mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-19 17:11:03 +00:00
dbe69e4337
Core:
- BPF:
- add syscall program type and libbpf support for generating
instructions and bindings for in-kernel BPF loaders (BPF loaders
for BPF), this is a stepping stone for signed BPF programs
- infrastructure to migrate TCP child sockets from one listener
to another in the same reuseport group/map to improve flexibility
of service hand-off/restart
- add broadcast support to XDP redirect
- allow bypass of the lockless qdisc to improving performance
(for pktgen: +23% with one thread, +44% with 2 threads)
- add a simpler version of "DO_ONCE()" which does not require
jump labels, intended for slow-path usage
- virtio/vsock: introduce SOCK_SEQPACKET support
- add getsocketopt to retrieve netns cookie
- ip: treat lowest address of a IPv4 subnet as ordinary unicast address
allowing reclaiming of precious IPv4 addresses
- ipv6: use prandom_u32() for ID generation
- ip: add support for more flexible field selection for hashing
across multi-path routes (w/ offload to mlxsw)
- icmp: add support for extended RFC 8335 PROBE (ping)
- seg6: add support for SRv6 End.DT46 behavior
- mptcp:
- DSS checksum support (RFC 8684) to detect middlebox meddling
- support Connection-time 'C' flag
- time stamping support
- sctp: packetization Layer Path MTU Discovery (RFC 8899)
- xfrm: speed up state addition with seq set
- WiFi:
- hidden AP discovery on 6 GHz and other HE 6 GHz improvements
- aggregation handling improvements for some drivers
- minstrel improvements for no-ack frames
- deferred rate control for TXQs to improve reaction times
- switch from round robin to virtual time-based airtime scheduler
- add trace points:
- tcp checksum errors
- openvswitch - action execution, upcalls
- socket errors via sk_error_report
Device APIs:
- devlink: add rate API for hierarchical control of max egress rate
of virtual devices (VFs, SFs etc.)
- don't require RCU read lock to be held around BPF hooks
in NAPI context
- page_pool: generic buffer recycling
New hardware/drivers:
- mobile:
- iosm: PCIe Driver for Intel M.2 Modem
- support for Qualcomm MSM8998 (ipa)
- WiFi: Qualcomm QCN9074 and WCN6855 PCI devices
- sparx5: Microchip SparX-5 family of Enterprise Ethernet switches
- Mellanox BlueField Gigabit Ethernet (control NIC of the DPU)
- NXP SJA1110 Automotive Ethernet 10-port switch
- Qualcomm QCA8327 switch support (qca8k)
- Mikrotik 10/25G NIC (atl1c)
Driver changes:
- ACPI support for some MDIO, MAC and PHY devices from Marvell and NXP
(our first foray into MAC/PHY description via ACPI)
- HW timestamping (PTP) support: bnxt_en, ice, sja1105, hns3, tja11xx
- Mellanox/Nvidia NIC (mlx5)
- NIC VF offload of L2 bridging
- support IRQ distribution to Sub-functions
- Marvell (prestera):
- add flower and match all
- devlink trap
- link aggregation
- Netronome (nfp): connection tracking offload
- Intel 1GE (igc): add AF_XDP support
- Marvell DPU (octeontx2): ingress ratelimit offload
- Google vNIC (gve): new ring/descriptor format support
- Qualcomm mobile (rmnet & ipa): inline checksum offload support
- MediaTek WiFi (mt76)
- mt7915 MSI support
- mt7915 Tx status reporting
- mt7915 thermal sensors support
- mt7921 decapsulation offload
- mt7921 enable runtime pm and deep sleep
- Realtek WiFi (rtw88)
- beacon filter support
- Tx antenna path diversity support
- firmware crash information via devcoredump
- Qualcomm 60GHz WiFi (wcn36xx)
- Wake-on-WLAN support with magic packets and GTK rekeying
- Micrel PHY (ksz886x/ksz8081): add cable test support
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE6jPA+I1ugmIBA4hXMUZtbf5SIrsFAmDb+fUACgkQMUZtbf5S
Irs2Jg//aqN0Q8CgIvYCVhPxQw1tY7pTAbgyqgBZ01vwjyvtIOgJiWzSfFEU84mX
M8fcpFX5eTKrOyJ9S6UFfQ/JG114n3hjAxFFT4Hxk2gC1Tg0vHuFQTDHcUl28bUE
mTm61e1YpdorILnv2k5JVQ/wu0vs5QKDrjcYcrcPnh+j93wvnPOgAfDBV95nZzjS
OTt4q2fR8GzLcSYWWsclMbDNkzyTG50RW/0Yd6aGjr5QGvXfrMeXfUJNz533PMf/
w5lNyjRKv+x9mdTZJzU0+msNUrZgUdRz7W8Ey8lD3hJZRE+D6/uU7FtsE8Mi3+uc
HWxeZUyzA3YF1MfVl/eesbxyPT7S/OkLzk4O5B35FbqP0YltaP+bOjq1/nM3ce1/
io9Dx9pIl/2JANUgRCAtLi8Z2dkvRoqTaBxZ/nPudCCljFwDwl6joTMJ7Ow22i5Y
5aIkcXFmZq4LbJDiHvbTlqT7yiuaEvu2UK/23bSIg/K3nF4eAmkY9Y1EgiMf60OF
78Ttw0wk2tUegwaS5MZnCniKBKDyl9gM2F6rbZ/IxQRR2LTXFc1B6gC+ynUxgXfh
Ub8O++6qGYGYZ0XvQH4pzco79p3qQWBTK5beIp2eu6BOAjBVIXq4AibUfoQLACsu
hX7jMPYd0kc3WFgUnKgQP8EnjFSwbf4XiaE7fIXvWBY8hzCw2h4=
=LvtX
-----END PGP SIGNATURE-----
Merge tag 'net-next-5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
Pull networking updates from Jakub Kicinski:
"Core:
- BPF:
- add syscall program type and libbpf support for generating
instructions and bindings for in-kernel BPF loaders (BPF loaders
for BPF), this is a stepping stone for signed BPF programs
- infrastructure to migrate TCP child sockets from one listener to
another in the same reuseport group/map to improve flexibility
of service hand-off/restart
- add broadcast support to XDP redirect
- allow bypass of the lockless qdisc to improving performance (for
pktgen: +23% with one thread, +44% with 2 threads)
- add a simpler version of "DO_ONCE()" which does not require jump
labels, intended for slow-path usage
- virtio/vsock: introduce SOCK_SEQPACKET support
- add getsocketopt to retrieve netns cookie
- ip: treat lowest address of a IPv4 subnet as ordinary unicast
address allowing reclaiming of precious IPv4 addresses
- ipv6: use prandom_u32() for ID generation
- ip: add support for more flexible field selection for hashing
across multi-path routes (w/ offload to mlxsw)
- icmp: add support for extended RFC 8335 PROBE (ping)
- seg6: add support for SRv6 End.DT46 behavior
- mptcp:
- DSS checksum support (RFC 8684) to detect middlebox meddling
- support Connection-time 'C' flag
- time stamping support
- sctp: packetization Layer Path MTU Discovery (RFC 8899)
- xfrm: speed up state addition with seq set
- WiFi:
- hidden AP discovery on 6 GHz and other HE 6 GHz improvements
- aggregation handling improvements for some drivers
- minstrel improvements for no-ack frames
- deferred rate control for TXQs to improve reaction times
- switch from round robin to virtual time-based airtime scheduler
- add trace points:
- tcp checksum errors
- openvswitch - action execution, upcalls
- socket errors via sk_error_report
Device APIs:
- devlink: add rate API for hierarchical control of max egress rate
of virtual devices (VFs, SFs etc.)
- don't require RCU read lock to be held around BPF hooks in NAPI
context
- page_pool: generic buffer recycling
New hardware/drivers:
- mobile:
- iosm: PCIe Driver for Intel M.2 Modem
- support for Qualcomm MSM8998 (ipa)
- WiFi: Qualcomm QCN9074 and WCN6855 PCI devices
- sparx5: Microchip SparX-5 family of Enterprise Ethernet switches
- Mellanox BlueField Gigabit Ethernet (control NIC of the DPU)
- NXP SJA1110 Automotive Ethernet 10-port switch
- Qualcomm QCA8327 switch support (qca8k)
- Mikrotik 10/25G NIC (atl1c)
Driver changes:
- ACPI support for some MDIO, MAC and PHY devices from Marvell and
NXP (our first foray into MAC/PHY description via ACPI)
- HW timestamping (PTP) support: bnxt_en, ice, sja1105, hns3, tja11xx
- Mellanox/Nvidia NIC (mlx5)
- NIC VF offload of L2 bridging
- support IRQ distribution to Sub-functions
- Marvell (prestera):
- add flower and match all
- devlink trap
- link aggregation
- Netronome (nfp): connection tracking offload
- Intel 1GE (igc): add AF_XDP support
- Marvell DPU (octeontx2): ingress ratelimit offload
- Google vNIC (gve): new ring/descriptor format support
- Qualcomm mobile (rmnet & ipa): inline checksum offload support
- MediaTek WiFi (mt76)
- mt7915 MSI support
- mt7915 Tx status reporting
- mt7915 thermal sensors support
- mt7921 decapsulation offload
- mt7921 enable runtime pm and deep sleep
- Realtek WiFi (rtw88)
- beacon filter support
- Tx antenna path diversity support
- firmware crash information via devcoredump
- Qualcomm WiFi (wcn36xx)
- Wake-on-WLAN support with magic packets and GTK rekeying
- Micrel PHY (ksz886x/ksz8081): add cable test support"
* tag 'net-next-5.14' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next: (2168 commits)
tcp: change ICSK_CA_PRIV_SIZE definition
tcp_yeah: check struct yeah size at compile time
gve: DQO: Fix off by one in gve_rx_dqo()
stmmac: intel: set PCI_D3hot in suspend
stmmac: intel: Enable PHY WOL option in EHL
net: stmmac: option to enable PHY WOL with PMT enabled
net: say "local" instead of "static" addresses in ndo_dflt_fdb_{add,del}
net: use netdev_info in ndo_dflt_fdb_{add,del}
ptp: Set lookup cookie when creating a PTP PPS source.
net: sock: add trace for socket errors
net: sock: introduce sk_error_report
net: dsa: replay the local bridge FDB entries pointing to the bridge dev too
net: dsa: ensure during dsa_fdb_offload_notify that dev_hold and dev_put are on the same dev
net: dsa: include fdb entries pointing to bridge in the host fdb list
net: dsa: include bridge addresses which are local in the host fdb list
net: dsa: sync static FDB entries on foreign interfaces to hardware
net: dsa: install the host MDB and FDB entries in the master's RX filter
net: dsa: reference count the FDB addresses at the cross-chip notifier level
net: dsa: introduce a separate cross-chip notifier type for host FDBs
net: dsa: reference count the MDB entries at the cross-chip notifier level
...
627 lines
25 KiB
ReStructuredText
627 lines
25 KiB
ReStructuredText
.. SPDX-License-Identifier: GPL-2.0
|
|
|
|
============
|
|
Devlink Trap
|
|
============
|
|
|
|
Background
|
|
==========
|
|
|
|
Devices capable of offloading the kernel's datapath and perform functions such
|
|
as bridging and routing must also be able to send specific packets to the
|
|
kernel (i.e., the CPU) for processing.
|
|
|
|
For example, a device acting as a multicast-aware bridge must be able to send
|
|
IGMP membership reports to the kernel for processing by the bridge module.
|
|
Without processing such packets, the bridge module could never populate its
|
|
MDB.
|
|
|
|
As another example, consider a device acting as router which has received an IP
|
|
packet with a TTL of 1. Upon routing the packet the device must send it to the
|
|
kernel so that it will route it as well and generate an ICMP Time Exceeded
|
|
error datagram. Without letting the kernel route such packets itself, utilities
|
|
such as ``traceroute`` could never work.
|
|
|
|
The fundamental ability of sending certain packets to the kernel for processing
|
|
is called "packet trapping".
|
|
|
|
Overview
|
|
========
|
|
|
|
The ``devlink-trap`` mechanism allows capable device drivers to register their
|
|
supported packet traps with ``devlink`` and report trapped packets to
|
|
``devlink`` for further analysis.
|
|
|
|
Upon receiving trapped packets, ``devlink`` will perform a per-trap packets and
|
|
bytes accounting and potentially report the packet to user space via a netlink
|
|
event along with all the provided metadata (e.g., trap reason, timestamp, input
|
|
port). This is especially useful for drop traps (see :ref:`Trap-Types`)
|
|
as it allows users to obtain further visibility into packet drops that would
|
|
otherwise be invisible.
|
|
|
|
The following diagram provides a general overview of ``devlink-trap``::
|
|
|
|
Netlink event: Packet w/ metadata
|
|
Or a summary of recent drops
|
|
^
|
|
|
|
|
Userspace |
|
|
+---------------------------------------------------+
|
|
Kernel |
|
|
|
|
|
+-------+--------+
|
|
| |
|
|
| drop_monitor |
|
|
| |
|
|
+-------^--------+
|
|
|
|
|
| Non-control traps
|
|
|
|
|
+----+----+
|
|
| | Kernel's Rx path
|
|
| devlink | (non-drop traps)
|
|
| |
|
|
+----^----+ ^
|
|
| |
|
|
+-----------+
|
|
|
|
|
+-------+-------+
|
|
| |
|
|
| Device driver |
|
|
| |
|
|
+-------^-------+
|
|
Kernel |
|
|
+---------------------------------------------------+
|
|
Hardware |
|
|
| Trapped packet
|
|
|
|
|
+--+---+
|
|
| |
|
|
| ASIC |
|
|
| |
|
|
+------+
|
|
|
|
.. _Trap-Types:
|
|
|
|
Trap Types
|
|
==========
|
|
|
|
The ``devlink-trap`` mechanism supports the following packet trap types:
|
|
|
|
* ``drop``: Trapped packets were dropped by the underlying device. Packets
|
|
are only processed by ``devlink`` and not injected to the kernel's Rx path.
|
|
The trap action (see :ref:`Trap-Actions`) can be changed.
|
|
* ``exception``: Trapped packets were not forwarded as intended by the
|
|
underlying device due to an exception (e.g., TTL error, missing neighbour
|
|
entry) and trapped to the control plane for resolution. Packets are
|
|
processed by ``devlink`` and injected to the kernel's Rx path. Changing the
|
|
action of such traps is not allowed, as it can easily break the control
|
|
plane.
|
|
* ``control``: Trapped packets were trapped by the device because these are
|
|
control packets required for the correct functioning of the control plane.
|
|
For example, ARP request and IGMP query packets. Packets are injected to
|
|
the kernel's Rx path, but not reported to the kernel's drop monitor.
|
|
Changing the action of such traps is not allowed, as it can easily break
|
|
the control plane.
|
|
|
|
.. _Trap-Actions:
|
|
|
|
Trap Actions
|
|
============
|
|
|
|
The ``devlink-trap`` mechanism supports the following packet trap actions:
|
|
|
|
* ``trap``: The sole copy of the packet is sent to the CPU.
|
|
* ``drop``: The packet is dropped by the underlying device and a copy is not
|
|
sent to the CPU.
|
|
* ``mirror``: The packet is forwarded by the underlying device and a copy is
|
|
sent to the CPU.
|
|
|
|
Generic Packet Traps
|
|
====================
|
|
|
|
Generic packet traps are used to describe traps that trap well-defined packets
|
|
or packets that are trapped due to well-defined conditions (e.g., TTL error).
|
|
Such traps can be shared by multiple device drivers and their description must
|
|
be added to the following table:
|
|
|
|
.. list-table:: List of Generic Packet Traps
|
|
:widths: 5 5 90
|
|
|
|
* - Name
|
|
- Type
|
|
- Description
|
|
* - ``source_mac_is_multicast``
|
|
- ``drop``
|
|
- Traps incoming packets that the device decided to drop because of a
|
|
multicast source MAC
|
|
* - ``vlan_tag_mismatch``
|
|
- ``drop``
|
|
- Traps incoming packets that the device decided to drop in case of VLAN
|
|
tag mismatch: The ingress bridge port is not configured with a PVID and
|
|
the packet is untagged or prio-tagged
|
|
* - ``ingress_vlan_filter``
|
|
- ``drop``
|
|
- Traps incoming packets that the device decided to drop in case they are
|
|
tagged with a VLAN that is not configured on the ingress bridge port
|
|
* - ``ingress_spanning_tree_filter``
|
|
- ``drop``
|
|
- Traps incoming packets that the device decided to drop in case the STP
|
|
state of the ingress bridge port is not "forwarding"
|
|
* - ``port_list_is_empty``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop in case they need to be
|
|
flooded (e.g., unknown unicast, unregistered multicast) and there are
|
|
no ports the packets should be flooded to
|
|
* - ``port_loopback_filter``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop in case after layer 2
|
|
forwarding the only port from which they should be transmitted through
|
|
is the port from which they were received
|
|
* - ``blackhole_route``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop in case they hit a
|
|
blackhole route
|
|
* - ``ttl_value_is_too_small``
|
|
- ``exception``
|
|
- Traps unicast packets that should be forwarded by the device whose TTL
|
|
was decremented to 0 or less
|
|
* - ``tail_drop``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they could not be
|
|
enqueued to a transmission queue which is full
|
|
* - ``non_ip``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they need to
|
|
undergo a layer 3 lookup, but are not IP or MPLS packets
|
|
* - ``uc_dip_over_mc_dmac``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they need to be
|
|
routed and they have a unicast destination IP and a multicast destination
|
|
MAC
|
|
* - ``dip_is_loopback_address``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they need to be
|
|
routed and their destination IP is the loopback address (i.e., 127.0.0.0/8
|
|
and ::1/128)
|
|
* - ``sip_is_mc``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they need to be
|
|
routed and their source IP is multicast (i.e., 224.0.0.0/8 and ff::/8)
|
|
* - ``sip_is_loopback_address``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they need to be
|
|
routed and their source IP is the loopback address (i.e., 127.0.0.0/8 and ::1/128)
|
|
* - ``ip_header_corrupted``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they need to be
|
|
routed and their IP header is corrupted: wrong checksum, wrong IP version
|
|
or too short Internet Header Length (IHL)
|
|
* - ``ipv4_sip_is_limited_bc``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they need to be
|
|
routed and their source IP is limited broadcast (i.e., 255.255.255.255/32)
|
|
* - ``ipv6_mc_dip_reserved_scope``
|
|
- ``drop``
|
|
- Traps IPv6 packets that the device decided to drop because they need to
|
|
be routed and their IPv6 multicast destination IP has a reserved scope
|
|
(i.e., ffx0::/16)
|
|
* - ``ipv6_mc_dip_interface_local_scope``
|
|
- ``drop``
|
|
- Traps IPv6 packets that the device decided to drop because they need to
|
|
be routed and their IPv6 multicast destination IP has an interface-local scope
|
|
(i.e., ffx1::/16)
|
|
* - ``mtu_value_is_too_small``
|
|
- ``exception``
|
|
- Traps packets that should have been routed by the device, but were bigger
|
|
than the MTU of the egress interface
|
|
* - ``unresolved_neigh``
|
|
- ``exception``
|
|
- Traps packets that did not have a matching IP neighbour after routing
|
|
* - ``mc_reverse_path_forwarding``
|
|
- ``exception``
|
|
- Traps multicast IP packets that failed reverse-path forwarding (RPF)
|
|
check during multicast routing
|
|
* - ``reject_route``
|
|
- ``exception``
|
|
- Traps packets that hit reject routes (i.e., "unreachable", "prohibit")
|
|
* - ``ipv4_lpm_miss``
|
|
- ``exception``
|
|
- Traps unicast IPv4 packets that did not match any route
|
|
* - ``ipv6_lpm_miss``
|
|
- ``exception``
|
|
- Traps unicast IPv6 packets that did not match any route
|
|
* - ``non_routable_packet``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop because they are not
|
|
supposed to be routed. For example, IGMP queries can be flooded by the
|
|
device in layer 2 and reach the router. Such packets should not be
|
|
routed and instead dropped
|
|
* - ``decap_error``
|
|
- ``exception``
|
|
- Traps NVE and IPinIP packets that the device decided to drop because of
|
|
failure during decapsulation (e.g., packet being too short, reserved
|
|
bits set in VXLAN header)
|
|
* - ``overlay_smac_is_mc``
|
|
- ``drop``
|
|
- Traps NVE packets that the device decided to drop because their overlay
|
|
source MAC is multicast
|
|
* - ``ingress_flow_action_drop``
|
|
- ``drop``
|
|
- Traps packets dropped during processing of ingress flow action drop
|
|
* - ``egress_flow_action_drop``
|
|
- ``drop``
|
|
- Traps packets dropped during processing of egress flow action drop
|
|
* - ``stp``
|
|
- ``control``
|
|
- Traps STP packets
|
|
* - ``lacp``
|
|
- ``control``
|
|
- Traps LACP packets
|
|
* - ``lldp``
|
|
- ``control``
|
|
- Traps LLDP packets
|
|
* - ``igmp_query``
|
|
- ``control``
|
|
- Traps IGMP Membership Query packets
|
|
* - ``igmp_v1_report``
|
|
- ``control``
|
|
- Traps IGMP Version 1 Membership Report packets
|
|
* - ``igmp_v2_report``
|
|
- ``control``
|
|
- Traps IGMP Version 2 Membership Report packets
|
|
* - ``igmp_v3_report``
|
|
- ``control``
|
|
- Traps IGMP Version 3 Membership Report packets
|
|
* - ``igmp_v2_leave``
|
|
- ``control``
|
|
- Traps IGMP Version 2 Leave Group packets
|
|
* - ``mld_query``
|
|
- ``control``
|
|
- Traps MLD Multicast Listener Query packets
|
|
* - ``mld_v1_report``
|
|
- ``control``
|
|
- Traps MLD Version 1 Multicast Listener Report packets
|
|
* - ``mld_v2_report``
|
|
- ``control``
|
|
- Traps MLD Version 2 Multicast Listener Report packets
|
|
* - ``mld_v1_done``
|
|
- ``control``
|
|
- Traps MLD Version 1 Multicast Listener Done packets
|
|
* - ``ipv4_dhcp``
|
|
- ``control``
|
|
- Traps IPv4 DHCP packets
|
|
* - ``ipv6_dhcp``
|
|
- ``control``
|
|
- Traps IPv6 DHCP packets
|
|
* - ``arp_request``
|
|
- ``control``
|
|
- Traps ARP request packets
|
|
* - ``arp_response``
|
|
- ``control``
|
|
- Traps ARP response packets
|
|
* - ``arp_overlay``
|
|
- ``control``
|
|
- Traps NVE-decapsulated ARP packets that reached the overlay network.
|
|
This is required, for example, when the address that needs to be
|
|
resolved is a local address
|
|
* - ``ipv6_neigh_solicit``
|
|
- ``control``
|
|
- Traps IPv6 Neighbour Solicitation packets
|
|
* - ``ipv6_neigh_advert``
|
|
- ``control``
|
|
- Traps IPv6 Neighbour Advertisement packets
|
|
* - ``ipv4_bfd``
|
|
- ``control``
|
|
- Traps IPv4 BFD packets
|
|
* - ``ipv6_bfd``
|
|
- ``control``
|
|
- Traps IPv6 BFD packets
|
|
* - ``ipv4_ospf``
|
|
- ``control``
|
|
- Traps IPv4 OSPF packets
|
|
* - ``ipv6_ospf``
|
|
- ``control``
|
|
- Traps IPv6 OSPF packets
|
|
* - ``ipv4_bgp``
|
|
- ``control``
|
|
- Traps IPv4 BGP packets
|
|
* - ``ipv6_bgp``
|
|
- ``control``
|
|
- Traps IPv6 BGP packets
|
|
* - ``ipv4_vrrp``
|
|
- ``control``
|
|
- Traps IPv4 VRRP packets
|
|
* - ``ipv6_vrrp``
|
|
- ``control``
|
|
- Traps IPv6 VRRP packets
|
|
* - ``ipv4_pim``
|
|
- ``control``
|
|
- Traps IPv4 PIM packets
|
|
* - ``ipv6_pim``
|
|
- ``control``
|
|
- Traps IPv6 PIM packets
|
|
* - ``uc_loopback``
|
|
- ``control``
|
|
- Traps unicast packets that need to be routed through the same layer 3
|
|
interface from which they were received. Such packets are routed by the
|
|
kernel, but also cause it to potentially generate ICMP redirect packets
|
|
* - ``local_route``
|
|
- ``control``
|
|
- Traps unicast packets that hit a local route and need to be locally
|
|
delivered
|
|
* - ``external_route``
|
|
- ``control``
|
|
- Traps packets that should be routed through an external interface (e.g.,
|
|
management interface) that does not belong to the same device (e.g.,
|
|
switch ASIC) as the ingress interface
|
|
* - ``ipv6_uc_dip_link_local_scope``
|
|
- ``control``
|
|
- Traps unicast IPv6 packets that need to be routed and have a destination
|
|
IP address with a link-local scope (i.e., fe80::/10). The trap allows
|
|
device drivers to avoid programming link-local routes, but still receive
|
|
packets for local delivery
|
|
* - ``ipv6_dip_all_nodes``
|
|
- ``control``
|
|
- Traps IPv6 packets that their destination IP address is the "All Nodes
|
|
Address" (i.e., ff02::1)
|
|
* - ``ipv6_dip_all_routers``
|
|
- ``control``
|
|
- Traps IPv6 packets that their destination IP address is the "All Routers
|
|
Address" (i.e., ff02::2)
|
|
* - ``ipv6_router_solicit``
|
|
- ``control``
|
|
- Traps IPv6 Router Solicitation packets
|
|
* - ``ipv6_router_advert``
|
|
- ``control``
|
|
- Traps IPv6 Router Advertisement packets
|
|
* - ``ipv6_redirect``
|
|
- ``control``
|
|
- Traps IPv6 Redirect Message packets
|
|
* - ``ipv4_router_alert``
|
|
- ``control``
|
|
- Traps IPv4 packets that need to be routed and include the Router Alert
|
|
option. Such packets need to be locally delivered to raw sockets that
|
|
have the IP_ROUTER_ALERT socket option set
|
|
* - ``ipv6_router_alert``
|
|
- ``control``
|
|
- Traps IPv6 packets that need to be routed and include the Router Alert
|
|
option in their Hop-by-Hop extension header. Such packets need to be
|
|
locally delivered to raw sockets that have the IPV6_ROUTER_ALERT socket
|
|
option set
|
|
* - ``ptp_event``
|
|
- ``control``
|
|
- Traps PTP time-critical event messages (Sync, Delay_req, Pdelay_Req and
|
|
Pdelay_Resp)
|
|
* - ``ptp_general``
|
|
- ``control``
|
|
- Traps PTP general messages (Announce, Follow_Up, Delay_Resp,
|
|
Pdelay_Resp_Follow_Up, management and signaling)
|
|
* - ``flow_action_sample``
|
|
- ``control``
|
|
- Traps packets sampled during processing of flow action sample (e.g., via
|
|
tc's sample action)
|
|
* - ``flow_action_trap``
|
|
- ``control``
|
|
- Traps packets logged during processing of flow action trap (e.g., via
|
|
tc's trap action)
|
|
* - ``early_drop``
|
|
- ``drop``
|
|
- Traps packets dropped due to the RED (Random Early Detection) algorithm
|
|
(i.e., early drops)
|
|
* - ``vxlan_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the VXLAN header parsing which
|
|
might be because of packet truncation or the I flag is not set.
|
|
* - ``llc_snap_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the LLC+SNAP header parsing
|
|
* - ``vlan_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the VLAN header parsing. Could
|
|
include unexpected packet truncation.
|
|
* - ``pppoe_ppp_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the PPPoE+PPP header parsing.
|
|
This could include finding a session ID of 0xFFFF (which is reserved and
|
|
not for use), a PPPoE length which is larger than the frame received or
|
|
any common error on this type of header
|
|
* - ``mpls_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the MPLS header parsing which
|
|
could include unexpected header truncation
|
|
* - ``arp_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the ARP header parsing
|
|
* - ``ip_1_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the first IP header parsing.
|
|
This packet trap could include packets which do not pass an IP checksum
|
|
check, a header length check (a minimum of 20 bytes), which might suffer
|
|
from packet truncation thus the total length field exceeds the received
|
|
packet length etc
|
|
* - ``ip_n_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the parsing of the last IP
|
|
header (the inner one in case of an IP over IP tunnel). The same common
|
|
error checking is performed here as for the ip_1_parsing trap
|
|
* - ``gre_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the GRE header parsing
|
|
* - ``udp_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the UDP header parsing.
|
|
This packet trap could include checksum errorrs, an improper UDP
|
|
length detected (smaller than 8 bytes) or detection of header
|
|
truncation.
|
|
* - ``tcp_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the TCP header parsing.
|
|
This could include TCP checksum errors, improper combination of SYN, FIN
|
|
and/or RESET etc.
|
|
* - ``ipsec_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the IPSEC header parsing
|
|
* - ``sctp_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the SCTP header parsing.
|
|
This would mean that port number 0 was used or that the header is
|
|
truncated.
|
|
* - ``dccp_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the DCCP header parsing
|
|
* - ``gtp_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the GTP header parsing
|
|
* - ``esp_parsing``
|
|
- ``drop``
|
|
- Traps packets dropped due to an error in the ESP header parsing
|
|
* - ``blackhole_nexthop``
|
|
- ``drop``
|
|
- Traps packets that the device decided to drop in case they hit a
|
|
blackhole nexthop
|
|
* - ``dmac_filter``
|
|
- ``drop``
|
|
- Traps incoming packets that the device decided to drop because
|
|
the destination MAC is not configured in the MAC table and
|
|
the interface is not in promiscuous mode
|
|
|
|
Driver-specific Packet Traps
|
|
============================
|
|
|
|
Device drivers can register driver-specific packet traps, but these must be
|
|
clearly documented. Such traps can correspond to device-specific exceptions and
|
|
help debug packet drops caused by these exceptions. The following list includes
|
|
links to the description of driver-specific traps registered by various device
|
|
drivers:
|
|
|
|
* Documentation/networking/devlink/netdevsim.rst
|
|
* Documentation/networking/devlink/mlxsw.rst
|
|
* Documentation/networking/devlink/prestera.rst
|
|
|
|
.. _Generic-Packet-Trap-Groups:
|
|
|
|
Generic Packet Trap Groups
|
|
==========================
|
|
|
|
Generic packet trap groups are used to aggregate logically related packet
|
|
traps. These groups allow the user to batch operations such as setting the trap
|
|
action of all member traps. In addition, ``devlink-trap`` can report aggregated
|
|
per-group packets and bytes statistics, in case per-trap statistics are too
|
|
narrow. The description of these groups must be added to the following table:
|
|
|
|
.. list-table:: List of Generic Packet Trap Groups
|
|
:widths: 10 90
|
|
|
|
* - Name
|
|
- Description
|
|
* - ``l2_drops``
|
|
- Contains packet traps for packets that were dropped by the device during
|
|
layer 2 forwarding (i.e., bridge)
|
|
* - ``l3_drops``
|
|
- Contains packet traps for packets that were dropped by the device during
|
|
layer 3 forwarding
|
|
* - ``l3_exceptions``
|
|
- Contains packet traps for packets that hit an exception (e.g., TTL
|
|
error) during layer 3 forwarding
|
|
* - ``buffer_drops``
|
|
- Contains packet traps for packets that were dropped by the device due to
|
|
an enqueue decision
|
|
* - ``tunnel_drops``
|
|
- Contains packet traps for packets that were dropped by the device during
|
|
tunnel encapsulation / decapsulation
|
|
* - ``acl_drops``
|
|
- Contains packet traps for packets that were dropped by the device during
|
|
ACL processing
|
|
* - ``stp``
|
|
- Contains packet traps for STP packets
|
|
* - ``lacp``
|
|
- Contains packet traps for LACP packets
|
|
* - ``lldp``
|
|
- Contains packet traps for LLDP packets
|
|
* - ``mc_snooping``
|
|
- Contains packet traps for IGMP and MLD packets required for multicast
|
|
snooping
|
|
* - ``dhcp``
|
|
- Contains packet traps for DHCP packets
|
|
* - ``neigh_discovery``
|
|
- Contains packet traps for neighbour discovery packets (e.g., ARP, IPv6
|
|
ND)
|
|
* - ``bfd``
|
|
- Contains packet traps for BFD packets
|
|
* - ``ospf``
|
|
- Contains packet traps for OSPF packets
|
|
* - ``bgp``
|
|
- Contains packet traps for BGP packets
|
|
* - ``vrrp``
|
|
- Contains packet traps for VRRP packets
|
|
* - ``pim``
|
|
- Contains packet traps for PIM packets
|
|
* - ``uc_loopback``
|
|
- Contains a packet trap for unicast loopback packets (i.e.,
|
|
``uc_loopback``). This trap is singled-out because in cases such as
|
|
one-armed router it will be constantly triggered. To limit the impact on
|
|
the CPU usage, a packet trap policer with a low rate can be bound to the
|
|
group without affecting other traps
|
|
* - ``local_delivery``
|
|
- Contains packet traps for packets that should be locally delivered after
|
|
routing, but do not match more specific packet traps (e.g.,
|
|
``ipv4_bgp``)
|
|
* - ``external_delivery``
|
|
- Contains packet traps for packets that should be routed through an
|
|
external interface (e.g., management interface) that does not belong to
|
|
the same device (e.g., switch ASIC) as the ingress interface
|
|
* - ``ipv6``
|
|
- Contains packet traps for various IPv6 control packets (e.g., Router
|
|
Advertisements)
|
|
* - ``ptp_event``
|
|
- Contains packet traps for PTP time-critical event messages (Sync,
|
|
Delay_req, Pdelay_Req and Pdelay_Resp)
|
|
* - ``ptp_general``
|
|
- Contains packet traps for PTP general messages (Announce, Follow_Up,
|
|
Delay_Resp, Pdelay_Resp_Follow_Up, management and signaling)
|
|
* - ``acl_sample``
|
|
- Contains packet traps for packets that were sampled by the device during
|
|
ACL processing
|
|
* - ``acl_trap``
|
|
- Contains packet traps for packets that were trapped (logged) by the
|
|
device during ACL processing
|
|
* - ``parser_error_drops``
|
|
- Contains packet traps for packets that were marked by the device during
|
|
parsing as erroneous
|
|
|
|
Packet Trap Policers
|
|
====================
|
|
|
|
As previously explained, the underlying device can trap certain packets to the
|
|
CPU for processing. In most cases, the underlying device is capable of handling
|
|
packet rates that are several orders of magnitude higher compared to those that
|
|
can be handled by the CPU.
|
|
|
|
Therefore, in order to prevent the underlying device from overwhelming the CPU,
|
|
devices usually include packet trap policers that are able to police the
|
|
trapped packets to rates that can be handled by the CPU.
|
|
|
|
The ``devlink-trap`` mechanism allows capable device drivers to register their
|
|
supported packet trap policers with ``devlink``. The device driver can choose
|
|
to associate these policers with supported packet trap groups (see
|
|
:ref:`Generic-Packet-Trap-Groups`) during its initialization, thereby exposing
|
|
its default control plane policy to user space.
|
|
|
|
Device drivers should allow user space to change the parameters of the policers
|
|
(e.g., rate, burst size) as well as the association between the policers and
|
|
trap groups by implementing the relevant callbacks.
|
|
|
|
If possible, device drivers should implement a callback that allows user space
|
|
to retrieve the number of packets that were dropped by the policer because its
|
|
configured policy was violated.
|
|
|
|
Testing
|
|
=======
|
|
|
|
See ``tools/testing/selftests/drivers/net/netdevsim/devlink_trap.sh`` for a
|
|
test covering the core infrastructure. Test cases should be added for any new
|
|
functionality.
|
|
|
|
Device drivers should focus their tests on device-specific functionality, such
|
|
as the triggering of supported packet traps.
|