
Merge branch 'net-flower-validate-encapsulation-control-flags'

Asbjørn Sloth Tønnesen says:

====================
net: flower: validate encapsulation control flags

Now that all drivers properly reject unsupported flower control flags
used with FLOW_DISSECTOR_KEY_CONTROL, the time has come to add similar
checks to the drivers supporting FLOW_DISSECTOR_KEY_ENC_CONTROL.

There are currently just 4 drivers supporting this key, and
3 of those currently doesn't validate encapsulated control flags.

Encapsulation control flags may currently be unused, but they should
still be validated by the drivers, so that drivers will properly
reject any new flags when they are introduced.

This series adds some helper functions, and implements them in all
4 drivers.

NB: It is currently discussed[1] to use encapsulation control flags
for tunnel flags instead of the new FLOW_DISSECTOR_KEY_ENC_FLAGS.

[1] https://lore.kernel.org/netdev/ZmFuxElwZiYJzBkh@dcaratti.users.ipa.redhat.com/
====================

Link: https://lore.kernel.org/r/20240609173358.193178-1-ast@fiberby.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+50 -4
+4
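--- a/drivers/net/ethernet/intel/ice/ice_tc_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_tc_lib.c
@@ -1353,6 +1353,7 @@
 struct ice_tc_flower_fltr *fltr)
 {
 struct ice_tc_flower_lyr_2_4_hdrs *headers = &fltr->outer_headers;
+struct netlink_ext_ack *extack = fltr->extack;
 struct flow_match_control enc_control;
 
 fltr->tunnel_type = ice_tc_tun_get_type(dev);
@@ -1372,6 +1373,9 @@
 }
 
 flow_rule_match_enc_control(rule, &enc_control);
+
+if (flow_rule_has_enc_control_flags(enc_control.mask->flags, extack))
+return -EOPNOTSUPP;
 
 if (enc_control.key->addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS) {
 struct flow_match_ipv4_addrs match;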
+6
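--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun.c
@@ -850,6 +850,12 @@
 flow_rule_match_enc_control(rule, &match);
 addr_type = match.key->addr_type;
 
+if (flow_rule_has_enc_control_flags(match.mask->flags,
+extack)) {
+err = -EOPNOTSUPP;
+goto out;
+}
+
 /* For tunnel addr_type used same key id`s as for non-tunnel */
 if (addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS) {
 struct flow_match_ipv4_addrs match;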
+4
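--- a/drivers/net/ethernet/netronome/nfp/flower/offload.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
@@ -321,6 +321,10 @@
 
 flow_rule_match_enc_control(rule, &enc_ctl);
 
+if (flow_rule_has_enc_control_flags(enc_ctl.mask->flags,
+extack))
+return -EOPNOTSUPP;
+
 if (enc_ctl.mask->addr_type != 0xffff) {
 NL_SET_ERR_MSG_MOD(extack, "unsupported offload: wildcarded protocols on tunnels are not supported");
 return -EOPNOTSUPP;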
+1 -4
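--- a/drivers/net/ethernet/sfc/tc.c
+++ b/drivers/net/ethernet/sfc/tc.c
@@ -387,11 +387,8 @@
 struct flow_match_control fm;
 
 flow_rule_match_enc_control(rule, &fm);
-if (fm.mask->flags) {
-NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported match on enc_control.flags %#x",
-fm.mask->flags);
+if (flow_rule_has_enc_control_flags(fm.mask->flags, extack))
 return -EOPNOTSUPP;
-}
 if (!IS_ALL_ONES(fm.mask->addr_type)) {
 NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported enc addr_type mask %u (key %u)",
 fm.mask->addr_type,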
+35
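--- a/include/net/flow_offload.h
+++ b/include/net/flow_offload.h
@@ -472,6 +472,28 @@
 }
 
 /**
+* flow_rule_is_supp_enc_control_flags() - check for supported control flags
+* @supp_enc_flags: encapsulation control flags supported by driver
+* @enc_ctrl_flags: encapsulation control flags present in rule
+* @extack: The netlink extended ACK for reporting errors.
+*
+* Return: true if only supported control flags are set, false otherwise.
+*/
+static inline bool flow_rule_is_supp_enc_control_flags(const u32 supp_enc_flags,
+const u32 enc_ctrl_flags,
+struct netlink_ext_ack *extack)
+{
+if (likely((enc_ctrl_flags & ~supp_enc_flags) == 0))
+return true;
+
+NL_SET_ERR_MSG_FMT_MOD(extack,
+"Unsupported match on enc_control.flags %#x",
+enc_ctrl_flags);
+
+return false;
+}
+
+/**
 * flow_rule_has_control_flags() - check for presence of any control flags
 * @ctrl_flags: control flags present in rule
 * @extack: The netlink extended ACK for reporting errors.
@@ -482,6 +504,19 @@
 struct netlink_ext_ack *extack)
 {
 return !flow_rule_is_supp_control_flags(0, ctrl_flags, extack);
+}
+
+/**
+* flow_rule_has_enc_control_flags() - check for presence of any control flags
+* @enc_ctrl_flags: encapsulation control flags present in rule
+* @extack: The netlink extended ACK for reporting errors.
+*
+* Return: true if control flags are set, false otherwise.
+*/
+static inline bool flow_rule_has_enc_control_flags(const u32 enc_ctrl_flags,
+struct netlink_ext_ack *extack)
+{
+return !flow_rule_is_supp_enc_control_flags(0, enc_ctrl_flags, extack);
 }
 
 /**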
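Review bot: The extack message in flow_rule_is_supp_enc_control_flags() prints the whole `enc_ctrl_flags` mask rather than the bits that were rejected. Every caller in this series passes 0 as the supported set, so the two are the same today, but once a driver passes a non-zero `supp_enc_flags` the user can no longer tell which flag caused -EOPNOTSUPP; printing `enc_ctrl_flags & ~supp_enc_flags` would name the offending bits. The existing flow_rule_is_supp_control_flags() is not visible here, so if it reports the full mask as well, both should change together. The kernel-doc of both new helpers should also state that a failed check writes the error into `extack`, since drivers return straight after the call without setting their own message, and the summary line of flow_rule_has_enc_control_flags() should read `check for presence of any encapsulation control flags`.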