| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 19 Aug 2023 13:35:11 -0300
From: Victor Nogueira <victor@...atatu.com>
To: jhs@...atatu.com,
xiyou.wangcong@...il.com,
jiri@...nulli.us,
davem@...emloft.net,
edumazet@...gle.com,
kuba@...nel.org,
pabeni@...hat.com,
netdev@...r.kernel.org
Cc: mleitner@...hat.com,
vladbu@...dia.com,
horms@...nel.org,
pctammela@...atatu.com,
kernel@...atatu.com
Subject: [PATCH net-next v2 0/3] net/sched: Introduce tc block ports tracking and use
__context__
The "tc block" is a collection of netdevs/ports which allow qdiscs to share
match-action block instances (as opposed to the traditional tc filter per
netdev/port)[1].
Example setup:
$ tc qdisc add dev ens7 ingress block 22
$ tc qdisc add dev ens8 ingress block 22
Once the block is created we can add a filter using the block index:
$ tc filter add block 22 protocol ip pref 25 \
flower dst_ip 192.168.0.0/16 action drop
A packet with dst IP matching 192.168.0.0/16 arriving on the ingress of
either ens7 or ens8 is dropped.
__this patchset__
Up to this point in the implementation, the block is unaware of its ports.
This patch fixes that and makes the tc block ports available to the
datapath as well as the offload control path (by virtue of the ports being
in the tc block structure).
For the datapath we provide a use case of the tc block in an action
we call "blockcast" in patch 3. This action can be used in an example as
such:
$ tc qdisc add dev ens7 ingress block 22
$ tc qdisc add dev ens8 ingress block 22
$ tc qdisc add dev ens9 ingress block 22
$ tc filter add block 22 protocol ip pref 25 \
flower dst_ip 192.168.0.0/16 action blockcast
When a packet(matching dst IP 192.168.0.0/16) arrives on the ingress of any
of ens7, ens8 or ens9 it will be copied to all ports other than itself.
For example, if it arrives on ens8 then a copy of the packet will be
"blockcasted";-> to both ens7 and ens9 (unmodified), but not to ens7.
For an offload path, one use case is to "group" all ports belonging to a
PCI device into the same tc block.
Patch 1 introduces the required infra. Patch 2 exposes the tc block to the
tc datapath and patch 3 implements datapath usage via a new tc action
"blockcast".
__Acknowledgements__
Suggestions from Vlad Buslov and Marcelo Ricardo Leitner made this patchset
better. The idea of integrating the ports into the tc block was suggested
by Jiri Pirko.
[1] See commit ca46abd6f89f ("Merge branch 'net-sched-allow-qdiscs-to-share-filter-block-instances'")
Changes in v2:
- Remove RFC tag
- Add more details in patch 0(Jiri)
- When CONFIG_NET_TC_SKB_EXT is selected we have unused qdisc_cb
Reported-by: kernel test robot <lkp@...el.com> (and horms@...nel.org)
- Fix bad dev dereference in printk of blockcast action (Simon)
Victor Nogueira (3):
net/sched: Introduce tc block netdev tracking infra
net/sched: cls_api: Expose tc block ports to the datapath
Introduce blockcast tc action
include/net/sch_generic.h | 8 +
include/net/tc_wrapper.h | 5 +
net/sched/Kconfig | 13 ++
net/sched/Makefile | 1 +
net/sched/act_blockcast.c | 299 ++++++++++++++++++++++++++++++++++++++
net/sched/cls_api.c | 11 +-
net/sched/sch_api.c | 79 +++++++++-
net/sched/sch_generic.c | 40 ++++-
8 files changed, 449 insertions(+), 7 deletions(-)
create mode 100644 net/sched/act_blockcast.c
--
2.34.1
Powered by blists - more mailing lists