From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=no autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E5FBC3A59D for ; Tue, 20 Aug 2019 18:35:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 035A122DA9 for ; Tue, 20 Aug 2019 18:35:42 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730092AbfHTSfk (ORCPT ); Tue, 20 Aug 2019 14:35:40 -0400 Received: from correo.us.es ([193.147.175.20]:42398 "EHLO mail.us.es" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728682AbfHTSfj (ORCPT ); Tue, 20 Aug 2019 14:35:39 -0400 Received: from antivirus1-rhel7.int (unknown [192.168.2.11]) by mail.us.es (Postfix) with ESMTP id B927EDA738 for ; Tue, 20 Aug 2019 20:35:36 +0200 (CEST) Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id AAC28DA7B6 for ; Tue, 20 Aug 2019 20:35:36 +0200 (CEST) Received: by antivirus1-rhel7.int (Postfix, from userid 99) id 89E7BD2B1F; Tue, 20 Aug 2019 20:35:36 +0200 (CEST) Received: from antivirus1-rhel7.int (localhost [127.0.0.1]) by antivirus1-rhel7.int (Postfix) with ESMTP id 7DB6FDA8E8; Tue, 20 Aug 2019 20:35:34 +0200 (CEST) Received: from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int (F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); Tue, 20 Aug 2019 20:35:34 +0200 (CEST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int) Received: from us.es (unknown [47.60.43.0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: 1984lsi) by entrada.int (Postfix) with ESMTPSA id 40B0D4265A2F; Tue, 20 Aug 2019 20:35:34 +0200 (CEST) Date: Tue, 20 Aug 2019 20:35:33 +0200 X-SMTPAUTHUS: auth mail.us.es From: Pablo Neira Ayuso To: Edward Cree Cc: netfilter-devel@vger.kernel.org, davem@davemloft.net, netdev@vger.kernel.org, jakub.kicinski@netronome.com, jiri@resnulli.us, vladbu@mellanox.com Subject: Re: [PATCH net-next 1/2] net: flow_offload: mangle 128-bit packet field with one action Message-ID: <20190820183533.ykh7mnurpmegxb27@salvia> References: <20190820105225.13943-1-pablo@netfilter.org> <20190820144453.ckme6oj2c4hmofhu@salvia> <20190820173344.3nrzfjboyztz3lji@salvia> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) X-Virus-Scanned: ClamAV using ClamSMTP Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org On Tue, Aug 20, 2019 at 07:15:10PM +0100, Edward Cree wrote: > On 20/08/2019 18:33, Pablo Neira Ayuso wrote: > > I can update tc pedit to generate one single action for offset > > consecutive packet editions, if that is the concern, I'll send a v2. > IMHO the fix belongs in TC userland (i.e. iproute2), to turn a > single action on the commandline for an ipv6 addr into four pedit > actions before the kernel ever sees it. > Similarly if nftables wants to use this it should generate four > separate pedit actions, probably in the kernel netfilter code as (I > assume) your uAPI talks in terms of named fields rather than the > u32ish offsets and masks of tc pedit. The driver flow_offload API does not necessarily need to map 1:1 to the netlink control plane / UAPI. The driver flow_offload API is detached from UAPI and it is internal to drivers. > The TC (well, flow_offload now I suppose) API should be kept narrow, > not widened for things that can already be expressed adequately.  > Your array of words inside a pedit action looks like a kind of loop > unrolling but for data structures, which doesn't look sensible to > me. With one action that says "mangle an IPv6 at offset ip6 daddr field" the driver has more global view on what is going on, rather than having four actions to mangle four 32-bit words at some offset. If this patch adds some loops here is because I did not want to make too smart changes on the drivers. The only reason I can find why mangling is restricted to 32-bits word is tc pedit. The existing flow_offload API was modeled after tc actions, which was exposing tc pedit implementation details to hardware. Please, allow for incremental updates on the flow_offload API to get it better now. Later we'll have way more drivers it will become harder to update this.