[PATCH iproute2/net-next 0/7] tc: flower: Masked ICMP match and ND match

[PATCH iproute2/net-next 0/7] tc: flower: Masked ICMP match and ND match

[Simon Horman]

Hi,

this series have several related parts.

* tc: flower: Update documentation to indicate ARP takes IPv4 prefixes

  Enhance documentation for consistency with later documentation changes.

* tc: flower: use correct type when calling flower_icmp_attr_type

  Type correction to ICMP code; should not have runtime effect

* tc: flower: provide generic masked u8 parser helper
  tc: flower: provide generic masked u8 print helper

  Generic parsing and printing of masked u8 options

* tc: flower: support masked ICMP code and type match

  Support masking ICMP code and type matches.
  Unmasked matching is already supported by iproute2
  Masked matching is already supported by the kernel.

  This is used by the ND patches

* tc: flower: Add TCA_FLOWER_KEY_ND_*
  tc: flower: Support matching on ND

The last two patches are marked as RFC as they support functionality
submitted to but not yet not yet present in the kernel.


Simon Horman (7):
  tc: flower: Update documentation to indicate ARP takes IPv4 prefixes
  tc: flower: use correct type when calling flower_icmp_attr_type
  tc: flower: provide generic masked u8 parser helper
  tc: flower: provide generic masked u8 print helper
  tc: flower: support masked ICMP code and type match
  tc: flower: Add TCA_FLOWER_KEY_ND_*
  tc: flower: Support matching on ND

 include/linux/pkt_cls.h |   7 ++
 man/man8/tc-flower.8    |  58 +++++++++--
 tc/f_flower.c           | 260 +++++++++++++++++++++++++++++++++++++-----------
 3 files changed, 258 insertions(+), 67 deletions(-)

-- 
2.7.0.rc3.207.g0ac5344

[PATCH iproute2/net-next 1/7] tc: flower: Update documentation to indicate ARP takes IPv4 prefixes

[Simon Horman]

Unlike other PREFIXES documented in the usage for tc flower,
arp_sip and arp_tip take only IPV4 prefixes.

Signed-off-by: Simon Horman <simon.horman@netronome.com>
---
 man/man8/tc-flower.8 | 8 ++++----
 tc/f_flower.c        | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
index 2bdd2effd882..b1bef8b7637a 100644
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@@ -36,7 +36,7 @@ flower \- flow based traffic control filter
 .BR dst_port " | " src_port " } "
 .IR port_number " } | { "
 .BR arp_tip " | " arp_sip " } "
-.IR PREFIX " | "
+.IR IPV4_PREFIX " | "
 .BR arp_op " { " request " | " reply " | "
 .IR OP " } | { "
 .BR arp_tha " | " arp_sha " } "
@@ -139,11 +139,11 @@ Match on ICMP type or code. Only available for
 .BR ip_proto " values " icmp  " and " icmpv6
 which have to be specified in beforehand.
 .TP
-.BI arp_tip " PREFIX"
+.BI arp_tip " IPV4_PREFIX"
 .TQ
-.BI arp_sip " PREFIX"
+.BI arp_sip " IPV4_PREFIX"
 Match on ARP or RARP sender or target IP address.
-.I PREFIX
+.I IPV4_PREFIX
 must be a valid IPv4 address optionally followed by a slash and the prefix
 length. If the prefix is missing, \fBtc\fR assumes a full-length host
 match.
diff --git a/tc/f_flower.c b/tc/f_flower.c
index 403100c92af0..7cb2cd45a783 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -59,8 +59,8 @@ static void explain(void)
 		"                       src_port PORT-NUMBER |\n"
 		"                       type ICMP-TYPE |\n"
 		"                       code ICMP-CODE |\n"
-		"                       arp_tip PREFIX |\n"
-		"                       arp_sip PREFIX |\n"
+		"                       arp_tip IPV4-PREFIX |\n"
+		"                       arp_sip IPV4-PREFIX |\n"
 		"                       arp_op [ request | reply | OP ] |\n"
 		"                       arp_tha MASKED-LLADDR |\n"
 		"                       arp_sha MASKED-LLADDR |\n"
-- 
2.7.0.rc3.207.g0ac5344

[PATCH iproute2/net-next 2/7] tc: flower: use correct type when calling flower_icmp_attr_type

[Simon Horman]

Use enum flower_icmp_field rather than bool as type of third parameter
when calling flower_icmp_attr_type.

Fixes: eb3b5696f163 ("tc: flower: support matching on ICMP type and code")
Signed-off-by: Simon Horman <simon.horman@netronome.com>
--
This should not have a run-time affect assuming both false and,
FLOWER_ICMP_FIELD_TYPE, first value of enum flower_icmp_field rather,
are zero.
---
 tc/f_flower.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/tc/f_flower.c b/tc/f_flower.c
index 7cb2cd45a783..0f2251315975 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -1061,10 +1061,12 @@ static int flower_print_opt(struct filter_util *qu, FILE *f,
 	if (nl_type >= 0)
 		flower_print_port(f, "src_port", tb[nl_type]);
 
-	nl_type = flower_icmp_attr_type(eth_type, ip_proto, false);
+	nl_type = flower_icmp_attr_type(eth_type, ip_proto,
+					FLOWER_ICMP_FIELD_TYPE);
 	if (nl_type >= 0)
 		flower_print_icmp(f, "icmp_type", tb[nl_type]);
-	nl_type = flower_icmp_attr_type(eth_type, ip_proto, true);
+	nl_type = flower_icmp_attr_type(eth_type, ip_proto,
+					FLOWER_ICMP_FIELD_CODE);
 	if (nl_type >= 0)
 		flower_print_icmp(f, "icmp_code", tb[nl_type]);
 
-- 
2.7.0.rc3.207.g0ac5344

[PATCH iproute2/net-next 3/7] tc: flower: provide generic masked u8 parser helper

[Simon Horman]

Provide generic masked u8 paser helper and use it to parse arp operations.

Also consistently use __u8 rather than uint8_t, in keeping with the
pervasive style in the file.

Signed-off-by: Simon Horman <simon.horman@netronome.com>
---
 tc/f_flower.c | 55 ++++++++++++++++++++++++++++++++++++++++---------------
 1 file changed, 40 insertions(+), 15 deletions(-)

diff --git a/tc/f_flower.c b/tc/f_flower.c
index 0f2251315975..5554cc05118b 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -309,33 +309,30 @@ static int flower_parse_arp_ip_addr(char *str, __be16 eth_type,
 				      TCA_FLOWER_UNSPEC, TCA_FLOWER_UNSPEC, n);
 }
 
-static int flower_parse_arp_op(char *str, __be16 eth_type,
-			       int op_type, int mask_type,
-			       struct nlmsghdr *n)
+static int flower_parse_u8(char *str, int value_type, int mask_type,
+			   int (*value_from_name)(const char *str,
+						 __u8 *value),
+			   bool (*value_validate)(__u8 value),
+			   struct nlmsghdr *n)
 {
 	char *slash;
 	int ret, err = -1;
-	uint8_t value, mask;
+	__u8 value, mask;
 
 	slash = strchr(str, '/');
 	if (slash)
 		*slash = '\0';
 
-	if (!flower_eth_type_arp(eth_type))
-		goto err;
-
-	if (!strcmp(str, "request")) {
-		value = ARPOP_REQUEST;
-	} else if (!strcmp(str, "reply")) {
-		value = ARPOP_REPLY;
-	} else {
+	ret = value_from_name ? value_from_name(str, &value) : -1;
+	if (ret < 0) {
 		ret = get_u8(&value, str, 10);
 		if (ret)
 			goto err;
-		if (value && value != ARPOP_REQUEST && value != ARPOP_REPLY)
-			goto err;
 	}
 
+	if (value_validate && !value_validate(value))
+		goto err;
+
 	if (slash) {
 		ret = get_u8(&mask, slash + 1, 10);
 		if (ret)
@@ -345,7 +342,7 @@ static int flower_parse_arp_op(char *str, __be16 eth_type,
 		mask = UINT8_MAX;
 	}
 
-	addattr8(n, MAX_MSG, op_type, value);
+	addattr8(n, MAX_MSG, value_type, value);
 	addattr8(n, MAX_MSG, mask_type, mask);
 
 	err = 0;
@@ -355,6 +352,34 @@ err:
 	return err;
 }
 
+static int flower_arp_op_from_name(const char *name, __u8 *op)
+{
+	if (!strcmp(name, "request"))
+		*op = ARPOP_REQUEST;
+	else if (!strcmp(name, "reply"))
+		*op = ARPOP_REPLY;
+	else
+		return -1;
+
+	return 0;
+}
+
+static bool flow_arp_op_validate(__u8 op)
+{
+	return !op || op == ARPOP_REQUEST || op == ARPOP_REPLY;
+}
+
+static int flower_parse_arp_op(char *str, __be16 eth_type,
+			       int op_type, int mask_type,
+			       struct nlmsghdr *n)
+{
+	if (!flower_eth_type_arp(eth_type))
+		return -1;
+
+	return flower_parse_u8(str, op_type, mask_type, flower_arp_op_from_name,
+			       flow_arp_op_validate, n);
+}
+
 static int flower_icmp_attr_type(__be16 eth_type, __u8 ip_proto,
 				 enum flower_icmp_field field)
 {
-- 
2.7.0.rc3.207.g0ac5344

[PATCH iproute2/net-next 4/7] tc: flower: provide generic masked u8 print helper

[Simon Horman]

Provide generic masked u8 print helper and use it to print arp operations.

Also:
* Make name parameter of arp op print helper const.
* Consistently use __u8 rather than uint8_t, in keeping with the
  pervasive style in the file.

Signed-off-by: Simon Horman <simon.horman@netronome.com>
---
 tc/f_flower.c | 44 +++++++++++++++++++++++++++++++++-----------
 1 file changed, 33 insertions(+), 11 deletions(-)

diff --git a/tc/f_flower.c b/tc/f_flower.c
index 5554cc05118b..6a0bedcc4d5d 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -352,6 +352,18 @@ err:
 	return err;
 }
 
+static const char *flower_print_arp_op_to_name(__u8 op)
+{
+	switch (op) {
+	case ARPOP_REQUEST:
+		return "request";
+	case ARPOP_REPLY:
+		return "reply";
+	default:
+		return NULL;
+	}
+}
+
 static int flower_arp_op_from_name(const char *name, __u8 *op)
 {
 	if (!strcmp(name, "request"))
@@ -993,31 +1005,41 @@ static void flower_print_icmp(FILE *f, char *name, struct rtattr *attr)
 		fprintf(f, "\n  %s %d", name, rta_getattr_u8(attr));
 }
 
-static void flower_print_arp_op(FILE *f, char *name,
-				struct rtattr *op_attr,
-				struct rtattr *mask_attr)
+static void flower_print_masked_u8(FILE *f, const char *name,
+				   struct rtattr *attr,
+				   struct rtattr *mask_attr,
+				   const char *(*value_to_str)(__u8 value))
 {
-	uint8_t op, mask;
+	const char *value_str = NULL;
+	__u8 value, mask;
 
-	if (!op_attr)
+	if (!attr)
 		return;
 
-	op = rta_getattr_u8(op_attr);
+	value = rta_getattr_u8(attr);
 	mask = mask_attr ? rta_getattr_u8(mask_attr) : UINT8_MAX;
+	if (mask == UINT8_MAX && value_to_str)
+		value_str = value_to_str(value);
 
 	fprintf(f, "\n  %s ", name);
 
-	if (mask == UINT8_MAX && op == ARPOP_REQUEST)
-		fprintf(f, "request");
-	else if (mask == UINT8_MAX && op == ARPOP_REPLY)
-		fprintf(f, "reply");
+	if (value_str)
+		fputs(value_str, f);
 	else
-		fprintf(f, "%d", op);
+		fprintf(f, "%d", value);
 
 	if (mask != UINT8_MAX)
 		fprintf(f, "/%d", mask);
 }
 
+static void flower_print_arp_op(FILE *f, const char *name,
+				struct rtattr *op_attr,
+				struct rtattr *mask_attr)
+{
+	flower_print_masked_u8(f, name, op_attr, mask_attr,
+			       flower_print_arp_op_to_name);
+}
+
 static int flower_print_opt(struct filter_util *qu, FILE *f,
 			    struct rtattr *opt, __u32 handle)
 {
-- 
2.7.0.rc3.207.g0ac5344

[PATCH iproute2/net-next 5/7] tc: flower: support masked ICMP code and type match

[Simon Horman]

Extend ICMP code and type match to support masks.

Also add missing documentation to synopsis in manpage.

tc qdisc add dev eth0 ingress
tc filter add dev eth0 protocol ipv6 parent ffff: flower \
	indev eth0 ip_proto icmpv6 type 128/240 code 0 action drop

Signed-off-by: Simon Horman <simon.horman@netronome.com>
---
 man/man8/tc-flower.8 | 16 ++++++++++----
 tc/f_flower.c        | 59 ++++++++++++++++++++++++++++++----------------------
 2 files changed, 46 insertions(+), 29 deletions(-)

diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
index b1bef8b7637a..fc5bac503324 100644
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@@ -34,7 +34,11 @@ flower \- flow based traffic control filter
 .BR dst_ip " | " src_ip " } "
 .IR PREFIX " | { "
 .BR dst_port " | " src_port " } "
-.IR port_number " } | { "
+.IR port_number " } | "
+.B type
+.IR MASKED_TYPE " | "
+.B code
+.IR MASKED_CODE " | { "
 .BR arp_tip " | " arp_sip " } "
 .IR IPV4_PREFIX " | "
 .BR arp_op " { " request " | " reply " | "
@@ -132,10 +136,14 @@ Match on layer 4 protocol source or destination port number. Only available for
 .BR ip_proto " values " udp ", " tcp  " and " sctp
 which have to be specified in beforehand.
 .TP
-.BI type " NUMBER"
+.BI type " MASKED_TYPE"
 .TQ
-.BI code " NUMBER"
-Match on ICMP type or code. Only available for
+.BI code " MASKED_CODE"
+Match on ICMP type or code. A mask may be optionally provided to limit the
+bits of the address which are matched. A mask is provided by following the
+address with a slash and then the mask. The mask must be as a number which
+represents a bitwise mask If the mask is missing then a match on all bits
+is assumed.  Only available for
 .BR ip_proto " values " icmp  " and " icmpv6
 which have to be specified in beforehand.
 .TP
diff --git a/tc/f_flower.c b/tc/f_flower.c
index 6a0bedcc4d5d..6bd03f2b8e4b 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -57,8 +57,8 @@ static void explain(void)
 		"                       src_ip PREFIX |\n"
 		"                       dst_port PORT-NUMBER |\n"
 		"                       src_port PORT-NUMBER |\n"
-		"                       type ICMP-TYPE |\n"
-		"                       code ICMP-CODE |\n"
+		"                       type MASKED-ICMP-TYPE |\n"
+		"                       code MASKED-ICMP-CODE |\n"
 		"                       arp_tip IPV4-PREFIX |\n"
 		"                       arp_sip IPV4-PREFIX |\n"
 		"                       arp_op [ request | reply | OP ] |\n"
@@ -407,24 +407,32 @@ static int flower_icmp_attr_type(__be16 eth_type, __u8 ip_proto,
 	return -1;
 }
 
+static int flower_icmp_attr_mask_type(__be16 eth_type, __u8 ip_proto,
+				      enum flower_icmp_field field)
+{
+	if (eth_type == htons(ETH_P_IP) && ip_proto == IPPROTO_ICMP)
+		return field == FLOWER_ICMP_FIELD_CODE ?
+			TCA_FLOWER_KEY_ICMPV4_CODE_MASK :
+			TCA_FLOWER_KEY_ICMPV4_TYPE_MASK;
+	else if (eth_type == htons(ETH_P_IPV6) && ip_proto == IPPROTO_ICMPV6)
+		return field == FLOWER_ICMP_FIELD_CODE ?
+			TCA_FLOWER_KEY_ICMPV6_CODE_MASK :
+			TCA_FLOWER_KEY_ICMPV6_TYPE_MASK;
+
+	return -1;
+}
+
 static int flower_parse_icmp(char *str, __u16 eth_type, __u8 ip_proto,
 			     enum flower_icmp_field field, struct nlmsghdr *n)
 {
-	int ret;
-	int type;
-	uint8_t value;
-
-	type = flower_icmp_attr_type(eth_type, ip_proto, field);
-	if (type < 0)
-		return -1;
+	int value_type, mask_type;
 
-	ret = get_u8(&value, str, 10);
-	if (ret)
+	value_type = flower_icmp_attr_type(eth_type, ip_proto, field);
+	mask_type = flower_icmp_attr_mask_type(eth_type, ip_proto, field);
+	if (value_type < 0 || mask_type < 0)
 		return -1;
 
-	addattr8(n, MAX_MSG, type, value);
-
-	return 0;
+	return flower_parse_u8(str, value_type, mask_type, NULL, NULL, n);
 }
 
 static int flower_port_attr_type(__u8 ip_proto, enum flower_endpoint endpoint)
@@ -999,12 +1007,6 @@ static void flower_print_key_id(FILE *f, const char *name,
 		fprintf(f, "\n  %s %d", name, rta_getattr_be32(attr));
 }
 
-static void flower_print_icmp(FILE *f, char *name, struct rtattr *attr)
-{
-	if (attr)
-		fprintf(f, "\n  %s %d", name, rta_getattr_u8(attr));
-}
-
 static void flower_print_masked_u8(FILE *f, const char *name,
 				   struct rtattr *attr,
 				   struct rtattr *mask_attr,
@@ -1044,9 +1046,9 @@ static int flower_print_opt(struct filter_util *qu, FILE *f,
 			    struct rtattr *opt, __u32 handle)
 {
 	struct rtattr *tb[TCA_FLOWER_MAX + 1];
+	int nl_type, nl_mask_type;
 	__be16 eth_type = 0;
 	__u8 ip_proto = 0xff;
-	int nl_type;
 
 	if (!opt)
 		return 0;
@@ -1110,12 +1112,19 @@ static int flower_print_opt(struct filter_util *qu, FILE *f,
 
 	nl_type = flower_icmp_attr_type(eth_type, ip_proto,
 					FLOWER_ICMP_FIELD_TYPE);
-	if (nl_type >= 0)
-		flower_print_icmp(f, "icmp_type", tb[nl_type]);
+	nl_mask_type = flower_icmp_attr_mask_type(eth_type, ip_proto,
+						  FLOWER_ICMP_FIELD_TYPE);
+	if (nl_type >= 0 && nl_mask_type >= 0)
+		flower_print_masked_u8(f, "icmp_type", tb[nl_type],
+				       tb[nl_mask_type], NULL);
+
 	nl_type = flower_icmp_attr_type(eth_type, ip_proto,
 					FLOWER_ICMP_FIELD_CODE);
-	if (nl_type >= 0)
-		flower_print_icmp(f, "icmp_code", tb[nl_type]);
+	nl_mask_type = flower_icmp_attr_mask_type(eth_type, ip_proto,
+						  FLOWER_ICMP_FIELD_CODE);
+	if (nl_type >= 0 && nl_mask_type >= 0)
+		flower_print_masked_u8(f, "icmp_code", tb[nl_type],
+				       tb[nl_mask_type], NULL);
 
 	flower_print_ip4_addr(f, "arp_sip", tb[TCA_FLOWER_KEY_ARP_SIP],
 			     tb[TCA_FLOWER_KEY_ARP_SIP_MASK]);
-- 
2.7.0.rc3.207.g0ac5344

[PATCH iproute2/net-next 6/7] tc: flower: Add TCA_FLOWER_KEY_ND_*

[Simon Horman]

Changes proposed for net-next.

Signed-off-by: Simon Horman <simon.horman@netronome.com>
---
 include/linux/pkt_cls.h | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/include/linux/pkt_cls.h b/include/linux/pkt_cls.h
index 345551e71410..fc9e9bef726e 100644
--- a/include/linux/pkt_cls.h
+++ b/include/linux/pkt_cls.h
@@ -430,6 +430,13 @@ enum {
 	TCA_FLOWER_KEY_ARP_THA,		/* ETH_ALEN */
 	TCA_FLOWER_KEY_ARP_THA_MASK,	/* ETH_ALEN */
 
+	TCA_FLOWER_KEY_ND_TARGET,	/* struct in6_addr */
+	TCA_FLOWER_KEY_ND_TARGET_MASK,	/* struct in6_addr */
+	TCA_FLOWER_KEY_ND_SLL,		/* ETH_ALEN */
+	TCA_FLOWER_KEY_ND_SLL_MASK,	/* ETH_ALEN */
+	TCA_FLOWER_KEY_ND_TLL,		/* ETH_ALEN */
+	TCA_FLOWER_KEY_ND_TLL_MASK,	/* ETH_ALEN */
+
 	__TCA_FLOWER_MAX,
 };
 
-- 
2.7.0.rc3.207.g0ac5344

[PATCH iproute2/net-next 7/7] tc: flower: Support matching on ND

[Simon Horman]

Allow matching on Neighbour Discovery target IP, and source and
destination link-layer addresses for neighbour solicitation and
advertisement messages.

Sample usage:

tc qdisc add dev eth0 ingress

tc filter add dev eth0 protocol ipv6 parent ffff: flower \
	indev eth0 ip_proto icmpv6 type 136 code 0 \
	nd_target 2001:470:7eb3:403:201:8eff:fe22:8fea \
	nd_tll 00:01:8e:22:8f:ea action drop

Signed-off-by: Simon Horman <simon.horman@netronome.com>
---
 man/man8/tc-flower.8 |  34 ++++++++++++++++--
 tc/f_flower.c        | 100 +++++++++++++++++++++++++++++++++++++++++++++++----
 2 files changed, 126 insertions(+), 8 deletions(-)

diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
index fc5bac503324..27b7771cb3bb 100644
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@@ -35,6 +35,10 @@ flower \- flow based traffic control filter
 .IR PREFIX " | { "
 .BR dst_port " | " src_port " } "
 .IR port_number " } | "
+.B nd_target
+.IR IPV6_PREFIX " | { "
+.BR nd_tll " | " nd_sll " } "
+.IR MASKED_LLADDR " | "
 .B type
 .IR MASKED_TYPE " | "
 .B code
@@ -147,6 +151,23 @@ is assumed.  Only available for
 .BR ip_proto " values " icmp  " and " icmpv6
 which have to be specified in beforehand.
 .TP
+.BI nd_target " IPV6_PREFIX"
+Match on Neighbour Discovery target IPv6 address.
+.I IPV6_PREFIX
+must be a valid IPv6 address optionally followed by a slash and the prefix
+length. If the prefix is missing, \fBtc\fR assumes a full-length host
+match.
+.TP
+.BI nd_tll " MASKED_LLADDR"
+.TQ
+.BI nd_sll " MASKED_LLADDR"
+Match on source or destination MAC address.  A mask may be optionally
+provided to limit the bits of the address which are matched. A mask is
+provided by following the address with a slash and then the mask. It may be
+provided in LLADDR format, in which case it is a bitwise mask, or as a
+number of high bits to match. If the mask is missing then a match on all
+bits is assumed.
+.TP
 .BI arp_tip " IPV4_PREFIX"
 .TQ
 .BI arp_sip " IPV4_PREFIX"
@@ -214,10 +235,19 @@ depend on
 .B ip_proto
 being set to
 .BR tcp ", " udp " or " sctp,
-and finally ICMP matches (\fBcode\fR and \fBtype\fR) depend on
+ICMP matches (\fBcode\fR and \fBtype\fR) depend on
 .B ip_proto
 being set to
-.BR icmp " or " icmpv6.
+.BR icmp " or " icmpv6,
+and finally neighbour discovery matches (\fBnd_target\fR, \fBnd_dll\fR
+and \fBnd_tll\fR) depend on
+.B icmp_code
+being set to
+.BR 0
+and
+.B icmp_type
+being set to
+.BR 135 " or " 136.
 .P
 There can be only used one mask per one prio. If user needs to specify different
 mask, he has to use different prio.
diff --git a/tc/f_flower.c b/tc/f_flower.c
index 6bd03f2b8e4b..927b3b33562d 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -64,6 +64,9 @@ static void explain(void)
 		"                       arp_op [ request | reply | OP ] |\n"
 		"                       arp_tha MASKED-LLADDR |\n"
 		"                       arp_sha MASKED-LLADDR |\n"
+		"                       nd_target IPV6-PREFIX |\n"
+		"                       nd_sll MASKED-LLADDR |\n"
+		"                       nd_tll MASKED-LLADDR |\n"
 		"                       enc_dst_ip [ IPV4-ADDR | IPV6-ADDR ] |\n"
 		"                       enc_src_ip [ IPV4-ADDR | IPV6-ADDR ] |\n"
 		"                       enc_key_id [ KEY-ID ] |\n"
@@ -310,6 +313,7 @@ static int flower_parse_arp_ip_addr(char *str, __be16 eth_type,
 }
 
 static int flower_parse_u8(char *str, int value_type, int mask_type,
+			   __u8 *value_p, __u8 *mask_p,
 			   int (*value_from_name)(const char *str,
 						 __u8 *value),
 			   bool (*value_validate)(__u8 value),
@@ -345,6 +349,10 @@ static int flower_parse_u8(char *str, int value_type, int mask_type,
 	addattr8(n, MAX_MSG, value_type, value);
 	addattr8(n, MAX_MSG, mask_type, mask);
 
+	if (value_p)
+		*value_p = value;
+	if (mask_p)
+		*mask_p = mask;
 	err = 0;
 err:
 	if (slash)
@@ -388,8 +396,9 @@ static int flower_parse_arp_op(char *str, __be16 eth_type,
 	if (!flower_eth_type_arp(eth_type))
 		return -1;
 
-	return flower_parse_u8(str, op_type, mask_type, flower_arp_op_from_name,
-			       flow_arp_op_validate, n);
+	return flower_parse_u8(str, op_type, mask_type, NULL, NULL,
+			       flower_arp_op_from_name, flow_arp_op_validate,
+			       n);
 }
 
 static int flower_icmp_attr_type(__be16 eth_type, __u8 ip_proto,
@@ -423,7 +432,8 @@ static int flower_icmp_attr_mask_type(__be16 eth_type, __u8 ip_proto,
 }
 
 static int flower_parse_icmp(char *str, __u16 eth_type, __u8 ip_proto,
-			     enum flower_icmp_field field, struct nlmsghdr *n)
+			     enum flower_icmp_field field, __u8 *value_p,
+			     __u8 *mask_p, struct nlmsghdr *n)
 {
 	int value_type, mask_type;
 
@@ -432,7 +442,19 @@ static int flower_parse_icmp(char *str, __u16 eth_type, __u8 ip_proto,
 	if (value_type < 0 || mask_type < 0)
 		return -1;
 
-	return flower_parse_u8(str, value_type, mask_type, NULL, NULL, n);
+	return flower_parse_u8(str, value_type, mask_type, value_p, mask_p,
+			       NULL, NULL, n);
+}
+
+static bool flower_check_nd_prereq(__be16 eth_type, __u8 ip_proto,
+				  __u8 icmp_type, __u8 icmp_type_mask,
+				  __u8 icmp_code, __u8 icmp_code_mask)
+{
+	return eth_type == htons(ETH_P_IPV6) &&
+		ip_proto == IPPROTO_ICMPV6 &&
+		(icmp_type == 135 || icmp_type == 136) &&
+		icmp_type_mask == 0xff &&
+		icmp_code == 0 && icmp_code_mask == 0xff;
 }
 
 static int flower_port_attr_type(__u8 ip_proto, enum flower_endpoint endpoint)
@@ -508,7 +530,11 @@ static int flower_parse_opt(struct filter_util *qu, char *handle,
 	struct rtattr *tail;
 	__be16 eth_type = TC_H_MIN(t->tcm_info);
 	__be16 vlan_ethtype = 0;
+	__u8 icmp_type_mask = 0;
+	__u8 icmp_code_mask = 0;
 	__u8 ip_proto = 0xff;
+	__u8 icmp_type = 0;
+	__u8 icmp_code = 0;
 	__u32 flags = 0;
 	__u32 mtf = 0;
 	__u32 mtf_mask = 0;
@@ -674,7 +700,9 @@ static int flower_parse_opt(struct filter_util *qu, char *handle,
 		} else if (matches(*argv, "type") == 0) {
 			NEXT_ARG();
 			ret = flower_parse_icmp(*argv, eth_type, ip_proto,
-						FLOWER_ICMP_FIELD_TYPE, n);
+						FLOWER_ICMP_FIELD_TYPE,
+						&icmp_type, &icmp_type_mask,
+						n);
 			if (ret < 0) {
 				fprintf(stderr, "Illegal \"icmp type\"\n");
 				return -1;
@@ -682,11 +710,55 @@ static int flower_parse_opt(struct filter_util *qu, char *handle,
 		} else if (matches(*argv, "code") == 0) {
 			NEXT_ARG();
 			ret = flower_parse_icmp(*argv, eth_type, ip_proto,
-						FLOWER_ICMP_FIELD_CODE, n);
+						FLOWER_ICMP_FIELD_CODE,
+						&icmp_code, &icmp_code_mask,
+						n);
 			if (ret < 0) {
 				fprintf(stderr, "Illegal \"icmp code\"\n");
 				return -1;
 			}
+		} else if (matches(*argv, "nd_target") == 0) {
+			NEXT_ARG();
+			if (!flower_check_nd_prereq(vlan_ethtype ?
+						    vlan_ethtype : eth_type,
+						    ip_proto, icmp_type,
+						    icmp_type_mask, icmp_code,
+						    icmp_code_mask) ||
+			    __flower_parse_ip_addr(*argv, AF_INET6,
+						   TCA_FLOWER_UNSPEC,
+						   TCA_FLOWER_UNSPEC,
+						   TCA_FLOWER_KEY_ND_TARGET,
+						   TCA_FLOWER_KEY_ND_TARGET_MASK,
+						   n) < 0) {
+				fprintf(stderr, "Illegal \"nd_target\"\n");
+				return -1;
+			}
+		} else if (matches(*argv, "nd_sll") == 0) {
+			NEXT_ARG();
+			if (!flower_check_nd_prereq(vlan_ethtype ?
+						    vlan_ethtype : eth_type,
+						    ip_proto, icmp_type,
+						    icmp_type_mask, icmp_code,
+						    icmp_code_mask) ||
+			    flower_parse_eth_addr(*argv, TCA_FLOWER_KEY_ND_SLL,
+						  TCA_FLOWER_KEY_ND_SLL_MASK,
+						  n) < 0) {
+				fprintf(stderr, "Illegal \"nd_sll\"\n");
+				return -1;
+			}
+		} else if (matches(*argv, "nd_tll") == 0) {
+			NEXT_ARG();
+			if (!flower_check_nd_prereq(vlan_ethtype ?
+						    vlan_ethtype : eth_type,
+						    ip_proto, icmp_type,
+						    icmp_type_mask, icmp_code,
+						    icmp_code_mask) ||
+			    flower_parse_eth_addr(*argv, TCA_FLOWER_KEY_ND_TLL,
+						  TCA_FLOWER_KEY_ND_TLL_MASK,
+						  n) < 0) {
+				fprintf(stderr, "Illegal \"nd_tll\"\n");
+				return -1;
+			}
 		} else if (matches(*argv, "arp_tip") == 0) {
 			NEXT_ARG();
 			ret = flower_parse_arp_ip_addr(*argv, vlan_ethtype ?
@@ -986,6 +1058,7 @@ static void flower_print_ip_addr(FILE *f, char *name, __be16 eth_type,
 	else if (bits < len * 8)
 		fprintf(f, "/%d", bits);
 }
+
 static void flower_print_ip4_addr(FILE *f, char *name,
 				  struct rtattr *addr_attr,
 				  struct rtattr *mask_attr)
@@ -994,6 +1067,14 @@ static void flower_print_ip4_addr(FILE *f, char *name,
 				    addr_attr, mask_attr, 0, 0);
 }
 
+static void flower_print_ip6_addr(FILE *f, char *name,
+				  struct rtattr *addr_attr,
+				  struct rtattr *mask_attr)
+{
+	return flower_print_ip_addr(f, name, htons(ETH_P_IPV6),
+				    0, 0, addr_attr, mask_attr);
+}
+
 static void flower_print_port(FILE *f, char *name, struct rtattr *attr)
 {
 	if (attr)
@@ -1126,6 +1207,13 @@ static int flower_print_opt(struct filter_util *qu, FILE *f,
 		flower_print_masked_u8(f, "icmp_code", tb[nl_type],
 				       tb[nl_mask_type], NULL);
 
+	flower_print_ip6_addr(f, "nd_target", tb[TCA_FLOWER_KEY_ND_TARGET],
+			     tb[TCA_FLOWER_KEY_ND_TARGET_MASK]);
+	flower_print_eth_addr(f, "nd_tll", tb[TCA_FLOWER_KEY_ND_TLL],
+			      tb[TCA_FLOWER_KEY_ND_TLL_MASK]);
+	flower_print_eth_addr(f, "nd_sll", tb[TCA_FLOWER_KEY_ND_SLL],
+			      tb[TCA_FLOWER_KEY_ND_SLL_MASK]);
+
 	flower_print_ip4_addr(f, "arp_sip", tb[TCA_FLOWER_KEY_ARP_SIP],
 			     tb[TCA_FLOWER_KEY_ARP_SIP_MASK]);
 	flower_print_ip4_addr(f, "arp_tip", tb[TCA_FLOWER_KEY_ARP_TIP],
-- 
2.7.0.rc3.207.g0ac5344

Re: [PATCH iproute2/net-next 7/7] tc: flower: Support matching on ND

[Jiri Pirko]

Thu, Feb 02, 2017 at 11:38:40AM CET, simon.horman@netronome.com wrote:
>Allow matching on Neighbour Discovery target IP, and source and
>destination link-layer addresses for neighbour solicitation and
>advertisement messages.
>
>Sample usage:
>
>tc qdisc add dev eth0 ingress
>
>tc filter add dev eth0 protocol ipv6 parent ffff: flower \
>	indev eth0 ip_proto icmpv6 type 136 code 0 \
>	nd_target 2001:470:7eb3:403:201:8eff:fe22:8fea \
>	nd_tll 00:01:8e:22:8f:ea action drop
>
>Signed-off-by: Simon Horman <simon.horman@netronome.com>


Why you are adding this to iproute2? You only poster RFC for kernel.

Please push to kernel first, let it merge, then send iproute2 support.

Re: [PATCH iproute2/net-next 7/7] tc: flower: Support matching on ND

[Simon Horman]

On Thu, Feb 02, 2017 at 06:27:48PM +0100, Jiri Pirko wrote:
> Thu, Feb 02, 2017 at 11:38:40AM CET, simon.horman@netronome.com wrote:
> >Allow matching on Neighbour Discovery target IP, and source and
> >destination link-layer addresses for neighbour solicitation and
> >advertisement messages.
> >
> >Sample usage:
> >
> >tc qdisc add dev eth0 ingress
> >
> >tc filter add dev eth0 protocol ipv6 parent ffff: flower \
> >	indev eth0 ip_proto icmpv6 type 136 code 0 \
> >	nd_target 2001:470:7eb3:403:201:8eff:fe22:8fea \
> >	nd_tll 00:01:8e:22:8f:ea action drop
> >
> >Signed-off-by: Simon Horman <simon.horman@netronome.com>
> 
> 
> Why you are adding this to iproute2? You only poster RFC for kernel.
> 
> Please push to kernel first, let it merge, then send iproute2 support.

Hi Jiri,

I think there is a value in making the user-space code available in
parallel with the kernel changes to allow testing and so by any interested
parties.

If this is not acceptable I'm happy to stop doing so. But in my ideal world
I'd be very happy to see other TC kernel updates accompanied by
implementations their user-space tool counterparts.

Re: [PATCH iproute2/net-next 7/7] tc: flower: Support matching on ND

[Jiri Pirko]

Mon, Feb 06, 2017 at 09:44:00AM CET, simon.horman@netronome.com wrote:
>On Thu, Feb 02, 2017 at 06:27:48PM +0100, Jiri Pirko wrote:
>> Thu, Feb 02, 2017 at 11:38:40AM CET, simon.horman@netronome.com wrote:
>> >Allow matching on Neighbour Discovery target IP, and source and
>> >destination link-layer addresses for neighbour solicitation and
>> >advertisement messages.
>> >
>> >Sample usage:
>> >
>> >tc qdisc add dev eth0 ingress
>> >
>> >tc filter add dev eth0 protocol ipv6 parent ffff: flower \
>> >	indev eth0 ip_proto icmpv6 type 136 code 0 \
>> >	nd_target 2001:470:7eb3:403:201:8eff:fe22:8fea \
>> >	nd_tll 00:01:8e:22:8f:ea action drop
>> >
>> >Signed-off-by: Simon Horman <simon.horman@netronome.com>
>> 
>> 
>> Why you are adding this to iproute2? You only poster RFC for kernel.
>> 
>> Please push to kernel first, let it merge, then send iproute2 support.
>
>Hi Jiri,
>
>I think there is a value in making the user-space code available in
>parallel with the kernel changes to allow testing and so by any interested
>parties.

Then mark it "RFC".


>
>If this is not acceptable I'm happy to stop doing so. But in my ideal world
>I'd be very happy to see other TC kernel updates accompanied by
>implementations their user-space tool counterparts.

Re: [oss-drivers] Re: [PATCH iproute2/net-next 7/7] tc: flower: Support matching on ND

[Simon Horman]

On Mon, Feb 06, 2017 at 10:44:59AM +0100, Jiri Pirko wrote:
> Mon, Feb 06, 2017 at 09:44:00AM CET, simon.horman@netronome.com wrote:
> >On Thu, Feb 02, 2017 at 06:27:48PM +0100, Jiri Pirko wrote:
> >> Thu, Feb 02, 2017 at 11:38:40AM CET, simon.horman@netronome.com wrote:
> >> >Allow matching on Neighbour Discovery target IP, and source and
> >> >destination link-layer addresses for neighbour solicitation and
> >> >advertisement messages.
> >> >
> >> >Sample usage:
> >> >
> >> >tc qdisc add dev eth0 ingress
> >> >
> >> >tc filter add dev eth0 protocol ipv6 parent ffff: flower \
> >> >	indev eth0 ip_proto icmpv6 type 136 code 0 \
> >> >	nd_target 2001:470:7eb3:403:201:8eff:fe22:8fea \
> >> >	nd_tll 00:01:8e:22:8f:ea action drop
> >> >
> >> >Signed-off-by: Simon Horman <simon.horman@netronome.com>
> >> 
> >> 
> >> Why you are adding this to iproute2? You only poster RFC for kernel.
> >> 
> >> Please push to kernel first, let it merge, then send iproute2 support.
> >
> >Hi Jiri,
> >
> >I think there is a value in making the user-space code available in
> >parallel with the kernel changes to allow testing and so by any interested
> >parties.
> 
> Then mark it "RFC".

Sorry, that was my intention. Somehow it didn't happen.

> >If this is not acceptable I'm happy to stop doing so. But in my ideal world
> >I'd be very happy to see other TC kernel updates accompanied by
> >implementations their user-space tool counterparts.

Re: [PATCH iproute2/net-next 0/7] tc: flower: Masked ICMP match and ND match

[Stephen Hemminger]

On Thu,  2 Feb 2017 11:38:33 +0100
Simon Horman <simon.horman@netronome.com> wrote:

> Hi,
> 
> this series have several related parts.
> 
> * tc: flower: Update documentation to indicate ARP takes IPv4 prefixes
> 
>   Enhance documentation for consistency with later documentation changes.
> 
> * tc: flower: use correct type when calling flower_icmp_attr_type
> 
>   Type correction to ICMP code; should not have runtime effect
> 
> * tc: flower: provide generic masked u8 parser helper
>   tc: flower: provide generic masked u8 print helper
> 
>   Generic parsing and printing of masked u8 options
> 
> * tc: flower: support masked ICMP code and type match
> 
>   Support masking ICMP code and type matches.
>   Unmasked matching is already supported by iproute2
>   Masked matching is already supported by the kernel.
> 
>   This is used by the ND patches
> 
> * tc: flower: Add TCA_FLOWER_KEY_ND_*
>   tc: flower: Support matching on ND
> 
> The last two patches are marked as RFC as they support functionality
> submitted to but not yet not yet present in the kernel.
> 
> 
> Simon Horman (7):
>   tc: flower: Update documentation to indicate ARP takes IPv4 prefixes
>   tc: flower: use correct type when calling flower_icmp_attr_type
>   tc: flower: provide generic masked u8 parser helper
>   tc: flower: provide generic masked u8 print helper
>   tc: flower: support masked ICMP code and type match
>   tc: flower: Add TCA_FLOWER_KEY_ND_*
>   tc: flower: Support matching on ND
> 
>  include/linux/pkt_cls.h |   7 ++
>  man/man8/tc-flower.8    |  58 +++++++++--
>  tc/f_flower.c           | 260 +++++++++++++++++++++++++++++++++++++-----------
>  3 files changed, 258 insertions(+), 67 deletions(-)
> 

Since this patchset depended on changes to pkt_cls.h which are not accepted upstream
into net-next, I marked it as awaiting upstream.  When the corresponding kernel changes
are accepted into net-next please resubmit it.

Re: [PATCH iproute2/net-next 0/7] tc: flower: Masked ICMP match and ND match

[Simon Horman]

On Mon, Feb 6, 2017 at 11:28 PM, Stephen Hemminger
<stephen@networkplumber.org> wrote:
> On Thu,  2 Feb 2017 11:38:33 +0100
> Simon Horman <simon.horman@netronome.com> wrote:
>
>> Hi,
>>
>> this series have several related parts.
>>
>> * tc: flower: Update documentation to indicate ARP takes IPv4 prefixes
>>
>>   Enhance documentation for consistency with later documentation changes.
>>
>> * tc: flower: use correct type when calling flower_icmp_attr_type
>>
>>   Type correction to ICMP code; should not have runtime effect
>>
>> * tc: flower: provide generic masked u8 parser helper
>>   tc: flower: provide generic masked u8 print helper
>>
>>   Generic parsing and printing of masked u8 options
>>
>> * tc: flower: support masked ICMP code and type match
>>
>>   Support masking ICMP code and type matches.
>>   Unmasked matching is already supported by iproute2
>>   Masked matching is already supported by the kernel.
>>
>>   This is used by the ND patches
>>
>> * tc: flower: Add TCA_FLOWER_KEY_ND_*
>>   tc: flower: Support matching on ND
>>
>> The last two patches are marked as RFC as they support functionality
>> submitted to but not yet not yet present in the kernel.
>>
>>
>> Simon Horman (7):
>>   tc: flower: Update documentation to indicate ARP takes IPv4 prefixes
>>   tc: flower: use correct type when calling flower_icmp_attr_type
>>   tc: flower: provide generic masked u8 parser helper
>>   tc: flower: provide generic masked u8 print helper
>>   tc: flower: support masked ICMP code and type match
>>   tc: flower: Add TCA_FLOWER_KEY_ND_*
>>   tc: flower: Support matching on ND
>>
>>  include/linux/pkt_cls.h |   7 ++
>>  man/man8/tc-flower.8    |  58 +++++++++--
>>  tc/f_flower.c           | 260 +++++++++++++++++++++++++++++++++++++-----------
>>  3 files changed, 258 insertions(+), 67 deletions(-)
>>
>
> Since this patchset depended on changes to pkt_cls.h which are not accepted upstream
> into net-next, I marked it as awaiting upstream.  When the corresponding kernel changes
> are accepted into net-next please resubmit it.

Hi Stephen,

I think that the first 5 patches can be considered independently of
the last two which have the dependency you describe. Sorry for not
making this clearer; e.g. by posting them separately. Would it help if
I reposted the first five patches?

Re: [PATCH iproute2/net-next 7/7] tc: flower: Support matching on ND

[Stephen Hemminger]

On Mon, 6 Feb 2017 09:44:00 +0100
Simon Horman <simon.horman@netronome.com> wrote:

> On Thu, Feb 02, 2017 at 06:27:48PM +0100, Jiri Pirko wrote:
> > Thu, Feb 02, 2017 at 11:38:40AM CET, simon.horman@netronome.com wrote:  
> > >Allow matching on Neighbour Discovery target IP, and source and
> > >destination link-layer addresses for neighbour solicitation and
> > >advertisement messages.
> > >
> > >Sample usage:
> > >
> > >tc qdisc add dev eth0 ingress
> > >
> > >tc filter add dev eth0 protocol ipv6 parent ffff: flower \
> > >	indev eth0 ip_proto icmpv6 type 136 code 0 \
> > >	nd_target 2001:470:7eb3:403:201:8eff:fe22:8fea \
> > >	nd_tll 00:01:8e:22:8f:ea action drop
> > >
> > >Signed-off-by: Simon Horman <simon.horman@netronome.com>  
> > 
> > 
> > Why you are adding this to iproute2? You only poster RFC for kernel.
> > 
> > Please push to kernel first, let it merge, then send iproute2 support.  
> 
> Hi Jiri,
> 
> I think there is a value in making the user-space code available in
> parallel with the kernel changes to allow testing and so by any interested
> parties.

The problem is that the ABI is not defined until it makes it into upstream
kernel tree. If a set of developers needs tools, then they can keep a temporary
fork (which is what the CAKE developers are doing).

> If this is not acceptable I'm happy to stop doing so. But in my ideal world
> I'd be very happy to see other TC kernel updates accompanied by
> implementations their user-space tool counterparts.

If you want something in right away resend those patches.