From patchwork Tue Jun 2 13:50:25 2020
X-Patchwork-Submitter: Tonghao Zhang
X-Patchwork-Id: 1302471
From: xiangxia.m.yue@gmail.com
To: dev@openvswitch.org
Date: Tue, 2 Jun 2020 21:50:25 +0800
Message-Id: <20200602135025.20704-5-xiangxia.m.yue@gmail.com>
In-Reply-To: <20200602135025.20704-1-xiangxia.m.yue@gmail.com>
References: <20200602135025.20704-1-xiangxia.m.yue@gmail.com>
Cc: simon.horman@netronome.com, i.maximets@ovn.org
Subject: [ovs-dev] [PATCH v2 4/4] netdev-offload-tc: Expand tunnel source IPs masked match

From: Tonghao Zhang

To support more use cases, for example, DDOS, in which packets should be
dropped in hardware, this patch allows users to match only the tunnel
source IPs with a masked value.

$ ovs-appctl dpctl/add-flow "tunnel(src=2.2.2.0/255.255.255.0,tp_dst=4789,ttl=64),\
  recirc_id(2),in_port(3),eth(),eth_type(0x0800),ipv4()" ""

$ ovs-appctl dpctl/dump-flows
  tunnel(src=2.2.2.0/255.255.255.0,ttl=64,tp_dst=4789) ... actions:drop

$ tc filter show dev vxlan_sys_4789 ingress
  ...
  eth_type ipv4
  enc_src_ip 2.2.2.0/24
  enc_dst_port 4789
  enc_ttl 64
  in_hw in_hw_count 2
    action order 1: gact action drop
  ...

Cc: Simon Horman
Cc: Paul Blakey
Cc: Roi Dayan
Cc: Ben Pfaff
Cc: William Tu
Cc: Ilya Maximets
Signed-off-by: Tonghao Zhang Acked-by: Roi Dayan --- lib/netdev-offload-tc.c | 9 ++++++--- lib/odp-util.c | 3 ++- lib/packets.h | 6 ++++++ 3 files changed, 14 insertions(+), 4 deletions(-) diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c index 8ba22312ec00..f7f9c231e3cf 100644 --- a/lib/netdev-offload-tc.c +++ b/lib/netdev-offload-tc.c @@ -633,14 +633,16 @@ parse_tc_flower_to_match(struct tc_flower *flower, match_set_tun_id(match, flower->key.tunnel.id); match->flow.tunnel.flags |= FLOW_TNL_F_KEY; } - if (flower->mask.tunnel.ipv4.ipv4_dst) { + if (flower->mask.tunnel.ipv4.ipv4_dst || + flower->mask.tunnel.ipv4.ipv4_src) { match_set_tun_dst_masked(match, flower->key.tunnel.ipv4.ipv4_dst, flower->mask.tunnel.ipv4.ipv4_dst); match_set_tun_src_masked(match, flower->key.tunnel.ipv4.ipv4_src, flower->mask.tunnel.ipv4.ipv4_src); - } else if (ipv6_addr_is_set(&flower->mask.tunnel.ipv6.ipv6_dst)) { + } else if (ipv6_addr_is_set(&flower->mask.tunnel.ipv6.ipv6_dst) || + ipv6_addr_is_set(&flower->mask.tunnel.ipv6.ipv6_src)) { match_set_tun_ipv6_dst_masked(match, &flower->key.tunnel.ipv6.ipv6_dst, &flower->mask.tunnel.ipv6.ipv6_dst); @@ -1400,7 +1402,8 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match, chain = key->recirc_id; mask->recirc_id = 0; - if (flow_tnl_dst_is_set(&key->tunnel)) { + if (flow_tnl_dst_is_set(&key->tunnel) || + flow_tnl_src_is_set(&key->tunnel)) { VLOG_DBG_RL(&rl, "tunnel: id %#" PRIx64 " src " IP_FMT " dst " IP_FMT " tp_src %d tp_dst %d", diff --git a/lib/odp-util.c b/lib/odp-util.c index b66d266cca1d..72601dc6ba2b 100644 --- a/lib/odp-util.c +++ b/lib/odp-util.c 
@@ -6125,7 +6125,8 @@ odp_flow_key_from_flow__(const struct odp_flow_key_parms *parms, nl_msg_put_u32(buf, OVS_KEY_ATTR_PRIORITY, data->skb_priority); - if (flow_tnl_dst_is_set(&flow->tunnel) || export_mask) { + if (flow_tnl_dst_is_set(&flow->tunnel) || + flow_tnl_src_is_set(&flow->tunnel) || export_mask) { tun_key_to_attr(buf, &data->tunnel, &parms->flow->tunnel, parms->key_buf, NULL); } diff --git a/lib/packets.h b/lib/packets.h index 447e6f6fafa5..395bc869eb00 100644 --- a/lib/packets.h +++ b/lib/packets.h @@ -52,6 +52,12 @@ flow_tnl_dst_is_set(const struct flow_tnl *tnl) return tnl->ip_dst || ipv6_addr_is_set(&tnl->ipv6_dst); } +static inline bool +flow_tnl_src_is_set(const struct flow_tnl *tnl) +{ + return tnl->ip_src || ipv6_addr_is_set(&tnl->ipv6_src); +} + struct in6_addr flow_tnl_dst(const struct flow_tnl *tnl); struct in6_addr flow_tnl_src(const struct flow_tnl *tnl);
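
Review bot: in parse_tc_flower_to_match() (lib/netdev-offload-tc.c, hunk at -633), a source-only match now enters the IPv4 branch and calls match_set_tun_dst_masked() with an all-zero destination mask, and the same holds for the IPv6 branch with ipv6_dst. Please confirm that the destination stays wildcarded in the resulting match instead of being recorded as an exact match on a zero address, or guard each setter with its own mask test. The if / else-if chain also means the address family is picked by whichever mask is non-zero first, which deserves a short comment.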
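
Review bot: in netdev_tc_flow_put() (lib/netdev-offload-tc.c, hunk at -1400), the added test is flow_tnl_src_is_set(&key->tunnel), which inspects the key and not the mask. The commit message is about masked source matches, and a masked source whose key bits are all zero would still skip this block, while a set key with an empty mask would enter it. Testing the mask's tunnel source and destination would state the intent directly; if the key test is deliberate, a one-line comment saying why would help.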
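
Review bot: the odp_flow_key_from_flow__() hunk in lib/odp-util.c changes when tun_key_to_attr() is emitted in a file that is not tc-specific, yet the subject is prefixed netdev-offload-tc and the commit message shows only tc output. Please describe this change in the commit message, or split it into its own patch, so that the effect on flow key serialization outside the offload path is reviewed on its own.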
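
Review bot: flow_tnl_src_is_set() in lib/packets.h is added without a comment, and the diffstat lists only three files under lib/, so nothing in this patch exercises a source-only tunnel match. A test covering the dpctl/add-flow example from the commit message, plus an IPv6 source-only case for the new ipv6_src condition, would pin the behaviour down, which matters for a rule whose stated purpose is dropping attack traffic in hardware.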