[PATCH iproute2/next 0/2] set/match the tos/ttl fields of TC based IP tunnels

[PATCH iproute2/next 0/2] set/match the tos/ttl fields of TC based IP tunnels

[Or Gerlitz]

Hi Dave,

This series comes to address the case to set (encap) and match (decap)
also the tos and ttl fields of TC based IP tunnels.

Example command lines in the change log of each patch.

The kernel bits are under review [1], sending this out in parallel.

Or.

[1] https://patchwork.ozlabs.org/cover/945216/

Or Gerlitz (2):
  tc/act_tunnel_key: Enable setup of tos and ttl
  tc/flower: Add match on encapsulating tos/ttl

 include/uapi/linux/pkt_cls.h              |    5 +++
 include/uapi/linux/tc_act/tc_tunnel_key.h |    2 +
 man/man8/tc-flower.8                      |   14 +++++++-
 man/man8/tc-tunnel_key.8                  |    8 ++++
 tc/f_flower.c                             |   27 +++++++++++++++
 tc/m_tunnel_key.c                         |   53 +++++++++++++++++++++++++++++
 6 files changed, 108 insertions(+), 1 deletions(-)

[PATCH iproute2/next 1/2] tc/act_tunnel_key: Enable setup of tos and ttl

[Or Gerlitz]

Allow to set tos and ttl for the tunnel.

For example, here's encap rule that sets tos to the tunnel:

tc filter add dev eth0_0 protocol ip parent ffff: prio 10 flower \
   src_mac e4:11:22:33:44:50 dst_mac e4:11:22:33:44:70 \
   action tunnel_key set src_ip 192.168.10.1 dst_ip 192.168.10.2 id 100 dst_port 4789 tos 0x30 \
   action mirred egress redirect dev vxlan_sys_4789

Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
---
 include/uapi/linux/tc_act/tc_tunnel_key.h |    2 +
 man/man8/tc-tunnel_key.8                  |    8 ++++
 tc/m_tunnel_key.c                         |   53 +++++++++++++++++++++++++++++
 3 files changed, 63 insertions(+), 0 deletions(-)

diff --git a/include/uapi/linux/tc_act/tc_tunnel_key.h b/include/uapi/linux/tc_act/tc_tunnel_key.h
index e284fec..be384d6 100644
--- a/include/uapi/linux/tc_act/tc_tunnel_key.h
+++ b/include/uapi/linux/tc_act/tc_tunnel_key.h
@@ -39,6 +39,8 @@ enum {
 	TCA_TUNNEL_KEY_ENC_OPTS,	/* Nested TCA_TUNNEL_KEY_ENC_OPTS_
 					 * attributes
 					 */
+	TCA_TUNNEL_KEY_ENC_TOS,		/* u8 */
+	TCA_TUNNEL_KEY_ENC_TTL,		/* u8 */
 	__TCA_TUNNEL_KEY_MAX,
 };
 
diff --git a/man/man8/tc-tunnel_key.8 b/man/man8/tc-tunnel_key.8
index 7d4b30e..1e09362 100644
--- a/man/man8/tc-tunnel_key.8
+++ b/man/man8/tc-tunnel_key.8
@@ -16,6 +16,8 @@ tunnel_key - Tunnel metadata manipulation
 .IR ADDRESS
 .BI id " KEY_ID"
 .BI dst_port " UDP_PORT"
+.BI tos " TOS"
+.BI ttl " TTL"
 .RB "[ " csum " | " nocsum " ]"
 
 .SH DESCRIPTION
@@ -89,6 +91,12 @@ is specified in the form CLASS:TYPE:DATA, where CLASS is represented as a
 variable length hexadecimal value. Additionally multiple options may be
 listed using a comma delimiter.
 .TP
+.B tos
+Outer header TOS
+.TP
+.B ttl
+Outer header TTL
+.TP
 .RB [ no ] csum
 Controlls outer UDP checksum. When set to
 .B csum
diff --git a/tc/m_tunnel_key.c b/tc/m_tunnel_key.c
index 5a0e3fc..e9e71e4 100644
--- a/tc/m_tunnel_key.c
+++ b/tc/m_tunnel_key.c
@@ -190,6 +190,22 @@ static int tunnel_key_parse_geneve_opts(char *str, struct nlmsghdr *n)
 	return 0;
 }
 
+static int tunnel_key_parse_tos_ttl(char *str, int type, struct nlmsghdr *n)
+{
+	int ret;
+	__u8 val;
+
+	ret = get_u8(&val, str, 10);
+	if (ret)
+		ret = get_u8(&val, str, 16);
+	if (ret)
+		return -1;
+
+	addattr8(n, MAX_MSG, type, val);
+
+	return 0;
+}
+
 static int parse_tunnel_key(struct action_util *a, int *argc_p, char ***argv_p,
 			    int tca_id, struct nlmsghdr *n)
 {
@@ -273,6 +289,22 @@ static int parse_tunnel_key(struct action_util *a, int *argc_p, char ***argv_p,
 				fprintf(stderr, "Illegal \"geneve_opts\"\n");
 				return -1;
 			}
+		} else if (matches(*argv, "tos") == 0) {
+			NEXT_ARG();
+			ret = tunnel_key_parse_tos_ttl(*argv,
+							TCA_TUNNEL_KEY_ENC_TOS, n);
+			if (ret < 0) {
+				fprintf(stderr, "Illegal \"tos\"\n");
+				return -1;
+			}
+		} else if (matches(*argv, "ttl") == 0) {
+			NEXT_ARG();
+			ret = tunnel_key_parse_tos_ttl(*argv,
+							TCA_TUNNEL_KEY_ENC_TTL, n);
+			if (ret < 0) {
+				fprintf(stderr, "Illegal \"ttl\"\n");
+				return -1;
+			}
 		} else if (matches(*argv, "csum") == 0) {
 			csum = 1;
 		} else if (matches(*argv, "nocsum") == 0) {
@@ -435,6 +467,23 @@ static void tunnel_key_print_key_opt(const char *name, struct rtattr *attr)
 					tb[TCA_TUNNEL_KEY_ENC_OPTS_GENEVE]);
 }
 
+static void tunnel_key_print_tos_ttl(FILE *f, char *name,
+				     struct rtattr *attr)
+{
+	if (!attr)
+		return;
+
+	if (matches(name, "tos") == 0 && rta_getattr_u8(attr) != 0) {
+		print_string(PRINT_FP, NULL, "%s", _SL_);
+		print_uint(PRINT_ANY, "tos", "\ttos 0x%x",
+			   rta_getattr_u8(attr));
+	} else if (matches(name, "ttl") == 0 && rta_getattr_u8(attr) != 0) {
+		print_string(PRINT_FP, NULL, "%s", _SL_);
+		print_uint(PRINT_ANY, "ttl", "\tttl %u",
+			   rta_getattr_u8(attr));
+	}
+}
+
 static int print_tunnel_key(struct action_util *au, FILE *f, struct rtattr *arg)
 {
 	struct rtattr *tb[TCA_TUNNEL_KEY_MAX + 1];
@@ -476,6 +525,10 @@ static int print_tunnel_key(struct action_util *au, FILE *f, struct rtattr *arg)
 					 tb[TCA_TUNNEL_KEY_ENC_OPTS]);
 		tunnel_key_print_flag(f, "nocsum", "csum",
 				      tb[TCA_TUNNEL_KEY_NO_CSUM]);
+		tunnel_key_print_tos_ttl(f, "tos",
+					  tb[TCA_TUNNEL_KEY_ENC_TOS]);
+		tunnel_key_print_tos_ttl(f, "ttl",
+					  tb[TCA_TUNNEL_KEY_ENC_TTL]);
 		break;
 	}
 	print_action_control(f, " ", parm->action, "");
-- 
1.7.1

[PATCH iproute2/next2/next 2/2] tc/flower: Add match on encapsulating tos/ttl

[Or Gerlitz]

Add matching on tos/ttl of the IP tunnel headers.

For example, here's decap rule that matches on the tunnel tos:

tc filter add dev vxlan_sys_4789 protocol ip parent ffff: prio 10 flower \
   enc_src_ip 192.168.10.2 enc_dst_ip 192.168.10.1 enc_key_id 100 enc_dst_port 4789 enc_tos 0x30 \
   src_mac e4:11:22:33:44:70 dst_mac e4:11:22:33:44:50  \
   action tunnel_key unset \
   action mirred egress redirect dev eth0_0

Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
---
 include/uapi/linux/pkt_cls.h |    5 +++++
 man/man8/tc-flower.8         |   14 +++++++++++++-
 tc/f_flower.c                |   27 +++++++++++++++++++++++++++
 3 files changed, 45 insertions(+), 1 deletions(-)

diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h
index c4262d9..b451225 100644
--- a/include/uapi/linux/pkt_cls.h
+++ b/include/uapi/linux/pkt_cls.h
@@ -473,6 +473,11 @@ enum {
 	TCA_FLOWER_KEY_CVLAN_PRIO,	/* u8   */
 	TCA_FLOWER_KEY_CVLAN_ETH_TYPE,	/* be16 */
 
+	TCA_FLOWER_KEY_ENC_IP_TOS,	/* u8 */
+	TCA_FLOWER_KEY_ENC_IP_TOS_MASK,	/* u8 */
+	TCA_FLOWER_KEY_ENC_IP_TTL,	/* u8 */
+	TCA_FLOWER_KEY_ENC_IP_TTL_MASK,	/* u8 */
+
 	__TCA_FLOWER_MAX,
 };
 
diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
index bfa66d8..305d7ef 100644
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@@ -76,6 +76,10 @@ flower \- flow based traffic control filter
 .IR ipv4_address " | " ipv6_address " } | "
 .B enc_dst_port
 .IR port_number " | "
+.B enc_tos
+.IR TOS " | "
+.B enc_ttl
+.IR TTL " | "
 .BR ip_flags
 .IR IP_FLAGS
 .SH DESCRIPTION
@@ -275,6 +279,10 @@ bits is assumed.
 .BI enc_src_ip " PREFIX"
 .TQ
 .BI enc_dst_port " NUMBER"
+.TQ
+.BI enc_tos " NUMBER"
+.TQ
+.BI enc_ttl " NUMBER"
 Match on IP tunnel metadata. Key id
 .I NUMBER
 is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
@@ -283,7 +291,11 @@ must be a valid IPv4 or IPv6 address optionally followed by a slash and the
 prefix length. If the prefix is missing, \fBtc\fR assumes a full-length
 host match.  Dst port
 .I NUMBER
-is a 16 bit UDP dst port.
+is a 16 bit UDP dst port. Tos
+.I NUMBER
+is an 8 bit tos (dscp+ecn) value, ttl
+.I NUMBER
+is an 8 bit time-to-live value.
 .TP
 .BI ip_flags " IP_FLAGS"
 .I IP_FLAGS
diff --git a/tc/f_flower.c b/tc/f_flower.c
index 40b4026..a4cf06a 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -77,6 +77,8 @@ static void explain(void)
 		"                       enc_dst_ip [ IPV4-ADDR | IPV6-ADDR ] |\n"
 		"                       enc_src_ip [ IPV4-ADDR | IPV6-ADDR ] |\n"
 		"                       enc_key_id [ KEY-ID ] |\n"
+		"                       enc_tos MASKED-IP_TOS |\n"
+		"                       enc_ttl MASKED-IP_TTL |\n"
 		"                       ip_flags IP-FLAGS | \n"
 		"                       enc_dst_port [ port_number ] }\n"
 		"       FILTERID := X:Y:Z\n"
@@ -1019,6 +1021,26 @@ static int flower_parse_opt(struct filter_util *qu, char *handle,
 				fprintf(stderr, "Illegal \"enc_dst_port\"\n");
 				return -1;
 			}
+		} else if (matches(*argv, "enc_tos") == 0) {
+			NEXT_ARG();
+			ret = flower_parse_ip_tos_ttl(*argv,
+						      TCA_FLOWER_KEY_ENC_IP_TOS,
+						      TCA_FLOWER_KEY_ENC_IP_TOS_MASK,
+						      n);
+			if (ret < 0) {
+				fprintf(stderr, "Illegal \"enc_tos\"\n");
+				return -1;
+			}
+		} else if (matches(*argv, "enc_ttl") == 0) {
+			NEXT_ARG();
+			ret = flower_parse_ip_tos_ttl(*argv,
+						      TCA_FLOWER_KEY_ENC_IP_TTL,
+						      TCA_FLOWER_KEY_ENC_IP_TTL_MASK,
+						      n);
+			if (ret < 0) {
+				fprintf(stderr, "Illegal \"enc_ttl\"\n");
+				return -1;
+			}
 		} else if (matches(*argv, "action") == 0) {
 			NEXT_ARG();
 			ret = parse_action(&argc, &argv, TCA_FLOWER_ACT, n);
@@ -1542,6 +1564,11 @@ static int flower_print_opt(struct filter_util *qu, FILE *f,
 
 	flower_print_port("enc_dst_port", tb[TCA_FLOWER_KEY_ENC_UDP_DST_PORT]);
 
+	flower_print_ip_attr("enc_tos", tb[TCA_FLOWER_KEY_ENC_IP_TOS],
+			    tb[TCA_FLOWER_KEY_ENC_IP_TOS_MASK]);
+	flower_print_ip_attr("enc_ttl", tb[TCA_FLOWER_KEY_ENC_IP_TTL],
+			    tb[TCA_FLOWER_KEY_ENC_IP_TTL_MASK]);
+
 	flower_print_matching_flags("ip_flags", FLOWER_IP_FLAGS,
 				    tb[TCA_FLOWER_KEY_FLAGS],
 				    tb[TCA_FLOWER_KEY_FLAGS_MASK]);
-- 
1.7.1

Re: [PATCH iproute2/next 1/2] tc/act_tunnel_key: Enable setup of tos and ttl

[Roman Mashak]

Or Gerlitz <ogerlitz@mellanox.com> writes:

> Allow to set tos and ttl for the tunnel.
>
> For example, here's encap rule that sets tos to the tunnel:
>
> tc filter add dev eth0_0 protocol ip parent ffff: prio 10 flower \
>    src_mac e4:11:22:33:44:50 dst_mac e4:11:22:33:44:70 \
>    action tunnel_key set src_ip 192.168.10.1 dst_ip 192.168.10.2 id 100 dst_port 4789 tos 0x30 \
>    action mirred egress redirect dev vxlan_sys_4789
>
> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
> Reviewed-by: Roi Dayan <roid@mellanox.com>
> Acked-by: Jiri Pirko <jiri@mellanox.com>

[...]

Or, could you also update tunnel_key actions for the new options in
$(kernel)/tools/testing/selftests/tc-testing/tc-tests/actions/tunnel_key.json
once the patches are accepted ?

Re: [PATCH iproute2/next 1/2] tc/act_tunnel_key: Enable setup of tos and ttl

[Or Gerlitz]

On Thu, Jul 19, 2018 at 2:48 PM, Roman Mashak <mrv@mojatatu.com> wrote:
> Or Gerlitz <ogerlitz@mellanox.com> writes:
>
>> Allow to set tos and ttl for the tunnel.
>>
>> For example, here's encap rule that sets tos to the tunnel:
>>
>> tc filter add dev eth0_0 protocol ip parent ffff: prio 10 flower \
>>    src_mac e4:11:22:33:44:50 dst_mac e4:11:22:33:44:70 \
>>    action tunnel_key set src_ip 192.168.10.1 dst_ip 192.168.10.2 id 100 dst_port 4789 tos 0x30 \
>>    action mirred egress redirect dev vxlan_sys_4789
>>
>> Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
>> Reviewed-by: Roi Dayan <roid@mellanox.com>
>> Acked-by: Jiri Pirko <jiri@mellanox.com>
>
> [...]
>
> Or, could you also update tunnel_key actions for the new options in
> $(kernel)/tools/testing/selftests/tc-testing/tc-tests/actions/tunnel_key.json
> once the patches are accepted ?

yes, I will do that

Re: [PATCH iproute2/next 0/2] set/match the tos/ttl fields of TC based IP tunnels

[David Ahern]

On 7/19/18 5:02 AM, Or Gerlitz wrote:
> Hi Dave,
> 
> This series comes to address the case to set (encap) and match (decap)
> also the tos and ttl fields of TC based IP tunnels.
> 
> Example command lines in the change log of each patch.
> 
> The kernel bits are under review [1], sending this out in parallel.
> 
> Or.
> 
> [1] https://patchwork.ozlabs.org/cover/945216/
> 
> Or Gerlitz (2):
>   tc/act_tunnel_key: Enable setup of tos and ttl
>   tc/flower: Add match on encapsulating tos/ttl
> 
>  include/uapi/linux/pkt_cls.h              |    5 +++
>  include/uapi/linux/tc_act/tc_tunnel_key.h |    2 +
>  man/man8/tc-flower.8                      |   14 +++++++-
>  man/man8/tc-tunnel_key.8                  |    8 ++++
>  tc/f_flower.c                             |   27 +++++++++++++++
>  tc/m_tunnel_key.c                         |   53 +++++++++++++++++++++++++++++
>  6 files changed, 108 insertions(+), 1 deletions(-)
> 

applied to iproute2-next. Thanks