From 9f89b0cc0eda2ef52d8850b0610f3e2e09fd7c1c Mon Sep 17 00:00:00 2001
From: Or Gerlitz
Date: Thu, 19 Jul 2018 14:02:14 +0300
Subject: [PATCH 1/2] tc/act_tunnel_key: Enable setup of tos and ttl
Allow to set tos and ttl for the tunnel. For example, here's encap rule that sets tos to the tunnel:
tc filter add dev eth0_0 protocol ip parent ffff: prio 10 flower \
 src_mac e4:11:22:33:44:50 dst_mac e4:11:22:33:44:70 \
 action tunnel_key set src_ip 192.168.10.1 dst_ip 192.168.10.2 id 100 dst_port 4789 tos 0x30 \
 action mirred egress redirect dev vxlan_sys_4789
Signed-off-by: Or Gerlitz
Reviewed-by: Roi Dayan
Acked-by: Jiri Pirko
Signed-off-by: David Ahern
---
 man/man8/tc-tunnel_key.8 | 8 ++++++
 tc/m_tunnel_key.c | 53 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)
diff --git a/man/man8/tc-tunnel_key.8 b/man/man8/tc-tunnel_key.8
index 7d4b30e4..1e093624 100644
--- a/man/man8/tc-tunnel_key.8
+++ b/man/man8/tc-tunnel_key.8
@@ -16,6 +16,8 @@ tunnel_key - Tunnel metadata manipulation
 .IR ADDRESS
 .BI id " KEY_ID"
 .BI dst_port " UDP_PORT"
+.BI tos " TOS"
+.BI ttl " TTL"
 .RB "[ " csum " | " nocsum " ]"
 .SH DESCRIPTION
@@ -89,6 +91,12 @@ is specified in the form CLASS:TYPE:DATA, where CLASS is represented as a variable length hexadecimal value. Additionally multiple options may be listed using a comma delimiter.
 .TP
+.B tos
+Outer header TOS
+.TP
+.B ttl
+Outer header TTL
+.TP
 .RB [ no ] csum
 Controlls outer UDP checksum. When set to
 .B csum
diff --git a/tc/m_tunnel_key.c b/tc/m_tunnel_key.c
index 5a0e3fc3..e9e71e41 100644
--- a/tc/m_tunnel_key.c
+++ b/tc/m_tunnel_key.c
@@ -190,6 +190,22 @@ static int tunnel_key_parse_geneve_opts(char *str, struct nlmsghdr *n)
 return 0;
 }
+static int tunnel_key_parse_tos_ttl(char *str, int type, struct nlmsghdr *n)
+{
+ int ret;
+ __u8 val;
+
+ ret = get_u8(&val, str, 10);
+ if (ret)
+ ret = get_u8(&val, str, 16);
+ if (ret)
+ return -1;
+
+ addattr8(n, MAX_MSG, type, val);
+
+ return 0;
+}
+
 static int parse_tunnel_key(struct action_util *a, int *argc_p, char ***argv_p,
 int tca_id, struct nlmsghdr *n)
 {
@@ -273,6 +289,22 @@ static int parse_tunnel_key(struct action_util *a, int *argc_p, char ***argv_p,
 fprintf(stderr, "Illegal \"geneve_opts\"\n");
 return -1;
 }
+ } else if (matches(*argv, "tos") == 0) {
+ NEXT_ARG();
+ ret = tunnel_key_parse_tos_ttl(*argv,
+ TCA_TUNNEL_KEY_ENC_TOS, n);
+ if (ret < 0) {
+ fprintf(stderr, "Illegal \"tos\"\n");
+ return -1;
+ }
+ } else if (matches(*argv, "ttl") == 0) {
+ NEXT_ARG();
+ ret = tunnel_key_parse_tos_ttl(*argv,
+ TCA_TUNNEL_KEY_ENC_TTL, n);
+ if (ret < 0) {
+ fprintf(stderr, "Illegal \"ttl\"\n");
+ return -1;
+ }
 } else if (matches(*argv, "csum") == 0) {
 csum = 1;
 } else if (matches(*argv, "nocsum") == 0) {
@@ -435,6 +467,23 @@ static void tunnel_key_print_key_opt(const char *name, struct rtattr *attr)
 tb[TCA_TUNNEL_KEY_ENC_OPTS_GENEVE]);
 }
+static void tunnel_key_print_tos_ttl(FILE *f, char *name,
+ struct rtattr *attr)
+{
+ if (!attr)
+ return;
+
+ if (matches(name, "tos") == 0 && rta_getattr_u8(attr) != 0) {
+ print_string(PRINT_FP, NULL, "%s", _SL_);
+ print_uint(PRINT_ANY, "tos", "\ttos 0x%x",
+ rta_getattr_u8(attr));
+ } else if (matches(name, "ttl") == 0 && rta_getattr_u8(attr) != 0) {
+ print_string(PRINT_FP, NULL, "%s", _SL_);
+ print_uint(PRINT_ANY, "ttl", "\tttl %u",
+ rta_getattr_u8(attr));
+ }
+}
+
 static int print_tunnel_key(struct action_util *au, FILE *f, struct rtattr *arg)
 {
 struct rtattr *tb[TCA_TUNNEL_KEY_MAX + 1];
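Review bot: `tunnel_key_parse_tos_ttl()` ignores the return value of `addattr8()`, so if the attribute cannot be appended within `MAX_MSG` the helper still returns 0 and the rule is sent without the requested tos/ttl; ending the function with `return addattr8(n, MAX_MSG, type, val);` lets the caller's `Illegal "tos"` / `Illegal "ttl"` path see the failure. The decimal-then-hex fallback also makes the accepted syntax depend on the digits typed: `30` is taken as decimal 30, while `0x30` and `ff` are taken as hex. Neither the code nor the tc-tunnel_key.8 text added in this patch (`Outer header TOS`) says so, which matters to anyone auditing a DSCP policy from the command line. A comment above the helper such as `/* decimal first; falls back to hex (0x30, ff) when decimal parsing fails */`, repeated in the man page, would close the gap.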
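Review bot: The `tos` and `ttl` branches are selected with `matches()`, which accepts a prefix of the keyword, so a shortened argument such as `t` is treated as `tos` only because that branch is tested first (assuming no earlier branch outside the hunk claims it). An exact test, `strcmp(*argv, "tos") == 0` and `strcmp(*argv, "ttl") == 0`, would stop an abbreviated or mistyped option from silently setting the other outer-header field, although the neighbouring `csum`/`nocsum` branches use `matches()` too, so this is partly a convention decision. The same applies to `enc_tos`/`enc_ttl` in the tc/f_flower.c hunk at -1019, where `enc_t` would resolve to `enc_tos`. Nothing visible here rejects a repeated `tos` or `ttl`, so each occurrence appends another attribute; parse_tunnel_key starts and ends outside the hunk, so a guard may exist elsewhere.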
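Review bot: `tunnel_key_print_tos_ttl()` takes a `FILE *f` it never uses and picks its branch by running the prefix matcher `matches()` on a literal passed by its own caller; `name` should be `const char *` and compared with `strcmp()`, or the helper could receive the format string directly. The `rta_getattr_u8(attr) != 0` condition means an attribute carrying 0 is never printed, so a dump cannot tell "ttl 0" from "ttl not configured". If that is the intent, a comment such as `/* 0 means not set: print nothing */` above the first `if` would record it. `rta_getattr_u8(attr)` is read twice on each path and could be stored once in a local `__u8`.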
@@ -476,6 +525,10 @@ static int print_tunnel_key(struct action_util *au, FILE *f, struct rtattr *arg)
 tb[TCA_TUNNEL_KEY_ENC_OPTS]);
 tunnel_key_print_flag(f, "nocsum", "csum", tb[TCA_TUNNEL_KEY_NO_CSUM]);
+ tunnel_key_print_tos_ttl(f, "tos",
+ tb[TCA_TUNNEL_KEY_ENC_TOS]);
+ tunnel_key_print_tos_ttl(f, "ttl",
+ tb[TCA_TUNNEL_KEY_ENC_TTL]);
 break;
 }
 print_action_control(f, " ", parm->action, "");
From 761ec9e29ff867452057f59dc6ca430688b409ea Mon Sep 17 00:00:00 2001
From: Or Gerlitz
Date: Thu, 19 Jul 2018 14:02:15 +0300
Subject: [PATCH 2/2] tc/flower: Add match on encapsulating tos/ttl
Add matching on tos/ttl of the IP tunnel headers. For example, here's decap rule that matches on the tunnel tos:
tc filter add dev vxlan_sys_4789 protocol ip parent ffff: prio 10 flower \
 enc_src_ip 192.168.10.2 enc_dst_ip 192.168.10.1 enc_key_id 100 enc_dst_port 4789 enc_tos 0x30 \
 src_mac e4:11:22:33:44:70 dst_mac e4:11:22:33:44:50 \
 action tunnel_key unset \
 action mirred egress redirect dev eth0_0
Signed-off-by: Or Gerlitz
Reviewed-by: Roi Dayan
Acked-by: Jiri Pirko
Signed-off-by: David Ahern
---
 man/man8/tc-flower.8 | 14 +++++++++++++-
 tc/f_flower.c | 27 +++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/man/man8/tc-flower.8 b/man/man8/tc-flower.8
index bfa66d8a..305d7efe 100644
--- a/man/man8/tc-flower.8
+++ b/man/man8/tc-flower.8
@@ -76,6 +76,10 @@ flower \- flow based traffic control filter
 .IR ipv4_address " | " ipv6_address " } | "
 .B enc_dst_port
 .IR port_number " | "
+.B enc_tos
+.IR TOS " | "
+.B enc_ttl
+.IR TTL " | "
 .BR ip_flags
 .IR IP_FLAGS
 .SH DESCRIPTION
@@ -275,6 +279,10 @@ bits is assumed.
 .BI enc_src_ip " PREFIX"
 .TQ
 .BI enc_dst_port " NUMBER"
+.TQ
+.BI enc_tos " NUMBER"
+.TQ
+.BI enc_ttl " NUMBER"
 Match on IP tunnel metadata. Key id
 .I NUMBER
 is a 32 bit tunnel key id (e.g. VNI for VXLAN tunnel).
@@ -283,7 +291,11 @@ must be a valid IPv4 or IPv6 address optionally followed by a slash and the prefix length. If the prefix is missing, \fBtc\fR assumes a full-length host match. Dst port
 .I NUMBER
-is a 16 bit UDP dst port.
+is a 16 bit UDP dst port. Tos
+.I NUMBER
+is an 8 bit tos (dscp+ecn) value, ttl
+.I NUMBER
+is an 8 bit time-to-live value.
 .TP
 .BI ip_flags " IP_FLAGS"
 .I IP_FLAGS
diff --git a/tc/f_flower.c b/tc/f_flower.c
index 40b40265..a4cf06aa 100644
--- a/tc/f_flower.c
+++ b/tc/f_flower.c
@@ -77,6 +77,8 @@ static void explain(void)
 " enc_dst_ip [ IPV4-ADDR | IPV6-ADDR ] |\n"
 " enc_src_ip [ IPV4-ADDR | IPV6-ADDR ] |\n"
 " enc_key_id [ KEY-ID ] |\n"
+ " enc_tos MASKED-IP_TOS |\n"
+ " enc_ttl MASKED-IP_TTL |\n"
 " ip_flags IP-FLAGS | \n"
 " enc_dst_port [ port_number ] }\n"
 " FILTERID := X:Y:Z\n"
@@ -1019,6 +1021,26 @@ static int flower_parse_opt(struct filter_util *qu, char *handle,
 fprintf(stderr, "Illegal \"enc_dst_port\"\n");
 return -1;
 }
+ } else if (matches(*argv, "enc_tos") == 0) {
+ NEXT_ARG();
+ ret = flower_parse_ip_tos_ttl(*argv,
+ TCA_FLOWER_KEY_ENC_IP_TOS,
+ TCA_FLOWER_KEY_ENC_IP_TOS_MASK,
+ n);
+ if (ret < 0) {
+ fprintf(stderr, "Illegal \"enc_tos\"\n");
+ return -1;
+ }
+ } else if (matches(*argv, "enc_ttl") == 0) {
+ NEXT_ARG();
+ ret = flower_parse_ip_tos_ttl(*argv,
+ TCA_FLOWER_KEY_ENC_IP_TTL,
+ TCA_FLOWER_KEY_ENC_IP_TTL_MASK,
+ n);
+ if (ret < 0) {
+ fprintf(stderr, "Illegal \"enc_ttl\"\n");
+ return -1;
+ }
 } else if (matches(*argv, "action") == 0) {
 NEXT_ARG();
 ret = parse_action(&argc, &argv, TCA_FLOWER_ACT, n);
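Review bot: The usage text added to `explain()` advertises `enc_tos MASKED-IP_TOS` and `enc_ttl MASKED-IP_TTL`, but the tc-flower.8 text added in the same patch describes both as a plain 8 bit `NUMBER` and never mentions a mask. The parse branches at -1019 pass `TCA_FLOWER_KEY_ENC_IP_TOS_MASK` and `TCA_FLOWER_KEY_ENC_IP_TTL_MASK` to `flower_parse_ip_tos_ttl()`, so a mask does appear to be accepted. The man page should say so, for example `.BI enc_tos " MASKED-IP_TOS"` with a sentence on the value/mask form and what mask applies when none is given. The body of flower_parse_ip_tos_ttl() is outside the hunk, so the exact syntax has to be confirmed there.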
@@ -1542,6 +1564,11 @@ static int flower_print_opt(struct filter_util *qu, FILE *f,
 flower_print_port("enc_dst_port", tb[TCA_FLOWER_KEY_ENC_UDP_DST_PORT]);
+ flower_print_ip_attr("enc_tos", tb[TCA_FLOWER_KEY_ENC_IP_TOS],
+ tb[TCA_FLOWER_KEY_ENC_IP_TOS_MASK]);
+ flower_print_ip_attr("enc_ttl", tb[TCA_FLOWER_KEY_ENC_IP_TTL],
+ tb[TCA_FLOWER_KEY_ENC_IP_TTL_MASK]);
+
 flower_print_matching_flags("ip_flags", FLOWER_IP_FLAGS, tb[TCA_FLOWER_KEY_FLAGS], tb[TCA_FLOWER_KEY_FLAGS_MASK]);