From patchwork Tue Nov 26 08:45:38 2019
X-Patchwork-Submitter: Kevin 'ldir' Darbyshire-Bryant
X-Patchwork-Id: 1200848
From: Kevin Darbyshire-Bryant
To: openwrt-devel@lists.openwrt.org
Cc: Kevin Darbyshire-Bryant
Date: Tue, 26 Nov 2019 08:45:38 +0000
Message-Id: <20191126084537.30505-1-ldir@darbyshire-bryant.me.uk>
Subject: [OpenWrt-Devel] [PATCH] kernel: act_ctinfo: update backport

Since the original backports from kernel 5.3 a few things have been tweaked by kernel bumps & other upstream changes. Update the backport to reflect upstream as closely as possible and remove the bitrot. Functions remain the same, error reporting improved.
Signed-off-by: Kevin Darbyshire-Bryant --- ...et-sched-Introduce-act_ctinfo-action.patch | 142 ++++++++++++++---- ...et-sched-Introduce-act_ctinfo-action.patch | 140 ++++++++++++----- 2 files changed, 210 insertions(+), 72 deletions(-) diff --git a/target/linux/generic/backport-4.14/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch b/target/linux/generic/backport-4.14/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch index d2cb0532c9..1053742e6e 100644 --- a/target/linux/generic/backport-4.14/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch +++ b/target/linux/generic/backport-4.14/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch @@ -1,47 +1,110 @@ -From e3777dd42dc6f1b9cb099836707a3e7971dcf4df Mon Sep 17 00:00:00 2001 +From a06ece503d941eefa92ba48dc981ccaa4093330b Mon Sep 17 00:00:00 2001 
From: Kevin Darbyshire-Bryant Date: Wed, 13 Mar 2019 20:54:49 +0000 -Subject: [PATCH] net: sched: Introduce act_ctinfo action +Subject: [PATCH] net: sched: Backport Introduce act_ctinfo action +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit -ctinfo is a new tc filter action module. It is designed to restore DSCPs -stored in conntrack marks +ctinfo is a new tc filter action module. It is designed to restore +information contained in firewall conntrack marks to other packet fields +and is typically used on packet ingress paths. At present it has two +independent sub-functions or operating modes, DSCP restoration mode & +skb mark restoration mode. -The feature is intended for use and has been found useful for restoring -ingress classifications based on egress classifications across links -that bleach or otherwise change DSCP, typically home ISP Internet links. -Restoring DSCP on ingress on the WAN link allows qdiscs such as CAKE to -shape inbound packets according to policies that are easier to implement -on egress. +The DSCP restore mode: + +This mode copies DSCP values that have been placed in the firewall +conntrack mark back into the IPv4/v6 diffserv fields of relevant +packets. + +The DSCP restoration is intended for use and has been found useful for +restoring ingress classifications based on egress classifications across +links that bleach or otherwise change DSCP, typically home ISP Internet +links. Restoring DSCP on ingress on the WAN link allows qdiscs such as +but by no means limited to CAKE to shape inbound packets according to +policies that are easier to set & mark on egress. Ingress classification is traditionally a challenging task since iptables rules haven't yet run and tc filter/eBPF programs are pre-NAT lookups, hence are unable to see internal IPv4 addresses as used on the -typical home masquerading gateway. - -ctinfo understands the following parameters: +typical home masquerading gateway. 
Thus marking the connection in some +manner on egress for later restoration of classification on ingress is +easier to implement. -dscp mask[/statemask] +Parameters related to DSCP restore mode: -mask - a 32 bit mask of at least 6 contiguous bits where conndscp will -place the DSCP in conntrack mark. The DSCP is left-shifted by the -number of unset lower bits of the mask before storing into the mark -field. +dscpmask - a 32 bit mask of 6 contiguous bits and indicate bits of the +conntrack mark field contain the DSCP value to be restored. statemask - a 32 bit mask of (usually) 1 bit length, outside the area -specified by mask. This represents a conditional operation flag the -DSCP is only restored if the flag is set. This is useful to implement a -'one shot' iptables based classification where the 'complicated' -iptables rules are only run once to classify the connection on initial -(egress) packet and subsequent packets are all marked/restored with the -same DSCP. A mask of zero disables the conditional behaviour. +specified by dscpmask. This represents a conditional operation flag +whereby the DSCP is only restored if the flag is set. This is useful to +implement a 'one shot' iptables based classification where the +'complicated' iptables rules are only run once to classify the +connection on initial (egress) packet and subsequent packets are all +marked/restored with the same DSCP. A mask of zero disables the +conditional behaviour ie. the conntrack mark DSCP bits are always +restored to the ip diffserv field (assuming the conntrack entry is found +& the skb is an ipv4/ipv6 type) + +e.g. 
dscpmask 0xfc000000 statemask 0x01000000 + +|----0xFC----conntrack mark----000000---| +| Bits 31-26 | bit 25 | bit24 |~~~ Bit 0| +| DSCP | unused | flag |unused | +|-----------------------0x01---000000---| + | | + | | + ---| Conditional flag + v only restore if set +|-ip diffserv-| +| 6 bits | +|-------------| + +The skb mark restore mode (cpmark): + +This mode copies the firewall conntrack mark to the skb's mark field. +It is completely the functional equivalent of the existing act_connmark +action with the additional feature of being able to apply a mask to the +restored value. + +Parameters related to skb mark restore mode: + +mask - a 32 bit mask applied to the firewall conntrack mark to mask out +bits unwanted for restoration. This can be useful where the conntrack +mark is being used for different purposes by different applications. If +not specified and by default the whole mark field is copied (i.e. +default mask of 0xffffffff) -optional parameters: +e.g. mask 0x00ffffff to mask out the top 8 bits being used by the +aforementioned DSCP restore mode. + +|----0x00----conntrack mark----ffffff---| +| Bits 31-24 | | +| DSCP & flag| some value here | +|---------------------------------------| + | + | + v +|------------skb mark-------------------| +| | | +| zeroed | | +|---------------------------------------| + +Overall parameters: zone - conntrack zone control - action related control (reclassify | pipe | drop | continue | -ok | goto chain +ok | goto chain ) + +Signed-off-by: Kevin Darbyshire-Bryant +Reviewed-by: Toke Høiland-Jørgensen +Acked-by: Cong Wang +Signed-off-by: David S. Miller +Backport Signed-off-by: Kevin Darbyshire-Bryant --- include/net/tc_act/tc_ctinfo.h | 33 +++ @@ -49,8 +112,8 @@ 
Signed-off-by: Kevin Darbyshire-Bryant include/uapi/linux/tc_act/tc_ctinfo.h | 29 ++ net/sched/Kconfig | 13 + net/sched/Makefile | 1 + - net/sched/act_ctinfo.c | 394 ++++++++++++++++++++++++++ - 6 files changed, 472 insertions(+), 1 deletion(-) + net/sched/act_ctinfo.c | 407 ++++++++++++++++++++++++++ + 6 files changed, 485 insertions(+), 1 deletion(-) create mode 100644 include/net/tc_act/tc_ctinfo.h create mode 100644 include/uapi/linux/tc_act/tc_ctinfo.h create mode 100644 net/sched/act_ctinfo.c @@ -169,7 +232,7 @@ Signed-off-by: Kevin Darbyshire-Bryant obj-$(CONFIG_NET_IFE_SKBMARK) += act_meta_mark.o --- /dev/null +++ b/net/sched/act_ctinfo.c -@@ -0,0 +1,394 @@ +@@ -0,0 +1,407 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* net/sched/act_ctinfo.c netfilter ctinfo connmark actions + * @@ -337,15 +400,20 @@ Signed-off-by: Kevin Darbyshire-Bryant + u8 dscpmaskshift; + int ret = 0, err; + -+ if (!nla) ++ if (!nla) { ++ NL_SET_ERR_MSG_MOD(extack, "ctinfo requires attributes to be passed"); + return -EINVAL; ++ } + + err = nla_parse_nested(tb, TCA_CTINFO_MAX, nla, ctinfo_policy, NULL); + if (err < 0) + return err; + -+ if (!tb[TCA_CTINFO_ACT]) ++ if (!tb[TCA_CTINFO_ACT]) { ++ NL_SET_ERR_MSG_MOD(extack, ++ "Missing required TCA_CTINFO_ACT attribute"); + return -EINVAL; ++ } + actparm = nla_data(tb[TCA_CTINFO_ACT]); + + /* do some basic validation here before dynamically allocating things */ @@ -354,13 +422,21 @@ 
Signed-off-by: Kevin Darbyshire-Bryant + dscpmask = nla_get_u32(tb[TCA_CTINFO_PARMS_DSCP_MASK]); + /* need contiguous 6 bit mask */ + dscpmaskshift = dscpmask ? __ffs(dscpmask) : 0; -+ if ((~0 & (dscpmask >> dscpmaskshift)) != 0x3f) ++ if ((~0 & (dscpmask >> dscpmaskshift)) != 0x3f) { ++ NL_SET_ERR_MSG_ATTR(extack, ++ tb[TCA_CTINFO_PARMS_DSCP_MASK], ++ "dscp mask must be 6 contiguous bits"); + return -EINVAL; ++ } + dscpstatemask = tb[TCA_CTINFO_PARMS_DSCP_STATEMASK] ? + nla_get_u32(tb[TCA_CTINFO_PARMS_DSCP_STATEMASK]) : 0; + /* mask & statemask must not overlap */ -+ if (dscpmask & dscpstatemask) ++ if (dscpmask & dscpstatemask) { ++ NL_SET_ERR_MSG_ATTR(extack, ++ tb[TCA_CTINFO_PARMS_DSCP_STATEMASK], ++ "dscp statemask must not overlap dscp mask"); + return -EINVAL; ++ } + } + /* done the validation:now to the actual action allocation */ + err = tcf_idr_check(tn, actparm->index, a, bind); diff --git a/target/linux/generic/backport-4.19/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch b/target/linux/generic/backport-4.19/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch index 909c68e1b5..8e04dce309 100644 --- a/target/linux/generic/backport-4.19/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch +++ b/target/linux/generic/backport-4.19/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch @@ -1,29 +1,41 @@ -From c17877e414155b9b97d10416ff62b102d25019a1 Mon Sep 17 00:00:00 2001 +From 6d8071bbbdcd9d3a2fbb49e55b51617906e3b816 Mon Sep 17 00:00:00 2001 
From: Kevin Darbyshire-Bryant Date: Wed, 13 Mar 2019 20:54:49 +0000 -Subject: [PATCH] net: sched: Introduce act_ctinfo action +Subject: [PATCH] net: sched: Backport Introduce act_ctinfo action +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit -ctinfo is a new tc filter action module. It is designed to restore DSCPs -stored in conntrack marks into the ipv4/v6 diffserv field. +ctinfo is a new tc filter action module. It is designed to restore +information contained in firewall conntrack marks to other packet fields +and is typically used on packet ingress paths. At present it has two +independent sub-functions or operating modes, DSCP restoration mode & +skb mark restoration mode. -The feature is intended for use and has been found useful for restoring -ingress classifications based on egress classifications across links -that bleach or otherwise change DSCP, typically home ISP Internet links. -Restoring DSCP on ingress on the WAN link allows qdiscs such as CAKE to -shape inbound packets according to policies that are easier to indicate -on egress. +The DSCP restore mode: + +This mode copies DSCP values that have been placed in the firewall +conntrack mark back into the IPv4/v6 diffserv fields of relevant +packets. + +The DSCP restoration is intended for use and has been found useful for +restoring ingress classifications based on egress classifications across +links that bleach or otherwise change DSCP, typically home ISP Internet +links. Restoring DSCP on ingress on the WAN link allows qdiscs such as +but by no means limited to CAKE to shape inbound packets according to +policies that are easier to set & mark on egress. Ingress classification is traditionally a challenging task since iptables rules haven't yet run and tc filter/eBPF programs are pre-NAT lookups, hence are unable to see internal IPv4 addresses as used on the -typical home masquerading gateway. +typical home masquerading gateway. 
Thus marking the connection in some +manner on egress for later restoration of classification on ingress is +easier to implement. -ctinfo understands the following parameters: +Parameters related to DSCP restore mode: -dscp dscpmask[/statemask] - -dscpmask - a 32 bit mask of at least 6 contiguous bits and indicates -where ctinfo will find the DSCP bits stored in the conntrack mark. +dscpmask - a 32 bit mask of 6 contiguous bits and indicate bits of the +conntrack mark field contain the DSCP value to be restored. statemask - a 32 bit mask of (usually) 1 bit length, outside the area specified by dscpmask. This represents a conditional operation flag @@ -36,14 +48,7 @@ conditional behaviour ie. the conntrack mark DSCP bits are always restored to the ip diffserv field (assuming the conntrack entry is found & the skb is an ipv4/ipv6 type) -optional parameters: - -zone - conntrack zone - -control - action related control (reclassify | pipe | drop | continue | -ok | goto chain ) - -e.g. dscp 0xfc000000/0x01000000 +e.g. dscpmask 0xfc000000 statemask 0x01000000 |----0xFC----conntrack mark----000000---| | Bits 31-26 | bit 25 | bit24 |~~~ Bit 0| 
@@ -57,6 +62,49 @@ e.g. dscp 0xfc000000/0x01000000 | 6 bits | |-------------| +The skb mark restore mode (cpmark): + +This mode copies the firewall conntrack mark to the skb's mark field. +It is completely the functional equivalent of the existing act_connmark +action with the additional feature of being able to apply a mask to the +restored value. + +Parameters related to skb mark restore mode: + +mask - a 32 bit mask applied to the firewall conntrack mark to mask out +bits unwanted for restoration. This can be useful where the conntrack +mark is being used for different purposes by different applications. If +not specified and by default the whole mark field is copied (i.e. +default mask of 0xffffffff) + +e.g. mask 0x00ffffff to mask out the top 8 bits being used by the +aforementioned DSCP restore mode. + +|----0x00----conntrack mark----ffffff---| +| Bits 31-24 | | +| DSCP & flag| some value here | +|---------------------------------------| + | + | + v +|------------skb mark-------------------| +| | | +| zeroed | | +|---------------------------------------| + +Overall parameters: + +zone - conntrack zone + +control - action related control (reclassify | pipe | drop | continue | +ok | goto chain ) + +Signed-off-by: Kevin Darbyshire-Bryant +Reviewed-by: Toke Høiland-Jørgensen +Acked-by: Cong Wang +Signed-off-by: David S. Miller + +Backport Signed-off-by: Kevin Darbyshire-Bryant --- include/net/tc_act/tc_ctinfo.h | 33 ++ @@ -64,9 +112,9 @@ 
Signed-off-by: Kevin Darbyshire-Bryant include/uapi/linux/tc_act/tc_ctinfo.h | 29 ++ net/sched/Kconfig | 17 + net/sched/Makefile | 1 + - net/sched/act_ctinfo.c | 395 ++++++++++++++++++++++ + net/sched/act_ctinfo.c | 409 ++++++++++++++++++++++ tools/testing/selftests/tc-testing/config | 1 + - 7 files changed, 478 insertions(+), 1 deletion(-) + 7 files changed, 492 insertions(+), 1 deletion(-) create mode 100644 include/net/tc_act/tc_ctinfo.h create mode 100644 include/uapi/linux/tc_act/tc_ctinfo.h create mode 100644 net/sched/act_ctinfo.c @@ -189,7 +237,7 @@ Signed-off-by: Kevin Darbyshire-Bryant obj-$(CONFIG_NET_IFE_SKBMARK) += act_meta_mark.o --- /dev/null +++ b/net/sched/act_ctinfo.c -@@ -0,0 +1,395 @@ +@@ -0,0 +1,409 @@ +// SPDX-License-Identifier: GPL-2.0+ +/* net/sched/act_ctinfo.c netfilter ctinfo connmark actions + * @@ -347,24 +395,29 @@ Signed-off-by: Kevin Darbyshire-Bryant + struct netlink_ext_ack *extack) +{ + struct tc_action_net *tn = net_generic(net, ctinfo_net_id); ++ u32 dscpmask = 0, dscpstatemask, index; + struct nlattr *tb[TCA_CTINFO_MAX + 1]; + struct tcf_ctinfo_params *cp_new; +/* struct tcf_chain *goto_ch = NULL; */ -+ u32 dscpmask = 0, dscpstatemask; + struct tc_ctinfo *actparm; + struct tcf_ctinfo *ci; + u8 dscpmaskshift; + int ret = 0, err; + -+ if (!nla) ++ if (!nla) { ++ NL_SET_ERR_MSG_MOD(extack, "ctinfo requires attributes to be passed"); + return -EINVAL; ++ } + -+ err = nla_parse_nested(tb, TCA_CTINFO_MAX, nla, ctinfo_policy, NULL); ++ err = nla_parse_nested(tb, TCA_CTINFO_MAX, nla, ctinfo_policy, extack); + if (err < 0) + return err; + -+ if (!tb[TCA_CTINFO_ACT]) ++ if (!tb[TCA_CTINFO_ACT]) { ++ NL_SET_ERR_MSG_MOD(extack, ++ "Missing required TCA_CTINFO_ACT attribute"); + return -EINVAL; ++ } + actparm = nla_data(tb[TCA_CTINFO_ACT]); + + /* do some basic validation here before dynamically allocating things */ @@ -373,22 +426,31 @@ 
Signed-off-by: Kevin Darbyshire-Bryant + dscpmask = nla_get_u32(tb[TCA_CTINFO_PARMS_DSCP_MASK]); + /* need contiguous 6 bit mask */ + dscpmaskshift = dscpmask ? __ffs(dscpmask) : 0; -+ if ((~0 & (dscpmask >> dscpmaskshift)) != 0x3f) ++ if ((~0 & (dscpmask >> dscpmaskshift)) != 0x3f) { ++ NL_SET_ERR_MSG_ATTR(extack, ++ tb[TCA_CTINFO_PARMS_DSCP_MASK], ++ "dscp mask must be 6 contiguous bits"); + return -EINVAL; ++ } + dscpstatemask = tb[TCA_CTINFO_PARMS_DSCP_STATEMASK] ? + nla_get_u32(tb[TCA_CTINFO_PARMS_DSCP_STATEMASK]) : 0; + /* mask & statemask must not overlap */ -+ if (dscpmask & dscpstatemask) ++ if (dscpmask & dscpstatemask) { ++ NL_SET_ERR_MSG_ATTR(extack, ++ tb[TCA_CTINFO_PARMS_DSCP_STATEMASK], ++ "dscp statemask must not overlap dscp mask"); + return -EINVAL; ++ } + } + + /* done the validation:now to the actual action allocation */ -+ err = tcf_idr_check_alloc(tn, &actparm->index, a, bind); ++ index = actparm->index; ++ err = tcf_idr_check_alloc(tn, &index, a, bind); + if (!err) { -+ ret = tcf_idr_create(tn, actparm->index, est, a, ++ ret = tcf_idr_create(tn, index, est, a, + &act_ctinfo_ops, bind, false); + if (ret) { -+ tcf_idr_cleanup(tn, actparm->index); ++ tcf_idr_cleanup(tn, index); + return ret; + } + ret = ACT_P_CREATED; @@ -587,11 +649,11 @@ Signed-off-by: Kevin Darbyshire-Bryant +MODULE_LICENSE("GPL"); --- a/tools/testing/selftests/tc-testing/config +++ b/tools/testing/selftests/tc-testing/config -@@ -37,6 +37,7 @@ CONFIG_NET_ACT_SKBEDIT=m - CONFIG_NET_ACT_CSUM=m +@@ -38,6 +38,7 @@ CONFIG_NET_ACT_CSUM=m CONFIG_NET_ACT_VLAN=m CONFIG_NET_ACT_BPF=m -+CONFIG_NET_ACT_CONNDSCP=m CONFIG_NET_ACT_CONNMARK=m ++CONFIG_NET_ACT_CONNCTINFO=m CONFIG_NET_ACT_SKBMOD=m CONFIG_NET_ACT_IFE=m + CONFIG_NET_ACT_TUNNEL_KEY=m
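Review bot: The `nla_parse_nested(tb, TCA_CTINFO_MAX, nla, ctinfo_policy, NULL)` call in hunk `@@ -337,15 +400,20 @@` of the backport-4.14 patch still passes `NULL`, so attribute policy failures return a bare error code while the checks added on either side of it report through `extack`. The backport-4.19 copy of the same hunk changes this argument to `extack`; do the same here if the 4.14 `nla_parse_nested()` and the action init callback accept it. The visible lines do not show where `extack` is declared in the 4.14 function, so please confirm that the new `NL_SET_ERR_MSG_MOD(extack, ...)` and `NL_SET_ERR_MSG_ATTR(extack, ...)` lines build on that kernel.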
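Review bot: Missing explanation for the switch to a local `index` in hunk `@@ -373,22 +426,31 @@` of the backport-4.19 patch. `tcf_idr_check_alloc(tn, &index, a, bind)` no longer hands the callee a pointer into the netlink attribute payload (`&actparm->index`), which is a behavioural change rather than an error-reporting one, while the commit message says "Functions remain the same". Name the upstream change this tracks in the commit message, and check that any later use of `actparm->index` in the part of the function outside this hunk now reads `index`, since the value written back by `tcf_idr_check_alloc()` lives only in the local variable.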
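Review bot: Check that `CONFIG_NET_ACT_CONNCTINFO=m`, added in the `tools/testing/selftests/tc-testing/config` hunk (`@@ -38,6 +38,7 @@`) in place of `CONFIG_NET_ACT_CONNDSCP=m`, is exactly the symbol this patch defines in `net/sched/Kconfig` and uses in `net/sched/Makefile`. Neither of those entries is in the visible lines, and a name in a config fragment that does not match a defined symbol enables nothing, so the tc selftests would run without `act_ctinfo` built.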