lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Fri, 11 Feb 2022 19:24:34 +0100
From:   Petr Machata <petrm@...dia.com>
To:     Vladimir Oltean <olteanv@...il.com>
CC:     Petr Machata <petrm@...dia.com>, Andrew Lunn <andrew@...n.ch>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, <netdev@...r.kernel.org>,
        Ido Schimmel <idosch@...dia.com>,
        Alexander Duyck <alexander.duyck@...il.com>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Jiri Pirko <jiri@...dia.com>, <f.fainelli@...il.com>,
        <vivien.didelot@...il.com>
Subject: Re: [RFC PATCH net-next 1/2] net: dsa: allow setting port-based QoS
 priority using tc matchall skbedit


Vladimir Oltean <olteanv@...il.com> writes:

> On Fri, Feb 11, 2022 at 08:52:20AM +0100, Petr Machata wrote:
>> 
>> Vladimir Oltean <olteanv@...il.com> writes:
>> 
>> > Hi Andrew,
>> >
>> > On Thu, 14 Jan 2021 at 03:03, Andrew Lunn <andrew@...n.ch> wrote:
>> >> On Thu, Jan 14, 2021 at 02:17:59AM +0200, Vladimir Oltean wrote:
>> >> > On Thu, Jan 14, 2021 at 12:41:28AM +0100, Andrew Lunn wrote:
>> >> > > On Wed, Jan 13, 2021 at 05:41:38PM +0200, Vladimir Oltean wrote:
>> >> > > > + int     (*port_priority_set)(struct dsa_switch *ds, int port,
>> >> > > > +                              struct dsa_mall_skbedit_tc_entry *skbedit);
>> >> > >
>> >> > > The fact we can turn this on/off suggests there should be a way to
>> >> > > disable this in the hardware, when the matchall is removed. I don't
>> >> > > see any such remove support in this patch.
>> >> >
>> >> > I don't understand this comment, sorry. When the matchall filter
>> >> > containing the skbedit action gets removed, DSA calls the driver's
>> >> > .port_priority_set callback again, this time with a priority of 0.
>> >> > There's nothing to "remove" about a port priority. I made an assumption
>> >> > (which I still consider perfectly reasonable) that no port-based
>> >> > prioritization means that all traffic gets classified to traffic class 0.
>> >>
>> >> That does not work for mv88e6xxx. Its default setup, if i remember
>> >> correctly, is it looks at the TOS bits to determine priority
>> >> classes. So in its default state, it is using all the available
>> >> traffic classes.  It can also be configured to look at the VLAN
>> >> priority, or the TCAM can set the priority class, or there is a per
>> >> port default priority, which is what you are describing here. There
>> >> are bits to select which of these happen on ingress, on a per port
>> >> basis.
>> >>
>> >> So setting the port priority to 0 means setting the priority of
>> >> zero. It does not mean go back to the default prioritisation scheme.
>> >>
>> >> I guess any switch which has a range of options for prioritisation
>> >> selection will have a similar problem. It defaults to something,
>> >> probably something a bit smarter than everything goes to traffic class
>> >> 0.
>> >>
>> >>       Andrew
>> >
>> > I was going through my old patches, and re-reading this conversation,
>> > it appears one of us is misunderstanding something.
>> >
>> > I looked at some Marvell datasheet and it has a similar QoS
>> > classification pipeline to Vitesse switches. There is a port-based
>> > default priority which can be overridden by IP DSCP, VLAN PCP, or
>> > advanced QoS classification (TCAM).
>> >
>> > The proposal I had was to configure the default port priority using tc
>> > matchall skbedit priority. Advanced QoS classification would then be
>> > expressed as tc-flower filters with a higher precedence than the
>> > matchall (basically the "catchall"). PCP and DSCP, I don't know if
>> > that can be expressed cleanly using tc. I think there's something in
>> > the dcb ops, but I haven't studied that too deeply.
>> 
>> In 802.1Q-2014, port-default priority is handled as APP entries matching
>> on EtherType of 0. (See Table D-9.) Those are "default priority. For use
>> when priority is not otherwise specified".
>> 
>> So DCB ops just handle these as APP entries. Dunno what DSA does. In
>> mlxsw, we call dcb_ieee_getapp_default_prio_mask() when the DCP set_app
>> hook fires to find the relevant entries and get the priority bitmask.
>
> Thanks, these are great pointers. Last time I looked at DCB ops, the dcb
> iproute program didn't exist, one had to use some LLDP tool IIRC, and it
> was a bit cumbersome and I dismissed it without even looking at all the
> details, I didn't notice that the port-default priority corresponds to a
> selector of 1 and a protocol of 0.
>
> The point is that I'm not bent on using tc-matchall for port-based
> default priority, it's just that I wasn't aware of a better way.
> But I'll look into adding support for DCB ops for my DSA driver, sounds
> like a much, much better fit.
>
>> Now I don't understand DSA at all, but given a chip with fancy defaults,
>> for the DCB interface in particular, it would make sense to me to have
>> two ops. As long as there are default-prio entries, a "set default
>> priority" op would get invoked with the highest configured default
>> priority. When the last entry disappears, an "unset" op would be called.
>
> I don't understand this comment, sorry. I don't know what's a "chip with
> fancy defaults".

I'm referring here to Andrew's "I guess any switch [...] defaults to
something [...] a bit smarter than everything goes to traffic class 0".

>> Not sure what DSA does with ACLs, but it's not clear to me how TC-based
>> prioritization rules coexist with full blown ACLs. I suppose the prio
>> stuff could live on chain 0 and all actions would be skbedit prio pipe
>> goto chain 1 or something. And goto chain 0 is forbidden, because chain
>> 0 is special. Or maybe the prioritization stuff lives on a root qdisc
>> (but no, we need it for ingress packets...) One way or another it looks
>> hairy to dissect and offload accurately IMHO.
>
> There's nothing to understand about the DSA core at all, it has no
> saying in how prioritization or TC rules are configured, that is left
> down to the hardware driver.
>
> To make sure we use the same terminology, when you say "how TC-based
> prioritization rules coexist with full blown ACLs", you mean
> trap/drop/redirect by ACLs, right?

Yeah. But also simple stuff, like skbedit priority, but with complex
matching. Think flower match on a side chain that only gets invoked when
another flower match hits.

> So the ocelot driver has a programmable, fixed pipeline of multiple
> ingress stages (VCAP IS1 for VLAN editing and advanced QoS classification)
> and egress stages (VCAP ES0 for egress VLAN rewriting). We model the
> entire TCAM subsystem using one chain per TCAM lookup, and force gotos
> from the current stage to the next. See
> tools/testing/selftests/drivers/net/ocelot/tc_flower_chains.sh for the
> intended usage model.
>
> Now, that's all for advanced QoS classification, not for port-based
> default, VLAN PCP and IP DSCP. My line of thinking is that we could do
> the latter via dcb-app, and leave the former where it is (skbedit with
> tc-flower), and they'd coexist just fine, right?

That's what we do. I don't like it very much, because DCB is this odd
HW-centric thing that you can't run on bridged veths. But unfortunately
TC filter configuration that describes the dumb stuff and then follows
up with more of the complex stuff that needs to happen _as well_, seems
like it would be a mess to both dissect in the driver and use on the
command line.

Maybe we need a multi-stage clsact qdisc, or something like that... ^o^

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ