-
Steen Hegelund authored
This adds the following TC flower filter keys to Sparx5 for IS2: - ipv4_addr (sip and dip) - ipv6_addr (sip and dip) - control (IPv4 fragments) - portnum (tcp and udp port numbers) - basic (L3 and L4 protocol) - vlan (outer vlan tag info) - tcp (tcp flags) - ip (tos field) as well as an 128 bit keyfield interface on the VCAP API to set the IPv6 addresses. IS2 supports the classified VLAN information which amounts to the outer VLAN info in case of multiple tags. Here are some examples of the tc flower filter operations that are now supported for the IS2 VCAP: - IPv4 Addresses tc filter add dev eth12 ingress chain 8000000 prio 12 handle 12 \ protocol ip flower skip_sw dst_ip 1.0.1.1 src_ip 2.0.2.2 \ action trap action goto chain 81000000 - IPv6 Addresses tc filter add dev eth12 ingress chain 8000000 prio 13 handle 13 \ protocol ipv6 flower skip_sw dst_ip 1::1:1 src_ip 2::2:2 \ action trap action goto chain 81000000 - IPv4 fragments tc filter add dev eth12 ingress chain 8000000 prio 14 handle 14 \ protocol ip flower skip_sw dst_ip 3.0.3.3 src_ip 2.0.2.2 \ ip_flags frag/nofirstfrag action trap action goto chain 81000000 - TCP and UDP portnumbers tc filter add dev eth12 ingress chain 8000000 prio 21 handle 21 \ protocol ip flower skip_sw dst_ip 8.8.8.8 src_ip 2.0.2.2 \ ip_proto tcp dst_port 100 src_port 12000 action trap action goto chain 81000000 tc filter add dev eth12 ingress chain 8000000 prio 23 handle 23 \ protocol ipv6 flower skip_sw dst_ip 5::5:5 src_ip 2::2:2 \ ip_proto tcp dst_port 300 src_port 13000 action trap action goto chain 81000000 - Layer 3 and Layer 4 protocol info tc filter add dev eth12 ingress chain 8000000 prio 28 handle 28 \ protocol ipv4 flower skip_sw dst_ip 9.0.9.9 src_ip 2.0.2.2 \ ip_proto icmp action trap action goto chain 81000000 - VLAN tag info (outer tag) tc filter add dev eth12 ingress chain 8000000 prio 29 handle 29 \ protocol 802.1q flower skip_sw vlan_id 600 vlan_prio 6 \ vlan_ethtype ipv4 action trap action goto chain 81000000 tc filter add dev eth12 ingress chain 8000000 prio 31 handle 31 \ protocol 802.1q flower skip_sw vlan_id 600 vlan_prio 5 \ vlan_ethtype ipv6 action trap action goto chain 81000000 - TCP flags tc filter add dev eth12 ingress chain 8000000 prio 15 handle 15 \ protocol ip flower skip_sw dst_ip 4.0.4.4 src_ip 2.0.2.2 \ ip_proto tcp tcp_flags 0x2a/0x3f action trap action goto chain 81000000 - IP info (IPv4 TOS field) tc filter add dev eth12 ingress chain 8000000 prio 16 handle 16 \ protocol ip flower skip_sw ip_tos 0x35 dst_ip 5.0.5.5 \ src_ip 2.0.2.2 action trap action goto chain 81000000 Notes: - The "protocol all" selection is not supported yet. - The MAC address rule now needs to use non-ip and non "protocol all". Here is an example: tc filter add dev eth12 ingress chain 8000000 prio 10 handle 10 \ protocol 0xbeef flower skip_sw \ dst_mac 0a:0b:0c:0d:0e:0f \ src_mac 2:0:0:0:0:1 \ action trap action goto chain 81000000 - The VLAN rules use classified VLAN information, and to get the classification information into the frame metadata, the ingress port need to be added to a bridge with the VID and vlan filtering enabled, like this (using VID 600 and four ports eth12, eth13, eth14 and eth15): ip link add name br5 type bridge ip link set dev br5 up ip link set eth12 master br5 ip link set eth13 master br5 ip link set eth14 master br5 ip link set eth15 master br5 sysctl -w net.ipv6.conf.eth12.disable_ipv6=1 sysctl -w net.ipv6.conf.eth13.disable_ipv6=1 sysctl -w net.ipv6.conf.eth14.disable_ipv6=1 sysctl -w net.ipv6.conf.eth15.disable_ipv6=1 sysctl -w net.ipv6.conf.br5.disable_ipv6=1 ip link set dev br5 type bridge vlan_filtering 1 bridge vlan add dev eth12 vid 600 bridge vlan add dev eth13 vid 600 bridge vlan add dev eth14 vid 600 bridge vlan add dev eth15 vid 600 bridge vlan add dev br5 vid 600 self Signed-off-by:Steen Hegelund <steen.hegelund@microchip.com> Tested-by:
Casper Andersson <casper.casan@gmail.com> Signed-off-by:
David S. Miller <davem@davemloft.net>
d6c2964d
