Re: [PATCH net-next 2/7] nfp: compile flower vxlan tunnel metadata match fields

2017-09-26 Thread John Hurley 
On Tue, Sep 26, 2017 at 4:33 PM, Or Gerlitz  wrote:
> On Tue, Sep 26, 2017 at 6:11 PM, John Hurley  
> wrote:
>> On Tue, Sep 26, 2017 at 3:12 PM, Or Gerlitz  wrote:
>>> On Tue, Sep 26, 2017 at 4:58 PM, John Hurley  
>>> wrote:
 On Mon, Sep 25, 2017 at 7:35 PM, Or Gerlitz  wrote:
> On Mon, Sep 25, 2017 at 1:23 PM, Simon Horman
>  wrote:
>> From: John Hurley 
>>
>> Compile ovs-tc flower vxlan metadata match fields for offloading. Only
>
> anything in the npf kernel bits has direct relation to ovs? what?
>

 Sorry, this is a typo  and should refer to TC.

>> +++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
>> @@ -52,8 +52,25 @@
>>  BIT(FLOW_DISSECTOR_KEY_PORTS) | \
>>  BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | \
>>  BIT(FLOW_DISSECTOR_KEY_VLAN) | \
>> +BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \
>> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \
>> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \
>
> this series takes care of IPv6 tunnels too?

 IPv6 is not included in this set.
 The reason the IPv6 bit is included here is to account for behavior we
 have noticed in TC flower.
 If, for example, I add a filter with the following match fields:
 'protocol ip flower enc_src_ip 10.0.0.1 enc_dst_ip 10.0.0.2
 enc_dst_port 4789 enc_key_id 123'
 The 'used_keys' value in the dissector marks both IPv4 and IPv6 encap
 addresses as 'used'.
 I am not sure if this is a bug in TC or that we are expected to check
 the enc_control fields to determine if IPv4 or v6 addresses are used.
>>>
>>> you should have your code to check enc_control->addr_type to be
>>> FLOW_DISSECTOR_KEY_IPV4_ADDRS or IPV6_ADDRS
>>>
>>>
 Including the IPv6 used_keys bit in our whitelist approach allows us
 to accept legitimate IPv4 tunnel rules in these situations.
>>>
>>> mmm can please take a look on fl_init_dissector() and tell me if you
>>> see why FLOW_DISSECTOR_KEY_IPV6_ADDRS is set for ipv4 tunnels,
>>> I am not sure.
>>
>>
>> The fl_init_dissector uses the FL_KEY_SET_IF_MASKED macro to set an
>> array of keys which are then translated to the used_keys values.
>> The FL_KEY_SET_IF_MASKED takes a 'struct fl_flow_key' as input and
>> checks if any mask bits are set in a particular field - if so it
>> eventually marks it as used.
>> In struct fl_flow_key, the encap ipv4 and ipv6 addresses are
>> represented as a union of the 2.
>> Therefore, if we have masked bits set for IPv4, they are also being
>> set for the IPv6 field.
>
> I see, do you consider it a bug?

The code seems to insist that, if either IPv4 or IPv6 is in use then a
control encap key is also used:

if (FL_KEY_IS_MASKED(>key, enc_ipv4) ||
   FL_KEY_IS_MASKED(>key, enc_ipv6))
FL_KEY_SET(keys, cnt, FLOW_DISSECTOR_KEY_ENC_CONTROL,
  enc_control);

Therefore, I think it should be ok to use this to determine the IP
type in use by the tunnel.

Re: [PATCH net-next 2/7] nfp: compile flower vxlan tunnel metadata match fields

2017-09-26 Thread Or Gerlitz 
On Tue, Sep 26, 2017 at 6:11 PM, John Hurley  wrote:
> On Tue, Sep 26, 2017 at 3:12 PM, Or Gerlitz  wrote:
>> On Tue, Sep 26, 2017 at 4:58 PM, John Hurley  
>> wrote:
>>> On Mon, Sep 25, 2017 at 7:35 PM, Or Gerlitz  wrote:
 On Mon, Sep 25, 2017 at 1:23 PM, Simon Horman
  wrote:
> From: John Hurley 
>
> Compile ovs-tc flower vxlan metadata match fields for offloading. Only

 anything in the npf kernel bits has direct relation to ovs? what?

>>>
>>> Sorry, this is a typo  and should refer to TC.
>>>
> +++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
> @@ -52,8 +52,25 @@
>  BIT(FLOW_DISSECTOR_KEY_PORTS) | \
>  BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | \
>  BIT(FLOW_DISSECTOR_KEY_VLAN) | \
> +BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \
> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \
> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \

 this series takes care of IPv6 tunnels too?
>>>
>>> IPv6 is not included in this set.
>>> The reason the IPv6 bit is included here is to account for behavior we
>>> have noticed in TC flower.
>>> If, for example, I add a filter with the following match fields:
>>> 'protocol ip flower enc_src_ip 10.0.0.1 enc_dst_ip 10.0.0.2
>>> enc_dst_port 4789 enc_key_id 123'
>>> The 'used_keys' value in the dissector marks both IPv4 and IPv6 encap
>>> addresses as 'used'.
>>> I am not sure if this is a bug in TC or that we are expected to check
>>> the enc_control fields to determine if IPv4 or v6 addresses are used.
>>
>> you should have your code to check enc_control->addr_type to be
>> FLOW_DISSECTOR_KEY_IPV4_ADDRS or IPV6_ADDRS
>>
>>
>>> Including the IPv6 used_keys bit in our whitelist approach allows us
>>> to accept legitimate IPv4 tunnel rules in these situations.
>>
>> mmm can please take a look on fl_init_dissector() and tell me if you
>> see why FLOW_DISSECTOR_KEY_IPV6_ADDRS is set for ipv4 tunnels,
>> I am not sure.
>
>
> The fl_init_dissector uses the FL_KEY_SET_IF_MASKED macro to set an
> array of keys which are then translated to the used_keys values.
> The FL_KEY_SET_IF_MASKED takes a 'struct fl_flow_key' as input and
> checks if any mask bits are set in a particular field - if so it
> eventually marks it as used.
> In struct fl_flow_key, the encap ipv4 and ipv6 addresses are
> represented as a union of the 2.
> Therefore, if we have masked bits set for IPv4, they are also being
> set for the IPv6 field.

I see, do you consider it a bug?

Re: [PATCH net-next 2/7] nfp: compile flower vxlan tunnel metadata match fields

2017-09-26 Thread John Hurley 
On Tue, Sep 26, 2017 at 3:12 PM, Or Gerlitz  wrote:
> On Tue, Sep 26, 2017 at 4:58 PM, John Hurley  
> wrote:
>> On Mon, Sep 25, 2017 at 7:35 PM, Or Gerlitz  wrote:
>>> On Mon, Sep 25, 2017 at 1:23 PM, Simon Horman
>>>  wrote:
 From: John Hurley 

 Compile ovs-tc flower vxlan metadata match fields for offloading. Only
>>>
>>> anything in the npf kernel bits has direct relation to ovs? what?
>>>
>>
>> Sorry, this is a typo  and should refer to TC.
>>
 +++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
 @@ -52,8 +52,25 @@
  BIT(FLOW_DISSECTOR_KEY_PORTS) | \
  BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | \
  BIT(FLOW_DISSECTOR_KEY_VLAN) | \
 +BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \
 +BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \
 +BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \
>>>
>>> this series takes care of IPv6 tunnels too?
>>
>> IPv6 is not included in this set.
>> The reason the IPv6 bit is included here is to account for behavior we
>> have noticed in TC flower.
>> If, for example, I add a filter with the following match fields:
>> 'protocol ip flower enc_src_ip 10.0.0.1 enc_dst_ip 10.0.0.2
>> enc_dst_port 4789 enc_key_id 123'
>> The 'used_keys' value in the dissector marks both IPv4 and IPv6 encap
>> addresses as 'used'.
>> I am not sure if this is a bug in TC or that we are expected to check
>> the enc_control fields to determine if IPv4 or v6 addresses are used.
>
> you should have your code to check enc_control->addr_type to be
> FLOW_DISSECTOR_KEY_IPV4_ADDRS or IPV6_ADDRS
>
>
>> Including the IPv6 used_keys bit in our whitelist approach allows us
>> to accept legitimate IPv4 tunnel rules in these situations.
>
> mmm can please take a look on fl_init_dissector() and tell me if you
> see why FLOW_DISSECTOR_KEY_IPV6_ADDRS is set for ipv4 tunnels,
> I am not sure.


The fl_init_dissector uses the FL_KEY_SET_IF_MASKED macro to set an
array of keys which are then translated to the used_keys values.
The FL_KEY_SET_IF_MASKED takes a 'struct fl_flow_key' as input and
checks if any mask bits are set in a particular field - if so it
eventually marks it as used.
In struct fl_flow_key, the encap ipv4 and ipv6 addresses are
represented as a union of the 2.
Therefore, if we have masked bits set for IPv4, they are also being
set for the IPv6 field.


>
>> If it is found to be IPv6 when the rule is parsed, it will be rejected here.

Re: [PATCH net-next 2/7] nfp: compile flower vxlan tunnel metadata match fields

2017-09-26 Thread Or Gerlitz 
On Tue, Sep 26, 2017 at 4:58 PM, John Hurley  wrote:
> On Mon, Sep 25, 2017 at 7:35 PM, Or Gerlitz  wrote:
>> On Mon, Sep 25, 2017 at 1:23 PM, Simon Horman
>>  wrote:
>>> From: John Hurley 
>>>
>>> Compile ovs-tc flower vxlan metadata match fields for offloading. Only
>>
>> anything in the npf kernel bits has direct relation to ovs? what?
>>
>
> Sorry, this is a typo  and should refer to TC.
>
>>> +++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
>>> @@ -52,8 +52,25 @@
>>>  BIT(FLOW_DISSECTOR_KEY_PORTS) | \
>>>  BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | \
>>>  BIT(FLOW_DISSECTOR_KEY_VLAN) | \
>>> +BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \
>>> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \
>>> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \
>>
>> this series takes care of IPv6 tunnels too?
>
> IPv6 is not included in this set.
> The reason the IPv6 bit is included here is to account for behavior we
> have noticed in TC flower.
> If, for example, I add a filter with the following match fields:
> 'protocol ip flower enc_src_ip 10.0.0.1 enc_dst_ip 10.0.0.2
> enc_dst_port 4789 enc_key_id 123'
> The 'used_keys' value in the dissector marks both IPv4 and IPv6 encap
> addresses as 'used'.
> I am not sure if this is a bug in TC or that we are expected to check
> the enc_control fields to determine if IPv4 or v6 addresses are used.

you should have your code to check enc_control->addr_type to be
FLOW_DISSECTOR_KEY_IPV4_ADDRS or IPV6_ADDRS


> Including the IPv6 used_keys bit in our whitelist approach allows us
> to accept legitimate IPv4 tunnel rules in these situations.

mmm can please take a look on fl_init_dissector() and tell me if you
see why FLOW_DISSECTOR_KEY_IPV6_ADDRS is set for ipv4 tunnels,
I am not sure.

> If it is found to be IPv6 when the rule is parsed, it will be rejected here.

Re: [PATCH net-next 2/7] nfp: compile flower vxlan tunnel metadata match fields

2017-09-26 Thread John Hurley 
On Mon, Sep 25, 2017 at 7:35 PM, Or Gerlitz  wrote:
> On Mon, Sep 25, 2017 at 1:23 PM, Simon Horman
>  wrote:
>> From: John Hurley 
>>
>> Compile ovs-tc flower vxlan metadata match fields for offloading. Only
>
> anything in the npf kernel bits has direct relation to ovs? what?
>

Sorry, this is a typo  and should refer to TC.

>> +++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
>> @@ -52,8 +52,25 @@
>>  BIT(FLOW_DISSECTOR_KEY_PORTS) | \
>>  BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | \
>>  BIT(FLOW_DISSECTOR_KEY_VLAN) | \
>> +BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \
>> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \
>> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \
>
> this series takes care of IPv6 tunnels too?

IPv6 is not included in this set.
The reason the IPv6 bit is included here is to account for behavior we
have noticed in TC flower.
If, for example, I add a filter with the following match fields:
'protocol ip flower enc_src_ip 10.0.0.1 enc_dst_ip 10.0.0.2
enc_dst_port 4789 enc_key_id 123'
The 'used_keys' value in the dissector marks both IPv4 and IPv6 encap
addresses as 'used'.
I am not sure if this is a bug in TC or that we are expected to check
the enc_control fields to determine if IPv4 or v6 addresses are used.
Including the IPv6 used_keys bit in our whitelist approach allows us
to accept legitimate IPv4 tunnel rules in these situations.
If it is found to be IPv6 when the rule is parsed, it will be rejected here.

Re: [PATCH net-next 2/7] nfp: compile flower vxlan tunnel metadata match fields

2017-09-25 Thread Or Gerlitz 
On Mon, Sep 25, 2017 at 1:23 PM, Simon Horman
 wrote:
> From: John Hurley 
>
> Compile ovs-tc flower vxlan metadata match fields for offloading. Only

anything in the npf kernel bits has direct relation to ovs? what?

> +++ b/drivers/net/ethernet/netronome/nfp/flower/offload.c
> @@ -52,8 +52,25 @@
>  BIT(FLOW_DISSECTOR_KEY_PORTS) | \
>  BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | \
>  BIT(FLOW_DISSECTOR_KEY_VLAN) | \
> +BIT(FLOW_DISSECTOR_KEY_ENC_KEYID) | \
> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS) | \
> +BIT(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS) | \

this series takes care of IPv6 tunnels too?

[PATCH net-next 2/7] nfp: compile flower vxlan tunnel metadata match fields

2017-09-25 Thread Simon Horman 
From: John Hurley 

Compile ovs-tc flower vxlan metadata match fields for offloading. Only
support offload of tunnel data when the VXLAN port specifically matches
well known port 4789.

Signed-off-by: John Hurley 
Signed-off-by: Simon Horman 
---
 drivers/net/ethernet/netronome/nfp/flower/cmsg.h   | 38 
 drivers/net/ethernet/netronome/nfp/flower/main.h   |  2 +
 drivers/net/ethernet/netronome/nfp/flower/match.c  | 60 +--
 .../net/ethernet/netronome/nfp/flower/offload.c| 70 +++---
 4 files changed, 158 insertions(+), 12 deletions(-)

diff --git a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h 
b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
index 7a5ccf0cc7c2..af9165b3b652 100644
--- a/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
+++ b/drivers/net/ethernet/netronome/nfp/flower/cmsg.h
@@ -83,6 +83,14 @@
 #define NFP_FL_PUSH_VLAN_CFI   BIT(12)
 #define NFP_FL_PUSH_VLAN_VID   GENMASK(11, 0)
 
+/* Tunnel ports */
+#define NFP_FL_PORT_TYPE_TUN   0x5000
+
+enum nfp_flower_tun_type {
+   NFP_FL_TUNNEL_NONE =0,
+   NFP_FL_TUNNEL_VXLAN =   2,
+};
+
 struct nfp_fl_output {
__be16 a_op;
__be16 flags;
@@ -230,6 +238,36 @@ struct nfp_flower_ipv6 {
struct in6_addr ipv6_dst;
 };
 
+/* Flow Frame VXLAN --> Tunnel details (4W/16B)
+ * -
+ *3   2   1
+ *  1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0 9 8 7 6 5 4 3 2 1 0
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | ipv4_addr_src |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | ipv4_addr_dst |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |   tun_flags   |   tos |   ttl |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * |   gpe_flags   |Reserved   | Next Protocol |
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ * | VNI   |   Reserved|
+ * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
+ */
+struct nfp_flower_vxlan {
+   __be32 ip_src;
+   __be32 ip_dst;
+   __be16 tun_flags;
+   u8 tos;
+   u8 ttl;
+   u8 gpe_flags;
+   u8 reserved[2];
+   u8 nxt_proto;
+   __be32 tun_id;
+};
+
+#define NFP_FL_TUN_VNI_OFFSET 8
+
 /* The base header for a control message packet.
  * Defines an 8-bit version, and an 8-bit type, padded
  * to a 32-bit word. Rest of the packet is type-specific.
diff --git a/drivers/net/ethernet/netronome/nfp/flower/main.h 
b/drivers/net/ethernet/netronome/nfp/flower/main.h
index c20dd00a1cae..cd695eabce02 100644
--- a/drivers/net/ethernet/netronome/nfp/flower/main.h
+++ b/drivers/net/ethernet/netronome/nfp/flower/main.h
@@ -58,6 +58,8 @@ struct nfp_app;
 #define NFP_FL_MASK_REUSE_TIME_NS  4
 #define NFP_FL_MASK_ID_LOCATION1
 
+#define NFP_FL_VXLAN_PORT  4789
+
 struct nfp_fl_mask_id {
struct circ_buf mask_id_free_list;
struct timespec64 *last_used;
diff --git a/drivers/net/ethernet/netronome/nfp/flower/match.c 
b/drivers/net/ethernet/netronome/nfp/flower/match.c
index d25b5038c3a2..1fd1bab0611f 100644
--- a/drivers/net/ethernet/netronome/nfp/flower/match.c
+++ b/drivers/net/ethernet/netronome/nfp/flower/match.c
@@ -77,14 +77,17 @@ nfp_flower_compile_meta(struct nfp_flower_meta_one *frame, 
u8 key_type)
 
 static int
 nfp_flower_compile_port(struct nfp_flower_in_port *frame, u32 cmsg_port,
-   bool mask_version)
+   bool mask_version, enum nfp_flower_tun_type tun_type)
 {
if (mask_version) {
frame->in_port = cpu_to_be32(~0);
return 0;
}
 
-   frame->in_port = cpu_to_be32(cmsg_port);
+   if (tun_type)
+   frame->in_port = cpu_to_be32(NFP_FL_PORT_TYPE_TUN | tun_type);
+   else
+   frame->in_port = cpu_to_be32(cmsg_port);
 
return 0;
 }
@@ -189,15 +192,53 @@ nfp_flower_compile_ipv6(struct nfp_flower_ipv6 *frame,
}
 }
 
+static void
+nfp_flower_compile_vxlan(struct nfp_flower_vxlan *frame,
+struct tc_cls_flower_offload *flow,
+bool mask_version)
+{
+   struct fl_flow_key *target = mask_version ? flow->mask : flow->key;
+   struct flow_dissector_key_ipv4_addrs *vxlan_ips;
+   struct flow_dissector_key_keyid *vni;
+
+   /* Wildcard TOS/TTL/GPE_FLAGS/NXT_PROTO for now. */
+   memset(frame, 0, sizeof(struct nfp_flower_vxlan));
+
+   if (dissector_uses_key(flow->dissector,
+  FLOW_DISSECTOR_KEY_ENC_KEYID)) {
+