From patchwork Mon Nov 28 12:51:36 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Amir Vadai X-Patchwork-Id: 699962 X-Patchwork-Delegate: shemminger@vyatta.com Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3tS65Y20t4z9vFb for ; Mon, 28 Nov 2016 23:52:17 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754676AbcK1MwP (ORCPT ); Mon, 28 Nov 2016 07:52:15 -0500 Received: from mail-wm0-f68.google.com ([74.125.82.68]:34552 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754655AbcK1MwL (ORCPT ); Mon, 28 Nov 2016 07:52:11 -0500 Received: by mail-wm0-f68.google.com with SMTP id g23so18851404wme.1 for ; Mon, 28 Nov 2016 04:52:10 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=7PhC2A7DlSWRBOMfJ+XhQ5ATsZYwH9DLbrw0854Y1zY=; b=Bgk//OtiLpDgaskDwJldWjzdUE2s1UE1vk3OYQeYMbhXmv7T/xqrjL0TZpW2aRDgi7 GJ5Su9PW6RXUQaEZWu447tZcr2cuM/I4dTHL1G/WjKbDDYJMGARvTGzY6v3cFG7pUuLi qSTFt53w6MwTUSrfo6hAtOsQqghHQJ4E+wydB5Kf7S7p+zAqqLTT5jQgvpEvhLZlssWX WTwVHqYDvcJL12cQaFwCBtQthk4M4CfbgoRgmh2ycfrLkWkeucIJaW4iS4NNCsWRABz2 Up23kXm83ygYy21hKpGiSY+Bw2oDE1w3a62K69Gvrxh/XOcR7a6HlPP7AbT4VLSKk+vp oI1Q== X-Gm-Message-State: AKaTC03e3oFFEn8YBrc2jvL7gmGr337zW60z2/YsMJqkVtTWkpMe8/oZLaEMBsz/FEU1rA== X-Received: by 10.28.113.76 with SMTP id m73mr17932421wmc.114.1480337529307; Mon, 28 Nov 2016 04:52:09 -0800 (PST) Received: from office.vadai.me ([192.116.94.216]) by smtp.gmail.com with ESMTPSA id m145sm28662110wma.3.2016.11.28.04.52.06 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 28 Nov 2016 04:52:08 -0800 (PST) From: Amir Vadai To: Stephen Hemminger Cc: netdev@vger.kernel.org, "David S. Miller" , Jiri Benc , Or Gerlitz , Hadar Har-Zion , Roi Dayan , Amir Vadai Subject: [PATCH iproute2 V2 2/2] tc/act_tunnel: Introduce ip tunnel action Date: Mon, 28 Nov 2016 14:51:36 +0200 Message-Id: <20161128125136.3393-3-amir@vadai.me> X-Mailer: git-send-email 2.10.2 In-Reply-To: <20161128125136.3393-1-amir@vadai.me> References: <20161128125136.3393-1-amir@vadai.me> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This action could be used before redirecting packets to a shared tunnel device, or when redirecting packets arriving from a such a device. The 'unset' action is optional. It is used to explicitly unset the metadata created by the tunnel device during decap. If not used, the metadata will be released automatically by the kernel. The 'set' operation, will set the metadata with the specified values for the encap. For example, the following flower filter will forward all ICMP packets destined to 11.11.11.2 through the shared vxlan device 'vxlan0'. Before redirecting, a metadata for the vxlan tunnel is created using the tunnel_key action and it's arguments: $ tc filter add dev net0 protocol ip parent ffff: \ flower \ ip_proto 1 \ dst_ip 11.11.11.2 \ action tunnel_key set \ src_ip 11.11.0.1 \ dst_ip 11.11.0.2 \ id 11 \ action mirred egress redirect dev vxlan0 Signed-off-by: Amir Vadai --- include/linux/tc_act/tc_tunnel_key.h | 42 ++++++ man/man8/tc-tunnel_key.8 | 113 +++++++++++++++ tc/Makefile | 1 + tc/m_tunnel_key.c | 259 +++++++++++++++++++++++++++++++++++ 4 files changed, 415 insertions(+) create mode 100644 include/linux/tc_act/tc_tunnel_key.h create mode 100644 man/man8/tc-tunnel_key.8 create mode 100644 tc/m_tunnel_key.c diff --git a/include/linux/tc_act/tc_tunnel_key.h b/include/linux/tc_act/tc_tunnel_key.h new file mode 100644 index 000000000000..f9ddf5369a45 --- /dev/null +++ b/include/linux/tc_act/tc_tunnel_key.h @@ -0,0 +1,42 @@ +/* + * Copyright (c) 2016, Amir Vadai + * Copyright (c) 2016, Mellanox Technologies. All rights reserved. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + */ + +#ifndef __LINUX_TC_TUNNEL_KEY_H +#define __LINUX_TC_TUNNEL_KEY_H + +#include + +#define TCA_ACT_TUNNEL_KEY 17 + +#define TCA_TUNNEL_KEY_ACT_SET 1 +#define TCA_TUNNEL_KEY_ACT_RELEASE 2 + +struct tc_tunnel_key { + tc_gen; + int t_action; +}; + +enum { + TCA_TUNNEL_KEY_UNSPEC, + TCA_TUNNEL_KEY_TM, + TCA_TUNNEL_KEY_PARMS, + TCA_TUNNEL_KEY_ENC_IPV4_SRC, /* be32 */ + TCA_TUNNEL_KEY_ENC_IPV4_DST, /* be32 */ + TCA_TUNNEL_KEY_ENC_IPV6_SRC, /* struct in6_addr */ + TCA_TUNNEL_KEY_ENC_IPV6_DST, /* struct in6_addr */ + TCA_TUNNEL_KEY_ENC_KEY_ID, /* be64 */ + TCA_TUNNEL_KEY_PAD, + __TCA_TUNNEL_KEY_MAX, +}; + +#define TCA_TUNNEL_KEY_MAX (__TCA_TUNNEL_KEY_MAX - 1) + +#endif + diff --git a/man/man8/tc-tunnel_key.8 b/man/man8/tc-tunnel_key.8 new file mode 100644 index 000000000000..d0c333d27158 --- /dev/null +++ b/man/man8/tc-tunnel_key.8 @@ -0,0 +1,113 @@ +.TH "Tunnel metadata manipulation action in tc" 8 "10 Nov 2016" "iproute2" "Linux" + +.SH NAME +tunnel_key - Tunnel metadata manipulation +.SH SYNOPSIS +.in +8 +.ti -8 +.BR tc " ... " "action tunnel_key" " { " unset " | " +.IR SET " }" + +.ti -8 +.IR SET " := " +.BR set " " src_ip +.IR ADDRESS +.BR dst_ip +.IR ADDRESS +.BI id " KEY_ID" + +.SH DESCRIPTION +The +.B tunnel_key +action combined with a shared IP tunnel device, allows to perform IP tunnel en- +or decapsulation on a packet, reflected by +the operation modes +.IR UNSET " and " SET . +The +.I UNSET +mode is optional - even without using it, the metadata information will be +released automatically when packet processing will be finished. +.IR UNSET +function could be used in cases when traffic is forwarded between two tunnels, +where the metadata from the first tunnel will be used for encapsulation done by +the second tunnel. +It must be used for offloaded filters, such that hardware drivers can +realize they need to program the HW to do decapsulation. +.IR SET +mode requires the source and destination ip +.I ADDRESS +and the tunnel key id +.I KEY_ID +which will be used by the ip tunnel shared device to create the tunnel header. The +.B tunnel_key +action is useful only in combination with a +.B mirred redirect +action to a shared IP tunnel device which will use the metadata (for +.I SET +) and unset the metadata created by it (for +.I UNSET +). + +.SH OPTIONS +.TP +.B unset +Decapsulation mode, no further arguments allowed. This function is not +mandatory and might be used only in some specific use cases. +.TP +.B set +Encapsulation mode. Requires +.B id +, +.B src_ip +and +.B dst_ip +options. +.RS +.TP +.B id +Tunnel ID (for example VNI in VXLAN tunnel) +.TP +.B src_ip +Outer header source IP address (IPv4 or IPv6) +.TP +.B dst_ip +Outer header destination IP address (IPv4 or IPv6) +.RE +.SH EXAMPLES +The following example encapsulates incoming ICMP packets on eth0 into a vxlan +tunnel by setting metadata to VNI 11, source IP 11.11.0.1 and destination IP +11.11.0.2 by forwarding the skb with the metadata to device vxlan0, which will +prepare the VXLAN headers: + +.RS +.EX +#tc qdisc add dev eth0 handle ffff: ingress +#tc filter add dev eth0 protocol ip parent ffff: \\ + flower \\ + ip_proto icmp \\ + action tunnel_key set \\ + src_ip 11.11.0.1 \\ + dst_ip 11.11.0.2 \\ + id 11 \\ + action mirred egress redirect dev vxlan0 +.EE +.RE + +Here is an example of the +.B unset +function: Incoming VXLAN packets on vxlan0 with specific outer IP's and VNI 11 +in the metadata are decapsulated and redirected to eth0: + +.RS +.EX +#tc qdisc add dev eth0 handle ffff: ingress +#tc filter add dev vxlan0 protocol ip parent ffff: \ + flower \\ + enc_src_ip 11.11.0.2 enc_dst_ip 11.11.0.1 enc_key_id 11 \ + action tunnel_key unset \ + action mirred egress redirect dev eth0 +.EE +.RE + +.SH SEE ALSO +.BR tc (8) diff --git a/tc/Makefile b/tc/Makefile index dfa875b5edaf..f6f41ca2bb3d 100644 --- a/tc/Makefile +++ b/tc/Makefile @@ -50,6 +50,7 @@ TCMODULES += m_simple.o TCMODULES += m_vlan.o TCMODULES += m_connmark.o TCMODULES += m_bpf.o +TCMODULES += m_tunnel_key.o TCMODULES += p_ip.o TCMODULES += p_icmp.o TCMODULES += p_tcp.o diff --git a/tc/m_tunnel_key.c b/tc/m_tunnel_key.c new file mode 100644 index 000000000000..33dd6e84b97a --- /dev/null +++ b/tc/m_tunnel_key.c @@ -0,0 +1,259 @@ +/* + * m_tunnel_key.c ip tunnel manipulation module + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + * + * Authors: Amir Vadai + */ + +#include +#include +#include +#include +#include +#include "utils.h" +#include "rt_names.h" +#include "tc_util.h" +#include + +static void explain(void) +{ + fprintf(stderr, "Usage: tunnel_key unset\n"); + fprintf(stderr, " tunnel_key set id TUNNELID src_ip IP dst_ip IP\n"); +} + +static void usage(void) +{ + explain(); + exit(-1); +} + +static int tunnel_key_parse_ip_addr(char *str, int addr4_type, int addr6_type, + struct nlmsghdr *n) +{ + int ret; + inet_prefix addr; + + ret = get_addr(&addr, str, AF_UNSPEC); + if (ret) + return -1; + + addattr_l(n, MAX_MSG, addr.family == AF_INET ? addr4_type : addr6_type, + addr.data, addr.bytelen); + + return 0; +} + +static int tunnel_key_parse_key_id(char *str, int type, struct nlmsghdr *n) +{ + int ret; + __be32 key_id; + + ret = get_be32(&key_id, str, 10); + if (ret) + return -1; + + addattr32(n, MAX_MSG, type, key_id); + + return 0; +} + +static int parse_tunnel_key(struct action_util *a, int *argc_p, char ***argv_p, + int tca_id, struct nlmsghdr *n) +{ + struct tc_tunnel_key parm = { .action = TC_ACT_PIPE }; + char **argv = *argv_p; + int argc = *argc_p; + struct rtattr *tail; + int action = 0; + int ret; + int has_src_ip = 0; + int has_dst_ip = 0; + int has_key_id = 0; + + if (matches(*argv, "tunnel_key") != 0) + return -1; + + tail = NLMSG_TAIL(n); + addattr_l(n, MAX_MSG, tca_id, NULL, 0); + + NEXT_ARG(); + + while (argc > 0) { + if (matches(*argv, "unset") == 0) { + if (action) { + fprintf(stderr, "unexpected \"%s\" - action already specified\n", + *argv); + explain(); + return -1; + } + action = TCA_TUNNEL_KEY_ACT_RELEASE; + } else if (matches(*argv, "set") == 0) { + if (action) { + fprintf(stderr, "unexpected \"%s\" - action already specified\n", + *argv); + explain(); + return -1; + } + action = TCA_TUNNEL_KEY_ACT_SET; + } else if (matches(*argv, "src_ip") == 0) { + NEXT_ARG(); + ret = tunnel_key_parse_ip_addr(*argv, + TCA_TUNNEL_KEY_ENC_IPV4_SRC, + TCA_TUNNEL_KEY_ENC_IPV6_SRC, + n); + if (ret < 0) { + fprintf(stderr, "Illegal \"src_ip\"\n"); + return -1; + } + has_src_ip = 1; + } else if (matches(*argv, "dst_ip") == 0) { + NEXT_ARG(); + ret = tunnel_key_parse_ip_addr(*argv, + TCA_TUNNEL_KEY_ENC_IPV4_DST, + TCA_TUNNEL_KEY_ENC_IPV6_DST, + n); + if (ret < 0) { + fprintf(stderr, "Illegal \"dst_ip\"\n"); + return -1; + } + has_dst_ip = 1; + } else if (matches(*argv, "id") == 0) { + NEXT_ARG(); + ret = tunnel_key_parse_key_id(*argv, TCA_TUNNEL_KEY_ENC_KEY_ID, n); + if (ret < 0) { + fprintf(stderr, "Illegal \"id\"\n"); + return -1; + } + has_key_id = 1; + } else if (matches(*argv, "help") == 0) { + usage(); + } else { + break; + } + NEXT_ARG_FWD(); + } + + if (argc && !action_a2n(*argv, &parm.action, false)) + NEXT_ARG_FWD(); + + if (argc) { + if (matches(*argv, "index") == 0) { + NEXT_ARG(); + if (get_u32(&parm.index, *argv, 10)) { + fprintf(stderr, "tunnel_key: Illegal \"index\"\n"); + return -1; + } + + NEXT_ARG_FWD(); + } + } + + if (action == TCA_TUNNEL_KEY_ACT_SET && + (!has_src_ip || !has_dst_ip || !has_key_id)) { + fprintf(stderr, "set needs tunnel_key parameters\n"); + explain(); + return -1; + } + + parm.t_action = action; + addattr_l(n, MAX_MSG, TCA_TUNNEL_KEY_PARMS, &parm, sizeof(parm)); + tail->rta_len = (char *)NLMSG_TAIL(n) - (char *)tail; + + *argc_p = argc; + *argv_p = argv; + + return 0; +} + +static void tunnel_key_print_ip_addr(FILE *f, char *name, + struct rtattr *attr) +{ + int family; + size_t len; + + if (!attr) + return; + + len = RTA_PAYLOAD(attr); + + if (len == 4) + family = AF_INET; + else if (len == 16) + family = AF_INET6; + else + return; + + fprintf(f, "\n\t%s %s", name, rt_addr_n2a_rta(family, attr)); +} + +static void tunnel_key_print_key_id(FILE *f, char *name, + struct rtattr *attr) +{ + if (!attr) + return; + fprintf(f, "\n\t%s %d", name, ntohl(rta_getattr_u32(attr))); +} + +static int print_tunnel_key(struct action_util *au, FILE *f, struct rtattr *arg) +{ + struct rtattr *tb[TCA_TUNNEL_KEY_MAX + 1]; + struct tc_tunnel_key *parm; + + if (!arg) + return -1; + + parse_rtattr_nested(tb, TCA_TUNNEL_KEY_MAX, arg); + + if (!tb[TCA_TUNNEL_KEY_PARMS]) { + fprintf(f, "[NULL tunnel_key parameters]"); + return -1; + } + parm = RTA_DATA(tb[TCA_TUNNEL_KEY_PARMS]); + + fprintf(f, "tunnel_key"); + + switch (parm->t_action) { + case TCA_TUNNEL_KEY_ACT_RELEASE: + fprintf(f, " unset"); + break; + case TCA_TUNNEL_KEY_ACT_SET: + fprintf(f, " set"); + tunnel_key_print_ip_addr(f, "src_ip", + tb[TCA_TUNNEL_KEY_ENC_IPV4_SRC]); + tunnel_key_print_ip_addr(f, "dst_ip", + tb[TCA_TUNNEL_KEY_ENC_IPV4_DST]); + tunnel_key_print_ip_addr(f, "src_ip", + tb[TCA_TUNNEL_KEY_ENC_IPV6_SRC]); + tunnel_key_print_ip_addr(f, "dst_ip", + tb[TCA_TUNNEL_KEY_ENC_IPV6_DST]); + tunnel_key_print_key_id(f, "key_id", + tb[TCA_TUNNEL_KEY_ENC_KEY_ID]); + break; + } + fprintf(f, " %s", action_n2a(parm->action)); + + fprintf(f, "\n\tindex %d ref %d bind %d", parm->index, parm->refcnt, + parm->bindcnt); + + if (show_stats) { + if (tb[TCA_TUNNEL_KEY_TM]) { + struct tcf_t *tm = RTA_DATA(tb[TCA_TUNNEL_KEY_TM]); + + print_tm(f, tm); + } + } + + fprintf(f, "\n "); + + return 0; +} + +struct action_util tunnel_key_action_util = { + .id = "tunnel_key", + .parse_aopt = parse_tunnel_key, + .print_aopt = print_tunnel_key, +};