lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <05d6df9a-4e84-0e8d-0c4c-7f04cb18bb6a@mojatatu.com>
Date:   Fri, 26 Jun 2020 09:28:08 -0400
From:   Jamal Hadi Salim <jhs@...atatu.com>
To:     Po Liu <po.liu@....com>,
        "davem@...emloft.net" <davem@...emloft.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "idosch@...sch.org" <idosch@...sch.org>
Cc:     "jiri@...nulli.us" <jiri@...nulli.us>,
        "vinicius.gomes@...el.com" <vinicius.gomes@...el.com>,
        "vlad@...lov.dev" <vlad@...lov.dev>,
        Claudiu Manoil <claudiu.manoil@....com>,
        Vladimir Oltean <vladimir.oltean@....com>,
        Alexandru Marginean <alexandru.marginean@....com>,
        "michael.chan@...adcom.com" <michael.chan@...adcom.com>,
        "vishal@...lsio.com" <vishal@...lsio.com>,
        "saeedm@...lanox.com" <saeedm@...lanox.com>,
        "leon@...nel.org" <leon@...nel.org>,
        "jiri@...lanox.com" <jiri@...lanox.com>,
        "idosch@...lanox.com" <idosch@...lanox.com>,
        "alexandre.belloni@...tlin.com" <alexandre.belloni@...tlin.com>,
        "UNGLinuxDriver@...rochip.com" <UNGLinuxDriver@...rochip.com>,
        "kuba@...nel.org" <kuba@...nel.org>,
        "xiyou.wangcong@...il.com" <xiyou.wangcong@...il.com>,
        "simon.horman@...ronome.com" <simon.horman@...ronome.com>,
        "pablo@...filter.org" <pablo@...filter.org>,
        "moshe@...lanox.com" <moshe@...lanox.com>,
        "m-karicheri2@...com" <m-karicheri2@...com>,
        "andre.guedes@...ux.intel.com" <andre.guedes@...ux.intel.com>,
        "stephen@...workplumber.org" <stephen@...workplumber.org>,
        Edward Cree <ecree@...arflare.com>
Subject: Re: [v1,net-next 3/4] net: qos: police action add index for tc flower
 offloading

On 2020-06-24 8:34 p.m., Po Liu wrote:
> 
> 
>> -----Original Message-----

>> That is the point i was trying to get to. Basically:
>> You have a counter table which is referenced by "index"
>> You also have a meter/policer table which is referenced by "index".
> 
> They should be one same group and same meaning.
> 

Didnt follow. You mean the index is the same for both the
stat and policer?

>>
>> For policers, they maintain their own stats. So when i say:
>> tc ... flower ... action police ... index 5 The index referred to is in the
>> policer table
>>
> 
> Sure. Means police with No. 5 entry.
> 
>> But for other actions, example when i say:
>> tc ... flower ... action drop index 10
> 
> Still the question, does gact action drop could bind with index? It doesn't meanful.
> 

Depends on your hardware. From this discussion i am
trying to understand where the constraint is for your case.
Whether it is your h/w or the TSN spec.
For a sample counting which is flexible see here:
https://p4.org/p4-spec/docs/PSA.html#sec-counters

That concept is not specific to P4 but rather to
newer flow-based hardware.

More context:
The assumption these days is we can have a _lot_ of flows with a lot
of actions.
Then you want to be able to collect the stats separately, possibly one
counter entry for each action of interest.
Why is this important?f For analytics uses cases,
when you are retrieving the stats you want to reduce the amount of
data being retrieved. Typically these stats are polled every X seconds.
For starters, you dont dump filters (which in your case seems to be
the only way to get the stats).
In current tc, you dump the actions. But that could be improved so
you can just dump the stats. The mapping of stats index to actions
is known to the entity doing the dump.

Does that make sense?

>> The index is in the counter/stats table.
>> It is not exactly "10" in hardware, the driver magically hides it from the
>> user - so it could be hw counter index 1234
> 
> Not exactly. Current flower offloading stats means get the chain index for that flow filter. The other actions should bind to that chain index.
 >

So if i read correctly: You have an index per filter pointing to the
counter table.
Is this something _you_ decided to do in software or is it how the
hardware works? (note i referred to this as "legacy ACL" approach
earlier. It worked like that in old hardware because the main use
case was to have one action on a match (drop/accept kind).

>Like IEEE802.1Qci, what I am doing is bind gate action to filter chain(mandatory). And also police action as optional.

I cant seem to find this spec online. Is it freely available?
Also, if i understand you correctly you are saying according to this
spec you can only have the following type of policy:
tc .. filter match-spec-here .. \
action gate gate-action-attributes \
action police ...

That "action gate" MUST always be present
but "action police" is optional?

> There is stream counter table which summary the counters pass gate action entry and police action entry for that chain index(there is a bit different if two chain sharing same action list).
> One chain counter which tc show stats get counter source:
> struct psfp_streamfilter_counters {
>          u64 matching_frames_count;
>          u64 passing_frames_count;
>          u64 not_passing_frames_count;
>          u64 passing_sdu_count;
>          u64 not_passing_sdu_count;
>          u64 red_frames_count;
> };
>

Assuming psfp is something defined in IEEE802.1Qci and the spec will
describe these?
Is the filter  "index" pointing to one of those in some counter table?


> When pass to the user space, summarize as:
>          stats.pkts = counters.matching_frames_count +  counters.not_passing_sdu_count - filter->stats.pkts;
 >
>          stats.drops = counters.not_passing_frames_count + counters.not_passing_sdu_count +   counters.red_frames_count - filter->stats.drops;
>

Thanks for the explanation.
What is filter->stats?
The rest of those counters seem related to the gate action.
How do you account for policing actions?

cheers,
jamal

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ