Message-ID: <20230112105905.1738-1-paulb@nvidia.com>
Date:   Thu, 12 Jan 2023 12:58:59 +0200
From:   Paul Blakey <paulb@...dia.com>
To:     Paul Blakey <paulb@...dia.com>, <netdev@...r.kernel.org>,
        Saeed Mahameed <saeedm@...dia.com>,
        Paolo Abeni <pabeni@...hat.com>,
        Jakub Kicinski <kuba@...nel.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Jamal Hadi Salim <jhs@...atatu.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        "David S. Miller" <davem@...emloft.net>
CC:     Oz Shlomo <ozsh@...dia.com>, Jiri Pirko <jiri@...dia.com>,
        Roi Dayan <roid@...dia.com>, Vlad Buslov <vladbu@...dia.com>
Subject: [PATCH net-next 0/4] net/sched: cls_api: Support hardware miss to tc action

Hi,

This series adds support for hardware miss to a specific tc action
instance on a filter's action list. The mlx5 driver patch (besides
the refactors) shows its usage instead of using just chain restore.

This miss to action supports partial offload of a filter's action list,
and lets software continue processing where hardware left off.

Example is the CT action, where new connections need to be handled in
software. And if there is a packet modifying action before the CT action,
then restoring only the chain on misses might cause the rule to not
re-execute the relevant filter in software.

Consider the following scenario:

$ tc filter add dev dev1 ingress chain 0 proto ip flower \
  ct_state -trk dst_mac fe:50:56:26:13:7d \
  action pedit ex munge eth dst aa:bb:cc:dd:ee:01 \
  action ct \
  action goto chain 1
$ tc filter add dev dev1 ingress chain 1 proto ip flower \
  ct_state +trk+est \
  action mirred egress redirect dev ...
$ tc filter add dev dev1 ingress chain 1 proto ip flower \
  ct_state +trk+new \
  action ct commit \
  action mirred egress redirect dev dev2

$ tc filter add dev dev2 ingress chain 0 proto ip flower \
  action ct \
  action mirred egress redirect dev dev1

A packet doing the pedit in hardware (setting dst_mac to aa:bb:cc:dd:ee:01),
missing in the ct action, and restarting in chain 0 in software will fail
matching the original dst_mac in the flower filter on chain 0.

The above scenario is supported in mlx5 driver by reordering the actions
so ct will be done in hardware before the pedit action, but some packet
modifications can't be reordered in regards to the ct action. An example
of that is a modification to the tuple fields (e.g. action pedit ex munge ip
dst 1.1.1.1) since it affects the ct action's result (as it does lookup based
on ip).
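To make the failure mode concrete, the following is an added toy model of the scenario above (illustration only, not code from the series or the mlx5 driver). It constructs a filter table mirroring the chain 0 / chain 1 rules on dev1, runs a packet through "hardware" until the ct action misses on a new connection, and then resumes in "software" either by re-classifying in the missed chain (chain restore) or at the exact action instance that missed. The tuple value, the `devX` redirect target (the cover letter elides that device) and the trace format are assumptions made for the example.

```python
"""Toy model of hardware miss handling: chain restore versus miss to action.
Added illustration, not code from the patch series. The filter table is
constructed to mirror the cover letter's chain 0 / chain 1 rules on dev1."""
from dataclasses import dataclass, field

ORIG_DST = "fe:50:56:26:13:7d"   # value the chain 0 flower filter matches on
NEW_DST = "aa:bb:cc:dd:ee:01"    # value pedit writes before the ct action
TUPLE = ("10.0.0.1", "10.0.0.2", 6, 40000, 80)   # constructed 5-tuple


@dataclass
class Filter:
    chain: int
    match: dict     # packet field -> required value
    actions: list   # ordered (action, argument) pairs


@dataclass
class Packet:
    fields: dict
    trace: list = field(default_factory=list)   # "hw:<action>" / "sw:<action>"


# Constructed filter table: chain 0 rewrites dst_mac, then ct, then goto chain 1.
# "devX" stands in for the elided redirect device of the +trk+est rule.
FILTERS = [
    Filter(0, {"dst_mac": ORIG_DST, "ct_state": "-trk"},
           [("pedit", ("dst_mac", NEW_DST)), ("ct", None), ("goto", 1)]),
    Filter(1, {"ct_state": "+trk+est"}, [("mirred", "devX")]),
    Filter(1, {"ct_state": "+trk+new"}, [("ct commit", None), ("mirred", "dev2")]),
]


def lookup(chain, pkt):
    """Return the first filter in `chain` whose match fields all agree with the packet."""
    for flt in FILTERS:
        if flt.chain == chain and all(pkt.fields.get(k) == v for k, v in flt.match.items()):
            return flt
    return None


def execute(pkt, flt, start, conntrack, in_hw):
    """Run flt.actions from index `start`. Hardware cannot handle a new
    connection, so a ct lookup miss in hardware stops at that action index."""
    for idx in range(start, len(flt.actions)):
        name, arg = flt.actions[idx]
        pkt.trace.append(f"{'hw' if in_hw else 'sw'}:{name}")
        if name == "pedit":
            pkt.fields[arg[0]] = arg[1]
        elif name == "ct":
            if pkt.fields["tuple"] in conntrack:
                pkt.fields["ct_state"] = "+trk+est"
            elif in_hw:
                return "miss", idx
            else:
                pkt.fields["ct_state"] = "+trk+new"
        elif name == "ct commit":
            conntrack.add(pkt.fields["tuple"])
        elif name == "goto":
            return "goto", arg
        elif name == "mirred":
            return "redirect", arg
    return "drop", "(end of action list)"


def process(pkt, conntrack, restore):
    """Classify `pkt` from chain 0, in hardware until the first miss.
    restore="chain": software re-runs classification in the missed chain.
    restore="action": software resumes at the action instance that missed."""
    chain, flt, idx, in_hw = 0, None, 0, True
    while True:
        if flt is None:
            flt = lookup(chain, pkt)
            if flt is None:
                return "drop (no filter matched)"
            idx = 0
        status, arg = execute(pkt, flt, idx, conntrack, in_hw)
        if status == "miss":
            in_hw = False
            if restore == "chain":
                flt = None      # re-classify, but pedit already changed dst_mac
            else:
                idx = arg       # continue exactly where hardware stopped
        elif status == "goto":
            chain, flt = arg, None
        else:
            return f"{status} {arg}"


def new_packet():
    """Constructed packet on a connection conntrack has not seen yet."""
    return Packet({"dst_mac": ORIG_DST, "ct_state": "-trk", "tuple": TUPLE})


if __name__ == "__main__":
    for restore in ("chain", "action"):
        pkt = new_packet()
        print(restore, "->", process(pkt, set(), restore), pkt.trace)
    print("established ->", process(new_packet(), {TUPLE}, "chain"))
```

With chain restore the software re-lookup in chain 0 sees dst_mac already set to aa:bb:cc:dd:ee:01, matches nothing and drops the packet; resuming at the ct action instead carries on with ct, goto chain 1, ct commit and the redirect to dev2. An established connection never misses and completes in hardware in both modes.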

Paul Blakey (6):
  net/sched: cls_api: Support hardware miss to tc action
  net/sched: flower: Move filter handle initialization earlier
  net/sched: flower: Support hardware miss to tc action
  net/mlx5: Refactor tc miss handling to a single function
  net/mlx5e: Rename CHAIN_TO_REG to MAPPED_OBJ_TO_REG
  net/mlx5: TC, Set CT miss to the specific ct action instance

 .../ethernet/mellanox/mlx5/core/en/rep/tc.c   | 225 ++------------
 .../mellanox/mlx5/core/en/tc/sample.c         |   2 +-
 .../ethernet/mellanox/mlx5/core/en/tc_ct.c    |  32 +-
 .../ethernet/mellanox/mlx5/core/en/tc_ct.h    |   2 +
 .../net/ethernet/mellanox/mlx5/core/en_rx.c   |   4 +-
 .../net/ethernet/mellanox/mlx5/core/en_tc.c   | 276 ++++++++++++++++--
 .../net/ethernet/mellanox/mlx5/core/en_tc.h   |  21 +-
 .../net/ethernet/mellanox/mlx5/core/eswitch.h |   2 +
 .../mellanox/mlx5/core/lib/fs_chains.c        |  14 +-
 include/linux/skbuff.h                        |   6 +-
 include/net/flow_offload.h                    |   1 +
 include/net/pkt_cls.h                         |  20 +-
 include/net/sch_generic.h                     |   2 +
 net/openvswitch/flow.c                        |   2 +-
 net/sched/act_api.c                           |   2 +-
 net/sched/cls_api.c                           | 208 ++++++++++++-
 net/sched/cls_flower.c                        |  75 +++--
 17 files changed, 580 insertions(+), 314 deletions(-)

-- 
2.30.1
