Alternative short title: don't instruct the hardware to match on
EtherType with "protocol 802.1Q" flower filters. It doesn't work for the
reasons detailed below.
With a command such as the following:
tc filter add dev $swp1 ingress chain $(IS1 2) pref 3 \
protocol 802.1Q flower skip_sw vlan_id 200 src_mac $h1_mac \
action vlan modify id 300 \
action goto chain $(IS2 0 0)
the created filter is set by ocelot_flower_parse_key() to be of type
OCELOT_VCAP_KEY_ETYPE, and etype is set to {value=0x8100, mask=0xffff}.
This gets propagated all the way to is1_entry_set() which commits it to
hardware (the VCAP_IS1_HK_ETYPE field of the key). Compare this to the
case where src_mac isn't specified - the key type is OCELOT_VCAP_KEY_ANY,
and is1_entry_set() doesn't populate VCAP_IS1_HK_ETYPE.
The problem is that for VLAN-tagged frames, the hardware interprets the
ETYPE field as holding the encapsulated VLAN protocol. So the above
filter will only match those packets which have an encapsulated protocol
of 0x8100, rather than all packets with VLAN ID 200 and the given src_mac.
The reason why this is allowed to occur is because, although we have a
block of code in ocelot_flower_parse_key() which sets "match_protocol"
to false when VLAN keys are present, that code executes too late.
There is another block of code, which executes for Ethernet addresses,
and has a "goto finished_key_parsing" and skips the VLAN header parsing.
By skipping it, "match_protocol" remains with the value it was
initialized with, i.e. "true", and "proto" is set to f->common.protocol,
or 0x8100.
The concept of ignoring some keys rather than erroring out when they are
present but can't be offloaded is dubious in itself, but is present
since the initial commit fe3490e6107e ("net: mscc: ocelot: Hardware
ofload for tc flower filter"), and it's outside of the scope of this
patch to change that.
The problem was introduced when the driver started to interpret the
flower filter's protocol, and populate the VCAP filter's ETYPE field
based on it.
To fix this, it is sufficient to move the code that parses the VLAN keys
earlier than the "goto finished_key_parsing" instruction. This will
ensure that if we have a flower filter with both VLAN and Ethernet
address keys, it won't match on ETYPE 0x8100, because the VLAN key
parsing sets "match_protocol = false".
Fixes: 86b956de119c ("net: mscc: ocelot: support matching on EtherType")
Signed-off-by: Vladimir Oltean <[email protected]>
---
drivers/net/ethernet/mscc/ocelot_flower.c | 24 +++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/drivers/net/ethernet/mscc/ocelot_flower.c b/drivers/net/ethernet/mscc/ocelot_flower.c
index 7c0897e779dc..ee052404eb55 100644
--- a/drivers/net/ethernet/mscc/ocelot_flower.c
+++ b/drivers/net/ethernet/mscc/ocelot_flower.c
@@ -605,6 +605,18 @@ ocelot_flower_parse_key(struct ocelot *ocelot, int port, bool ingress,
flow_rule_match_control(rule, &match);
}
+ if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_VLAN)) {
+ struct flow_match_vlan match;
+
+ flow_rule_match_vlan(rule, &match);
+ filter->key_type = OCELOT_VCAP_KEY_ANY;
+ filter->vlan.vid.value = match.key->vlan_id;
+ filter->vlan.vid.mask = match.mask->vlan_id;
+ filter->vlan.pcp.value[0] = match.key->vlan_priority;
+ filter->vlan.pcp.mask[0] = match.mask->vlan_priority;
+ match_protocol = false;
+ }
+
if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ETH_ADDRS)) {
struct flow_match_eth_addrs match;
@@ -737,18 +749,6 @@ ocelot_flower_parse_key(struct ocelot *ocelot, int port, bool ingress,
match_protocol = false;
}
- if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_VLAN)) {
- struct flow_match_vlan match;
-
- flow_rule_match_vlan(rule, &match);
- filter->key_type = OCELOT_VCAP_KEY_ANY;
- filter->vlan.vid.value = match.key->vlan_id;
- filter->vlan.vid.mask = match.mask->vlan_id;
- filter->vlan.pcp.value[0] = match.key->vlan_priority;
- filter->vlan.pcp.mask[0] = match.mask->vlan_priority;
- match_protocol = false;
- }
-
finished_key_parsing:
if (match_protocol && proto != ETH_P_ALL) {
if (filter->block_id == VCAP_ES0) {
--
2.34.1
We have two IS1 filters of the OCELOT_VCAP_KEY_ANY key type (the one with
"action vlan pop" and the one with "action vlan modify") and one of the
OCELOT_VCAP_KEY_IPV4 key type (the one with "action skbedit priority").
But we have no IS1 filter with the OCELOT_VCAP_KEY_ETYPE key type, and
there was an uncaught breakage there.
To increase test coverage, convert one of the OCELOT_VCAP_KEY_ANY
filters to OCELOT_VCAP_KEY_ETYPE, by making the filter also match on the
MAC SA of the traffic sent by mausezahn, $h1_mac.
Signed-off-by: Vladimir Oltean <[email protected]>
---
tools/testing/selftests/drivers/net/ocelot/tc_flower_chains.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/drivers/net/ocelot/tc_flower_chains.sh b/tools/testing/selftests/drivers/net/ocelot/tc_flower_chains.sh
index 9c79bbcce5a8..aff0a59f92d9 100755
--- a/tools/testing/selftests/drivers/net/ocelot/tc_flower_chains.sh
+++ b/tools/testing/selftests/drivers/net/ocelot/tc_flower_chains.sh
@@ -246,7 +246,7 @@ test_vlan_ingress_modify()
bridge vlan add dev $swp2 vid 300
tc filter add dev $swp1 ingress chain $(IS1 2) pref 3 \
- protocol 802.1Q flower skip_sw vlan_id 200 \
+ protocol 802.1Q flower skip_sw vlan_id 200 src_mac $h1_mac \
action vlan modify id 300 \
action goto chain $(IS2 0 0)
--
2.34.1
On Sun, Feb 05, 2023 at 09:24:08PM +0200, Vladimir Oltean wrote:
> Alternative short title: don't instruct the hardware to match on
> EtherType with "protocol 802.1Q" flower filters. It doesn't work for the
> reasons detailed below.
>
> With a command such as the following:
>
> tc filter add dev $swp1 ingress chain $(IS1 2) pref 3 \
> protocol 802.1Q flower skip_sw vlan_id 200 src_mac $h1_mac \
> action vlan modify id 300 \
> action goto chain $(IS2 0 0)
>
> the created filter is set by ocelot_flower_parse_key() to be of type
> OCELOT_VCAP_KEY_ETYPE, and etype is set to {value=0x8100, mask=0xffff}.
> This gets propagated all the way to is1_entry_set() which commits it to
> hardware (the VCAP_IS1_HK_ETYPE field of the key). Compare this to the
> case where src_mac isn't specified - the key type is OCELOT_VCAP_KEY_ANY,
> and is1_entry_set() doesn't populate VCAP_IS1_HK_ETYPE.
>
> The problem is that for VLAN-tagged frames, the hardware interprets the
> ETYPE field as holding the encapsulated VLAN protocol. So the above
> filter will only match those packets which have an encapsulated protocol
> of 0x8100, rather than all packets with VLAN ID 200 and the given src_mac.
>
> The reason why this is allowed to occur is because, although we have a
> block of code in ocelot_flower_parse_key() which sets "match_protocol"
> to false when VLAN keys are present, that code executes too late.
> There is another block of code, which executes for Ethernet addresses,
> and has a "goto finished_key_parsing" and skips the VLAN header parsing.
> By skipping it, "match_protocol" remains with the value it was
> initialized with, i.e. "true", and "proto" is set to f->common.protocol,
> or 0x8100.
>
> The concept of ignoring some keys rather than erroring out when they are
> present but can't be offloaded is dubious in itself, but is present
> since the initial commit fe3490e6107e ("net: mscc: ocelot: Hardware
> ofload for tc flower filter"), and it's outside of the scope of this
> patch to change that.
>
> The problem was introduced when the driver started to interpret the
> flower filter's protocol, and populate the VCAP filter's ETYPE field
> based on it.
>
> To fix this, it is sufficient to move the code that parses the VLAN keys
> earlier than the "goto finished_key_parsing" instruction. This will
> ensure that if we have a flower filter with both VLAN and Ethernet
> address keys, it won't match on ETYPE 0x8100, because the VLAN key
> parsing sets "match_protocol = false".
>
> Fixes: 86b956de119c ("net: mscc: ocelot: support matching on EtherType")
> Signed-off-by: Vladimir Oltean <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
Hello:
This series was applied to netdev/net.git (master)
by Paolo Abeni <[email protected]>:
On Sun, 5 Feb 2023 21:24:08 +0200 you wrote:
> Alternative short title: don't instruct the hardware to match on
> EtherType with "protocol 802.1Q" flower filters. It doesn't work for the
> reasons detailed below.
>
> With a command such as the following:
>
> tc filter add dev $swp1 ingress chain $(IS1 2) pref 3 \
> protocol 802.1Q flower skip_sw vlan_id 200 src_mac $h1_mac \
> action vlan modify id 300 \
> action goto chain $(IS2 0 0)
>
> [...]
Here is the summary with links:
- [net,1/2] net: mscc: ocelot: fix VCAP filters not matching on MAC with "protocol 802.1Q"
https://git.kernel.org/netdev/net/c/f964f8399df2
- [net,2/2] selftests: ocelot: tc_flower_chains: make test_vlan_ingress_modify() more comprehensive
https://git.kernel.org/netdev/net/c/bbb253b206b9
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html