Message-Id: <20200929101016.3743530-22-vladimir.oltean@nxp.com>
Date:   Tue, 29 Sep 2020 13:10:16 +0300
From:   Vladimir Oltean <vladimir.oltean@....com>
To:     davem@...emloft.net
Cc:     alexandre.belloni@...tlin.com, andrew@...n.ch,
        f.fainelli@...il.com, vivien.didelot@...il.com,
        horatiu.vultur@...rochip.com, joergen.andreasen@...rochip.com,
        allan.nielsen@...rochip.com, alexandru.marginean@....com,
        claudiu.manoil@....com, xiaoliang.yang_1@....com,
        hongbo.wang@....com, netdev@...r.kernel.org, kuba@...nel.org,
        jiri@...nulli.us, idosch@...sch.org, UNGLinuxDriver@...rochip.com
Subject: [RFC PATCH v2 net-next 21/21] selftests: ocelot: add some example VCAP IS1, IS2 and ES0 tc offloads

Provide an example script which can be used as a skeleton for offloading
TCAM rules in the Ocelot switches.

Signed-off-by: Vladimir Oltean <vladimir.oltean@....com>
---
Changes in v2:
None.

 MAINTAINERS                                   |   1 +
 .../drivers/net/ocelot/test_tc_chains.sh      | 179 ++++++++++++++++++
 2 files changed, 180 insertions(+)
 create mode 100755 tools/testing/selftests/drivers/net/ocelot/test_tc_chains.sh

diff --git a/MAINTAINERS b/MAINTAINERS
index 42c69d2eeece..bcd6852f1c65 100644
--- a/MAINTAINERS
+++ b/MAINTAINERS
@@ -12542,6 +12542,7 @@ F:	drivers/net/dsa/ocelot/*
 F:	drivers/net/ethernet/mscc/
 F:	include/soc/mscc/ocelot*
 F:	net/dsa/tag_ocelot.c
+F:	tools/testing/selftests/drivers/net/ocelot/*
 
 OCXL (Open Coherent Accelerator Processor Interface OpenCAPI) DRIVER
 M:	Frederic Barrat <fbarrat@...ux.ibm.com>
diff --git a/tools/testing/selftests/drivers/net/ocelot/test_tc_chains.sh b/tools/testing/selftests/drivers/net/ocelot/test_tc_chains.sh
new file mode 100755
index 000000000000..89274a3e9874
--- /dev/null
+++ b/tools/testing/selftests/drivers/net/ocelot/test_tc_chains.sh
@@ -0,0 +1,179 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright 2020 NXP Semiconductors
+
+# Helpers to map a VCAP IS1 and VCAP IS2 lookup and policy to a chain number
+# used by the kernel driver. The numbers are:
+# VCAP IS1 lookup 0:            10000
+# VCAP IS1 lookup 1:            11000
+# VCAP IS1 lookup 2:            12000
+# VCAP IS2 lookup 0 policy 0:   20000
+# VCAP IS2 lookup 0 policy 1:   20001
+# VCAP IS2 lookup 0 policy 255: 20255
+# VCAP IS2 lookup 1 policy 0:   21000
+# VCAP IS2 lookup 1 policy 1:   21001
+# VCAP IS2 lookup 1 policy 255: 21255
+IS1() {
+	local lookup=$1
+
+	echo $((10000 + 1000 * lookup))
+}
+
+IS2() {
+	local lookup=$1
+	local pag=$2
+
+	echo $((20000 + 1000 * lookup + pag))
+}
+
+show_pretty_filters() {
+	local eth=$1
+	local output=
+
+	output=$(tc filter show dev $eth ingress)
+	output="${output//chain $(IS1 0)/VCAP IS1 lookup 0}"
+	output="${output//chain $(IS1 1)/VCAP IS1 lookup 1}"
+	output="${output//chain $(IS1 2)/VCAP IS1 lookup 2}"
+
+	for pag in {0..255}; do
+		output="${output//chain $(IS2 0 $pag)/VCAP IS2 lookup 0 policy $pag}"
+		output="${output//chain $(IS2 1 $pag)/VCAP IS2 lookup 1 policy $pag}"
+	done
+
+	echo "$output"
+}
+
+eth=swp2
+
+tc qdisc add dev $eth clsact
+
+# Set up the TCAM skeleton.
+# The Ocelot switches have a fixed ingress pipeline composed of:
+#
+# +----------------------------------------------+      +-----------------------------------------+
+# |                   VCAP IS1                   |      |                  VCAP IS2               |
+# |                                              |      |                                         |
+# | +----------+    +----------+    +----------+ |      |            +----------+    +----------+ |
+# | | Lookup 0 |    | Lookup 1 |    | Lookup 2 | | --+------> PAG 0: | Lookup 0 | -> | Lookup 1 | |
+# | +----------+ -> +----------+ -> +----------+ |   |  |            +----------+    +----------+ |
+# | |key&action|    |key&action|    |key&action| |   |  |            |key&action|    |key&action| |
+# | |key&action|    |key&action|    |key&action| |   |  |            |    ..    |    |    ..    | |
+# | |    ..    |    |    ..    |    |    ..    | |   |  |            +----------+    +----------+ |
+# | +----------+    +----------+    +----------+ |   |  |                                         |
+# |                                 selects PAG  |   |  |            +----------+    +----------+ |
+# +----------------------------------------------+   +------> PAG 1: | Lookup 0 | -> | Lookup 1 | |
+#                                                    |  |            +----------+    +----------+ |
+#                                                    |  |            |key&action|    |key&action| |
+#                                                    |  |            |    ..    |    |    ..    | |
+#                                                    |  |            +----------+    +----------+ |
+#                                                    |  |      ...                                |
+#                                                    |  |                                         |
+#                                                    |  |            +----------+    +----------+ |
+#                                                    +----> PAG 254: | Lookup 0 | -> | Lookup 1 | |
+#                                                    |  |            +----------+    +----------+ |
+#                                                    |  |            |key&action|    |key&action| |
+#                                                    |  |            |    ..    |    |    ..    | |
+#                                                    |  |            +----------+    +----------+ |
+#                                                    |  |                                         |
+#                                                    |  |            +----------+    +----------+ |
+#                                                    +----> PAG 255: | Lookup 0 | -> | Lookup 1 | |
+#                                                       |            +----------+    +----------+ |
+#                                                       |            |key&action|    |key&action| |
+#                                                       |            |    ..    |    |    ..    | |
+#                                                       |            +----------+    +----------+ |
+#                                                       +-----------------------------------------+
+#
+# Both the VCAP IS1 (Ingress Stage 1) and IS2 (Ingress Stage 2) are indexed
+# (looked up) multiple times: IS1 3 times, and IS2 2 times. Each filter
+# (key and action pair) can be configured to only match during the first, or
+# second, etc, lookup.
+#
+# During one TCAM lookup, the filter processing stops at the first entry that
+# matches, then the pipeline jumps to the next lookup.
+# The driver maps each individual lookup of each individual ingress TCAM to a
+# separate chain number. For correct rule offloading, it is mandatory that each
+# filter installed in one TCAM is terminated by a non-optional GOTO action to
+# the next lookup from the fixed pipeline.
+#
+# A chain can only be used if there is a GOTO action correctly set up from the
+# prior lookup in the processing pipeline. Setting up all chains is not
+# mandatory.
+
+# VCAP IS1 is the Ingress Classification TCAM and can offload the following
+# actions:
+# - skbedit priority
+# - vlan pop
+# - vlan modify
+# - goto (only in lookup 2, the last IS1 lookup)
+#
+# VSC7514 documentation says:
+# Each lookup returns an action vector if there is a match. The potentially
+# three IS1 action vectors are applied in three steps. First, the action vector
+# from the first lookup is applied, then the action vector from the second
+# lookup is applied to the result from the first action vector, and finally,
+# the action vector from the third lookup is applied to the result from the
+# second action vector. This implies that if two or more lookups return an
+# action of DP_ENA = 1; for example, the DP_VAL from the last lookup is used.
+
+tc filter add dev $eth ingress chain 0 flower skip_sw action goto chain $(IS1 0)
+
+#######
+# VCAP IS1 entries in lookup 0
+#######
+tc filter add dev $eth ingress chain $(IS1 0) \
+	protocol ipv4 flower skip_sw src_ip 10.1.1.2 \
+	action skbedit priority 7 \
+	action goto chain $(IS1 1)
+# Last filter must be a catch-all GOTO to the next lookup
+tc filter add dev $eth ingress chain $(IS1 0) flower skip_sw action goto chain $(IS1 1)
+
+# VCAP IS1 entries in lookup 1
+tc filter add dev $eth ingress chain $(IS1 1) \
+	protocol 802.1Q flower skip_sw vlan_id 100 \
+	action vlan modify id 10 \
+	action goto chain $(IS1 2)
+# Last filter must be a catch-all GOTO to the next lookup
+tc filter add dev $eth ingress chain $(IS1 1) flower skip_sw action goto chain $(IS1 2)
+
+#######
+# VCAP IS1 entries in lookup 2. Policies, if used, can only be applied here
+# (as the second parameter to the IS2 helper).
+#######
+# ...
+# Last filter must be a catch-all GOTO to the next lookup
+tc filter add dev $eth ingress chain $(IS1 2) flower skip_sw action goto chain $(IS2 0 0)
+
+# VCAP IS2 is the Security Enforcement ingress TCAM and can offload the
+# following actions:
+# - trap
+# - drop
+# - police
+# The two VCAP IS2 lookups can be segmented into up to 256 groups of rules,
+# called Policies. A Policy is selected through the Policy Association Group
+# (PAG) action of VCAP IS1 (which is the GOTO offload).
+
+#######
+# VCAP IS2 entries in lookup 0. The default policy (0) is used.
+#######
+tc filter add dev $eth ingress chain $(IS2 0 0) \
+	protocol ipv4 flower skip_sw ip_proto udp dst_port 5201 \
+	action police rate 50mbit burst 64k \
+	action goto chain $(IS2 1 0)
+# ...
+# Last filter must be a catch-all GOTO to the next lookup
+tc filter add dev $eth ingress chain $(IS2 0 0) flower skip_sw action goto chain $(IS2 1 0)
+
+#######
+# VCAP IS2 lookup 1, the last pipeline stage, does not need a final GOTO.
+#######
+tc filter add dev $eth ingress chain $(IS2 1 0) \
+	flower skip_sw dst_mac ff:ff:ff:ff:ff:ff \
+	action mirred egress redirect dev swp3
+
+#######
+# VCAP ES0
+#######
+tc filter add dev $eth egress protocol 802.1Q flower skip_sw indev swp0 \
+	vlan_id 1 vlan_prio 1 action vlan push protocol 802.1ad id 2 priority 2
+
+show_pretty_filters $eth
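Review bot: As a selftest this script cannot report failure and never cleans up: there is no `set -e` and no per-command check, so a `tc filter add ... skip_sw` that the driver refuses to offload does not stop the run, which still ends with the exit status of `show_pretty_filters` (the final `echo`, so 0). Since IS2 is the security-enforcement TCAM, a regression in offloading the police rule would pass unnoticed. I would add `set -e` after the licence header and, right after `tc qdisc add dev $eth clsact`, `trap 'tc qdisc del dev "$eth" clsact' EXIT`, so the policer and the broadcast redirect to swp3 do not stay installed on the port and a second run does not fail on the existing qdisc. Separately, the IS2 comment lists only trap, drop and police while the lookup 1 example uses `mirred egress redirect`; either the list or the example looks out of date.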
-- 
2.25.1
