Commit b9455fef authored by Ido Schimmel's avatar Ido Schimmel Committed by Jakub Kicinski

ipv4: fib_rules: Add DSCP selector support

Implement support for the new DSCP selector that allows IPv4 FIB rules
to match on the entire DSCP field, unlike the existing TOS selector that
only matches on the three lower DSCP bits.

Differentiate between both selectors by adding a new bit in the IPv4 FIB
rule structure (in an existing one byte hole) that is only set when the
'FRA_DSCP' attribute is specified by user space. Reject rules that use
both selectors.
Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
Reviewed-by: default avatarGuillaume Nault <gnault@redhat.com>
Reviewed-by: default avatarDavid Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240911093748.3662015-3-idosch@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent c951a29f
...@@ -37,6 +37,7 @@ struct fib4_rule { ...@@ -37,6 +37,7 @@ struct fib4_rule {
u8 dst_len; u8 dst_len;
u8 src_len; u8 src_len;
dscp_t dscp; dscp_t dscp;
u8 dscp_full:1; /* DSCP or TOS selector */
__be32 src; __be32 src;
__be32 srcmask; __be32 srcmask;
__be32 dst; __be32 dst;
...@@ -186,7 +187,15 @@ INDIRECT_CALLABLE_SCOPE int fib4_rule_match(struct fib_rule *rule, ...@@ -186,7 +187,15 @@ INDIRECT_CALLABLE_SCOPE int fib4_rule_match(struct fib_rule *rule,
((daddr ^ r->dst) & r->dstmask)) ((daddr ^ r->dst) & r->dstmask))
return 0; return 0;
if (r->dscp && !fib_dscp_masked_match(r->dscp, fl4)) /* When DSCP selector is used we need to match on the entire DSCP field
* in the flow information structure. When TOS selector is used we need
* to mask the upper three DSCP bits prior to matching to maintain
* legacy behavior.
*/
if (r->dscp_full && r->dscp != inet_dsfield_to_dscp(fl4->flowi4_tos))
return 0;
else if (!r->dscp_full && r->dscp &&
!fib_dscp_masked_match(r->dscp, fl4))
return 0; return 0;
if (rule->ip_proto && (rule->ip_proto != fl4->flowi4_proto)) if (rule->ip_proto && (rule->ip_proto != fl4->flowi4_proto))
...@@ -217,6 +226,20 @@ static struct fib_table *fib_empty_table(struct net *net) ...@@ -217,6 +226,20 @@ static struct fib_table *fib_empty_table(struct net *net)
return NULL; return NULL;
} }
static int fib4_nl2rule_dscp(const struct nlattr *nla, struct fib4_rule *rule4,
struct netlink_ext_ack *extack)
{
if (rule4->dscp) {
NL_SET_ERR_MSG(extack, "Cannot specify both TOS and DSCP");
return -EINVAL;
}
rule4->dscp = inet_dsfield_to_dscp(nla_get_u8(nla) << 2);
rule4->dscp_full = true;
return 0;
}
static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb, static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
struct fib_rule_hdr *frh, struct fib_rule_hdr *frh,
struct nlattr **tb, struct nlattr **tb,
...@@ -238,6 +261,10 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb, ...@@ -238,6 +261,10 @@ static int fib4_rule_configure(struct fib_rule *rule, struct sk_buff *skb,
} }
rule4->dscp = inet_dsfield_to_dscp(frh->tos); rule4->dscp = inet_dsfield_to_dscp(frh->tos);
if (tb[FRA_DSCP] &&
fib4_nl2rule_dscp(tb[FRA_DSCP], rule4, extack) < 0)
goto errout;
/* split local/main if they are not already split */ /* split local/main if they are not already split */
err = fib_unmerge(net); err = fib_unmerge(net);
if (err) if (err)
...@@ -320,9 +347,19 @@ static int fib4_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh, ...@@ -320,9 +347,19 @@ static int fib4_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh,
if (frh->dst_len && (rule4->dst_len != frh->dst_len)) if (frh->dst_len && (rule4->dst_len != frh->dst_len))
return 0; return 0;
if (frh->tos && inet_dscp_to_dsfield(rule4->dscp) != frh->tos) if (frh->tos &&
(rule4->dscp_full ||
inet_dscp_to_dsfield(rule4->dscp) != frh->tos))
return 0; return 0;
if (tb[FRA_DSCP]) {
dscp_t dscp;
dscp = inet_dsfield_to_dscp(nla_get_u8(tb[FRA_DSCP]) << 2);
if (!rule4->dscp_full || rule4->dscp != dscp)
return 0;
}
#ifdef CONFIG_IP_ROUTE_CLASSID #ifdef CONFIG_IP_ROUTE_CLASSID
if (tb[FRA_FLOW] && (rule4->tclassid != nla_get_u32(tb[FRA_FLOW]))) if (tb[FRA_FLOW] && (rule4->tclassid != nla_get_u32(tb[FRA_FLOW])))
return 0; return 0;
...@@ -344,7 +381,15 @@ static int fib4_rule_fill(struct fib_rule *rule, struct sk_buff *skb, ...@@ -344,7 +381,15 @@ static int fib4_rule_fill(struct fib_rule *rule, struct sk_buff *skb,
frh->dst_len = rule4->dst_len; frh->dst_len = rule4->dst_len;
frh->src_len = rule4->src_len; frh->src_len = rule4->src_len;
frh->tos = inet_dscp_to_dsfield(rule4->dscp);
if (rule4->dscp_full) {
frh->tos = 0;
if (nla_put_u8(skb, FRA_DSCP,
inet_dscp_to_dsfield(rule4->dscp) >> 2))
goto nla_put_failure;
} else {
frh->tos = inet_dscp_to_dsfield(rule4->dscp);
}
if ((rule4->dst_len && if ((rule4->dst_len &&
nla_put_in_addr(skb, FRA_DST, rule4->dst)) || nla_put_in_addr(skb, FRA_DST, rule4->dst)) ||
...@@ -366,7 +411,8 @@ static size_t fib4_rule_nlmsg_payload(struct fib_rule *rule) ...@@ -366,7 +411,8 @@ static size_t fib4_rule_nlmsg_payload(struct fib_rule *rule)
{ {
return nla_total_size(4) /* dst */ return nla_total_size(4) /* dst */
+ nla_total_size(4) /* src */ + nla_total_size(4) /* src */
+ nla_total_size(4); /* flow */ + nla_total_size(4) /* flow */
+ nla_total_size(1); /* dscp */
} }
static void fib4_rule_flush_cache(struct fib_rules_ops *ops) static void fib4_rule_flush_cache(struct fib_rules_ops *ops)
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment