From: Slava Ovsiienko <viacheslavo@mellanox.com>
To: Jack Min <jackmin@mellanox.com>, Matan Azrad <matan@mellanox.com>,
Shahaf Shuler <shahafs@mellanox.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>, Ori Kam <orika@mellanox.com>,
"stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH v2] net/mlx5: improve validation of item order
Date: Tue, 8 Oct 2019 09:43:17 +0000 [thread overview]
Message-ID: <AM4PR05MB3265C2C230B90AF708C658F6D29A0@AM4PR05MB3265.eurprd05.prod.outlook.com> (raw)
In-Reply-To: <099aca2cedb8654adc85923e5497ff8df1003bc5.1568191352.git.jackmin@mellanox.com>
> -----Original Message-----
> From: Xiaoyu Min <jackmin@mellanox.com>
> Sent: Wednesday, September 11, 2019 11:46
> To: Matan Azrad <matan@mellanox.com>; Shahaf Shuler
> <shahafs@mellanox.com>; Slava Ovsiienko <viacheslavo@mellanox.com>
> Cc: dev@dpdk.org; Ori Kam <orika@mellanox.com>; stable@dpdk.org
> Subject: [PATCH v2] net/mlx5: improve validation of item order
>
> The Item order validation between L2 and L3 is missing, which leading to the
> following flow rule is accepted:
>
> testpmd> flow create 0 ingress pattern ipv4 / eth / end actions drop /
> end
>
> Only the outer L3 layer should check whether the L2 layer is present, because
> the L3 layer could directly follow the tunnel layer without L2 layer.
>
> Meanwhile inner L2 layer should check whether there is inner L3 layer before
> it.
>
> Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function")
> Cc: stable@dpdk.org
>
> Signed-off-by: Xiaoyu Min <jackmin@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
> ---
> drivers/net/mlx5/mlx5_flow.c | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index eb360525da..45bd9c8025 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -1224,6 +1224,11 @@ mlx5_flow_validate_item_eth(const struct
> rte_flow_item *item,
> return rte_flow_error_set(error, ENOTSUP,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "multiple L2 layers not supported");
> + if (tunnel && (item_flags & MLX5_FLOW_LAYER_INNER_L3))
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "inner L2 layer should not "
> + "follow inner L3 layers");
> if (!mask)
> mask = &rte_flow_item_eth_mask;
> ret = mlx5_flow_item_acceptable(item, (const uint8_t *)mask, @@ -
> 1270,6 +1275,8 @@ mlx5_flow_validate_item_vlan(const struct
> rte_flow_item *item,
> const uint64_t vlanm = tunnel ? MLX5_FLOW_LAYER_INNER_VLAN :
> MLX5_FLOW_LAYER_OUTER_VLAN;
>
> + const uint64_t l2m = tunnel ? MLX5_FLOW_LAYER_INNER_L2 :
> + MLX5_FLOW_LAYER_OUTER_L2;
> if (item_flags & vlanm)
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> @@ -1278,6 +1285,10 @@ mlx5_flow_validate_item_vlan(const struct
> rte_flow_item *item,
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "L2 layer cannot follow L3/L4
> layer");
> + else if ((item_flags & l2m) == 0)
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "no L2 layer before VLAN");
> if (!mask)
> mask = &rte_flow_item_vlan_mask;
> ret = mlx5_flow_item_acceptable(item, (const uint8_t *)mask, @@ -
> 1390,6 +1401,10 @@ mlx5_flow_validate_item_ipv4(const struct
> rte_flow_item *item,
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "L3 cannot follow an NVGRE
> layer.");
> + else if (!tunnel && !(item_flags & MLX5_FLOW_LAYER_OUTER_L2))
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "no L2 layer before IPV4");
> if (!mask)
> mask = &rte_flow_item_ipv4_mask;
> else if (mask->hdr.next_proto_id != 0 && @@ -1481,6 +1496,10 @@
> mlx5_flow_validate_item_ipv6(const struct rte_flow_item *item,
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "L3 cannot follow an NVGRE
> layer.");
> + else if (!tunnel && !(item_flags & MLX5_FLOW_LAYER_OUTER_L2))
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "no L2 layer before IPV6");
> if (!mask)
> mask = &rte_flow_item_ipv6_mask;
> ret = mlx5_flow_item_acceptable(item, (const uint8_t *)mask,
> --
> 2.23.0
next prev parent reply other threads:[~2019-10-08 9:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-11 5:25 [dpdk-dev] [PATCH] net/mlx5: improve validation of item order Xiaoyu Min
2019-09-11 8:46 ` [dpdk-dev] [PATCH v2] " Xiaoyu Min
2019-10-08 9:43 ` Slava Ovsiienko [this message]
2019-10-08 11:53 ` Raslan Darawsheh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AM4PR05MB3265C2C230B90AF708C658F6D29A0@AM4PR05MB3265.eurprd05.prod.outlook.com \
--to=viacheslavo@mellanox.com \
--cc=dev@dpdk.org \
--cc=jackmin@mellanox.com \
--cc=matan@mellanox.com \
--cc=orika@mellanox.com \
--cc=shahafs@mellanox.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.