
$ devlink trap set pci/0000:00:10.0 trap acl action trap
$ dropwatch
Initializing null lookup method
dropwatch> set hw true
setting hardware drops monitoring to 1
dropwatch> set alertmode packet
Setting alert mode
Alert mode successfully set
dropwatch> start
Enabling monitoring...
Kernel monitoring activated.
Issue Ctrl-C to stop monitoring
drop at: ingress_flow_action_drop (acl_drops)
origin: hardware
input port ifindex: 30
input port name: enp0s16np1
cookie: 3b45fa38c8    <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
timestamp: Fri Jan 24 17:10:53 2020 715387671 nsec
protocol: 0x800
length: 98
original length: 98

This way the user may insert multiple drop rules and monitor the dropped
packets with the information of which action caused the drop.

Jiri Pirko (10):
  flow_offload: pass action cookie through offload structures
  devlink: add trap metadata type for cookie
  drop_monitor: extend by passing cookie from driver
  devlink: extend devlink_trap_report() to accept cookie and pass
  mlxsw: core_acl_flex_actions: Add trap with userdef action
  mlxsw: core_acl_flex_actions: Implement flow_offload action cookie
    offload
  mlxsw: pci: Extract cookie index for ACL discard trap packets
  mlxsw: spectrum_trap: Lookup and pass cookie down to
    devlink_trap_report()
  netdevsim: add ACL trap reporting cookie as a metadata
  selftests: netdevsim: Extend devlink trap test to include flow action
    cookie

 drivers/net/ethernet/mellanox/mlxsw/core.h    |   5 +-
 .../mellanox/mlxsw/core_acl_flex_actions.c    | 289 +++++++++++++++++-
 .../mellanox/mlxsw/core_acl_flex_actions.h    |   7 +-
 drivers/net/ethernet/mellanox/mlxsw/pci.c     |   9 +
 drivers/net/ethernet/mellanox/mlxsw/pci_hw.h  |   5 +
 .../net/ethernet/mellanox/mlxsw/spectrum.h    |  11 +-
 .../ethernet/mellanox/mlxsw/spectrum_acl.c    |   7 +-
 .../ethernet/mellanox/mlxsw/spectrum_flower.c |   3 +-
 .../ethernet/mellanox/mlxsw/spectrum_trap.c   |  46 ++-
 drivers/net/netdevsim/dev.c                   | 117 ++++++-
 drivers/net/netdevsim/netdevsim.h             |   2 +
 include/net/devlink.h                         |   8 +-
 include/net/drop_monitor.h                    |   3 +
 include/net/flow_offload.h                    |  11 +
 include/uapi/linux/devlink.h                  |   2 +
 include/uapi/linux/net_dropmon.h              |   1 +
 net/core/devlink.c                            |  14 +-
 net/core/drop_monitor.c                       |  33 +-
 net/core/flow_offload.c                       |  21 ++
 net/sched/cls_api.c                           |  31 +-
 .../drivers/net/netdevsim/devlink_trap.sh     |   5 +
 21 files changed, 605 insertions(+), 25 deletions(-)

-- 
2.21.1
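
The per-rule monitoring described in the cover letter can be post-processed as in the following added example, which is not part of the patch series or of dropwatch: it tallies dropwatch packet alerts per drop rule through the cookie field. It assumes alerts in the text layout shown in the example above; the sample records (apart from cookie 3b45fa38c8) and the `RULES` map are constructed.

```python
from collections import defaultdict

# Constructed alerts in the layout shown above; only cookie 3b45fa38c8 is from
# the cover letter, the other cookie, ports and lengths are made up.
SAMPLE = """\
drop at: ingress_flow_action_drop (acl_drops)
input port name: enp0s16np1
cookie: 3b45fa38c8
timestamp: Fri Jan 24 17:10:53 2020 715387671 nsec
length: 98
drop at: ingress_flow_action_drop (acl_drops)
input port name: enp0s16np1
cookie: 3b45fa38c8
length: 60
drop at: ingress_flow_action_drop (acl_drops)
input port name: enp0s16np2
cookie: 00c0ffee
length: 1500
drop at: ingress_flow_action_drop (acl_drops)
input port name: enp0s16np1
length: 64
"""

def parse_alerts(text):
    """Split dropwatch packet alerts into dicts; 'drop at:' opens a record."""
    records, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split on the first colon only
        if not sep:
            continue  # blank lines, prompts and banner text carry no field
        if key.strip() == "drop at":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key.strip()] = value.strip()
    return records

def drops_by_rule(records, rules):
    """Total packets and bytes per rule label, keyed through the cookie."""
    totals = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for rec in records:
        cookie = rec.get("cookie", "").lower()
        label = rules.get(cookie, f"unmapped:{cookie}" if cookie else "no-cookie")
        totals[label]["packets"] += 1
        totals[label]["bytes"] += int(rec.get("length", 0))
    return dict(totals)

# Hypothetical operator-kept map: value given to `tc ... cookie` -> rule name.
RULES = {"3b45fa38c8": "block-192.168.1.2"}
```

Drops that carry a cookie absent from the map, or no cookie at all, are reported under their own labels rather than discarded, so rules installed without a recorded cookie remain visible in the totals.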
