* [PATCH net-next v15] openvswitch: enable NSH support
@ 2017-11-01 4:03 Yi Yang
2017-11-01 8:46 ` Jiri Benc
` (3 more replies)
0 siblings, 4 replies; 19+ messages in thread
From: Yi Yang @ 2017-11-01 4:03 UTC (permalink / raw)
To: netdev-u79uwXL29TY76Z2rM5mHXA
Cc: dev-yBygre7rU0TnMu66kgdUjQ, jbenc-H+wXaHxf7aLQT0dZR+AlfA, e,
davem-fT/PcQaiUtIeIZ0/mPfg9Q
v14->v15
- Check size in nsh_hdr_from_nlattr
- Fixed four small issues pointed out By Jiri and Eric
v13->v14
- Rename skb_push_nsh to nsh_push per Dave's comment
- Rename skb_pop_nsh to nsh_pop per Dave's comment
v12->v13
- Fix NSH header length check in set_nsh
v11->v12
- Fix missing changes old comments pointed out
- Fix new comments for v11
v10->v11
- Fix the left three disputable comments for v9
but not fixed in v10.
v9->v10
- Change struct ovs_key_nsh to
struct ovs_nsh_key_base base;
__be32 context[NSH_MD1_CONTEXT_SIZE];
- Fix new comments for v9
v8->v9
- Fix build error reported by daily intel build
because nsh module isn't selected by openvswitch
v7->v8
- Rework nested value and mask for OVS_KEY_ATTR_NSH
- Change pop_nsh to adapt to nsh kernel module
- Fix many issues per comments from Jiri Benc
v6->v7
- Remove NSH GSO patches in v6 because Jiri Benc
reworked it as another patch series and they have
been merged.
- Change it to adapt to nsh kernel module added by NSH
GSO patch series
v5->v6
- Fix the rest comments for v4.
- Add NSH GSO support for VxLAN-gpe + NSH and
Eth + NSH.
v4->v5
- Fix many comments by Jiri Benc and Eric Garver
for v4.
v3->v4
- Add new NSH match field ttl
- Update NSH header to the latest format
which will be final format and won't change
per its author's confirmation.
- Fix comments for v3.
v2->v3
- Change OVS_KEY_ATTR_NSH to nested key to handle
length-fixed attributes and length-variable
attriubte more flexibly.
- Remove struct ovs_action_push_nsh completely
- Add code to handle nested attribute for SET_MASKED
- Change PUSH_NSH to use the nested OVS_KEY_ATTR_NSH
to transfer NSH header data.
- Fix comments and coding style issues by Jiri and Eric
v1->v2
- Change encap_nsh and decap_nsh to push_nsh and pop_nsh
- Dynamically allocate struct ovs_action_push_nsh for
length-variable metadata.
OVS master and 2.8 branch has merged NSH userspace
patch series, this patch is to enable NSH support
in kernel data path in order that OVS can support
NSH in compat mode by porting this.
Signed-off-by: Yi Yang <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
---
include/net/nsh.h | 3 +
include/uapi/linux/openvswitch.h | 29 ++++
net/nsh/nsh.c | 59 ++++++++
net/openvswitch/Kconfig | 1 +
net/openvswitch/actions.c | 119 +++++++++++++++
net/openvswitch/flow.c | 51 +++++++
net/openvswitch/flow.h | 7 +
net/openvswitch/flow_netlink.c | 315 ++++++++++++++++++++++++++++++++++++++-
net/openvswitch/flow_netlink.h | 5 +
9 files changed, 588 insertions(+), 1 deletion(-)
diff --git a/include/net/nsh.h b/include/net/nsh.h
index a1eaea2..350b1ad 100644
--- a/include/net/nsh.h
+++ b/include/net/nsh.h
@@ -304,4 +304,7 @@ static inline void nsh_set_flags_ttl_len(struct nshhdr *nsh, u8 flags,
NSH_FLAGS_MASK | NSH_TTL_MASK | NSH_LEN_MASK);
}
+int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh);
+int nsh_pop(struct sk_buff *skb);
+
#endif /* __NET_NSH_H */
diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h
index 0cd6f88..ac2623b 100644
--- a/include/uapi/linux/openvswitch.h
+++ b/include/uapi/linux/openvswitch.h
@@ -333,6 +333,7 @@ enum ovs_key_attr {
OVS_KEY_ATTR_CT_LABELS, /* 16-octet connection tracking label */
OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV4, /* struct ovs_key_ct_tuple_ipv4 */
OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6, /* struct ovs_key_ct_tuple_ipv6 */
+ OVS_KEY_ATTR_NSH, /* Nested set of ovs_nsh_key_* */
#ifdef __KERNEL__
OVS_KEY_ATTR_TUNNEL_INFO, /* struct ip_tunnel_info */
@@ -492,6 +493,30 @@ struct ovs_key_ct_tuple_ipv6 {
__u8 ipv6_proto;
};
+enum ovs_nsh_key_attr {
+ OVS_NSH_KEY_ATTR_UNSPEC,
+ OVS_NSH_KEY_ATTR_BASE, /* struct ovs_nsh_key_base. */
+ OVS_NSH_KEY_ATTR_MD1, /* struct ovs_nsh_key_md1. */
+ OVS_NSH_KEY_ATTR_MD2, /* variable-length octets for MD type 2. */
+ __OVS_NSH_KEY_ATTR_MAX
+};
+
+#define OVS_NSH_KEY_ATTR_MAX (__OVS_NSH_KEY_ATTR_MAX - 1)
+
+struct ovs_nsh_key_base {
+ __u8 flags;
+ __u8 ttl;
+ __u8 mdtype;
+ __u8 np;
+ __be32 path_hdr;
+};
+
+#define NSH_MD1_CONTEXT_SIZE 4
+
+struct ovs_nsh_key_md1 {
+ __be32 context[NSH_MD1_CONTEXT_SIZE];
+};
+
/**
* enum ovs_flow_attr - attributes for %OVS_FLOW_* commands.
* @OVS_FLOW_ATTR_KEY: Nested %OVS_KEY_ATTR_* attributes specifying the flow
@@ -808,6 +833,8 @@ struct ovs_action_push_eth {
* @OVS_ACTION_ATTR_POP_ETH: Pop the outermost Ethernet header off the
* packet.
* @OVS_ACTION_ATTR_CT_CLEAR: Clear conntrack state from the packet.
+ * @OVS_ACTION_ATTR_PUSH_NSH: push NSH header to the packet.
+ * @OVS_ACTION_ATTR_POP_NSH: pop the outermost NSH header off the packet.
*
* Only a single header can be set with a single %OVS_ACTION_ATTR_SET. Not all
* fields within a header are modifiable, e.g. the IPv4 protocol and fragment
@@ -838,6 +865,8 @@ enum ovs_action_attr {
OVS_ACTION_ATTR_PUSH_ETH, /* struct ovs_action_push_eth. */
OVS_ACTION_ATTR_POP_ETH, /* No argument. */
OVS_ACTION_ATTR_CT_CLEAR, /* No argument. */
+ OVS_ACTION_ATTR_PUSH_NSH, /* Nested OVS_NSH_KEY_ATTR_*. */
+ OVS_ACTION_ATTR_POP_NSH, /* No argument. */
__OVS_ACTION_ATTR_MAX, /* Nothing past this will be accepted
* from userspace. */
diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
index 58fb827..2764682 100644
--- a/net/nsh/nsh.c
+++ b/net/nsh/nsh.c
@@ -14,6 +14,65 @@
#include <net/nsh.h>
#include <net/tun_proto.h>
+int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
+{
+ struct nshhdr *nh;
+ size_t length = nsh_hdr_len(pushed_nh);
+ u8 next_proto;
+
+ if (skb->mac_len) {
+ next_proto = TUN_P_ETHERNET;
+ } else {
+ next_proto = tun_p_from_eth_p(skb->protocol);
+ if (!next_proto)
+ return -EAFNOSUPPORT;
+ }
+
+ /* Add the NSH header */
+ if (skb_cow_head(skb, length) < 0)
+ return -ENOMEM;
+
+ skb_push(skb, length);
+ nh = (struct nshhdr *)(skb->data);
+ memcpy(nh, pushed_nh, length);
+ nh->np = next_proto;
+
+ skb->protocol = htons(ETH_P_NSH);
+ skb_reset_mac_header(skb);
+ skb_reset_network_header(skb);
+ skb_reset_mac_len(skb);
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(nsh_push);
+
+int nsh_pop(struct sk_buff *skb)
+{
+ struct nshhdr *nh;
+ size_t length;
+ __be16 inner_proto;
+
+ if (!pskb_may_pull(skb, NSH_BASE_HDR_LEN))
+ return -ENOMEM;
+ nh = (struct nshhdr *)(skb->data);
+ length = nsh_hdr_len(nh);
+ inner_proto = tun_p_to_eth_p(nh->np);
+ if (!pskb_may_pull(skb, length))
+ return -ENOMEM;
+
+ if (!inner_proto)
+ return -EAFNOSUPPORT;
+
+ skb_pull(skb, length);
+ skb_reset_mac_header(skb);
+ skb_reset_network_header(skb);
+ skb_reset_mac_len(skb);
+ skb->protocol = inner_proto;
+
+ return 0;
+}
+EXPORT_SYMBOL_GPL(nsh_pop);
+
static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
netdev_features_t features)
{
diff --git a/net/openvswitch/Kconfig b/net/openvswitch/Kconfig
index ce94729..2650205 100644
--- a/net/openvswitch/Kconfig
+++ b/net/openvswitch/Kconfig
@@ -14,6 +14,7 @@ config OPENVSWITCH
select MPLS
select NET_MPLS_GSO
select DST_CACHE
+ select NET_NSH
---help---
Open vSwitch is a multilayer Ethernet switch targeted at virtualized
environments. In addition to supporting a variety of features
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index a551232..dd1449d 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -43,6 +43,7 @@
#include "flow.h"
#include "conntrack.h"
#include "vport.h"
+#include "flow_netlink.h"
struct deferred_action {
struct sk_buff *skb;
@@ -380,6 +381,43 @@ static int push_eth(struct sk_buff *skb, struct sw_flow_key *key,
return 0;
}
+static int push_nsh(struct sk_buff *skb, struct sw_flow_key *key,
+ const struct nshhdr *nh)
+{
+ int err;
+
+ err = nsh_push(skb, nh);
+ if (err)
+ return err;
+
+ /* safe right before invalidate_flow_key */
+ key->mac_proto = MAC_PROTO_NONE;
+ invalidate_flow_key(key);
+ return 0;
+}
+
+static int pop_nsh(struct sk_buff *skb, struct sw_flow_key *key)
+{
+ int err;
+
+ if (ovs_key_mac_proto(key) != MAC_PROTO_NONE ||
+ skb->protocol != htons(ETH_P_NSH)) {
+ return -EINVAL;
+ }
+
+ err = nsh_pop(skb);
+ if (err)
+ return err;
+
+ /* safe right before invalidate_flow_key */
+ if (skb->protocol == htons(ETH_P_TEB))
+ key->mac_proto = MAC_PROTO_ETHERNET;
+ else
+ key->mac_proto = MAC_PROTO_NONE;
+ invalidate_flow_key(key);
+ return 0;
+}
+
static void update_ip_l4_checksum(struct sk_buff *skb, struct iphdr *nh,
__be32 addr, __be32 new_addr)
{
@@ -602,6 +640,67 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
return 0;
}
+static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
+ const struct nlattr *a)
+{
+ struct nshhdr *nh;
+ size_t length;
+ int err;
+ u8 flags;
+ u8 ttl;
+ int i;
+
+ struct ovs_key_nsh key;
+ struct ovs_key_nsh mask;
+
+ err = nsh_key_from_nlattr(a, &key, &mask);
+ if (err)
+ return err;
+
+ /* Make sure the NSH base header is there */
+ if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
+ return -ENOMEM;
+
+ nh = nsh_hdr(skb);
+ length = nsh_hdr_len(nh);
+
+ /* Make sure the whole NSH header is there */
+ err = skb_ensure_writable(skb, skb_network_offset(skb) +
+ length);
+ if (unlikely(err))
+ return err;
+
+ nh = nsh_hdr(skb);
+ flags = nsh_get_flags(nh);
+ flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
+ flow_key->nsh.base.flags = flags;
+ ttl = nsh_get_ttl(nh);
+ ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
+ flow_key->nsh.base.ttl = ttl;
+ nsh_set_flags_and_ttl(nh, flags, ttl);
+ nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
+ mask.base.path_hdr);
+ flow_key->nsh.base.path_hdr = nh->path_hdr;
+ switch (nh->mdtype) {
+ case NSH_M_TYPE1:
+ for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
+ nh->md1.context[i] =
+ OVS_MASKED(nh->md1.context[i], key.context[i],
+ mask.context[i]);
+ }
+ memcpy(flow_key->nsh.context, nh->md1.context,
+ sizeof(nh->md1.context));
+ break;
+ case NSH_M_TYPE2:
+ memset(flow_key->nsh.context, 0,
+ sizeof(flow_key->nsh.context));
+ break;
+ default:
+ return -EINVAL;
+ }
+ return 0;
+}
+
/* Must follow skb_ensure_writable() since that can move the skb data. */
static void set_tp_port(struct sk_buff *skb, __be16 *port,
__be16 new_port, __sum16 *check)
@@ -1024,6 +1123,10 @@ static int execute_masked_set_action(struct sk_buff *skb,
get_mask(a, struct ovs_key_ethernet *));
break;
+ case OVS_KEY_ATTR_NSH:
+ err = set_nsh(skb, flow_key, a);
+ break;
+
case OVS_KEY_ATTR_IPV4:
err = set_ipv4(skb, flow_key, nla_data(a),
get_mask(a, struct ovs_key_ipv4 *));
@@ -1214,6 +1317,22 @@ static int do_execute_actions(struct datapath *dp, struct sk_buff *skb,
case OVS_ACTION_ATTR_POP_ETH:
err = pop_eth(skb, key);
break;
+
+ case OVS_ACTION_ATTR_PUSH_NSH: {
+ u8 buffer[NSH_HDR_MAX_LEN];
+ struct nshhdr *nh = (struct nshhdr *)buffer;
+
+ err = nsh_hdr_from_nlattr(nla_data(a), nh,
+ NSH_HDR_MAX_LEN);
+ if (unlikely(err))
+ break;
+ err = push_nsh(skb, key, nh);
+ break;
+ }
+
+ case OVS_ACTION_ATTR_POP_NSH:
+ err = pop_nsh(skb, key);
+ break;
}
if (unlikely(err)) {
diff --git a/net/openvswitch/flow.c b/net/openvswitch/flow.c
index 8c94cef..864ddb1 100644
--- a/net/openvswitch/flow.c
+++ b/net/openvswitch/flow.c
@@ -46,6 +46,7 @@
#include <net/ipv6.h>
#include <net/mpls.h>
#include <net/ndisc.h>
+#include <net/nsh.h>
#include "conntrack.h"
#include "datapath.h"
@@ -490,6 +491,52 @@ static int parse_icmpv6(struct sk_buff *skb, struct sw_flow_key *key,
return 0;
}
+static int parse_nsh(struct sk_buff *skb, struct sw_flow_key *key)
+{
+ struct nshhdr *nh;
+ unsigned int nh_ofs = skb_network_offset(skb);
+ u8 version, length;
+ int err;
+
+ err = check_header(skb, nh_ofs + NSH_BASE_HDR_LEN);
+ if (unlikely(err))
+ return err;
+
+ nh = nsh_hdr(skb);
+ version = nsh_get_ver(nh);
+ length = nsh_hdr_len(nh);
+
+ if (version != 0)
+ return -EINVAL;
+
+ err = check_header(skb, nh_ofs + length);
+ if (unlikely(err))
+ return err;
+
+ nh = nsh_hdr(skb);
+ key->nsh.base.flags = nsh_get_flags(nh);
+ key->nsh.base.ttl = nsh_get_ttl(nh);
+ key->nsh.base.mdtype = nh->mdtype;
+ key->nsh.base.np = nh->np;
+ key->nsh.base.path_hdr = nh->path_hdr;
+ switch (key->nsh.base.mdtype) {
+ case NSH_M_TYPE1:
+ if (length != NSH_M_TYPE1_LEN)
+ return -EINVAL;
+ memcpy(key->nsh.context, nh->md1.context,
+ sizeof(nh->md1));
+ break;
+ case NSH_M_TYPE2:
+ memset(key->nsh.context, 0,
+ sizeof(nh->md1));
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
/**
* key_extract - extracts a flow key from an Ethernet frame.
* @skb: sk_buff that contains the frame, with skb->data pointing to the
@@ -735,6 +782,10 @@ static int key_extract(struct sk_buff *skb, struct sw_flow_key *key)
memset(&key->tp, 0, sizeof(key->tp));
}
}
+ } else if (key->eth.type == htons(ETH_P_NSH)) {
+ error = parse_nsh(skb, key);
+ if (error)
+ return error;
}
return 0;
}
diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h
index 1875bba..8eeae749 100644
--- a/net/openvswitch/flow.h
+++ b/net/openvswitch/flow.h
@@ -35,6 +35,7 @@
#include <net/inet_ecn.h>
#include <net/ip_tunnels.h>
#include <net/dst_metadata.h>
+#include <net/nsh.h>
struct sk_buff;
@@ -66,6 +67,11 @@ struct vlan_head {
(offsetof(struct sw_flow_key, recirc_id) + \
FIELD_SIZEOF(struct sw_flow_key, recirc_id))
+struct ovs_key_nsh {
+ struct ovs_nsh_key_base base;
+ __be32 context[NSH_MD1_CONTEXT_SIZE];
+};
+
struct sw_flow_key {
u8 tun_opts[IP_TUNNEL_OPTS_MAX];
u8 tun_opts_len;
@@ -144,6 +150,7 @@ struct sw_flow_key {
};
} ipv6;
};
+ struct ovs_key_nsh nsh; /* network service header */
struct {
/* Connection tracking fields not packed above. */
struct {
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index dc0d790..0d7d4ae 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -48,6 +48,7 @@
#include <net/ndisc.h>
#include <net/mpls.h>
#include <net/vxlan.h>
+#include <net/tun_proto.h>
#include <net/erspan.h>
#include "flow_netlink.h"
@@ -80,9 +81,11 @@ static bool actions_may_change_flow(const struct nlattr *actions)
case OVS_ACTION_ATTR_HASH:
case OVS_ACTION_ATTR_POP_ETH:
case OVS_ACTION_ATTR_POP_MPLS:
+ case OVS_ACTION_ATTR_POP_NSH:
case OVS_ACTION_ATTR_POP_VLAN:
case OVS_ACTION_ATTR_PUSH_ETH:
case OVS_ACTION_ATTR_PUSH_MPLS:
+ case OVS_ACTION_ATTR_PUSH_NSH:
case OVS_ACTION_ATTR_PUSH_VLAN:
case OVS_ACTION_ATTR_SAMPLE:
case OVS_ACTION_ATTR_SET:
@@ -325,12 +328,25 @@ size_t ovs_tun_key_attr_size(void)
+ nla_total_size(4); /* OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS */
}
+size_t ovs_nsh_key_attr_size(void)
+{
+ /* Whenever adding new OVS_NSH_KEY_ FIELDS, we should consider
+ * updating this function.
+ */
+ return nla_total_size(NSH_BASE_HDR_LEN) /* OVS_NSH_KEY_ATTR_BASE */
+ /* OVS_NSH_KEY_ATTR_MD1 and OVS_NSH_KEY_ATTR_MD2 are
+ * mutually exclusive, so the bigger one can cover
+ * the small one.
+ */
+ + nla_total_size(NSH_CTX_HDRS_MAX_LEN);
+}
+
size_t ovs_key_attr_size(void)
{
/* Whenever adding new OVS_KEY_ FIELDS, we should consider
* updating this function.
*/
- BUILD_BUG_ON(OVS_KEY_ATTR_TUNNEL_INFO != 28);
+ BUILD_BUG_ON(OVS_KEY_ATTR_TUNNEL_INFO != 29);
return nla_total_size(4) /* OVS_KEY_ATTR_PRIORITY */
+ nla_total_size(0) /* OVS_KEY_ATTR_TUNNEL */
@@ -344,6 +360,8 @@ size_t ovs_key_attr_size(void)
+ nla_total_size(4) /* OVS_KEY_ATTR_CT_MARK */
+ nla_total_size(16) /* OVS_KEY_ATTR_CT_LABELS */
+ nla_total_size(40) /* OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6 */
+ + nla_total_size(0) /* OVS_KEY_ATTR_NSH */
+ + ovs_nsh_key_attr_size()
+ nla_total_size(12) /* OVS_KEY_ATTR_ETHERNET */
+ nla_total_size(2) /* OVS_KEY_ATTR_ETHERTYPE */
+ nla_total_size(4) /* OVS_KEY_ATTR_VLAN */
@@ -377,6 +395,13 @@ static const struct ovs_len_tbl ovs_tunnel_key_lens[OVS_TUNNEL_KEY_ATTR_MAX + 1]
[OVS_TUNNEL_KEY_ATTR_ERSPAN_OPTS] = { .len = sizeof(u32) },
};
+static const struct ovs_len_tbl
+ovs_nsh_key_attr_lens[OVS_NSH_KEY_ATTR_MAX + 1] = {
+ [OVS_NSH_KEY_ATTR_BASE] = { .len = sizeof(struct ovs_nsh_key_base) },
+ [OVS_NSH_KEY_ATTR_MD1] = { .len = sizeof(struct ovs_nsh_key_md1) },
+ [OVS_NSH_KEY_ATTR_MD2] = { .len = OVS_ATTR_VARIABLE },
+};
+
/* The size of the argument for each %OVS_KEY_ATTR_* Netlink attribute. */
static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = {
[OVS_KEY_ATTR_ENCAP] = { .len = OVS_ATTR_NESTED },
@@ -409,6 +434,8 @@ static const struct ovs_len_tbl ovs_key_lens[OVS_KEY_ATTR_MAX + 1] = {
.len = sizeof(struct ovs_key_ct_tuple_ipv4) },
[OVS_KEY_ATTR_CT_ORIG_TUPLE_IPV6] = {
.len = sizeof(struct ovs_key_ct_tuple_ipv6) },
+ [OVS_KEY_ATTR_NSH] = { .len = OVS_ATTR_NESTED,
+ .next = ovs_nsh_key_attr_lens, },
};
static bool check_attr_len(unsigned int attr_len, unsigned int expected_len)
@@ -1227,6 +1254,221 @@ static int metadata_from_nlattrs(struct net *net, struct sw_flow_match *match,
return 0;
}
+int nsh_hdr_from_nlattr(const struct nlattr *attr,
+ struct nshhdr *nh, size_t size)
+{
+ struct nlattr *a;
+ int rem;
+ u8 flags = 0;
+ u8 ttl = 0;
+ int mdlen = 0;
+
+ /* validate_nsh has check this, so we needn't do duplicate check here
+ */
+ if (size < NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+
+ nla_for_each_nested(a, attr, rem) {
+ int type = nla_type(a);
+
+ switch (type) {
+ case OVS_NSH_KEY_ATTR_BASE: {
+ const struct ovs_nsh_key_base *base = nla_data(a);
+
+ flags = base->flags;
+ ttl = base->ttl;
+ nh->np = base->np;
+ nh->mdtype = base->mdtype;
+ nh->path_hdr = base->path_hdr;
+ break;
+ }
+ case OVS_NSH_KEY_ATTR_MD1:
+ mdlen = nla_len(a);
+ if (mdlen > size - NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+ memcpy(&nh->md1, nla_data(a), mdlen);
+ break;
+
+ case OVS_NSH_KEY_ATTR_MD2:
+ mdlen = nla_len(a);
+ if (mdlen > size - NSH_BASE_HDR_LEN)
+ return -ENOBUFS;
+ memcpy(&nh->md2, nla_data(a), mdlen);
+ break;
+
+ default:
+ return -EINVAL;
+ }
+ }
+
+ /* nsh header length = NSH_BASE_HDR_LEN + mdlen */
+ nh->ver_flags_ttl_len = 0;
+ nsh_set_flags_ttl_len(nh, flags, ttl, NSH_BASE_HDR_LEN + mdlen);
+
+ return 0;
+}
+
+int nsh_key_from_nlattr(const struct nlattr *attr,
+ struct ovs_key_nsh *nsh, struct ovs_key_nsh *nsh_mask)
+{
+ struct nlattr *a;
+ int rem;
+
+ /* validate_nsh has check this, so we needn't do duplicate check here
+ */
+ nla_for_each_nested(a, attr, rem) {
+ int type = nla_type(a);
+
+ switch (type) {
+ case OVS_NSH_KEY_ATTR_BASE: {
+ const struct ovs_nsh_key_base *base = nla_data(a);
+ const struct ovs_nsh_key_base *base_mask = base + 1;
+
+ nsh->base = *base;
+ nsh_mask->base = *base_mask;
+ break;
+ }
+ case OVS_NSH_KEY_ATTR_MD1: {
+ const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+ const struct ovs_nsh_key_md1 *md1_mask = md1 + 1;
+
+ memcpy(nsh->context, md1->context, sizeof(*md1));
+ memcpy(nsh_mask->context, md1_mask->context,
+ sizeof(*md1_mask));
+ break;
+ }
+ case OVS_NSH_KEY_ATTR_MD2:
+ /* Not supported yet */
+ return -ENOTSUPP;
+ default:
+ return -EINVAL;
+ }
+ }
+
+ return 0;
+}
+
+static int nsh_key_put_from_nlattr(const struct nlattr *attr,
+ struct sw_flow_match *match, bool is_mask,
+ bool is_push_nsh, bool log)
+{
+ struct nlattr *a;
+ int rem;
+ bool has_base = false;
+ bool has_md1 = false;
+ bool has_md2 = false;
+ u8 mdtype = 0;
+ int mdlen = 0;
+
+ if (WARN_ON(is_push_nsh && is_mask))
+ return -EINVAL;
+
+ nla_for_each_nested(a, attr, rem) {
+ int type = nla_type(a);
+ int i;
+
+ if (type > OVS_NSH_KEY_ATTR_MAX) {
+ OVS_NLERR(log, "nsh attr %d is out of range max %d",
+ type, OVS_NSH_KEY_ATTR_MAX);
+ return -EINVAL;
+ }
+
+ if (!check_attr_len(nla_len(a),
+ ovs_nsh_key_attr_lens[type].len)) {
+ OVS_NLERR(
+ log,
+ "nsh attr %d has unexpected len %d expected %d",
+ type,
+ nla_len(a),
+ ovs_nsh_key_attr_lens[type].len
+ );
+ return -EINVAL;
+ }
+
+ switch (type) {
+ case OVS_NSH_KEY_ATTR_BASE: {
+ const struct ovs_nsh_key_base *base = nla_data(a);
+
+ has_base = true;
+ mdtype = base->mdtype;
+ SW_FLOW_KEY_PUT(match, nsh.base.flags,
+ base->flags, is_mask);
+ SW_FLOW_KEY_PUT(match, nsh.base.ttl,
+ base->ttl, is_mask);
+ SW_FLOW_KEY_PUT(match, nsh.base.mdtype,
+ base->mdtype, is_mask);
+ SW_FLOW_KEY_PUT(match, nsh.base.np,
+ base->np, is_mask);
+ SW_FLOW_KEY_PUT(match, nsh.base.path_hdr,
+ base->path_hdr, is_mask);
+ break;
+ }
+ case OVS_NSH_KEY_ATTR_MD1: {
+ const struct ovs_nsh_key_md1 *md1 = nla_data(a);
+
+ has_md1 = true;
+ for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++)
+ SW_FLOW_KEY_PUT(match, nsh.context[i],
+ md1->context[i], is_mask);
+ break;
+ }
+ case OVS_NSH_KEY_ATTR_MD2:
+ if (!is_push_nsh) /* Not supported MD type 2 yet */
+ return -ENOTSUPP;
+
+ has_md2 = true;
+ mdlen = nla_len(a);
+ if (mdlen > NSH_CTX_HDRS_MAX_LEN || mdlen <= 0) {
+ OVS_NLERR(
+ log,
+ "Invalid MD length %d for MD type %d",
+ mdlen,
+ mdtype
+ );
+ return -EINVAL;
+ }
+ break;
+ default:
+ OVS_NLERR(log, "Unknown nsh attribute %d",
+ type);
+ return -EINVAL;
+ }
+ }
+
+ if (rem > 0) {
+ OVS_NLERR(log, "nsh attribute has %d unknown bytes.", rem);
+ return -EINVAL;
+ }
+
+ if (has_md1 && has_md2) {
+ OVS_NLERR(
+ 1,
+ "invalid nsh attribute: md1 and md2 are exclusive."
+ );
+ return -EINVAL;
+ }
+
+ if (!is_mask) {
+ if ((has_md1 && mdtype != NSH_M_TYPE1) ||
+ (has_md2 && mdtype != NSH_M_TYPE2)) {
+ OVS_NLERR(1, "nsh attribute has unmatched MD type %d.",
+ mdtype);
+ return -EINVAL;
+ }
+
+ if (is_push_nsh &&
+ (!has_base || (!has_md1 && !has_md2))) {
+ OVS_NLERR(
+ 1,
+ "push_nsh: missing base or metadata attributes"
+ );
+ return -EINVAL;
+ }
+ }
+
+ return 0;
+}
+
static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match,
u64 attrs, const struct nlattr **a,
bool is_mask, bool log)
@@ -1354,6 +1596,13 @@ static int ovs_key_from_nlattrs(struct net *net, struct sw_flow_match *match,
attrs &= ~(1 << OVS_KEY_ATTR_ARP);
}
+ if (attrs & (1 << OVS_KEY_ATTR_NSH)) {
+ if (nsh_key_put_from_nlattr(a[OVS_KEY_ATTR_NSH], match,
+ is_mask, false, log) < 0)
+ return -EINVAL;
+ attrs &= ~(1 << OVS_KEY_ATTR_NSH);
+ }
+
if (attrs & (1 << OVS_KEY_ATTR_MPLS)) {
const struct ovs_key_mpls *mpls_key;
@@ -1670,6 +1919,34 @@ static int ovs_nla_put_vlan(struct sk_buff *skb, const struct vlan_head *vh,
return 0;
}
+static int nsh_key_to_nlattr(const struct ovs_key_nsh *nsh, bool is_mask,
+ struct sk_buff *skb)
+{
+ struct nlattr *start;
+
+ start = nla_nest_start(skb, OVS_KEY_ATTR_NSH);
+ if (!start)
+ return -EMSGSIZE;
+
+ if (nla_put(skb, OVS_NSH_KEY_ATTR_BASE, sizeof(nsh->base), &nsh->base))
+ goto nla_put_failure;
+
+ if (is_mask || nsh->base.mdtype == NSH_M_TYPE1) {
+ if (nla_put(skb, OVS_NSH_KEY_ATTR_MD1,
+ sizeof(nsh->context), nsh->context))
+ goto nla_put_failure;
+ }
+
+ /* Don't support MD type 2 yet */
+
+ nla_nest_end(skb, start);
+
+ return 0;
+
+nla_put_failure:
+ return -EMSGSIZE;
+}
+
static int __ovs_nla_put_key(const struct sw_flow_key *swkey,
const struct sw_flow_key *output, bool is_mask,
struct sk_buff *skb)
@@ -1798,6 +2075,9 @@ static int __ovs_nla_put_key(const struct sw_flow_key *swkey,
ipv6_key->ipv6_tclass = output->ip.tos;
ipv6_key->ipv6_hlimit = output->ip.ttl;
ipv6_key->ipv6_frag = output->ip.frag;
+ } else if (swkey->eth.type == htons(ETH_P_NSH)) {
+ if (nsh_key_to_nlattr(&output->nsh, is_mask, skb))
+ goto nla_put_failure;
} else if (swkey->eth.type == htons(ETH_P_ARP) ||
swkey->eth.type == htons(ETH_P_RARP)) {
struct ovs_key_arp *arp_key;
@@ -2292,6 +2572,19 @@ static int validate_and_copy_set_tun(const struct nlattr *attr,
return err;
}
+static bool validate_nsh(const struct nlattr *attr, bool is_mask,
+ bool is_push_nsh, bool log)
+{
+ struct sw_flow_match match;
+ struct sw_flow_key key;
+ int ret = 0;
+
+ ovs_match_init(&match, &key, true, NULL);
+ ret = nsh_key_put_from_nlattr(attr, &match, is_mask,
+ is_push_nsh, log);
+ return !ret;
+}
+
/* Return false if there are any non-masked bits set.
* Mask follows data immediately, before any netlink padding.
*/
@@ -2434,6 +2727,11 @@ static int validate_set(const struct nlattr *a,
break;
+ case OVS_KEY_ATTR_NSH:
+ if (!validate_nsh(nla_data(a), masked, false, log))
+ return -EINVAL;
+ break;
+
default:
return -EINVAL;
}
@@ -2533,6 +2831,8 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
[OVS_ACTION_ATTR_TRUNC] = sizeof(struct ovs_action_trunc),
[OVS_ACTION_ATTR_PUSH_ETH] = sizeof(struct ovs_action_push_eth),
[OVS_ACTION_ATTR_POP_ETH] = 0,
+ [OVS_ACTION_ATTR_PUSH_NSH] = (u32)-1,
+ [OVS_ACTION_ATTR_POP_NSH] = 0,
};
const struct ovs_action_push_vlan *vlan;
int type = nla_type(a);
@@ -2690,6 +2990,19 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
mac_proto = MAC_PROTO_ETHERNET;
break;
+ case OVS_ACTION_ATTR_PUSH_NSH:
+ mac_proto = MAC_PROTO_NONE;
+ if (!validate_nsh(nla_data(a), false, true, true))
+ return -EINVAL;
+ break;
+
+ case OVS_ACTION_ATTR_POP_NSH:
+ if (key->nsh.base.np == TUN_P_ETHERNET)
+ mac_proto = MAC_PROTO_ETHERNET;
+ else
+ mac_proto = MAC_PROTO_NONE;
+ break;
+
default:
OVS_NLERR(log, "Unknown Action type %d", type);
return -EINVAL;
diff --git a/net/openvswitch/flow_netlink.h b/net/openvswitch/flow_netlink.h
index 929c665..6657606 100644
--- a/net/openvswitch/flow_netlink.h
+++ b/net/openvswitch/flow_netlink.h
@@ -79,4 +79,9 @@ int ovs_nla_put_actions(const struct nlattr *attr,
void ovs_nla_free_flow_actions(struct sw_flow_actions *);
void ovs_nla_free_flow_actions_rcu(struct sw_flow_actions *);
+int nsh_key_from_nlattr(const struct nlattr *attr, struct ovs_key_nsh *nsh,
+ struct ovs_key_nsh *nsh_mask);
+int nsh_hdr_from_nlattr(const struct nlattr *attr, struct nshhdr *nh,
+ size_t size);
+
#endif /* flow_netlink.h */
--
2.5.5
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-01 4:03 [PATCH net-next v15] openvswitch: enable NSH support Yi Yang
@ 2017-11-01 8:46 ` Jiri Benc
2017-11-01 15:21 ` Eric Garver
` (2 subsequent siblings)
3 siblings, 0 replies; 19+ messages in thread
From: Jiri Benc @ 2017-11-01 8:46 UTC (permalink / raw)
To: Yi Yang; +Cc: netdev, dev, e, pshelar, davem
On Wed, 1 Nov 2017 12:03:01 +0800, Yi Yang wrote:
> v14->v15
> - Check size in nsh_hdr_from_nlattr
> - Fixed four small issues pointed out By Jiri and Eric
Acked-by: Jiri Benc <jbenc@redhat.com>
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-01 4:03 [PATCH net-next v15] openvswitch: enable NSH support Yi Yang
2017-11-01 8:46 ` Jiri Benc
@ 2017-11-01 15:21 ` Eric Garver
2017-11-02 0:52 ` Pravin Shelar
[not found] ` <1509508981-66202-1-git-send-email-yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
3 siblings, 0 replies; 19+ messages in thread
From: Eric Garver @ 2017-11-01 15:21 UTC (permalink / raw)
To: Yi Yang; +Cc: netdev, dev, jbenc, pshelar, davem
On Wed, Nov 01, 2017 at 12:03:01PM +0800, Yi Yang wrote:
> v14->v15
> - Check size in nsh_hdr_from_nlattr
> - Fixed four small issues pointed out By Jiri and Eric
Thanks Yi.
Acked-by: Eric Garver <e@erig.me>
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-01 4:03 [PATCH net-next v15] openvswitch: enable NSH support Yi Yang
2017-11-01 8:46 ` Jiri Benc
2017-11-01 15:21 ` Eric Garver
@ 2017-11-02 0:52 ` Pravin Shelar
2017-11-02 2:50 ` Yang, Yi
[not found] ` <1509508981-66202-1-git-send-email-yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
3 siblings, 1 reply; 19+ messages in thread
From: Pravin Shelar @ 2017-11-02 0:52 UTC (permalink / raw)
To: Yi Yang
Cc: Linux Kernel Network Developers, ovs dev, Jiri Benc, Eric Garver,
David S. Miller
On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang@intel.com> wrote:
> v14->v15
> - Check size in nsh_hdr_from_nlattr
> - Fixed four small issues pointed out By Jiri and Eric
>
> v13->v14
> - Rename skb_push_nsh to nsh_push per Dave's comment
> - Rename skb_pop_nsh to nsh_pop per Dave's comment
>
> v12->v13
> - Fix NSH header length check in set_nsh
>
> v11->v12
> - Fix missing changes old comments pointed out
> - Fix new comments for v11
>
> v10->v11
> - Fix the left three disputable comments for v9
> but not fixed in v10.
>
> v9->v10
> - Change struct ovs_key_nsh to
> struct ovs_nsh_key_base base;
> __be32 context[NSH_MD1_CONTEXT_SIZE];
> - Fix new comments for v9
>
> v8->v9
> - Fix build error reported by daily intel build
> because nsh module isn't selected by openvswitch
>
> v7->v8
> - Rework nested value and mask for OVS_KEY_ATTR_NSH
> - Change pop_nsh to adapt to nsh kernel module
> - Fix many issues per comments from Jiri Benc
>
> v6->v7
> - Remove NSH GSO patches in v6 because Jiri Benc
> reworked it as another patch series and they have
> been merged.
> - Change it to adapt to nsh kernel module added by NSH
> GSO patch series
>
> v5->v6
> - Fix the rest comments for v4.
> - Add NSH GSO support for VxLAN-gpe + NSH and
> Eth + NSH.
>
> v4->v5
> - Fix many comments by Jiri Benc and Eric Garver
> for v4.
>
> v3->v4
> - Add new NSH match field ttl
> - Update NSH header to the latest format
> which will be final format and won't change
> per its author's confirmation.
> - Fix comments for v3.
>
> v2->v3
> - Change OVS_KEY_ATTR_NSH to nested key to handle
> length-fixed attributes and length-variable
> attriubte more flexibly.
> - Remove struct ovs_action_push_nsh completely
> - Add code to handle nested attribute for SET_MASKED
> - Change PUSH_NSH to use the nested OVS_KEY_ATTR_NSH
> to transfer NSH header data.
> - Fix comments and coding style issues by Jiri and Eric
>
> v1->v2
> - Change encap_nsh and decap_nsh to push_nsh and pop_nsh
> - Dynamically allocate struct ovs_action_push_nsh for
> length-variable metadata.
>
> OVS master and 2.8 branch has merged NSH userspace
> patch series, this patch is to enable NSH support
> in kernel data path in order that OVS can support
> NSH in compat mode by porting this.
>
> Signed-off-by: Yi Yang <yi.y.yang@intel.com>
> ---
I have comment related to checksum, otherwise patch looks good to me.
> include/net/nsh.h | 3 +
> include/uapi/linux/openvswitch.h | 29 ++++
> net/nsh/nsh.c | 59 ++++++++
> net/openvswitch/Kconfig | 1 +
> net/openvswitch/actions.c | 119 +++++++++++++++
> net/openvswitch/flow.c | 51 +++++++
> net/openvswitch/flow.h | 7 +
> net/openvswitch/flow_netlink.c | 315 ++++++++++++++++++++++++++++++++++++++-
> net/openvswitch/flow_netlink.h | 5 +
> 9 files changed, 588 insertions(+), 1 deletion(-)
>
...
> diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
> index 58fb827..2764682 100644
> --- a/net/nsh/nsh.c
> +++ b/net/nsh/nsh.c
> @@ -14,6 +14,65 @@
> #include <net/nsh.h>
> #include <net/tun_proto.h>
>
> +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
> +{
> + struct nshhdr *nh;
> + size_t length = nsh_hdr_len(pushed_nh);
> + u8 next_proto;
> +
> + if (skb->mac_len) {
> + next_proto = TUN_P_ETHERNET;
> + } else {
> + next_proto = tun_p_from_eth_p(skb->protocol);
> + if (!next_proto)
> + return -EAFNOSUPPORT;
> + }
> +
> + /* Add the NSH header */
> + if (skb_cow_head(skb, length) < 0)
> + return -ENOMEM;
> +
> + skb_push(skb, length);
> + nh = (struct nshhdr *)(skb->data);
> + memcpy(nh, pushed_nh, length);
> + nh->np = next_proto;
dont you need to update checksum for CHECKSUM_COMPLETE case?
> +
> + skb->protocol = htons(ETH_P_NSH);
> + skb_reset_mac_header(skb);
> + skb_reset_network_header(skb);
> + skb_reset_mac_len(skb);
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(nsh_push);
> +
> +int nsh_pop(struct sk_buff *skb)
> +{
> + struct nshhdr *nh;
> + size_t length;
> + __be16 inner_proto;
> +
> + if (!pskb_may_pull(skb, NSH_BASE_HDR_LEN))
> + return -ENOMEM;
> + nh = (struct nshhdr *)(skb->data);
> + length = nsh_hdr_len(nh);
> + inner_proto = tun_p_to_eth_p(nh->np);
> + if (!pskb_may_pull(skb, length))
> + return -ENOMEM;
> +
> + if (!inner_proto)
> + return -EAFNOSUPPORT;
> +
> + skb_pull(skb, length);
same as above, we need to update the checksum.
> + skb_reset_mac_header(skb);
> + skb_reset_network_header(skb);
> + skb_reset_mac_len(skb);
> + skb->protocol = inner_proto;
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(nsh_pop);
> +
> static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
> netdev_features_t features)
> {
...
> diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
> index a551232..dd1449d 100644
> --- a/net/openvswitch/actions.c
> +++ b/net/openvswitch/actions.c
...
> @@ -602,6 +640,67 @@ static int set_ipv6(struct sk_buff *skb, struct sw_flow_key *flow_key,
> return 0;
> }
>
> +static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
> + const struct nlattr *a)
> +{
> + struct nshhdr *nh;
> + size_t length;
> + int err;
> + u8 flags;
> + u8 ttl;
> + int i;
> +
> + struct ovs_key_nsh key;
> + struct ovs_key_nsh mask;
> +
> + err = nsh_key_from_nlattr(a, &key, &mask);
> + if (err)
> + return err;
> +
> + /* Make sure the NSH base header is there */
> + if (!pskb_may_pull(skb, skb_network_offset(skb) + NSH_BASE_HDR_LEN))
> + return -ENOMEM;
> +
> + nh = nsh_hdr(skb);
> + length = nsh_hdr_len(nh);
> +
> + /* Make sure the whole NSH header is there */
> + err = skb_ensure_writable(skb, skb_network_offset(skb) +
> + length);
> + if (unlikely(err))
> + return err;
> +
> + nh = nsh_hdr(skb);
> + flags = nsh_get_flags(nh);
> + flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
> + flow_key->nsh.base.flags = flags;
> + ttl = nsh_get_ttl(nh);
> + ttl = OVS_MASKED(ttl, key.base.ttl, mask.base.ttl);
> + flow_key->nsh.base.ttl = ttl;
> + nsh_set_flags_and_ttl(nh, flags, ttl);
> + nh->path_hdr = OVS_MASKED(nh->path_hdr, key.base.path_hdr,
> + mask.base.path_hdr);
> + flow_key->nsh.base.path_hdr = nh->path_hdr;
> + switch (nh->mdtype) {
> + case NSH_M_TYPE1:
> + for (i = 0; i < NSH_MD1_CONTEXT_SIZE; i++) {
> + nh->md1.context[i] =
> + OVS_MASKED(nh->md1.context[i], key.context[i],
> + mask.context[i]);
> + }
> + memcpy(flow_key->nsh.context, nh->md1.context,
> + sizeof(nh->md1.context));
> + break;
> + case NSH_M_TYPE2:
> + memset(flow_key->nsh.context, 0,
> + sizeof(flow_key->nsh.context));
> + break;
> + default:
> + return -EINVAL;
> + }
same as above need to fix checksum for CHECKSUM_COMPLETE case.
> + return 0;
> +}
> +
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-02 0:52 ` Pravin Shelar
@ 2017-11-02 2:50 ` Yang, Yi
2017-11-02 12:06 ` Pravin Shelar
0 siblings, 1 reply; 19+ messages in thread
From: Yang, Yi @ 2017-11-02 2:50 UTC (permalink / raw)
To: Pravin Shelar
Cc: Linux Kernel Network Developers, ovs dev, Jiri Benc, Eric Garver,
David S. Miller
On Thu, Nov 02, 2017 at 08:52:40AM +0800, Pravin Shelar wrote:
> On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang@intel.com> wrote:
> >
> > OVS master and 2.8 branch has merged NSH userspace
> > patch series, this patch is to enable NSH support
> > in kernel data path in order that OVS can support
> > NSH in compat mode by porting this.
> >
> > Signed-off-by: Yi Yang <yi.y.yang@intel.com>
> > ---
> I have comment related to checksum, otherwise patch looks good to me.
Pravin, thank you for your comments, the below part is incremental patch
for checksum, please help check it, I'll send out v16 with this after
you confirm.
diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
index 2764682..d7da99a 100644
--- a/net/nsh/nsh.c
+++ b/net/nsh/nsh.c
@@ -36,6 +36,7 @@ int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
nh = (struct nshhdr *)(skb->data);
memcpy(nh, pushed_nh, length);
nh->np = next_proto;
+ skb_postpush_rcsum(skb, nh, length);
skb->protocol = htons(ETH_P_NSH);
skb_reset_mac_header(skb);
@@ -63,7 +64,7 @@ int nsh_pop(struct sk_buff *skb)
if (!inner_proto)
return -EAFNOSUPPORT;
- skb_pull(skb, length);
+ skb_pull_rcsum(skb, length);
skb_reset_mac_header(skb);
skb_reset_network_header(skb);
skb_reset_mac_len(skb);
diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
index dd1449d..5ba0e35 100644
--- a/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -671,6 +671,7 @@ static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
return err;
nh = nsh_hdr(skb);
+ skb_postpull_rcsum(skb, nh, length);
flags = nsh_get_flags(nh);
flags = OVS_MASKED(flags, key.base.flags, mask.base.flags);
flow_key->nsh.base.flags = flags;
@@ -698,6 +699,7 @@ static int set_nsh(struct sk_buff *skb, struct sw_flow_key *flow_key,
default:
return -EINVAL;
}
+ skb_postpush_rcsum(skb, nh, length);
return 0;
}
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-02 2:50 ` Yang, Yi
@ 2017-11-02 12:06 ` Pravin Shelar
[not found] ` <CAOrHB_BaUS7WfisvX6G+450tEQ2skmsE0v-b27s-_21s25bigw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
0 siblings, 1 reply; 19+ messages in thread
From: Pravin Shelar @ 2017-11-02 12:06 UTC (permalink / raw)
To: Yang, Yi
Cc: Linux Kernel Network Developers, ovs dev, Jiri Benc, Eric Garver,
David S. Miller
On Wed, Nov 1, 2017 at 7:50 PM, Yang, Yi <yi.y.yang@intel.com> wrote:
> On Thu, Nov 02, 2017 at 08:52:40AM +0800, Pravin Shelar wrote:
>> On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang@intel.com> wrote:
>> >
>> > OVS master and 2.8 branch has merged NSH userspace
>> > patch series, this patch is to enable NSH support
>> > in kernel data path in order that OVS can support
>> > NSH in compat mode by porting this.
>> >
>> > Signed-off-by: Yi Yang <yi.y.yang@intel.com>
>> > ---
>> I have comment related to checksum, otherwise patch looks good to me.
>
> Pravin, thank you for your comments, the below part is incremental patch
> for checksum, please help check it, I'll send out v16 with this after
> you confirm.
>
This change looks good to me.
I noticed couple of more issues.
1. Can you move the ovs_key_nsh to the union of ipv4 an ipv6?
ipv4/ipv6/nsh key data is mutually exclusive so there is no need for
separate space for nsh key in the ovs key.
2. We need to fix match_validate() with nsh check. Datapath can not
allow any l3 or l4 match if the flow key contains nsh match and
vice-versa. such flow key should be rejected.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
[not found] ` <CAOrHB_BaUS7WfisvX6G+450tEQ2skmsE0v-b27s-_21s25bigw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2017-11-02 12:09 ` Yang, Yi
2017-11-03 1:40 ` Yang, Yi
1 sibling, 0 replies; 19+ messages in thread
From: Yang, Yi @ 2017-11-02 12:09 UTC (permalink / raw)
To: Pravin Shelar
Cc: ovs dev, Linux Kernel Network Developers, Eric Garver, Jiri Benc,
David S. Miller
On Thu, Nov 02, 2017 at 05:06:47AM -0700, Pravin Shelar wrote:
> On Wed, Nov 1, 2017 at 7:50 PM, Yang, Yi <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> > On Thu, Nov 02, 2017 at 08:52:40AM +0800, Pravin Shelar wrote:
> >> On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> >> >
> >> > OVS master and 2.8 branch has merged NSH userspace
> >> > patch series, this patch is to enable NSH support
> >> > in kernel data path in order that OVS can support
> >> > NSH in compat mode by porting this.
> >> >
> >> > Signed-off-by: Yi Yang <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> >> > ---
> >> I have comment related to checksum, otherwise patch looks good to me.
> >
> > Pravin, thank you for your comments, the below part is incremental patch
> > for checksum, please help check it, I'll send out v16 with this after
> > you confirm.
> >
> This change looks good to me.
> I noticed couple of more issues.
> 1. Can you move the ovs_key_nsh to the union of ipv4 an ipv6?
> ipv4/ipv6/nsh key data is mutually exclusive so there is no need for
> separate space for nsh key in the ovs key.
> 2. We need to fix match_validate() with nsh check. Datapath can not
> allow any l3 or l4 match if the flow key contains nsh match and
> vice-versa. such flow key should be rejected.
Ok, I'll fix them ASAP.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
[not found] ` <CAOrHB_BaUS7WfisvX6G+450tEQ2skmsE0v-b27s-_21s25bigw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-02 12:09 ` Yang, Yi
@ 2017-11-03 1:40 ` Yang, Yi
2017-11-04 12:30 ` Pravin Shelar
1 sibling, 1 reply; 19+ messages in thread
From: Yang, Yi @ 2017-11-03 1:40 UTC (permalink / raw)
To: Pravin Shelar
Cc: ovs dev, Linux Kernel Network Developers, Eric Garver, Jiri Benc,
David S. Miller
On Thu, Nov 02, 2017 at 05:06:47AM -0700, Pravin Shelar wrote:
> On Wed, Nov 1, 2017 at 7:50 PM, Yang, Yi <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> > On Thu, Nov 02, 2017 at 08:52:40AM +0800, Pravin Shelar wrote:
> >> On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> >> >
> >> > OVS master and 2.8 branch has merged NSH userspace
> >> > patch series, this patch is to enable NSH support
> >> > in kernel data path in order that OVS can support
> >> > NSH in compat mode by porting this.
> >> >
> >> > Signed-off-by: Yi Yang <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
> >> > ---
> >> I have comment related to checksum, otherwise patch looks good to me.
> >
> > Pravin, thank you for your comments, the below part is incremental patch
> > for checksum, please help check it, I'll send out v16 with this after
> > you confirm.
> >
> This change looks good to me.
> I noticed couple of more issues.
> 1. Can you move the ovs_key_nsh to the union of ipv4 an ipv6?
> ipv4/ipv6/nsh key data is mutually exclusive so there is no need for
> separate space for nsh key in the ovs key.
> 2. We need to fix match_validate() with nsh check. Datapath can not
> allow any l3 or l4 match if the flow key contains nsh match and
> vice-versa. such flow key should be rejected.
Pravin, the below incremental patch should fix the issues you pionted
out, please help confirm/ack, then I'll send out v16 with all acks
from you all for merge. BTW, it has been verified in my sfc test
environment.
diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h
index 8eeae749..c670dd2 100644
--- a/net/openvswitch/flow.h
+++ b/net/openvswitch/flow.h
@@ -149,8 +149,8 @@ struct sw_flow_key {
} nd;
};
} ipv6;
+ struct ovs_key_nsh nsh; /* network service header */
};
- struct ovs_key_nsh nsh; /* network service header */
struct {
/* Connection tracking fields not packed above. */
struct {
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index 0d7d4ae..090103c 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -178,7 +178,8 @@ static bool match_validate(const struct sw_flow_match *match,
| (1 << OVS_KEY_ATTR_ICMPV6)
| (1 << OVS_KEY_ATTR_ARP)
| (1 << OVS_KEY_ATTR_ND)
- | (1 << OVS_KEY_ATTR_MPLS));
+ | (1 << OVS_KEY_ATTR_MPLS)
+ | (1 << OVS_KEY_ATTR_NSH));
/* Always allowed mask fields. */
mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL)
@@ -287,6 +288,14 @@ static bool match_validate(const struct sw_flow_match *match,
}
}
+ if (match->key->eth.type == htons(ETH_P_NSH)) {
+ key_expected |= 1 << OVS_KEY_ATTR_NSH;
+ if (match->mask &&
+ match->mask->key.eth.type == htons(0xffff)) {
+ mask_allowed |= 1 << OVS_KEY_ATTR_NSH;
+ }
+ }
+
if ((key_attrs & key_expected) != key_expected) {
/* Key attributes check failed. */
OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)",
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-03 1:40 ` Yang, Yi
@ 2017-11-04 12:30 ` Pravin Shelar
0 siblings, 0 replies; 19+ messages in thread
From: Pravin Shelar @ 2017-11-04 12:30 UTC (permalink / raw)
To: Yang, Yi
Cc: Linux Kernel Network Developers, ovs dev, Jiri Benc, Eric Garver,
David S. Miller
On Thu, Nov 2, 2017 at 6:40 PM, Yang, Yi <yi.y.yang@intel.com> wrote:
> On Thu, Nov 02, 2017 at 05:06:47AM -0700, Pravin Shelar wrote:
>> On Wed, Nov 1, 2017 at 7:50 PM, Yang, Yi <yi.y.yang@intel.com> wrote:
>> > On Thu, Nov 02, 2017 at 08:52:40AM +0800, Pravin Shelar wrote:
>> >> On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang@intel.com> wrote:
>> >> >
>> >> > OVS master and 2.8 branch has merged NSH userspace
>> >> > patch series, this patch is to enable NSH support
>> >> > in kernel data path in order that OVS can support
>> >> > NSH in compat mode by porting this.
>> >> >
>> >> > Signed-off-by: Yi Yang <yi.y.yang@intel.com>
>> >> > ---
>> >> I have comment related to checksum, otherwise patch looks good to me.
>> >
>> > Pravin, thank you for your comments, the below part is incremental patch
>> > for checksum, please help check it, I'll send out v16 with this after
>> > you confirm.
>> >
>> This change looks good to me.
>> I noticed couple of more issues.
>> 1. Can you move the ovs_key_nsh to the union of ipv4 an ipv6?
>> ipv4/ipv6/nsh key data is mutually exclusive so there is no need for
>> separate space for nsh key in the ovs key.
>> 2. We need to fix match_validate() with nsh check. Datapath can not
>> allow any l3 or l4 match if the flow key contains nsh match and
>> vice-versa. such flow key should be rejected.
>
> Pravin, the below incremental patch should fix the issues you pionted
> out, please help confirm/ack, then I'll send out v16 with all acks
> from you all for merge. BTW, it has been verified in my sfc test
> environment.
>
Following patch looks good to me. But I think we needs similar
eth_type check for nsh set action in validate_set() and in
__ovs_nla_copy_actions() for NSH_POP action.
Can you send patch with all changes?
Thanks.
> diff --git a/net/openvswitch/flow.h b/net/openvswitch/flow.h
> index 8eeae749..c670dd2 100644
> --- a/net/openvswitch/flow.h
> +++ b/net/openvswitch/flow.h
> @@ -149,8 +149,8 @@ struct sw_flow_key {
> } nd;
> };
> } ipv6;
> + struct ovs_key_nsh nsh; /* network service header */
> };
> - struct ovs_key_nsh nsh; /* network service header */
> struct {
> /* Connection tracking fields not packed above. */
> struct {
> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
> index 0d7d4ae..090103c 100644
> --- a/net/openvswitch/flow_netlink.c
> +++ b/net/openvswitch/flow_netlink.c
> @@ -178,7 +178,8 @@ static bool match_validate(const struct sw_flow_match *match,
> | (1 << OVS_KEY_ATTR_ICMPV6)
> | (1 << OVS_KEY_ATTR_ARP)
> | (1 << OVS_KEY_ATTR_ND)
> - | (1 << OVS_KEY_ATTR_MPLS));
> + | (1 << OVS_KEY_ATTR_MPLS)
> + | (1 << OVS_KEY_ATTR_NSH));
>
> /* Always allowed mask fields. */
> mask_allowed |= ((1 << OVS_KEY_ATTR_TUNNEL)
> @@ -287,6 +288,14 @@ static bool match_validate(const struct sw_flow_match *match,
> }
> }
>
> + if (match->key->eth.type == htons(ETH_P_NSH)) {
> + key_expected |= 1 << OVS_KEY_ATTR_NSH;
> + if (match->mask &&
> + match->mask->key.eth.type == htons(0xffff)) {
> + mask_allowed |= 1 << OVS_KEY_ATTR_NSH;
> + }
> + }
> +
> if ((key_attrs & key_expected) != key_expected) {
> /* Key attributes check failed. */
> OVS_NLERR(log, "Missing key (keys=%llx, expected=%llx)",
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
[not found] ` <1509508981-66202-1-git-send-email-yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
@ 2017-11-04 14:29 ` Pravin Shelar
2017-11-06 4:19 ` Yang, Yi
[not found] ` <CAOrHB_COGWb78kN70QFKgA3w5v3zasAW=TJbzoE5zZYKao_GvA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
0 siblings, 2 replies; 19+ messages in thread
From: Pravin Shelar @ 2017-11-04 14:29 UTC (permalink / raw)
To: Yi Yang
Cc: ovs dev, Linux Kernel Network Developers, Eric Garver, Jiri Benc,
David S. Miller
On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> v14->v15
> - Check size in nsh_hdr_from_nlattr
> - Fixed four small issues pointed out By Jiri and Eric
>
> v13->v14
> - Rename skb_push_nsh to nsh_push per Dave's comment
> - Rename skb_pop_nsh to nsh_pop per Dave's comment
>
> v12->v13
> - Fix NSH header length check in set_nsh
>
> v11->v12
> - Fix missing changes old comments pointed out
> - Fix new comments for v11
>
> v10->v11
> - Fix the left three disputable comments for v9
> but not fixed in v10.
>
> v9->v10
> - Change struct ovs_key_nsh to
> struct ovs_nsh_key_base base;
> __be32 context[NSH_MD1_CONTEXT_SIZE];
> - Fix new comments for v9
>
> v8->v9
> - Fix build error reported by daily intel build
> because nsh module isn't selected by openvswitch
>
> v7->v8
> - Rework nested value and mask for OVS_KEY_ATTR_NSH
> - Change pop_nsh to adapt to nsh kernel module
> - Fix many issues per comments from Jiri Benc
>
> v6->v7
> - Remove NSH GSO patches in v6 because Jiri Benc
> reworked it as another patch series and they have
> been merged.
> - Change it to adapt to nsh kernel module added by NSH
> GSO patch series
>
> v5->v6
> - Fix the rest comments for v4.
> - Add NSH GSO support for VxLAN-gpe + NSH and
> Eth + NSH.
>
> v4->v5
> - Fix many comments by Jiri Benc and Eric Garver
> for v4.
>
> v3->v4
> - Add new NSH match field ttl
> - Update NSH header to the latest format
> which will be final format and won't change
> per its author's confirmation.
> - Fix comments for v3.
>
> v2->v3
> - Change OVS_KEY_ATTR_NSH to nested key to handle
> length-fixed attributes and length-variable
> attriubte more flexibly.
> - Remove struct ovs_action_push_nsh completely
> - Add code to handle nested attribute for SET_MASKED
> - Change PUSH_NSH to use the nested OVS_KEY_ATTR_NSH
> to transfer NSH header data.
> - Fix comments and coding style issues by Jiri and Eric
>
> v1->v2
> - Change encap_nsh and decap_nsh to push_nsh and pop_nsh
> - Dynamically allocate struct ovs_action_push_nsh for
> length-variable metadata.
>
> OVS master and 2.8 branch has merged NSH userspace
> patch series, this patch is to enable NSH support
> in kernel data path in order that OVS can support
> NSH in compat mode by porting this.
>
> Signed-off-by: Yi Yang <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
As commented earlier following are action related validations that can
be moved to flow install phase.
> ---
> include/net/nsh.h | 3 +
> include/uapi/linux/openvswitch.h | 29 ++++
> net/nsh/nsh.c | 59 ++++++++
> net/openvswitch/Kconfig | 1 +
> net/openvswitch/actions.c | 119 +++++++++++++++
> net/openvswitch/flow.c | 51 +++++++
> net/openvswitch/flow.h | 7 +
> net/openvswitch/flow_netlink.c | 315 ++++++++++++++++++++++++++++++++++++++-
> net/openvswitch/flow_netlink.h | 5 +
> 9 files changed, 588 insertions(+), 1 deletion(-)
>
...
> diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
> index 58fb827..2764682 100644
> --- a/net/nsh/nsh.c
> +++ b/net/nsh/nsh.c
> @@ -14,6 +14,65 @@
> #include <net/nsh.h>
> #include <net/tun_proto.h>
>
> +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
> +{
> + struct nshhdr *nh;
> + size_t length = nsh_hdr_len(pushed_nh);
> + u8 next_proto;
> +
> + if (skb->mac_len) {
> + next_proto = TUN_P_ETHERNET;
> + } else {
> + next_proto = tun_p_from_eth_p(skb->protocol);
> + if (!next_proto)
> + return -EAFNOSUPPORT;
check for supported protocols can be moved to flow install validation
in __ovs_nla_copy_actions().
> + }
> +
> + /* Add the NSH header */
> + if (skb_cow_head(skb, length) < 0)
> + return -ENOMEM;
> +
> + skb_push(skb, length);
> + nh = (struct nshhdr *)(skb->data);
> + memcpy(nh, pushed_nh, length);
> + nh->np = next_proto;
> +
> + skb->protocol = htons(ETH_P_NSH);
> + skb_reset_mac_header(skb);
> + skb_reset_network_header(skb);
> + skb_reset_mac_len(skb);
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(nsh_push);
> +
> +int nsh_pop(struct sk_buff *skb)
> +{
> + struct nshhdr *nh;
> + size_t length;
> + __be16 inner_proto;
> +
> + if (!pskb_may_pull(skb, NSH_BASE_HDR_LEN))
> + return -ENOMEM;
> + nh = (struct nshhdr *)(skb->data);
> + length = nsh_hdr_len(nh);
> + inner_proto = tun_p_to_eth_p(nh->np);
same as above, this check can be moved to flow install __ovs_nla_copy_actions().
> + if (!pskb_may_pull(skb, length))
> + return -ENOMEM;
> +
> + if (!inner_proto)
> + return -EAFNOSUPPORT;
> +
> + skb_pull(skb, length);
> + skb_reset_mac_header(skb);
> + skb_reset_network_header(skb);
> + skb_reset_mac_len(skb);
> + skb->protocol = inner_proto;
> +
> + return 0;
> +}
> +EXPORT_SYMBOL_GPL(nsh_pop);
> +
...
> diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
> index a551232..dd1449d 100644
> --- a/net/openvswitch/actions.c
> +++ b/net/openvswitch/actions.c
...
> +static int pop_nsh(struct sk_buff *skb, struct sw_flow_key *key)
> +{
> + int err;
> +
> + if (ovs_key_mac_proto(key) != MAC_PROTO_NONE ||
> + skb->protocol != htons(ETH_P_NSH)) {
> + return -EINVAL;
> + }
> +
These checks can be moved to flow install.
> + err = nsh_pop(skb);
> + if (err)
> + return err;
> +
> + /* safe right before invalidate_flow_key */
> + if (skb->protocol == htons(ETH_P_TEB))
> + key->mac_proto = MAC_PROTO_ETHERNET;
> + else
> + key->mac_proto = MAC_PROTO_NONE;
> + invalidate_flow_key(key);
> + return 0;
> +}
> +
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-04 14:29 ` Pravin Shelar
@ 2017-11-06 4:19 ` Yang, Yi
2017-11-06 12:09 ` Pravin Shelar
[not found] ` <CAOrHB_COGWb78kN70QFKgA3w5v3zasAW=TJbzoE5zZYKao_GvA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
1 sibling, 1 reply; 19+ messages in thread
From: Yang, Yi @ 2017-11-06 4:19 UTC (permalink / raw)
To: Pravin Shelar
Cc: Linux Kernel Network Developers, ovs dev, Jiri Benc, Eric Garver,
David S. Miller
On Sat, Nov 04, 2017 at 10:29:46PM +0800, Pravin Shelar wrote:
> On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang@intel.com> wrote:
> > +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
> > +{
> > + struct nshhdr *nh;
> > + size_t length = nsh_hdr_len(pushed_nh);
> > + u8 next_proto;
> > +
> > + if (skb->mac_len) {
> > + next_proto = TUN_P_ETHERNET;
> > + } else {
> > + next_proto = tun_p_from_eth_p(skb->protocol);
> > + if (!next_proto)
> > + return -EAFNOSUPPORT;
> check for supported protocols can be moved to flow install validation
> in __ovs_nla_copy_actions().
>
> > + }
> > +
> > + /* Add the NSH header */
> > + if (skb_cow_head(skb, length) < 0)
> > + return -ENOMEM;
> > +
> > + skb_push(skb, length);
> > + nh = (struct nshhdr *)(skb->data);
> > + memcpy(nh, pushed_nh, length);
> > + nh->np = next_proto;
> > +
> > + skb->protocol = htons(ETH_P_NSH);
> > + skb_reset_mac_header(skb);
> > + skb_reset_network_header(skb);
> > + skb_reset_mac_len(skb);
> > +
> > + return 0;
> > +}
> > +EXPORT_SYMBOL_GPL(nsh_push);
> > +
> > +int nsh_pop(struct sk_buff *skb)
> > +{
> > + struct nshhdr *nh;
> > + size_t length;
> > + __be16 inner_proto;
> > +
> > + if (!pskb_may_pull(skb, NSH_BASE_HDR_LEN))
> > + return -ENOMEM;
> > + nh = (struct nshhdr *)(skb->data);
> > + length = nsh_hdr_len(nh);
> > + inner_proto = tun_p_to_eth_p(nh->np);
> same as above, this check can be moved to flow install __ovs_nla_copy_actions().
Pravin, these two functions are not only for OVS, you can see it is
net/nsh/nsh.c, Jiri and Eric mentioned they also could be used by TC.
I understand you expect some checks should be moved to slow path, but
for there two cases, we can't remove them into __ovs_nla_copy_actions.
>
> > + if (!pskb_may_pull(skb, length))
> > + return -ENOMEM;
> > +
> > + if (!inner_proto)
> > + return -EAFNOSUPPORT;
> > +
> > + skb_pull(skb, length);
> > + skb_reset_mac_header(skb);
> > + skb_reset_network_header(skb);
> > + skb_reset_mac_len(skb);
> > + skb->protocol = inner_proto;
> > +
> > + return 0;
> > +}
> > +EXPORT_SYMBOL_GPL(nsh_pop);
> > +
> ...
> > diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c
> > index a551232..dd1449d 100644
> > --- a/net/openvswitch/actions.c
> > +++ b/net/openvswitch/actions.c
> ...
> > +static int pop_nsh(struct sk_buff *skb, struct sw_flow_key *key)
> > +{
> > + int err;
> > +
> > + if (ovs_key_mac_proto(key) != MAC_PROTO_NONE ||
> > + skb->protocol != htons(ETH_P_NSH)) {
> > + return -EINVAL;
> > + }
> > +
> These checks can be moved to flow install.
Done in v16, here is incremental patch. I have sent out v16.
diff -u b/net/openvswitch/actions.c b/net/openvswitch/actions.c
--- b/net/openvswitch/actions.c
+++ b/net/openvswitch/actions.c
@@ -400,11 +400,6 @@
{
int err;
- if (ovs_key_mac_proto(key) != MAC_PROTO_NONE ||
- skb->protocol != htons(ETH_P_NSH)) {
- return -EINVAL;
- }
-
err = nsh_pop(skb);
if (err)
return err;
diff -u b/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
--- b/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -2737,6 +2737,8 @@
break;
case OVS_KEY_ATTR_NSH:
+ if (eth_type != htons(ETH_P_NSH))
+ return -EINVAL;
if (!validate_nsh(nla_data(a), masked, false, log))
return -EINVAL;
break;
@@ -3006,6 +3008,8 @@
break;
case OVS_ACTION_ATTR_POP_NSH:
+ if (eth_type != htons(ETH_P_NSH))
+ return -EINVAL;
if (key->nsh.base.np == TUN_P_ETHERNET)
mac_proto = MAC_PROTO_ETHERNET;
else
>
> > + err = nsh_pop(skb);
> > + if (err)
> > + return err;
> > +
> > + /* safe right before invalidate_flow_key */
> > + if (skb->protocol == htons(ETH_P_TEB))
> > + key->mac_proto = MAC_PROTO_ETHERNET;
> > + else
> > + key->mac_proto = MAC_PROTO_NONE;
> > + invalidate_flow_key(key);
> > + return 0;
> > +}
> > +
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-06 4:19 ` Yang, Yi
@ 2017-11-06 12:09 ` Pravin Shelar
0 siblings, 0 replies; 19+ messages in thread
From: Pravin Shelar @ 2017-11-06 12:09 UTC (permalink / raw)
To: Yang, Yi
Cc: Linux Kernel Network Developers, ovs dev, Jiri Benc, Eric Garver,
David S. Miller
On Sun, Nov 5, 2017 at 8:19 PM, Yang, Yi <yi.y.yang@intel.com> wrote:
> On Sat, Nov 04, 2017 at 10:29:46PM +0800, Pravin Shelar wrote:
>> On Tue, Oct 31, 2017 at 9:03 PM, Yi Yang <yi.y.yang@intel.com> wrote:
>> > +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
>> > +{
>> > + struct nshhdr *nh;
>> > + size_t length = nsh_hdr_len(pushed_nh);
>> > + u8 next_proto;
>> > +
>> > + if (skb->mac_len) {
>> > + next_proto = TUN_P_ETHERNET;
>> > + } else {
>> > + next_proto = tun_p_from_eth_p(skb->protocol);
>> > + if (!next_proto)
>> > + return -EAFNOSUPPORT;
>> check for supported protocols can be moved to flow install validation
>> in __ovs_nla_copy_actions().
>>
>> > + }
>> > +
>> > + /* Add the NSH header */
>> > + if (skb_cow_head(skb, length) < 0)
>> > + return -ENOMEM;
>> > +
>> > + skb_push(skb, length);
>> > + nh = (struct nshhdr *)(skb->data);
>> > + memcpy(nh, pushed_nh, length);
>> > + nh->np = next_proto;
>> > +
>> > + skb->protocol = htons(ETH_P_NSH);
>> > + skb_reset_mac_header(skb);
>> > + skb_reset_network_header(skb);
>> > + skb_reset_mac_len(skb);
>> > +
>> > + return 0;
>> > +}
>> > +EXPORT_SYMBOL_GPL(nsh_push);
>> > +
>> > +int nsh_pop(struct sk_buff *skb)
>> > +{
>> > + struct nshhdr *nh;
>> > + size_t length;
>> > + __be16 inner_proto;
>> > +
>> > + if (!pskb_may_pull(skb, NSH_BASE_HDR_LEN))
>> > + return -ENOMEM;
>> > + nh = (struct nshhdr *)(skb->data);
>> > + length = nsh_hdr_len(nh);
>> > + inner_proto = tun_p_to_eth_p(nh->np);
>> same as above, this check can be moved to flow install __ovs_nla_copy_actions().
>
> Pravin, these two functions are not only for OVS, you can see it is
> net/nsh/nsh.c, Jiri and Eric mentioned they also could be used by TC.
>
I think it can be easily done by other caller of these function, or
you can refactor the APIs itself.
> I understand you expect some checks should be moved to slow path, but
> for there two cases, we can't remove them into __ovs_nla_copy_actions.
>
It is not just about optimization, but having these check in flow
install allows OVS userspace to probe level of NSH support in
datapath.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
[not found] ` <CAOrHB_COGWb78kN70QFKgA3w5v3zasAW=TJbzoE5zZYKao_GvA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2017-11-06 12:22 ` Jiri Benc
[not found] ` <20171106132248.6fa4c5a0-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
0 siblings, 1 reply; 19+ messages in thread
From: Jiri Benc @ 2017-11-06 12:22 UTC (permalink / raw)
To: Pravin Shelar
Cc: Linux Kernel Network Developers, Eric Garver, ovs dev, David S. Miller
On Sat, 4 Nov 2017 07:29:46 -0700, Pravin Shelar wrote:
> > +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
> > +{
> > + struct nshhdr *nh;
> > + size_t length = nsh_hdr_len(pushed_nh);
> > + u8 next_proto;
> > +
> > + if (skb->mac_len) {
> > + next_proto = TUN_P_ETHERNET;
> > + } else {
> > + next_proto = tun_p_from_eth_p(skb->protocol);
> > + if (!next_proto)
> > + return -EAFNOSUPPORT;
> check for supported protocols can be moved to flow install validation
> in __ovs_nla_copy_actions().
You mean the check for !next_proto? It needs to be present for
correctness of nsh_push. This function has to be self contained, it
will be used by more callers than opevswitch, namely tc.
It's actually not so much a check for "supported protocols", it's
rather a check of return value of a function that converts ethertype to
a 1 byte tunnel type. Blindly using a result of a function that may
return error would be wrong. Openvswitch is free to perform additional
checks but this needs to stay.
> > +int nsh_pop(struct sk_buff *skb)
> > +{
> > + struct nshhdr *nh;
> > + size_t length;
> > + __be16 inner_proto;
> > +
> > + if (!pskb_may_pull(skb, NSH_BASE_HDR_LEN))
> > + return -ENOMEM;
> > + nh = (struct nshhdr *)(skb->data);
> > + length = nsh_hdr_len(nh);
> > + inner_proto = tun_p_to_eth_p(nh->np);
> same as above, this check can be moved to flow install __ovs_nla_copy_actions().
There's no check here.
> > + if (!pskb_may_pull(skb, length))
> > + return -ENOMEM;
> > +
> > + if (!inner_proto)
> > + return -EAFNOSUPPORT;
Did you mean this one instead? Then see above, this has to stay.
Jiri
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
[not found] ` <20171106132248.6fa4c5a0-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
@ 2017-11-07 10:57 ` Pravin Shelar
2017-11-07 11:28 ` Yang, Yi
0 siblings, 1 reply; 19+ messages in thread
From: Pravin Shelar @ 2017-11-07 10:57 UTC (permalink / raw)
To: Jiri Benc
Cc: Linux Kernel Network Developers, Eric Garver, ovs dev, David S. Miller
On Mon, Nov 6, 2017 at 4:22 AM, Jiri Benc <jbenc-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> On Sat, 4 Nov 2017 07:29:46 -0700, Pravin Shelar wrote:
>> > +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
>> > +{
>> > + struct nshhdr *nh;
>> > + size_t length = nsh_hdr_len(pushed_nh);
>> > + u8 next_proto;
>> > +
>> > + if (skb->mac_len) {
>> > + next_proto = TUN_P_ETHERNET;
>> > + } else {
>> > + next_proto = tun_p_from_eth_p(skb->protocol);
>> > + if (!next_proto)
>> > + return -EAFNOSUPPORT;
>> check for supported protocols can be moved to flow install validation
>> in __ovs_nla_copy_actions().
>
> You mean the check for !next_proto? It needs to be present for
> correctness of nsh_push. This function has to be self contained, it
> will be used by more callers than opevswitch, namely tc.
>
> It's actually not so much a check for "supported protocols", it's
> rather a check of return value of a function that converts ethertype to
> a 1 byte tunnel type. Blindly using a result of a function that may
> return error would be wrong. Openvswitch is free to perform additional
> checks but this needs to stay.
>
I am not disputing validity of the checks, but it could be done at
flow install phase.
For other use case we could refactor code. If it is too complex, I am
fine with duplicate code that check the protocol in flow install for
now.
>> > +int nsh_pop(struct sk_buff *skb)
>> > +{
>> > + struct nshhdr *nh;
>> > + size_t length;
>> > + __be16 inner_proto;
>> > +
>> > + if (!pskb_may_pull(skb, NSH_BASE_HDR_LEN))
>> > + return -ENOMEM;
>> > + nh = (struct nshhdr *)(skb->data);
>> > + length = nsh_hdr_len(nh);
>> > + inner_proto = tun_p_to_eth_p(nh->np);
>> same as above, this check can be moved to flow install __ovs_nla_copy_actions().
>
> There's no check here.
>
>> > + if (!pskb_may_pull(skb, length))
>> > + return -ENOMEM;
>> > +
>> > + if (!inner_proto)
>> > + return -EAFNOSUPPORT;
>
> Did you mean this one instead? Then see above, this has to stay.
>
> Jiri
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-07 10:57 ` Pravin Shelar
@ 2017-11-07 11:28 ` Yang, Yi
[not found] ` <20171107112833.GA56179-re2EX8HDrk21gSHoDXDV2kEOCMrvLtNR@public.gmane.org>
0 siblings, 1 reply; 19+ messages in thread
From: Yang, Yi @ 2017-11-07 11:28 UTC (permalink / raw)
To: Pravin Shelar
Cc: Jiri Benc, Linux Kernel Network Developers, ovs dev, Eric Garver,
David S. Miller
On Tue, Nov 07, 2017 at 06:57:30PM +0800, Pravin Shelar wrote:
> On Mon, Nov 6, 2017 at 4:22 AM, Jiri Benc <jbenc@redhat.com> wrote:
> > On Sat, 4 Nov 2017 07:29:46 -0700, Pravin Shelar wrote:
> >> > +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
> >> > +{
> >> > + struct nshhdr *nh;
> >> > + size_t length = nsh_hdr_len(pushed_nh);
> >> > + u8 next_proto;
> >> > +
> >> > + if (skb->mac_len) {
> >> > + next_proto = TUN_P_ETHERNET;
> >> > + } else {
> >> > + next_proto = tun_p_from_eth_p(skb->protocol);
> >> > + if (!next_proto)
> >> > + return -EAFNOSUPPORT;
> >> check for supported protocols can be moved to flow install validation
> >> in __ovs_nla_copy_actions().
> >
> > You mean the check for !next_proto? It needs to be present for
> > correctness of nsh_push. This function has to be self contained, it
> > will be used by more callers than opevswitch, namely tc.
> >
> > It's actually not so much a check for "supported protocols", it's
> > rather a check of return value of a function that converts ethertype to
> > a 1 byte tunnel type. Blindly using a result of a function that may
> > return error would be wrong. Openvswitch is free to perform additional
> > checks but this needs to stay.
> >
> I am not disputing validity of the checks, but it could be done at
> flow install phase.
> For other use case we could refactor code. If it is too complex, I am
> fine with duplicate code that check the protocol in flow install for
> now.
Ok, I'll add check code in __ovs_nla_copy_actions for both nsh_push and
nsh_pop, but how can we get value of skb->protocol in
__ovs_nla_copy_actions? Is it argument eth_type of
__ovs_nla_copy_actions?
>
> >> > +int nsh_pop(struct sk_buff *skb)
> >> > +{
> >> > + struct nshhdr *nh;
> >> > + size_t length;
> >> > + __be16 inner_proto;
> >> > +
> >> > + if (!pskb_may_pull(skb, NSH_BASE_HDR_LEN))
> >> > + return -ENOMEM;
> >> > + nh = (struct nshhdr *)(skb->data);
> >> > + length = nsh_hdr_len(nh);
> >> > + inner_proto = tun_p_to_eth_p(nh->np);
> >> same as above, this check can be moved to flow install __ovs_nla_copy_actions().
> >
> > There's no check here.
> >
> >> > + if (!pskb_may_pull(skb, length))
> >> > + return -ENOMEM;
> >> > +
> >> > + if (!inner_proto)
> >> > + return -EAFNOSUPPORT;
> >
> > Did you mean this one instead? Then see above, this has to stay.
> >
> > Jiri
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
[not found] ` <CAOrHB_D2khYGGJxNA8hpE4Qnhm7ONKrH=kcNteV=iYWLRnaGHQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
@ 2017-11-07 11:55 ` Yang, Yi
2017-11-07 13:01 ` Pravin Shelar
0 siblings, 1 reply; 19+ messages in thread
From: Yang, Yi @ 2017-11-07 11:55 UTC (permalink / raw)
To: Pravin Shelar
Cc: ovs dev, Linux Kernel Network Developers, Eric Garver, Jiri Benc,
David S. Miller
On Tue, Nov 07, 2017 at 03:58:35AM -0800, Pravin Shelar wrote:
> On Tue, Nov 7, 2017 at 3:28 AM, Yang, Yi <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> > On Tue, Nov 07, 2017 at 06:57:30PM +0800, Pravin Shelar wrote:
> >> On Mon, Nov 6, 2017 at 4:22 AM, Jiri Benc <jbenc-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> >> > On Sat, 4 Nov 2017 07:29:46 -0700, Pravin Shelar wrote:
> >> >> > +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
> >> >> > +{
> >> >> > + struct nshhdr *nh;
> >> >> > + size_t length = nsh_hdr_len(pushed_nh);
> >> >> > + u8 next_proto;
> >> >> > +
> >> >> > + if (skb->mac_len) {
> >> >> > + next_proto = TUN_P_ETHERNET;
> >> >> > + } else {
> >> >> > + next_proto = tun_p_from_eth_p(skb->protocol);
> >> >> > + if (!next_proto)
> >> >> > + return -EAFNOSUPPORT;
> >> >> check for supported protocols can be moved to flow install validation
> >> >> in __ovs_nla_copy_actions().
> >> >
> >> > You mean the check for !next_proto? It needs to be present for
> >> > correctness of nsh_push. This function has to be self contained, it
> >> > will be used by more callers than opevswitch, namely tc.
> >> >
> >> > It's actually not so much a check for "supported protocols", it's
> >> > rather a check of return value of a function that converts ethertype to
> >> > a 1 byte tunnel type. Blindly using a result of a function that may
> >> > return error would be wrong. Openvswitch is free to perform additional
> >> > checks but this needs to stay.
> >> >
> >> I am not disputing validity of the checks, but it could be done at
> >> flow install phase.
> >> For other use case we could refactor code. If it is too complex, I am
> >> fine with duplicate code that check the protocol in flow install for
> >> now.
> >
> > Ok, I'll add check code in __ovs_nla_copy_actions for both nsh_push and
> > nsh_pop, but how can we get value of skb->protocol in
> > __ovs_nla_copy_actions? Is it argument eth_type of
> > __ovs_nla_copy_actions?
> >
> Yes.
So here is newly-added check code, is it ok?
diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
index fa07a17..b64b754 100644
--- a/net/openvswitch/flow_netlink.c
+++ b/net/openvswitch/flow_netlink.c
@@ -3001,20 +3001,34 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
mac_proto = MAC_PROTO_ETHERNET;
break;
- case OVS_ACTION_ATTR_PUSH_NSH:
+ case OVS_ACTION_ATTR_PUSH_NSH: {
+ u8 next_proto;
+
+ if (mac_proto != MAC_PROTO_ETHERNET) {
+ next_proto = tun_p_from_eth_p(eth_type);
+ if (!next_proto)
+ return -EINVAL;
+ }
mac_proto = MAC_PROTO_NONE;
if (!validate_nsh(nla_data(a), false, true, true))
return -EINVAL;
break;
+ }
+
+ case OVS_ACTION_ATTR_POP_NSH: {
+ __be16 inner_proto;
- case OVS_ACTION_ATTR_POP_NSH:
if (eth_type != htons(ETH_P_NSH))
return -EINVAL;
+ inner_proto = tun_p_to_eth_p(key->nsh.base.np);
+ if (!inner_proto)
+ return -EINVAL;
if (key->nsh.base.np == TUN_P_ETHERNET)
mac_proto = MAC_PROTO_ETHERNET;
else
mac_proto = MAC_PROTO_NONE;
break;
+ }
default:
OVS_NLERR(log, "Unknown Action type %d", type);
^ permalink raw reply related [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
[not found] ` <20171107112833.GA56179-re2EX8HDrk21gSHoDXDV2kEOCMrvLtNR@public.gmane.org>
@ 2017-11-07 11:58 ` Pravin Shelar
[not found] ` <CAOrHB_D2khYGGJxNA8hpE4Qnhm7ONKrH=kcNteV=iYWLRnaGHQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
0 siblings, 1 reply; 19+ messages in thread
From: Pravin Shelar @ 2017-11-07 11:58 UTC (permalink / raw)
To: Yang, Yi
Cc: ovs dev, Linux Kernel Network Developers, Eric Garver, Jiri Benc,
David S. Miller
On Tue, Nov 7, 2017 at 3:28 AM, Yang, Yi <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> On Tue, Nov 07, 2017 at 06:57:30PM +0800, Pravin Shelar wrote:
>> On Mon, Nov 6, 2017 at 4:22 AM, Jiri Benc <jbenc-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
>> > On Sat, 4 Nov 2017 07:29:46 -0700, Pravin Shelar wrote:
>> >> > +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
>> >> > +{
>> >> > + struct nshhdr *nh;
>> >> > + size_t length = nsh_hdr_len(pushed_nh);
>> >> > + u8 next_proto;
>> >> > +
>> >> > + if (skb->mac_len) {
>> >> > + next_proto = TUN_P_ETHERNET;
>> >> > + } else {
>> >> > + next_proto = tun_p_from_eth_p(skb->protocol);
>> >> > + if (!next_proto)
>> >> > + return -EAFNOSUPPORT;
>> >> check for supported protocols can be moved to flow install validation
>> >> in __ovs_nla_copy_actions().
>> >
>> > You mean the check for !next_proto? It needs to be present for
>> > correctness of nsh_push. This function has to be self contained, it
>> > will be used by more callers than opevswitch, namely tc.
>> >
>> > It's actually not so much a check for "supported protocols", it's
>> > rather a check of return value of a function that converts ethertype to
>> > a 1 byte tunnel type. Blindly using a result of a function that may
>> > return error would be wrong. Openvswitch is free to perform additional
>> > checks but this needs to stay.
>> >
>> I am not disputing validity of the checks, but it could be done at
>> flow install phase.
>> For other use case we could refactor code. If it is too complex, I am
>> fine with duplicate code that check the protocol in flow install for
>> now.
>
> Ok, I'll add check code in __ovs_nla_copy_actions for both nsh_push and
> nsh_pop, but how can we get value of skb->protocol in
> __ovs_nla_copy_actions? Is it argument eth_type of
> __ovs_nla_copy_actions?
>
Yes.
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-07 11:55 ` Yang, Yi
@ 2017-11-07 13:01 ` Pravin Shelar
2017-11-07 13:09 ` Yang, Yi
0 siblings, 1 reply; 19+ messages in thread
From: Pravin Shelar @ 2017-11-07 13:01 UTC (permalink / raw)
To: Yang, Yi
Cc: Jiri Benc, Linux Kernel Network Developers, ovs dev, Eric Garver,
David S. Miller
On Tue, Nov 7, 2017 at 3:55 AM, Yang, Yi <yi.y.yang@intel.com> wrote:
> On Tue, Nov 07, 2017 at 03:58:35AM -0800, Pravin Shelar wrote:
>> On Tue, Nov 7, 2017 at 3:28 AM, Yang, Yi <yi.y.yang@intel.com> wrote:
>> > On Tue, Nov 07, 2017 at 06:57:30PM +0800, Pravin Shelar wrote:
>> >> On Mon, Nov 6, 2017 at 4:22 AM, Jiri Benc <jbenc@redhat.com> wrote:
>> >> > On Sat, 4 Nov 2017 07:29:46 -0700, Pravin Shelar wrote:
>> >> >> > +int nsh_push(struct sk_buff *skb, const struct nshhdr *pushed_nh)
>> >> >> > +{
>> >> >> > + struct nshhdr *nh;
>> >> >> > + size_t length = nsh_hdr_len(pushed_nh);
>> >> >> > + u8 next_proto;
>> >> >> > +
>> >> >> > + if (skb->mac_len) {
>> >> >> > + next_proto = TUN_P_ETHERNET;
>> >> >> > + } else {
>> >> >> > + next_proto = tun_p_from_eth_p(skb->protocol);
>> >> >> > + if (!next_proto)
>> >> >> > + return -EAFNOSUPPORT;
>> >> >> check for supported protocols can be moved to flow install validation
>> >> >> in __ovs_nla_copy_actions().
>> >> >
>> >> > You mean the check for !next_proto? It needs to be present for
>> >> > correctness of nsh_push. This function has to be self contained, it
>> >> > will be used by more callers than opevswitch, namely tc.
>> >> >
>> >> > It's actually not so much a check for "supported protocols", it's
>> >> > rather a check of return value of a function that converts ethertype to
>> >> > a 1 byte tunnel type. Blindly using a result of a function that may
>> >> > return error would be wrong. Openvswitch is free to perform additional
>> >> > checks but this needs to stay.
>> >> >
>> >> I am not disputing validity of the checks, but it could be done at
>> >> flow install phase.
>> >> For other use case we could refactor code. If it is too complex, I am
>> >> fine with duplicate code that check the protocol in flow install for
>> >> now.
>> >
>> > Ok, I'll add check code in __ovs_nla_copy_actions for both nsh_push and
>> > nsh_pop, but how can we get value of skb->protocol in
>> > __ovs_nla_copy_actions? Is it argument eth_type of
>> > __ovs_nla_copy_actions?
>> >
>> Yes.
>
> So here is newly-added check code, is it ok?
>
> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
> index fa07a17..b64b754 100644
> --- a/net/openvswitch/flow_netlink.c
> +++ b/net/openvswitch/flow_netlink.c
> @@ -3001,20 +3001,34 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
> mac_proto = MAC_PROTO_ETHERNET;
> break;
>
> - case OVS_ACTION_ATTR_PUSH_NSH:
> + case OVS_ACTION_ATTR_PUSH_NSH: {
> + u8 next_proto;
> +
next_proto can be moved to the if () block, otherwise, I am fine with
this change.
> + if (mac_proto != MAC_PROTO_ETHERNET) {
> + next_proto = tun_p_from_eth_p(eth_type);
> + if (!next_proto)
> + return -EINVAL;
> + }
> mac_proto = MAC_PROTO_NONE;
> if (!validate_nsh(nla_data(a), false, true, true))
> return -EINVAL;
> break;
> + }
> +
> + case OVS_ACTION_ATTR_POP_NSH: {
> + __be16 inner_proto;
>
> - case OVS_ACTION_ATTR_POP_NSH:
> if (eth_type != htons(ETH_P_NSH))
> return -EINVAL;
> + inner_proto = tun_p_to_eth_p(key->nsh.base.np);
> + if (!inner_proto)
> + return -EINVAL;
> if (key->nsh.base.np == TUN_P_ETHERNET)
> mac_proto = MAC_PROTO_ETHERNET;
> else
> mac_proto = MAC_PROTO_NONE;
> break;
> + }
>
> default:
> OVS_NLERR(log, "Unknown Action type %d", type);
^ permalink raw reply [flat|nested] 19+ messages in thread
* Re: [PATCH net-next v15] openvswitch: enable NSH support
2017-11-07 13:01 ` Pravin Shelar
@ 2017-11-07 13:09 ` Yang, Yi
0 siblings, 0 replies; 19+ messages in thread
From: Yang, Yi @ 2017-11-07 13:09 UTC (permalink / raw)
To: Pravin Shelar
Cc: ovs dev, Linux Kernel Network Developers, Eric Garver, Jiri Benc,
David S. Miller
On Tue, Nov 07, 2017 at 05:01:28AM -0800, Pravin Shelar wrote:
> On Tue, Nov 7, 2017 at 3:55 AM, Yang, Yi <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> > On Tue, Nov 07, 2017 at 03:58:35AM -0800, Pravin Shelar wrote:
> >> On Tue, Nov 7, 2017 at 3:28 AM, Yang, Yi <yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org> wrote:
> >> > On Tue, Nov 07, 2017 at 06:57:30PM +0800, Pravin Shelar wrote:
> >> >> On Mon, Nov 6, 2017 at 4:22 AM, Jiri Benc <jbenc-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> >> >> > On Sat, 4 Nov 2017 07:29:46 -0700, Pravin Shelar wrote:
> >> >> >> > + if (skb->mac_len) {
> >> >> >> > + next_proto = TUN_P_ETHERNET;
> >> >> >> > + } else {
> >> >> >> > + next_proto = tun_p_from_eth_p(skb->protocol);
> >> >> >> > + if (!next_proto)
> >> >> >> > + return -EAFNOSUPPORT;
> >> >> >> check for supported protocols can be moved to flow install validation
> >> >> >> in __ovs_nla_copy_actions().
> >> >> >
> >> >> > You mean the check for !next_proto? It needs to be present for
> >> >> > correctness of nsh_push. This function has to be self contained, it
> >> >> > will be used by more callers than opevswitch, namely tc.
> >> >> >
> >> >> > It's actually not so much a check for "supported protocols", it's
> >> >> > rather a check of return value of a function that converts ethertype to
> >> >> > a 1 byte tunnel type. Blindly using a result of a function that may
> >> >> > return error would be wrong. Openvswitch is free to perform additional
> >> >> > checks but this needs to stay.
> >> >> >
> >> >> I am not disputing validity of the checks, but it could be done at
> >> >> flow install phase.
> >> >> For other use case we could refactor code. If it is too complex, I am
> >> >> fine with duplicate code that check the protocol in flow install for
> >> >> now.
> >> >
> >> > Ok, I'll add check code in __ovs_nla_copy_actions for both nsh_push and
> >> > nsh_pop, but how can we get value of skb->protocol in
> >> > __ovs_nla_copy_actions? Is it argument eth_type of
> >> > __ovs_nla_copy_actions?
> >> >
> >> Yes.
> >
> > So here is newly-added check code, is it ok?
> >
> > diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c
> > index fa07a17..b64b754 100644
> > --- a/net/openvswitch/flow_netlink.c
> > +++ b/net/openvswitch/flow_netlink.c
> > @@ -3001,20 +3001,34 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr,
> > mac_proto = MAC_PROTO_ETHERNET;
> > break;
> >
> > - case OVS_ACTION_ATTR_PUSH_NSH:
> > + case OVS_ACTION_ATTR_PUSH_NSH: {
> > + u8 next_proto;
> > +
> next_proto can be moved to the if () block, otherwise, I am fine with
> this change.
Thanks, fixed it and sent out v17.
^ permalink raw reply [flat|nested] 19+ messages in thread
end of thread, other threads:[~2017-11-07 13:09 UTC | newest]
Thread overview: 19+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-11-01 4:03 [PATCH net-next v15] openvswitch: enable NSH support Yi Yang
2017-11-01 8:46 ` Jiri Benc
2017-11-01 15:21 ` Eric Garver
2017-11-02 0:52 ` Pravin Shelar
2017-11-02 2:50 ` Yang, Yi
2017-11-02 12:06 ` Pravin Shelar
[not found] ` <CAOrHB_BaUS7WfisvX6G+450tEQ2skmsE0v-b27s-_21s25bigw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-02 12:09 ` Yang, Yi
2017-11-03 1:40 ` Yang, Yi
2017-11-04 12:30 ` Pravin Shelar
[not found] ` <1509508981-66202-1-git-send-email-yi.y.yang-ral2JQCrhuEAvxtiuMwx3w@public.gmane.org>
2017-11-04 14:29 ` Pravin Shelar
2017-11-06 4:19 ` Yang, Yi
2017-11-06 12:09 ` Pravin Shelar
[not found] ` <CAOrHB_COGWb78kN70QFKgA3w5v3zasAW=TJbzoE5zZYKao_GvA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-06 12:22 ` Jiri Benc
[not found] ` <20171106132248.6fa4c5a0-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-11-07 10:57 ` Pravin Shelar
2017-11-07 11:28 ` Yang, Yi
[not found] ` <20171107112833.GA56179-re2EX8HDrk21gSHoDXDV2kEOCMrvLtNR@public.gmane.org>
2017-11-07 11:58 ` Pravin Shelar
[not found] ` <CAOrHB_D2khYGGJxNA8hpE4Qnhm7ONKrH=kcNteV=iYWLRnaGHQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-11-07 11:55 ` Yang, Yi
2017-11-07 13:01 ` Pravin Shelar
2017-11-07 13:09 ` Yang, Yi
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.