1 // SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0 2 /* Copyright (c) 2017-2018 Mellanox Technologies. All rights reserved */ 3 4 #include <linux/kernel.h> 5 #include <linux/errno.h> 6 #include <linux/netdevice.h> 7 #include <net/net_namespace.h> 8 #include <net/flow_dissector.h> 9 #include <net/pkt_cls.h> 10 #include <net/tc_act/tc_gact.h> 11 #include <net/tc_act/tc_mirred.h> 12 #include <net/tc_act/tc_vlan.h> 13 14 #include "spectrum.h" 15 #include "core_acl_flex_keys.h" 16 17 static int mlxsw_sp_flower_parse_actions(struct mlxsw_sp *mlxsw_sp, 18 struct mlxsw_sp_acl_block *block, 19 struct mlxsw_sp_acl_rule_info *rulei, 20 struct flow_action *flow_action, 21 struct netlink_ext_ack *extack) 22 { 23 const struct flow_action_entry *act; 24 int err, i; 25 26 if (!flow_action_has_entries(flow_action)) 27 return 0; 28 29 /* Count action is inserted first */ 30 err = mlxsw_sp_acl_rulei_act_count(mlxsw_sp, rulei, extack); 31 if (err) 32 return err; 33 34 flow_action_for_each(i, act, flow_action) { 35 switch (act->id) { 36 case FLOW_ACTION_ACCEPT: 37 err = mlxsw_sp_acl_rulei_act_terminate(rulei); 38 if (err) { 39 NL_SET_ERR_MSG_MOD(extack, "Cannot append terminate action"); 40 return err; 41 } 42 break; 43 case FLOW_ACTION_DROP: 44 err = mlxsw_sp_acl_rulei_act_drop(rulei); 45 if (err) { 46 NL_SET_ERR_MSG_MOD(extack, "Cannot append drop action"); 47 return err; 48 } 49 break; 50 case FLOW_ACTION_TRAP: 51 err = mlxsw_sp_acl_rulei_act_trap(rulei); 52 if (err) { 53 NL_SET_ERR_MSG_MOD(extack, "Cannot append trap action"); 54 return err; 55 } 56 break; 57 case FLOW_ACTION_GOTO: { 58 u32 chain_index = act->chain_index; 59 struct mlxsw_sp_acl_ruleset *ruleset; 60 u16 group_id; 61 62 ruleset = mlxsw_sp_acl_ruleset_lookup(mlxsw_sp, block, 63 chain_index, 64 MLXSW_SP_ACL_PROFILE_FLOWER); 65 if (IS_ERR(ruleset)) 66 return PTR_ERR(ruleset); 67 68 group_id = mlxsw_sp_acl_ruleset_group_id(ruleset); 69 err = mlxsw_sp_acl_rulei_act_jump(rulei, group_id); 70 if (err) { 71 NL_SET_ERR_MSG_MOD(extack, "Cannot append jump action"); 72 return err; 73 } 74 } 75 break; 76 case FLOW_ACTION_REDIRECT: { 77 struct net_device *out_dev; 78 struct mlxsw_sp_fid *fid; 79 u16 fid_index; 80 81 fid = mlxsw_sp_acl_dummy_fid(mlxsw_sp); 82 fid_index = mlxsw_sp_fid_index(fid); 83 err = mlxsw_sp_acl_rulei_act_fid_set(mlxsw_sp, rulei, 84 fid_index, extack); 85 if (err) 86 return err; 87 88 out_dev = act->dev; 89 err = mlxsw_sp_acl_rulei_act_fwd(mlxsw_sp, rulei, 90 out_dev, extack); 91 if (err) 92 return err; 93 } 94 break; 95 case FLOW_ACTION_MIRRED: { 96 struct net_device *out_dev = act->dev; 97 98 err = mlxsw_sp_acl_rulei_act_mirror(mlxsw_sp, rulei, 99 block, out_dev, 100 extack); 101 if (err) 102 return err; 103 } 104 break; 105 case FLOW_ACTION_VLAN_MANGLE: { 106 u16 proto = be16_to_cpu(act->vlan.proto); 107 u8 prio = act->vlan.prio; 108 u16 vid = act->vlan.vid; 109 110 return mlxsw_sp_acl_rulei_act_vlan(mlxsw_sp, rulei, 111 act->id, vid, 112 proto, prio, extack); 113 } 114 default: 115 NL_SET_ERR_MSG_MOD(extack, "Unsupported action"); 116 dev_err(mlxsw_sp->bus_info->dev, "Unsupported action\n"); 117 return -EOPNOTSUPP; 118 } 119 } 120 return 0; 121 } 122 123 static void mlxsw_sp_flower_parse_ipv4(struct mlxsw_sp_acl_rule_info *rulei, 124 struct tc_cls_flower_offload *f) 125 { 126 struct flow_match_ipv4_addrs match; 127 128 flow_rule_match_ipv4_addrs(f->rule, &match); 129 130 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_SRC_IP_0_31, 131 (char *) &match.key->src, 132 (char *) &match.mask->src, 4); 133 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_DST_IP_0_31, 134 (char *) &match.key->dst, 135 (char *) &match.mask->dst, 4); 136 } 137 138 static void mlxsw_sp_flower_parse_ipv6(struct mlxsw_sp_acl_rule_info *rulei, 139 struct tc_cls_flower_offload *f) 140 { 141 struct flow_match_ipv6_addrs match; 142 143 flow_rule_match_ipv6_addrs(f->rule, &match); 144 145 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_SRC_IP_96_127, 146 &match.key->src.s6_addr[0x0], 147 &match.mask->src.s6_addr[0x0], 4); 148 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_SRC_IP_64_95, 149 &match.key->src.s6_addr[0x4], 150 &match.mask->src.s6_addr[0x4], 4); 151 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_SRC_IP_32_63, 152 &match.key->src.s6_addr[0x8], 153 &match.mask->src.s6_addr[0x8], 4); 154 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_SRC_IP_0_31, 155 &match.key->src.s6_addr[0xC], 156 &match.mask->src.s6_addr[0xC], 4); 157 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_DST_IP_96_127, 158 &match.key->dst.s6_addr[0x0], 159 &match.mask->dst.s6_addr[0x0], 4); 160 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_DST_IP_64_95, 161 &match.key->dst.s6_addr[0x4], 162 &match.mask->dst.s6_addr[0x4], 4); 163 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_DST_IP_32_63, 164 &match.key->dst.s6_addr[0x8], 165 &match.mask->dst.s6_addr[0x8], 4); 166 mlxsw_sp_acl_rulei_keymask_buf(rulei, MLXSW_AFK_ELEMENT_DST_IP_0_31, 167 &match.key->dst.s6_addr[0xC], 168 &match.mask->dst.s6_addr[0xC], 4); 169 } 170 171 static int mlxsw_sp_flower_parse_ports(struct mlxsw_sp *mlxsw_sp, 172 struct mlxsw_sp_acl_rule_info *rulei, 173 struct tc_cls_flower_offload *f, 174 u8 ip_proto) 175 { 176 const struct flow_rule *rule = tc_cls_flower_offload_flow_rule(f); 177 struct flow_match_ports match; 178 179 if (!flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_PORTS)) 180 return 0; 181 182 if (ip_proto != IPPROTO_TCP && ip_proto != IPPROTO_UDP) { 183 NL_SET_ERR_MSG_MOD(f->common.extack, "Only UDP and TCP keys are supported"); 184 dev_err(mlxsw_sp->bus_info->dev, "Only UDP and TCP keys are supported\n"); 185 return -EINVAL; 186 } 187 188 flow_rule_match_ports(rule, &match); 189 mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_DST_L4_PORT, 190 ntohs(match.key->dst), 191 ntohs(match.mask->dst)); 192 mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_SRC_L4_PORT, 193 ntohs(match.key->src), 194 ntohs(match.mask->src)); 195 return 0; 196 } 197 198 static int mlxsw_sp_flower_parse_tcp(struct mlxsw_sp *mlxsw_sp, 199 struct mlxsw_sp_acl_rule_info *rulei, 200 struct tc_cls_flower_offload *f, 201 u8 ip_proto) 202 { 203 const struct flow_rule *rule = tc_cls_flower_offload_flow_rule(f); 204 struct flow_match_tcp match; 205 206 if (!flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_TCP)) 207 return 0; 208 209 if (ip_proto != IPPROTO_TCP) { 210 NL_SET_ERR_MSG_MOD(f->common.extack, "TCP keys supported only for TCP"); 211 dev_err(mlxsw_sp->bus_info->dev, "TCP keys supported only for TCP\n"); 212 return -EINVAL; 213 } 214 215 flow_rule_match_tcp(rule, &match); 216 217 mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_TCP_FLAGS, 218 ntohs(match.key->flags), 219 ntohs(match.mask->flags)); 220 return 0; 221 } 222 223 static int mlxsw_sp_flower_parse_ip(struct mlxsw_sp *mlxsw_sp, 224 struct mlxsw_sp_acl_rule_info *rulei, 225 struct tc_cls_flower_offload *f, 226 u16 n_proto) 227 { 228 const struct flow_rule *rule = tc_cls_flower_offload_flow_rule(f); 229 struct flow_match_ip match; 230 231 if (!flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_IP)) 232 return 0; 233 234 if (n_proto != ETH_P_IP && n_proto != ETH_P_IPV6) { 235 NL_SET_ERR_MSG_MOD(f->common.extack, "IP keys supported only for IPv4/6"); 236 dev_err(mlxsw_sp->bus_info->dev, "IP keys supported only for IPv4/6\n"); 237 return -EINVAL; 238 } 239 240 flow_rule_match_ip(rule, &match); 241 242 mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_IP_TTL_, 243 match.key->ttl, match.mask->ttl); 244 245 mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_IP_ECN, 246 match.key->tos & 0x3, 247 match.mask->tos & 0x3); 248 249 mlxsw_sp_acl_rulei_keymask_u32(rulei, MLXSW_AFK_ELEMENT_IP_DSCP, 250 match.key->tos >> 2, 251 match.mask->tos >> 2); 252 253 return 0; 254 } 255 256 static int mlxsw_sp_flower_parse(struct mlxsw_sp *mlxsw_sp, 257 struct mlxsw_sp_acl_block *block, 258 struct mlxsw_sp_acl_rule_info *rulei, 259 struct tc_cls_flower_offload *f) 260 { 261 struct flow_rule *rule = tc_cls_flower_offload_flow_rule(f); 262 struct flow_dissector *dissector = rule->match.dissector; 263 u16 n_proto_mask = 0; 264 u16 n_proto_key = 0; 265 u16 addr_type = 0; 266 u8 ip_proto = 0; 267 int err; 268 269 if (dissector->used_keys & 270 ~(BIT(FLOW_DISSECTOR_KEY_CONTROL) | 271 BIT(FLOW_DISSECTOR_KEY_BASIC) | 272 BIT(FLOW_DISSECTOR_KEY_ETH_ADDRS) | 273 BIT(FLOW_DISSECTOR_KEY_IPV4_ADDRS) | 274 BIT(FLOW_DISSECTOR_KEY_IPV6_ADDRS) | 275 BIT(FLOW_DISSECTOR_KEY_PORTS) | 276 BIT(FLOW_DISSECTOR_KEY_TCP) | 277 BIT(FLOW_DISSECTOR_KEY_IP) | 278 BIT(FLOW_DISSECTOR_KEY_VLAN))) { 279 dev_err(mlxsw_sp->bus_info->dev, "Unsupported key\n"); 280 NL_SET_ERR_MSG_MOD(f->common.extack, "Unsupported key"); 281 return -EOPNOTSUPP; 282 } 283 284 mlxsw_sp_acl_rulei_priority(rulei, f->common.prio); 285 286 if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_CONTROL)) { 287 struct flow_match_control match; 288 289 flow_rule_match_control(rule, &match); 290 addr_type = match.key->addr_type; 291 } 292 293 if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_BASIC)) { 294 struct flow_match_basic match; 295 296 flow_rule_match_basic(rule, &match); 297 n_proto_key = ntohs(match.key->n_proto); 298 n_proto_mask = ntohs(match.mask->n_proto); 299 300 if (n_proto_key == ETH_P_ALL) { 301 n_proto_key = 0; 302 n_proto_mask = 0; 303 } 304 mlxsw_sp_acl_rulei_keymask_u32(rulei, 305 MLXSW_AFK_ELEMENT_ETHERTYPE, 306 n_proto_key, n_proto_mask); 307 308 ip_proto = match.key->ip_proto; 309 mlxsw_sp_acl_rulei_keymask_u32(rulei, 310 MLXSW_AFK_ELEMENT_IP_PROTO, 311 match.key->ip_proto, 312 match.mask->ip_proto); 313 } 314 315 if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_ETH_ADDRS)) { 316 struct flow_match_eth_addrs match; 317 318 flow_rule_match_eth_addrs(rule, &match); 319 mlxsw_sp_acl_rulei_keymask_buf(rulei, 320 MLXSW_AFK_ELEMENT_DMAC_32_47, 321 match.key->dst, 322 match.mask->dst, 2); 323 mlxsw_sp_acl_rulei_keymask_buf(rulei, 324 MLXSW_AFK_ELEMENT_DMAC_0_31, 325 match.key->dst + 2, 326 match.mask->dst + 2, 4); 327 mlxsw_sp_acl_rulei_keymask_buf(rulei, 328 MLXSW_AFK_ELEMENT_SMAC_32_47, 329 match.key->src, 330 match.mask->src, 2); 331 mlxsw_sp_acl_rulei_keymask_buf(rulei, 332 MLXSW_AFK_ELEMENT_SMAC_0_31, 333 match.key->src + 2, 334 match.mask->src + 2, 4); 335 } 336 337 if (flow_rule_match_key(rule, FLOW_DISSECTOR_KEY_VLAN)) { 338 struct flow_match_vlan match; 339 340 flow_rule_match_vlan(rule, &match); 341 if (mlxsw_sp_acl_block_is_egress_bound(block)) { 342 NL_SET_ERR_MSG_MOD(f->common.extack, "vlan_id key is not supported on egress"); 343 return -EOPNOTSUPP; 344 } 345 if (match.mask->vlan_id != 0) 346 mlxsw_sp_acl_rulei_keymask_u32(rulei, 347 MLXSW_AFK_ELEMENT_VID, 348 match.key->vlan_id, 349 match.mask->vlan_id); 350 if (match.mask->vlan_priority != 0) 351 mlxsw_sp_acl_rulei_keymask_u32(rulei, 352 MLXSW_AFK_ELEMENT_PCP, 353 match.key->vlan_priority, 354 match.mask->vlan_priority); 355 } 356 357 if (addr_type == FLOW_DISSECTOR_KEY_IPV4_ADDRS) 358 mlxsw_sp_flower_parse_ipv4(rulei, f); 359 360 if (addr_type == FLOW_DISSECTOR_KEY_IPV6_ADDRS) 361 mlxsw_sp_flower_parse_ipv6(rulei, f); 362 363 err = mlxsw_sp_flower_parse_ports(mlxsw_sp, rulei, f, ip_proto); 364 if (err) 365 return err; 366 err = mlxsw_sp_flower_parse_tcp(mlxsw_sp, rulei, f, ip_proto); 367 if (err) 368 return err; 369 370 err = mlxsw_sp_flower_parse_ip(mlxsw_sp, rulei, f, n_proto_key & n_proto_mask); 371 if (err) 372 return err; 373 374 return mlxsw_sp_flower_parse_actions(mlxsw_sp, block, rulei, 375 &f->rule->action, 376 f->common.extack); 377 } 378 379 int mlxsw_sp_flower_replace(struct mlxsw_sp *mlxsw_sp, 380 struct mlxsw_sp_acl_block *block, 381 struct tc_cls_flower_offload *f) 382 { 383 struct mlxsw_sp_acl_rule_info *rulei; 384 struct mlxsw_sp_acl_ruleset *ruleset; 385 struct mlxsw_sp_acl_rule *rule; 386 int err; 387 388 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, 389 f->common.chain_index, 390 MLXSW_SP_ACL_PROFILE_FLOWER, NULL); 391 if (IS_ERR(ruleset)) 392 return PTR_ERR(ruleset); 393 394 rule = mlxsw_sp_acl_rule_create(mlxsw_sp, ruleset, f->cookie, NULL, 395 f->common.extack); 396 if (IS_ERR(rule)) { 397 err = PTR_ERR(rule); 398 goto err_rule_create; 399 } 400 401 rulei = mlxsw_sp_acl_rule_rulei(rule); 402 err = mlxsw_sp_flower_parse(mlxsw_sp, block, rulei, f); 403 if (err) 404 goto err_flower_parse; 405 406 err = mlxsw_sp_acl_rulei_commit(rulei); 407 if (err) 408 goto err_rulei_commit; 409 410 err = mlxsw_sp_acl_rule_add(mlxsw_sp, rule); 411 if (err) 412 goto err_rule_add; 413 414 mlxsw_sp_acl_ruleset_put(mlxsw_sp, ruleset); 415 return 0; 416 417 err_rule_add: 418 err_rulei_commit: 419 err_flower_parse: 420 mlxsw_sp_acl_rule_destroy(mlxsw_sp, rule); 421 err_rule_create: 422 mlxsw_sp_acl_ruleset_put(mlxsw_sp, ruleset); 423 return err; 424 } 425 426 void mlxsw_sp_flower_destroy(struct mlxsw_sp *mlxsw_sp, 427 struct mlxsw_sp_acl_block *block, 428 struct tc_cls_flower_offload *f) 429 { 430 struct mlxsw_sp_acl_ruleset *ruleset; 431 struct mlxsw_sp_acl_rule *rule; 432 433 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, 434 f->common.chain_index, 435 MLXSW_SP_ACL_PROFILE_FLOWER, NULL); 436 if (IS_ERR(ruleset)) 437 return; 438 439 rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); 440 if (rule) { 441 mlxsw_sp_acl_rule_del(mlxsw_sp, rule); 442 mlxsw_sp_acl_rule_destroy(mlxsw_sp, rule); 443 } 444 445 mlxsw_sp_acl_ruleset_put(mlxsw_sp, ruleset); 446 } 447 448 int mlxsw_sp_flower_stats(struct mlxsw_sp *mlxsw_sp, 449 struct mlxsw_sp_acl_block *block, 450 struct tc_cls_flower_offload *f) 451 { 452 struct mlxsw_sp_acl_ruleset *ruleset; 453 struct mlxsw_sp_acl_rule *rule; 454 u64 packets; 455 u64 lastuse; 456 u64 bytes; 457 int err; 458 459 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, 460 f->common.chain_index, 461 MLXSW_SP_ACL_PROFILE_FLOWER, NULL); 462 if (WARN_ON(IS_ERR(ruleset))) 463 return -EINVAL; 464 465 rule = mlxsw_sp_acl_rule_lookup(mlxsw_sp, ruleset, f->cookie); 466 if (!rule) 467 return -EINVAL; 468 469 err = mlxsw_sp_acl_rule_get_stats(mlxsw_sp, rule, &packets, &bytes, 470 &lastuse); 471 if (err) 472 goto err_rule_get_stats; 473 474 flow_stats_update(&f->stats, bytes, packets, lastuse); 475 476 mlxsw_sp_acl_ruleset_put(mlxsw_sp, ruleset); 477 return 0; 478 479 err_rule_get_stats: 480 mlxsw_sp_acl_ruleset_put(mlxsw_sp, ruleset); 481 return err; 482 } 483 484 int mlxsw_sp_flower_tmplt_create(struct mlxsw_sp *mlxsw_sp, 485 struct mlxsw_sp_acl_block *block, 486 struct tc_cls_flower_offload *f) 487 { 488 struct mlxsw_sp_acl_ruleset *ruleset; 489 struct mlxsw_sp_acl_rule_info rulei; 490 int err; 491 492 memset(&rulei, 0, sizeof(rulei)); 493 err = mlxsw_sp_flower_parse(mlxsw_sp, block, &rulei, f); 494 if (err) 495 return err; 496 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, 497 f->common.chain_index, 498 MLXSW_SP_ACL_PROFILE_FLOWER, 499 &rulei.values.elusage); 500 501 /* keep the reference to the ruleset */ 502 return PTR_ERR_OR_ZERO(ruleset); 503 } 504 505 void mlxsw_sp_flower_tmplt_destroy(struct mlxsw_sp *mlxsw_sp, 506 struct mlxsw_sp_acl_block *block, 507 struct tc_cls_flower_offload *f) 508 { 509 struct mlxsw_sp_acl_ruleset *ruleset; 510 511 ruleset = mlxsw_sp_acl_ruleset_get(mlxsw_sp, block, 512 f->common.chain_index, 513 MLXSW_SP_ACL_PROFILE_FLOWER, NULL); 514 if (IS_ERR(ruleset)) 515 return; 516 /* put the reference to the ruleset kept in create */ 517 mlxsw_sp_acl_ruleset_put(mlxsw_sp, ruleset); 518 mlxsw_sp_acl_ruleset_put(mlxsw_sp, ruleset); 519 } 520