* [PATCH net-next] net/mlx5e: Allow dropping specific tunnel packets
@ 2019-08-01  8:40 xiangxia.m.yue
  2019-08-01 11:40 ` Roi Dayan
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: xiangxia.m.yue @ 2019-08-01  8:40 UTC (permalink / raw)
  To: roid, saeedm; +Cc: netdev, Tonghao Zhang

From: Tonghao Zhang <xiangxia.m.yue@gmail.com>

In some cases, we don't want to allow specific tunnel packets
to reach the host, which avoids taking up high CPU (e.g. network attacks).
But other tunnel packets which are not matched in hardware will be
sent to the host too.

    $ tc filter add dev vxlan_sys_4789 \
	    protocol ip chain 0 parent ffff: prio 1 handle 1 \
	    flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \
	    enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \
	    action tunnel_key unset pipe action drop

Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
index f3ed028..25d423e 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -2485,7 +2485,8 @@ static bool actions_match_supported(struct mlx5e_priv *priv,
 
 	if (flow_flag_test(flow, EGRESS) &&
 	    !((actions & MLX5_FLOW_CONTEXT_ACTION_DECAP) ||
-	      (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP)))
+	      (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP) ||
+	      (actions & MLX5_FLOW_CONTEXT_ACTION_DROP)))
 		return false;
 
 	if (actions & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR)
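Review bot: the added `MLX5_FLOW_CONTEXT_ACTION_DROP` term in the egress test of actions_match_supported() lets any egress flow with a drop action pass this check, not only tunnel flows, while the commit message speaks only of tunnel packets. If the wider scope is intended, say so in the commit message. It would also help to state which rule was rejected before this change: the example rule includes `tunnel_key unset`, and the check already accepted `MLX5_FLOW_CONTEXT_ACTION_DECAP`, so the message does not show why the old condition failed.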
-- 
1.8.3.1



* Re: [PATCH net-next] net/mlx5e: Allow dropping specific tunnel packets
  2019-08-01  8:40 [PATCH net-next] net/mlx5e: Allow dropping specific tunnel packets xiangxia.m.yue
@ 2019-08-01 11:40 ` Roi Dayan
  2019-08-01 16:48 ` David Miller
  2019-08-01 19:14 ` Saeed Mahameed
  2 siblings, 0 replies; 4+ messages in thread
From: Roi Dayan @ 2019-08-01 11:40 UTC (permalink / raw)
  To: xiangxia.m.yue, Saeed Mahameed; +Cc: netdev



On 2019-08-01 11:40 AM, xiangxia.m.yue@gmail.com wrote:
> From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
> 
> In some cases, we don't want to allow specific tunnel packets
> to reach the host, which avoids taking up high CPU (e.g. network attacks).
> But other tunnel packets which are not matched in hardware will be
> sent to the host too.
> 
>     $ tc filter add dev vxlan_sys_4789 \
> 	    protocol ip chain 0 parent ffff: prio 1 handle 1 \
> 	    flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \
> 	    enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \
> 	    action tunnel_key unset pipe action drop
> 
> Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
> ---
>  drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> index f3ed028..25d423e 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> @@ -2485,7 +2485,8 @@ static bool actions_match_supported(struct mlx5e_priv *priv,
>  
>  	if (flow_flag_test(flow, EGRESS) &&
>  	    !((actions & MLX5_FLOW_CONTEXT_ACTION_DECAP) ||
> -	      (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP)))
> +	      (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP) ||
> +	      (actions & MLX5_FLOW_CONTEXT_ACTION_DROP)))
>  		return false;
>  
>  	if (actions & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR)
> 
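Review bot: the negated three-way OR in the `flow_flag_test(flow, EGRESS)` condition is becoming hard to read, and nothing in the hunk explains why an egress flow must carry one of these actions. Consider testing a single mask, `actions & (MLX5_FLOW_CONTEXT_ACTION_DECAP | MLX5_FLOW_CONTEXT_ACTION_VLAN_POP | MLX5_FLOW_CONTEXT_ACTION_DROP)`, and adding a one-line comment above the check that states the rule.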

thanks!

Reviewed-by: Roi Dayan <roid@mellanox.com>


* Re: [PATCH net-next] net/mlx5e: Allow dropping specific tunnel packets
  2019-08-01  8:40 [PATCH net-next] net/mlx5e: Allow dropping specific tunnel packets xiangxia.m.yue
  2019-08-01 11:40 ` Roi Dayan
@ 2019-08-01 16:48 ` David Miller
  2019-08-01 19:14 ` Saeed Mahameed
  2 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2019-08-01 16:48 UTC (permalink / raw)
  To: xiangxia.m.yue; +Cc: roid, saeedm, netdev

From: xiangxia.m.yue@gmail.com
Date: Thu,  1 Aug 2019 16:40:59 +0800

> From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
> 
> In some cases, we don't want to allow specific tunnel packets
> to reach the host, which avoids taking up high CPU (e.g. network attacks).
> But other tunnel packets which are not matched in hardware will be
> sent to the host too.
> 
>     $ tc filter add dev vxlan_sys_4789 \
> 	    protocol ip chain 0 parent ffff: prio 1 handle 1 \
> 	    flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \
> 	    enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \
> 	    action tunnel_key unset pipe action drop
> 
> Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>

Saeed, please pick this up.

Thank you.


* Re: [PATCH net-next] net/mlx5e: Allow dropping specific tunnel packets
  2019-08-01  8:40 [PATCH net-next] net/mlx5e: Allow dropping specific tunnel packets xiangxia.m.yue
  2019-08-01 11:40 ` Roi Dayan
  2019-08-01 16:48 ` David Miller
@ 2019-08-01 19:14 ` Saeed Mahameed
  2 siblings, 0 replies; 4+ messages in thread
From: Saeed Mahameed @ 2019-08-01 19:14 UTC (permalink / raw)
  To: Roi Dayan, xiangxia.m.yue; +Cc: netdev

On Thu, 2019-08-01 at 16:40 +0800, xiangxia.m.yue@gmail.com wrote:
> From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
> 
> In some cases, we don't want to allow specific tunnel packets
> to reach the host, which avoids taking up high CPU (e.g. network attacks).
> But other tunnel packets which are not matched in hardware will be
> sent to the host too.
> 
>     $ tc filter add dev vxlan_sys_4789 \
> 	    protocol ip chain 0 parent ffff: prio 1 handle 1 \
> 	    flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \
> 	    enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \
> 	    action tunnel_key unset pipe action drop
> 
> Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>

Applied to net-next-mlx5.

Thanks!
