[ovs-dev] [PATCH v3] netdev-linux: set correct action for packets that passed policer

Wed, 03 Aug 2022 03:33:18 -0700 

Referenced commit changed policer action type from TC_ACT_UNSPEC (continue)
to TC_ACT_PIPE. However, since neither TC hardware offload layer nor mlx5
driver at the time validated action type and always assumed 'continue', the
breakage wasn't caught until later validation code was added. The change
also broke valid configuration when sending from offload-capable device to
non-offload capable. For example, when sending from mlx5 VF to OvS bridge
netdevice the traffic that passed matchall classifier with policer could no
longer match the following flower rule in software:

filter protocol all pref 1 matchall chain 0
filter protocol all pref 1 matchall chain 0 handle 0x1
  in_hw (rule hit 7863)
        action order 1:  police 0x1 rate 32Mbit burst 1000Kb mtu 64Kb action 
drop/pipe overhead 0b
        ref 1 bind 1  installed 17 sec firstused 17 sec
        Action statistics:
        Sent 152199634 bytes 102550 pkt (dropped 1315, overlimits 1315 requeues 
0)
        Sent software 74612172 bytes 51275 pkt
        Sent hardware 77587462 bytes 51275 pkt
        backlog 0b 0p requeues 0
        used_hw_stats delayed

filter protocol ip pref 3 flower chain 0
filter protocol ip pref 3 flower chain 0 handle 0x1
  dst_mac aa:94:1f:f2:f8:44
  src_mac e4:00:01:08:00:02
  eth_type ipv4
  ip_flags nofrag
  not_in_hw
        action order 1: skbedit  ptype host pipe
         index 1 ref 1 bind 1 installed 6 sec used 6 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0

        action order 2: mirred (Ingress Redirect to device br-ovs) stolen
        index 1 ref 1 bind 1 installed 6 sec used 6 sec
        Action statistics:
        Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
        backlog 0b 0p requeues 0
        cookie 401a9c8b3d403c62240d3eb5e21c1604
        no_percpu

Fix the issue by restoring matchall and basic policers action type to
'continue'.

Fixes: c2567e533f8a ("add port-based ingress policing based packet-per-second 
rate-limiting")
Signed-off-by: Vlad Buslov <vla...@nvidia.com>
---

Notes:
    Changes V2 -> V3:
    
    - Refactored the fix to set action TC_ACT_UNSPEC only for matchall/basic
    classifiers.
    
    Changes V1 -> V2:
    
    - Rebase on latest master.

 lib/netdev-linux.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/lib/netdev-linux.c b/lib/netdev-linux.c
index 9e63b124221d..b74ec06dcd50 100644
--- a/lib/netdev-linux.c
+++ b/lib/netdev-linux.c
@@ -2621,16 +2621,17 @@ nl_msg_act_police_start_nest(struct ofpbuf *request, 
uint32_t prio,
 
 static void
 nl_msg_act_police_end_nest(struct ofpbuf *request, size_t offset,
-                           size_t act_offset)
+                           size_t act_offset, uint32_t notexceed_act)
 {
-    nl_msg_put_u32(request, TCA_POLICE_RESULT, TC_ACT_PIPE);
+    nl_msg_put_u32(request, TCA_POLICE_RESULT, notexceed_act);
     nl_msg_end_nested(request, offset);
     nl_msg_end_nested(request, act_offset);
 }
 
 static void
 nl_msg_put_act_police(struct ofpbuf *request, struct tc_police *police,
-                      uint64_t pkts_rate, uint64_t pkts_burst)
+                      uint64_t pkts_rate, uint64_t pkts_burst,
+                      uint32_t notexceed_act)
 {
     size_t offset, act_offset;
     uint32_t prio = 0;
@@ -2652,7 +2653,7 @@ nl_msg_put_act_police(struct ofpbuf *request, struct 
tc_police *police,
         nl_msg_put_u64(request, TCA_POLICE_PKTBURST64, pkt_burst_ticks);
     }
     nl_msg_put_unspec(request, TCA_POLICE_TBF, police, sizeof *police);
-    nl_msg_act_police_end_nest(request, offset, act_offset);
+    nl_msg_act_police_end_nest(request, offset, act_offset, notexceed_act);
 }
 
 static int
@@ -2686,7 +2687,7 @@ tc_add_matchall_policer(struct netdev *netdev, uint32_t 
kbits_rate,
     basic_offset = nl_msg_start_nested(&request, TCA_OPTIONS);
     action_offset = nl_msg_start_nested(&request, TCA_MATCHALL_ACT);
     nl_msg_put_act_police(&request, &pol_act, kpkts_rate * 1000,
-                          kpkts_burst * 1000);
+                          kpkts_burst * 1000, TC_ACT_UNSPEC);
     nl_msg_end_nested(&request, action_offset);
     nl_msg_end_nested(&request, basic_offset);
 
@@ -5655,7 +5656,7 @@ tc_add_policer(struct netdev *netdev, uint32_t kbits_rate,
     police_offset = nl_msg_start_nested(&request, TCA_BASIC_ACT);
     tc_policer_init(&tc_police, kbits_rate, kbits_burst);
     nl_msg_put_act_police(&request, &tc_police, kpkts_rate * 1000ULL,
-                          kpkts_burst * 1000ULL);
+                          kpkts_burst * 1000ULL, TC_ACT_UNSPEC);
     nl_msg_end_nested(&request, police_offset);
     nl_msg_end_nested(&request, basic_offset);
 
@@ -5689,7 +5690,8 @@ tc_add_policer_action(uint32_t index, uint32_t kbits_rate,
     }
 
     offset = nl_msg_start_nested(&request, TCA_ACT_TAB);
-    nl_msg_put_act_police(&request, &tc_police, pkts_rate, pkts_burst);
+    nl_msg_put_act_police(&request, &tc_police, pkts_rate, pkts_burst,
+                          TC_ACT_PIPE);
     nl_msg_end_nested(&request, offset);
 
     error = tc_transact(&request, NULL);
-- 
2.36.1

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to