Devlink Trap¶
Background¶
Devices capable of offloading the kernel's datapath and perform functions such as bridging and routing must also be able to send specific packets to the kernel (i.e., the CPU) for processing.
For example, a device acting as a multicast-aware bridge must be able to send IGMP membership reports to the kernel for processing by the bridge module. Without processing such packets, the bridge module could never populate its MDB.
As another example, consider a device acting as router which has received an IP
packet with a TTL of 1. Upon routing the packet the device must send it to the
kernel so that it will route it as well and generate an ICMP Time Exceeded
error datagram. Without letting the kernel route such packets itself, utilities
such as traceroute
could never work.
The fundamental ability of sending certain packets to the kernel for processing is called "packet trapping".
Overview¶
The devlink-trap
mechanism allows capable device drivers to register their
supported packet traps with devlink
and report trapped packets to
devlink
for further analysis.
Upon receiving trapped packets, devlink
will perform a per-trap packets and
bytes accounting and potentially report the packet to user space via a netlink
event along with all the provided metadata (e.g., trap reason, timestamp, input
port). This is especially useful for drop traps (see Trap Types)
as it allows users to obtain further visibility into packet drops that would
otherwise be invisible.
The following diagram provides a general overview of devlink-trap
:
Netlink event: Packet w/ metadata
Or a summary of recent drops
^
|
Userspace |
+---------------------------------------------------+
Kernel |
|
+-------+--------+
| |
| drop_monitor |
| |
+-------^--------+
|
| Non-control traps
|
+----+----+
| | Kernel's Rx path
| devlink | (non-drop traps)
| |
+----^----+ ^
| |
+-----------+
|
+-------+-------+
| |
| Device driver |
| |
+-------^-------+
Kernel |
+---------------------------------------------------+
Hardware |
| Trapped packet
|
+--+---+
| |
| ASIC |
| |
+------+
Trap Types¶
The devlink-trap
mechanism supports the following packet trap types:
drop
: Trapped packets were dropped by the underlying device. Packets are only processed bydevlink
and not injected to the kernel's Rx path. The trap action (see Trap Actions) can be changed.
exception
: Trapped packets were not forwarded as intended by the underlying device due to an exception (e.g., TTL error, missing neighbour entry) and trapped to the control plane for resolution. Packets are processed bydevlink
and injected to the kernel's Rx path. Changing the action of such traps is not allowed, as it can easily break the control plane.
control
: Trapped packets were trapped by the device because these are control packets required for the correct functioning of the control plane. For example, ARP request and IGMP query packets. Packets are injected to the kernel's Rx path, but not reported to the kernel's drop monitor. Changing the action of such traps is not allowed, as it can easily break the control plane.
Trap Actions¶
The devlink-trap
mechanism supports the following packet trap actions:
trap
: The sole copy of the packet is sent to the CPU.
drop
: The packet is dropped by the underlying device and a copy is not sent to the CPU.
mirror
: The packet is forwarded by the underlying device and a copy is sent to the CPU.
Generic Packet Traps¶
Generic packet traps are used to describe traps that trap well-defined packets or packets that are trapped due to well-defined conditions (e.g., TTL error). Such traps can be shared by multiple device drivers and their description must be added to the following table:
Name |
Type |
Description |
|
|
Traps incoming packets that the device decided to drop because of a multicast source MAC |
|
|
Traps incoming packets that the device decided to drop in case of VLAN tag mismatch: The ingress bridge port is not configured with a PVID and the packet is untagged or prio-tagged |
|
|
Traps incoming packets that the device decided to drop in case they are tagged with a VLAN that is not configured on the ingress bridge port |
|
|
Traps incoming packets that the device decided to drop in case the STP state of the ingress bridge port is not "forwarding" |
|
|
Traps packets that the device decided to drop in case they need to be flooded (e.g., unknown unicast, unregistered multicast) and there are no ports the packets should be flooded to |
|
|
Traps packets that the device decided to drop in case after layer 2 forwarding the only port from which they should be transmitted through is the port from which they were received |
|
|
Traps packets that the device decided to drop in case they hit a blackhole route |
|
|
Traps unicast packets that should be forwarded by the device whose TTL was decremented to 0 or less |
|
|
Traps packets that the device decided to drop because they could not be enqueued to a transmission queue which is full |
|
|
Traps packets that the device decided to drop because they need to undergo a layer 3 lookup, but are not IP or MPLS packets |
|
|
Traps packets that the device decided to drop because they need to be routed and they have a unicast destination IP and a multicast destination MAC |
|
|
Traps packets that the device decided to drop because they need to be routed and their destination IP is the loopback address (i.e., 127.0.0.0/8 and ::1/128) |
|
|
Traps packets that the device decided to drop because they need to be routed and their source IP is multicast (i.e., 224.0.0.0/8 and ff::/8) |
|
|
Traps packets that the device decided to drop because they need to be routed and their source IP is the loopback address (i.e., 127.0.0.0/8 and ::1/128) |
|
|
Traps packets that the device decided to drop because they need to be routed and their IP header is corrupted: wrong checksum, wrong IP version or too short Internet Header Length (IHL) |
|
|
Traps packets that the device decided to drop because they need to be routed and their source IP is limited broadcast (i.e., 255.255.255.255/32) |
|
|
Traps IPv6 packets that the device decided to drop because they need to be routed and their IPv6 multicast destination IP has a reserved scope (i.e., ffx0::/16) |
|
|
Traps IPv6 packets that the device decided to drop because they need to be routed and their IPv6 multicast destination IP has an interface-local scope (i.e., ffx1::/16) |
|
|
Traps packets that should have been routed by the device, but were bigger than the MTU of the egress interface |
|
|
Traps packets that did not have a matching IP neighbour after routing |
|
|
Traps multicast IP packets that failed reverse-path forwarding (RPF) check during multicast routing |
|
|
Traps packets that hit reject routes (i.e., "unreachable", "prohibit") |
|
|
Traps unicast IPv4 packets that did not match any route |
|
|
Traps unicast IPv6 packets that did not match any route |
|
|
Traps packets that the device decided to drop because they are not supposed to be routed. For example, IGMP queries can be flooded by the device in layer 2 and reach the router. Such packets should not be routed and instead dropped |
|
|
Traps NVE and IPinIP packets that the device decided to drop because of failure during decapsulation (e.g., packet being too short, reserved bits set in VXLAN header) |
|
|
Traps NVE packets that the device decided to drop because their overlay source MAC is multicast |
|
|
Traps packets dropped during processing of ingress flow action drop |
|
|
Traps packets dropped during processing of egress flow action drop |
|
|
Traps STP packets |
|
|
Traps LACP packets |
|
|
Traps LLDP packets |
|
|
Traps IGMP Membership Query packets |
|
|
Traps IGMP Version 1 Membership Report packets |
|
|
Traps IGMP Version 2 Membership Report packets |
|
|
Traps IGMP Version 3 Membership Report packets |
|
|
Traps IGMP Version 2 Leave Group packets |
|
|
Traps MLD Multicast Listener Query packets |
|
|
Traps MLD Version 1 Multicast Listener Report packets |
|
|
Traps MLD Version 2 Multicast Listener Report packets |
|
|
Traps MLD Version 1 Multicast Listener Done packets |
|
|
Traps IPv4 DHCP packets |
|
|
Traps IPv6 DHCP packets |
|
|
Traps ARP request packets |
|
|
Traps ARP response packets |
|
|
Traps NVE-decapsulated ARP packets that reached the overlay network. This is required, for example, when the address that needs to be resolved is a local address |
|
|
Traps IPv6 Neighbour Solicitation packets |
|
|
Traps IPv6 Neighbour Advertisement packets |
|
|
Traps IPv4 BFD packets |
|
|
Traps IPv6 BFD packets |
|
|
Traps IPv4 OSPF packets |
|
|
Traps IPv6 OSPF packets |
|
|
Traps IPv4 BGP packets |
|
|
Traps IPv6 BGP packets |
|
|
Traps IPv4 VRRP packets |
|
|
Traps IPv6 VRRP packets |
|
|
Traps IPv4 PIM packets |
|
|
Traps IPv6 PIM packets |
|
|
Traps unicast packets that need to be routed through the same layer 3 interface from which they were received. Such packets are routed by the kernel, but also cause it to potentially generate ICMP redirect packets |
|
|
Traps unicast packets that hit a local route and need to be locally delivered |
|
|
Traps packets that should be routed through an external interface (e.g., management interface) that does not belong to the same device (e.g., switch ASIC) as the ingress interface |
|
|
Traps unicast IPv6 packets that need to be routed and have a destination IP address with a link-local scope (i.e., fe80::/10). The trap allows device drivers to avoid programming link-local routes, but still receive packets for local delivery |
|
|
Traps IPv6 packets that their destination IP address is the "All Nodes Address" (i.e., ff02::1) |
|
|
Traps IPv6 packets that their destination IP address is the "All Routers Address" (i.e., ff02::2) |
|
|
Traps IPv6 Router Solicitation packets |
|
|
Traps IPv6 Router Advertisement packets |
|
|
Traps IPv6 Redirect Message packets |
|
|
Traps IPv4 packets that need to be routed and include the Router Alert option. Such packets need to be locally delivered to raw sockets that have the IP_ROUTER_ALERT socket option set |
|
|
Traps IPv6 packets that need to be routed and include the Router Alert option in their Hop-by-Hop extension header. Such packets need to be locally delivered to raw sockets that have the IPV6_ROUTER_ALERT socket option set |
|
|
Traps PTP time-critical event messages (Sync, Delay_req, Pdelay_Req and Pdelay_Resp) |
|
|
Traps PTP general messages (Announce, Follow_Up, Delay_Resp, Pdelay_Resp_Follow_Up, management and signaling) |
|
|
Traps packets sampled during processing of flow action sample (e.g., via tc's sample action) |
|
|
Traps packets logged during processing of flow action trap (e.g., via tc's trap action) |
|
|
Traps packets dropped due to the RED (Random Early Detection) algorithm (i.e., early drops) |
|
|
Traps packets dropped due to an error in the VXLAN header parsing which might be because of packet truncation or the I flag is not set. |
|
|
Traps packets dropped due to an error in the LLC+SNAP header parsing |
|
|
Traps packets dropped due to an error in the VLAN header parsing. Could include unexpected packet truncation. |
|
|
Traps packets dropped due to an error in the PPPoE+PPP header parsing. This could include finding a session ID of 0xFFFF (which is reserved and not for use), a PPPoE length which is larger than the frame received or any common error on this type of header |
|
|
Traps packets dropped due to an error in the MPLS header parsing which could include unexpected header truncation |
|
|
Traps packets dropped due to an error in the ARP header parsing |
|
|
Traps packets dropped due to an error in the first IP header parsing. This packet trap could include packets which do not pass an IP checksum check, a header length check (a minimum of 20 bytes), which might suffer from packet truncation thus the total length field exceeds the received packet length etc |
|
|
Traps packets dropped due to an error in the parsing of the last IP header (the inner one in case of an IP over IP tunnel). The same common error checking is performed here as for the ip_1_parsing trap |
|
|
Traps packets dropped due to an error in the GRE header parsing |
|
|
Traps packets dropped due to an error in the UDP header parsing. This packet trap could include checksum errorrs, an improper UDP length detected (smaller than 8 bytes) or detection of header truncation. |
|
|
Traps packets dropped due to an error in the TCP header parsing. This could include TCP checksum errors, improper combination of SYN, FIN and/or RESET etc. |
|
|
Traps packets dropped due to an error in the IPSEC header parsing |
|
|
Traps packets dropped due to an error in the SCTP header parsing. This would mean that port number 0 was used or that the header is truncated. |
|
|
Traps packets dropped due to an error in the DCCP header parsing |
|
|
Traps packets dropped due to an error in the GTP header parsing |
|
|
Traps packets dropped due to an error in the ESP header parsing |
|
|
Traps packets that the device decided to drop in case they hit a blackhole nexthop |
|
|
Traps incoming packets that the device decided to drop because the destination MAC is not configured in the MAC table and the interface is not in promiscuous mode |
|
|
Traps "Extensible Authentication Protocol over LAN" (EAPOL) packets specified in IEEE 802.1X |
|
|
Traps packets that the device decided to drop because they failed the locked bridge port check. That is, packets that were received via a locked port and whose {SMAC, VID} does not correspond to an FDB entry pointing to the port |
Driver-specific Packet Traps¶
Device drivers can register driver-specific packet traps, but these must be clearly documented. Such traps can correspond to device-specific exceptions and help debug packet drops caused by these exceptions. The following list includes links to the description of driver-specific traps registered by various device drivers:
Generic Packet Trap Groups¶
Generic packet trap groups are used to aggregate logically related packet
traps. These groups allow the user to batch operations such as setting the trap
action of all member traps. In addition, devlink-trap
can report aggregated
per-group packets and bytes statistics, in case per-trap statistics are too
narrow. The description of these groups must be added to the following table:
Name |
Description |
|
Contains packet traps for packets that were dropped by the device during layer 2 forwarding (i.e., bridge) |
|
Contains packet traps for packets that were dropped by the device during layer 3 forwarding |
|
Contains packet traps for packets that hit an exception (e.g., TTL error) during layer 3 forwarding |
|
Contains packet traps for packets that were dropped by the device due to an enqueue decision |
|
Contains packet traps for packets that were dropped by the device during tunnel encapsulation / decapsulation |
|
Contains packet traps for packets that were dropped by the device during ACL processing |
|
Contains packet traps for STP packets |
|
Contains packet traps for LACP packets |
|
Contains packet traps for LLDP packets |
|
Contains packet traps for IGMP and MLD packets required for multicast snooping |
|
Contains packet traps for DHCP packets |
|
Contains packet traps for neighbour discovery packets (e.g., ARP, IPv6 ND) |
|
Contains packet traps for BFD packets |
|
Contains packet traps for OSPF packets |
|
Contains packet traps for BGP packets |
|
Contains packet traps for VRRP packets |
|
Contains packet traps for PIM packets |
|
Contains a packet trap for unicast loopback packets (i.e.,
|
|
Contains packet traps for packets that should be locally delivered after
routing, but do not match more specific packet traps (e.g.,
|
|
Contains packet traps for packets that should be routed through an external interface (e.g., management interface) that does not belong to the same device (e.g., switch ASIC) as the ingress interface |
|
Contains packet traps for various IPv6 control packets (e.g., Router Advertisements) |
|
Contains packet traps for PTP time-critical event messages (Sync, Delay_req, Pdelay_Req and Pdelay_Resp) |
|
Contains packet traps for PTP general messages (Announce, Follow_Up, Delay_Resp, Pdelay_Resp_Follow_Up, management and signaling) |
|
Contains packet traps for packets that were sampled by the device during ACL processing |
|
Contains packet traps for packets that were trapped (logged) by the device during ACL processing |
|
Contains packet traps for packets that were marked by the device during parsing as erroneous |
|
Contains packet traps for "Extensible Authentication Protocol over LAN" (EAPOL) packets specified in IEEE 802.1X |
Packet Trap Policers¶
As previously explained, the underlying device can trap certain packets to the CPU for processing. In most cases, the underlying device is capable of handling packet rates that are several orders of magnitude higher compared to those that can be handled by the CPU.
Therefore, in order to prevent the underlying device from overwhelming the CPU, devices usually include packet trap policers that are able to police the trapped packets to rates that can be handled by the CPU.
The devlink-trap
mechanism allows capable device drivers to register their
supported packet trap policers with devlink
. The device driver can choose
to associate these policers with supported packet trap groups (see
Generic Packet Trap Groups) during its initialization, thereby exposing
its default control plane policy to user space.
Device drivers should allow user space to change the parameters of the policers (e.g., rate, burst size) as well as the association between the policers and trap groups by implementing the relevant callbacks.
If possible, device drivers should implement a callback that allows user space to retrieve the number of packets that were dropped by the policer because its configured policy was violated.
Testing¶
See tools/testing/selftests/drivers/net/netdevsim/devlink_trap.sh
for a
test covering the core infrastructure. Test cases should be added for any new
functionality.
Device drivers should focus their tests on device-specific functionality, such as the triggering of supported packet traps.