cls_flower: Fix the behavior using port ranges with hw-offload

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The recent commit 5c72299fba9d ("net: sched: cls_flower: Classify
packets using port ranges") had added filtering based on port ranges
to tc flower. However the commit missed necessary changes in hw-offload
code, so the feature gave rise to generating incorrect offloaded flow
keys in NIC.

One more detailed example is below:

$ tc qdisc add dev eth0 ingress
$ tc filter add dev eth0 ingress protocol ip flower ip_proto tcp \
dst_port 100-200 action drop

With the setup above, an exact match filter with dst_port == 0 will be
installed in NIC by hw-offload. IOW, the NIC will have a rule which is
equivalent to the following one.

$ tc qdisc add dev eth0 ingress
$ tc filter add dev eth0 ingress protocol ip flower ip_proto tcp \
dst_port 0 action drop

The behavior was caused by the flow dissector which extracts packet
data into the flow key in the tc flower. More specifically, regardless
of exact match or specified port ranges, fl_init_dissector() set the
FLOW_DISSECTOR_KEY_PORTS flag in struct flow_dissector to extract port
numbers from skb in skb_flow_dissect() called by fl_classify(). Note
that device drivers received the same struct flow_dissector object as
used in skb_flow_dissect(). Thus, offloaded drivers could not identify
which of these is used because the FLOW_DISSECTOR_KEY_PORTS flag was
set to struct flow_dissector in either case.

This patch adds the new FLOW_DISSECTOR_KEY_PORTS_RANGE flag and the new
tp_range field in struct fl_flow_key to recognize which filters are applied
to offloaded drivers. At this point, when filters based on port ranges
passed to drivers, drivers return the EOPNOTSUPP error because they do
not support the feature (the newly created FLOW_DISSECTOR_KEY_PORTS_RANGE
flag).

Fixes: 5c72299fba9d ("net: sched: cls_flower: Classify packets using port ranges")
Signed-off-by: Yoshiki Komachi <komachi.yoshiki@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Yoshiki Komachi and committed by

David S. Miller 6 years ago 8ffb055b 2f23cd42

+94 -60

3 changed files

expand all

include

net

flow_dissector.h

net

core

flow_dissector.c

sched

cls_flower.c

include/net/flow_dissector.h

··· 235 235 FLOW_DISSECTOR_KEY_IPV4_ADDRS, /* struct flow_dissector_key_ipv4_addrs */ 236 236 FLOW_DISSECTOR_KEY_IPV6_ADDRS, /* struct flow_dissector_key_ipv6_addrs */ 237 237 FLOW_DISSECTOR_KEY_PORTS, /* struct flow_dissector_key_ports */ 238 + FLOW_DISSECTOR_KEY_PORTS_RANGE, /* struct flow_dissector_key_ports */ 238 239 FLOW_DISSECTOR_KEY_ICMP, /* struct flow_dissector_key_icmp */ 239 240 FLOW_DISSECTOR_KEY_ETH_ADDRS, /* struct flow_dissector_key_eth_addrs */ 240 241 FLOW_DISSECTOR_KEY_TIPC, /* struct flow_dissector_key_tipc */

+28 -9

net/core/flow_dissector.c

··· 760 760 } 761 761 762 762 static void 763 + __skb_flow_dissect_ports(const struct sk_buff *skb, 764 + struct flow_dissector *flow_dissector, 765 + void *target_container, void *data, int nhoff, 766 + u8 ip_proto, int hlen) 767 + { 768 + enum flow_dissector_key_id dissector_ports = FLOW_DISSECTOR_KEY_MAX; 769 + struct flow_dissector_key_ports *key_ports; 770 + 771 + if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS)) 772 + dissector_ports = FLOW_DISSECTOR_KEY_PORTS; 773 + else if (dissector_uses_key(flow_dissector, 774 + FLOW_DISSECTOR_KEY_PORTS_RANGE)) 775 + dissector_ports = FLOW_DISSECTOR_KEY_PORTS_RANGE; 776 + 777 + if (dissector_ports == FLOW_DISSECTOR_KEY_MAX) 778 + return; 779 + 780 + key_ports = skb_flow_dissector_target(flow_dissector, 781 + dissector_ports, 782 + target_container); 783 + key_ports->ports = __skb_flow_get_ports(skb, nhoff, ip_proto, 784 + data, hlen); 785 + } 786 + 787 + static void 763 788 __skb_flow_dissect_ipv4(const struct sk_buff *skb, 764 789 struct flow_dissector *flow_dissector, 765 790 void *target_container, void *data, const struct iphdr *iph) ··· 953 928 struct flow_dissector_key_control *key_control; 954 929 struct flow_dissector_key_basic *key_basic; 955 930 struct flow_dissector_key_addrs *key_addrs; 956 - struct flow_dissector_key_ports *key_ports; 957 931 struct flow_dissector_key_tags *key_tags; 958 932 struct flow_dissector_key_vlan *key_vlan; 959 933 struct bpf_prog *attached = NULL; ··· 1407 1383 break; 1408 1384 } 1409 1385 1410 - if (dissector_uses_key(flow_dissector, FLOW_DISSECTOR_KEY_PORTS) && 1411 - !(key_control->flags & FLOW_DIS_IS_FRAGMENT)) { 1412 - key_ports = skb_flow_dissector_target(flow_dissector, 1413 - FLOW_DISSECTOR_KEY_PORTS, 1414 - target_container); 1415 - key_ports->ports = __skb_flow_get_ports(skb, nhoff, ip_proto, 1416 - data, hlen); 1417 - } 1386 + if (!(key_control->flags & FLOW_DIS_IS_FRAGMENT)) 1387 + __skb_flow_dissect_ports(skb, flow_dissector, target_container, 1388 + data, nhoff, ip_proto, hlen); 1418 1389 1419 1390 /* Process result of IP proto processing */ 1420 1391 switch (fdret) {

+65 -51

net/sched/cls_flower.c

··· 56 56 struct flow_dissector_key_ip ip; 57 57 struct flow_dissector_key_ip enc_ip; 58 58 struct flow_dissector_key_enc_opts enc_opts; 59 - struct flow_dissector_key_ports tp_min; 60 - struct flow_dissector_key_ports tp_max; 59 + union { 60 + struct flow_dissector_key_ports tp; 61 + struct { 62 + struct flow_dissector_key_ports tp_min; 63 + struct flow_dissector_key_ports tp_max; 64 + }; 65 + } tp_range; 61 66 struct flow_dissector_key_ct ct; 62 67 } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */ 63 68 ··· 205 200 { 206 201 __be16 min_mask, max_mask, min_val, max_val; 207 202 208 - min_mask = htons(filter->mask->key.tp_min.dst); 209 - max_mask = htons(filter->mask->key.tp_max.dst); 210 - min_val = htons(filter->key.tp_min.dst); 211 - max_val = htons(filter->key.tp_max.dst); 203 + min_mask = htons(filter->mask->key.tp_range.tp_min.dst); 204 + max_mask = htons(filter->mask->key.tp_range.tp_max.dst); 205 + min_val = htons(filter->key.tp_range.tp_min.dst); 206 + max_val = htons(filter->key.tp_range.tp_max.dst); 212 207 213 208 if (min_mask && max_mask) { 214 - if (htons(key->tp.dst) < min_val || 215 - htons(key->tp.dst) > max_val) 209 + if (htons(key->tp_range.tp.dst) < min_val || 210 + htons(key->tp_range.tp.dst) > max_val) 216 211 return false; 217 212 218 213 /* skb does not have min and max values */ 219 - mkey->tp_min.dst = filter->mkey.tp_min.dst; 220 - mkey->tp_max.dst = filter->mkey.tp_max.dst; 214 + mkey->tp_range.tp_min.dst = filter->mkey.tp_range.tp_min.dst; 215 + mkey->tp_range.tp_max.dst = filter->mkey.tp_range.tp_max.dst; 221 216 } 222 217 return true; 223 218 } ··· 228 223 { 229 224 __be16 min_mask, max_mask, min_val, max_val; 230 225 231 - min_mask = htons(filter->mask->key.tp_min.src); 232 - max_mask = htons(filter->mask->key.tp_max.src); 233 - min_val = htons(filter->key.tp_min.src); 234 - max_val = htons(filter->key.tp_max.src); 226 + min_mask = htons(filter->mask->key.tp_range.tp_min.src); 227 + max_mask = htons(filter->mask->key.tp_range.tp_max.src); 228 + min_val = htons(filter->key.tp_range.tp_min.src); 229 + max_val = htons(filter->key.tp_range.tp_max.src); 235 230 236 231 if (min_mask && max_mask) { 237 - if (htons(key->tp.src) < min_val || 238 - htons(key->tp.src) > max_val) 232 + if (htons(key->tp_range.tp.src) < min_val || 233 + htons(key->tp_range.tp.src) > max_val) 239 234 return false; 240 235 241 236 /* skb does not have min and max values */ 242 - mkey->tp_min.src = filter->mkey.tp_min.src; 243 - mkey->tp_max.src = filter->mkey.tp_max.src; 237 + mkey->tp_range.tp_min.src = filter->mkey.tp_range.tp_min.src; 238 + mkey->tp_range.tp_max.src = filter->mkey.tp_range.tp_max.src; 244 239 } 245 240 return true; 246 241 } ··· 739 734 static int fl_set_key_port_range(struct nlattr **tb, struct fl_flow_key *key, 740 735 struct fl_flow_key *mask) 741 736 { 742 - fl_set_key_val(tb, &key->tp_min.dst, 743 - TCA_FLOWER_KEY_PORT_DST_MIN, &mask->tp_min.dst, 744 - TCA_FLOWER_UNSPEC, sizeof(key->tp_min.dst)); 745 - fl_set_key_val(tb, &key->tp_max.dst, 746 - TCA_FLOWER_KEY_PORT_DST_MAX, &mask->tp_max.dst, 747 - TCA_FLOWER_UNSPEC, sizeof(key->tp_max.dst)); 748 - fl_set_key_val(tb, &key->tp_min.src, 749 - TCA_FLOWER_KEY_PORT_SRC_MIN, &mask->tp_min.src, 750 - TCA_FLOWER_UNSPEC, sizeof(key->tp_min.src)); 751 - fl_set_key_val(tb, &key->tp_max.src, 752 - TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_max.src, 753 - TCA_FLOWER_UNSPEC, sizeof(key->tp_max.src)); 737 + fl_set_key_val(tb, &key->tp_range.tp_min.dst, 738 + TCA_FLOWER_KEY_PORT_DST_MIN, &mask->tp_range.tp_min.dst, 739 + TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_min.dst)); 740 + fl_set_key_val(tb, &key->tp_range.tp_max.dst, 741 + TCA_FLOWER_KEY_PORT_DST_MAX, &mask->tp_range.tp_max.dst, 742 + TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.dst)); 743 + fl_set_key_val(tb, &key->tp_range.tp_min.src, 744 + TCA_FLOWER_KEY_PORT_SRC_MIN, &mask->tp_range.tp_min.src, 745 + TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_min.src)); 746 + fl_set_key_val(tb, &key->tp_range.tp_max.src, 747 + TCA_FLOWER_KEY_PORT_SRC_MAX, &mask->tp_range.tp_max.src, 748 + TCA_FLOWER_UNSPEC, sizeof(key->tp_range.tp_max.src)); 754 749 755 - if ((mask->tp_min.dst && mask->tp_max.dst && 756 - htons(key->tp_max.dst) <= htons(key->tp_min.dst)) || 757 - (mask->tp_min.src && mask->tp_max.src && 758 - htons(key->tp_max.src) <= htons(key->tp_min.src))) 750 + if ((mask->tp_range.tp_min.dst && mask->tp_range.tp_max.dst && 751 + htons(key->tp_range.tp_max.dst) <= 752 + htons(key->tp_range.tp_min.dst)) || 753 + (mask->tp_range.tp_min.src && mask->tp_range.tp_max.src && 754 + htons(key->tp_range.tp_max.src) <= 755 + htons(key->tp_range.tp_min.src))) 759 756 return -EINVAL; 760 757 761 758 return 0; ··· 1516 1509 FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4); 1517 1510 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1518 1511 FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6); 1519 - if (FL_KEY_IS_MASKED(mask, tp) || 1520 - FL_KEY_IS_MASKED(mask, tp_min) || FL_KEY_IS_MASKED(mask, tp_max)) 1521 - FL_KEY_SET(keys, cnt, FLOW_DISSECTOR_KEY_PORTS, tp); 1512 + FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1513 + FLOW_DISSECTOR_KEY_PORTS, tp); 1514 + FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1515 + FLOW_DISSECTOR_KEY_PORTS_RANGE, tp_range); 1522 1516 FL_KEY_SET_IF_MASKED(mask, keys, cnt, 1523 1517 FLOW_DISSECTOR_KEY_IP, ip); 1524 1518 FL_KEY_SET_IF_MASKED(mask, keys, cnt, ··· 1568 1560 1569 1561 fl_mask_copy(newmask, mask); 1570 1562 1571 - if ((newmask->key.tp_min.dst && newmask->key.tp_max.dst) || 1572 - (newmask->key.tp_min.src && newmask->key.tp_max.src)) 1563 + if ((newmask->key.tp_range.tp_min.dst && 1564 + newmask->key.tp_range.tp_max.dst) || 1565 + (newmask->key.tp_range.tp_min.src && 1566 + newmask->key.tp_range.tp_max.src)) 1573 1567 newmask->flags |= TCA_FLOWER_MASK_FLAGS_RANGE; 1574 1568 1575 1569 err = fl_init_mask_hashtable(newmask); ··· 2169 2159 static int fl_dump_key_port_range(struct sk_buff *skb, struct fl_flow_key *key, 2170 2160 struct fl_flow_key *mask) 2171 2161 { 2172 - if (fl_dump_key_val(skb, &key->tp_min.dst, TCA_FLOWER_KEY_PORT_DST_MIN, 2173 - &mask->tp_min.dst, TCA_FLOWER_UNSPEC, 2174 - sizeof(key->tp_min.dst)) || 2175 - fl_dump_key_val(skb, &key->tp_max.dst, TCA_FLOWER_KEY_PORT_DST_MAX, 2176 - &mask->tp_max.dst, TCA_FLOWER_UNSPEC, 2177 - sizeof(key->tp_max.dst)) || 2178 - fl_dump_key_val(skb, &key->tp_min.src, TCA_FLOWER_KEY_PORT_SRC_MIN, 2179 - &mask->tp_min.src, TCA_FLOWER_UNSPEC, 2180 - sizeof(key->tp_min.src)) || 2181 - fl_dump_key_val(skb, &key->tp_max.src, TCA_FLOWER_KEY_PORT_SRC_MAX, 2182 - &mask->tp_max.src, TCA_FLOWER_UNSPEC, 2183 - sizeof(key->tp_max.src))) 2162 + if (fl_dump_key_val(skb, &key->tp_range.tp_min.dst, 2163 + TCA_FLOWER_KEY_PORT_DST_MIN, 2164 + &mask->tp_range.tp_min.dst, TCA_FLOWER_UNSPEC, 2165 + sizeof(key->tp_range.tp_min.dst)) || 2166 + fl_dump_key_val(skb, &key->tp_range.tp_max.dst, 2167 + TCA_FLOWER_KEY_PORT_DST_MAX, 2168 + &mask->tp_range.tp_max.dst, TCA_FLOWER_UNSPEC, 2169 + sizeof(key->tp_range.tp_max.dst)) || 2170 + fl_dump_key_val(skb, &key->tp_range.tp_min.src, 2171 + TCA_FLOWER_KEY_PORT_SRC_MIN, 2172 + &mask->tp_range.tp_min.src, TCA_FLOWER_UNSPEC, 2173 + sizeof(key->tp_range.tp_min.src)) || 2174 + fl_dump_key_val(skb, &key->tp_range.tp_max.src, 2175 + TCA_FLOWER_KEY_PORT_SRC_MAX, 2176 + &mask->tp_range.tp_max.src, TCA_FLOWER_UNSPEC, 2177 + sizeof(key->tp_range.tp_max.src))) 2184 2178 return -1; 2185 2179 2186 2180 return 0;