This series reworks the recently added TCA_FLOWER_KEY_ENC_FLAGS
attribute, to be more like TCA_FLOWER_KEY_FLAGS, and use
the unused u32 flags field in TCA_FLOWER_KEY_ENC_CONTROL,
instead of adding another u32 in FLOW_DISSECTOR_KEY_ENC_FLAGS.
I have defined the new FLOW_DIS_F_* and TCA_FLOWER_KEY_FLAGS_*
flags to coexists for now, so the meaning of the flags field
in struct flow_dissector_key_control is not depending on the
context that it is used in. If we run out of bits then we can
always make split them up later, if we really want to.
Davide and Ilya would this work for you?
Currently this series is only compile-tested.
Preliminary discussion about these changes:
https://lore.kernel.org/netdev/[email protected]/
---
If this series is put directly on top of:
668b6a2ef832 ("flow_dissector: add support for tunnel control
flags") and 1d17568e74de ("net/sched: cls_flower: add support
for matching tunnel control flags") as can be done by reverting
them, cherry-picking them, and then applying this series.
Then it gives this combined diffstat:
$ git diff --stat ...
include/net/flow_dissector.h | 17 ++++-
include/uapi/linux/pkt_cls.h | 8 ++
net/core/flow_dissector.c | 34 +++++---
net/sched/cls_flower.c | 103 ++++++++++++++++++++++----
4 files changed, 136 insertions(+), 26 deletions(-)
Normal shortlog and diffstat below:
Asbjørn Sloth Tønnesen (9):
net/sched: flower: define new tunnel flags
net/sched: cls_flower: prepare fl_{set,dump}_key_flags() for ENC_FLAGS
net/sched: cls_flower: add policy for TCA_FLOWER_KEY_FLAGS
flow_dissector: prepare for encapsulated control flags
flow_dissector: set encapsulated control flags from tun_flags
net/sched: cls_flower: add tunnel flags to fl_{set,dump}_key_flags()
net/sched: cls_flower: rework TCA_FLOWER_KEY_ENC_FLAGS usage
flow_dissector: cleanup FLOW_DISSECTOR_KEY_ENC_FLAGS
flow_dissector: set encapsulation control flags for non-IP
include/net/flow_dissector.h | 26 +++----
include/net/ip_tunnels.h | 12 ----
include/uapi/linux/pkt_cls.h | 5 ++
net/core/flow_dissector.c | 50 ++++++-------
net/sched/cls_flower.c | 135 ++++++++++++++++++++---------------
5 files changed, 123 insertions(+), 105 deletions(-)
--
2.45.1
Make sure to set encapsulated control flags also for non-IP
packets, such that it's possible to allow matching on e.g.
TUNNEL_OAM on a geneve packet carrying a non-IP packet.
Suggested-by: Davide Caratti <[email protected]>
Signed-off-by: Asbjørn Sloth Tønnesen <[email protected]>
---
net/core/flow_dissector.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c
index 5fac97dbbd606..41311c8b0b2a4 100644
--- a/net/core/flow_dissector.c
+++ b/net/core/flow_dissector.c
@@ -434,6 +434,10 @@ skb_flow_dissect_tunnel_info(const struct sk_buff *skb,
ipv6->dst = key->u.ipv6.dst;
}
break;
+ default:
+ skb_flow_dissect_set_enc_control(0, ctrl_flags, flow_dissector,
+ target_container);
+ break;
}
if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_ENC_KEYID)) {
--
2.45.1
This policy guards fl_set_key_flags() from seeing flags
not used in the context of TCA_FLOWER_KEY_FLAGS.
Signed-off-by: Asbjørn Sloth Tønnesen <[email protected]>
---
net/sched/cls_flower.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/sched/cls_flower.c b/net/sched/cls_flower.c
index 6a5cecfd95619..6a2afc31f038b 100644
--- a/net/sched/cls_flower.c
+++ b/net/sched/cls_flower.c
@@ -41,6 +41,10 @@
#define TCA_FLOWER_KEY_CT_FLAGS_MASK \
(TCA_FLOWER_KEY_CT_FLAGS_MAX - 1)
+#define TCA_FLOWER_KEY_FLAGS_POLICY_MASK \
+ (TCA_FLOWER_KEY_FLAGS_IS_FRAGMENT | \
+ TCA_FLOWER_KEY_FLAGS_FRAG_IS_FIRST)
+
#define TUNNEL_FLAGS_PRESENT (\
_BITUL(IP_TUNNEL_CSUM_BIT) | \
_BITUL(IP_TUNNEL_DONT_FRAGMENT_BIT) | \
@@ -676,8 +680,10 @@ static const struct nla_policy fl_policy[TCA_FLOWER_MAX + 1] = {
[TCA_FLOWER_KEY_ENC_UDP_SRC_PORT_MASK] = { .type = NLA_U16 },
[TCA_FLOWER_KEY_ENC_UDP_DST_PORT] = { .type = NLA_U16 },
[TCA_FLOWER_KEY_ENC_UDP_DST_PORT_MASK] = { .type = NLA_U16 },
- [TCA_FLOWER_KEY_FLAGS] = { .type = NLA_U32 },
- [TCA_FLOWER_KEY_FLAGS_MASK] = { .type = NLA_U32 },
+ [TCA_FLOWER_KEY_FLAGS] = NLA_POLICY_MASK(NLA_U32,
+ TCA_FLOWER_KEY_FLAGS_POLICY_MASK),
+ [TCA_FLOWER_KEY_FLAGS_MASK] = NLA_POLICY_MASK(NLA_U32,
+ TCA_FLOWER_KEY_FLAGS_POLICY_MASK),
[TCA_FLOWER_KEY_ICMPV4_TYPE] = { .type = NLA_U8 },
[TCA_FLOWER_KEY_ICMPV4_TYPE_MASK] = { .type = NLA_U8 },
[TCA_FLOWER_KEY_ICMPV4_CODE] = { .type = NLA_U8 },
--
2.45.1
hi Asbj?rn, thanks for the patch!
On Tue, Jun 11, 2024 at 11:53:33PM +0000, Asbj?rn Sloth T?nnesen wrote:
> This series reworks the recently added TCA_FLOWER_KEY_ENC_FLAGS
> attribute, to be more like TCA_FLOWER_KEY_FLAGS, and use
> the unused u32 flags field in TCA_FLOWER_KEY_ENC_CONTROL,
> instead of adding another u32 in FLOW_DISSECTOR_KEY_ENC_FLAGS.
>
> I have defined the new FLOW_DIS_F_* and TCA_FLOWER_KEY_FLAGS_*
> flags to coexists for now, so the meaning of the flags field
> in struct flow_dissector_key_control is not depending on the
> context that it is used in. If we run out of bits then we can
> always make split them up later, if we really want to.
>
> Davide and Ilya would this work for you?
If you are ok with this, I can adjust the iproute code I keep locally,
and the kselftest, re-test, and than report back to the series total
reviewed-by.
It's going a take some days though; and of course, those bit will be
upstreamed as well.
WDYT?
> Currently this series is only compile-tested.
>
thanks,
--
davide
Hi Davide,
On 6/12/24 3:06 PM, Davide Caratti wrote:
> On Tue, Jun 11, 2024 at 11:53:33PM +0000, Asbjørn Sloth Tønnesen wrote:
>> This series reworks the recently added TCA_FLOWER_KEY_ENC_FLAGS
>> attribute, to be more like TCA_FLOWER_KEY_FLAGS, and use
>> the unused u32 flags field in TCA_FLOWER_KEY_ENC_CONTROL,
>> instead of adding another u32 in FLOW_DISSECTOR_KEY_ENC_FLAGS.
s/TCA_FLOWER_KEY_ENC_CONTROL/FLOW_DISSECTOR_KEY_ENC_CONTROL/
>> I have defined the new FLOW_DIS_F_* and TCA_FLOWER_KEY_FLAGS_*
>> flags to coexists for now, so the meaning of the flags field
>> in struct flow_dissector_key_control is not depending on the
>> context that it is used in. If we run out of bits then we can
>> always make split them up later, if we really want to.
s/always make split/always split/
>> Davide and Ilya would this work for you?
>
> If you are ok with this, I can adjust the iproute code I keep locally,
> and the kselftest, re-test, and than report back to the series total
> reviewed-by.
> It's going a take some days though; and of course, those bit will be
> upstreamed as well.
>
> WDYT?
That would be great, there is still quite some time left before net-next
closes, I just wanted to get the ball rolling, with some code, so it is
easier to discuss the implementation details.
--
Best regards
Asbjørn Sloth Tønnesen
Network Engineer
Fiberby - AS42541