[patch mlxsw.wiki] ACLs: extend chains section for explicit creation and deletion and add templates section

Jiri Pirko jiri at resnulli.us
Tue Jul 24 22:03:26 AEST 2018 

From: Jiri Pirko <jiri at mellanox.com>

Signed-off-by: Jiri Pirko <jiri at mellanox.com>
---
 ACLs.md | 81 ++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 78 insertions(+), 3 deletions(-)

diff --git a/ACLs.md b/ACLs.md
index 794d29cecdc6..8cd274d004ca 100644
--- a/ACLs.md
+++ b/ACLs.md
@@ -6,9 +6,10 @@
     4. [Pass Action Example Usage](#pass-action-example-usage)
     5. [Trap Action Example Usage](#trap-action-example-usage)
     6. [Multi-table/Multi-chain Support](#multi-tablemulti-chain-support)
-    7. [Mirred Action Example Usage](#mirred-action-example-usage)
-    8. [Shared Blocks Support](#shared-blocks-support)
-    9. [More Examples](#more-examples)
+    7. [Chain Templates Support](#chain-templates-support)
+    8. [Mirred Action Example Usage](#mirred-action-example-usage)
+    9. [Shared Blocks Support](#shared-blocks-support)
+   10. [More Examples](#more-examples)
 2. [Further Resources](#further-resources)
 
 TC Flower
@@ -151,6 +152,80 @@ to use the action `goto chain`:
 $ tc filter add dev enp3s0np1 parent ffff: protocol ip pref 10 flower skip_sw dst_ip 192.168.101.1 action goto chain 100
 ```
 
+If chain does not exist before the filter addition, it is implicitly created.
+Also, after the last filter is removed, implicitly created chain is destroyed.
+However, if user wants, he can explicitly create or destroy chain.
+
+To create `chain 11`, one has to run following command:
+
+```
+$ tc chain add dev enp3s0np1 ingress chain 11
+```
+
+If you list the existing commands now, you will see newly created `chain 11` in the output:
+
+```
+$ tc chain show dev enp3s0np1 ingress
+chain parent ffff: chain 11
+```
+
+And you can destroy the chain by running following command:
+
+```
+$ tc chain del dev enp3s0np1 ingress chain 11
+```
+
+Note that this will delete both implicitly and explicitly created chains along
+with any possible existing filters.
+
+#### Chain Templates Support
+
+For filter insertions to chains, the driver needs to hold a magic ball.
+With the first inserted rule into HW it needs to guess all the fields that
+are going to be used for the matching. If later on this guess proves
+to be wrong and user adds a filter with a different field to match,
+there's a problem. `mlxsw' resolves it now with couple of predefined
+patterns. Those try to cover as many match fields as possible.
+This approach is far from optimal, both performance-wise and
+scale-wise. Also, there are combinations of filters that in
+certain order won't succeed to be inserted.
+
+Most of the time, when user inserts filters in chain, he knows
+how the filters are going to look like in advance - what type and
+option will they have. For example, he knows that he will only
+insert filters of type flower matching destination IP address.
+He can specify a template that would cover all the filters he is
+going to insert in the chain.
+
+The template is passed along during the chain creation like this:
+
+```
+$ tc chain add dev enp3s0np1 ingress proto ip chain 11 flower dst_ip 0.0.0.0/16
+```
+
+The template is then shown in an output of chain list:
+
+```
+$ tc chain show dev enp3s0np1 ingress
+chain parent ffff: flower chain 11
+  eth_type ipv4
+  dst_ip 0.0.0.0/16
+```
+
+Addition of a filter that fits the template will be successful:
+
+```
+$ tc filter add dev enp3s0np1 ingress proto ip chain 11 flower dst_ip 10.0.0.1/8 action drop
+```
+
+Addition of filters that does not fit the template would fail:
+
+```
+$ tc filter add dev enp3s0np1 ingress proto ip chain 11 flower dst_ip 10.0.0.1/24 action drop
+Error: cls_flower: Mask does not fit the template.
+We have an error talking to the kernel, -1
+```
+
 #### Mirred Action Example Usage
 
 ```
-- 
2.17.0

More information about the Linux-mlxsw mailing list