Commit c9588e28 authored by Jiri Pirko's avatar Jiri Pirko Committed by David S. Miller
Browse files

mlxsw: spectrum_acl: Track rules that forbid egress block bind 



Some matches and actions are not supported on egress. Track such rules
and forbid a bind of block which contains them to egress.

With this patch, the kernel tells the user he cannot do that:
$ tc qdisc add dev ens16np1 ingress_block 22 clsact
$ tc filter add block 22 protocol 802.1q pref 2 handle 101 flower vlan_id 100 skip_sw action pass
$ tc qdisc add dev ens16np2 egress_block 22 clsact
Error: mlxsw_spectrum: Block cannot be bound to egress because it contains unsupported rules.

Signed-off-by: default avatarJiri Pirko <jiri@mellanox.com>
Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 185556f0

drivers/net/ethernet/mellanox/mlxsw/spectrum.c

+1 −1
Original line number Diff line number Diff line
@@ -1625,7 +1625,7 @@ mlxsw_sp_setup_tc_block_flower_bind(struct mlxsw_sp_port *mlxsw_sp_port, 
	}

	flow_block_cb_incref(block_cb);

	err = mlxsw_sp_acl_block_bind(mlxsw_sp, acl_block,

				      mlxsw_sp_port, ingress);

				      mlxsw_sp_port, ingress, f->extack);

	if (err)

		goto err_block_bind;

drivers/net/ethernet/mellanox/mlxsw/spectrum.h

+5 −2
Original line number Diff line number Diff line
@@ -623,7 +623,8 @@ struct mlxsw_sp_acl_rule_info { 
	unsigned int priority;

	struct mlxsw_afk_element_values values;

	struct mlxsw_afa_block *act_block;

	u8 action_created:1;

	u8 action_created:1,

	   egress_bind_blocker:1;

	unsigned int counter_index;

};
@@ -642,6 +643,7 @@ struct mlxsw_sp_acl_block { 
	struct mlxsw_sp *mlxsw_sp;

	unsigned int rule_count;

	unsigned int disable_count;

	unsigned int egress_blocker_rule_count;

	struct net *net;

};
@@ -657,7 +659,8 @@ void mlxsw_sp_acl_block_destroy(struct mlxsw_sp_acl_block *block); 
int mlxsw_sp_acl_block_bind(struct mlxsw_sp *mlxsw_sp,

			    struct mlxsw_sp_acl_block *block,

			    struct mlxsw_sp_port *mlxsw_sp_port,

			    bool ingress);

			    bool ingress,

			    struct netlink_ext_ack *extack);

int mlxsw_sp_acl_block_unbind(struct mlxsw_sp *mlxsw_sp,

			      struct mlxsw_sp_acl_block *block,

			      struct mlxsw_sp_port *mlxsw_sp_port,

drivers/net/ethernet/mellanox/mlxsw/spectrum_acl.c

+13 −4
Original line number Diff line number Diff line
@@ -239,7 +239,8 @@ mlxsw_sp_acl_block_lookup(struct mlxsw_sp_acl_block *block, 
int mlxsw_sp_acl_block_bind(struct mlxsw_sp *mlxsw_sp,

			    struct mlxsw_sp_acl_block *block,

			    struct mlxsw_sp_port *mlxsw_sp_port,

			    bool ingress)

			    bool ingress,

			    struct netlink_ext_ack *extack)

{

	struct mlxsw_sp_acl_block_binding *binding;

	int err;
@@ -247,6 +248,11 @@ int mlxsw_sp_acl_block_bind(struct mlxsw_sp *mlxsw_sp, 
	if (WARN_ON(mlxsw_sp_acl_block_lookup(block, mlxsw_sp_port, ingress)))

		return -EEXIST;



	if (!ingress && block->egress_blocker_rule_count) {

		NL_SET_ERR_MSG_MOD(extack, "Block cannot be bound to egress because it contains unsupported rules");

		return -EOPNOTSUPP;

	}



	binding = kzalloc(sizeof(*binding), GFP_KERNEL);

	if (!binding)

		return -ENOMEM;
@@ -672,6 +678,7 @@ int mlxsw_sp_acl_rule_add(struct mlxsw_sp *mlxsw_sp, 
{

	struct mlxsw_sp_acl_ruleset *ruleset = rule->ruleset;

	const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops;

	struct mlxsw_sp_acl_block *block = ruleset->ht_key.block;

	int err;



	err = ops->rule_add(mlxsw_sp, ruleset->priv, rule->priv, rule->rulei);
@@ -689,14 +696,14 @@ int mlxsw_sp_acl_rule_add(struct mlxsw_sp *mlxsw_sp, 
		 * one, to be directly bound to device. The rest of the

		 * rulesets are bound by "Goto action set".

		 */

		err = mlxsw_sp_acl_ruleset_block_bind(mlxsw_sp, ruleset,

						      ruleset->ht_key.block);

		err = mlxsw_sp_acl_ruleset_block_bind(mlxsw_sp, ruleset, block);

		if (err)

			goto err_ruleset_block_bind;

	}



	list_add_tail(&rule->list, &mlxsw_sp->acl->rules);

	ruleset->ht_key.block->rule_count++;

	block->rule_count++;

	block->egress_blocker_rule_count += rule->rulei->egress_bind_blocker;

	return 0;



err_ruleset_block_bind:
@@ -712,7 +719,9 @@ void mlxsw_sp_acl_rule_del(struct mlxsw_sp *mlxsw_sp, 
{

	struct mlxsw_sp_acl_ruleset *ruleset = rule->ruleset;

	const struct mlxsw_sp_acl_profile_ops *ops = ruleset->ht_key.ops;

	struct mlxsw_sp_acl_block *block = ruleset->ht_key.block;



	block->egress_blocker_rule_count -= rule->rulei->egress_bind_blocker;

	ruleset->ht_key.block->rule_count--;

	list_del(&rule->list);

	if (!ruleset->ht_key.chain_index &&

drivers/net/ethernet/mellanox/mlxsw/spectrum_flower.c

+11 −0
Original line number Diff line number Diff line
@@ -83,6 +83,11 @@ static int mlxsw_sp_flower_parse_actions(struct mlxsw_sp *mlxsw_sp, 
				return -EOPNOTSUPP;

			}



			/* Forbid block with this rulei to be bound

			 * to egress in future.

			 */

			rulei->egress_bind_blocker = 1;



			fid = mlxsw_sp_acl_dummy_fid(mlxsw_sp);

			fid_index = mlxsw_sp_fid_index(fid);

			err = mlxsw_sp_acl_rulei_act_fid_set(mlxsw_sp, rulei,
@@ -395,6 +400,12 @@ static int mlxsw_sp_flower_parse(struct mlxsw_sp *mlxsw_sp, 
			NL_SET_ERR_MSG_MOD(f->common.extack, "vlan_id key is not supported on egress");

			return -EOPNOTSUPP;

		}



		/* Forbid block with this rulei to be bound

		 * to egress in future.

		 */

		rulei->egress_bind_blocker = 1;



		if (match.mask->vlan_id != 0)

			mlxsw_sp_acl_rulei_keymask_u32(rulei,

						       MLXSW_AFK_ELEMENT_VID,

CRA Git | Maintained and supported by SUSTech CRA and CCSE