[ovs-dev] [PATCH v3 08/10] netdev-offload-tc: Add conntrack support

Roi Dayan roid at mellanox.com
Tue Dec 3 13:45:32 UTC 2019


From: Paul Blakey <paulb at mellanox.com>

Zone and ct_state first.

Signed-off-by: Paul Blakey <paulb at mellanox.com>
---
 lib/dpif-netlink.c      |   2 +
 lib/netdev-offload-tc.c | 136 ++++++++++++++++++++++++++++++++++++++++++++----
 lib/tc.c                | 122 +++++++++++++++++++++++++++++++++++++++++++
 lib/tc.h                |  11 ++++
 4 files changed, 261 insertions(+), 10 deletions(-)

diff --git a/lib/dpif-netlink.c b/lib/dpif-netlink.c
index f0e870543ae5..3889f92d5c5c 100644
--- a/lib/dpif-netlink.c
+++ b/lib/dpif-netlink.c
@@ -1639,6 +1639,8 @@ dpif_netlink_netdev_match_to_dpif_flow(struct match *match,
         .support = {
             .max_vlan_headers = 2,
             .recirc = true,
+            .ct_state = true,
+            .ct_zone = true,
         },
     };
     size_t offset;
diff --git a/lib/netdev-offload-tc.c b/lib/netdev-offload-tc.c
index 7af5ad683bb7..7e422ff1b898 100644
--- a/lib/netdev-offload-tc.c
+++ b/lib/netdev-offload-tc.c
@@ -595,6 +595,35 @@ parse_tc_flower_to_match(struct tc_flower *flower,
             match_set_tp_dst_masked(match, key->sctp_dst, mask->sctp_dst);
             match_set_tp_src_masked(match, key->sctp_src, mask->sctp_src);
         }
+
+        if (mask->ct_state) {
+            uint8_t ct_statev = 0, ct_statem = 0;
+
+            if (mask->ct_state & TCA_FLOWER_KEY_CT_FLAGS_NEW) {
+                if (key->ct_state & TCA_FLOWER_KEY_CT_FLAGS_NEW) {
+                    ct_statev |= OVS_CS_F_NEW;
+                }
+                ct_statem |= OVS_CS_F_NEW;
+            }
+
+            if (mask->ct_state & TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED) {
+                if (key->ct_state & TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED) {
+                    ct_statev |= OVS_CS_F_ESTABLISHED;
+                }
+                ct_statem |= OVS_CS_F_ESTABLISHED;
+            }
+
+            if (mask->ct_state & TCA_FLOWER_KEY_CT_FLAGS_TRACKED) {
+                if (key->ct_state & TCA_FLOWER_KEY_CT_FLAGS_TRACKED) {
+                    ct_statev |= OVS_CS_F_TRACKED;
+                }
+                ct_statem |= OVS_CS_F_TRACKED;
+            }
+
+            match_set_ct_state_masked(match, ct_statev, ct_statem);
+        }
+
+        match_set_ct_zone_masked(match, key->ct_zone, mask->ct_zone);
     }
 
     if (flower->tunnel) {
@@ -746,6 +775,27 @@ parse_tc_flower_to_match(struct tc_flower *flower,
                 nl_msg_put_u32(buf, OVS_ACTION_ATTR_OUTPUT, odp_to_u32(outport));
             }
             break;
+            case TC_ACT_CT: {
+                size_t ct_offset;
+
+                if (action->ct.clear) {
+                    nl_msg_put_flag(buf, OVS_ACTION_ATTR_CT_CLEAR);
+                    break;
+                }
+
+                ct_offset = nl_msg_start_nested(buf, OVS_ACTION_ATTR_CT);
+
+                if (action->ct.commit) {
+                    nl_msg_put_flag(buf, OVS_CT_ATTR_COMMIT);
+                }
+
+                if (action->ct.zone) {
+                    nl_msg_put_u16(buf, OVS_CT_ATTR_ZONE, action->ct.zone);
+                }
+
+                nl_msg_end_nested(buf, ct_offset);
+            }
+            break;
             case TC_ACT_GOTO: {
                 nl_msg_put_u32(buf, OVS_ACTION_ATTR_RECIRC, action->chain);
             }
@@ -835,6 +885,34 @@ parse_mpls_set_action(struct tc_flower *flower, struct tc_action *action,
 }
 
 static int
+parse_put_flow_ct_action(struct tc_flower *flower,
+                         struct tc_action *action,
+                         const struct nlattr *ct,
+                         size_t ct_len)
+{
+        const struct nlattr *ct_attr;
+        size_t ct_left;
+        int err;
+
+        NL_ATTR_FOR_EACH_UNSAFE (ct_attr, ct_left, ct, ct_len) {
+            switch (nl_attr_type(ct_attr)) {
+                case OVS_CT_ATTR_COMMIT: {
+                        action->ct.commit = true;
+                }
+                break;
+                case OVS_CT_ATTR_ZONE: {
+                    action->ct.zone = nl_attr_get_u16(ct_attr);
+                }
+                break;
+            }
+        }
+
+        action->type = TC_ACT_CT;
+        flower->action_count++;
+        return 0;
+}
+
+static int
 parse_put_flow_set_masked_action(struct tc_flower *flower,
                                  struct tc_action *action,
                                  const struct nlattr *set,
@@ -1016,16 +1094,6 @@ test_key_and_mask(struct match *match)
         return EOPNOTSUPP;
     }
 
-    if (mask->ct_state) {
-        VLOG_DBG_RL(&rl, "offloading attribute ct_state isn't supported");
-        return EOPNOTSUPP;
-    }
-
-    if (mask->ct_zone) {
-        VLOG_DBG_RL(&rl, "offloading attribute ct_zone isn't supported");
-        return EOPNOTSUPP;
-    }
-
     if (mask->ct_mark) {
         VLOG_DBG_RL(&rl, "offloading attribute ct_mark isn't supported");
         return EOPNOTSUPP;
@@ -1386,6 +1454,42 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match,
         }
     }
 
+    if (mask->ct_state) {
+        if (mask->ct_state & OVS_CS_F_NEW) {
+            if (key->ct_state & OVS_CS_F_NEW) {
+                flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_NEW;
+            }
+            flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_NEW;
+        }
+
+        if (mask->ct_state & OVS_CS_F_ESTABLISHED) {
+            if (key->ct_state & OVS_CS_F_ESTABLISHED) {
+                flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED;
+            }
+            flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED;
+        }
+
+        if (mask->ct_state & OVS_CS_F_TRACKED) {
+            if (key->ct_state & OVS_CS_F_TRACKED) {
+                flower.key.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_TRACKED;
+            }
+            flower.mask.ct_state |= TCA_FLOWER_KEY_CT_FLAGS_TRACKED;
+        }
+
+        if (flower.key.ct_state & TCA_FLOWER_KEY_CT_FLAGS_ESTABLISHED) {
+            flower.key.ct_state &= ~(TCA_FLOWER_KEY_CT_FLAGS_NEW);
+            flower.mask.ct_state &= ~(TCA_FLOWER_KEY_CT_FLAGS_NEW);
+        }
+
+        mask->ct_state = 0;
+    }
+
+    if (mask->ct_zone) {
+        flower.key.ct_zone = key->ct_zone;
+        flower.mask.ct_zone = mask->ct_zone;
+        mask->ct_zone = 0;
+    }
+
     err = test_key_and_mask(match);
     if (err) {
         return err;
@@ -1453,6 +1557,18 @@ netdev_tc_flow_put(struct netdev *netdev, struct match *match,
             if (err) {
                 return err;
             }
+        } else if (nl_attr_type(nla) == OVS_ACTION_ATTR_CT) {
+            const struct nlattr *ct = nl_attr_get(nla);
+            const size_t ct_len = nl_attr_get_size(nla);
+
+            err = parse_put_flow_ct_action(&flower, action, ct, ct_len);
+            if (err) {
+                return err;
+            }
+        } else if (nl_attr_type(nla) == OVS_ACTION_ATTR_CT_CLEAR) {
+            action->type = TC_ACT_CT;
+            action->ct.clear = true;
+            flower.action_count++;
         } else if (nl_attr_type(nla) == OVS_ACTION_ATTR_RECIRC) {
             if (!recirc_id_sharing_support(info->dpif)) {
                 return EOPNOTSUPP;
diff --git a/lib/tc.c b/lib/tc.c
index 48d10da7055f..b76214edef4d 100644
--- a/lib/tc.c
+++ b/lib/tc.c
@@ -30,6 +30,7 @@
 #include <linux/tc_act/tc_skbedit.h>
 #include <linux/tc_act/tc_tunnel_key.h>
 #include <linux/tc_act/tc_vlan.h>
+#include <linux/tc_act/tc_ct.h>
 #include <linux/gen_stats.h>
 #include <net/if.h>
 #include <unistd.h>
@@ -399,6 +400,10 @@ static const struct nl_policy tca_flower_policy[] = {
     [TCA_FLOWER_KEY_ENC_OPTS] = { .type = NL_A_NESTED, .optional = true, },
     [TCA_FLOWER_KEY_ENC_OPTS_MASK] = { .type = NL_A_NESTED,
                                        .optional = true, },
+    [TCA_FLOWER_KEY_CT_STATE] = { .type = NL_A_U16, .optional = true, },
+    [TCA_FLOWER_KEY_CT_STATE_MASK] = { .type = NL_A_U16, .optional = true, },
+    [TCA_FLOWER_KEY_CT_ZONE] = { .type = NL_A_U16, .optional = true, },
+    [TCA_FLOWER_KEY_CT_ZONE_MASK] = { .type = NL_A_U16, .optional = true, },
 };
 
 static void
@@ -703,6 +708,27 @@ nl_parse_flower_tunnel(struct nlattr **attrs, struct tc_flower *flower)
 }
 
 static void
+nl_parse_flower_ct_match(struct nlattr **attrs, struct tc_flower *flower) {
+    struct tc_flower_key *key = &flower->key;
+    struct tc_flower_key *mask = &flower->mask;
+    struct nlattr *attr_key, *attr_mask;
+
+    attr_key = attrs[TCA_FLOWER_KEY_CT_STATE];
+    attr_mask = attrs[TCA_FLOWER_KEY_CT_STATE_MASK];
+    if (attr_mask) {
+        key->ct_state = nl_attr_get_u16(attr_key);
+        mask->ct_state = nl_attr_get_u16(attr_mask);
+    }
+
+    attr_key = attrs[TCA_FLOWER_KEY_CT_ZONE];
+    attr_mask = attrs[TCA_FLOWER_KEY_CT_ZONE_MASK];
+    if (attrs[TCA_FLOWER_KEY_CT_ZONE_MASK]) {
+        key->ct_zone = nl_attr_get_u16(attr_key);
+        mask->ct_zone = nl_attr_get_u16(attr_mask);
+    }
+}
+
+static void
 nl_parse_flower_ip(struct nlattr **attrs, struct tc_flower *flower) {
     uint8_t ip_proto = 0;
     struct tc_flower_key *key = &flower->key;
@@ -799,6 +825,8 @@ nl_parse_flower_ip(struct nlattr **attrs, struct tc_flower *flower) {
         key->ip_tos = nl_attr_get_u8(attrs[TCA_FLOWER_KEY_IP_TOS]);
         mask->ip_tos = nl_attr_get_u8(attrs[TCA_FLOWER_KEY_IP_TOS_MASK]);
     }
+
+    nl_parse_flower_ct_match(attrs, flower);
 }
 
 static enum tc_offloaded_state
@@ -1219,6 +1247,54 @@ nl_parse_act_mirred(struct nlattr *options, struct tc_flower *flower)
     return 0;
 }
 
+static const struct nl_policy ct_policy[] = {
+    [TCA_CT_PARMS] = { .type = NL_A_UNSPEC,
+                              .min_len = sizeof(struct tc_ct),
+                              .optional = false, },
+    [TCA_CT_ACTION] = { .type = NL_A_U16,
+                         .optional = true, },
+    [TCA_CT_ZONE] = { .type = NL_A_U16,
+                      .optional = true, },
+};
+
+static int
+nl_parse_act_ct(struct nlattr *options, struct tc_flower *flower)
+{
+    struct nlattr *ct_attrs[ARRAY_SIZE(ct_policy)];
+    const struct nlattr *ct_parms;
+    struct tc_action *action;
+    const struct tc_ct *ct;
+    uint16_t ct_action = 0;
+
+    if (!nl_parse_nested(options, ct_policy, ct_attrs,
+                         ARRAY_SIZE(ct_policy))) {
+        VLOG_ERR_RL(&error_rl, "failed to parse ct action options");
+        return EPROTO;
+    }
+
+    ct_parms = ct_attrs[TCA_CT_PARMS];
+    ct = nl_attr_get_unspec(ct_parms, sizeof *ct);
+
+    if (ct_attrs[TCA_CT_ACTION]) {
+        ct_action = nl_attr_get_u16(ct_attrs[TCA_CT_ACTION]);
+    }
+
+    action = &flower->actions[flower->action_count++];
+    action->ct.clear = ct_action & TCA_CT_ACT_CLEAR;
+    if (!action->ct.clear) {
+        struct nlattr *zone = ct_attrs[TCA_CT_ZONE];
+
+        action->ct.commit = ct_action & TCA_CT_ACT_COMMIT;
+        action->ct.force = ct_action & TCA_CT_ACT_FORCE;
+
+        action->ct.zone = zone ? nl_attr_get_u16(zone) : 0;
+
+    }
+    action->type = TC_ACT_CT;
+
+    return 0;
+}
+
 static const struct nl_policy vlan_policy[] = {
     [TCA_VLAN_PARMS] = { .type = NL_A_UNSPEC,
                          .min_len = sizeof(struct tc_vlan),
@@ -1449,6 +1525,8 @@ nl_parse_single_action(struct nlattr *action, struct tc_flower *flower)
         nl_parse_act_csum(act_options, flower);
     } else if (!strcmp(act_kind, "skbedit")) {
         /* Added for TC rule only (not in OvS rule) so ignore. */
+    } else if (!strcmp(act_kind, "ct")) {
+        nl_parse_act_ct(act_options, flower);
     } else {
         VLOG_ERR_RL(&error_rl, "unknown tc action kind: %s", act_kind);
         err = EINVAL;
@@ -1904,6 +1982,40 @@ nl_msg_put_act_gact(struct ofpbuf *request, uint32_t chain)
 }
 
 static void
+nl_msg_put_act_ct(struct ofpbuf *request, struct tc_action *action)
+{
+    uint16_t ct_action = 0;
+    size_t offset;
+
+    nl_msg_put_string(request, TCA_ACT_KIND, "ct");
+    offset = nl_msg_start_nested(request, TCA_ACT_OPTIONS | NLA_F_NESTED);
+    {
+        struct tc_ct ct = {
+                .action = TC_ACT_PIPE,
+        };
+
+        if (!action->ct.clear) {
+            if (action->ct.zone) {
+                nl_msg_put_u16(request, TCA_CT_ZONE, action->ct.zone);
+            }
+
+            if (action->ct.commit) {
+                ct_action = TCA_CT_ACT_COMMIT;
+                if (action->ct.force) {
+                    ct_action |= TCA_CT_ACT_FORCE;
+                }
+            }
+        } else {
+            ct_action = TCA_CT_ACT_CLEAR;
+        }
+
+        nl_msg_put_u16(request, TCA_CT_ACTION, ct_action);
+        nl_msg_put_unspec(request, TCA_CT_PARMS, &ct, sizeof ct);
+    }
+    nl_msg_end_nested(request, offset);
+}
+
+static void
 nl_msg_put_act_skbedit_to_host(struct ofpbuf *request)
 {
     size_t offset;
@@ -2260,6 +2372,13 @@ nl_msg_put_flower_acts(struct ofpbuf *request, struct tc_flower *flower)
                 nl_msg_end_nested(request, act_offset);
             }
             break;
+            case TC_ACT_CT: {
+                act_offset = nl_msg_start_nested(request, act_index++);
+                nl_msg_put_act_ct(request, action);
+                nl_msg_put_act_cookie(request, &flower->act_cookie);
+                nl_msg_end_nested(request, act_offset);
+            }
+            break;
             }
         }
     }
@@ -2427,6 +2546,9 @@ nl_msg_put_flower_options(struct ofpbuf *request, struct tc_flower *flower)
             FLOWER_PUT_MASKED_VALUE(sctp_src, TCA_FLOWER_KEY_SCTP_SRC);
             FLOWER_PUT_MASKED_VALUE(sctp_dst, TCA_FLOWER_KEY_SCTP_DST);
         }
+
+        FLOWER_PUT_MASKED_VALUE(ct_state, TCA_FLOWER_KEY_CT_STATE);
+        FLOWER_PUT_MASKED_VALUE(ct_zone, TCA_FLOWER_KEY_CT_ZONE);
     }
 
     if (host_eth_type == ETH_P_IP) {
diff --git a/lib/tc.h b/lib/tc.h
index 9154fd889ef9..8200c20ac4fc 100644
--- a/lib/tc.h
+++ b/lib/tc.h
@@ -116,6 +116,9 @@ struct tc_flower_key {
     uint8_t ip_ttl;
     uint8_t ip_tos;
 
+    uint16_t ct_state;
+    uint16_t ct_zone;
+
     struct {
         ovs_be32 ipv4_src;
         ovs_be32 ipv4_dst;
@@ -157,6 +160,7 @@ enum tc_action_type {
     TC_ACT_MPLS_PUSH,
     TC_ACT_MPLS_SET,
     TC_ACT_GOTO,
+    TC_ACT_CT,
 };
 
 struct tc_action {
@@ -200,6 +204,13 @@ struct tc_action {
             } ipv6;
             struct tun_metadata data;
         } encap;
+
+        struct {
+            uint16_t zone;
+            bool clear;
+            bool force;
+            bool commit;
+        } ct;
      };
 
      enum tc_action_type type;
-- 
2.8.4



More information about the dev mailing list