From patchwork Sat Jul 28 21:03:30 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Nishanth Devarajan X-Patchwork-Id: 950509 X-Patchwork-Delegate: dsahern@gmail.com Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: ozlabs.org; dkim=pass (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="aMA69Z8f"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 41dJGd6C6bz9ryl for ; Sun, 29 Jul 2018 07:03:53 +1000 (AEST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730985AbeG1Wbg (ORCPT ); Sat, 28 Jul 2018 18:31:36 -0400 Received: from mail-pg1-f193.google.com ([209.85.215.193]:34133 "EHLO mail-pg1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730844AbeG1Wbg (ORCPT ); Sat, 28 Jul 2018 18:31:36 -0400 Received: by mail-pg1-f193.google.com with SMTP id y5-v6so5134389pgv.1 for ; Sat, 28 Jul 2018 14:03:48 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=date:from:to:cc:subject:message-id:mime-version:content-disposition :user-agent; bh=11adu2UXutEBrlTTtaaxmFPgGobPFkcLxrJXQW74Bnk=; b=aMA69Z8fPv/MVZE3QgI6j0IASiGwSZHnVzVJE4oM9PGuiDFNafXZpGtIa8ndAlEugG I9+j60Onr35bgFqhUVwanJ+h/Y7GHBDfTdL2EQV0afTXJc3JUEahvOq4clw5mpy0/0GR W9DdqX1JYHXkFMnQQZ+iNnn+yjIbAKQNZ84daNmiy8vCR78d1kl1378PFRzHFvemyaof jcvCP7fJclE8wnkzSSn1Y1EiO4cuEZ4D+i23oPQpSIZklB2uDeJpZM9bwygjAB3q/Uza rGNvAFNXdWWF6BR2e20l6nu28y3P1tlHdC1TIoItspDxpS/iM6jAaMENhGjZuZNmXKbu +4Gg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:mime-version :content-disposition:user-agent; bh=11adu2UXutEBrlTTtaaxmFPgGobPFkcLxrJXQW74Bnk=; b=W7Tkvj3TP3lBlht8amyS4F6lpLF2pi59xrVprSrcV1e7MwjE/OiHwtbFJHZHARdSnU fuFACByVziB/cmnYuGeef8D7JvO5GlVXSEgqbNQMo3E2pbgfQYcNrrrM72RqO/s1Niq2 tPBpcXaVDgQV4Qc1DVsdyX7VJvEQRkhfEk7mD6RUdG2c1//aHCPmsV6TCc8p66NTsUvN SkfwNROMXv9mocFaAiP0ByB0qc5Yupy6Po6g3b8w+YMs15ZM6pSEiWwHz9BnFehcCZnf dwtlrnVQ6hcMkCOBBFXfQuou03XxhsiUsMDEFBx7tNpWi/KHV9oEpXJP4e4Szv2xre9s TIew== X-Gm-Message-State: AOUpUlGpZR4gV/6+0Jo7YmTPFncMLRVc0AuwXPXnLWSFPO1YdbSwRYII lpmPMbJZq/klt9+uWAtLIE0hQDgG X-Google-Smtp-Source: AAOMgpeIiUxKrPDVixafhQzBJ1tz5iH7QYWcFf2BTNhElTOgRnVq3aLbpEZ8v6stVFYPLLTGx2tvyA== X-Received: by 2002:a63:f616:: with SMTP id m22-v6mr10686750pgh.293.1532811828189; Sat, 28 Jul 2018 14:03:48 -0700 (PDT) Received: from gmail.com ([117.193.149.141]) by smtp.gmail.com with ESMTPSA id l84-v6sm12511521pfg.3.2018.07.28.14.03.45 (version=TLS1_2 cipher=AES128-SHA bits=128/128); Sat, 28 Jul 2018 14:03:47 -0700 (PDT) Date: Sun, 29 Jul 2018 02:33:30 +0530 From: Nishanth Devarajan To: netdev@vger.kernel.org Cc: doucette@bu.edu, michel@digirati.com.br Subject: [PATCH iproute2-next] Add tc(8) userspace support for SKB Priority qdisc Message-ID: <20180728210324.GA4665@gmail.com> MIME-Version: 1.0 Content-Disposition: inline User-Agent: Mutt/1.5.21 (2010-09-15) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org sch_skbprio is a qdisc that prioritizes packets according to their skb->priority field. Under congestion, it drops already-enqueued lower priority packets to make space available for higher priority packets. Skbprio was conceived as a solution for denial-of-service defenses that need to route packets with different priorities as a means to overcome DoS attacks. Signed-off-by: Nishanth Devarajan Reviewed-by: Michel Machado --- include/uapi/linux/pkt_sched.h | 7 ++++ man/man8/tc-skbprio.8 | 70 ++++++++++++++++++++++++++++++++++++ tc/Makefile | 1 + tc/q_skbprio.c | 81 ++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 159 insertions(+) create mode 100644 man/man8/tc-skbprio.8 create mode 100644 tc/q_skbprio.c diff --git a/include/uapi/linux/pkt_sched.h b/include/uapi/linux/pkt_sched.h index 37b5096..81af99e 100644 --- a/include/uapi/linux/pkt_sched.h +++ b/include/uapi/linux/pkt_sched.h @@ -124,6 +124,12 @@ struct tc_fifo_qopt { __u32 limit; /* Queue length: bytes for bfifo, packets for pfifo */ }; +/* SKBPRIO section */ + +struct tc_skbprio_qopt { + __u32 limit; /* Queue length in packets. */ +}; + /* PRIO section */ #define TCQ_PRIO_BANDS 16 @@ -256,6 +262,7 @@ struct tc_red_qopt { #define TC_RED_ECN 1 #define TC_RED_HARDDROP 2 #define TC_RED_ADAPTATIVE 4 +#define TC_RED_OFFLOADED 8 }; struct tc_red_xstats { diff --git a/man/man8/tc-skbprio.8 b/man/man8/tc-skbprio.8 new file mode 100644 index 0000000..ae4f9e1 --- /dev/null +++ b/man/man8/tc-skbprio.8 @@ -0,0 +1,70 @@ +.TH SKBPRIO 8 "27 July 2018" "iproute2" "Linux" +.SH NAME +skbprio \- SKB Priority Queue + +.SH SYNOPSIS +.B tc qdisc ... add skbprio +.B [ limit +packets +.B ] + +.SH DESCRIPTION +SKB Priority Queue is a queueing discipline intended to prioritize +the most important packets during a denial-of-service ( +.B DoS +) attack. The priority of a packet is given by +.B skb->priority +, where a higher value places the packet closer to the exit of the queue. When +the queue is full, the lowest priority packet in the queue is dropped to make +room for the packet to be added if it has higher priority. If the packet to be +added has lower priority than all packets in the queue, it is dropped. + +Without SKB priority queue, queue length limits must be imposed +on individual sub-queues, and there is no straightforward way to enforce +a global queue length limit across all priorities. SKBprio queue enforces a +global queue length limit while not restricting the lengths of individual +sub-queues. + +While SKB Priority Queue is agnostic to how +.B skb->priority +is assigned. A typical use case is to copy +the 6-bit DS field of IPv4 and IPv6 packets using +.BR tc-skbedit (8) +. If +.B skb->priority +is greater or equal to 64, the priority is assumed to be 63. +Priorities less than 64 are taken at face value. + +SKB Priority Queue enables routers to locally decide which +packets to drop under a DoS attack. +Priorities should be assigned to packets such that the higher the priority, +the more expected behavior a source shows. +So sources have an incentive to play by the rules. + +.SH ALGORITHM + +Skbprio maintains 64 lists (priorities go from 0 to 63). +When a packet is enqueued, it gets inserted at the +.B tail +of its priority list. When a packet needs to be sent out to the network, it is +taken from the head of the highest priority list. When the queue is full, +the packet at the tail of the lowest priority list is dropped to serve the +ingress packet - if it is of higher priority, otherwise the ingress packet is +dropped. This algorithm allocates as much bandwidth as possible to high +priority packets, while only servicing low priority packets when +there is enough bandwidth. + +.SH PARAMETERS +.TP +limit +Maximum queue size specified in packets. It defaults to 64. +The range for this parameter is [0, UINT32_MAX]. + +.SH SEE ALSO +.BR tc-prio (8), +.BR tc-skbedit (8) + +.SH AUTHORS +Nishanth Devarajan , Michel Machado + +This manpage maintained by Bert Hubert diff --git a/tc/Makefile b/tc/Makefile index dfd0026..7646105 100644 --- a/tc/Makefile +++ b/tc/Makefile @@ -71,6 +71,7 @@ TCMODULES += q_clsact.o TCMODULES += e_bpf.o TCMODULES += f_matchall.o TCMODULES += q_cbs.o +TCMODULES += q_skbprio.o TCSO := ifeq ($(TC_CONFIG_ATM),y) diff --git a/tc/q_skbprio.c b/tc/q_skbprio.c new file mode 100644 index 0000000..a2a5077 --- /dev/null +++ b/tc/q_skbprio.c @@ -0,0 +1,81 @@ +/* + * q_skbprio.c SKB PRIORITY QUEUE. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * Authors: Nishanth Devarajan, + * + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "utils.h" +#include "tc_util.h" + +static void explain(void) +{ + fprintf(stderr, "Usage: ... [ limit NUMBER ]\n"); +} + +static int skbprio_parse_opt(struct qdisc_util *qu, int argc, char **argv, + struct nlmsghdr *n, const char *dev) +{ + int ok = 0; + struct tc_skbprio_qopt opt = {}; + + while (argc > 0) { + if (strcmp(*argv, "limit") == 0) { + NEXT_ARG(); + if (get_size(&opt.limit, *argv)) { + fprintf(stderr, "%s: Illegal value for \"limit\": \"%s\"\n", qu->id, *argv); + return -1; + } + ok++; + } + else if (strcmp(*argv, "help") == 0) { + explain(); + return -1; + } else { + fprintf(stderr, "%s: unknown parameter \"%s\"\n", qu->id, *argv); + explain(); + return -1; + } + argc--; argv++; + } + + if (ok) + addattr_l(n, 1024, TCA_OPTIONS, &opt, sizeof(opt)); + return 0; +} + +static int skbprio_print_opt(struct qdisc_util *qu, FILE *f, struct rtattr *opt) +{ + struct tc_skbprio_qopt *qopt; + + if (opt == NULL) + return 0; + + if (RTA_PAYLOAD(opt) < sizeof(*qopt)) + return -1; + qopt = RTA_DATA(opt); + fprintf(f, "limit %u ", qopt->limit); + return 0; +} + + +struct qdisc_util skbprio_qdisc_util = { + .id = "skbprio", + .parse_qopt = skbprio_parse_opt, + .print_qopt = skbprio_print_opt, +};