[ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
This adds an explicit drop action. This is used by OVS to drop packets for which it cannot determine what to do. An explicit action in the kernel allows passing the reason _why_ the packet is being dropped. We can then use perf tracing to match on the drop reason. e.g. trace all OVS dropped skbs # perf trace -e skb:kfree_skb --filter="reason >= 0x3" [..] 106.023 ping/2465 skb:kfree_skb(skbaddr: 0xa0e8765f2000, \ location:0xc0d9b462, protocol: 2048, reason: 196610) reason: 196610 --> 0x30002 (OVS_XLATE_RECURSION_TOO_DEEP) Signed-off-by: Eric Garver --- include/uapi/linux/openvswitch.h| 2 ++ net/openvswitch/actions.c | 13 + net/openvswitch/flow_netlink.c | 12 +++- .../testing/selftests/net/openvswitch/ovs-dpctl.py | 3 +++ 4 files changed, 29 insertions(+), 1 deletion(-) diff --git a/include/uapi/linux/openvswitch.h b/include/uapi/linux/openvswitch.h index e94870e77ee9..a967dbca3574 100644 --- a/include/uapi/linux/openvswitch.h +++ b/include/uapi/linux/openvswitch.h @@ -965,6 +965,7 @@ struct check_pkt_len_arg { * start of the packet or at the start of the l3 header depending on the value * of l3 tunnel flag in the tun_flags field of OVS_ACTION_ATTR_ADD_MPLS * argument. + * @OVS_ACTION_ATTR_DROP: Explicit drop action. * * Only a single header can be set with a single %OVS_ACTION_ATTR_SET. Not all * fields within a header are modifiable, e.g. the IPv4 protocol and fragment @@ -1002,6 +1003,7 @@ enum ovs_action_attr { OVS_ACTION_ATTR_CHECK_PKT_LEN, /* Nested OVS_CHECK_PKT_LEN_ATTR_*. */ OVS_ACTION_ATTR_ADD_MPLS, /* struct ovs_action_add_mpls. */ OVS_ACTION_ATTR_DEC_TTL, /* Nested OVS_DEC_TTL_ATTR_*. */ + OVS_ACTION_ATTR_DROP, /* u32 xlate_error. */ __OVS_ACTION_ATTR_MAX,/* Nothing past this will be accepted * from userspace. */ diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c index cab1e02b63e0..4ad9a45dc042 100644 --- a/net/openvswitch/actions.c +++ b/net/openvswitch/actions.c @@ -32,6 +32,7 @@ #include "vport.h" #include "flow_netlink.h" #include "openvswitch_trace.h" +#include "drop.h" struct deferred_action { struct sk_buff *skb; @@ -1477,6 +1478,18 @@ static int do_execute_actions(struct datapath *dp, struct sk_buff *skb, return dec_ttl_exception_handler(dp, skb, key, a); break; + + case OVS_ACTION_ATTR_DROP: + u32 reason = nla_get_u32(a); + + reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << + SKB_DROP_REASON_SUBSYS_SHIFT; + + if (reason == OVS_XLATE_OK) + break; + + kfree_skb_reason(skb, reason); + return 0; } if (unlikely(err)) { diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c index 41116361433d..23d39eae9a0d 100644 --- a/net/openvswitch/flow_netlink.c +++ b/net/openvswitch/flow_netlink.c @@ -39,6 +39,7 @@ #include #include "flow_netlink.h" +#include "drop.h" struct ovs_len_tbl { int len; @@ -61,6 +62,7 @@ static bool actions_may_change_flow(const struct nlattr *actions) case OVS_ACTION_ATTR_RECIRC: case OVS_ACTION_ATTR_TRUNC: case OVS_ACTION_ATTR_USERSPACE: + case OVS_ACTION_ATTR_DROP: break; case OVS_ACTION_ATTR_CT: @@ -2394,7 +2396,7 @@ static void ovs_nla_free_nested_actions(const struct nlattr *actions, int len) /* Whenever new actions are added, the need to update this * function should be considered. */ - BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 23); + BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 24); if (!actions) return; @@ -3182,6 +3184,7 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, [OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct ovs_action_add_mpls), [OVS_ACTION_ATTR_DEC_TTL] = (u32)-1, + [OVS_ACTION_ATTR_DROP] = sizeof(u32), }; const struct ovs_action_push_vlan *vlan; int type = nla_type(a); @@ -3453,6 +3456,13 @@ static int __ovs_nla_copy_actions(struct net *net, const struct nlattr *attr, skip_copy = true; break; + case OVS_ACTION_ATTR_DROP: + if (nla_get_u32(a) >= + u32_get_bits(OVS_XLATE_MAX, +~SKB_DROP_REASON_SUBSYS_MASK
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
Hi Eric, kernel test robot noticed the following build errors: [auto build test ERROR on net-next/main] url: https://github.com/intel-lab-lkp/linux/commits/Eric-Garver/net-openvswitch-add-drop-reasons/20230630-043307 base: net-next/main patch link: https://lore.kernel.org/r/20230629203005.2137107-3-eric%40garver.life patch subject: [PATCH net-next 2/2] net: openvswitch: add drop action config: mips-randconfig-r036-20230629 (https://download.01.org/0day-ci/archive/20230630/202306300645.towwst4x-...@intel.com/config) compiler: clang version 14.0.6 (https://github.com/llvm/llvm-project.git f28c006a5895fc0e329fe15fead81e37457cb1d1) reproduce: (https://download.01.org/0day-ci/archive/20230630/202306300645.towwst4x-...@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot | Closes: https://lore.kernel.org/oe-kbuild-all/202306300645.towwst4x-...@intel.com/ All errors (new ones prefixed by >>): >> net/openvswitch/actions.c:1483:4: error: expected expression u32 reason = nla_get_u32(a); ^ >> net/openvswitch/actions.c:1485:4: error: use of undeclared identifier >> 'reason' reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << ^ net/openvswitch/actions.c:1488:8: error: use of undeclared identifier 'reason' if (reason == OVS_XLATE_OK) ^ net/openvswitch/actions.c:1491:26: error: use of undeclared identifier 'reason' kfree_skb_reason(skb, reason); ^ 4 errors generated. vim +1483 net/openvswitch/actions.c 1285 1286 /* Execute a list of actions against 'skb'. */ 1287 static int do_execute_actions(struct datapath *dp, struct sk_buff *skb, 1288struct sw_flow_key *key, 1289const struct nlattr *attr, int len) 1290 { 1291 const struct nlattr *a; 1292 int rem; 1293 1294 for (a = attr, rem = len; rem > 0; 1295 a = nla_next(a, &rem)) { 1296 int err = 0; 1297 1298 if (trace_ovs_do_execute_action_enabled()) 1299 trace_ovs_do_execute_action(dp, skb, key, a, rem); 1300 1301 switch (nla_type(a)) { 1302 case OVS_ACTION_ATTR_OUTPUT: { 1303 int port = nla_get_u32(a); 1304 struct sk_buff *clone; 1305 1306 /* Every output action needs a separate clone 1307 * of 'skb', In case the output action is the 1308 * last action, cloning can be avoided. 1309 */ 1310 if (nla_is_last(a, rem)) { 1311 do_output(dp, skb, port, key); 1312 /* 'skb' has been used for output. 1313 */ 1314 return 0; 1315 } 1316 1317 clone = skb_clone(skb, GFP_ATOMIC); 1318 if (clone) 1319 do_output(dp, clone, port, key); 1320 OVS_CB(skb)->cutlen = 0; 1321 break; 1322 } 1323 1324 case OVS_ACTION_ATTR_TRUNC: { 1325 struct ovs_action_trunc *trunc = nla_data(a); 1326 1327 if (skb->len > trunc->max_len) 1328 OVS_CB(skb)->cutlen = skb->len - trunc->max_len; 1329 break; 1330 } 1331 1332 case OVS_ACTION_ATTR_USERSPACE: 1333 output_userspace(dp, skb, key, a, attr, 1334 len, OVS_CB(skb)->cutlen); 1335 OVS_CB(skb)->cutlen = 0; 1336 break; 1337 1338 case OVS_ACTION_ATTR_HASH: 1339 execute_hash(skb, key, a); 1340 break; 1341 1342 case OVS_ACTION_ATTR_PUSH_MPLS: { 1343 struct ovs_action_push_mpls *mpls = nla_data(a); 1344 1345 err = push_mpls(skb, key, mpls->mpls_lse, 1346 mpls->mpls_ethertype, skb->mac_len); 1347 break; 1348 } 1349 case OVS_ACTION_ATTR_ADD_MPLS: { 1350 struct ovs_action_add_mpls *mpls = nla_data(a); 1351
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
Hi Eric, kernel test robot noticed the following build errors: [auto build test ERROR on net-next/main] url: https://github.com/intel-lab-lkp/linux/commits/Eric-Garver/net-openvswitch-add-drop-reasons/20230630-043307 base: net-next/main patch link: https://lore.kernel.org/r/20230629203005.2137107-3-eric%40garver.life patch subject: [PATCH net-next 2/2] net: openvswitch: add drop action config: hexagon-randconfig-r045-20230629 (https://download.01.org/0day-ci/archive/20230630/202306300609.tdrdzscy-...@intel.com/config) compiler: clang version 17.0.0 (https://github.com/llvm/llvm-project.git 4a5ac14ee968ff0ad5d2cc1ffa0299048db4c88a) reproduce: (https://download.01.org/0day-ci/archive/20230630/202306300609.tdrdzscy-...@intel.com/reproduce) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot | Closes: https://lore.kernel.org/oe-kbuild-all/202306300609.tdrdzscy-...@intel.com/ All errors (new ones prefixed by >>): In file included from net/openvswitch/actions.c:8: In file included from include/linux/skbuff.h:17: In file included from include/linux/bvec.h:10: In file included from include/linux/highmem.h:12: In file included from include/linux/hardirq.h:11: In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1: In file included from include/asm-generic/hardirq.h:17: In file included from include/linux/irq.h:20: In file included from include/linux/io.h:13: In file included from arch/hexagon/include/asm/io.h:334: include/asm-generic/io.h:547:31: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] 547 | val = __raw_readb(PCI_IOBASE + addr); | ~~ ^ include/asm-generic/io.h:560:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] 560 | val = __le16_to_cpu((__le16 __force)__raw_readw(PCI_IOBASE + addr)); | ~~ ^ include/uapi/linux/byteorder/little_endian.h:37:51: note: expanded from macro '__le16_to_cpu' 37 | #define __le16_to_cpu(x) ((__force __u16)(__le16)(x)) | ^ In file included from net/openvswitch/actions.c:8: In file included from include/linux/skbuff.h:17: In file included from include/linux/bvec.h:10: In file included from include/linux/highmem.h:12: In file included from include/linux/hardirq.h:11: In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1: In file included from include/asm-generic/hardirq.h:17: In file included from include/linux/irq.h:20: In file included from include/linux/io.h:13: In file included from arch/hexagon/include/asm/io.h:334: include/asm-generic/io.h:573:61: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] 573 | val = __le32_to_cpu((__le32 __force)__raw_readl(PCI_IOBASE + addr)); | ~~ ^ include/uapi/linux/byteorder/little_endian.h:35:51: note: expanded from macro '__le32_to_cpu' 35 | #define __le32_to_cpu(x) ((__force __u32)(__le32)(x)) | ^ In file included from net/openvswitch/actions.c:8: In file included from include/linux/skbuff.h:17: In file included from include/linux/bvec.h:10: In file included from include/linux/highmem.h:12: In file included from include/linux/hardirq.h:11: In file included from ./arch/hexagon/include/generated/asm/hardirq.h:1: In file included from include/asm-generic/hardirq.h:17: In file included from include/linux/irq.h:20: In file included from include/linux/io.h:13: In file included from arch/hexagon/include/asm/io.h:334: include/asm-generic/io.h:584:33: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] 584 | __raw_writeb(value, PCI_IOBASE + addr); | ~~ ^ include/asm-generic/io.h:594:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] 594 | __raw_writew((u16 __force)cpu_to_le16(value), PCI_IOBASE + addr); | ~~ ^ include/asm-generic/io.h:604:59: warning: performing pointer arithmetic on a null pointer has undefined behavior [-Wnull-pointer-arithmetic] 604 | __raw_writel((u32 __force)cpu_to_le32(value), PCI_IOBASE + addr); | ~~ ^ >> net/openvswitch/actions.c:1483:4: error: expected expression 1483 |
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Thu, Jun 29, 2023 at 04:30:05PM -0400, Eric Garver wrote: > This adds an explicit drop action. This is used by OVS to drop packets > for which it cannot determine what to do. An explicit action in the > kernel allows passing the reason _why_ the packet is being dropped. We > can then use perf tracing to match on the drop reason. > > e.g. trace all OVS dropped skbs > > # perf trace -e skb:kfree_skb --filter="reason >= 0x3" > [..] > 106.023 ping/2465 skb:kfree_skb(skbaddr: 0xa0e8765f2000, \ > location:0xc0d9b462, protocol: 2048, reason: 196610) > > reason: 196610 --> 0x30002 (OVS_XLATE_RECURSION_TOO_DEEP) > > Signed-off-by: Eric Garver ... > --- a/net/openvswitch/actions.c > +++ b/net/openvswitch/actions.c > @@ -32,6 +32,7 @@ > #include "vport.h" > #include "flow_netlink.h" > #include "openvswitch_trace.h" > +#include "drop.h" > > struct deferred_action { > struct sk_buff *skb; > @@ -1477,6 +1478,18 @@ static int do_execute_actions(struct datapath *dp, > struct sk_buff *skb, > return dec_ttl_exception_handler(dp, skb, >key, a); > break; > + > + case OVS_ACTION_ATTR_DROP: > + u32 reason = nla_get_u32(a); > + > + reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << > + SKB_DROP_REASON_SUBSYS_SHIFT; > + > + if (reason == OVS_XLATE_OK) > + break; > + > + kfree_skb_reason(skb, reason); > + return 0; > } Hi Eric, thanks for your patches. This is an interesting new feature. unfortunately clang-16 doesn't seem to like this very much. I think that it is due to the declaration of reason not being enclosed in a block - { }. net/openvswitch/actions.c:1483:4: error: expected expression u32 reason = nla_get_u32(a); ^ net/openvswitch/actions.c:1485:4: error: use of undeclared identifier 'reason' reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << ^ net/openvswitch/actions.c:1488:8: error: use of undeclared identifier 'reason' if (reason == OVS_XLATE_OK) ^ net/openvswitch/actions.c:1491:26: error: use of undeclared identifier 'reason' kfree_skb_reason(skb, reason); ^ 4 errors generated. net-next is currently closed. So please provide a v2 once it reposts, after 10th July. See: https://www.kernel.org/doc/html/next/process/maintainer-netdev.html#development-cycle -- pw-bot: changes-requested ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Fri, Jun 30, 2023 at 11:47:04AM +0200, Simon Horman wrote: > On Thu, Jun 29, 2023 at 04:30:05PM -0400, Eric Garver wrote: > > This adds an explicit drop action. This is used by OVS to drop packets > > for which it cannot determine what to do. An explicit action in the > > kernel allows passing the reason _why_ the packet is being dropped. We > > can then use perf tracing to match on the drop reason. > > > > e.g. trace all OVS dropped skbs > > > > # perf trace -e skb:kfree_skb --filter="reason >= 0x3" > > [..] > > 106.023 ping/2465 skb:kfree_skb(skbaddr: 0xa0e8765f2000, \ > > location:0xc0d9b462, protocol: 2048, reason: 196610) > > > > reason: 196610 --> 0x30002 (OVS_XLATE_RECURSION_TOO_DEEP) > > > > Signed-off-by: Eric Garver > > ... > > > --- a/net/openvswitch/actions.c > > +++ b/net/openvswitch/actions.c > > @@ -32,6 +32,7 @@ > > #include "vport.h" > > #include "flow_netlink.h" > > #include "openvswitch_trace.h" > > +#include "drop.h" > > > > struct deferred_action { > > struct sk_buff *skb; > > @@ -1477,6 +1478,18 @@ static int do_execute_actions(struct datapath *dp, > > struct sk_buff *skb, > > return dec_ttl_exception_handler(dp, skb, > > key, a); > > break; > > + > > + case OVS_ACTION_ATTR_DROP: > > + u32 reason = nla_get_u32(a); > > + > > + reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << > > + SKB_DROP_REASON_SUBSYS_SHIFT; > > + > > + if (reason == OVS_XLATE_OK) > > + break; > > + > > + kfree_skb_reason(skb, reason); > > + return 0; > > } > > Hi Eric, > > thanks for your patches. This is an interesting new feature. > > unfortunately clang-16 doesn't seem to like this very much. > I think that it is due to the declaration of reason not > being enclosed in a block - { }. > > net/openvswitch/actions.c:1483:4: error: expected expression > u32 reason = nla_get_u32(a); > ^ > net/openvswitch/actions.c:1485:4: error: use of undeclared identifier > 'reason' > reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << > ^ > net/openvswitch/actions.c:1488:8: error: use of undeclared identifier > 'reason' > if (reason == OVS_XLATE_OK) > ^ > net/openvswitch/actions.c:1491:26: error: use of undeclared identifier > 'reason' > kfree_skb_reason(skb, reason); > ^ > 4 errors generated. > > > net-next is currently closed. > So please provide a v2 once it reposts, after 10th July. oof. My bad. I'll fix the clang issue and post v2 in a couple weeks. Thanks. Eric. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Fri, Jun 30, 2023 at 08:29:58AM -0400, Eric Garver wrote: > On Fri, Jun 30, 2023 at 11:47:04AM +0200, Simon Horman wrote: > > On Thu, Jun 29, 2023 at 04:30:05PM -0400, Eric Garver wrote: > > > This adds an explicit drop action. This is used by OVS to drop packets > > > for which it cannot determine what to do. An explicit action in the > > > kernel allows passing the reason _why_ the packet is being dropped. We > > > can then use perf tracing to match on the drop reason. > > > > > > e.g. trace all OVS dropped skbs > > > > > > # perf trace -e skb:kfree_skb --filter="reason >= 0x3" > > > [..] > > > 106.023 ping/2465 skb:kfree_skb(skbaddr: 0xa0e8765f2000, \ > > > location:0xc0d9b462, protocol: 2048, reason: 196610) > > > > > > reason: 196610 --> 0x30002 (OVS_XLATE_RECURSION_TOO_DEEP) > > > > > > Signed-off-by: Eric Garver > > > > ... > > > > > --- a/net/openvswitch/actions.c > > > +++ b/net/openvswitch/actions.c > > > @@ -32,6 +32,7 @@ > > > #include "vport.h" > > > #include "flow_netlink.h" > > > #include "openvswitch_trace.h" > > > +#include "drop.h" > > > > > > struct deferred_action { > > > struct sk_buff *skb; > > > @@ -1477,6 +1478,18 @@ static int do_execute_actions(struct datapath *dp, > > > struct sk_buff *skb, > > > return dec_ttl_exception_handler(dp, skb, > > >key, a); > > > break; > > > + > > > + case OVS_ACTION_ATTR_DROP: > > > + u32 reason = nla_get_u32(a); > > > + > > > + reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << > > > + SKB_DROP_REASON_SUBSYS_SHIFT; > > > + > > > + if (reason == OVS_XLATE_OK) > > > + break; > > > + > > > + kfree_skb_reason(skb, reason); > > > + return 0; > > > } > > > > Hi Eric, > > > > thanks for your patches. This is an interesting new feature. > > > > unfortunately clang-16 doesn't seem to like this very much. > > I think that it is due to the declaration of reason not > > being enclosed in a block - { }. > > > > net/openvswitch/actions.c:1483:4: error: expected expression > > u32 reason = nla_get_u32(a); > > ^ > > net/openvswitch/actions.c:1485:4: error: use of undeclared identifier > > 'reason' > > reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << > > ^ > > net/openvswitch/actions.c:1488:8: error: use of undeclared identifier > > 'reason' > > if (reason == OVS_XLATE_OK) > > ^ > > net/openvswitch/actions.c:1491:26: error: use of undeclared identifier > > 'reason' > > kfree_skb_reason(skb, reason); > > ^ > > 4 errors generated. > > > > > > net-next is currently closed. > > So please provide a v2 once it reposts, after 10th July. > > oof. My bad. I'll fix the clang issue and post v2 in a couple weeks. Thanks Eric, much appreciated. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
Eric Garver writes: > This adds an explicit drop action. This is used by OVS to drop packets > for which it cannot determine what to do. An explicit action in the > kernel allows passing the reason _why_ the packet is being dropped. We > can then use perf tracing to match on the drop reason. > > e.g. trace all OVS dropped skbs > > # perf trace -e skb:kfree_skb --filter="reason >= 0x3" > [..] > 106.023 ping/2465 skb:kfree_skb(skbaddr: 0xa0e8765f2000, \ > location:0xc0d9b462, protocol: 2048, reason: 196610) > > reason: 196610 --> 0x30002 (OVS_XLATE_RECURSION_TOO_DEEP) > > Signed-off-by: Eric Garver > --- > include/uapi/linux/openvswitch.h| 2 ++ > net/openvswitch/actions.c | 13 + > net/openvswitch/flow_netlink.c | 12 +++- > .../testing/selftests/net/openvswitch/ovs-dpctl.py | 3 +++ > 4 files changed, 29 insertions(+), 1 deletion(-) > > diff --git a/include/uapi/linux/openvswitch.h > b/include/uapi/linux/openvswitch.h > index e94870e77ee9..a967dbca3574 100644 > --- a/include/uapi/linux/openvswitch.h > +++ b/include/uapi/linux/openvswitch.h > @@ -965,6 +965,7 @@ struct check_pkt_len_arg { > * start of the packet or at the start of the l3 header depending on the > value > * of l3 tunnel flag in the tun_flags field of OVS_ACTION_ATTR_ADD_MPLS > * argument. > + * @OVS_ACTION_ATTR_DROP: Explicit drop action. > * > * Only a single header can be set with a single %OVS_ACTION_ATTR_SET. Not > all > * fields within a header are modifiable, e.g. the IPv4 protocol and fragment > @@ -1002,6 +1003,7 @@ enum ovs_action_attr { > OVS_ACTION_ATTR_CHECK_PKT_LEN, /* Nested OVS_CHECK_PKT_LEN_ATTR_*. */ > OVS_ACTION_ATTR_ADD_MPLS, /* struct ovs_action_add_mpls. */ > OVS_ACTION_ATTR_DEC_TTL, /* Nested OVS_DEC_TTL_ATTR_*. */ > + OVS_ACTION_ATTR_DROP, /* u32 xlate_error. */ > > __OVS_ACTION_ATTR_MAX,/* Nothing past this will be accepted > * from userspace. */ > diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c > index cab1e02b63e0..4ad9a45dc042 100644 > --- a/net/openvswitch/actions.c > +++ b/net/openvswitch/actions.c > @@ -32,6 +32,7 @@ > #include "vport.h" > #include "flow_netlink.h" > #include "openvswitch_trace.h" > +#include "drop.h" > > struct deferred_action { > struct sk_buff *skb; > @@ -1477,6 +1478,18 @@ static int do_execute_actions(struct datapath *dp, > struct sk_buff *skb, > return dec_ttl_exception_handler(dp, skb, >key, a); > break; > + > + case OVS_ACTION_ATTR_DROP: > + u32 reason = nla_get_u32(a); > + > + reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << > + SKB_DROP_REASON_SUBSYS_SHIFT; > + > + if (reason == OVS_XLATE_OK) > + break; > + > + kfree_skb_reason(skb, reason); > + return 0; > } > > if (unlikely(err)) { > diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c > index 41116361433d..23d39eae9a0d 100644 > --- a/net/openvswitch/flow_netlink.c > +++ b/net/openvswitch/flow_netlink.c > @@ -39,6 +39,7 @@ > #include > > #include "flow_netlink.h" > +#include "drop.h" > > struct ovs_len_tbl { > int len; > @@ -61,6 +62,7 @@ static bool actions_may_change_flow(const struct nlattr > *actions) > case OVS_ACTION_ATTR_RECIRC: > case OVS_ACTION_ATTR_TRUNC: > case OVS_ACTION_ATTR_USERSPACE: > + case OVS_ACTION_ATTR_DROP: > break; > > case OVS_ACTION_ATTR_CT: > @@ -2394,7 +2396,7 @@ static void ovs_nla_free_nested_actions(const struct > nlattr *actions, int len) > /* Whenever new actions are added, the need to update this >* function should be considered. >*/ > - BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 23); > + BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 24); > > if (!actions) > return; > @@ -3182,6 +3184,7 @@ static int __ovs_nla_copy_actions(struct net *net, > const struct nlattr *attr, > [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, > [OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct > ovs_action_add_mpls), > [OVS_ACTION_ATTR_DEC_TTL] = (u32)-1, > + [OVS_ACTION_ATTR_DROP] = sizeof(u32), > }; > const struct ovs_action_push_vlan *vlan; > int type = nla_type(a); > @@ -3453,6 +3456,13 @@ static int __ovs_nla_copy_actions(struct net *net, > const struct nlattr *attr, > skip_copy = true; > break; > > + case OVS_ACTION_AT
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Thu, Jul 06, 2023 at 08:54:16AM -0400, Aaron Conole wrote: > Eric Garver writes: > > > This adds an explicit drop action. This is used by OVS to drop packets > > for which it cannot determine what to do. An explicit action in the > > kernel allows passing the reason _why_ the packet is being dropped. We > > can then use perf tracing to match on the drop reason. > > > > e.g. trace all OVS dropped skbs > > > > # perf trace -e skb:kfree_skb --filter="reason >= 0x3" > > [..] > > 106.023 ping/2465 skb:kfree_skb(skbaddr: 0xa0e8765f2000, \ > > location:0xc0d9b462, protocol: 2048, reason: 196610) > > > > reason: 196610 --> 0x30002 (OVS_XLATE_RECURSION_TOO_DEEP) > > > > Signed-off-by: Eric Garver > > --- > > include/uapi/linux/openvswitch.h| 2 ++ > > net/openvswitch/actions.c | 13 + > > net/openvswitch/flow_netlink.c | 12 +++- > > .../testing/selftests/net/openvswitch/ovs-dpctl.py | 3 +++ > > 4 files changed, 29 insertions(+), 1 deletion(-) > > > > diff --git a/include/uapi/linux/openvswitch.h > > b/include/uapi/linux/openvswitch.h > > index e94870e77ee9..a967dbca3574 100644 > > --- a/include/uapi/linux/openvswitch.h > > +++ b/include/uapi/linux/openvswitch.h > > @@ -965,6 +965,7 @@ struct check_pkt_len_arg { > > * start of the packet or at the start of the l3 header depending on the > > value > > * of l3 tunnel flag in the tun_flags field of OVS_ACTION_ATTR_ADD_MPLS > > * argument. > > + * @OVS_ACTION_ATTR_DROP: Explicit drop action. > > * > > * Only a single header can be set with a single %OVS_ACTION_ATTR_SET. > > Not all > > * fields within a header are modifiable, e.g. the IPv4 protocol and > > fragment > > @@ -1002,6 +1003,7 @@ enum ovs_action_attr { > > OVS_ACTION_ATTR_CHECK_PKT_LEN, /* Nested OVS_CHECK_PKT_LEN_ATTR_*. */ > > OVS_ACTION_ATTR_ADD_MPLS, /* struct ovs_action_add_mpls. */ > > OVS_ACTION_ATTR_DEC_TTL, /* Nested OVS_DEC_TTL_ATTR_*. */ > > + OVS_ACTION_ATTR_DROP, /* u32 xlate_error. */ > > > > __OVS_ACTION_ATTR_MAX,/* Nothing past this will be accepted > >* from userspace. */ > > diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c > > index cab1e02b63e0..4ad9a45dc042 100644 > > --- a/net/openvswitch/actions.c > > +++ b/net/openvswitch/actions.c > > @@ -32,6 +32,7 @@ > > #include "vport.h" > > #include "flow_netlink.h" > > #include "openvswitch_trace.h" > > +#include "drop.h" > > > > struct deferred_action { > > struct sk_buff *skb; > > @@ -1477,6 +1478,18 @@ static int do_execute_actions(struct datapath *dp, > > struct sk_buff *skb, > > return dec_ttl_exception_handler(dp, skb, > > key, a); > > break; > > + > > + case OVS_ACTION_ATTR_DROP: > > + u32 reason = nla_get_u32(a); > > + > > + reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << > > + SKB_DROP_REASON_SUBSYS_SHIFT; > > + > > + if (reason == OVS_XLATE_OK) > > + break; > > + > > + kfree_skb_reason(skb, reason); > > + return 0; > > } > > > > if (unlikely(err)) { > > diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c > > index 41116361433d..23d39eae9a0d 100644 > > --- a/net/openvswitch/flow_netlink.c > > +++ b/net/openvswitch/flow_netlink.c > > @@ -39,6 +39,7 @@ > > #include > > > > #include "flow_netlink.h" > > +#include "drop.h" > > > > struct ovs_len_tbl { > > int len; > > @@ -61,6 +62,7 @@ static bool actions_may_change_flow(const struct nlattr > > *actions) > > case OVS_ACTION_ATTR_RECIRC: > > case OVS_ACTION_ATTR_TRUNC: > > case OVS_ACTION_ATTR_USERSPACE: > > + case OVS_ACTION_ATTR_DROP: > > break; > > > > case OVS_ACTION_ATTR_CT: > > @@ -2394,7 +2396,7 @@ static void ovs_nla_free_nested_actions(const struct > > nlattr *actions, int len) > > /* Whenever new actions are added, the need to update this > > * function should be considered. > > */ > > - BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 23); > > + BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 24); > > > > if (!actions) > > return; > > @@ -3182,6 +3184,7 @@ static int __ovs_nla_copy_actions(struct net *net, > > const struct nlattr *attr, > > [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, > > [OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct > > ovs_action_add_mpls), > > [OVS_ACTION_ATTR_DEC_TTL] = (u32)-1, > > + [OVS_ACTION_ATTR_DROP] = sizeof(u32), > > }; > > const struct ovs_action_push_vlan *vlan; > > int type = nla_t
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On 7/6/23 15:57, Eric Garver wrote: > On Thu, Jul 06, 2023 at 08:54:16AM -0400, Aaron Conole wrote: >> Eric Garver writes: >> >>> This adds an explicit drop action. This is used by OVS to drop packets >>> for which it cannot determine what to do. An explicit action in the >>> kernel allows passing the reason _why_ the packet is being dropped. We >>> can then use perf tracing to match on the drop reason. >>> >>> e.g. trace all OVS dropped skbs >>> >>> # perf trace -e skb:kfree_skb --filter="reason >= 0x3" >>> [..] >>> 106.023 ping/2465 skb:kfree_skb(skbaddr: 0xa0e8765f2000, \ >>> location:0xc0d9b462, protocol: 2048, reason: 196610) >>> >>> reason: 196610 --> 0x30002 (OVS_XLATE_RECURSION_TOO_DEEP) >>> >>> Signed-off-by: Eric Garver >>> --- >>> include/uapi/linux/openvswitch.h| 2 ++ >>> net/openvswitch/actions.c | 13 + >>> net/openvswitch/flow_netlink.c | 12 +++- >>> .../testing/selftests/net/openvswitch/ovs-dpctl.py | 3 +++ >>> 4 files changed, 29 insertions(+), 1 deletion(-) >>> >>> diff --git a/include/uapi/linux/openvswitch.h >>> b/include/uapi/linux/openvswitch.h >>> index e94870e77ee9..a967dbca3574 100644 >>> --- a/include/uapi/linux/openvswitch.h >>> +++ b/include/uapi/linux/openvswitch.h >>> @@ -965,6 +965,7 @@ struct check_pkt_len_arg { >>> * start of the packet or at the start of the l3 header depending on the >>> value >>> * of l3 tunnel flag in the tun_flags field of OVS_ACTION_ATTR_ADD_MPLS >>> * argument. >>> + * @OVS_ACTION_ATTR_DROP: Explicit drop action. >>> * >>> * Only a single header can be set with a single %OVS_ACTION_ATTR_SET. >>> Not all >>> * fields within a header are modifiable, e.g. the IPv4 protocol and >>> fragment >>> @@ -1002,6 +1003,7 @@ enum ovs_action_attr { >>> OVS_ACTION_ATTR_CHECK_PKT_LEN, /* Nested OVS_CHECK_PKT_LEN_ATTR_*. */ >>> OVS_ACTION_ATTR_ADD_MPLS, /* struct ovs_action_add_mpls. */ >>> OVS_ACTION_ATTR_DEC_TTL, /* Nested OVS_DEC_TTL_ATTR_*. */ >>> + OVS_ACTION_ATTR_DROP, /* u32 xlate_error. */ >>> >>> __OVS_ACTION_ATTR_MAX,/* Nothing past this will be accepted >>>* from userspace. */ >>> diff --git a/net/openvswitch/actions.c b/net/openvswitch/actions.c >>> index cab1e02b63e0..4ad9a45dc042 100644 >>> --- a/net/openvswitch/actions.c >>> +++ b/net/openvswitch/actions.c >>> @@ -32,6 +32,7 @@ >>> #include "vport.h" >>> #include "flow_netlink.h" >>> #include "openvswitch_trace.h" >>> +#include "drop.h" >>> >>> struct deferred_action { >>> struct sk_buff *skb; >>> @@ -1477,6 +1478,18 @@ static int do_execute_actions(struct datapath *dp, >>> struct sk_buff *skb, >>> return dec_ttl_exception_handler(dp, skb, >>> key, a); >>> break; >>> + >>> + case OVS_ACTION_ATTR_DROP: >>> + u32 reason = nla_get_u32(a); >>> + >>> + reason |= SKB_DROP_REASON_SUBSYS_OPENVSWITCH << >>> + SKB_DROP_REASON_SUBSYS_SHIFT; >>> + >>> + if (reason == OVS_XLATE_OK) >>> + break; >>> + >>> + kfree_skb_reason(skb, reason); >>> + return 0; >>> } >>> >>> if (unlikely(err)) { >>> diff --git a/net/openvswitch/flow_netlink.c b/net/openvswitch/flow_netlink.c >>> index 41116361433d..23d39eae9a0d 100644 >>> --- a/net/openvswitch/flow_netlink.c >>> +++ b/net/openvswitch/flow_netlink.c >>> @@ -39,6 +39,7 @@ >>> #include >>> >>> #include "flow_netlink.h" >>> +#include "drop.h" >>> >>> struct ovs_len_tbl { >>> int len; >>> @@ -61,6 +62,7 @@ static bool actions_may_change_flow(const struct nlattr >>> *actions) >>> case OVS_ACTION_ATTR_RECIRC: >>> case OVS_ACTION_ATTR_TRUNC: >>> case OVS_ACTION_ATTR_USERSPACE: >>> + case OVS_ACTION_ATTR_DROP: >>> break; >>> >>> case OVS_ACTION_ATTR_CT: >>> @@ -2394,7 +2396,7 @@ static void ovs_nla_free_nested_actions(const struct >>> nlattr *actions, int len) >>> /* Whenever new actions are added, the need to update this >>> * function should be considered. >>> */ >>> - BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 23); >>> + BUILD_BUG_ON(OVS_ACTION_ATTR_MAX != 24); >>> >>> if (!actions) >>> return; >>> @@ -3182,6 +3184,7 @@ static int __ovs_nla_copy_actions(struct net *net, >>> const struct nlattr *attr, >>> [OVS_ACTION_ATTR_CHECK_PKT_LEN] = (u32)-1, >>> [OVS_ACTION_ATTR_ADD_MPLS] = sizeof(struct >>> ovs_action_add_mpls), >>> [OVS_ACTION_ATTR_DEC_TTL] = (u32)-1, >>> + [OVS_ACTION_ATTR_DROP] = sizeof(u32), >>> }; >>> const struct ovs_action_push_vlan
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Fri, 7 Jul 2023 12:30:38 +0200 Ilya Maximets wrote: > A wild idea: How about we do not define actual reasons? i.e. define a > subsystem and just call kfree_skb_reason(skb, SUBSYSTEM | value), where > 'value' is whatever userspace gives as long as it is within a subsystem > range? That already exists, right? Johannes added it in the last release for WiFi. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On 7/7/23 17:00, Jakub Kicinski wrote: > On Fri, 7 Jul 2023 12:30:38 +0200 Ilya Maximets wrote: >> A wild idea: How about we do not define actual reasons? i.e. define a >> subsystem and just call kfree_skb_reason(skb, SUBSYSTEM | value), where >> 'value' is whatever userspace gives as long as it is within a subsystem >> range? > > That already exists, right? Johannes added it in the last release for WiFi. I'm not sure. The SKB_DROP_REASON_SUBSYS_MAC80211_UNUSABLE behaves similarly to that on a surface. However, looking closer, any value that can be passed into ieee80211_rx_handlers_result() and ends up in the kfree_skb_reason() is kind of defined in net/mac80211/drop.h, unless I'm missing something (very possible, because I don't really know wifi code). The difference, I guess, is that for openvswitch values will be provided by the userpsace application via netlink interface. It'll be just a number not defined anywhere in the kernel. Only the subsystem itself will be defined in order to occupy the range. Garbage in, same garbage out, from the kernel's perspective. Best regards, Ilya Maximets. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On 7/7/23 17:29, Ilya Maximets wrote: > On 7/7/23 17:00, Jakub Kicinski wrote: >> On Fri, 7 Jul 2023 12:30:38 +0200 Ilya Maximets wrote: >>> A wild idea: How about we do not define actual reasons? i.e. define a >>> subsystem and just call kfree_skb_reason(skb, SUBSYSTEM | value), where >>> 'value' is whatever userspace gives as long as it is within a subsystem >>> range? >> >> That already exists, right? Johannes added it in the last release for WiFi. > > I'm not sure. The SKB_DROP_REASON_SUBSYS_MAC80211_UNUSABLE behaves similarly > to that on a surface. However, looking closer, any value that can be passed > into ieee80211_rx_handlers_result() and ends up in the kfree_skb_reason() is > kind of defined in net/mac80211/drop.h, unless I'm missing something (very > possible, because I don't really know wifi code). > > The difference, I guess, is that for openvswitch values will be provided by > the userpsace application via netlink interface. It'll be just a number not > defined anywhere in the kernel. Only the subsystem itself will be defined > in order to occupy the range. Garbage in, same garbage out, from the kernel's > perspective. To be clear, I think, not defining them in this particular case is better. Definition of every reason that userspace can come up with will add extra uAPI maintenance cost/issues with no practical benefits. Values are not going to be used for anything outside reporting a drop reason and subsystem offset is not part of uAPI anyway. > > Best regards, Ilya Maximets. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Fri, 7 Jul 2023 18:04:36 +0200 Ilya Maximets wrote: > >> That already exists, right? Johannes added it in the last release for > >> WiFi. > > > > I'm not sure. The SKB_DROP_REASON_SUBSYS_MAC80211_UNUSABLE behaves > > similarly > > to that on a surface. However, looking closer, any value that can be passed > > into ieee80211_rx_handlers_result() and ends up in the kfree_skb_reason() is > > kind of defined in net/mac80211/drop.h, unless I'm missing something (very > > possible, because I don't really know wifi code). > > > > The difference, I guess, is that for openvswitch values will be provided by > > the userpsace application via netlink interface. It'll be just a number not > > defined anywhere in the kernel. Only the subsystem itself will be defined > > in order to occupy the range. Garbage in, same garbage out, from the > > kernel's > > perspective. > > To be clear, I think, not defining them in this particular case is better. > Definition of every reason that userspace can come up with will add extra > uAPI maintenance cost/issues with no practical benefits. Values are not > going to be used for anything outside reporting a drop reason and subsystem > offset is not part of uAPI anyway. Ah, I see. No, please don't stuff user space defined values into the drop reason. The reasons are for debugging the kernel stack itself. IOW it'd be abuse not reuse. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On 7/8/23 00:06, Jakub Kicinski wrote: > On Fri, 7 Jul 2023 18:04:36 +0200 Ilya Maximets wrote: That already exists, right? Johannes added it in the last release for WiFi. >>> >>> I'm not sure. The SKB_DROP_REASON_SUBSYS_MAC80211_UNUSABLE behaves >>> similarly >>> to that on a surface. However, looking closer, any value that can be passed >>> into ieee80211_rx_handlers_result() and ends up in the kfree_skb_reason() is >>> kind of defined in net/mac80211/drop.h, unless I'm missing something (very >>> possible, because I don't really know wifi code). >>> >>> The difference, I guess, is that for openvswitch values will be provided by >>> the userpsace application via netlink interface. It'll be just a number not >>> defined anywhere in the kernel. Only the subsystem itself will be defined >>> in order to occupy the range. Garbage in, same garbage out, from the >>> kernel's >>> perspective. >> >> To be clear, I think, not defining them in this particular case is better. >> Definition of every reason that userspace can come up with will add extra >> uAPI maintenance cost/issues with no practical benefits. Values are not >> going to be used for anything outside reporting a drop reason and subsystem >> offset is not part of uAPI anyway. > > Ah, I see. No, please don't stuff user space defined values into > the drop reason. The reasons are for debugging the kernel stack > itself. IOW it'd be abuse not reuse. Makes sense. I wasn't sure that's a good solution from a kernel perspective either. It's better than defining all these reasons, IMO, but it's not good enough to be considered acceptable, I agree. How about we define just 2 reasons, e.g. OVS_DROP_REASON_EXPLICIT_ACTION and OVS_DROP_REASON_EXPLICIT_ACTION_WITH_ERROR (exact names can be different) ? One for an explicit drop action with a zero argument and one for an explicit drop with non-zero argument. The exact reason for the error can be retrieved by other means, i.e by looking at the datapath flow dump or OVS logs/traces. This way we can give a user who is catching packet drop traces a signal that there was something wrong with an OVS flow and they can look up exact details from the userspace / flow dump. The point being, most of the flows will have a zero as a drop action argument, i.e. a regular explicit packet drop. It will be hard to figure out which flow exactly we're hitting without looking at the full flow dump. And if the value is non-zero, then it should be immediately obvious which flow is to blame from the dump, as we should not have a lot of such flows. This would still allow us to avoid a maintenance burden of defining every case, which are fairly meaningless for the kernel itself, while having 99% of the information we may need. Jakub, do you think this will be acceptable? Eric, Adrian, Aaron, do you see any problems with such implementation? P.S. There is a plan to add more drop reasons for other places in openvswitch module to catch more regular types of drops like memory issues or upcall failures. So, the drop reason subsystem can be extended later. The explicit drop action is a bit of an odd case here. Best regards, Ilya Maximets. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Mon, 10 Jul 2023 18:51:19 +0200 Ilya Maximets wrote: > Makes sense. I wasn't sure that's a good solution from a kernel perspective > either. It's better than defining all these reasons, IMO, but it's not good > enough to be considered acceptable, I agree. > > How about we define just 2 reasons, e.g. OVS_DROP_REASON_EXPLICIT_ACTION and > OVS_DROP_REASON_EXPLICIT_ACTION_WITH_ERROR (exact names can be different) ? > One for an explicit drop action with a zero argument and one for an explicit > drop with non-zero argument. > > The exact reason for the error can be retrieved by other means, i.e by looking > at the datapath flow dump or OVS logs/traces. > > This way we can give a user who is catching packet drop traces a signal that > there was something wrong with an OVS flow and they can look up exact details > from the userspace / flow dump. > > The point being, most of the flows will have a zero as a drop action argument, > i.e. a regular explicit packet drop. It will be hard to figure out which flow > exactly we're hitting without looking at the full flow dump. And if the value > is non-zero, then it should be immediately obvious which flow is to blame from > the dump, as we should not have a lot of such flows. > > This would still allow us to avoid a maintenance burden of defining every > case, > which are fairly meaningless for the kernel itself, while having 99% of the > information we may need. > > Jakub, do you think this will be acceptable? As far as I understand what you're proposing, yes :) > Eric, Adrian, Aaron, do you see any problems with such implementation? > > P.S. There is a plan to add more drop reasons for other places in openvswitch > module to catch more regular types of drops like memory issues or upcall > failures. So, the drop reason subsystem can be extended later. > The explicit drop action is a bit of an odd case here. If you have more than ~4 OvS specific reasons, I wonder if it still makes sense to create a reason group/subsystem for OvS (a'la WiFi)? ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Mon, Jul 10, 2023 at 06:51:19PM +0200, Ilya Maximets wrote: > On 7/8/23 00:06, Jakub Kicinski wrote: > > On Fri, 7 Jul 2023 18:04:36 +0200 Ilya Maximets wrote: > That already exists, right? Johannes added it in the last release for > WiFi. > >>> > >>> I'm not sure. The SKB_DROP_REASON_SUBSYS_MAC80211_UNUSABLE behaves > >>> similarly > >>> to that on a surface. However, looking closer, any value that can be > >>> passed > >>> into ieee80211_rx_handlers_result() and ends up in the kfree_skb_reason() > >>> is > >>> kind of defined in net/mac80211/drop.h, unless I'm missing something (very > >>> possible, because I don't really know wifi code). > >>> > >>> The difference, I guess, is that for openvswitch values will be provided > >>> by > >>> the userpsace application via netlink interface. It'll be just a number > >>> not > >>> defined anywhere in the kernel. Only the subsystem itself will be defined > >>> in order to occupy the range. Garbage in, same garbage out, from the > >>> kernel's > >>> perspective. > >> > >> To be clear, I think, not defining them in this particular case is better. > >> Definition of every reason that userspace can come up with will add extra > >> uAPI maintenance cost/issues with no practical benefits. Values are not > >> going to be used for anything outside reporting a drop reason and subsystem > >> offset is not part of uAPI anyway. > > > > Ah, I see. No, please don't stuff user space defined values into > > the drop reason. The reasons are for debugging the kernel stack > > itself. IOW it'd be abuse not reuse. > > Makes sense. I wasn't sure that's a good solution from a kernel perspective > either. It's better than defining all these reasons, IMO, but it's not good > enough to be considered acceptable, I agree. > > How about we define just 2 reasons, e.g. OVS_DROP_REASON_EXPLICIT_ACTION and > OVS_DROP_REASON_EXPLICIT_ACTION_WITH_ERROR (exact names can be different) ? > One for an explicit drop action with a zero argument and one for an explicit > drop with non-zero argument. > > The exact reason for the error can be retrieved by other means, i.e by looking > at the datapath flow dump or OVS logs/traces. > > This way we can give a user who is catching packet drop traces a signal that > there was something wrong with an OVS flow and they can look up exact details > from the userspace / flow dump. > > The point being, most of the flows will have a zero as a drop action argument, > i.e. a regular explicit packet drop. It will be hard to figure out which flow > exactly we're hitting without looking at the full flow dump. And if the value > is non-zero, then it should be immediately obvious which flow is to blame from > the dump, as we should not have a lot of such flows. > > This would still allow us to avoid a maintenance burden of defining every > case, > which are fairly meaningless for the kernel itself, while having 99% of the > information we may need. > > Jakub, do you think this will be acceptable? > > Eric, Adrian, Aaron, do you see any problems with such implementation? I see no problems. I'm content with this approach. > P.S. There is a plan to add more drop reasons for other places in openvswitch > module to catch more regular types of drops like memory issues or upcall > failures. So, the drop reason subsystem can be extended later. > The explicit drop action is a bit of an odd case here. > > Best regards, Ilya Maximets. > ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On 7/10/23 19:01, Jakub Kicinski wrote: > On Mon, 10 Jul 2023 18:51:19 +0200 Ilya Maximets wrote: >> Makes sense. I wasn't sure that's a good solution from a kernel perspective >> either. It's better than defining all these reasons, IMO, but it's not good >> enough to be considered acceptable, I agree. >> >> How about we define just 2 reasons, e.g. OVS_DROP_REASON_EXPLICIT_ACTION and >> OVS_DROP_REASON_EXPLICIT_ACTION_WITH_ERROR (exact names can be different) ? >> One for an explicit drop action with a zero argument and one for an explicit >> drop with non-zero argument. >> >> The exact reason for the error can be retrieved by other means, i.e by >> looking >> at the datapath flow dump or OVS logs/traces. >> >> This way we can give a user who is catching packet drop traces a signal that >> there was something wrong with an OVS flow and they can look up exact details >> from the userspace / flow dump. >> >> The point being, most of the flows will have a zero as a drop action >> argument, >> i.e. a regular explicit packet drop. It will be hard to figure out which >> flow >> exactly we're hitting without looking at the full flow dump. And if the >> value >> is non-zero, then it should be immediately obvious which flow is to blame >> from >> the dump, as we should not have a lot of such flows. >> >> This would still allow us to avoid a maintenance burden of defining every >> case, >> which are fairly meaningless for the kernel itself, while having 99% of the >> information we may need. >> >> Jakub, do you think this will be acceptable? > > As far as I understand what you're proposing, yes :) OK. Just to spell it all out: Userspace will install a flow with an OVS_FLOW_CMD_NEW: match:ip,tcp,... actions:something,something,drop(0) match:ip,udp,... actions:something,something,drop(42) drop() here represents the OVS_ACTION_ATTR_DROP. Then, in net/openvswitch/actions.c:do_execute_actions(), while executing these actions: case OVS_ACTION_ATTR_DROP: kfree_skb_reason(skb, nla_get_u32(a) ? OVS_DROP_ACTION_WITH_ERROR : OVS_DROP_ACTION); Users can enable traces and catch the OVS_DROP_ACTION_WITH_ERROR. Later they can dump flows with OVS_FLOW_CMD_GET and see that the error value was 42. > >> Eric, Adrian, Aaron, do you see any problems with such implementation? >> >> P.S. There is a plan to add more drop reasons for other places in openvswitch >> module to catch more regular types of drops like memory issues or upcall >> failures. So, the drop reason subsystem can be extended later. >> The explicit drop action is a bit of an odd case here. > > If you have more than ~4 OvS specific reasons, I wonder if it still > makes sense to create a reason group/subsystem for OvS (a'la WiFi)? I believe, we will easily have more than 4 OVS-specific reasons. A few from the top of my head: - upcall failure (failed to send a packet to userspace) - reached the limit for deferred actions - reached the recursion limit So, creation of a reason group/subsystem seems reasonable to me. Best regards, Ilya Maximets. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On Mon, 10 Jul 2023 20:39:11 +0200 Ilya Maximets wrote: > > As far as I understand what you're proposing, yes :) > > OK. Just to spell it all out: > > Userspace will install a flow with an OVS_FLOW_CMD_NEW: > > match:ip,tcp,... actions:something,something,drop(0) > match:ip,udp,... actions:something,something,drop(42) > > drop() here represents the OVS_ACTION_ATTR_DROP. > > Then, in net/openvswitch/actions.c:do_execute_actions(), while executing > these actions: > > case OVS_ACTION_ATTR_DROP: > kfree_skb_reason(skb, nla_get_u32(a) ? OVS_DROP_ACTION_WITH_ERROR >: OVS_DROP_ACTION); > > Users can enable traces and catch the OVS_DROP_ACTION_WITH_ERROR. > Later they can dump flows with OVS_FLOW_CMD_GET and see that the > error value was 42. nod > >> Eric, Adrian, Aaron, do you see any problems with such implementation? > >> > >> P.S. There is a plan to add more drop reasons for other places in > >> openvswitch > >> module to catch more regular types of drops like memory issues or > >> upcall > >> failures. So, the drop reason subsystem can be extended later. > >> The explicit drop action is a bit of an odd case here. > > > > If you have more than ~4 OvS specific reasons, I wonder if it still > > makes sense to create a reason group/subsystem for OvS (a'la WiFi)? > > I believe, we will easily have more than 4 OVS-specific reasons. A few > from the top of my head: > - upcall failure (failed to send a packet to userspace) > - reached the limit for deferred actions > - reached the recursion limit > > So, creation of a reason group/subsystem seems reasonable to me. SG. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
Eric Garver writes: > On Mon, Jul 10, 2023 at 06:51:19PM +0200, Ilya Maximets wrote: >> On 7/8/23 00:06, Jakub Kicinski wrote: >> > On Fri, 7 Jul 2023 18:04:36 +0200 Ilya Maximets wrote: >> That already exists, right? Johannes added it in the last release for >> WiFi. >> >>> >> >>> I'm not sure. The SKB_DROP_REASON_SUBSYS_MAC80211_UNUSABLE behaves >> >>> similarly >> >>> to that on a surface. However, looking closer, any value that can be >> >>> passed >> >>> into ieee80211_rx_handlers_result() and ends up in the >> >>> kfree_skb_reason() is >> >>> kind of defined in net/mac80211/drop.h, unless I'm missing something >> >>> (very >> >>> possible, because I don't really know wifi code). >> >>> >> >>> The difference, I guess, is that for openvswitch values will be provided >> >>> by >> >>> the userpsace application via netlink interface. It'll be just a number >> >>> not >> >>> defined anywhere in the kernel. Only the subsystem itself will be >> >>> defined >> >>> in order to occupy the range. Garbage in, same garbage out, from the >> >>> kernel's >> >>> perspective. >> >> >> >> To be clear, I think, not defining them in this particular case is better. >> >> Definition of every reason that userspace can come up with will add extra >> >> uAPI maintenance cost/issues with no practical benefits. Values are not >> >> going to be used for anything outside reporting a drop reason and >> >> subsystem >> >> offset is not part of uAPI anyway. >> > >> > Ah, I see. No, please don't stuff user space defined values into >> > the drop reason. The reasons are for debugging the kernel stack >> > itself. IOW it'd be abuse not reuse. >> >> Makes sense. I wasn't sure that's a good solution from a kernel perspective >> either. It's better than defining all these reasons, IMO, but it's not good >> enough to be considered acceptable, I agree. >> >> How about we define just 2 reasons, e.g. OVS_DROP_REASON_EXPLICIT_ACTION and >> OVS_DROP_REASON_EXPLICIT_ACTION_WITH_ERROR (exact names can be different) ? >> One for an explicit drop action with a zero argument and one for an explicit >> drop with non-zero argument. >> >> The exact reason for the error can be retrieved by other means, i.e by >> looking >> at the datapath flow dump or OVS logs/traces. >> >> This way we can give a user who is catching packet drop traces a signal that >> there was something wrong with an OVS flow and they can look up exact details >> from the userspace / flow dump. >> >> The point being, most of the flows will have a zero as a drop action >> argument, >> i.e. a regular explicit packet drop. It will be hard to figure out which >> flow >> exactly we're hitting without looking at the full flow dump. And if the >> value >> is non-zero, then it should be immediately obvious which flow is to blame >> from >> the dump, as we should not have a lot of such flows. >> >> This would still allow us to avoid a maintenance burden of defining every >> case, >> which are fairly meaningless for the kernel itself, while having 99% of the >> information we may need. >> >> Jakub, do you think this will be acceptable? >> >> Eric, Adrian, Aaron, do you see any problems with such implementation? > > I see no problems. I'm content with this approach. +1 >> P.S. There is a plan to add more drop reasons for other places in openvswitch >> module to catch more regular types of drops like memory issues or upcall >> failures. So, the drop reason subsystem can be extended later. >> The explicit drop action is a bit of an odd case here. >> >> Best regards, Ilya Maximets. >> ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [PATCH net-next 2/2] net: openvswitch: add drop action
On 7/11/23 22:46, Aaron Conole wrote: Eric Garver writes: On Mon, Jul 10, 2023 at 06:51:19PM +0200, Ilya Maximets wrote: On 7/8/23 00:06, Jakub Kicinski wrote: On Fri, 7 Jul 2023 18:04:36 +0200 Ilya Maximets wrote: That already exists, right? Johannes added it in the last release for WiFi. I'm not sure. The SKB_DROP_REASON_SUBSYS_MAC80211_UNUSABLE behaves similarly to that on a surface. However, looking closer, any value that can be passed into ieee80211_rx_handlers_result() and ends up in the kfree_skb_reason() is kind of defined in net/mac80211/drop.h, unless I'm missing something (very possible, because I don't really know wifi code). The difference, I guess, is that for openvswitch values will be provided by the userpsace application via netlink interface. It'll be just a number not defined anywhere in the kernel. Only the subsystem itself will be defined in order to occupy the range. Garbage in, same garbage out, from the kernel's perspective. To be clear, I think, not defining them in this particular case is better. Definition of every reason that userspace can come up with will add extra uAPI maintenance cost/issues with no practical benefits. Values are not going to be used for anything outside reporting a drop reason and subsystem offset is not part of uAPI anyway. Ah, I see. No, please don't stuff user space defined values into the drop reason. The reasons are for debugging the kernel stack itself. IOW it'd be abuse not reuse. Makes sense. I wasn't sure that's a good solution from a kernel perspective either. It's better than defining all these reasons, IMO, but it's not good enough to be considered acceptable, I agree. How about we define just 2 reasons, e.g. OVS_DROP_REASON_EXPLICIT_ACTION and OVS_DROP_REASON_EXPLICIT_ACTION_WITH_ERROR (exact names can be different) ? One for an explicit drop action with a zero argument and one for an explicit drop with non-zero argument. The exact reason for the error can be retrieved by other means, i.e by looking at the datapath flow dump or OVS logs/traces. This way we can give a user who is catching packet drop traces a signal that there was something wrong with an OVS flow and they can look up exact details from the userspace / flow dump. The point being, most of the flows will have a zero as a drop action argument, i.e. a regular explicit packet drop. It will be hard to figure out which flow exactly we're hitting without looking at the full flow dump. And if the value is non-zero, then it should be immediately obvious which flow is to blame from the dump, as we should not have a lot of such flows. This would still allow us to avoid a maintenance burden of defining every case, which are fairly meaningless for the kernel itself, while having 99% of the information we may need. Jakub, do you think this will be acceptable? Eric, Adrian, Aaron, do you see any problems with such implementation? I see no problems. I'm content with this approach. +1 Sounds like a good plan. Thanks. P.S. There is a plan to add more drop reasons for other places in openvswitch module to catch more regular types of drops like memory issues or upcall failures. So, the drop reason subsystem can be extended later. The explicit drop action is a bit of an odd case here. Best regards, Ilya Maximets. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev