Netdev Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Jamal Hadi Salim <email@example.com>
To: Ido Schimmel <firstname.lastname@example.org>
Cc: Boris Sukholitko <email@example.com>,
firstname.lastname@example.org, Jiri Pirko <email@example.com>,
Cong Wang <firstname.lastname@example.org>,
"David S . Miller" <email@example.com>,
Jakub Kicinski <firstname.lastname@example.org>,
Vladimir Oltean <email@example.com>,
Vadym Kochan <firstname.lastname@example.org>,
Ilya Lifshits <email@example.com>,
tom Herbert <firstname.lastname@example.org>,
Felipe Magno de Almeida <email@example.com>,
Pedro Tammela <firstname.lastname@example.org>
Subject: Re: [PATCH net-next] net/sched: cls_flower: Add orig_ethtype
Date: Fri, 3 Sep 2021 18:52:26 -0400 [thread overview]
Message-ID: <email@example.com> (raw)
On 2021-09-02 2:48 a.m., Ido Schimmel wrote:
> On Tue, Aug 31, 2021 at 09:18:16AM -0400, Jamal Hadi Salim wrote:
>> You have _not_ been unlucky - it is a design issue with flow dissector
>> and the wrapping around flower. Just waiting to happen for more
>> other use cases..
> I agree. I think the fundamental problem is that flower does not set
> 'FLOW_DISSECTOR_F_STOP_AT_ENCAP' and simply lets the flow dissector
> parse as deep as possible. For example, 'dst_ip' will match on the
> inner most destination IP which is not intuitive and probably different
> than what most hardware implementations do.
> This behavior is also very error prone because it means that if the
> kernel learns to dissect a new tunnel protocol, filters can be suddenly
> broken (match on outer field now matches on inner field).
indeed, lots of ambiguity with multiple appearing headers of the same
type (eg ethernet/ethernet/ethernet or ip/ip/udp/vxlan/ip/...).
> I don't think that changing the default behavior is a solution as it can
> break user space. Maybe adding a 'stop_encap' flag to flower that user
> space will have to set?
Yes, this would work for the case of one simple rule that Boris posted
(small addition to user space).
For the rest of the data he was trying to match (ip headers) further
parsing would be needed before matching.
Unfortunately, there is a lot of _ambiguity_ in those kind of
scenarios. Today's approach in TC is you pop some header then advance
the packet cursor - and the next rule picks up where the first one left
off (i.e something like action "pppoe pop" would be needed).
The suggestion i made to Boris was to make it parse everything pppoe has
to offer in one rule - but that would not be advancing any skb data
pointers and would possibly require that one extra change i suggested
to set protocol to tp->protocol; such an approach is probably closest
to what hardware would do (i.e parse everything you need then match).
I am not sure which approach is less intrusive; imo, the challenge here
is perhaps the flow dissector is getting messy as a generic parser.
Maybe Tom and co can post patches for Panda which handles these
issues much more smoothly... Tom?
On your point on the hardware: interesting, guess I never thought of
possible inconsistencies. IIUC, as it stands today the software version
may end up having very different result than a supposedly equivalent
Would it make sense to make the hardware parsing also programmable
from software so there is consistency?
next prev parent reply other threads:[~2021-09-03 22:52 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-30 8:08 Boris Sukholitko
2021-08-30 9:00 ` Vladimir Oltean
2021-08-30 9:04 ` Vladimir Oltean
2021-08-30 9:18 ` Boris Sukholitko
2021-08-30 9:21 ` Vladimir Oltean
2021-08-30 9:42 ` Boris Sukholitko
2021-08-30 10:13 ` Vladimir Oltean
2021-08-31 1:48 ` Jamal Hadi Salim
2021-08-31 12:04 ` Boris Sukholitko
2021-08-31 13:18 ` Jamal Hadi Salim
2021-08-31 14:03 ` Boris Sukholitko
2021-09-02 6:48 ` Ido Schimmel
2021-09-03 22:52 ` Jamal Hadi Salim [this message]
2021-09-04 14:08 ` Tom Herbert
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--subject='Re: [PATCH net-next] net/sched: cls_flower: Add orig_ethtype' \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).