* Exposing device ACL setting through devlink
@ 2020-09-03 17:59 Thomas Falcon
  2020-09-04  8:31 ` Jiri Pirko
  0 siblings, 1 reply; 12+ messages in thread
From: Thomas Falcon @ 2020-09-03 17:59 UTC (permalink / raw)
  To: netdev; +Cc: jiri

Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM VNIC devices to administrators through devlink (originally through sysfs files, but that was rejected in favor of devlink). Could you give any tips on how you might go about doing this?

Thanks,
Tom



* Re: Exposing device ACL setting through devlink
  2020-09-03 17:59 Exposing device ACL setting through devlink Thomas Falcon
@ 2020-09-04  8:31 ` Jiri Pirko
  2020-09-04 22:37   ` Jakub Kicinski
  0 siblings, 1 reply; 12+ messages in thread
From: Jiri Pirko @ 2020-09-04  8:31 UTC (permalink / raw)
  To: Thomas Falcon; +Cc: netdev, jiri

Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
>Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM VNIC devices to administrators through devlink (originally through sysfs files, but that was rejected in favor of devlink). Could you give any tips on how you might go about doing this?

Tom, I believe you need to provide more info about what exactly you
need to set up. But from what you wrote, it seems like you are looking
for bridge/tc offload. The infra is already in place and drivers are
implementing it. See mlxsw for example.


* Re: Exposing device ACL setting through devlink
  2020-09-04  8:31 ` Jiri Pirko
@ 2020-09-04 22:37   ` Jakub Kicinski
  2020-09-08 18:27     ` Thomas Falcon
  0 siblings, 1 reply; 12+ messages in thread
From: Jakub Kicinski @ 2020-09-04 22:37 UTC (permalink / raw)
  To: Jiri Pirko; +Cc: Thomas Falcon, netdev, jiri

On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
> Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
> >Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
> >VNIC devices to administrators through devlink (originally through
> >sysfs files, but that was rejected in favor of devlink). Could you
> >give any tips on how you might go about doing this?  
> 
> Tom, I believe you need to provide more info about what exactly do you
> need to setup. But from what you wrote, it seems like you are looking
> for bridge/tc offload. The infra is already in place and drivers are
> implementing it. See mlxsw for example.

I think Tom's use case is effectively exposing to the VF which VLANs
and what MAC addrs it can use. Plus its pvid. See:

https://www.spinics.net/lists/netdev/msg679750.html


* Re: Exposing device ACL setting through devlink
  2020-09-04 22:37   ` Jakub Kicinski
@ 2020-09-08 18:27     ` Thomas Falcon
  2020-09-10  7:00       ` Jiri Pirko
  0 siblings, 1 reply; 12+ messages in thread
From: Thomas Falcon @ 2020-09-08 18:27 UTC (permalink / raw)
  To: Jakub Kicinski, Jiri Pirko; +Cc: netdev, jiri

On 9/4/20 5:37 PM, Jakub Kicinski wrote:
> On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
>> Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
>>> Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
>>> VNIC devices to administrators through devlink (originally through
>>> sysfs files, but that was rejected in favor of devlink). Could you
>>> give any tips on how you might go about doing this?
>> Tom, I believe you need to provide more info about what exactly do you
>> need to setup. But from what you wrote, it seems like you are looking
>> for bridge/tc offload. The infra is already in place and drivers are
>> implementing it. See mlxsw for example.
> I think Tom's use case is effectively exposing the the VF which VLANs
> and what MAC addrs it can use. Plus it's pvid. See:
>
> https://www.spinics.net/lists/netdev/msg679750.html

Thanks, Jakub,

Right now, the use-case is to expose the allowed VLANs and MAC 
addresses and the VF's PVID. Other use-cases may be explored later on 
though.



* Re: Exposing device ACL setting through devlink
  2020-09-08 18:27     ` Thomas Falcon
@ 2020-09-10  7:00       ` Jiri Pirko
  2020-09-17 20:31         ` Thomas Falcon
  0 siblings, 1 reply; 12+ messages in thread
From: Jiri Pirko @ 2020-09-10  7:00 UTC (permalink / raw)
  To: Thomas Falcon; +Cc: Jakub Kicinski, netdev, jiri

Tue, Sep 08, 2020 at 08:27:13PM CEST, tlfalcon@linux.ibm.com wrote:
>On 9/4/20 5:37 PM, Jakub Kicinski wrote:
>> On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
>> > Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
>> > > Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
>> > > VNIC devices to administrators through devlink (originally through
>> > > sysfs files, but that was rejected in favor of devlink). Could you
>> > > give any tips on how you might go about doing this?
>> > Tom, I believe you need to provide more info about what exactly do you
>> > need to setup. But from what you wrote, it seems like you are looking
>> > for bridge/tc offload. The infra is already in place and drivers are
>> > implementing it. See mlxsw for example.
>> I think Tom's use case is effectively exposing the the VF which VLANs
>> and what MAC addrs it can use. Plus it's pvid. See:
>> 
>> https://www.spinics.net/lists/netdev/msg679750.html
>
>Thanks, Jakub,
>
>Right now, the use-case is to expose the allowed VLAN's and MAC addresses and
>the VF's PVID. Other use-cases may be explored later on though.

Who is configuring those?

What does "allowed MAC address" mean? Does it mean a MAC address that VF
can use to send packet as a source MAC?

What does "allowed VLAN" mean? VF is sending vlan tagged frames and only
some VIDs are allowed.

Pardon my ignorance, this may be routine in the nic world. However I
find the desc very vague. Please explain in detail, then we can try to
find a fitting solution.

Thanks!


* Re: Exposing device ACL setting through devlink
  2020-09-10  7:00       ` Jiri Pirko
@ 2020-09-17 20:31         ` Thomas Falcon
  2020-09-18  7:20           ` Jiri Pirko
  0 siblings, 1 reply; 12+ messages in thread
From: Thomas Falcon @ 2020-09-17 20:31 UTC (permalink / raw)
  To: Jiri Pirko; +Cc: Jakub Kicinski, netdev, jiri


On 9/10/20 2:00 AM, Jiri Pirko wrote:
> Tue, Sep 08, 2020 at 08:27:13PM CEST, tlfalcon@linux.ibm.com wrote:
>> On 9/4/20 5:37 PM, Jakub Kicinski wrote:
>>> On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
>>>> Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
>>>>> Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
>>>>> VNIC devices to administrators through devlink (originally through
>>>>> sysfs files, but that was rejected in favor of devlink). Could you
>>>>> give any tips on how you might go about doing this?
>>>> Tom, I believe you need to provide more info about what exactly do you
>>>> need to setup. But from what you wrote, it seems like you are looking
>>>> for bridge/tc offload. The infra is already in place and drivers are
>>>> implementing it. See mlxsw for example.
>>> I think Tom's use case is effectively exposing the the VF which VLANs
>>> and what MAC addrs it can use. Plus it's pvid. See:
>>>
>>> https://www.spinics.net/lists/netdev/msg679750.html
>> Thanks, Jakub,
>>
>> Right now, the use-case is to expose the allowed VLAN's and MAC addresses and
>> the VF's PVID. Other use-cases may be explored later on though.
> Who is configuring those?
>
> What does mean "allowed MAC address"? Does it mean a MAC address that VF
> can use to send packet as a source MAC?
>
> What does mean "allowed VLAN"? VF is sending vlan tagged frames and only
> some VIDs are allowed.
>
> Pardon my ignorance, this may be routine in the nic world. However I
> find the desc very vague. Please explain in details, then we can try to
> find fitting solution.
>
> Thanks!

These MAC or VLAN ACL settings are configured on the Power Hypervisor.

The rules for a VF can be to allow or deny all MAC addresses or VLAN 
IDs or to allow a specified list of MAC addresses and VLAN IDs. The 
interface allows or denies frames based on whether the ID in the VLAN 
tag or the source MAC address is included in the list of allowed VLAN 
IDs or MAC addresses specified during creation of the VF.

Thanks for your help,

Tom



* Re: Exposing device ACL setting through devlink
  2020-09-17 20:31         ` Thomas Falcon
@ 2020-09-18  7:20           ` Jiri Pirko
  2020-09-18 23:20             ` Thomas Falcon
  0 siblings, 1 reply; 12+ messages in thread
From: Jiri Pirko @ 2020-09-18  7:20 UTC (permalink / raw)
  To: Thomas Falcon; +Cc: Jakub Kicinski, netdev, jiri

Thu, Sep 17, 2020 at 10:31:10PM CEST, tlfalcon@linux.ibm.com wrote:
>
>On 9/10/20 2:00 AM, Jiri Pirko wrote:
>> Tue, Sep 08, 2020 at 08:27:13PM CEST, tlfalcon@linux.ibm.com wrote:
>> > On 9/4/20 5:37 PM, Jakub Kicinski wrote:
>> > > On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
>> > > > Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
>> > > > > Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
>> > > > > VNIC devices to administrators through devlink (originally through
>> > > > > sysfs files, but that was rejected in favor of devlink). Could you
>> > > > > give any tips on how you might go about doing this?
>> > > > Tom, I believe you need to provide more info about what exactly do you
>> > > > need to setup. But from what you wrote, it seems like you are looking
>> > > > for bridge/tc offload. The infra is already in place and drivers are
>> > > > implementing it. See mlxsw for example.
>> > > I think Tom's use case is effectively exposing the the VF which VLANs
>> > > and what MAC addrs it can use. Plus it's pvid. See:
>> > > 
>> > > https://www.spinics.net/lists/netdev/msg679750.html
>> > Thanks, Jakub,
>> > 
>> > Right now, the use-case is to expose the allowed VLAN's and MAC addresses and
>> > the VF's PVID. Other use-cases may be explored later on though.
>> Who is configuring those?
>> 
>> What does mean "allowed MAC address"? Does it mean a MAC address that VF
>> can use to send packet as a source MAC?
>> 
>> What does mean "allowed VLAN"? VF is sending vlan tagged frames and only
>> some VIDs are allowed.
>> 
>> Pardon my ignorance, this may be routine in the nic world. However I
>> find the desc very vague. Please explain in details, then we can try to
>> find fitting solution.
>> 
>> Thanks!
>
>These MAC or VLAN ACL settings are configured on the Power Hypervisor.
>
>The rules for a VF can be to allow or deny all MAC addresses or VLAN ID's or
>to allow a specified list of MAC address and VLAN ID's. The interface allows
>or denies frames based on whether the ID in the VLAN tag or the source MAC
>address is included in the list of allowed VLAN ID's or MAC addresses
>specified during creation of the VF.

At which point are you doing this ACL? Sounds to me like this is the
job of "a switch" which connects VFs and physical port. Then, you just
need to configure this switch to pass/drop packets according to match.
And that is what is already implemented with TC-flower/u32 + actions
and bridge offload.


>
>Thanks for your help,
>
>Tom
>
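
The allow-list Tom describes, written out as the kind of tc-flower rules Jiri refers to (an added example, not code from the thread or from any driver). It only prints the commands; the device name `vf0rep`, the two-chain layout, the requirement that a frame pass both lists, and letting untagged frames skip the VLAN list are assumptions.

```shell
#!/bin/sh
# Added example: print (do not execute) tc rules that model a per-VF
# source-MAC / VLAN allow-list on the switch-side port of that VF.
# Assumptions, not from the thread: rules sit on ingress of that port
# (frames sent by the VF), a frame must pass both lists, and untagged
# frames are not checked against the VLAN list.

is_mac() {
    printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

is_vid() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

split() { printf '%s' "$1" | tr ',' ' '; }

# emit_vf_acl DEV MACS VLANS
#   MACS / VLANS: "all", "none", or a comma-separated allow-list.
emit_vf_acl() {
    dev=$1 macs=$2 vlans=$3
    f="tc filter add dev $dev ingress"

    # Validate first so a bad entry never yields a partial rule set.
    case $macs in all|none) ;; *)
        for m in $(split "$macs"); do
            is_mac "$m" || { echo "invalid MAC: $m" >&2; return 1; }
        done ;;
    esac
    case $vlans in all|none) ;; *)
        for v in $(split "$vlans"); do
            is_vid "$v" || { echo "invalid VLAN ID: $v" >&2; return 1; }
        done ;;
    esac

    # With every VLAN allowed there is no second stage to jump to.
    if [ "$vlans" = all ]; then next="pass"; else next="goto chain 1"; fi

    echo "tc qdisc add dev $dev clsact"

    # Stage 1 (chain 0): source MAC allow-list, default drop.
    pref=1
    case $macs in
    all)
        echo "$f chain 0 pref $pref protocol all matchall action $next" ;;
    none)
        echo "$f chain 0 pref 60000 protocol all matchall action drop" ;;
    *)
        for m in $(split "$macs"); do
            echo "$f chain 0 pref $pref protocol all flower src_mac $m action $next"
            pref=$((pref + 1))
        done
        echo "$f chain 0 pref 60000 protocol all matchall action drop" ;;
    esac

    if [ "$vlans" = all ]; then return 0; fi

    # Stage 2 (chain 1): tagged frames must carry an allowed VLAN ID.
    pref=1
    case $vlans in none) ;; *)
        for v in $(split "$vlans"); do
            echo "$f chain 1 pref $pref protocol 802.1Q flower vlan_id $v action pass"
            pref=$((pref + 1))
        done ;;
    esac
    echo "$f chain 1 pref 60000 protocol 802.1Q matchall action drop"
}

# Constructed sample values: two locally administered MACs, two VLANs.
emit_vf_acl vf0rep "02:00:00:00:00:01,02:00:00:00:00:02" "100,200"
```
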


* Re: Exposing device ACL setting through devlink
  2020-09-18  7:20           ` Jiri Pirko
@ 2020-09-18 23:20             ` Thomas Falcon
  2020-09-20 15:21               ` Jiri Pirko
  0 siblings, 1 reply; 12+ messages in thread
From: Thomas Falcon @ 2020-09-18 23:20 UTC (permalink / raw)
  To: Jiri Pirko; +Cc: Jakub Kicinski, netdev, jiri


On 9/18/20 2:20 AM, Jiri Pirko wrote:
> Thu, Sep 17, 2020 at 10:31:10PM CEST, tlfalcon@linux.ibm.com wrote:
>> On 9/10/20 2:00 AM, Jiri Pirko wrote:
>>> Tue, Sep 08, 2020 at 08:27:13PM CEST, tlfalcon@linux.ibm.com wrote:
>>>> On 9/4/20 5:37 PM, Jakub Kicinski wrote:
>>>>> On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
>>>>>> Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
>>>>>>> Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
>>>>>>> VNIC devices to administrators through devlink (originally through
>>>>>>> sysfs files, but that was rejected in favor of devlink). Could you
>>>>>>> give any tips on how you might go about doing this?
>>>>>> Tom, I believe you need to provide more info about what exactly do you
>>>>>> need to setup. But from what you wrote, it seems like you are looking
>>>>>> for bridge/tc offload. The infra is already in place and drivers are
>>>>>> implementing it. See mlxsw for example.
>>>>> I think Tom's use case is effectively exposing the the VF which VLANs
>>>>> and what MAC addrs it can use. Plus it's pvid. See:
>>>>>
>>>>> https://www.spinics.net/lists/netdev/msg679750.html
>>>> Thanks, Jakub,
>>>>
>>>> Right now, the use-case is to expose the allowed VLAN's and MAC addresses and
>>>> the VF's PVID. Other use-cases may be explored later on though.
>>> Who is configuring those?
>>>
>>> What does mean "allowed MAC address"? Does it mean a MAC address that VF
>>> can use to send packet as a source MAC?
>>>
>>> What does mean "allowed VLAN"? VF is sending vlan tagged frames and only
>>> some VIDs are allowed.
>>>
>>> Pardon my ignorance, this may be routine in the nic world. However I
>>> find the desc very vague. Please explain in details, then we can try to
>>> find fitting solution.
>>>
>>> Thanks!
>> These MAC or VLAN ACL settings are configured on the Power Hypervisor.
>>
>> The rules for a VF can be to allow or deny all MAC addresses or VLAN ID's or
>> to allow a specified list of MAC address and VLAN ID's. The interface allows
>> or denies frames based on whether the ID in the VLAN tag or the source MAC
>> address is included in the list of allowed VLAN ID's or MAC addresses
>> specified during creation of the VF.
> At which point are you doing this ACL? Sounds to me, like this is the
> job of "a switch" which connects VFs and physical port. Then, you just
> need to configure this switch to pass/drop packets according to match.
> And that is what there is already implemented with TC-flower/u32 + actions
> and bridge offload.
>
Yes, the filtering is done on a virtual switch in Power firmware. I 
am really just trying to report the ACL lists configured at the 
firmware level to users on the guest OS.

Tom

>> Thanks for your help,
>>
>> Tom
>>


* Re: Exposing device ACL setting through devlink
  2020-09-18 23:20             ` Thomas Falcon
@ 2020-09-20 15:21               ` Jiri Pirko
  2020-09-21 17:51                 ` Thomas Falcon
  2020-09-21 20:37                 ` Jakub Kicinski
  0 siblings, 2 replies; 12+ messages in thread
From: Jiri Pirko @ 2020-09-20 15:21 UTC (permalink / raw)
  To: Thomas Falcon; +Cc: Jakub Kicinski, netdev, jiri

Sat, Sep 19, 2020 at 01:20:34AM CEST, tlfalcon@linux.ibm.com wrote:
>
>On 9/18/20 2:20 AM, Jiri Pirko wrote:
>> Thu, Sep 17, 2020 at 10:31:10PM CEST, tlfalcon@linux.ibm.com wrote:
>> > On 9/10/20 2:00 AM, Jiri Pirko wrote:
>> > > Tue, Sep 08, 2020 at 08:27:13PM CEST, tlfalcon@linux.ibm.com wrote:
>> > > > On 9/4/20 5:37 PM, Jakub Kicinski wrote:
>> > > > > On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
>> > > > > > Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
>> > > > > > > Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
>> > > > > > > VNIC devices to administrators through devlink (originally through
>> > > > > > > sysfs files, but that was rejected in favor of devlink). Could you
>> > > > > > > give any tips on how you might go about doing this?
>> > > > > > Tom, I believe you need to provide more info about what exactly do you
>> > > > > > need to setup. But from what you wrote, it seems like you are looking
>> > > > > > for bridge/tc offload. The infra is already in place and drivers are
>> > > > > > implementing it. See mlxsw for example.
>> > > > > I think Tom's use case is effectively exposing the the VF which VLANs
>> > > > > and what MAC addrs it can use. Plus it's pvid. See:
>> > > > > 
>> > > > > https://www.spinics.net/lists/netdev/msg679750.html
>> > > > Thanks, Jakub,
>> > > > 
>> > > > Right now, the use-case is to expose the allowed VLAN's and MAC addresses and
>> > > > the VF's PVID. Other use-cases may be explored later on though.
>> > > Who is configuring those?
>> > > 
>> > > What does mean "allowed MAC address"? Does it mean a MAC address that VF
>> > > can use to send packet as a source MAC?
>> > > 
>> > > What does mean "allowed VLAN"? VF is sending vlan tagged frames and only
>> > > some VIDs are allowed.
>> > > 
>> > > Pardon my ignorance, this may be routine in the nic world. However I
>> > > find the desc very vague. Please explain in details, then we can try to
>> > > find fitting solution.
>> > > 
>> > > Thanks!
>> > These MAC or VLAN ACL settings are configured on the Power Hypervisor.
>> > 
>> > The rules for a VF can be to allow or deny all MAC addresses or VLAN ID's or
>> > to allow a specified list of MAC address and VLAN ID's. The interface allows
>> > or denies frames based on whether the ID in the VLAN tag or the source MAC
>> > address is included in the list of allowed VLAN ID's or MAC addresses
>> > specified during creation of the VF.
>> At which point are you doing this ACL? Sounds to me, like this is the
>> job of "a switch" which connects VFs and physical port. Then, you just
>> need to configure this switch to pass/drop packets according to match.
>> And that is what there is already implemented with TC-flower/u32 + actions
>> and bridge offload.
>> 
>Yes, this the filtering is done on a virtual switch in Power firmware. I am
>really just trying to report the ACL list's configured at the firmware level
>to users on the guest OS.

We have means to model switches properly in linux and offload to them.
I advise you to do that.


>
>Tom
>
>> > Thanks for your help,
>> > 
>> > Tom
>> > 


* Re: Exposing device ACL setting through devlink
  2020-09-20 15:21               ` Jiri Pirko
@ 2020-09-21 17:51                 ` Thomas Falcon
  2020-09-21 20:37                 ` Jakub Kicinski
  1 sibling, 0 replies; 12+ messages in thread
From: Thomas Falcon @ 2020-09-21 17:51 UTC (permalink / raw)
  To: Jiri Pirko; +Cc: Jakub Kicinski, netdev, jiri


On 9/20/20 10:21 AM, Jiri Pirko wrote:
> Sat, Sep 19, 2020 at 01:20:34AM CEST, tlfalcon@linux.ibm.com wrote:
>> On 9/18/20 2:20 AM, Jiri Pirko wrote:
>>> Thu, Sep 17, 2020 at 10:31:10PM CEST, tlfalcon@linux.ibm.com wrote:
>>>> On 9/10/20 2:00 AM, Jiri Pirko wrote:
>>>>> Tue, Sep 08, 2020 at 08:27:13PM CEST, tlfalcon@linux.ibm.com wrote:
>>>>>> On 9/4/20 5:37 PM, Jakub Kicinski wrote:
>>>>>>> On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
>>>>>>>> Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfalcon@linux.ibm.com wrote:
>>>>>>>>> Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
>>>>>>>>> VNIC devices to administrators through devlink (originally through
>>>>>>>>> sysfs files, but that was rejected in favor of devlink). Could you
>>>>>>>>> give any tips on how you might go about doing this?
>>>>>>>> Tom, I believe you need to provide more info about what exactly do you
>>>>>>>> need to setup. But from what you wrote, it seems like you are looking
>>>>>>>> for bridge/tc offload. The infra is already in place and drivers are
>>>>>>>> implementing it. See mlxsw for example.
>>>>>>> I think Tom's use case is effectively exposing the the VF which VLANs
>>>>>>> and what MAC addrs it can use. Plus it's pvid. See:
>>>>>>>
>>>>>>> https://www.spinics.net/lists/netdev/msg679750.html
>>>>>> Thanks, Jakub,
>>>>>>
>>>>>> Right now, the use-case is to expose the allowed VLAN's and MAC addresses and
>>>>>> the VF's PVID. Other use-cases may be explored later on though.
>>>>> Who is configuring those?
>>>>>
>>>>> What does mean "allowed MAC address"? Does it mean a MAC address that VF
>>>>> can use to send packet as a source MAC?
>>>>>
>>>>> What does mean "allowed VLAN"? VF is sending vlan tagged frames and only
>>>>> some VIDs are allowed.
>>>>>
>>>>> Pardon my ignorance, this may be routine in the nic world. However I
>>>>> find the desc very vague. Please explain in details, then we can try to
>>>>> find fitting solution.
>>>>>
>>>>> Thanks!
>>>> These MAC or VLAN ACL settings are configured on the Power Hypervisor.
>>>>
>>>> The rules for a VF can be to allow or deny all MAC addresses or VLAN ID's or
>>>> to allow a specified list of MAC address and VLAN ID's. The interface allows
>>>> or denies frames based on whether the ID in the VLAN tag or the source MAC
>>>> address is included in the list of allowed VLAN ID's or MAC addresses
>>>> specified during creation of the VF.
>>> At which point are you doing this ACL? Sounds to me, like this is the
>>> job of "a switch" which connects VFs and physical port. Then, you just
>>> need to configure this switch to pass/drop packets according to match.
>>> And that is what there is already implemented with TC-flower/u32 + actions
>>> and bridge offload.
>>>
>> Yes, this the filtering is done on a virtual switch in Power firmware. I am
>> really just trying to report the ACL list's configured at the firmware level
>> to users on the guest OS.
> We have means to model switches properly in linux and offload to them.
> I advise you to do that.

I will look into that, thank you!

Tom


>
>
>> Tom
>>
>>>> Thanks for your help,
>>>>
>>>> Tom
>>>>


* Re: Exposing device ACL setting through devlink
  2020-09-20 15:21               ` Jiri Pirko
  2020-09-21 17:51                 ` Thomas Falcon
@ 2020-09-21 20:37                 ` Jakub Kicinski
  2020-09-23 17:01                   ` Thomas Falcon
  1 sibling, 1 reply; 12+ messages in thread
From: Jakub Kicinski @ 2020-09-21 20:37 UTC (permalink / raw)
  To: Jiri Pirko; +Cc: Thomas Falcon, netdev, jiri

On Sun, 20 Sep 2020 17:21:36 +0200 Jiri Pirko wrote:
> >Yes, this the filtering is done on a virtual switch in Power firmware. I am
> >really just trying to report the ACL list's configured at the firmware level
> >to users on the guest OS.  
> 
> We have means to model switches properly in linux and offload to them.
> I advise you to do that.

I think it may have gotten lost in the conversation, but Tom is after
exposing the information to the client side of the switch. AFAIU we
don't have anything like that right now, perhaps the way to go is to
expose enum devlink_port_function_attr on the client side?

Still - it feels hacky when I think about it. 

IMHO kernel device APIs are not the place to expose network config.
It's not like MVRP results pop up as a netdev attribute. 

Tomorrow Amazon, Google, and all other cloud providers will want to
expose some other info, and we'll have to worry about how to make it
common, drawing the lines, reviewing etc.

Tom, is there no way higher layer (cloud) APIs can be used to
communicate this information to the guest?


* Re: Exposing device ACL setting through devlink
  2020-09-21 20:37                 ` Jakub Kicinski
@ 2020-09-23 17:01                   ` Thomas Falcon
  0 siblings, 0 replies; 12+ messages in thread
From: Thomas Falcon @ 2020-09-23 17:01 UTC (permalink / raw)
  To: Jakub Kicinski, Jiri Pirko; +Cc: netdev, jiri


On 9/21/20 3:37 PM, Jakub Kicinski wrote:
> On Sun, 20 Sep 2020 17:21:36 +0200 Jiri Pirko wrote:
>>> Yes, this the filtering is done on a virtual switch in Power firmware. I am
>>> really just trying to report the ACL list's configured at the firmware level
>>> to users on the guest OS.
>> We have means to model switches properly in linux and offload to them.
>> I advise you to do that.
> I think it may have gotten lost in the conversation, but Tom is after
> exposing the information to the client side of the switch. AFAIU we
> don't have anything like that right now, perhaps the way to go is to
> expose enum devlink_port_function_attr on the client side?
>
> Still - it feels hacky when I think about it.
>
> IMHO kernel device APIs are not the place to expose network config.
> It's not like MVRP results pop up as a netdev attribute.
>
> Tomorrow Amazon, Google, and all other cloud providers will want to
> expose some other info, and we'll have to worry about how to make it
> common, drawing the lines, reviewing etc.
>
> Tom, is there no way higher layer (cloud) APIs can be used to
> communicate this information to the guest?

None that I know of, Jakub. As far as I know, this information can only 
be retrieved through the device driver if the user only has access to 
the guest.

Tom

