[net-next,2/5] sfc: handle enc keys in efx_tc_flower_parse_match()

Commit Message

edward.cree@amd.com March 14, 2023, 5:35 p.m. UTC

From: Edward Cree <ecree.xilinx@gmail.com>

Translate the fields from flow dissector into struct efx_tc_match.
In efx_tc_flower_replace(), reject filters that match on them, because
 only 'foreign' filters (i.e. those for which the ingress dev is not
 the sfc netdev or any of its representors, e.g. a tunnel netdev) can
 use them.

Signed-off-by: Edward Cree <ecree.xilinx@gmail.com>
---
 drivers/net/ethernet/sfc/tc.c | 65 +++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)

Comments

Michal Swiatkowski March 15, 2023, 9:01 a.m. UTC | #1

On Tue, Mar 14, 2023 at 05:35:22PM +0000, edward.cree@amd.com wrote:
> From: Edward Cree <ecree.xilinx@gmail.com>
> 
> Translate the fields from flow dissector into struct efx_tc_match.
> In efx_tc_flower_replace(), reject filters that match on them, because
>  only 'foreign' filters (i.e. those for which the ingress dev is not
>  the sfc netdev or any of its representors, e.g. a tunnel netdev) can
>  use them.
> 
> Signed-off-by: Edward Cree <ecree.xilinx@gmail.com>
> ---
>  drivers/net/ethernet/sfc/tc.c | 65 +++++++++++++++++++++++++++++++++++
>  1 file changed, 65 insertions(+)
> 
> diff --git a/drivers/net/ethernet/sfc/tc.c b/drivers/net/ethernet/sfc/tc.c
> index 2b07bb2fd735..d683665a8d87 100644
> --- a/drivers/net/ethernet/sfc/tc.c
> +++ b/drivers/net/ethernet/sfc/tc.c
> @@ -193,6 +193,11 @@ static int efx_tc_flower_parse_match(struct efx_nic *efx,
>  	      BIT(FLOW_DISSECTOR_KEY_IPV4_ADDRS) |
>  	      BIT(FLOW_DISSECTOR_KEY_IPV6_ADDRS) |
>  	      BIT(FLOW_DISSECTOR_KEY_PORTS) |
> +	      BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) |
> +	      BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) |
> +	      BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) |
> +	      BIT(FLOW_DISSECTOR_KEY_ENC_PORTS) |
> +	      BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) |
>  	      BIT(FLOW_DISSECTOR_KEY_TCP) |
>  	      BIT(FLOW_DISSECTOR_KEY_IP))) {
>  		NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported flower keys %#x",
> @@ -280,6 +285,61 @@ static int efx_tc_flower_parse_match(struct efx_nic *efx,
>  	MAP_KEY_AND_MASK(PORTS, ports, src, l4_sport);
>  	MAP_KEY_AND_MASK(PORTS, ports, dst, l4_dport);
>  	MAP_KEY_AND_MASK(TCP, tcp, flags, tcp_flags);
> +	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_CONTROL)) {
> +		struct flow_match_control fm;
> +
> +		flow_rule_match_enc_control(rule, &fm);
> +		if (fm.mask->flags) {
> +			NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported match on enc_control.flags %#x",
> +					       fm.mask->flags);
> +			return -EOPNOTSUPP;
> +		}
> +		if (!IS_ALL_ONES(fm.mask->addr_type)) {
> +			NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported enc addr_type mask %u (key %u)",
> +					       fm.mask->addr_type,
> +					       fm.key->addr_type);
> +			return -EOPNOTSUPP;
> +		}
> +		switch (fm.key->addr_type) {
> +		case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
> +			MAP_ENC_KEY_AND_MASK(IPV4_ADDRS, ipv4_addrs, enc_ipv4_addrs,
> +					     src, enc_src_ip);
> +			MAP_ENC_KEY_AND_MASK(IPV4_ADDRS, ipv4_addrs, enc_ipv4_addrs,
> +					     dst, enc_dst_ip);
> +			break;
> +#ifdef CONFIG_IPV6
> +		case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
> +			MAP_ENC_KEY_AND_MASK(IPV6_ADDRS, ipv6_addrs, enc_ipv6_addrs,
> +					     src, enc_src_ip6);
> +			MAP_ENC_KEY_AND_MASK(IPV6_ADDRS, ipv6_addrs, enc_ipv6_addrs,
> +					     dst, enc_dst_ip6);
> +			break;
> +#endif
> +		default:
> +			NL_SET_ERR_MSG_FMT_MOD(extack,
> +					       "Unsupported enc addr_type %u (supported are IPv4, IPv6)",
> +					       fm.key->addr_type);
> +			return -EOPNOTSUPP;
> +		}
> +#if !defined(EFX_USE_KCOMPAT) || defined(EFX_HAVE_FLOW_DISSECTOR_KEY_ENC_IP)
Are these defines already in kernel, or You want to add it to kconfig?
I can't find it in tree, aren't they some kind of OOT driver defines?

> +		MAP_ENC_KEY_AND_MASK(IP, ip, enc_ip, tos, enc_ip_tos);
> +		MAP_ENC_KEY_AND_MASK(IP, ip, enc_ip, ttl, enc_ip_ttl);
> +#endif
> +		MAP_ENC_KEY_AND_MASK(PORTS, ports, enc_ports, src, enc_sport);
> +		MAP_ENC_KEY_AND_MASK(PORTS, ports, enc_ports, dst, enc_dport);
> +		MAP_ENC_KEY_AND_MASK(KEYID, enc_keyid, enc_keyid, keyid, enc_keyid);
> +	} else if (dissector->used_keys &
> +		   (BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) |
> +		    BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) |
> +		    BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) |
> +#if !defined(EFX_USE_KCOMPAT) || defined(EFX_HAVE_FLOW_DISSECTOR_KEY_ENC_IP)
> +		    BIT(FLOW_DISSECTOR_KEY_ENC_IP) |
> +#endif
> +		    BIT(FLOW_DISSECTOR_KEY_ENC_PORTS))) {
> +		NL_SET_ERR_MSG_FMT_MOD(extack, "Flower enc keys require enc_control (keys: %#x)",
> +				       dissector->used_keys);
> +		return -EOPNOTSUPP;
> +	}
>  
>  	return 0;
>  }
> @@ -373,6 +433,11 @@ static int efx_tc_flower_replace(struct efx_nic *efx,
>  	rc = efx_tc_flower_parse_match(efx, fr, &match, extack);
>  	if (rc)
>  		return rc;
> +	if (efx_tc_match_is_encap(&match.mask)) {
> +		NL_SET_ERR_MSG_MOD(extack, "Ingress enc_key matches not supported");
> +		rc = -EOPNOTSUPP;
> +		goto release;
> +	}
>  
>  	if (tc->common.chain_index) {
>  		NL_SET_ERR_MSG_MOD(extack, "No support for nonzero chain_index");

Edward Cree March 15, 2023, 1:48 p.m. UTC | #2

On 15/03/2023 09:01, Michal Swiatkowski wrote:
> On Tue, Mar 14, 2023 at 05:35:22PM +0000, edward.cree@amd.com wrote:
>> +#if !defined(EFX_USE_KCOMPAT) || defined(EFX_HAVE_FLOW_DISSECTOR_KEY_ENC_IP)
> Are these defines already in kernel, or You want to add it to kconfig?
> I can't find it in tree, aren't they some kind of OOT driver defines?

Whoops, yes, that's from our OOT driver, it's part of the machinery we
 use to make it build on older kernels.
Embarrassing copy-paste error that slipped through internal review :(
Will remove all instances of this in v2.  Thanks for catching it!

Patch

diff --git a/drivers/net/ethernet/sfc/tc.c b/drivers/net/ethernet/sfc/tc.c
index 2b07bb2fd735..d683665a8d87 100644
--- a/drivers/net/ethernet/sfc/tc.c
+++ b/drivers/net/ethernet/sfc/tc.c
@@ -193,6 +193,11 @@  static int efx_tc_flower_parse_match(struct efx_nic *efx,
 	      BIT(FLOW_DISSECTOR_KEY_IPV4_ADDRS) |
 	      BIT(FLOW_DISSECTOR_KEY_IPV6_ADDRS) |
 	      BIT(FLOW_DISSECTOR_KEY_PORTS) |
+	      BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) |
+	      BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) |
+	      BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) |
+	      BIT(FLOW_DISSECTOR_KEY_ENC_PORTS) |
+	      BIT(FLOW_DISSECTOR_KEY_ENC_CONTROL) |
 	      BIT(FLOW_DISSECTOR_KEY_TCP) |
 	      BIT(FLOW_DISSECTOR_KEY_IP))) {
 		NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported flower keys %#x",
@@ -280,6 +285,61 @@  static int efx_tc_flower_parse_match(struct efx_nic *efx,
 	MAP_KEY_AND_MASK(PORTS, ports, src, l4_sport);
 	MAP_KEY_AND_MASK(PORTS, ports, dst, l4_dport);
 	MAP_KEY_AND_MASK(TCP, tcp, flags, tcp_flags);
+	if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ENC_CONTROL)) {
+		struct flow_match_control fm;
+
+		flow_rule_match_enc_control(rule, &fm);
+		if (fm.mask->flags) {
+			NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported match on enc_control.flags %#x",
+					       fm.mask->flags);
+			return -EOPNOTSUPP;
+		}
+		if (!IS_ALL_ONES(fm.mask->addr_type)) {
+			NL_SET_ERR_MSG_FMT_MOD(extack, "Unsupported enc addr_type mask %u (key %u)",
+					       fm.mask->addr_type,
+					       fm.key->addr_type);
+			return -EOPNOTSUPP;
+		}
+		switch (fm.key->addr_type) {
+		case FLOW_DISSECTOR_KEY_IPV4_ADDRS:
+			MAP_ENC_KEY_AND_MASK(IPV4_ADDRS, ipv4_addrs, enc_ipv4_addrs,
+					     src, enc_src_ip);
+			MAP_ENC_KEY_AND_MASK(IPV4_ADDRS, ipv4_addrs, enc_ipv4_addrs,
+					     dst, enc_dst_ip);
+			break;
+#ifdef CONFIG_IPV6
+		case FLOW_DISSECTOR_KEY_IPV6_ADDRS:
+			MAP_ENC_KEY_AND_MASK(IPV6_ADDRS, ipv6_addrs, enc_ipv6_addrs,
+					     src, enc_src_ip6);
+			MAP_ENC_KEY_AND_MASK(IPV6_ADDRS, ipv6_addrs, enc_ipv6_addrs,
+					     dst, enc_dst_ip6);
+			break;
+#endif
+		default:
+			NL_SET_ERR_MSG_FMT_MOD(extack,
+					       "Unsupported enc addr_type %u (supported are IPv4, IPv6)",
+					       fm.key->addr_type);
+			return -EOPNOTSUPP;
+		}
+#if !defined(EFX_USE_KCOMPAT) || defined(EFX_HAVE_FLOW_DISSECTOR_KEY_ENC_IP)
+		MAP_ENC_KEY_AND_MASK(IP, ip, enc_ip, tos, enc_ip_tos);
+		MAP_ENC_KEY_AND_MASK(IP, ip, enc_ip, ttl, enc_ip_ttl);
+#endif
+		MAP_ENC_KEY_AND_MASK(PORTS, ports, enc_ports, src, enc_sport);
+		MAP_ENC_KEY_AND_MASK(PORTS, ports, enc_ports, dst, enc_dport);
+		MAP_ENC_KEY_AND_MASK(KEYID, enc_keyid, enc_keyid, keyid, enc_keyid);
+	} else if (dissector->used_keys &
+		   (BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) |
+		    BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) |
+		    BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) |
+#if !defined(EFX_USE_KCOMPAT) || defined(EFX_HAVE_FLOW_DISSECTOR_KEY_ENC_IP)
+		    BIT(FLOW_DISSECTOR_KEY_ENC_IP) |
+#endif
+		    BIT(FLOW_DISSECTOR_KEY_ENC_PORTS))) {
+		NL_SET_ERR_MSG_FMT_MOD(extack, "Flower enc keys require enc_control (keys: %#x)",
+				       dissector->used_keys);
+		return -EOPNOTSUPP;
+	}
 
 	return 0;
 }
@@ -373,6 +433,11 @@  static int efx_tc_flower_replace(struct efx_nic *efx,
 	rc = efx_tc_flower_parse_match(efx, fr, &match, extack);
 	if (rc)
 		return rc;
+	if (efx_tc_match_is_encap(&match.mask)) {
+		NL_SET_ERR_MSG_MOD(extack, "Ingress enc_key matches not supported");
+		rc = -EOPNOTSUPP;
+		goto release;
+	}
 
 	if (tc->common.chain_index) {
 		NL_SET_ERR_MSG_MOD(extack, "No support for nonzero chain_index");