• Yoshiki Komachi's avatar
    cls_flower: Fix inability to match GRE/IPIP packets · 6de6e46d
    Yoshiki Komachi authored
    When a packet of a new flow arrives in openvswitch kernel module, it dissects
    the packet and passes the extracted flow key to ovs-vswtichd daemon. If hw-
    offload configuration is enabled, the daemon creates a new TC flower entry to
    bypass openvswitch kernel module for the flow (TC flower can also offload flows
    to NICs but this time that does not matter).
    
    In this processing flow, I found the following issue in cases of GRE/IPIP
    packets.
    
    When ovs_flow_key_extract() in openvswitch module parses a packet of a new
    GRE (or IPIP) flow received on non-tunneling vports, it extracts information
    of the outer IP header for ip_proto/src_ip/dst_ip match keys.
    
    This means ovs-vswitchd creates a TC flower entry with IP protocol/addresses
    match keys whose values are those of the outer IP header. OTOH, TC flower,
    which uses flow_dissector (different parser from openvswitch module), extracts
    information of the inner IP header.
    
    The following flow is an example to describe the issue in more detail.
    
       <----------- Outer IP -----------------> <---------- Inner IP ---------->
      +----------+--------------+--------------+----------+----------+----------+
      | ip_proto | src_ip       | dst_ip       | ip_proto | src_ip   | dst_ip   |
      | 47 (GRE) | 192.168.10.1 | 192.168.10.2 | 6 (TCP)  | 10.0.0.1 | 10.0.0.2 |
      +----------+--------------+--------------+----------+----------+----------+
    
    In this case, TC flower entry and extracted information are shown as below:
    
      - ovs-vswitchd creates TC flower entry with:
          - ip_proto: 47
          - src_ip: 192.168.10.1
          - dst_ip: 192.168.10.2
    
      - TC flower extracts below for IP header matches:
          - ip_proto: 6
          - src_ip: 10.0.0.1
          - dst_ip: 10.0.0.2
    
    Thus, GRE or IPIP packets never match the TC flower entry, as each
    dissector behaves differently.
    
    IMHO, the behavior of TC flower (flow dissector) does not look correct,
    as ip_proto/src_ip/dst_ip in TC flower match means the outermost IP
    header information except for GRE/IPIP cases. This patch adds a new
    flow_dissector flag FLOW_DISSECTOR_F_STOP_BEFORE_ENCAP which skips
    dissection of the encapsulated inner GRE/IPIP header in TC flower
    classifier.
    Signed-off-by: default avatarYoshiki Komachi <komachi.yoshiki@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    6de6e46d
flow_dissector.h 9.94 KB