net/sched: cls_api: Support hardware miss to tc action

Bug #2012571 reported by William Tu
Affects                     Status         Importance  Assigned to  Milestone
linux-bluefield (Ubuntu)    Invalid        Undecided   Unassigned
Focal                       Fix Released   Medium      William Tu
Jammy                       Fix Committed  Undecided   Unassigned

Bug Description

* Explain the bug(s)

Currently the tc miss interface only supports resuming from a specific tc chain.
If a packet modification is done before a missable action such as CT and
there is a miss in CT after it, this may cause a mismatch when resuming by
re-executing the same chain in software, and a wrong packet count.
An example of this use case is stateless (static) NAT.

* brief explanation of fixes

Add support for missing to a specific action instance, and support
of per action hardware stats to update what was actually done in hardware.

* How to test

Create an OVS bridge with 2 mlx5 rep devices.
Enable HW offload and configure regular connection tracking OpenFlow rules
with packet modification before the CT action (such as stateless NAT):

e.g:

    ovs-ofctl del-flows br-ovs
    ovs-ofctl add-flow br-ovs arp,actions=normal
    ovs-ofctl add-flow br-ovs "in_port=1,table=0, ip,ct_state=-trk actions=mod_nw_dst=1.1.1.2,ct(table=1)"
    ovs-ofctl add-flow br-ovs "in_port=1,table=1, ip,ct_state=+trk+new actions=ct(commit),output:2"
    ovs-ofctl add-flow br-ovs "in_port=1,table=1, ip,ct_state=+trk+est, actions=output:2"
    ovs-ofctl add-flow br-ovs "in_port=2,table=0, ip,ct_state=-trk actions=ct(table=1)"
    ovs-ofctl add-flow br-ovs "in_port=2,table=1, ip,ct_state=+trk+est, actions=mod_nw_src=1.1.1.2,output:1"

Config VF1 ip 1.1.1.1, VF2 ip 1.1.1.2

For VF2, add route and static neighbour to floating (router) ip 5.5.5.5

Then run a TCP connection, e.g:

on mlx5 VF1 iperf -s #(which will listen on 1.1.1.2)
on mlx5 VF2 iperf -c 5.5.5.5 -t 10 #(this creates a packet from 1.1.1.1 -> 5.5.5.5, and nat will change this to 1.1.1.1->1.1.1.2)

Optional: In different terminal, while traffic is running, check for offload:
tcpdump -nnepi <RELEVANT_MLX5_REP> tcp
and see no iperf tcp packets.

Dump conntrack with relevant ip:
cat /proc/net/nf_conntrack | grep -i 1.1.1.1

See tuples were offloaded:
ipv4 2 tcp 6 src= 1.1.1.1 dst=1.1.1.2 sport=56394 dport=5001 packets=2 bytes=112 src=1.1.1.2 dst=1.1.1.1 sport=5001 dport=56394 packets=1777 bytes=665340 [HW_OFFLOAD] mark=0 zone=0 use=3

* What it could break.
offload for modifications + ct and tc packet count.
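
The conntrack check from the test steps above, as an added example that is not part of the original report: it parses nf_conntrack-format lines and reports, for each flow touching a given IP, whether the entry carries [HW_OFFLOAD]. The function names and the sample lines are constructed here; on a live system the input would be /proc/net/nf_conntrack.

```shell
# Constructed sample in /proc/net/nf_conntrack format (first line modelled on the
# entry quoted in the report; the other two are made-up non-offloaded flows).
SAMPLE='ipv4 2 tcp 6 src=1.1.1.1 dst=1.1.1.2 sport=56394 dport=5001 packets=2 bytes=112 src=1.1.1.2 dst=1.1.1.1 sport=5001 dport=56394 packets=1777 bytes=665340 [HW_OFFLOAD] mark=0 zone=0 use=3
ipv4 2 tcp 6 431990 ESTABLISHED src=1.1.1.1 dst=1.1.1.2 sport=40000 dport=22 packets=10 bytes=800 src=1.1.1.2 dst=1.1.1.1 sport=22 dport=40000 packets=8 bytes=700 [ASSURED] mark=0 zone=0 use=2
ipv4 2 udp 17 29 src=10.0.0.5 dst=10.0.0.9 sport=5353 dport=53 packets=1 bytes=60 [UNREPLIED] src=10.0.0.9 dst=10.0.0.5 sport=53 dport=5353 packets=0 bytes=0 mark=0 zone=0 use=2'

# offload_report IP: read conntrack lines on stdin, print one summary line per
# entry whose original or reply tuple contains IP exactly.
offload_report() {
    awk -v ip="$1" '
    {
        split("", seen); split("", f); off = "no"
        for (i = 1; i <= NF; i++) {
            if ($i == "[HW_OFFLOAD]") { off = "yes"; continue }
            if (split($i, kv, "=") != 2) continue
            # src/dst/sport/dport/packets occur twice: original, then reply
            dir = (++seen[kv[1]] == 1) ? "orig" : "reply"
            f[dir, kv[1]] = kv[2]
        }
        if (f["orig","src"] != ip && f["orig","dst"] != ip &&
            f["reply","src"] != ip && f["reply","dst"] != ip) next
        printf "%s %s:%s->%s:%s offloaded=%s orig_pkts=%s reply_pkts=%s\n",
            $3, f["orig","src"], f["orig","sport"], f["orig","dst"],
            f["orig","dport"], off, f["orig","packets"], f["reply","packets"]
    }'
}

# all_offloaded IP: succeed only if at least one entry matches IP and every
# matching entry carries the [HW_OFFLOAD] flag.
all_offloaded() {
    report=$(offload_report "$1")
    [ -n "$report" ] || return 1
    ! printf '%s\n' "$report" | grep -q 'offloaded=no'
}

printf '%s\n' "$SAMPLE" | offload_report 1.1.1.1
```

An exact address match is used instead of the substring match that `grep -i 1.1.1.1` performs, so 11.1.1.10 or 1.1.1.11 would not be counted as the flow under test.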

Stefan Bader (smb)
Changed in linux-bluefield (Ubuntu Focal):
assignee: nobody → William Tu (wtu)
importance: Undecided → Medium
status: New → In Progress
Changed in linux-bluefield (Ubuntu):
status: New → Invalid
Changed in linux-bluefield (Ubuntu Focal):
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-bluefield/5.4.0-1061.67 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: kernel-spammed-focal-linux-bluefield verification-needed-focal
Bartlomiej Zolnierkiewicz (bzolnier) wrote :

This bug is awaiting verification that the linux-bluefield/5.4.0-1062.68 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Bartlomiej Zolnierkiewicz (bzolnier) wrote :

Patches to revert this functionality have been submitted using the same BugLink and applied in linux-bluefield/5.4.0-1062.68 to fix the regression.

Feysel Mohammed (feyselm) wrote :

Hello,

using 5.4.0-1062-bluefield, we see the tuples were offloaded and we also see the offload entries.

Thanks

tags: added: verification-done-focal
removed: verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-bluefield - 5.4.0-1062.68

---------------
linux-bluefield (5.4.0-1062.68) focal; urgency=medium

  * focal/linux-bluefield: 5.4.0-1062.68 -proposed tracker (LP: #2016751)

  * CVE-2023-1829
    - [Config] bluefield: Make sure CONFIG_NET_CLS_TCINDEX is not available

  * net/sched: cls_api: Support hardware miss to tc action (LP: #2012571)
    - Revert "net/sched: flower: fix fl_change() error recovery path"
    - Revert "net/sched: flower: Support hardware miss to tc action"
    - Revert "net/sched: flower: Move filter handle initialization earlier"
    - Revert "net/sched: cls_api: Support hardware miss to tc action"
    - Revert "UBUNTU: SAUCE: net/sched: Provide act to offload action"

  [ Ubuntu: 5.4.0-148.165 ]

  * focal/linux: 5.4.0-148.165 -proposed tracker (LP: #2016777)
  * CVE-2023-1829
    - net/sched: Retire tcindex classifier
    - [Config]: Make sure CONFIG_NET_CLS_TCINDEX is not available

 -- Bartlomiej Zolnierkiewicz <email address hidden> Thu, 27 Apr 2023 16:48:23 +0200

Changed in linux-bluefield (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in linux-bluefield (Ubuntu Jammy):
status: New → Fix Committed
Bartlomiej Zolnierkiewicz (bzolnier) wrote :

This bug is awaiting verification that the linux-bluefield/5.15.0-1019.21 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-jammy
Feysel Mohammed (feyselm) wrote :

Hello,

using 5.15.0-1019-bluefield, we see the tuples were offloaded and we also see the offload entries.

Thanks

tags: added: verification-done-jammy
removed: verification-needed-jammy