From: Ido Schimmel
Subject: [RFC PATCH net-next 1/3] ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family
Date: Thu, 25 Jul 2024 16:17:27 +0300
Message-ID: <20240725131729.1729103-2-idosch@nvidia.com>
In-Reply-To: <20240725131729.1729103-1-idosch@nvidia.com>
X-Mailing-List: netfilter-devel@vger.kernel.org

The NETLINK_FIB_LOOKUP netlink family
can be used to perform a FIB lookup according to user provided parameters and communicate the result back to user space.

However, unlike other users of the FIB lookup API, the upper DSCP bits and the ECN bits of the DS field are not masked, which can result in the wrong result being returned.

Solve this by masking the upper DSCP bits and the ECN bits using IPTOS_RT_MASK.

The structure that communicates the request and the response is not exported to user space, so it is unlikely that this netlink family is actually in use [1].

[1] https://lore.kernel.org/netdev/ZpqpB8vJU%2FQ6LSqa@debian/

Signed-off-by: Ido Schimmel
Reviewed-by: Guillaume Nault
--- net/ipv4/fib_frontend.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c index 7ad2cafb9276..da540ddb7af6 100644 --- a/net/ipv4/fib_frontend.c +++ b/net/ipv4/fib_frontend.c
@@ -1343,7 +1343,7 @@ static void nl_fib_lookup(struct net *net, struct fib_result_nl *frn) struct flowi4 fl4 = { .flowi4_mark = frn->fl_mark, .daddr = frn->fl_addr, - .flowi4_tos = frn->fl_tos, + .flowi4_tos = frn->fl_tos & IPTOS_RT_MASK, .flowi4_scope = frn->fl_scope, }; struct fib_table *tb;

From: Ido Schimmel
Subject: [RFC PATCH net-next 2/3] netfilter: nft_fib: Mask upper DSCP bits before FIB lookup
Date: Thu, 25 Jul 2024 16:17:28 +0300
Message-ID: <20240725131729.1729103-3-idosch@nvidia.com>

As part of its functionality, the nftables FIB expression module performs a FIB lookup, but unlike other users of the FIB lookup API, it does so without masking the upper DSCP bits. In particular, this differs from the equivalent iptables match ("rpfilter") that does mask the upper DSCP bits before the FIB lookup.

Align the module to other users of the FIB lookup API and mask the upper DSCP bits using IPTOS_RT_MASK before the lookup.

No regressions in nft_fib.sh:

 # ./nft_fib.sh
 PASS: fib expression did not cause unwanted packet drops
 PASS: fib expression did drop packets for 1.1.1.1
 PASS: fib expression did drop packets for 1c3::c01d
 PASS: fib expression forward check with policy based routing

Signed-off-by: Ido Schimmel
Reviewed-by: Guillaume Nault
--- net/ipv4/netfilter/nft_fib_ipv4.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c index 9eee535c64dd..df94bc28c3d7 100644 --- a/net/ipv4/netfilter/nft_fib_ipv4.c +++ b/net/ipv4/netfilter/nft_fib_ipv4.c @@ -22,8 +22,6 @@ static __be32 get_saddr(__be32 addr) return addr; } -#define DSCP_BITS 0xfc - void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs, const struct nft_pktinfo *pkt) {
@@ -110,7 +108,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, if (priv->flags & NFTA_FIB_F_MARK) fl4.flowi4_mark = pkt->skb->mark; - fl4.flowi4_tos = iph->tos & DSCP_BITS; + fl4.flowi4_tos = iph->tos & IPTOS_RT_MASK; if (priv->flags & NFTA_FIB_F_DADDR) { fl4.daddr = iph->daddr;

From: Ido Schimmel
Subject: [RFC PATCH net-next 3/3] ipv4: Centralize TOS matching
Date: Thu, 25 Jul 2024 16:17:29 +0300
Message-ID: <20240725131729.1729103-4-idosch@nvidia.com>

The TOS field in the IPv4 flow information structure ('flowi4_tos') is matched by the kernel against the TOS selector in IPv4 rules and routes. The field is initialized differently by different call sites. Some treat it as DSCP (RFC 2474) and initialize all six DSCP bits, some treat it as RFC 1349 TOS and initialize it using RT_TOS() and some treat it as RFC 791 TOS and initialize it using IPTOS_RT_MASK.

What is common to all these call sites is that they all initialize the lower three DSCP bits, which fits the TOS definition in the initial IPv4 specification (RFC 791).

Therefore, the kernel only allows configuring IPv4 FIB rules that match
on the lower three DSCP bits which are always guaranteed to be
initialized by all call sites:

 # ip -4 rule add tos 0x1c table 100
 # ip -4 rule add tos 0x3c table 100
 Error: Invalid tos.

While this works, it is unlikely to be very useful. RFC 791 that
initially defined the TOS and IP precedence fields was updated by RFC
2474 over twenty five years ago where these fields were replaced by a
single six bits DSCP field.

Extending FIB rules to match on DSCP can be done by adding a new DSCP
selector while maintaining the existing semantics of the TOS selector
for applications that rely on that.

A prerequisite for allowing FIB rules to match on DSCP is to adjust all
the call sites to initialize the high order DSCP bits and remove their
masking along the path to the core where the field is matched on.

However, making this change alone will result in a behavior change. For
example, a forwarded IPv4 packet with a DS field of 0xfc will no longer
match a FIB rule that was configured with 'tos 0x1c'.

This behavior change can be avoided by masking the upper three DSCP bits
in 'flowi4_tos' before comparing it against the TOS selectors in FIB
rules and routes.

Implement the above by adding a new function that checks whether a given
DSCP value matches the one specified in the IPv4 flow information
structure and invoke it from the three places that currently match on
'flowi4_tos'.

Use RT_TOS() for the masking of 'flowi4_tos' instead of IPTOS_RT_MASK
since the latter is not uAPI and we should be able to remove it at some
point.

No regressions in FIB tests:

 # ./fib_tests.sh
 [...]
 Tests passed: 218
 Tests failed: 0

And FIB rule tests:

 # ./fib_rule_tests.sh
 [...]
 Tests passed: 116
 Tests failed: 0

Signed-off-by: Ido Schimmel Reviewed-by: Guillaume Nault --- include/net/ip_fib.h | 7 +++++++ net/ipv4/fib_rules.c | 2 +- net/ipv4/fib_semantics.c | 3 +-- net/ipv4/fib_trie.c | 3 +-- 4 files changed, 10 insertions(+), 5 deletions(-) diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h index 72af2f223e59..967e4dc555fa 100644 --- a/include/net/ip_fib.h +++ b/include/net/ip_fib.h @@ -22,6 +22,8 @@ #include #include #include +#include +#include struct fib_config { u8 fc_dst_len; @@ -434,6 +436,11 @@ static inline bool fib4_rules_early_flow_dissect(struct net *net, #endif /* CONFIG_IP_MULTIPLE_TABLES */ +static inline bool fib_dscp_masked_match(dscp_t dscp, const struct flowi4 *fl4) +{ + return dscp == inet_dsfield_to_dscp(RT_TOS(fl4->flowi4_tos)); +} + /* Exported by fib_frontend.c */ extern const struct nla_policy rtm_ipv4_policy[]; void ip_fib_init(void); diff --git a/net/ipv4/fib_rules.c b/net/ipv4/fib_rules.c index 5bdd1c016009..c26776b71e97 100644 --- a/net/ipv4/fib_rules.c +++ b/net/ipv4/fib_rules.c @@ -186,7 +186,7 @@ INDIRECT_CALLABLE_SCOPE int fib4_rule_match(struct fib_rule *rule, ((daddr ^ r->dst) & r->dstmask)) return 0; - if (r->dscp && r->dscp != inet_dsfield_to_dscp(fl4->flowi4_tos)) + if (r->dscp && !fib_dscp_masked_match(r->dscp, fl4)) return 0; if (rule->ip_proto && (rule->ip_proto != fl4->flowi4_proto)) diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index 2b57cd2b96e2..0f70341cb8b5 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c @@ -2066,8 +2066,7 @@ static void fib_select_default(const struct flowi4 *flp, struct fib_result *res) if (fa->fa_slen != slen) continue; - if (fa->fa_dscp && - fa->fa_dscp != inet_dsfield_to_dscp(flp->flowi4_tos)) + if (fa->fa_dscp && !fib_dscp_masked_match(fa->fa_dscp, flp)) continue; if (fa->tb_id != tb->tb_id) continue; diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c index 8f30e3f00b7f..09e31757e96c 100644 --- a/net/ipv4/fib_trie.c +++ b/net/ipv4/fib_trie.c 
@@ -1580,8 +1580,7 @@ int fib_table_lookup(struct fib_table *tb, const struct flowi4 *flp, if (index >= (1ul << fa->fa_slen)) continue; } - if (fa->fa_dscp && - inet_dscp_to_dsfield(fa->fa_dscp) != flp->flowi4_tos) + if (fa->fa_dscp && !fib_dscp_masked_match(fa->fa_dscp, flp)) continue; /* Paired with WRITE_ONCE() in fib_release_info() */ if (READ_ONCE(fi->fib_dead))
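Review bot: fib_dscp_masked_match() in include/net/ip_fib.h has no comment explaining why 'flowi4_tos' goes through RT_TOS() before inet_dsfield_to_dscp(). The name says "masked" but not which bits or why. A short comment above the helper, stating that the upper three DSCP bits are masked so that existing TOS selectors keep matching once call sites stop masking 'flowi4_tos', would keep a later cleanup from dropping the RT_TOS() as redundant and would mark the spot where a future DSCP selector needs a separate, unmasked comparison.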
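Review bot: the fib4_rule_match() change in net/ipv4/fib_rules.c is what preserves the case the commit message calls out (a forwarded packet with a DS field of 0xfc still matching a rule configured with 'tos 0x1c'), but the diffstat touches no selftest, so nothing pins that behavior down. The existing fib_rule_tests.sh run passing shows no regression today, while call sites still mask the field. Consider adding a case to fib_rule_tests.sh that exercises a 'tos 0x1c' rule against traffic with the upper DSCP bits set, so the follow-up patches that remove the call-site masking are covered.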
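Review bot: in the fib_table_lookup() hunk of net/ipv4/fib_trie.c the removed test compared inet_dscp_to_dsfield(fa->fa_dscp) against the whole of flp->flowi4_tos, while the replacement converts 'flowi4_tos' to dscp_t after RT_TOS(), so at this call site the change is not a pure refactor. Bits of 'flowi4_tos' that previously had to be equal for the route to match are now discarded before the comparison, unlike the other two sites, which already went through inet_dsfield_to_dscp(). The commit message describes the masking in general terms; it should say explicitly that this site moves from an exact comparison of the field to a masked one and, if that is the case, that every caller reaching fib_table_lookup() already passed a value with those bits clear.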