From patchwork Mon Dec 11 20:38:28 2017
X-Patchwork-Submitter: Tom Herbert
X-Patchwork-Id: 847210
From: Tom Herbert
To: davem@davemloft.net
Cc: netdev@vger.kernel.org, roopa@cumulusnetworks.com, rohit@quantonium.net, Tom Herbert
Subject: [PATCH v3 net-next 0/9] net: Generic network resolver backend and ILA resolver
Date: Mon, 11 Dec 2017 12:38:28 -0800
Message-Id: <20171211203837.2540-1-tom@quantonium.net>

This patch implements a generic in-kernel network resolver. The idea is
that an LWT "resolver" route is set in the kernel to cover some prefix.
When a packet hits the route a netlink message is fired to request
resolution, and pending resolutions are tracked in a table.

Route resolution works in the following manner:

Initial configuration:

0. An ila-rslv LWT route is set for some network prefix. The route
   includes an optional timeout to expire resolution.

Resolution process:

1. Packet is sent to a destination in the prefix being resolved
2. A lookup is performed on the destination address in a table of
   outstanding resolution requests. If no entry is found:
   a. A new entry is created for the destination with a timeout value
      as set in the resolver route
   b. A netlink "RTM_ADDR_RESOLVE" message is sent to kick the
      resolution protocol or processing
3. The packet is forwarded per the resolver route

When an address is resolved:

4. At some point a route is set that resolves the outstanding request
   (for instance a host route is set for the destination). The entry
   is removed from the table. Subsequent packets to the destination
   will hit the new route rather than the resolver route since the
   prefix is longer
5. Resolution entries may time out and the entry is removed from the
   table. A subsequent packet to the destination will kick off a new
   resolution as in #2
6. The resolved route might also be timed out or removed, in which
   case subsequent packets to the same destination can trigger the
   resolution process

DOS mitigations:

- The number of outstanding resolutions is limited by the size of the
  table
- Timeout of pending entries limits the number of netlink resolution
  messages
- Packets that are pending resolution are not queued. In the current
  model they can be forwarded to a router that has all reachability
  information (ILA use case for example)

Possible future work:

- An optional method to queue packets for pending resolution
- More DOS mitigations. It might make sense to limit the number of
  resolutions per source address etc.

This patch set implements an ILA host-side resolver that uses the
generic resolver described above. This uses LWT to implement the hook
to a userspace resolver and tracks pending unresolved addresses using
the backend net resolver.

This patch set contains:

- A generic resolver backend infrastructure. This primarily does two
  things: track unresolved addresses and implement a timeout for
  resolution not happening. These mechanisms provide rate-limiting
  control over resolution requests (for instance in ILA it is used to
  rate limit requests to userspace to resolve addresses).
- The ILA resolver. This implements the path from the kernel ILA
  implementation to a userspace daemon to indicate that an identifier
  address needs to be resolved.
- Routing messages are used over netlink to indicate resolution
  requests.
- Add net to ila build_state
- Add flush command to ila_xlat
- Fix uses for rhashtable for latest fixes

v3:
- Removed rhashtable changes to their own patch set
- Restructure ILA code to be more amenable to changes
- Remove extra callback functions in resolution interface

Changes from initial RFC:
- Added net argument to LWT build_state
- Made resolve timeout an attribute of the LWT encap route
- Changed ILA notifications to be regular routing messages of event
  RTM_ADDR_RESOLVE, family RTNL_FAMILY_ILA, and group RTNLGRP_ILA_NOTIFY

Tom Herbert (9):
  lwt: Add net to build_state argument
  ila: Fix use of rhashtable walk in ila_xlat.c
  ila: Call library function alloc_bucket_locks
  ila: create main ila source file
  ila: Flush netlink command to clear xlat table
  net: Generic resolver backend
  ila: Resolver mechanism
  resolver: add netlink control
  ila: add netlink control ILA resolver

 include/net/lwtunnel.h         |   6 +-
 include/net/resolver.h         |  67 +++++
 include/uapi/linux/ila.h       |  21 ++
 include/uapi/linux/lwtunnel.h  |   1 +
 include/uapi/linux/rtnetlink.h |   8 +-
 net/Kconfig                    |   1 +
 net/Makefile                   |   1 +
 net/core/lwt_bpf.c             |   2 +-
 net/core/lwtunnel.c            |   6 +-
 net/ipv4/fib_semantics.c       |  13 +-
 net/ipv4/ip_tunnel_core.c      |   4 +-
 net/ipv6/Kconfig               |   1 +
 net/ipv6/ila/Makefile          |   2 +-
 net/ipv6/ila/ila.h             |  46 +++-
 net/ipv6/ila/ila_common.c      |  30 ---
 net/ipv6/ila/ila_lwt.c         |  10 +-
 net/ipv6/ila/ila_main.c        | 161 ++++++++++++
 net/ipv6/ila/ila_resolver.c    | 310 +++++++++++++++++++++++
 net/ipv6/ila/ila_xlat.c        | 280 ++++++++++-----------
 net/ipv6/route.c               |   2 +-
 net/ipv6/seg6_iptunnel.c       |   2 +-
 net/ipv6/seg6_local.c          |   5 +-
 net/mpls/mpls_iptunnel.c       |   2 +-
 net/resolver/Kconfig           |   7 +
 net/resolver/Makefile          |   8 +
 net/resolver/resolver.c        | 559 +++++++++++++++++++++++++++++++++++++++++
 26 files changed, 1356 insertions(+), 199 deletions(-)
 create mode 100644 include/net/resolver.h
 create mode 100644 net/ipv6/ila/ila_main.c
 create mode 100644 net/ipv6/ila/ila_resolver.c
 create mode 100644 net/resolver/Kconfig
 create mode 100644 net/resolver/Makefile
 create mode 100644 net/resolver/resolver.c
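The resolution process (steps 2, 4 and 5) and the two DOS mitigations the cover letter lists, modelled in user-space C as an added example. This is not code from the patch set or from net/resolver/resolver.c; it is a stand-alone model that shows why a bounded pending table plus a per-entry timeout caps how many resolution requests a burst of packets can generate. Assumptions made for the demonstration: destinations are plain integers rather than IPv6 addresses, time is a caller-supplied counter, the table holds a fixed 4 entries, and a counter stands in for sending the RTM_ADDR_RESOLVE netlink message.

```c
/* Added example: user-space model of the resolver's pending table.
 * Not the kernel implementation. Table size, integer destinations and
 * the caller-supplied clock are assumptions for the demonstration. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define RSLV_TABLE_SIZE 4      /* assumed cap on outstanding resolutions */

struct rslv_entry {
	bool     used;
	uint64_t dst;          /* destination being resolved (modelled as int) */
	uint64_t expires;      /* absolute time at which the entry times out */
};

struct rslv_table {
	struct rslv_entry ent[RSLV_TABLE_SIZE];
	uint64_t timeout;      /* timeout attribute of the resolver route */
	unsigned long requests; /* stand-in for RTM_ADDR_RESOLVE messages sent */
	unsigned long full;    /* packets that found the table full */
};

void rslv_init(struct rslv_table *t, uint64_t timeout)
{
	memset(t, 0, sizeof(*t));
	t->timeout = timeout;
}

/* Step 5: drop entries whose timeout has passed. */
static void rslv_expire(struct rslv_table *t, uint64_t now)
{
	for (int i = 0; i < RSLV_TABLE_SIZE; i++)
		if (t->ent[i].used && t->ent[i].expires <= now)
			t->ent[i].used = false;
}

static struct rslv_entry *rslv_find(struct rslv_table *t, uint64_t dst)
{
	for (int i = 0; i < RSLV_TABLE_SIZE; i++)
		if (t->ent[i].used && t->ent[i].dst == dst)
			return &t->ent[i];
	return NULL;
}

/* Step 2: a packet to dst hits the resolver route. Returns true when a
 * resolution request is fired (a new entry was created). The packet is
 * forwarded per the resolver route either way (step 3), so nothing is
 * queued; this model only tracks the request side. */
bool rslv_packet(struct rslv_table *t, uint64_t dst, uint64_t now)
{
	rslv_expire(t, now);
	if (rslv_find(t, dst))
		return false;          /* already pending: no extra request */
	for (int i = 0; i < RSLV_TABLE_SIZE; i++) {
		if (!t->ent[i].used) {
			t->ent[i].used = true;
			t->ent[i].dst = dst;
			t->ent[i].expires = now + t->timeout;
			t->requests++;     /* would send RTM_ADDR_RESOLVE here */
			return true;
		}
	}
	t->full++;                     /* table full: request suppressed */
	return false;
}

/* Step 4: a route resolving dst was installed; remove the pending entry. */
bool rslv_resolved(struct rslv_table *t, uint64_t dst)
{
	struct rslv_entry *e = rslv_find(t, dst);
	if (!e)
		return false;
	e->used = false;
	return true;
}

unsigned rslv_pending(const struct rslv_table *t)
{
	unsigned n = 0;
	for (int i = 0; i < RSLV_TABLE_SIZE; i++)
		n += t->ent[i].used ? 1 : 0;
	return n;
}

/* A burst of npackets to distinct destinations at the same instant: the
 * number of requests fired is bounded by the table size, not by npackets. */
unsigned long rslv_demo_burst(unsigned npackets, uint64_t timeout)
{
	struct rslv_table t;
	rslv_init(&t, timeout);
	for (unsigned i = 0; i < npackets; i++)
		rslv_packet(&t, 1000 + i, 0);   /* constructed destinations */
	return t.requests;
}
```

Calling rslv_packet repeatedly for one destination inside the timeout window fires a single request, and rslv_demo_burst(100, 10) returns RSLV_TABLE_SIZE rather than 100, which is the rate-limiting effect the cover letter describes. The "per source address" limit listed under future work is deliberately not modelled, since the patch set does not implement it.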