Merge branch 'mlxsw-Offload-TC-action-pedit-munge-tcp-udp-sport-dport'

Ido Schimmel says:

====================
mlxsw: Offload TC action pedit munge tcp/udp sport/dport

Petr says:

On Spectrum-2 and Spectrum-3, it is possible to overwrite L4 port number of
a TCP or UDP packet in the ACL engine. That corresponds to the pedit munges
of tcp and udp sport resp. dport fields. Offload these munges on the
systems where they are supported.

The current offloading code assumes that all systems support the same set
of fields. This now changes, so in patch #1 first split handling of pedit
munges by chip type. The analysis of which packet field a given munge
describes is kept generic.

Patch #2 introduces the new flexible action fields. Patch #3 then adds the
new pedit fields, and dispatches on them on Spectrum>1.

Patch #4 adds a forwarding selftest for pedit dsfield, applicable to SW as
well as HW datapaths.
====================

Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2020-06-22 16:32:11 -07:00
commit 19430ede90
6 changed files with 335 additions and 7 deletions

View File

@ -1684,3 +1684,54 @@ int mlxsw_afa_block_append_mcrouter(struct mlxsw_afa_block *block,
return 0;
}
EXPORT_SYMBOL(mlxsw_afa_block_append_mcrouter);
/* L4 Port Action
* --------------
* The L4_PORT_ACTION is used for modifying the sport and dport fields of the packet, e.g. for NAT.
* If (the L4 is TCP) or if (the L4 is UDP and checksum field!=0) then the L4 checksum is updated.
*/
#define MLXSW_AFA_L4PORT_CODE 0x12
#define MLXSW_AFA_L4PORT_SIZE 1
enum mlxsw_afa_l4port_s_d {
/* configure src_l4_port */
MLXSW_AFA_L4PORT_S_D_SRC,
/* configure dst_l4_port */
MLXSW_AFA_L4PORT_S_D_DST,
};
/* afa_l4port_s_d
* Source or destination.
*/
MLXSW_ITEM32(afa, l4port, s_d, 0x00, 31, 1);
/* afa_l4port_l4_port
* Number of port to change to.
*/
MLXSW_ITEM32(afa, l4port, l4_port, 0x08, 0, 16);
static void mlxsw_afa_l4port_pack(char *payload, enum mlxsw_afa_l4port_s_d s_d, u16 l4_port)
{
mlxsw_afa_l4port_s_d_set(payload, s_d);
mlxsw_afa_l4port_l4_port_set(payload, l4_port);
}
int mlxsw_afa_block_append_l4port(struct mlxsw_afa_block *block, bool is_dport, u16 l4_port,
struct netlink_ext_ack *extack)
{
enum mlxsw_afa_l4port_s_d s_d = is_dport ? MLXSW_AFA_L4PORT_S_D_DST :
MLXSW_AFA_L4PORT_S_D_SRC;
char *act = mlxsw_afa_block_append_action(block,
MLXSW_AFA_L4PORT_CODE,
MLXSW_AFA_L4PORT_SIZE);
if (IS_ERR(act)) {
NL_SET_ERR_MSG_MOD(extack, "Cannot append L4_PORT action");
return PTR_ERR(act);
}
mlxsw_afa_l4port_pack(act, s_d, l4_port);
return 0;
}
EXPORT_SYMBOL(mlxsw_afa_block_append_l4port);

View File

@ -82,5 +82,7 @@ int mlxsw_afa_block_append_fid_set(struct mlxsw_afa_block *block, u16 fid,
int mlxsw_afa_block_append_mcrouter(struct mlxsw_afa_block *block,
u16 expected_irif, u16 min_mtu,
bool rmid_valid, u32 kvdl_index);
int mlxsw_afa_block_append_l4port(struct mlxsw_afa_block *block, bool is_dport, u16 l4_port,
struct netlink_ext_ack *extack);
#endif

View File

@ -4594,6 +4594,7 @@ static int mlxsw_sp1_init(struct mlxsw_core *mlxsw_core,
mlxsw_sp->afa_ops = &mlxsw_sp1_act_afa_ops;
mlxsw_sp->afk_ops = &mlxsw_sp1_afk_ops;
mlxsw_sp->mr_tcam_ops = &mlxsw_sp1_mr_tcam_ops;
mlxsw_sp->acl_rulei_ops = &mlxsw_sp1_acl_rulei_ops;
mlxsw_sp->acl_tcam_ops = &mlxsw_sp1_acl_tcam_ops;
mlxsw_sp->nve_ops_arr = mlxsw_sp1_nve_ops_arr;
mlxsw_sp->mac_mask = mlxsw_sp1_mac_mask;
@ -4621,6 +4622,7 @@ static int mlxsw_sp2_init(struct mlxsw_core *mlxsw_core,
mlxsw_sp->afa_ops = &mlxsw_sp2_act_afa_ops;
mlxsw_sp->afk_ops = &mlxsw_sp2_afk_ops;
mlxsw_sp->mr_tcam_ops = &mlxsw_sp2_mr_tcam_ops;
mlxsw_sp->acl_rulei_ops = &mlxsw_sp2_acl_rulei_ops;
mlxsw_sp->acl_tcam_ops = &mlxsw_sp2_acl_tcam_ops;
mlxsw_sp->nve_ops_arr = mlxsw_sp2_nve_ops_arr;
mlxsw_sp->mac_mask = mlxsw_sp2_mac_mask;
@ -4644,6 +4646,7 @@ static int mlxsw_sp3_init(struct mlxsw_core *mlxsw_core,
mlxsw_sp->afa_ops = &mlxsw_sp2_act_afa_ops;
mlxsw_sp->afk_ops = &mlxsw_sp2_afk_ops;
mlxsw_sp->mr_tcam_ops = &mlxsw_sp2_mr_tcam_ops;
mlxsw_sp->acl_rulei_ops = &mlxsw_sp2_acl_rulei_ops;
mlxsw_sp->acl_tcam_ops = &mlxsw_sp2_acl_tcam_ops;
mlxsw_sp->nve_ops_arr = mlxsw_sp2_nve_ops_arr;
mlxsw_sp->mac_mask = mlxsw_sp2_mac_mask;

View File

@ -120,6 +120,7 @@ struct mlxsw_sp_kvdl;
struct mlxsw_sp_nve;
struct mlxsw_sp_kvdl_ops;
struct mlxsw_sp_mr_tcam_ops;
struct mlxsw_sp_acl_rulei_ops;
struct mlxsw_sp_acl_tcam_ops;
struct mlxsw_sp_nve_ops;
struct mlxsw_sp_sb_vals;
@ -164,6 +165,7 @@ struct mlxsw_sp {
const struct mlxsw_afa_ops *afa_ops;
const struct mlxsw_afk_ops *afk_ops;
const struct mlxsw_sp_mr_tcam_ops *mr_tcam_ops;
const struct mlxsw_sp_acl_rulei_ops *acl_rulei_ops;
const struct mlxsw_sp_acl_tcam_ops *acl_tcam_ops;
const struct mlxsw_sp_nve_ops **nve_ops_arr;
const struct mlxsw_sp_rif_ops **rif_ops_arr;
@ -856,6 +858,17 @@ void mlxsw_sp_acl_fini(struct mlxsw_sp *mlxsw_sp);
u32 mlxsw_sp_acl_region_rehash_intrvl_get(struct mlxsw_sp *mlxsw_sp);
int mlxsw_sp_acl_region_rehash_intrvl_set(struct mlxsw_sp *mlxsw_sp, u32 val);
struct mlxsw_sp_acl_mangle_action;
struct mlxsw_sp_acl_rulei_ops {
int (*act_mangle_field)(struct mlxsw_sp *mlxsw_sp, struct mlxsw_sp_acl_rule_info *rulei,
struct mlxsw_sp_acl_mangle_action *mact, u32 val,
struct netlink_ext_ack *extack);
};
extern struct mlxsw_sp_acl_rulei_ops mlxsw_sp1_acl_rulei_ops;
extern struct mlxsw_sp_acl_rulei_ops mlxsw_sp2_acl_rulei_ops;
/* spectrum_acl_tcam.c */
struct mlxsw_sp_acl_tcam;
struct mlxsw_sp_acl_tcam_region;

View File

@ -508,6 +508,8 @@ enum mlxsw_sp_acl_mangle_field {
MLXSW_SP_ACL_MANGLE_FIELD_IP_DSFIELD,
MLXSW_SP_ACL_MANGLE_FIELD_IP_DSCP,
MLXSW_SP_ACL_MANGLE_FIELD_IP_ECN,
MLXSW_SP_ACL_MANGLE_FIELD_IP_SPORT,
MLXSW_SP_ACL_MANGLE_FIELD_IP_DPORT,
};
struct mlxsw_sp_acl_mangle_action {
@ -538,13 +540,26 @@ struct mlxsw_sp_acl_mangle_action {
MLXSW_SP_ACL_MANGLE_ACTION(FLOW_ACT_MANGLE_HDR_TYPE_IP6, \
_offset, _mask, _shift, _field)
#define MLXSW_SP_ACL_MANGLE_ACTION_TCP(_offset, _mask, _shift, _field) \
MLXSW_SP_ACL_MANGLE_ACTION(FLOW_ACT_MANGLE_HDR_TYPE_TCP, _offset, _mask, _shift, _field)
#define MLXSW_SP_ACL_MANGLE_ACTION_UDP(_offset, _mask, _shift, _field) \
MLXSW_SP_ACL_MANGLE_ACTION(FLOW_ACT_MANGLE_HDR_TYPE_UDP, _offset, _mask, _shift, _field)
static struct mlxsw_sp_acl_mangle_action mlxsw_sp_acl_mangle_actions[] = {
MLXSW_SP_ACL_MANGLE_ACTION_IP4(0, 0xff00ffff, 16, IP_DSFIELD),
MLXSW_SP_ACL_MANGLE_ACTION_IP4(0, 0xff03ffff, 18, IP_DSCP),
MLXSW_SP_ACL_MANGLE_ACTION_IP4(0, 0xfffcffff, 16, IP_ECN),
MLXSW_SP_ACL_MANGLE_ACTION_IP6(0, 0xf00fffff, 20, IP_DSFIELD),
MLXSW_SP_ACL_MANGLE_ACTION_IP6(0, 0xf03fffff, 22, IP_DSCP),
MLXSW_SP_ACL_MANGLE_ACTION_IP6(0, 0xffcfffff, 20, IP_ECN),
MLXSW_SP_ACL_MANGLE_ACTION_TCP(0, 0x0000ffff, 16, IP_SPORT),
MLXSW_SP_ACL_MANGLE_ACTION_TCP(0, 0xffff0000, 0, IP_DPORT),
MLXSW_SP_ACL_MANGLE_ACTION_UDP(0, 0x0000ffff, 16, IP_SPORT),
MLXSW_SP_ACL_MANGLE_ACTION_UDP(0, 0xffff0000, 0, IP_DPORT),
};
static int
@ -563,11 +578,48 @@ mlxsw_sp_acl_rulei_act_mangle_field(struct mlxsw_sp *mlxsw_sp,
case MLXSW_SP_ACL_MANGLE_FIELD_IP_ECN:
return mlxsw_afa_block_append_qos_ecn(rulei->act_block,
val, extack);
default:
return -EOPNOTSUPP;
}
}
static int mlxsw_sp1_acl_rulei_act_mangle_field(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_acl_rule_info *rulei,
struct mlxsw_sp_acl_mangle_action *mact,
u32 val, struct netlink_ext_ack *extack)
{
int err;
err = mlxsw_sp_acl_rulei_act_mangle_field(mlxsw_sp, rulei, mact, val, extack);
if (err != -EOPNOTSUPP)
return err;
NL_SET_ERR_MSG_MOD(extack, "Unsupported mangle field");
return err;
}
static int mlxsw_sp2_acl_rulei_act_mangle_field(struct mlxsw_sp *mlxsw_sp,
struct mlxsw_sp_acl_rule_info *rulei,
struct mlxsw_sp_acl_mangle_action *mact,
u32 val, struct netlink_ext_ack *extack)
{
int err;
err = mlxsw_sp_acl_rulei_act_mangle_field(mlxsw_sp, rulei, mact, val, extack);
if (err != -EOPNOTSUPP)
return err;
switch (mact->field) {
case MLXSW_SP_ACL_MANGLE_FIELD_IP_SPORT:
return mlxsw_afa_block_append_l4port(rulei->act_block, false, val, extack);
case MLXSW_SP_ACL_MANGLE_FIELD_IP_DPORT:
return mlxsw_afa_block_append_l4port(rulei->act_block, true, val, extack);
default:
break;
}
/* We shouldn't have gotten a match in the first place! */
WARN_ONCE(1, "Unhandled mangle field");
return -EINVAL;
NL_SET_ERR_MSG_MOD(extack, "Unsupported mangle field");
return err;
}
int mlxsw_sp_acl_rulei_act_mangle(struct mlxsw_sp *mlxsw_sp,
@ -576,6 +628,7 @@ int mlxsw_sp_acl_rulei_act_mangle(struct mlxsw_sp *mlxsw_sp,
u32 offset, u32 mask, u32 val,
struct netlink_ext_ack *extack)
{
const struct mlxsw_sp_acl_rulei_ops *acl_rulei_ops = mlxsw_sp->acl_rulei_ops;
struct mlxsw_sp_acl_mangle_action *mact;
size_t i;
@ -585,13 +638,13 @@ int mlxsw_sp_acl_rulei_act_mangle(struct mlxsw_sp *mlxsw_sp,
mact->offset == offset &&
mact->mask == mask) {
val >>= mact->shift;
return mlxsw_sp_acl_rulei_act_mangle_field(mlxsw_sp,
rulei, mact,
val, extack);
return acl_rulei_ops->act_mangle_field(mlxsw_sp,
rulei, mact,
val, extack);
}
}
NL_SET_ERR_MSG_MOD(extack, "Unsupported mangle field");
NL_SET_ERR_MSG_MOD(extack, "Unknown mangle field");
return -EINVAL;
}
@ -930,3 +983,11 @@ int mlxsw_sp_acl_region_rehash_intrvl_set(struct mlxsw_sp *mlxsw_sp, u32 val)
return mlxsw_sp_acl_tcam_vregion_rehash_intrvl_set(mlxsw_sp,
&acl->tcam, val);
}
struct mlxsw_sp_acl_rulei_ops mlxsw_sp1_acl_rulei_ops = {
.act_mangle_field = mlxsw_sp1_acl_rulei_act_mangle_field,
};
struct mlxsw_sp_acl_rulei_ops mlxsw_sp2_acl_rulei_ops = {
.act_mangle_field = mlxsw_sp2_acl_rulei_act_mangle_field,
};

View File

@ -0,0 +1,198 @@
#!/bin/bash
# SPDX-License-Identifier: GPL-2.0
# This test sends traffic from H1 to H2. Either on ingress of $swp1, or on egress of $swp2, the
# traffic is acted upon by a pedit action. An ingress filter installed on $h2 verifies that the
# packet looks like expected.
#
# +----------------------+ +----------------------+
# | H1 | | H2 |
# | + $h1 | | $h2 + |
# | | 192.0.2.1/28 | | 192.0.2.2/28 | |
# +----|-----------------+ +----------------|-----+
# | |
# +----|----------------------------------------------------------------|-----+
# | SW | | |
# | +-|----------------------------------------------------------------|-+ |
# | | + $swp1 BR $swp2 + | |
# | +--------------------------------------------------------------------+ |
# +---------------------------------------------------------------------------+
ALL_TESTS="
ping_ipv4
test_udp_sport
test_udp_dport
test_tcp_sport
test_tcp_dport
"
NUM_NETIFS=4
source lib.sh
source tc_common.sh
: ${HIT_TIMEOUT:=2000} # ms
h1_create()
{
simple_if_init $h1 192.0.2.1/28 2001:db8:1::1/64
}
h1_destroy()
{
simple_if_fini $h1 192.0.2.1/28 2001:db8:1::1/64
}
h2_create()
{
simple_if_init $h2 192.0.2.2/28 2001:db8:1::2/64
tc qdisc add dev $h2 clsact
}
h2_destroy()
{
tc qdisc del dev $h2 clsact
simple_if_fini $h2 192.0.2.2/28 2001:db8:1::2/64
}
switch_create()
{
ip link add name br1 up type bridge vlan_filtering 1
ip link set dev $swp1 master br1
ip link set dev $swp1 up
ip link set dev $swp2 master br1
ip link set dev $swp2 up
tc qdisc add dev $swp1 clsact
tc qdisc add dev $swp2 clsact
}
switch_destroy()
{
tc qdisc del dev $swp2 clsact
tc qdisc del dev $swp1 clsact
ip link set dev $swp2 nomaster
ip link set dev $swp1 nomaster
ip link del dev br1
}
setup_prepare()
{
h1=${NETIFS[p1]}
swp1=${NETIFS[p2]}
swp2=${NETIFS[p3]}
h2=${NETIFS[p4]}
h2mac=$(mac_get $h2)
vrf_prepare
h1_create
h2_create
switch_create
}
cleanup()
{
pre_cleanup
switch_destroy
h2_destroy
h1_destroy
vrf_cleanup
}
ping_ipv4()
{
ping_test $h1 192.0.2.2
}
ping_ipv6()
{
ping6_test $h1 2001:db8:1::2
}
do_test_pedit_l4port_one()
{
local pedit_locus=$1; shift
local pedit_prot=$1; shift
local pedit_action=$1; shift
local match_prot=$1; shift
local match_flower=$1; shift
local mz_flags=$1; shift
local saddr=$1; shift
local daddr=$1; shift
tc filter add $pedit_locus handle 101 pref 1 \
flower action pedit ex munge $pedit_action
tc filter add dev $h2 ingress handle 101 pref 1 prot $match_prot \
flower skip_hw $match_flower action pass
RET=0
$MZ $mz_flags $h1 -c 10 -d 20msec -p 100 \
-a own -b $h2mac -q -t $pedit_prot sp=54321,dp=12345
local pkts
pkts=$(busywait "$TC_HIT_TIMEOUT" until_counter_is ">= 10" \
tc_rule_handle_stats_get "dev $h2 ingress" 101)
check_err $? "Expected to get 10 packets, but got $pkts."
pkts=$(tc_rule_handle_stats_get "$pedit_locus" 101)
((pkts >= 10))
check_err $? "Expected to get 10 packets on pedit rule, but got $pkts."
log_test "$pedit_locus pedit $pedit_action"
tc filter del dev $h2 ingress pref 1
tc filter del $pedit_locus pref 1
}
do_test_pedit_l4port()
{
local locus=$1; shift
local prot=$1; shift
local pedit_port=$1; shift
local flower_port=$1; shift
local port
for port in 1 11111 65535; do
do_test_pedit_l4port_one "$locus" "$prot" \
"$prot $pedit_port set $port" \
ip "ip_proto $prot $flower_port $port" \
"-A 192.0.2.1 -B 192.0.2.2"
done
}
test_udp_sport()
{
do_test_pedit_l4port "dev $swp1 ingress" udp sport src_port
do_test_pedit_l4port "dev $swp2 egress" udp sport src_port
}
test_udp_dport()
{
do_test_pedit_l4port "dev $swp1 ingress" udp dport dst_port
do_test_pedit_l4port "dev $swp2 egress" udp dport dst_port
}
test_tcp_sport()
{
do_test_pedit_l4port "dev $swp1 ingress" tcp sport src_port
do_test_pedit_l4port "dev $swp2 egress" tcp sport src_port
}
test_tcp_dport()
{
do_test_pedit_l4port "dev $swp1 ingress" tcp dport dst_port
do_test_pedit_l4port "dev $swp2 egress" tcp dport dst_port
}
trap cleanup EXIT
setup_prepare
setup_wait
tests_run
exit $EXIT_STATUS