On 5/6/2020 5:16 AM, xiangxia.m....@gmail.com wrote:
> From: Tonghao Zhang <xiangxia.m....@gmail.com>
>
> The commit 0a7fcb78cc21 ("net/mlx5e: Support inner header rewrite with
> goto action"), will decapsulate the tunnel packets if there is a goto
> action in chain 0. But in some cases, we don't want to do that, for example:
>
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 0 \
>     flower enc_dst_ip 2.2.2.100 enc_dst_port 4789 \
>     action goto chain 2
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 2 \
>     flower dst_mac 00:11:22:33:44:55 enc_src_ip 2.2.2.200 \
>     enc_dst_ip 2.2.2.100 enc_dst_port 4789 enc_key_id 100 \
>     action tunnel_key unset action mirred egress redirect dev enp130s0f0_0
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 2 \
>     flower dst_mac 00:11:22:33:44:66 enc_src_ip 2.2.2.200 \
>     enc_dst_ip 2.2.2.100 enc_dst_port 4789 enc_key_id 200 \
>     action tunnel_key unset action mirred egress redirect dev enp130s0f0_1
>
> In this patch, if there is a pedit action in chain, do the decapsulation
> action.
> If there are pedit and goto actions, do the decapsulation and id mapping
> action.

We can't do the decap only if there is a pedit action; we must be
consistent for the matches. Consider the following rules:

tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 0 \
    flower dst_ip 1.1.1.1 enc_src_ip 2.2.2.200 enc_dst_ip 2.2.2.100 \
    enc_dst_port 4789 enc_key_id 100 dst_mac 00:11:22:33:44:55 \
    action pedit ex munge ip dst set 3.1.1.1 \
    action goto chain 1
# this will do DECAP + REWRITE (originally inner ip, now outer ip after decap) + GOTO

tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 0 \
    flower dst_ip 1.1.1.2 enc_src_ip 2.2.2.200 enc_dst_ip 2.2.2.100 \
    enc_dst_port 4789 enc_key_id 100 dst_mac 00:11:22:33:44:55 \
    action goto chain 1
# this will just GOTO

tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 1 \
    flower src_ip 1.1.1.192 enc_src_ip 2.2.2.200 enc_dst_ip 2.2.2.100 \
    enc_dst_port 4789 enc_key_id 100 dst_mac 00:11:22:33:44:55 \
    action pedit ex munge ip dst set 3.1.1.192 \
    action goto chain 1

With your change, match src_ip 1.1.1.192 here, should match inner headers
or outer headers? As we might have come from the decapped path (inner
dst_ip 1.1.1.1) or not (inner dst_ip 1.1.1.2), depending on inner dst ip.

Also, in tc the packet is already decapsulated by the tunnel device before
it gets to tc ingress classification; tunnel key unset just removes the
tunnel info metadata so we can't match against it. It doesn't decapsulate it.

This flow:

$ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 2 \
    flower action mirred egress redirect dev enp130s0f0_0

passes decapsulated packets to enp130s0f0_0, without specifying tunnel key
unset. We want to follow this implicit decapsulation.

[...]

> 9 test units:
> [1]:
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 0 \
>     flower enc_dst_ip 2.2.2.100 enc_dst_port 4789 \
>     action goto chain 2
> $ tc filter add dev $VXLAN protocol ip parent ffff: prio 1 chain 2 \
>     flower enc_src_ip 2.2.2.200 enc_dst_ip 2.2.2.100 \
>     enc_dst_port 4789 enc_key_id 100 dst_mac 00:11:22:33:44:55 \
>     action tunnel_key unset \
>     action mirred egress redirect dev enp130s0f0_0
> [2]:
> $ tc filter add dev $VXLAN protocol ip