* [PATCH] net/ice: add MAC anti-spoof disable option
@ 2025-11-13 10:59 Anurag Mandal
2025-11-13 11:35 ` Bruce Richardson
` (3 more replies)
0 siblings, 4 replies; 23+ messages in thread
From: Anurag Mandal @ 2025-11-13 10:59 UTC (permalink / raw)
To: dev; +Cc: bruce.richardson, anatoly.burakov, Anurag Mandal
VRRP advertisement packets are dropped as TX-errors upon transmission from
a vsi of ice PF due to MAC anti-spoof check. There is no way to disable
this check in the Tx direction to avoid these packets being dropped.
This patch introduces devarg "mac-anti-spoof-disable" to allow the user to
disable the MAC anti-spoof check. Disabling the MAC Anti-spoof check in the Tx
direction avoids packets getting dropped as TX-errors upon transmission
when their source MAC address matches one of the MAC addresses assigned
to that same NIC port.
Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
---
doc/guides/nics/ice.rst | 11 +++++++++++
drivers/net/intel/ice/ice_ethdev.c | 22 ++++++++++++++++++++++
drivers/net/intel/ice/ice_ethdev.h | 1 +
3 files changed, 34 insertions(+)
diff --git a/doc/guides/nics/ice.rst b/doc/guides/nics/ice.rst
index 6cc27cefa7..bc86de0081 100644
--- a/doc/guides/nics/ice.rst
+++ b/doc/guides/nics/ice.rst
@@ -194,6 +194,17 @@ Runtime Configuration
-a 80:00.0,source-prune=1
+- ``MAC Anti-spoof Disable`` (default ``0``)
+
+ Disable MAC Anti-spoof check in the Tx direction to avoid getting dropped
+ as TX-errors upon packet transmission when their source MAC address
+ matches one of the MAC addresses assigned to that same NIC port.
+
+ MAC Anti-spoof can be disabled by setting the devargs parameter ``mac-anti-spoof-disable``,
+ for example::
+
+ -a 80:00.0,mac-anti-spoof-disable=1
+
- ``Protocol extraction for per queue``
Configure the RX queues to do protocol extraction into mbuf for protocol
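Review bot: the new entry says how to turn the check off but not what the check does while it is on (the default), so a reader cannot weigh the trade-off; state in one sentence which frames the Tx MAC anti-spoof check drops by default and that `mac-anti-spoof-disable=1` lets those frames (the VRRP advertisements named in the commit message) through. The sentence "Disable MAC Anti-spoof check in the Tx direction to avoid getting dropped as TX-errors" also has no subject for "getting dropped"; reword to "... so that packets are not dropped as TX-errors when their source MAC address matches ...".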
diff --git a/drivers/net/intel/ice/ice_ethdev.c b/drivers/net/intel/ice/ice_ethdev.c
index c1d92435d1..a0eae74bbb 100644
--- a/drivers/net/intel/ice/ice_ethdev.c
+++ b/drivers/net/intel/ice/ice_ethdev.c
@@ -42,6 +42,7 @@
#define ICE_DDP_LOAD_SCHED_ARG "ddp_load_sched_topo"
#define ICE_TM_LEVELS_ARG "tm_sched_levels"
#define ICE_SOURCE_PRUNE_ARG "source-prune"
+#define ICE_MAC_ANTI_SPOOF_DISABLE "mac-anti-spoof-disable"
#define ICE_LINK_STATE_ON_CLOSE "link_state_on_close"
#define ICE_CYCLECOUNTER_MASK 0xffffffffffffffffULL
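Review bot: `ICE_MAC_ANTI_SPOOF_DISABLE` breaks the naming pattern of the neighbouring devarg macros (`ICE_SOURCE_PRUNE_ARG`, `ICE_TM_LEVELS_ARG`, `ICE_DDP_LOAD_SCHED_ARG`); name it `ICE_MAC_ANTI_SPOOF_ARG` (or `ICE_MAC_ANTI_SPOOF_DISABLE_ARG` if the inverted option name is kept) so that a search for `_ARG` still finds every devarg string.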
@@ -60,6 +61,7 @@ static const char * const ice_valid_args[] = {
ICE_DDP_LOAD_SCHED_ARG,
ICE_TM_LEVELS_ARG,
ICE_SOURCE_PRUNE_ARG,
+ ICE_MAC_ANTI_SPOOF_DISABLE,
ICE_LINK_STATE_ON_CLOSE,
NULL
};
@@ -1768,6 +1770,20 @@ ice_setup_vsi(struct ice_pf *pf, enum ice_vsi_type type)
vsi_ctx.info.sw_flags |=
ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
}
+ /* MAC Anti-Spoof */
+ if (ad->devargs.mac_anti_spoof_disable == 1) {
+ /* Disable mac anti-spoof check in the
+ * Tx direction to avoid getting dropped
+ * as TX-errors for VRRP support when
+ * mac-anti-spoof-disable devarg is set
+ */
+ vsi_ctx.info.sw_flags &=
+ ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
+ vsi_ctx.info.sw_flags |=
+ ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
+ vsi_ctx.info.sec_flags =
+ ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+ }
cfg = ICE_AQ_VSI_PROP_SW_VALID;
vsi_ctx.info.valid_sections |= rte_cpu_to_le_16(cfg);
vsi_ctx.info.sw_flags2 = ICE_AQ_VSI_SW_FLAG_LAN_ENA;
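Review bot: `vsi_ctx.info.sec_flags = ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;` inside the disable branch sets the enable bit (and overwrites any other sec_flags) when the intent is to clear it; it should read `vsi_ctx.info.sec_flags &= ~ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;`. The same branch also clears `ICE_AQ_VSI_SW_FLAG_SRC_PRUNE`, which the source-prune block just above may have set, without any log line, so a user who passes both devargs has one of them silently undone; at minimum emit a NOTICE here, and preferably detect the combination in ice_parse_devargs.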
@@ -2467,6 +2483,11 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
if (ret)
goto bail;
+ ret = rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_DISABLE,
+ &parse_bool, &ad->devargs.mac_anti_spoof_disable);
+ if (ret)
+ goto bail;
+
ret = rte_kvargs_process(kvlist, ICE_LINK_STATE_ON_CLOSE,
&parse_link_state_on_close, &ad->devargs.link_state_on_close);
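Review bot: the new option is parsed in isolation, yet ice_setup_vsi clears `ICE_AQ_VSI_SW_FLAG_SRC_PRUNE` whenever `mac_anti_spoof_disable == 1`; this is the place to notice `source-prune=1` together with `mac-anti-spoof-disable=1` (after the two `rte_kvargs_process` calls) and log a warning or reject it, rather than letting VSI setup resolve it silently. Also, no explicit default is assigned to `ad->devargs.mac_anti_spoof_disable`, so the documented default of 0 depends on `ad->devargs` being zero-initialised.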
@@ -7732,6 +7753,7 @@ RTE_PMD_REGISTER_PARAM_STRING(net_ice,
ICE_DDP_LOAD_SCHED_ARG "=<0|1>"
ICE_TM_LEVELS_ARG "=<N>"
ICE_SOURCE_PRUNE_ARG "=<0|1>"
+ ICE_MAC_ANTI_SPOOF_DISABLE "=<0|1>"
ICE_RX_LOW_LATENCY_ARG "=<0|1>"
ICE_LINK_STATE_ON_CLOSE "=<down|up|initial>");
diff --git a/drivers/net/intel/ice/ice_ethdev.h b/drivers/net/intel/ice/ice_ethdev.h
index 72ed65f13b..9b36627d12 100644
--- a/drivers/net/intel/ice/ice_ethdev.h
+++ b/drivers/net/intel/ice/ice_ethdev.h
@@ -617,6 +617,7 @@ struct ice_devargs {
uint8_t ddp_load_sched;
uint8_t tm_exposed_levels;
uint8_t source_prune;
+ uint8_t mac_anti_spoof_disable;
int link_state_on_close;
int xtr_field_offs;
uint8_t xtr_flag_offs[PROTO_XTR_MAX];
--
2.34.1
^ permalink raw reply [flat|nested] 23+ messages in thread
* Re: [PATCH] net/ice: add MAC anti-spoof disable option
2025-11-13 10:59 [PATCH] net/ice: add MAC anti-spoof disable option Anurag Mandal
@ 2025-11-13 11:35 ` Bruce Richardson
2025-11-16 3:57 ` [PATCH v2] net/ice: add MAC anti-spoof option Anurag Mandal
` (2 subsequent siblings)
3 siblings, 0 replies; 23+ messages in thread
From: Bruce Richardson @ 2025-11-13 11:35 UTC (permalink / raw)
To: Anurag Mandal; +Cc: dev, anatoly.burakov
On Thu, Nov 13, 2025 at 10:59:14AM +0000, Anurag Mandal wrote:
> VRRP advertisement packets are dropped as TX-errors upon transmission from
> a vsi of ice PF due to MAC anti-spoof check. There is no way to disable
> this check in the Tx direction to avoid these packets being dropped.
>
> This patch introduces devarg "mac-anti-spoof-disable" to allow the user to
> disable the MAC anti-spoof check. Disabling the MAC Anti-spoof check in the Tx
> direction avoids packets getting dropped as TX-errors upon transmission
> when their source MAC address matches one of the MAC addresses assigned
> to that same NIC port.
>
> Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
See feedback inline below.
/Bruce
> ---
> doc/guides/nics/ice.rst | 11 +++++++++++
> drivers/net/intel/ice/ice_ethdev.c | 22 ++++++++++++++++++++++
> drivers/net/intel/ice/ice_ethdev.h | 1 +
> 3 files changed, 34 insertions(+)
>
> diff --git a/doc/guides/nics/ice.rst b/doc/guides/nics/ice.rst
> index 6cc27cefa7..bc86de0081 100644
> --- a/doc/guides/nics/ice.rst
> +++ b/doc/guides/nics/ice.rst
> @@ -194,6 +194,17 @@ Runtime Configuration
>
> -a 80:00.0,source-prune=1
>
> +- ``MAC Anti-spoof Disable`` (default ``0``)
> +
> + Disable MAC Anti-spoof check in the Tx direction to avoid getting dropped
> + as TX-errors upon packet transmission when their source MAC address
> + matches one of the MAC addresses assigned to that same NIC port.
> +
> + MAC Anti-spoof can be disabled by setting the devargs parameter ``mac-anti-spoof-disable``,
> + for example::
> +
> + -a 80:00.0,mac-anti-spoof-disable=1
> +
I dislike as a point of principle having options with "disable" in the
name, because it means that the normal logic for on/off is reversed. For
example, in this case to enable anti-spoof you set it to 0. Also, having
disable in the name makes the name longer!
How about having this setting called "mac-anti-spoof" and setting the
default to 1.
> - ``Protocol extraction for per queue``
>
> Configure the RX queues to do protocol extraction into mbuf for protocol
> diff --git a/drivers/net/intel/ice/ice_ethdev.c b/drivers/net/intel/ice/ice_ethdev.c
> index c1d92435d1..a0eae74bbb 100644
> --- a/drivers/net/intel/ice/ice_ethdev.c
> +++ b/drivers/net/intel/ice/ice_ethdev.c
> @@ -42,6 +42,7 @@
> #define ICE_DDP_LOAD_SCHED_ARG "ddp_load_sched_topo"
> #define ICE_TM_LEVELS_ARG "tm_sched_levels"
> #define ICE_SOURCE_PRUNE_ARG "source-prune"
> +#define ICE_MAC_ANTI_SPOOF_DISABLE "mac-anti-spoof-disable"
> #define ICE_LINK_STATE_ON_CLOSE "link_state_on_close"
>
> #define ICE_CYCLECOUNTER_MASK 0xffffffffffffffffULL
> @@ -60,6 +61,7 @@ static const char * const ice_valid_args[] = {
> ICE_DDP_LOAD_SCHED_ARG,
> ICE_TM_LEVELS_ARG,
> ICE_SOURCE_PRUNE_ARG,
> + ICE_MAC_ANTI_SPOOF_DISABLE,
> ICE_LINK_STATE_ON_CLOSE,
> NULL
> };
> @@ -1768,6 +1770,20 @@ ice_setup_vsi(struct ice_pf *pf, enum ice_vsi_type type)
> vsi_ctx.info.sw_flags |=
> ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> }
> + /* MAC Anti-Spoof */
> + if (ad->devargs.mac_anti_spoof_disable == 1) {
> + /* Disable mac anti-spoof check in the
> + * Tx direction to avoid getting dropped
> + * as TX-errors for VRRP support when
> + * mac-anti-spoof-disable devarg is set
> + */
> + vsi_ctx.info.sw_flags &=
> + ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
If the source prune feature conflicts with the anti-spoof one in some way,
then we need to check at devargs processing time for conflicts and warn the
user. Also, if the user specifies one flag which changes the default of the
other, a logging message should be emitted (e.g. at INFO or NOTICE level)
> + vsi_ctx.info.sw_flags |=
> + ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
> + vsi_ctx.info.sec_flags =
> + ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
This seems strange to me. When anti-spoof disable flag is set, we turn on
the ENA (enable, right?) MAC_ANTI_SPOOF flag?
> + }
> cfg = ICE_AQ_VSI_PROP_SW_VALID;
> vsi_ctx.info.valid_sections |= rte_cpu_to_le_16(cfg);
> vsi_ctx.info.sw_flags2 = ICE_AQ_VSI_SW_FLAG_LAN_ENA;
> @@ -2467,6 +2483,11 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
> if (ret)
> goto bail;
>
> + ret = rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_DISABLE,
> + &parse_bool, &ad->devargs.mac_anti_spoof_disable);
> + if (ret)
> + goto bail;
> +
> ret = rte_kvargs_process(kvlist, ICE_LINK_STATE_ON_CLOSE,
> &parse_link_state_on_close, &ad->devargs.link_state_on_close);
>
> @@ -7732,6 +7753,7 @@ RTE_PMD_REGISTER_PARAM_STRING(net_ice,
> ICE_DDP_LOAD_SCHED_ARG "=<0|1>"
> ICE_TM_LEVELS_ARG "=<N>"
> ICE_SOURCE_PRUNE_ARG "=<0|1>"
> + ICE_MAC_ANTI_SPOOF_DISABLE "=<0|1>"
> ICE_RX_LOW_LATENCY_ARG "=<0|1>"
> ICE_LINK_STATE_ON_CLOSE "=<down|up|initial>");
>
> diff --git a/drivers/net/intel/ice/ice_ethdev.h b/drivers/net/intel/ice/ice_ethdev.h
> index 72ed65f13b..9b36627d12 100644
> --- a/drivers/net/intel/ice/ice_ethdev.h
> +++ b/drivers/net/intel/ice/ice_ethdev.h
> @@ -617,6 +617,7 @@ struct ice_devargs {
> uint8_t ddp_load_sched;
> uint8_t tm_exposed_levels;
> uint8_t source_prune;
> + uint8_t mac_anti_spoof_disable;
> int link_state_on_close;
> int xtr_field_offs;
> uint8_t xtr_flag_offs[PROTO_XTR_MAX];
> --
> 2.34.1
>
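The parse-time conflict check and one-time log asked for in this review, as an added example that is not part of the patch or of DPDK. It follows the naming suggested above (`mac-anti-spoof`, default 1); the `key=value,key=value` splitting is a small stand-in for rte_kvargs, and `struct devargs_model` and `devargs_parse` are names assumed for this example.

```c
/* Added example (not DPDK code): devargs parsing for the source-prune /
 * mac-anti-spoof pair with the interaction reported at parse time. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct devargs_model {
	uint8_t source_prune;   /* default 0: source prune off */
	uint8_t mac_anti_spoof; /* default 1: Tx MAC anti-spoof check on */
	int conflict;           /* 1 when source-prune=1 and mac-anti-spoof=0 were both given */
};

/* Only "0" and "1" are valid, as the "=<0|1>" parameter string promises. */
static int parse_bool(const char *value, uint8_t *out)
{
	if (strcmp(value, "0") == 0) { *out = 0; return 0; }
	if (strcmp(value, "1") == 0) { *out = 1; return 0; }
	return -EINVAL;
}

/* Parse "key=value,key=value" into the model. Returns 0 on success and
 * -EINVAL on a NULL string, an unknown key, a missing '=' or a non-boolean value. */
int devargs_parse(const char *devargs, struct devargs_model *m)
{
	const char *p = devargs;

	m->source_prune = 0;    /* defaults are fixed before any option is read */
	m->mac_anti_spoof = 1;
	m->conflict = 0;
	if (p == NULL)
		return -EINVAL;

	while (*p != '\0') {
		const char *eq = strchr(p, '=');
		const char *end = strchr(p, ',');
		char key[32], val[32];
		size_t klen, vlen;

		if (end == NULL)
			end = p + strlen(p);
		if (eq == NULL || eq > end)
			return -EINVAL;
		klen = (size_t)(eq - p);
		vlen = (size_t)(end - eq - 1);
		if (klen == 0 || klen >= sizeof(key) || vlen >= sizeof(val))
			return -EINVAL;
		memcpy(key, p, klen); key[klen] = '\0';
		memcpy(val, eq + 1, vlen); val[vlen] = '\0';

		if (strcmp(key, "source-prune") == 0) {
			if (parse_bool(val, &m->source_prune) != 0)
				return -EINVAL;
		} else if (strcmp(key, "mac-anti-spoof") == 0) {
			if (parse_bool(val, &m->mac_anti_spoof) != 0)
				return -EINVAL;
		} else {
			return -EINVAL; /* unknown key, as a key outside ice_valid_args would be */
		}
		p = (*end == ',') ? end + 1 : end;
	}

	/* Report the interaction once, while the user can still change it: the
	 * VSI setup path clears the source-prune switch flag when anti-spoof is off. */
	if (m->source_prune == 1 && m->mac_anti_spoof == 0) {
		m->conflict = 1;
		fprintf(stderr, "NOTICE: source-prune=1 and mac-anti-spoof=0 interact in VSI setup; "
				"the source-prune switch flag will be cleared\n");
	} else if (m->mac_anti_spoof == 0) {
		fprintf(stderr, "NOTICE: Tx MAC anti-spoof check disabled; frames such as VRRP "
				"advertisements are no longer dropped as TX-errors\n");
	}
	return 0;
}

int main(void)
{
	/* constructed sample devargs strings */
	const char *samples[] = { "", "mac-anti-spoof=0",
				  "source-prune=1,mac-anti-spoof=0", "mac-anti-spoof=yes" };
	struct devargs_model m;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int ret = devargs_parse(samples[i], &m);
		printf("\"%s\" -> ret=%d source_prune=%u mac_anti_spoof=%u conflict=%d\n",
		       samples[i], ret, m.source_prune, m.mac_anti_spoof, m.conflict);
	}
	return 0;
}
```

The defaults are assigned before the loop so that an empty string yields the documented behaviour, and the interaction is decided after both keys are known, which is why the check sits after the loop rather than inside either key's branch.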
* [PATCH v2] net/ice: add MAC anti-spoof option
2025-11-13 10:59 [PATCH] net/ice: add MAC anti-spoof disable option Anurag Mandal
2025-11-13 11:35 ` Bruce Richardson
@ 2025-11-16 3:57 ` Anurag Mandal
2025-11-16 7:43 ` Morten Brørup
2025-12-03 10:41 ` [PATCH v3] " Anurag Mandal
2025-12-17 20:11 ` [PATCH v4] " Anurag Mandal
3 siblings, 1 reply; 23+ messages in thread
From: Anurag Mandal @ 2025-11-16 3:57 UTC (permalink / raw)
To: dev; +Cc: bruce.richardson, anatoly.burakov, Anurag Mandal
VRRP advertisement packets are dropped as TX-errors upon transmission from
a vsi of ice PF due to MAC anti-spoof check which is enabled by default.
There is no way to disable this check in the Tx direction to avoid
these packets being dropped.
This patch introduces devargs "mac-anti-spoof" to allow the user to
disable the MAC anti-spoof check. Disabling the MAC Anti-spoof check
in the Tx direction avoids packets getting dropped as TX-errors upon
transmission when their source MAC address matches one of the MAC
addresses assigned to that same NIC port.
Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
---
V2: Addressed Bruce Richardson's feedback
- changed devargs name to "mac-anti-spoof"
- changed devargs member name to "mac_anti_spoof"
- changed macro name to "ICE_MAC_ANTI_SPOOF_ARG"
- set the default value of the devargs to 1
- added NOTICE log msg when MAC Anti-spoof is disabled
- added more code comments to provide clarity
- fixed typo error with ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
doc/guides/nics/ice.rst | 11 +++++++
drivers/net/intel/ice/ice_ethdev.c | 50 +++++++++++++++++++++++++++++-
drivers/net/intel/ice/ice_ethdev.h | 1 +
3 files changed, 61 insertions(+), 1 deletion(-)
diff --git a/doc/guides/nics/ice.rst b/doc/guides/nics/ice.rst
index 6cc27cefa7..f7dae93435 100644
--- a/doc/guides/nics/ice.rst
+++ b/doc/guides/nics/ice.rst
@@ -194,6 +194,17 @@ Runtime Configuration
-a 80:00.0,source-prune=1
+- ``MAC Anti-spoof Disable`` (default ``1``)
+
+ Disable MAC Anti-spoof check in the Tx direction to avoid getting dropped
+ as TX-errors upon packet transmission when their source MAC address
+ matches one of the MAC addresses assigned to that same NIC port.
+
+ MAC Anti-spoof can be disabled by setting the devargs parameter ``mac-anti-spoof``,
+ for example::
+
+ -a 80:00.0,mac-anti-spoof=0
+
- ``Protocol extraction for per queue``
Configure the RX queues to do protocol extraction into mbuf for protocol
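Review bot: the entry title is still ``MAC Anti-spoof Disable`` and now carries ``(default ``1``)``, while the devarg was renamed to ``mac-anti-spoof``; "Disable ... default 1" reads as "disabled by default", the opposite of what the code does (`ad->devargs.mac_anti_spoof = 1; /* enabled by default */`). Rename the entry to ``MAC Anti-spoof`` (default ``1``) and reword the first sentence to say the check is on by default and that ``mac-anti-spoof=0`` turns it off in the Tx direction.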
diff --git a/drivers/net/intel/ice/ice_ethdev.c b/drivers/net/intel/ice/ice_ethdev.c
index c1d92435d1..885ded3473 100644
--- a/drivers/net/intel/ice/ice_ethdev.c
+++ b/drivers/net/intel/ice/ice_ethdev.c
@@ -42,6 +42,7 @@
#define ICE_DDP_LOAD_SCHED_ARG "ddp_load_sched_topo"
#define ICE_TM_LEVELS_ARG "tm_sched_levels"
#define ICE_SOURCE_PRUNE_ARG "source-prune"
+#define ICE_MAC_ANTI_SPOOF_ARG "mac-anti-spoof"
#define ICE_LINK_STATE_ON_CLOSE "link_state_on_close"
#define ICE_CYCLECOUNTER_MASK 0xffffffffffffffffULL
@@ -60,6 +61,7 @@ static const char * const ice_valid_args[] = {
ICE_DDP_LOAD_SCHED_ARG,
ICE_TM_LEVELS_ARG,
ICE_SOURCE_PRUNE_ARG,
+ ICE_MAC_ANTI_SPOOF_ARG,
ICE_LINK_STATE_ON_CLOSE,
NULL
};
@@ -1761,13 +1763,52 @@ ice_setup_vsi(struct ice_pf *pf, enum ice_vsi_type type)
/* Source Prune */
if (ad->devargs.source_prune != 1) {
/* Disable source prune to support VRRP
- * when source-prune devarg is not set
+ * when source-prune devargs is not set
*/
vsi_ctx.info.sw_flags =
ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
vsi_ctx.info.sw_flags |=
ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
}
+ /* MAC Anti-spoof */
+ /* MAC anti-spoof check is enabled by default */
+ vsi_ctx.info.sec_flags =
+ ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+
+ /* By default, Source Prune is disabled and
+ * MAC Anti-spoof check is enabled.
+ *
+ * Source Prune is disabled by setting local
+ * loopback with ICE_AQ_VSI_SW_FLAG_LOCAL_LB
+ * flag in the Rx direction.
+ * ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to
+ * prevent transmitted packets from being
+ * looped back in some circumstances.
+ *
+ * MAC Anti-spoof check can be disabled by
+ * clearing ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
+ * ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
+ * flags and setting Tx loopback with
+ * ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the
+ * Tx direction.
+ */
+ if (ad->devargs.mac_anti_spoof == 0) {
+ /* Disable mac anti-spoof check in the
+ * Tx direction to avoid getting dropped
+ * as TX-errors for VRRP support when
+ * mac-anti-spoof devargs is reset
+ */
+ vsi_ctx.info.sw_flags &=
+ ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
+ PMD_INIT_LOG(NOTICE,
+ "Disabling MAC Anti-spoof check "
+ "in Tx direction does not affect "
+ "Source Prune in Rx direction");
+ vsi_ctx.info.sw_flags |=
+ ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
+ vsi_ctx.info.sec_flags &=
+ ~ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+ }
cfg = ICE_AQ_VSI_PROP_SW_VALID;
vsi_ctx.info.valid_sections |= rte_cpu_to_le_16(cfg);
vsi_ctx.info.sw_flags2 = ICE_AQ_VSI_SW_FLAG_LAN_ENA;
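Review bot: the NOTICE text claims that disabling the check "does not affect Source Prune in Rx direction", yet the same branch clears `ICE_AQ_VSI_SW_FLAG_SRC_PRUNE`, which the new block comment says is there "to prevent transmitted packets from being looped back", and then sets `ICE_AQ_VSI_SW_FLAG_ALLOW_LB`; the message should state that side effect (Tx loopback becomes permitted) instead of denying one. The log is also emitted from ice_setup_vsi, so it repeats for every VSI set up; the one-time place is ice_parse_devargs. Separately, the `devarg` to `devargs` edit in the source-prune comment is unrelated to this change and belongs in its own patch.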
@@ -2398,6 +2439,7 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
return -EINVAL;
}
+ ad->devargs.mac_anti_spoof = 1; /* enabled by default */
ad->devargs.proto_xtr_dflt = PROTO_XTR_NONE;
memset(ad->devargs.proto_xtr, PROTO_XTR_NONE,
sizeof(ad->devargs.proto_xtr));
@@ -2467,6 +2509,11 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
if (ret)
goto bail;
+ ret = rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_ARG,
+ &parse_bool, &ad->devargs.mac_anti_spoof);
+ if (ret)
+ goto bail;
+
ret = rte_kvargs_process(kvlist, ICE_LINK_STATE_ON_CLOSE,
&parse_link_state_on_close, &ad->devargs.link_state_on_close);
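Review bot: there is still no parse-time handling of `source-prune=1,mac-anti-spoof=0`, which the review of v1 asked for; after both `rte_kvargs_process` calls, test `ad->devargs.source_prune && !ad->devargs.mac_anti_spoof` and log (or reject) the combination here, so the interaction is reported once and before the VSI is configured.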
@@ -7732,6 +7779,7 @@ RTE_PMD_REGISTER_PARAM_STRING(net_ice,
ICE_DDP_LOAD_SCHED_ARG "=<0|1>"
ICE_TM_LEVELS_ARG "=<N>"
ICE_SOURCE_PRUNE_ARG "=<0|1>"
+ ICE_MAC_ANTI_SPOOF_ARG "=<0|1>"
ICE_RX_LOW_LATENCY_ARG "=<0|1>"
ICE_LINK_STATE_ON_CLOSE "=<down|up|initial>");
diff --git a/drivers/net/intel/ice/ice_ethdev.h b/drivers/net/intel/ice/ice_ethdev.h
index 72ed65f13b..5fe4688d57 100644
--- a/drivers/net/intel/ice/ice_ethdev.h
+++ b/drivers/net/intel/ice/ice_ethdev.h
@@ -617,6 +617,7 @@ struct ice_devargs {
uint8_t ddp_load_sched;
uint8_t tm_exposed_levels;
uint8_t source_prune;
+ uint8_t mac_anti_spoof;
int link_state_on_close;
int xtr_field_offs;
uint8_t xtr_flag_offs[PROTO_XTR_MAX];
--
2.34.1
* RE: [PATCH v2] net/ice: add MAC anti-spoof option
2025-11-16 3:57 ` [PATCH v2] net/ice: add MAC anti-spoof option Anurag Mandal
@ 2025-11-16 7:43 ` Morten Brørup
2025-11-17 5:22 ` Mandal, Anurag
0 siblings, 1 reply; 23+ messages in thread
From: Morten Brørup @ 2025-11-16 7:43 UTC (permalink / raw)
To: Anurag Mandal, dev, bruce.richardson, anatoly.burakov, thomas,
andrew.rybchenko
+TO: Ethdev maintainers, regarding new Ethdev APIs
> From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> Sent: Sunday, 16 November 2025 04.58
>
> VRRP advertisement packets are dropped as TX-errors upon transmission
> from
> a vsi of ice PF due to MAC anti-spoof check which is enabled by
> default.
> There is no way to disable this check in the Tx direction to avoid
> these packets being dropped.
>
> This patch introduces devargs "mac-anti-spoof" to allow the user to
> disable the MAC anti-spoof check. Disabling the MAC Anti-spoof check
> in the Tx direction avoids packets getting dropped as TX-errors upon
> transmission when their source MAC address matches one of the MAC
> addresses assigned to that same NIC port.
>
> Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> ---
This is the same story as with Source Prune.
Please disable source-prune filtering by default, and provide an option to enable it.
Also, suggest shortening the devargs name to simply "anti-spoof", like "source-prune"; they both operate on MAC basis.
Let's make something generic instead, to replace those silly devargs.
We have individual Ethdev APIs to enable/disable various Rx filtering, e.g. "promiscuous", "all multicast".
Obviously, we don't want to introduce new APIs for every semi-exotic filter any NIC may offer, like "source prune" and "anti spoof", but we could introduce a set of generic Ethdev APIs to support filters such as these, using a bitfield enum. E.g.:
/* Enable one or more filters. */
int rte_ethdev_filter_enable(uint16_t port_id, uint64_t filter);
/* Disable one or more filters. */
int rte_ethdev_filter_disable(uint16_t port_id, uint64_t filter);
/* Get bit field of filters enabled. */
int64_t rte_ethdev_filter_get(uint16_t port_id);
/* Get bit field of filters supported by device. */
int64_t rte_ethdev_filter_capa(uint16_t port_id);
/** Destination MAC must match NIC's MAC address.
 * (This is the inverse of Promiscuous.)
 * Default enabled.
 */
#define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
/** Multicast Hash.
 * (This is the inverse of All Multicast.)
 * Default enabled.
 */
#define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
/** Source Prune.
 * [Insert description here.]
 */
#define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
/* Add new Rx filters here, in increasing order. */
/* Add new Tx filters here, in decreasing order. */
/** Anti-Spoof (Tx filter; distinct name from the Rx source-prune bit above).
 * [Insert description here.]
 */
#define RTE_ETH_FILTER_TX_ANTI_SPOOF RTE_BIT64(62)
/** Used for error return values which are negative. */
#define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
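A working model of the bit-field filter API sketched in this message, with the capability check the sketch leaves implicit, applied to the Tx MAC anti-spoof decision behind the VRRP drops described in the commit message. This is an added example, not code from the patch, from DPDK or from this thread's authors. It assumes the usual meaning of the check (a Tx frame whose source MAC is not one of the port's assigned addresses is dropped), and every name in it (`eth_filter_dev`, the `ETH_FILTER_*` bits, `tx_anti_spoof_check`, `sample_dev`, `sample_vrrp_frame`, `scenario_vrrp`) is an assumption made for the example; the port MAC and the frame are constructed.

```c
/* Added example (not DPDK code): bit-field filter API with capability
 * checking, plus a model of the Tx MAC anti-spoof decision. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIT64(n) ((uint64_t)1 << (n))
#define ETH_FILTER_RX_NON_PROMISC    BIT64(0)  /* Rx: dst MAC must be ours */
#define ETH_FILTER_RX_MULTICAST      BIT64(1)  /* Rx: multicast hash */
#define ETH_FILTER_RX_SOURCE_PRUNE   BIT64(2)  /* Rx: drop frames we sourced */
#define ETH_FILTER_TX_MAC_ANTI_SPOOF BIT64(62) /* Tx: src MAC must be ours */
#define ETH_FILTER_ERROR             BIT64(63) /* reserved so int64_t results stay >= 0 */
#define MAX_MACS 4

struct eth_filter_dev {
	uint64_t capa;             /* filters the device supports */
	uint64_t enabled;          /* filters currently on */
	uint8_t macs[MAX_MACS][6]; /* MAC addresses assigned to the port */
	int n_macs;
};

/* Shared path: reject the reserved bit and unsupported filters, then flip. */
static int filter_set(struct eth_filter_dev *d, uint64_t f, int on)
{
	if (f & ETH_FILTER_ERROR)
		return -EINVAL;
	if (f & ~d->capa)
		return -ENOTSUP;
	if (on)
		d->enabled |= f;
	else
		d->enabled &= ~f;
	return 0;
}
int eth_filter_enable(struct eth_filter_dev *d, uint64_t f) { return filter_set(d, f, 1); }
int eth_filter_disable(struct eth_filter_dev *d, uint64_t f) { return filter_set(d, f, 0); }
int64_t eth_filter_get(const struct eth_filter_dev *d) { return (int64_t)(d->enabled & ~ETH_FILTER_ERROR); }
int64_t eth_filter_capa(const struct eth_filter_dev *d) { return (int64_t)(d->capa & ~ETH_FILTER_ERROR); }

/* Tx anti-spoof as modelled here: with the filter on, a frame whose source
 * MAC (bytes 6..11 of the Ethernet header) is not one of the port's MACs is
 * dropped, which the driver reports as a TX-error. Returns 1 = send, 0 = drop. */
int tx_anti_spoof_check(const struct eth_filter_dev *d, const uint8_t *frame, size_t len)
{
	int i;
	if (len < 14)
		return -EINVAL;
	if (!(d->enabled & ETH_FILTER_TX_MAC_ANTI_SPOOF))
		return 1;
	for (i = 0; i < d->n_macs; i++)
		if (memcmp(frame + 6, d->macs[i], 6) == 0)
			return 1;
	return 0;
}

/* Constructed sample port: one assigned MAC, anti-spoof on by default. */
void sample_dev(struct eth_filter_dev *d)
{
	static const uint8_t port_mac[6] = {0x00, 0x1b, 0x21, 0xaa, 0xbb, 0xcc}; /* constructed */
	memset(d, 0, sizeof(*d));
	d->capa = ETH_FILTER_RX_NON_PROMISC | ETH_FILTER_RX_MULTICAST |
		  ETH_FILTER_RX_SOURCE_PRUNE | ETH_FILTER_TX_MAC_ANTI_SPOOF;
	d->enabled = ETH_FILTER_RX_NON_PROMISC | ETH_FILTER_RX_MULTICAST |
		     ETH_FILTER_TX_MAC_ANTI_SPOOF;
	memcpy(d->macs[0], port_mac, 6);
	d->n_macs = 1;
}

/* Constructed VRRP advertisement: dst 01:00:5e:00:00:12 (224.0.0.18), src
 * 00:00:5e:00:01:01 (virtual router MAC for VRID 1, RFC 5798), IPv4 ethertype,
 * padded to the 60-byte minimum with a zero payload. Returns the frame length. */
size_t sample_vrrp_frame(uint8_t *buf, size_t cap)
{
	static const uint8_t hdr[14] = {0x01, 0x00, 0x5e, 0x00, 0x00, 0x12,
					0x00, 0x00, 0x5e, 0x00, 0x01, 0x01, 0x08, 0x00};
	if (cap < 60)
		return 0;
	memset(buf, 0, 60);
	memcpy(buf, hdr, sizeof(hdr));
	return 60;
}

/* Does the VRRP frame leave the sample port with anti-spoof on (1) or off (0)? */
int scenario_vrrp(int anti_spoof_on)
{
	struct eth_filter_dev d;
	uint8_t frame[60];
	sample_dev(&d);
	if (!anti_spoof_on && eth_filter_disable(&d, ETH_FILTER_TX_MAC_ANTI_SPOOF) != 0)
		return -1;
	return tx_anti_spoof_check(&d, frame, sample_vrrp_frame(frame, sizeof(frame)));
}
```

`scenario_vrrp(1)` returns 0 (dropped) because the virtual router MAC is not among the port's addresses, and `scenario_vrrp(0)` returns 1; enabling a bit the device does not advertise returns -ENOTSUP rather than silently succeeding, and bit 63 is never a valid filter so the `int64_t` getters cannot collide with a negative error value.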
* RE: [PATCH v2] net/ice: add MAC anti-spoof option
2025-11-16 7:43 ` Morten Brørup
@ 2025-11-17 5:22 ` Mandal, Anurag
2025-11-17 9:05 ` Morten Brørup
0 siblings, 1 reply; 23+ messages in thread
From: Mandal, Anurag @ 2025-11-17 5:22 UTC (permalink / raw)
To: Morten Brørup, dev, Richardson, Bruce, Burakov, Anatoly,
thomas, andrew.rybchenko
Hi Morten Brørup,
Thanks for your mail and review. PFB my answers.
" This is the same story as with Source Prune.
Please disable source-prune filtering by default, and provide an option to enable it.
Also, suggest shortening the devargs name to simply "anti-spoof", like "source-prune"; they both operate on MAC basis."
[Ans]: Source prune is disabled by default and option to enable the same has been already committed:[ https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f36086].
I also wanted to shorten the name to "anti-spoof" but I found something called " vsi->vlan_anti_spoof_on" in the same file.
Hence, to distinguish between them, used "mac-anti-spoof".
Thank you.
Regards,
Anurag M
* RE: [PATCH v2] net/ice: add MAC anti-spoof option
2025-11-17 5:22 ` Mandal, Anurag
@ 2025-11-17 9:05 ` Morten Brørup
2025-12-02 8:17 ` Mandal, Anurag
0 siblings, 1 reply; 23+ messages in thread
From: Morten Brørup @ 2025-11-17 9:05 UTC (permalink / raw)
To: Mandal, Anurag, dev, Richardson, Bruce, Burakov, Anatoly, thomas,
andrew.rybchenko
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Monday, 17 November 2025 06.22
>
> Hi Morten Brørup,
>
> Thanks for your mail and review. PFB my answers.
>
> " This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an option
> to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis."
>
> [Ans]: Source prune is disabled by default and option to enable the
> same has been already committed:[
> https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f
> 36086].
Sorry, there was a typo... I meant to write:
Please disable anti-spoof filtering by default, and provide an option to enable it.
Like source-prune.
> I also wanted to shorten the name to "anti-spoof" but I found something
> called " vsi->vlan_anti_spoof_on" in the same file.
> Hence, to distinguish between them, used "mac-anti-spoof".
OK. Then "mac-anti-spoof" is a good choice.
Is support for "vlan-anti-spoof" in the pipeline?
What are your thoughts about the generic Ethdev APIs I suggested, instead of driver specific devargs?
* RE: [PATCH v2] net/ice: add MAC anti-spoof option
2025-11-17 9:05 ` Morten Brørup
@ 2025-12-02 8:17 ` Mandal, Anurag
2025-12-02 9:00 ` Morten Brørup
0 siblings, 1 reply; 23+ messages in thread
From: Mandal, Anurag @ 2025-12-02 8:17 UTC (permalink / raw)
To: Morten Brørup, dev, Richardson, Bruce, Burakov, Anatoly,
thomas, andrew.rybchenko
Hi Morten Brørup,
Apologies for the late reply; as the patch was deferred from DPDK 25.11, I was waiting.
PFB my answers.
Q1: " Please disable anti-spoof filtering by default, and provide an option to enable it.
Like source-prune."
[Ans]: MAC anti-spoof is enabled by default in kernel ice driver.
Hence, it seems a better idea to make it enabled by default to keep it in sync with kernel and in terms of security.
Q2: " Is support for "vlan-anti-spoof" in the pipeline?"
[Ans]: Not sure but " vlan_anti_spoof_on" is present in code.
Q3: " What are your thoughts about the generic Ethdev APIs I suggested, instead of driver specific devargs?"
[Ans]: It is unlikely that a user would want these mac anti-spoof/src prune to be set/reset dynamically. Hence, devargs are likely the better solution.
Generic Ethdev APIs are a good idea but should be taken up separately, as it goes well beyond the scope of this patch and would need significant effort.
Also, that again brings the dynamic nature into the picture.
Thank you.
Regards,
Anurag M
-----Original Message-----
From: Morten Brørup <mb@smartsharesystems.com>
Sent: 17 November 2025 14:36
To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly <anatoly.burakov@intel.com>; thomas@monjalon.net; andrew.rybchenko@oktetlabs.ru
Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Monday, 17 November 2025 06.22
>
> Hi Morten Brørup,
>
> Thanks for your mail and review. PFB my answers.
>
> " This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an
> option to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis."
>
> [Ans]: Source prune is disabled by default and option to enable the
> same has been already committed:[
> https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74
> f
> 36086].
Sorry, there was a typo... I meant to write:
Please disable anti-spoof filtering by default, and provide an option to enable it.
Like source-prune.
> I also wanted to shorten the name to "anti-spoof" but I found
> something called " vsi->vlan_anti_spoof_on" in the same file.
> Hence, to distinguish between them, used "mac-anti-spoof".
OK. Then "mac-anti-spoof" is a good choice.
Is support for "vlan-anti-spoof" in the pipeline?
What are your thoughts about the generic Ethdev APIs I suggested, instead of driver specific devargs?
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 16 November 2025 13:14
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> +TO: Ethdev maintainers, regarding new Ethdev APIs
>
> > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > Sent: Sunday, 16 November 2025 04.58
> >
> > VRRP advertisement packets are dropped as TX-errors upon
> > transmission from a vsi of ice PF due to MAC anti-spoof check which
> > is enabled by default.
> > There is no way to disable this check in the Tx direction to avoid
> > these packets being dropped.
> >
> > This patch introduces devargs "mac-anti-spoof" to allow user to
> > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the Tx
> > direction to avoid getting dropped as TX-errors upon packet
> > transmission when their source MAC address matches one of the MAC
> > addresses assigned to that same NIC port.
> >
> > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > ---
>
> This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an
> option to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis.
>
> Let's make something generic instead, to replace those silly devargs.
> We have individual Ethdev APIs to enable/disable various Rx filtering,
> e.g. "promiscuous", "all multicast".
> Obviously, we don't want to introduce new APIs for every semi-exotic
> filter any NIC may offer, like "source prune" and "anti spoof", but we
> could introduce a set of generic Ethdev APIs to support filters such
> as these, using a bitfield enum. E.g.:
>
> /* Enable one or more filters. */
> int rte_ethdev_filter_enable(uint16_t port_id, uint64_t filter);
>
> /* Disable one or more filters. */
> int rte_ethdev_filter_disable(uint16_t port_id, uint64_t filter);
>
> /* Get bit field of filters enabled. */
> int64_t rte_ethdev_filter_get(uint16_t port_id);
>
> /* Get bit field of filters supported by device. */
> int64_t rte_ethdev_filter_capa(uint16_t port_id);
>
> /** Destination MAC must match NIC's MAC address.
>  * (This is the inverse of Promiscuous.)
>  * Default enabled.
>  */
> #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> /** Multicast Hash.
>  * (This is the inverse of All Multicast.)
>  * Default enabled.
>  */
> #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> /** Source Prune.
>  * [Insert description here.]
>  */
> #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> /* Add new Rx filters here, in increasing order. */
> /* Add new Tx filters here, in decreasing order. */
> /** Anti-Spoof.
>  * [Insert description here.]
>  */
> #define RTE_ETH_FILTER_TX_ANTI_SPOOF RTE_BIT64(62)
> /** Used for error return values which are negative. */
> #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
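Added example, not part of the thread and not DPDK code: a host-side mock of the generic filter API sketched in the quoted mail, with mock_ names standing in for the proposed rte_ethdev_filter_capa/enable, plus a model of the Tx MAC anti-spoof check such a filter bit would gate. It shows the runtime pattern Morten describes (read the capability bitfield, enable only what the port reports, keep bit 63 out of the filter space so a negative int64_t return is always an error) and why the check drops a VRRP advertisement: the frame's source MAC is the virtual router MAC 00:00:5e:00:01:VRID from RFC 3768, not an address the port owns. The port table, the MAC addresses, the default filter set and the VRRP frame are all constructed for the example.

```c
/* Added example, not DPDK code: mock of the filter API proposed in the thread
 * plus a model of the Tx MAC anti-spoof check. All data here is made up. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MOCK_BIT64(n) (UINT64_C(1) << (n))
/* Bit layout as proposed: Rx filters count up from bit 0, Tx filters count down
 * from 62; bit 63 stays free so a negative int64_t result is never a filter. */
#define MOCK_FILTER_RX_NON_PROMISC  MOCK_BIT64(0)
#define MOCK_FILTER_RX_MULTICAST    MOCK_BIT64(1)
#define MOCK_FILTER_RX_SOURCE_PRUNE MOCK_BIT64(2)
#define MOCK_FILTER_TX_ANTI_SPOOF   MOCK_BIT64(62)
#define MOCK_RX_BASIC (MOCK_FILTER_RX_NON_PROMISC | MOCK_FILTER_RX_MULTICAST)

#define MOCK_MAX_PORTS 2

struct mock_port {
	uint64_t capa;     /* filters this (mock) NIC supports */
	uint64_t enabled;  /* filters currently switched on */
	uint8_t  macs[4][6];
	int      n_macs;
};

/* Constructed port table: port 0 models an ice PF that can do Tx anti-spoof,
 * port 1 a NIC without it. Both start with only the basic Rx filters on, i.e.
 * the "exotic filters off by default" policy argued for in the thread. */
static struct mock_port ports[MOCK_MAX_PORTS] = {
	{ MOCK_RX_BASIC | MOCK_FILTER_RX_SOURCE_PRUNE | MOCK_FILTER_TX_ANTI_SPOOF,
	  MOCK_RX_BASIC, { { 0x3c, 0xfd, 0xfe, 0x00, 0x00, 0x01 } }, 1 },
	{ MOCK_RX_BASIC,
	  MOCK_RX_BASIC, { { 0x3c, 0xfd, 0xfe, 0x00, 0x00, 0x02 } }, 1 },
};

static struct mock_port *port_get(uint16_t port_id)
{
	return port_id < MOCK_MAX_PORTS ? &ports[port_id] : NULL;
}

/* Stand-in for rte_ethdev_filter_capa: bitfield on success, -errno on failure. */
int64_t mock_filter_capa(uint16_t port_id)
{
	struct mock_port *p = port_get(port_id);
	return p ? (int64_t)p->capa : -ENODEV;
}

/* Stand-in for rte_ethdev_filter_enable. A request carrying any bit the port
 * does not support (bit 63 included) is rejected whole, never half-applied. */
int mock_filter_enable(uint16_t port_id, uint64_t filter)
{
	struct mock_port *p = port_get(port_id);
	if (!p)
		return -ENODEV;
	if (filter & ~p->capa)
		return -ENOTSUP;
	p->enabled |= filter;
	return 0;
}

/* Model of the Tx anti-spoof check: with the filter on, a frame whose source
 * MAC is none of the port's own is dropped. 1 = drop, 0 = send, <0 = error. */
int mock_tx_anti_spoof_drops(uint16_t port_id, const uint8_t *frame, size_t len)
{
	struct mock_port *p = port_get(port_id);
	if (!p)
		return -ENODEV;
	if (len < 14)  /* dst[0..5] src[6..11] ethertype[12..13] */
		return -EINVAL;
	if (!(p->enabled & MOCK_FILTER_TX_ANTI_SPOOF))
		return 0;
	for (int i = 0; i < p->n_macs; i++)
		if (memcmp(frame + 6, p->macs[i], 6) == 0)
			return 0;
	return 1;
}

/* Constructed VRRPv2 advertisement header: dst 01:00:5e:00:00:12 (224.0.0.18),
 * src = virtual router MAC 00:00:5e:00:01:<VRID 7> (RFC 3768), not a port MAC. */
const uint8_t mock_vrrp_adv[14] = {
	0x01, 0x00, 0x5e, 0x00, 0x00, 0x12,
	0x00, 0x00, 0x5e, 0x00, 0x01, 0x07,
	0x08, 0x00,
};

/* Runtime pattern from the thread: probe what the port supports, enable the
 * filter only if present, then report the verdict on the VRRP frame. */
int mock_try_enable_anti_spoof(uint16_t port_id)
{
	int64_t capa = mock_filter_capa(port_id);
	if (capa < 0)
		return (int)capa;
	if (capa & MOCK_FILTER_TX_ANTI_SPOOF) {
		int rc = mock_filter_enable(port_id, MOCK_FILTER_TX_ANTI_SPOOF);
		if (rc)
			return rc;
	}
	return mock_tx_anti_spoof_drops(port_id, mock_vrrp_adv, sizeof mock_vrrp_adv);
}
```

The probe step is the point Morten makes: an application that discovers its NICs at runtime can take this decision per port and per capability, whereas a driver-specific devarg has to be placed on the EAL command line for a named device up front. With the filter off (the default argued for in the thread) the VRRP frame leaves the port; the moment the filter is on, its virtual-MAC source fails the ownership check and it is counted as a Tx error, which is exactly the symptom the patch set out to fix.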
* RE: [PATCH v2] net/ice: add MAC anti-spoof option
2025-12-02 8:17 ` Mandal, Anurag
@ 2025-12-02 9:00 ` Morten Brørup
2025-12-02 9:14 ` Mandal, Anurag
0 siblings, 1 reply; 23+ messages in thread
From: Morten Brørup @ 2025-12-02 9:00 UTC (permalink / raw)
To: Mandal, Anurag, dev, Richardson, Bruce, Burakov, Anatoly, thomas,
andrew.rybchenko, Stephen Hemminger
+TO: Stephen Hemminger, might have some kernel-related insights on this.
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Tuesday, 2 December 2025 09.17
>
> Hi Morten Brørup,
>
> Apologies for the late reply, but the patch was deferred from DPDK 25.11.
> Hence, I was waiting.
> PFB my answers.
>
> Q1: "Please disable anti-spoof filtering by default, and provide an
> option to enable it.
> Like source-prune."
> [Ans]: MAC anti-spoof is enabled by default in the kernel ice driver.
> Hence, it seems a better idea to make it enabled by default to keep it
> in sync with the kernel, and for security.
Mac-source-prune is disabled by default in DPDK, although it is enabled by default in the kernel.
Mac-anti-spoof should behave the same way, i.e. disabled by default in DPDK.
Also, consider that the kernel is mainly designed for client/server applications, while DPDK is mainly designed for packet forwarding purposes.
With that in mind, default enabled makes sense for the kernel, and default disabled makes sense for DPDK.
>
> Q2: "Is support for "vlan-anti-spoof" in the pipeline?"
> [Ans]: Not sure, but "vlan_anti_spoof_on" is present in the code.
OK.
>
> Q3: "What are your thoughts about the generic Ethdev APIs I suggested,
> instead of driver specific devargs?"
> [Ans]: It is unlikely that a user would want these mac anti-spoof/src
> prune to be set/reset dynamically. Hence, it seems devargs are likely
> the better solution.
> Generic Ethdev APIs are a good idea but should be taken up separately, as
> their scope goes well beyond this patch and would need significant
> effort.
> Also, that again brings the dynamic nature into the picture.
Good point about not needing the dynamic ability. I agree with that.
But devargs are somewhat difficult to work with for applications not built for specific ethdev drivers. E.g. our application detects available hardware at runtime, and configures it appropriately. Generic APIs are much easier to work with than individual driver-specific devargs.
So I prefer not to introduce more driver specific devargs.
I acknowledge that my Ethdev API extension idea is feature creep, so I will not make it a hard requirement for this patch.
And when mac-anti-spoof is disabled by default (which I do consider a hard requirement!), the devarg parameter is reduced to something that enables some exotic filter, which I don't object to.
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 17 November 2025 14:36
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson,
> Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > Sent: Monday, 17 November 2025 06.22
> >
> > Hi Morten Brørup,
> >
> > Thanks for your mail and review. PFB my answers.
> >
> > " This is the same story as with Source Prune.
> > Please disable source-prune filtering by default, and provide an
> > option to enable it.
> > Also, suggest shortening the devargs name to simply "anti-spoof",
> like
> > "source-prune"; they both operate on MAC basis."
> >
> > [Ans]: Source prune is disabled by default and the option to enable the
> > same has already been committed:
> > [https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f36086].
>
> Sorry, there was a typo... I meant to write:
> Please disable anti-spoof filtering by default, and provide an option
> to enable it.
> Like source-prune.
>
> > I also wanted to shorten the name to "anti-spoof" but I found
> > something called "vsi->vlan_anti_spoof_on" in the same file.
> > Hence, to distinguish between them, used "mac-anti-spoof".
>
> OK. Then "mac-anti-spoof" is a good choice.
>
> Is support for "vlan-anti-spoof" in the pipeline?
>
> What are your thoughts about the generic Ethdev APIs I suggested,
> instead of driver specific devargs?
>
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
> >
> > -----Original Message-----
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 16 November 2025 13:14
> > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > andrew.rybchenko@oktetlabs.ru
> > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> >
> > +TO: Ethdev maintainers, regarding new Ethdev APIs
> >
> > > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > > Sent: Sunday, 16 November 2025 04.58
> > >
> > > VRRP advertisement packets are dropped as TX-errors upon
> > > transmission from a vsi of ice PF due to MAC anti-spoof check which
> > > is enabled by default.
> > > There is no way to disable this check in the Tx direction to avoid
> > > these packets being dropped.
> > >
> > > This patch introduces devargs "mac-anti-spoof" to allow user to
> > > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the
> Tx
> > > direction to avoid getting dropped as TX-errors upon packet
> > > transmission when their source MAC address matches one of the MAC
> > > addresses assigned to that same NIC port.
> > >
> > > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > > ---
> >
> > This is the same story as with Source Prune.
> > Please disable source-prune filtering by default, and provide an
> > option to enable it.
> > Also, suggest shortening the devargs name to simply "anti-spoof",
> like
> > "source-prune"; they both operate on MAC basis.
> >
> > Let's make something generic instead, to replace those silly devargs.
> > We have individual Ethdev APIs to enable/disable various Rx
> filtering,
> > e.g. "promiscuous", "all multicast".
> > Obviously, we don't want to introduce new APIs for every semi-exotic
> > filter any NIC may offer, like "source prune" and "anti spoof", but
> we
> > could introduce a set of generic Ethdev APIs to support filters such
> > as these, using a bitfield enum. E.g.:
> >
> > /* Enable one or more filters. */
> > int rte_ethdev_filter_enable(uint16_t port_id, uint64_t filter);
> >
> > /* Disable one or more filters. */
> > int rte_ethdev_filter_disable(uint16_t port_id, uint64_t filter);
> >
> > /* Get bit field of filters enabled. */
> > int64_t rte_ethdev_filter_get(uint16_t port_id);
> >
> > /* Get bit field of filters supported by device. */
> > int64_t rte_ethdev_filter_capa(uint16_t port_id);
> >
> > /** Destination MAC must match NIC's MAC address.
> >  * (This is the inverse of Promiscuous.)
> >  * Default enabled.
> >  */
> > #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> > /** Multicast Hash.
> >  * (This is the inverse of All Multicast.)
> >  * Default enabled.
> >  */
> > #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> > /** Source Prune.
> >  * [Insert description here.]
> >  */
> > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> > /* Add new Rx filters here, in increasing order. */
> > /* Add new Tx filters here, in decreasing order. */
> > /** Anti-Spoof.
> >  * [Insert description here.]
> >  */
> > #define RTE_ETH_FILTER_TX_ANTI_SPOOF RTE_BIT64(62)
> > /** Used for error return values which are negative. */
> > #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
* RE: [PATCH v2] net/ice: add MAC anti-spoof option
2025-12-02 9:00 ` Morten Brørup
@ 2025-12-02 9:14 ` Mandal, Anurag
2025-12-02 14:25 ` Thomas Monjalon
0 siblings, 1 reply; 23+ messages in thread
From: Mandal, Anurag @ 2025-12-02 9:14 UTC (permalink / raw)
To: Morten Brørup, dev, Richardson, Bruce, Burakov, Anatoly,
thomas, andrew.rybchenko, Stephen Hemminger
Hi Morten Brørup,
Ok. I will make Mac-anti-spoof disabled by default, give an option to enable it and send a new patch.
Thank you.
Regards,
Anurag M
-----Original Message-----
From: Morten Brørup <mb@smartsharesystems.com>
Sent: 02 December 2025 14:31
To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly <anatoly.burakov@intel.com>; thomas@monjalon.net; andrew.rybchenko@oktetlabs.ru; Stephen Hemminger <stephen@networkplumber.org>
Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
+TO: Stephen Hemminger, might have some kernel-related insights on this.
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Tuesday, 2 December 2025 09.17
>
> Hi Morten Brørup,
>
> Apologies for the late reply, but the patch was deferred from DPDK 25.11.
> Hence, I was waiting.
> PFB my answers.
>
> Q1: "Please disable anti-spoof filtering by default, and provide an
> option to enable it.
> Like source-prune."
> [Ans]: MAC anti-spoof is enabled by default in the kernel ice driver.
> Hence, it seems a better idea to make it enabled by default to keep it
> in sync with the kernel, and for security.
Mac-source-prune is disabled by default in DPDK, although it is enabled by default in the kernel.
Mac-anti-spoof should behave the same way, i.e. disabled by default in DPDK.
Also, consider that the kernel is mainly designed for client/server applications, while DPDK is mainly designed for packet forwarding purposes.
With that in mind, default enabled makes sense for the kernel, and default disabled makes sense for DPDK.
>
> Q2: "Is support for "vlan-anti-spoof" in the pipeline?"
> [Ans]: Not sure, but "vlan_anti_spoof_on" is present in the code.
OK.
>
> Q3: "What are your thoughts about the generic Ethdev APIs I
> suggested, instead of driver specific devargs?"
> [Ans]: It is unlikely that a user would want these mac anti-spoof/src
> prune to be set/reset dynamically. Hence, it seems devargs are likely
> the better solution.
> Generic Ethdev APIs are a good idea but should be taken up separately, as
> their scope goes well beyond this patch and would need significant
> effort.
> Also, that again brings the dynamic nature into the picture.
Good point about not needing the dynamic ability. I agree with that.
But devargs are somewhat difficult to work with for applications not built for specific ethdev drivers. E.g. our application detects available hardware at runtime, and configures it appropriately. Generic APIs are much easier to work with than individual driver-specific devargs.
So I prefer not to introduce more driver specific devargs.
I acknowledge that my Ethdev API extension idea is feature creep, so I will not make it a hard requirement for this patch.
And when mac-anti-spoof is disabled by default (which I do consider a hard requirement!), the devarg parameter is reduced to something that enables some exotic filter, which I don't object to.
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 17 November 2025 14:36
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > Sent: Monday, 17 November 2025 06.22
> >
> > Hi Morten Brørup,
> >
> > Thanks for your mail and review. PFB my answers.
> >
> > " This is the same story as with Source Prune.
> > Please disable source-prune filtering by default, and provide an
> > option to enable it.
> > Also, suggest shortening the devargs name to simply "anti-spoof",
> like
> > "source-prune"; they both operate on MAC basis."
> >
> > [Ans]: Source prune is disabled by default and the option to enable the
> > same has already been committed:
> > [https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f36086].
>
> Sorry, there was a typo... I meant to write:
> Please disable anti-spoof filtering by default, and provide an option
> to enable it.
> Like source-prune.
>
> > I also wanted to shorten the name to "anti-spoof" but I found
> > something called "vsi->vlan_anti_spoof_on" in the same file.
> > Hence, to distinguish between them, used "mac-anti-spoof".
>
> OK. Then "mac-anti-spoof" is a good choice.
>
> Is support for "vlan-anti-spoof" in the pipeline?
>
> What are your thoughts about the generic Ethdev APIs I suggested,
> instead of driver specific devargs?
>
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
> >
> > -----Original Message-----
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 16 November 2025 13:14
> > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > andrew.rybchenko@oktetlabs.ru
> > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> >
> > +TO: Ethdev maintainers, regarding new Ethdev APIs
> >
> > > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > > Sent: Sunday, 16 November 2025 04.58
> > >
> > > VRRP advertisement packets are dropped as TX-errors upon
> > > transmission from a vsi of ice PF due to MAC anti-spoof check
> > > which is enabled by default.
> > > There is no way to disable this check in the Tx direction to avoid
> > > these packets being dropped.
> > >
> > > This patch introduces devargs "mac-anti-spoof" to allow user to
> > > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the
> Tx
> > > direction to avoid getting dropped as TX-errors upon packet
> > > transmission when their source MAC address matches one of the MAC
> > > addresses assigned to that same NIC port.
> > >
> > > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > > ---
> >
> > This is the same story as with Source Prune.
> > Please disable source-prune filtering by default, and provide an
> > option to enable it.
> > Also, suggest shortening the devargs name to simply "anti-spoof",
> like
> > "source-prune"; they both operate on MAC basis.
> >
> > Let's make something generic instead, to replace those silly devargs.
> > We have individual Ethdev APIs to enable/disable various Rx
> filtering,
> > e.g. "promiscuous", "all multicast".
> > Obviously, we don't want to introduce new APIs for every semi-exotic
> > filter any NIC may offer, like "source prune" and "anti spoof", but
> we
> > could introduce a set of generic Ethdev APIs to support filters such
> > as these, using a bitfield enum. E.g.:
> >
> > /* Enable one or more filters. */
> > int rte_ethdev_filter_enable(uint16_t port_id, uint64_t filter);
> >
> > /* Disable one or more filters. */
> > int rte_ethdev_filter_disable(uint16_t port_id, uint64_t filter);
> >
> > /* Get bit field of filters enabled. */
> > int64_t rte_ethdev_filter_get(uint16_t port_id);
> >
> > /* Get bit field of filters supported by device. */
> > int64_t rte_ethdev_filter_capa(uint16_t port_id);
> >
> > /** Destination MAC must match NIC's MAC address.
> >  * (This is the inverse of Promiscuous.)
> >  * Default enabled.
> >  */
> > #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> > /** Multicast Hash.
> >  * (This is the inverse of All Multicast.)
> >  * Default enabled.
> >  */
> > #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> > /** Source Prune.
> >  * [Insert description here.]
> >  */
> > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> > /* Add new Rx filters here, in increasing order. */
> > /* Add new Tx filters here, in decreasing order. */
> > /** Anti-Spoof.
> >  * [Insert description here.]
> >  */
> > #define RTE_ETH_FILTER_TX_ANTI_SPOOF RTE_BIT64(62)
> > /** Used for error return values which are negative. */
> > #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
* Re: [PATCH v2] net/ice: add MAC anti-spoof option
2025-12-02 9:14 ` Mandal, Anurag
@ 2025-12-02 14:25 ` Thomas Monjalon
2025-12-02 17:10 ` Morten Brørup
0 siblings, 1 reply; 23+ messages in thread
From: Thomas Monjalon @ 2025-12-02 14:25 UTC (permalink / raw)
To: Morten Brørup, dev, Richardson, Bruce, Burakov, Anatoly,
andrew.rybchenko, Stephen Hemminger, Mandal, Anurag
Hello,
Top posting makes this thread difficult to follow.
My quick understanding is that it is an offload feature,
and I don't understand why it is not handled as such in ethdev API.
02/12/2025 10:14, Mandal, Anurag:
> Hi Morten Brørup,
>
> Ok. I will make Mac-anti-spoof disabled by default, give an option to enable it and send a new patch.
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 02 December 2025 14:31
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly <anatoly.burakov@intel.com>; thomas@monjalon.net; andrew.rybchenko@oktetlabs.ru; Stephen Hemminger <stephen@networkplumber.org>
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> +TO: Stephen Hemminger, might have some kernel-related insights on this.
>
> > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > Sent: Tuesday, 2 December 2025 09.17
> >
> > Hi Morten Brørup,
> >
> > Apologies for the late reply, but the patch was deferred from DPDK 25.11.
> > Hence, I was waiting.
> > PFB my answers.
> >
> > Q1: "Please disable anti-spoof filtering by default, and provide an
> > option to enable it.
> > Like source-prune."
> > [Ans]: MAC anti-spoof is enabled by default in the kernel ice driver.
> > Hence, it seems a better idea to make it enabled by default to keep it
> > in sync with the kernel, and for security.
>
> Mac-source-prune is disabled by default in DPDK, although it is enabled by default in the kernel.
> Mac-anti-spoof should behave the same way, i.e. disabled by default in DPDK.
>
> Also, consider that the kernel is mainly designed for client/server applications, while DPDK is mainly designed for packet forwarding purposes.
> With that in mind, default enabled makes sense for the kernel, and default disabled makes sense for DPDK.
>
> >
> > Q2: "Is support for "vlan-anti-spoof" in the pipeline?"
> > [Ans]: Not sure, but "vlan_anti_spoof_on" is present in the code.
>
> OK.
>
> >
> > Q3: "What are your thoughts about the generic Ethdev APIs I
> > suggested, instead of driver specific devargs?"
> > [Ans]: It is unlikely that a user would want these mac anti-spoof/src
> > prune to be set/reset dynamically. Hence, it seems devargs are likely
> > the better solution.
> > Generic Ethdev APIs are a good idea but should be taken up separately, as
> > their scope goes well beyond this patch and would need significant
> > effort.
> > Also, that again brings the dynamic nature into the picture.
>
> Good point about not needing the dynamic ability. I agree with that.
> But devargs are somewhat difficult to work with for applications not built for specific ethdev drivers. E.g. our application detects available hardware at runtime, and configures it appropriately. Generic APIs are much easier to work with than individual driver-specific devargs.
> So I prefer not to introduce more driver specific devargs.
>
> I acknowledge that my Ethdev API extension idea is feature creep, so I will not make it a hard requirement for this patch.
> And when mac-anti-spoof is disabled by default (which I do consider a hard requirement!), the devarg parameter is reduced to something that enables some exotic filter, which I don't object to.
>
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
> >
> > -----Original Message-----
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 17 November 2025 14:36
> > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > andrew.rybchenko@oktetlabs.ru
> > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> >
> > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > Sent: Monday, 17 November 2025 06.22
> > >
> > > Hi Morten Brørup,
> > >
> > > Thanks for your mail and review. PFB my answers.
> > >
> > > " This is the same story as with Source Prune.
> > > Please disable source-prune filtering by default, and provide an
> > > option to enable it.
> > > Also, suggest shortening the devargs name to simply "anti-spoof",
> > like
> > > "source-prune"; they both operate on MAC basis."
> > >
> > > [Ans]: Source prune is disabled by default and the option to enable the
> > > same has already been committed:
> > > [https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f36086].
> >
> > Sorry, there was a typo... I meant to write:
> > Please disable anti-spoof filtering by default, and provide an option
> > to enable it.
> > Like source-prune.
> >
> > > I also wanted to shorten the name to "anti-spoof" but I found
> > > something called "vsi->vlan_anti_spoof_on" in the same file.
> > > Hence, to distinguish between them, used "mac-anti-spoof".
> >
> > OK. Then "mac-anti-spoof" is a good choice.
> >
> > Is support for "vlan-anti-spoof" in the pipeline?
> >
> > What are your thoughts about the generic Ethdev APIs I suggested,
> > instead of driver specific devargs?
> >
> > >
> > > Thank you.
> > >
> > > Regards,
> > > Anurag M
> > >
> > > -----Original Message-----
> > > From: Morten Brørup <mb@smartsharesystems.com>
> > > Sent: 16 November 2025 13:14
> > > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > > andrew.rybchenko@oktetlabs.ru
> > > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> > >
> > > +TO: Ethdev maintainers, regarding new Ethdev APIs
> > >
> > > > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > > > Sent: Sunday, 16 November 2025 04.58
> > > >
> > > > VRRP advertisement packets are dropped as TX-errors upon
> > > > transmission from a vsi of ice PF due to MAC anti-spoof check
> > > > which is enabled by default.
> > > > There is no way to disable this check in the Tx direction to avoid
> > > > these packets being dropped.
> > > >
> > > > This patch introduces devargs "mac-anti-spoof" to allow user to
> > > > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the
> > Tx
> > > > direction to avoid getting dropped as TX-errors upon packet
> > > > transmission when their source MAC address matches one of the MAC
> > > > addresses assigned to that same NIC port.
> > > >
> > > > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > > > ---
> > >
> > > This is the same story as with Source Prune.
> > > Please disable source-prune filtering by default, and provide an
> > > option to enable it.
> > > Also, suggest shortening the devargs name to simply "anti-spoof",
> > like
> > > "source-prune"; they both operate on MAC basis.
> > >
> > > Let's make something generic instead, to replace those silly devargs.
> > > We have individual Ethdev APIs to enable/disable various Rx
> > filtering,
> > > e.g. "promiscuous", "all multicast".
> > > Obviously, we don't want to introduce new APIs for every semi-exotic
> > > filter any NIC may offer, like "source prune" and "anti spoof", but
> > we
> > > could introduce a set of generic Ethdev APIs to support filters such
> > > as these, using a bitfield enum. E.g.:
> > >
> > > /* Enable one or more filters. */
> > > int rte_ethdev_filter_enable(uint16_t port_id, uint64_t filter);
> > >
> > > /* Disable one or more filters. */
> > > int rte_ethdev_filter_disable(uint16_t port_id, uint64_t filter);
> > >
> > > /* Get bit field of filters enabled. */
> > > int64_t rte_ethdev_filter_get(uint16_t port_id);
> > >
> > > /* Get bit field of filters supported by device. */
> > > int64_t rte_ethdev_filter_capa(uint16_t port_id);
> > >
> > > /** Destination MAC must match NIC's MAC address.
> > >  * (This is the inverse of Promiscuous.)
> > >  * Default enabled.
> > >  */
> > > #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> > > /** Multicast Hash.
> > >  * (This is the inverse of All Multicast.)
> > >  * Default enabled.
> > >  */
> > > #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> > > /** Source Prune.
> > >  * [Insert description here.]
> > >  */
> > > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> > > /* Add new Rx filters here, in increasing order. */
> > > /* Add new Tx filters here, in decreasing order. */
> > > /** Anti-Spoof.
> > >  * [Insert description here.]
> > >  */
> > > #define RTE_ETH_FILTER_TX_ANTI_SPOOF RTE_BIT64(62)
> > > /** Used for error return values which are negative. */
> > > #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
>
>
* RE: [PATCH v2] net/ice: add MAC anti-spoof option
2025-12-02 14:25 ` Thomas Monjalon
@ 2025-12-02 17:10 ` Morten Brørup
0 siblings, 0 replies; 23+ messages in thread
From: Morten Brørup @ 2025-12-02 17:10 UTC (permalink / raw)
To: Thomas Monjalon, dev, Richardson, Bruce, Burakov, Anatoly,
andrew.rybchenko, Stephen Hemminger, Mandal, Anurag
> From: Thomas Monjalon [mailto:thomas@monjalon.net]
> Sent: Tuesday, 2 December 2025 15.25
>
> Hello,
>
> Top posting makes this thread difficult to follow.
>
> My quick understanding is that it is an offload feature,
> and I don't understand why it is not handled as such in ethdev API.
Yes, it is. Similar to e.g. "promiscuous mode" is an Rx offload to control which packets are filtered or let through at Rx.
I consider the RTE_ETH_RX_OFFLOAD_xxx and RTE_ETH_TX_OFFLOAD_xxx flags relatively scarce, so I'm very skeptical about using them for relatively exotic offloads like mac-anti-spoof.
We have dedicated Ethdev APIs to control "promiscuous mode", but I'm not sure we want dedicated Ethdev APIs for every filter a NIC vendor can come up with.
Which is why I suggested a generic filter API as an alternative idea.
Maybe we should just consider them offloads, and use RTE_ETH_RX_OFFLOAD_xxx and RTE_ETH_TX_OFFLOAD_xxx flags. Then we can rely on the existing infrastructure for those. My suggested filter API is really just an extension of these.
-Morten
>
>
> 02/12/2025 10:14, Mandal, Anurag:
> > Hi Morten Brørup,
> >
> > Ok. I will make Mac-anti-spoof disabled by default, give an option to
> > enable it and send a new patch.
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
> >
> > -----Original Message-----
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 02 December 2025 14:31
> > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru; Stephen Hemminger
> <stephen@networkplumber.org>
> > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> >
> > +TO: Stephen Hemminger, might have some kernel-related insights on
> this.
> >
> > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > Sent: Tuesday, 2 December 2025 09.17
> > >
> > > Hi Morten Brørup,
> > >
> > > Apologies for the late reply, but the patch was deferred from DPDK
> > > 25.11.
> > > Hence, I was waiting.
> > > PFB my answers.
> > >
> > > Q1: "Please disable anti-spoof filtering by default, and provide an
> > > option to enable it.
> > > Like source-prune."
> > > [Ans]: MAC anti-spoof is enabled by default in the kernel ice driver.
> > > Hence, it seems a better idea to make it enabled by default to keep
> > > it in sync with the kernel, and for security.
> >
> > Mac-source-prune is disabled by default in DPDK, although it is
> enabled by default in the kernel.
> > Mac-anti-spoof should behave the same way, i.e. disabled by default
> in DPDK.
> >
> > Also, consider that the kernel is mainly designed for client/server
> applications, while DPDK is mainly designed for packet forwarding
> purposes.
> > With that in mind, default enabled makes sense for the kernel, and
> default disabled makes sense for DPDK.
> >
> > >
> > > Q2: "Is support for "vlan-anti-spoof" in the pipeline?"
> > > [Ans]: Not sure, but "vlan_anti_spoof_on" is present in the code.
> >
> > OK.
> >
> > >
> > > Q3: "What are your thoughts about the generic Ethdev APIs I
> > > suggested, instead of driver specific devargs?"
> > > [Ans]: It is unlikely that a user would want these mac anti-spoof/src
> > > prune to be set/reset dynamically. Hence, it seems devargs are likely
> > > the better solution.
> > > Generic Ethdev APIs are a good idea but should be taken up separately,
> > > as their scope goes well beyond this patch and would need significant
> > > effort.
> > > Also, that again brings the dynamic nature into the picture.
> >
> > Good point about not needing the dynamic ability. I agree with that.
> > But devargs are somewhat difficult to work with for applications not
> built for specific ethdev drivers. E.g. our application detects
> available hardware at runtime, and configures it appropriately. Generic
> APIs are much easier to work with than individual driver-specific
> devargs.
> > So I prefer not to introduce more driver specific devargs.
> >
> > I acknowledge that my Ethdev API extension idea is feature creep, so
> I will not make it a hard requirement for this patch.
> > And when mac-anti-spoof is disabled by default (which I do consider a
> hard requirement!), the devarg parameter is reduced to something that
> enables some exotic filter, which I don't object to.
> >
> > >
> > > Thank you.
> > >
> > > Regards,
> > > Anurag M
> > >
> > > -----Original Message-----
> > > From: Morten Brørup <mb@smartsharesystems.com>
> > > Sent: 17 November 2025 14:36
> > > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > > andrew.rybchenko@oktetlabs.ru
> > > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> > >
> > > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > > Sent: Monday, 17 November 2025 06.22
> > > >
> > > > Hi Morten Brørup,
> > > >
> > > > Thanks for your mail and review. PFB my answers.
> > > >
> > > > " This is the same story as with Source Prune.
> > > > Please disable source-prune filtering by default, and provide an
> > > > option to enable it.
> > > > Also, suggest shortening the devargs name to simply "anti-spoof",
> > > like
> > > > "source-prune"; they both operate on MAC basis."
> > > >
> > > > [Ans]: Source prune is disabled by default, and an option to enable
> > > > the same has already been committed:
> > > > https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f36086
> > >
> > > Sorry, there was a typo... I meant to write:
> > > Please disable anti-spoof filtering by default, and provide an option
> > > to enable it.
> > > Like source-prune.
> > >
> > > > I also wanted to shorten the name to "anti-spoof" but I found
> > > > something called " vsi->vlan_anti_spoof_on" in the same file.
> > > > Hence, to distinguish between them, used "mac-anti-spoof".
> > >
> > > OK. Then "mac-anti-spoof" is a good choice.
> > >
> > > Is support for "vlan-anti-spoof" in the pipeline?
> > >
> > > What are your thoughts about the generic Ethdev APIs I suggested,
> > > instead of driver specific devargs?
> > >
> > > >
> > > > Thank you.
> > > >
> > > > Regards,
> > > > Anurag M
> > > >
> > > > -----Original Message-----
> > > > From: Morten Brørup <mb@smartsharesystems.com>
> > > > Sent: 16 November 2025 13:14
> > > > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > > > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > > > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > > > andrew.rybchenko@oktetlabs.ru
> > > > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> > > >
> > > > +TO: Ethdev maintainers, regarding new Ethdev APIs
> > > >
> > > > > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > > > > Sent: Sunday, 16 November 2025 04.58
> > > > >
> > > > > VRRP advertisement packets are dropped as TX-errors upon
> > > > > transmission from a vsi of ice PF due to MAC anti-spoof check
> > > > > which is enabled by default.
> > > > > There is no way to disable this check in the Tx direction to avoid
> > > > > these packets being dropped.
> > > > >
> > > > > This patch introduces devargs "mac-anti-spoof" to allow user to
> > > > > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the Tx
> > > > > direction to avoid getting dropped as TX-errors upon packet
> > > > > transmission when their source MAC address matches one of the MAC
> > > > > addresses assigned to that same NIC port.
> > > > >
> > > > > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > > > > ---
> > > >
> > > > This is the same story as with Source Prune.
> > > > Please disable source-prune filtering by default, and provide an
> > > > option to enable it.
> > > > Also, suggest shortening the devargs name to simply "anti-spoof", like
> > > > "source-prune"; they both operate on MAC basis.
> > > >
> > > > Let's make something generic instead, to replace those silly devargs.
> > > > We have individual Ethdev APIs to enable/disable various Rx filtering,
> > > > e.g. "promiscuous", "all multicast".
> > > > Obviously, we don't want to introduce new APIs for every semi-exotic
> > > > filter any NIC may offer, like "source prune" and "anti spoof", but we
> > > > could introduce a set of generic Ethdev APIs to support filters such
> > > > as these, using a bitfield enum. E.g.:
> > > >
> > > > /* Enable one or more filters. */
> > > > int rte_ethdev_filter_enable(uint16_t port_id, uint64_t filter);
> > > >
> > > > /* Disable one or more filters. */
> > > > int rte_ethdev_filter_disable(uint16_t port_id, uint64_t filter);
> > > >
> > > > /* Get bit field of filters enabled. */
> > > > int64_t rte_ethdev_filter_get(uint16_t port_id);
> > > >
> > > > /* Get bit field of filters supported by device. */
> > > > int64_t rte_ethdev_filter_capa(uint16_t port_id);
> > > >
> > > > /** Destination MAC must match NIC's MAC address.
> > > > * (This is the inverse of Promiscuous.)
> > > > * Default enabled.
> > > > */
> > > > #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> > > > /** Multicast Hash.
> > > > * (This is the inverse of All Multicast.)
> > > > * Default enabled.
> > > > */
> > > > #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> > > > /** Source Prune.
> > > > * [Insert description here.]
> > > > */
> > > > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> > > > /* Add new Rx filters here, in increasing order. */
> > > > /* Add new Tx filters here, in decreasing order. */
> > > > /** Anti-Spoof.
> > > > * [Insert description here.]
> > > > */
> > > > #define RTE_ETH_FILTER_TX_ANTI_SPOOF RTE_BIT64(62)
> > > > /** Used for error return values which are negative. */
> > > > #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
^ permalink raw reply [flat|nested] 23+ messages in thread
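The generic bitfield filter API sketched in the quoted proposal above, worked through as an added example. This is not DPDK code and not a proposal from anyone in the thread: the `rte_ethdev_filter_*` names are replaced by plain `filter_*` names to keep them clearly hypothetical, and the two "ports" are a constructed in-memory model standing in for real devices. It shows the part the sketch leaves implicit: how bit 63 stays reserved so an `int64_t` return can carry `-errno`, how an enable request containing an unsupported bit is refused as a whole rather than partially applied, and how an application that detects its hardware at runtime would turn on the Tx anti-spoof check only where the device offers it, instead of passing a driver-specific devarg.

```c
/* Added illustration of a bitfield filter API; hypothetical, not DPDK. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define BIT64(n) (UINT64_C(1) << (n))

/* Rx filters are numbered upward from bit 0 and Tx filters downward from
 * bit 62, as in the sketch; bit 63 is never a filter, so a negative errno
 * returned through int64_t can never be confused with a valid bit field. */
#define FILTER_RX_NON_PROMISC   BIT64(0)
#define FILTER_RX_MULTICAST     BIT64(1)
#define FILTER_RX_SOURCE_PRUNE  BIT64(2)
#define FILTER_TX_ANTI_SPOOF    BIT64(62)
#define FILTER_ERROR            BIT64(63)

#define MAX_PORTS 2

/* Constructed stand-in for a device: what it supports, what is switched on. */
struct port_model {
	uint64_t capa;
	uint64_t enabled;
};

static struct port_model ports[MAX_PORTS] = {
	/* port 0: offers source prune and Tx anti-spoof, both off by default */
	{ .capa = FILTER_RX_NON_PROMISC | FILTER_RX_MULTICAST |
		  FILTER_RX_SOURCE_PRUNE | FILTER_TX_ANTI_SPOOF,
	  .enabled = FILTER_RX_NON_PROMISC | FILTER_RX_MULTICAST },
	/* port 1: only the two classic Rx filters exist */
	{ .capa = FILTER_RX_NON_PROMISC | FILTER_RX_MULTICAST,
	  .enabled = FILTER_RX_NON_PROMISC | FILTER_RX_MULTICAST },
};

/* Bit field of filters the device supports, or -errno. */
static int64_t filter_capa(uint16_t port_id)
{
	if (port_id >= MAX_PORTS)
		return -ENODEV;
	return (int64_t)ports[port_id].capa;
}

/* Bit field of filters currently enabled, or -errno. */
static int64_t filter_get(uint16_t port_id)
{
	if (port_id >= MAX_PORTS)
		return -ENODEV;
	return (int64_t)ports[port_id].enabled;
}

/* Enable one or more filters. The whole request is refused if any bit is
 * unknown or unsupported, so the device is never left half-configured. */
static int filter_enable(uint16_t port_id, uint64_t filter)
{
	if (port_id >= MAX_PORTS)
		return -ENODEV;
	if (filter & FILTER_ERROR)
		return -EINVAL;
	if (filter & ~ports[port_id].capa)
		return -ENOTSUP;
	ports[port_id].enabled |= filter;
	return 0;
}

/* Disable one or more filters, with the same validation as enable. */
static int filter_disable(uint16_t port_id, uint64_t filter)
{
	if (port_id >= MAX_PORTS)
		return -ENODEV;
	if (filter & FILTER_ERROR)
		return -EINVAL;
	if (filter & ~ports[port_id].capa)
		return -ENOTSUP;
	ports[port_id].enabled &= ~filter;
	return 0;
}

/* What a hardware-agnostic application does at start-up: query the port
 * and turn on the Tx anti-spoof check only where the device offers it.
 * Returns 0 when enabled, 1 when the port has no such filter, -errno on error. */
static int harden_port_if_possible(uint16_t port_id)
{
	int64_t capa = filter_capa(port_id);

	if (capa < 0)
		return (int)capa;
	if (!(capa & FILTER_TX_ANTI_SPOOF))
		return 1;
	return filter_enable(port_id, FILTER_TX_ANTI_SPOOF);
}

int main(void)
{
	for (uint16_t p = 0; p < MAX_PORTS; p++) {
		int rc = harden_port_if_possible(p);
		printf("port %u: harden rc=%d, enabled=0x%016llx\n",
		       (unsigned)p, rc, (unsigned long long)filter_get(p));
	}
	return 0;
}
```

The refuse-the-whole-mask rule is the design choice worth copying: with per-bit partial success an application could not tell from a single return value which filters it actually has, which is exactly the runtime-detection problem the thread raises against devargs.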
* [PATCH v3] net/ice: add MAC anti-spoof option
2025-11-13 10:59 [PATCH] net/ice: add MAC anti-spoof disable option Anurag Mandal
2025-11-13 11:35 ` Bruce Richardson
2025-11-16 3:57 ` [PATCH v2] net/ice: add MAC anti-spoof option Anurag Mandal
@ 2025-12-03 10:41 ` Anurag Mandal
2025-12-03 11:41 ` Morten Brørup
2025-12-17 20:11 ` [PATCH v4] " Anurag Mandal
3 siblings, 1 reply; 23+ messages in thread
From: Anurag Mandal @ 2025-12-03 10:41 UTC (permalink / raw)
To: dev; +Cc: bruce.richardson, anatoly.burakov, mb, Anurag Mandal
MAC anti-spoof is disabled by default to support VRRP advertisement
packets from a vsi of ice PF. There is no way to enable this security
check in the Tx direction itself.
This patch introduces devargs "mac-anti-spoof" to allow user to
enable MAC anti-spoof check. Enable MAC Anti-spoof check in the
Tx direction to automatically drop outgoing packets as TX-errors
when their destination MAC address matches one of the MAC
addresses assigned to that same NIC port.
Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
---
V3: Addressed Morten Brørup's feedback
- set the default value of the devargs to 0
- disabled MAC anti-spoof check by default
- provided devargs option to enable the same
- synchronized with source prune
V2: Addressed Bruce Richardson's feedback
- changed devargs name to "mac-anti-spoof"
- changed devargs member name to "mac_anti_spoof"
- changed macro name to "ICE_MAC_ANTI_SPOOF_ARG"
- set the default value of the devargs to 1
- added NOTICE log msg when MAC Anti-spoof is disabled
- added more code comments to provide clarity
- fixed typo error with ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
doc/guides/nics/ice.rst | 11 +++++++++
drivers/net/intel/ice/ice_ethdev.c | 38 ++++++++++++++++++++++++++++--
drivers/net/intel/ice/ice_ethdev.h | 1 +
3 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/doc/guides/nics/ice.rst b/doc/guides/nics/ice.rst
index 6cc27cefa7..ee8d443c97 100644
--- a/doc/guides/nics/ice.rst
+++ b/doc/guides/nics/ice.rst
@@ -194,6 +194,17 @@ Runtime Configuration
-a 80:00.0,source-prune=1
+- ``MAC Anti-spoof Enable`` (default ``0``)
+
+ Enable MAC Anti-spoof check in the Tx direction to drop outgoing
+ packets when their destination MAC address matches one of the
+ MAC addresses assigned to that same NIC port.
+
+ MAC Anti-spoof can be enabled by setting the devargs parameter ``mac-anti-spoof``,
+ for example::
+
+ -a 80:00.0,mac-anti-spoof=1
+
- ``Protocol extraction for per queue``
Configure the RX queues to do protocol extraction into mbuf for protocol
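Review bot: the new ``MAC Anti-spoof Enable`` bullet says outgoing packets are dropped when their *destination* MAC address matches one of the port's own addresses; the v2 description quoted earlier in this thread says "when their source MAC address matches one of the MAC addresses assigned to that same NIC port", and a source-MAC check is what an anti-spoof option implies. Please change the doc text (and the v3 commit message, which has the same wording) to "source MAC address". Also consider titling the bullet with the devarg name ``mac-anti-spoof`` so readers can find the parameter they actually type.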
diff --git a/drivers/net/intel/ice/ice_ethdev.c b/drivers/net/intel/ice/ice_ethdev.c
index c1d92435d1..fbecd00d35 100644
--- a/drivers/net/intel/ice/ice_ethdev.c
+++ b/drivers/net/intel/ice/ice_ethdev.c
@@ -42,6 +42,7 @@
#define ICE_DDP_LOAD_SCHED_ARG "ddp_load_sched_topo"
#define ICE_TM_LEVELS_ARG "tm_sched_levels"
#define ICE_SOURCE_PRUNE_ARG "source-prune"
+#define ICE_MAC_ANTI_SPOOF_ARG "mac-anti-spoof"
#define ICE_LINK_STATE_ON_CLOSE "link_state_on_close"
#define ICE_CYCLECOUNTER_MASK 0xffffffffffffffffULL
@@ -60,6 +61,7 @@ static const char * const ice_valid_args[] = {
ICE_DDP_LOAD_SCHED_ARG,
ICE_TM_LEVELS_ARG,
ICE_SOURCE_PRUNE_ARG,
+ ICE_MAC_ANTI_SPOOF_ARG,
ICE_LINK_STATE_ON_CLOSE,
NULL
};
@@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf, enum ice_vsi_type type)
/* Source Prune */
if (ad->devargs.source_prune != 1) {
/* Disable source prune to support VRRP
- * when source-prune devarg is not set
+ * when source-prune devargs is not set
*/
vsi_ctx.info.sw_flags =
ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
- vsi_ctx.info.sw_flags |=
+ } else { /* Enable Source Prune in Rx */
+ vsi_ctx.info.sw_flags =
ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
}
+ /* MAC Anti-spoof */
+ /* By default, Source Prune in Rx and
+ * MAC Anti-spoof check in Tx are disabled.
+ *
+ * Source Prune is disabled by setting local
+ * loopback with ICE_AQ_VSI_SW_FLAG_LOCAL_LB
+ * flag in the Rx direction.
+ *
+ * MAC Anti-spoof check can be disabled by
+ * setting Tx loopback with
+ * ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the
+ * Tx direction.
+ */
+ if (ad->devargs.mac_anti_spoof != 1) {
+ /* Disable mac anti-spoof check in the
+ * Tx direction to avoid getting dropped
+ * as TX-errors for VRRP support when
+ * mac-anti-spoof devargs is not set
+ */
+ vsi_ctx.info.sw_flags |=
+ ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
+ } else { /* Enable MAC Anti-spoof check in Tx */
+ vsi_ctx.info.sec_flags =
+ ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+ }
cfg = ICE_AQ_VSI_PROP_SW_VALID;
vsi_ctx.info.valid_sections |= rte_cpu_to_le_16(cfg);
vsi_ctx.info.sw_flags2 = ICE_AQ_VSI_SW_FLAG_LAN_ENA;
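Review bot: the default path's flags change here, not only the new option's. Before this hunk the not-set branch wrote `ICE_AQ_VSI_SW_FLAG_LOCAL_LB` and then OR'd in `ICE_AQ_VSI_SW_FLAG_SRC_PRUNE`; after it the not-set branch writes `LOCAL_LB` alone, `SRC_PRUNE` moves to the new `else` branch, and the anti-spoof block ORs in `ICE_AQ_VSI_SW_FLAG_ALLOW_LB` whenever `mac_anti_spoof` is not set. A user passing neither devarg therefore loses `SRC_PRUNE` and gains `ALLOW_LB` at once, and the author's explanation later in this thread says `SRC_PRUNE` was there "to prevent transmitted packets from being looped back", which matches the testpmd loopback the maintainer reports after applying. Please either keep `sw_flags = LOCAL_LB | SRC_PRUNE` in the not-set path as before, or state in the commit message that dropping it (and adding `ALLOW_LB` by default) is an intended user-visible default change. Two smaller points: `vsi_ctx.info.sec_flags = ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF` is a plain assignment that discards any security bits set earlier in the function, so `|=` is safer; and the context below only sets `cfg = ICE_AQ_VSI_PROP_SW_VALID`, so please confirm the security section is flagged valid somewhere, otherwise the `sec_flags` write is never applied.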
@@ -2467,6 +2495,11 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
if (ret)
goto bail;
+ ret = rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_ARG,
+ &parse_bool, &ad->devargs.mac_anti_spoof);
+ if (ret)
+ goto bail;
+
ret = rte_kvargs_process(kvlist, ICE_LINK_STATE_ON_CLOSE,
&parse_link_state_on_close, &ad->devargs.link_state_on_close);
@@ -7732,6 +7765,7 @@ RTE_PMD_REGISTER_PARAM_STRING(net_ice,
ICE_DDP_LOAD_SCHED_ARG "=<0|1>"
ICE_TM_LEVELS_ARG "=<N>"
ICE_SOURCE_PRUNE_ARG "=<0|1>"
+ ICE_MAC_ANTI_SPOOF_ARG "=<0|1>"
ICE_RX_LOW_LATENCY_ARG "=<0|1>"
ICE_LINK_STATE_ON_CLOSE "=<down|up|initial>");
diff --git a/drivers/net/intel/ice/ice_ethdev.h b/drivers/net/intel/ice/ice_ethdev.h
index 72ed65f13b..5fe4688d57 100644
--- a/drivers/net/intel/ice/ice_ethdev.h
+++ b/drivers/net/intel/ice/ice_ethdev.h
@@ -617,6 +617,7 @@ struct ice_devargs {
uint8_t ddp_load_sched;
uint8_t tm_exposed_levels;
uint8_t source_prune;
+ uint8_t mac_anti_spoof;
int link_state_on_close;
int xtr_field_offs;
uint8_t xtr_flag_offs[PROTO_XTR_MAX];
--
2.34.1
* RE: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-03 10:41 ` [PATCH v3] " Anurag Mandal
@ 2025-12-03 11:41 ` Morten Brørup
2025-12-03 14:36 ` Mandal, Anurag
0 siblings, 1 reply; 23+ messages in thread
From: Morten Brørup @ 2025-12-03 11:41 UTC (permalink / raw)
To: Anurag Mandal, dev; +Cc: bruce.richardson, anatoly.burakov
> @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf, enum
> ice_vsi_type type)
> /* Source Prune */
> if (ad->devargs.source_prune != 1) {
> /* Disable source prune to support VRRP
> - * when source-prune devarg is not set
> + * when source-prune devargs is not set
> */
> vsi_ctx.info.sw_flags =
> ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> - vsi_ctx.info.sw_flags |=
> + } else { /* Enable Source Prune in Rx */
> + vsi_ctx.info.sw_flags =
> ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> }
This looks like a bug fix related to Source Prune?
* RE: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-03 11:41 ` Morten Brørup
@ 2025-12-03 14:36 ` Mandal, Anurag
2025-12-03 14:47 ` Morten Brørup
0 siblings, 1 reply; 23+ messages in thread
From: Mandal, Anurag @ 2025-12-03 14:36 UTC (permalink / raw)
To: Morten Brørup, dev; +Cc: Richardson, Bruce, Burakov, Anatoly
Hi Morten Brørup,
From: Morten Brørup <mb@smartsharesystems.com>
Sent: 03 December 2025 17:11
> @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf, enum
> ice_vsi_type type)
> /* Source Prune */
> if (ad->devargs.source_prune != 1) {
> /* Disable source prune to support VRRP
> - * when source-prune devarg is not set
> + * when source-prune devargs is not set
> */
> vsi_ctx.info.sw_flags =
> ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> - vsi_ctx.info.sw_flags |=
> + } else { /* Enable Source Prune in Rx */
> + vsi_ctx.info.sw_flags =
> ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> }
This looks like a bug fix related to Source Prune?
Ans: Not exactly.
Initially, Source Prune was disabled, and MAC Anti-spoof check was enabled by default. This was done as follows:
Source Prune is disabled by setting local loopback with the ICE_AQ_VSI_SW_FLAG_LOCAL_LB flag in the Rx direction.
ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to prevent transmitted packets from being looped back in some circumstances.
Now, MAC Anti-spoof check can be disabled by clearing both the ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF flags and setting Tx loopback with the
ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the Tx direction.
As we moved to making both source prune and mac anti-spoof check disabled by default, I thought there was no point in setting ICE_AQ_VSI_SW_FLAG_SRC_PRUNE during source prune disable and then clearing it to disable mac anti-spoof.
Thank you.
Regards,
Anurag M
* RE: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-03 14:36 ` Mandal, Anurag
@ 2025-12-03 14:47 ` Morten Brørup
2025-12-11 15:22 ` Bruce Richardson
0 siblings, 1 reply; 23+ messages in thread
From: Morten Brørup @ 2025-12-03 14:47 UTC (permalink / raw)
To: Mandal, Anurag, dev; +Cc: Richardson, Bruce, Burakov, Anatoly
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Wednesday, 3 December 2025 15.36
>
> Hi Morten Brørup,
>
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 03 December 2025 17:11
> > @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf, enum
> > ice_vsi_type type)
> > /* Source Prune */
> > if (ad->devargs.source_prune != 1) {
> > /* Disable source prune to support VRRP
> > - * when source-prune devarg is not set
> > + * when source-prune devargs is not set
> > */
> > vsi_ctx.info.sw_flags =
> > ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> > - vsi_ctx.info.sw_flags |=
> > + } else { /* Enable Source Prune in Rx */
> > + vsi_ctx.info.sw_flags =
> > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> > }
>
> This looks like a bug fix related to Source Prune?
>
> Ans: Not exactly.
> Initially, Source Prune was disabled, and MAC Anti-spoof check was
> enabled by default. This was done by following:-
> Source Prune is disabled by setting local loopback with
> ICE_AQ_VSI_SW_FLAG_LOCAL_LB flag in the Rx direction.
> ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to prevent transmitted packets
> from being looped back in some circumstances.
> Now, MAC Anti-spoof check can be disabled by clearing both
> ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
> ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF flags and setting Tx loopback
> with
> ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the Tx direction.
>
> As we moved to making both source prune and mac anti-spoof check
> disabled by default, I thought no point to set
> ICE_AQ_VSI_SW_FLAG_SRC_PRUNE during source prune disable and then
> clearing it to disable mac anti-spoof.
OK. Thank you for elaborating.
>
> Thank you.
>
> Regards,
> Anurag M
Note to maintainers:
This devarg is like the Source Prune devarg.
If we want to elevate these exotic features into proper Ethdev APIs, it should be done for both devargs in a separate patch.
Acked-by: Morten Brørup <mb@smartsharesystems.com>
* Re: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-03 14:47 ` Morten Brørup
@ 2025-12-11 15:22 ` Bruce Richardson
2025-12-17 11:52 ` Bruce Richardson
0 siblings, 1 reply; 23+ messages in thread
From: Bruce Richardson @ 2025-12-11 15:22 UTC (permalink / raw)
To: Morten Brørup; +Cc: Mandal, Anurag, dev, Burakov, Anatoly
On Wed, Dec 03, 2025 at 03:47:08PM +0100, Morten Brørup wrote:
> > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > Sent: Wednesday, 3 December 2025 15.36
> >
> > Hi Morten Brørup,
> >
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 03 December 2025 17:11
> > > @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf, enum
> > > ice_vsi_type type)
> > > /* Source Prune */
> > > if (ad->devargs.source_prune != 1) {
> > > /* Disable source prune to support VRRP
> > > - * when source-prune devarg is not set
> > > + * when source-prune devargs is not set
> > > */
> > > vsi_ctx.info.sw_flags =
> > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> > > - vsi_ctx.info.sw_flags |=
> > > + } else { /* Enable Source Prune in Rx */
> > > + vsi_ctx.info.sw_flags =
> > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> > > }
> >
> > This looks like a bug fix related to Source Prune?
> >
> > Ans: Not exactly.
> > Initially, Source Prune was disabled, and MAC Anti-spoof check was
> > enabled by default. This was done by following:-
> > Source Prune is disabled by setting local loopback with
> > ICE_AQ_VSI_SW_FLAG_LOCAL_LB flag in the Rx direction.
> > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to prevent transmitted packets
> > from being looped back in some circumstances.
> > Now, MAC Anti-spoof check can be disabled by clearing both
> > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
> > ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF flags and setting Tx loopback
> > with
> > ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the Tx direction.
> >
> > As we moved to making both source prune and mac anti-spoof check
> > disabled by default, I thought no point to set
> > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE during source prune disable and then
> > clearing it to disable mac anti-spoof.
>
> OK. Thank you for elaborating.
>
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
>
> Note to maintainers:
> This devarg is like the Source Prune devarg.
> If we want to elevate these exotic features into proper Ethdev APIs, it should be done for both devargs in a separate patch.
>
> Acked-by: Morten Brørup <mb@smartsharesystems.com>
>
Applied to dpdk-next-net-intel.
Thanks,
/Bruce
* Re: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-11 15:22 ` Bruce Richardson
@ 2025-12-17 11:52 ` Bruce Richardson
2025-12-17 12:37 ` Morten Brørup
0 siblings, 1 reply; 23+ messages in thread
From: Bruce Richardson @ 2025-12-17 11:52 UTC (permalink / raw)
To: Mandal, Anurag; +Cc: dev, Burakov, Anatoly, Morten Brørup
On Thu, Dec 11, 2025 at 03:22:32PM +0000, Bruce Richardson wrote:
> On Wed, Dec 03, 2025 at 03:47:08PM +0100, Morten Brørup wrote:
> > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > Sent: Wednesday, 3 December 2025 15.36
> > >
> > > Hi Morten Brørup,
> > >
> > > From: Morten Brørup <mb@smartsharesystems.com>
> > > Sent: 03 December 2025 17:11
> > > > @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf, enum
> > > > ice_vsi_type type)
> > > > /* Source Prune */
> > > > if (ad->devargs.source_prune != 1) {
> > > > /* Disable source prune to support VRRP
> > > > - * when source-prune devarg is not set
> > > > + * when source-prune devargs is not set
> > > > */
> > > > vsi_ctx.info.sw_flags =
> > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> > > > - vsi_ctx.info.sw_flags |=
> > > > + } else { /* Enable Source Prune in Rx */
> > > > + vsi_ctx.info.sw_flags =
> > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> > > > }
> > >
> > > This looks like a bug fix related to Source Prune?
> > >
> > > Ans: Not exactly.
> > > Initially, Source Prune was disabled, and MAC Anti-spoof check was
> > > enabled by default. This was done by following:-
> > > Source Prune is disabled by setting local loopback with
> > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB flag in the Rx direction.
> > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to prevent transmitted packets
> > > from being looped back in some circumstances.
> > > Now, MAC Anti-spoof check can be disabled by clearing both
> > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
> > > ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF flags and setting Tx loopback
> > > with
> > > ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the Tx direction.
> > >
> > > As we moved to making both source prune and mac anti-spoof check
> > > disabled by default, I thought no point to set
> > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE during source prune disable and then
> > > clearing it to disable mac anti-spoof.
> >
> > OK. Thank you for elaborating.
> >
> > >
> > > Thank you.
> > >
> > > Regards,
> > > Anurag M
> >
> > Note to maintainers:
> > This devarg is like the Source Prune devarg.
> > If we want to elevate these exotic features into proper Ethdev APIs, it should be done for both devargs in a separate patch.
> >
> > Acked-by: Morten Brørup <mb@smartsharesystems.com>
> >
> Applied to dpdk-next-net-intel.
>
Unfortunately, this patch causes changes in the driver behaviour leading to
CI failures. These issues can be seen with testpmd where packets are
looping back inside a nic port unexpectedly. Therefore, this patch needs to
be dropped from next-net-intel.
Can you please do a new version adding the feature you require while still
keeping the existing default behaviour. I'm going to move the patch status
from accepted to "changes requested" in patchwork, in anticipation of a new
version.
Regards,
/Bruce
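To make the default-path change concrete, here is an added model (not ice driver code, and nobody's submission in this thread) of what the v3 hunk in ice_setup_vsi() writes into the VSI context for each devargs combination, before and after the patch, following Anurag's explanation of the flags and Bruce's report of unexpected loopback above. The flag bit values are constructed placeholders, not the real ICE_AQ_VSI_* encodings; the comparison only relies on them being distinct bits. Only what the hunk itself writes is modelled, starting from a zeroed context, so anything set elsewhere in the function is out of scope.

```c
/* Added model of the v3 hunk's flag writes; placeholder bit values only. */
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholders, NOT the real ICE_AQ_VSI_* bit positions. */
#define SW_FLAG_ALLOW_LB             (1u << 0)
#define SW_FLAG_LOCAL_LB             (1u << 1)
#define SW_FLAG_SRC_PRUNE            (1u << 2)
#define SEC_FLAG_ENA_MAC_ANTI_SPOOF  (1u << 0)

struct vsi_flags {
	uint8_t sw_flags;
	uint8_t sec_flags;
};

/* Pre-patch logic ('-' lines): the '|=' sat inside the not-set branch, so
 * the default wrote LOCAL_LB together with SRC_PRUNE; source-prune=1 wrote
 * nothing here. */
static struct vsi_flags flags_before(int source_prune)
{
	struct vsi_flags f = { 0, 0 };

	if (source_prune != 1) {
		f.sw_flags = SW_FLAG_LOCAL_LB;
		f.sw_flags |= SW_FLAG_SRC_PRUNE;
	}
	return f;
}

/* Post-patch logic ('+' lines): SRC_PRUNE moved to the else branch, and a
 * second block ORs in ALLOW_LB unless mac-anti-spoof=1, in which case the
 * security flag is written instead. */
static struct vsi_flags flags_after(int source_prune, int mac_anti_spoof)
{
	struct vsi_flags f = { 0, 0 };

	if (source_prune != 1)
		f.sw_flags = SW_FLAG_LOCAL_LB;
	else
		f.sw_flags = SW_FLAG_SRC_PRUNE;

	if (mac_anti_spoof != 1)
		f.sw_flags |= SW_FLAG_ALLOW_LB;
	else
		f.sec_flags = SEC_FLAG_ENA_MAC_ANTI_SPOOF;
	return f;
}

/* Bits of sw_flags that differ between the two versions for a given
 * source-prune setting at the documented default mac-anti-spoof=0. */
static uint8_t default_sw_flags_delta(int source_prune)
{
	return flags_before(source_prune).sw_flags ^
	       flags_after(source_prune, 0).sw_flags;
}

int main(void)
{
	static const char *const s[] = { "unset", "set" };

	for (int p = 0; p < 2; p++) {
		for (int a = 0; a < 2; a++) {
			struct vsi_flags f = flags_after(p, a);

			printf("source-prune %-5s mac-anti-spoof %-5s -> "
			       "sw_flags=0x%02x sec_flags=0x%02x\n",
			       s[p], s[a], f.sw_flags, f.sec_flags);
		}
		printf("source-prune %-5s: sw_flags bits that changed at "
		       "default = 0x%02x\n", s[p], default_sw_flags_delta(p));
	}
	return 0;
}
```

With neither devarg given, the model shows the VSI losing SRC_PRUNE and gaining ALLOW_LB in the same step, which is the pair of flags Anurag describes as the loopback guard and the loopback enable respectively; the restructured `if`/`else` is what moved the default, not the new option by itself.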
* RE: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-17 11:52 ` Bruce Richardson
@ 2025-12-17 12:37 ` Morten Brørup
2025-12-17 13:46 ` Bruce Richardson
0 siblings, 1 reply; 23+ messages in thread
From: Morten Brørup @ 2025-12-17 12:37 UTC (permalink / raw)
To: Bruce Richardson, Mandal, Anurag; +Cc: dev, Burakov, Anatoly
> From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> Sent: Wednesday, 17 December 2025 12.53
>
> On Thu, Dec 11, 2025 at 03:22:32PM +0000, Bruce Richardson wrote:
> > On Wed, Dec 03, 2025 at 03:47:08PM +0100, Morten Brørup wrote:
> > > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > > Sent: Wednesday, 3 December 2025 15.36
> > > >
> > > > Hi Morten Brørup,
> > > >
> > > > From: Morten Brørup <mb@smartsharesystems.com>
> > > > Sent: 03 December 2025 17:11
> > > > > @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf, enum
> > > > > ice_vsi_type type)
> > > > > /* Source Prune */
> > > > > if (ad->devargs.source_prune != 1) {
> > > > > /* Disable source prune to support VRRP
> > > > > - * when source-prune devarg is not set
> > > > > + * when source-prune devargs is not set
> > > > > */
> > > > > vsi_ctx.info.sw_flags =
> > > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> > > > > - vsi_ctx.info.sw_flags |=
> > > > > + } else { /* Enable Source Prune in Rx */
> > > > > + vsi_ctx.info.sw_flags =
> > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> > > > > }
> > > >
> > > > This looks like a bug fix related to Source Prune?
> > > >
> > > > Ans: Not exactly.
> > > > Initially, Source Prune was disabled, and MAC Anti-spoof check was
> > > > enabled by default. This was done by following:-
> > > > Source Prune is disabled by setting local loopback with
> > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB flag in the Rx direction.
> > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to prevent transmitted packets
> > > > from being looped back in some circumstances.
> > > > Now, MAC Anti-spoof check can be disabled by clearing both
> > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
> > > > ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF flags and setting Tx loopback
> > > > with
> > > > ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the Tx direction.
> > > >
> > > > As we moved to making both source prune and mac anti-spoof check
> > > > disabled by default, I thought no point to set
> > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE during source prune disable and then
> > > > clearing it to disable mac anti-spoof.
> > >
> > > OK. Thank you for elaborating.
> > >
> > > >
> > > > Thank you.
> > > >
> > > > Regards,
> > > > Anurag M
> > >
> > > Note to maintainers:
> > > This devarg is like the Source Prune devarg.
> > > If we want to elevate these exotic features into proper Ethdev APIs,
> > > it should be done for both devargs in a separate patch.
> > >
> > > Acked-by: Morten Brørup <mb@smartsharesystems.com>
> > >
> > Applied to dpdk-next-net-intel.
> >
> Unfortunately, this patch causes changes in the driver behaviour leading to
> CI failures. These issues can be seen with testpmd where packets are
> looping back inside a nic port unexpectedly.
Can you please elaborate "packets are looping back"?
If the packets egress on one physical port, they certainly shouldn't ingress back on the same physical port.
However, if they egress on one virtual port, and are internally switched to ingress on another virtual port on the same physical port, I would consider that expected behavior - the same would happen if those ports were physical and connected to the same physical switch.
If they are ingressing on the same virtual port they were sent on, that would seem like a bug in the NIC's virtual switch. A physical switch normally wouldn't transmit packets back out on the port they ingressed on.
> Therefore, this patch needs to be dropped from next-net-intel.
>
> Can you please do a new version adding the feature you require while still
> keeping the existing default behaviour. I'm going to move the patch status
> from accepted to "changes requested" in patchwork, in anticipation of a new
> version.
>
> Regards,
> /Bruce
This sounds like the CI needs to be fixed.
Why does the CI expect this kind of filtering to be enabled by default?
I wouldn't expect other NICs to perform similar filtering.
-Morten
* Re: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-17 12:37 ` Morten Brørup
@ 2025-12-17 13:46 ` Bruce Richardson
2025-12-17 14:13 ` Morten Brørup
0 siblings, 1 reply; 23+ messages in thread
From: Bruce Richardson @ 2025-12-17 13:46 UTC (permalink / raw)
To: Morten Brørup; +Cc: Mandal, Anurag, dev, Burakov, Anatoly
On Wed, Dec 17, 2025 at 01:37:16PM +0100, Morten Brørup wrote:
> > From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> > Sent: Wednesday, 17 December 2025 12.53
> >
> > On Thu, Dec 11, 2025 at 03:22:32PM +0000, Bruce Richardson wrote:
> > > On Wed, Dec 03, 2025 at 03:47:08PM +0100, Morten Brørup wrote:
> > > > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > > > Sent: Wednesday, 3 December 2025 15.36
> > > > >
> > > > > Hi Morten Brørup,
> > > > >
> > > > > From: Morten Brørup <mb@smartsharesystems.com>
> > > > > Sent: 03 December 2025 17:11
> > > > > > @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf, enum
> > > > > > ice_vsi_type type)
> > > > > > /* Source Prune */
> > > > > > if (ad->devargs.source_prune != 1) {
> > > > > > /* Disable source prune to support VRRP
> > > > > > - * when source-prune devarg is not set
> > > > > > + * when source-prune devargs is not set
> > > > > > */
> > > > > > vsi_ctx.info.sw_flags =
> > > > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> > > > > > - vsi_ctx.info.sw_flags |=
> > > > > > + } else { /* Enable Source Prune in Rx */
> > > > > > + vsi_ctx.info.sw_flags =
> > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> > > > > > }
> > > > >
> > > > > This looks like a bug fix related to Source Prune?
> > > > >
> > > > > Ans: Not exactly.
> > > > > Initially, Source Prune was disabled, and MAC Anti-spoof check was
> > > > > enabled by default. This was done by following:-
> > > > > Source Prune is disabled by setting local loopback with
> > > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB flag in the Rx direction.
> > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to prevent transmitted packets
> > > > > from being looped back in some circumstances.
> > > > > Now, MAC Anti-spoof check can be disabled by clearing both
> > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
> > > > > ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF flags and setting Tx loopback
> > > > > with
> > > > > ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the Tx direction.
> > > > >
> > > > > As we moved to making both source prune and mac anti-spoof check
> > > > > disabled by default, I thought no point to set
> > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE during source prune disable and then
> > > > > clearing it to disable mac anti-spoof.
> > > >
> > > > OK. Thank you for elaborating.
> > > >
> > > > >
> > > > > Thank you.
> > > > >
> > > > > Regards,
> > > > > Anurag M
> > > >
> > > > Note to maintainers:
> > > > This devarg is like the Source Prune devarg.
> > > > If we want to elevate these exotic features into proper Ethdev APIs,
> > > > it should be done for both devargs in a separate patch.
> > > >
> > > > Acked-by: Morten Brørup <mb@smartsharesystems.com>
> > > >
> > > Applied to dpdk-next-net-intel.
> > >
> > Unfortunately, this patch causes changes in the driver behaviour leading to
> > CI failures. These issues can be seen with testpmd where packets are
> > looping back inside a nic port unexpectedly.
>
> Can you please elaborate "packets are looping back"?
>
When testpmd is configured for mac forwarding, sending in a single packet
leads to a constant stream of packets being handled by testpmd.
> If the packets egress on one physical port, they certainly shouldn't ingress back on the same physical port.
>
> However, if they egress on one virtual port, and are internally switched to ingress on another virtual port on the same physical port, I would consider that expected behavior - the same would happen if those ports were physical and connected to the same physical switch.
>
> If they are ingressing on the same virtual port they were sent on, that would seem like a bug in the NICs virtual switch. A physical switch normally wouldn't transmit packets back out on the port they ingressed on.
>
Not exactly sure what is happening internally, it needs some investigation.
> > Therefore, this patch needs to be dropped from next-net-intel.
> >
> > Can you please do a new version adding the feature you require while still
> > keeping the existing default behaviour. I'm going to move the patch status
> > from accepted to "changes requested" in patchwork, in anticipation of a new
> > version.
> >
> > Regards,
> > /Bruce
>
> This sounds like the CI needs to be fixed.
> Why does the CI expect this kind of filtering to be enabled by default?
> I wouldn't expect other NICs to perform similar filtering.
>
It could well be a testing issue, or a combination of incorrect default
behaviour and a sub-optimal test case. However, until that is fully
root-caused, I'm backing out the patch for safety.
/Bruce
* RE: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-17 13:46 ` Bruce Richardson
@ 2025-12-17 14:13 ` Morten Brørup
2025-12-17 14:18 ` Mandal, Anurag
0 siblings, 1 reply; 23+ messages in thread
From: Morten Brørup @ 2025-12-17 14:13 UTC (permalink / raw)
To: Bruce Richardson; +Cc: Mandal, Anurag, dev, Burakov, Anatoly
> From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> Sent: Wednesday, 17 December 2025 14.46
>
> On Wed, Dec 17, 2025 at 01:37:16PM +0100, Morten Brørup wrote:
> > > From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> > > Sent: Wednesday, 17 December 2025 12.53
> > >
> > > On Thu, Dec 11, 2025 at 03:22:32PM +0000, Bruce Richardson wrote:
> > > > On Wed, Dec 03, 2025 at 03:47:08PM +0100, Morten Brørup wrote:
> > > > > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > > > > Sent: Wednesday, 3 December 2025 15.36
> > > > > >
> > > > > > Hi Morten Brørup,
> > > > > >
> > > > > > From: Morten Brørup <mb@smartsharesystems.com>
> > > > > > Sent: 03 December 2025 17:11
> > > > > > > @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf,
> enum
> > > > > > > ice_vsi_type type)
> > > > > > > /* Source Prune */
> > > > > > > if (ad->devargs.source_prune != 1) {
> > > > > > > /* Disable source prune to support VRRP
> > > > > > > - * when source-prune devarg is not set
> > > > > > > + * when source-prune devargs is not set
> > > > > > > */
> > > > > > > vsi_ctx.info.sw_flags =
> > > > > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> > > > > > > - vsi_ctx.info.sw_flags |=
> > > > > > > + } else { /* Enable Source Prune in Rx */
> > > > > > > + vsi_ctx.info.sw_flags =
> > > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> > > > > > > }
> > > > > >
> > > > > > This looks like a bug fix related to Source Prune?
> > > > > >
> > > > > > Ans: Not exactly.
> > > > > > Initially, Source Prune was disabled, and MAC Anti-spoof
> check
> > > was
> > > > > > enabled by default. This was done by following:-
> > > > > > Source Prune is disabled by setting local loopback with
> > > > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB flag in the Rx direction.
> > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to prevent transmitted
> > > packets
> > > > > > from being looped back in some circumstances.
> > > > > > Now, MAC Anti-spoof check can be disabled by clearing both
> > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
> > > > > > ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF flags and setting Tx
> > > loopback
> > > > > > with
> > > > > > ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the Tx direction.
> > > > > >
> > > > > > As we moved to making both source prune and mac anti-spoof
> check
> > > > > > disabled by default, I thought no point to set
> > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE during source prune disable and
> then
> > > > > > clearing it to disable mac anti-spoof.
> > > > >
> > > > > OK. Thank you for elaborating.
> > > > >
> > > > > >
> > > > > > Thank you.
> > > > > >
> > > > > > Regards,
> > > > > > Anurag M
> > > > >
> > > > > Note to maintainers:
> > > > > This devarg is like the Source Prune devarg.
> > > > > If we want to elevate these exotic features into proper Ethdev
> > > APIs, it should be done for both devargs in a separate patch.
> > > > >
> > > > > Acked-by: Morten Brørup <mb@smartsharesystems.com>
> > > > >
> > > > Applied to dpdk-next-net-intel.
> > > >
> > > Unfortunately, this patch causes changes in the driver behaviour
> > > leading to
> > > CI failures. These issues can be seen with testpmd where packets
> are
> > > looping back inside a nic port unexpectedly.
> >
> > Can you please elaborate "packets are looping back"?
> >
>
> When testpmd is configured for mac forwarding, sending in a single
> packet
> leads to a constant stream of packets being handled by testpmd.
>
> > If the packets egress on one physical port, they certainly shouldn't
> ingress back on the same physical port.
> >
> > However, if they egress on one virtual port, and are internally
> switched to ingress on another virtual port on the same physical port,
> I would consider that expected behavior - the same would happen if
> those ports were physical and connected to the same physical switch.
> >
> > If they are ingressing on the same virtual port they were sent on,
> that would seem like a bug in the NICs virtual switch. A physical
> switch normally wouldn't transmit packets back out on the port they
> ingressed on.
> >
>
> Not exactly sure what is happening internally, it needs some
> investigation.
Sure sounds like it.
Let's hope it's only testpmd, and not a broader issue with the NIC/driver.
>
> > > Therefore, this patch
> > > needs to
> > > be dropped from next-net-intel.
> > >
> > > Can you please do a new version adding the feature you require
> while
> > > still
> > > keeping the existing default behaviour. I'm going to move the
> patch
> > > status
> > > from accepted to "changes requested" in patchwork, in anticipation
> of a
> > > new
> > > version.
> > >
> > > Regards,
> > > /Bruce
> >
> > This sounds like the CI needs to be fixed.
> > Why does the CI expect this kind of filtering to be enabled by
> default?
> > I wouldn't expect other NICs to perform similar filtering.
> >
> It could well be a testing issue, or a combination of incorrect default
> behaviour and a sub-optimal test case. However, until that is fully
> root-caused, I'm backing out the patch for safety.
A new patch with reverted default behavior seems like the proper short-term solution.
While investigating, we can live with the wrong default behavior, as a "well known bug".
And the configurability will be helpful for root-causing.
>
> /Bruce
* RE: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-17 14:13 ` Morten Brørup
@ 2025-12-17 14:18 ` Mandal, Anurag
2025-12-17 14:22 ` Mandal, Anurag
0 siblings, 1 reply; 23+ messages in thread
From: Mandal, Anurag @ 2025-12-17 14:18 UTC (permalink / raw)
To: Morten Brørup, Richardson, Bruce; +Cc: dev, Burakov, Anatoly
Thank you.
Regards,
Anurag M
-----Original Message-----
From: Morten Brørup <mb@smartsharesystems.com>
Sent: 17 December 2025 19:44
To: Richardson, Bruce <bruce.richardson@intel.com>
Cc: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Burakov, Anatoly <anatoly.burakov@intel.com>
Subject: RE: [PATCH v3] net/ice: add MAC anti-spoof option
> From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> Sent: Wednesday, 17 December 2025 14.46
>
> On Wed, Dec 17, 2025 at 01:37:16PM +0100, Morten Brørup wrote:
> > > From: Bruce Richardson [mailto:bruce.richardson@intel.com]
> > > Sent: Wednesday, 17 December 2025 12.53
> > >
> > > On Thu, Dec 11, 2025 at 03:22:32PM +0000, Bruce Richardson wrote:
> > > > On Wed, Dec 03, 2025 at 03:47:08PM +0100, Morten Brørup wrote:
> > > > > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > > > > Sent: Wednesday, 3 December 2025 15.36
> > > > > >
> > > > > > Hi Morten Brørup,
> > > > > >
> > > > > > From: Morten Brørup <mb@smartsharesystems.com>
> > > > > > Sent: 03 December 2025 17:11
> > > > > > > @@ -1761,13 +1763,39 @@ ice_setup_vsi(struct ice_pf *pf,
> enum
> > > > > > > ice_vsi_type type)
> > > > > > > /* Source Prune */
> > > > > > > if (ad->devargs.source_prune != 1) {
> > > > > > > /* Disable source prune to support VRRP
> > > > > > > - * when source-prune devarg is not set
> > > > > > > + * when source-prune devargs is not set
> > > > > > > */
> > > > > > > vsi_ctx.info.sw_flags =
> > > > > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> > > > > > > - vsi_ctx.info.sw_flags |=
> > > > > > > + } else { /* Enable Source Prune in Rx */
> > > > > > > + vsi_ctx.info.sw_flags =
> > > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> > > > > > > }
> > > > > >
> > > > > > This looks like a bug fix related to Source Prune?
> > > > > >
> > > > > > Ans: Not exactly.
> > > > > > Initially, Source Prune was disabled, and MAC Anti-spoof
> check
> > > was
> > > > > > enabled by default. This was done by following:- Source
> > > > > > Prune is disabled by setting local loopback with
> > > > > > ICE_AQ_VSI_SW_FLAG_LOCAL_LB flag in the Rx direction.
> > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to prevent transmitted
> > > packets
> > > > > > from being looped back in some circumstances.
> > > > > > Now, MAC Anti-spoof check can be disabled by clearing both
> > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
> > > > > > ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF flags and setting Tx
> > > loopback
> > > > > > with
> > > > > > ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the Tx direction.
> > > > > >
> > > > > > As we moved to making both source prune and mac anti-spoof
> check
> > > > > > disabled by default, I thought no point to set
> > > > > > ICE_AQ_VSI_SW_FLAG_SRC_PRUNE during source prune disable and
> then
> > > > > > clearing it to disable mac anti-spoof.
> > > > >
> > > > > OK. Thank you for elaborating.
> > > > >
> > > > > >
> > > > > > Thank you.
> > > > > >
> > > > > > Regards,
> > > > > > Anurag M
> > > > >
> > > > > Note to maintainers:
> > > > > This devarg is like the Source Prune devarg.
> > > > > If we want to elevate these exotic features into proper Ethdev
> > > APIs, it should be done for both devargs in a separate patch.
> > > > >
> > > > > Acked-by: Morten Brørup <mb@smartsharesystems.com>
> > > > >
> > > > Applied to dpdk-next-net-intel.
> > > >
> > > Unfortunately, this patch causes changes in the driver behaviour
> > > leading to CI failures. These issues can be seen with testpmd
> > > where packets
> are
> > > looping back inside a nic port unexpectedly.
> >
> > Can you please elaborate "packets are looping back"?
> >
>
> When testpmd is configured for mac forwarding, sending in a single
> packet leads to a constant stream of packets being handled by testpmd.
>
> > If the packets egress on one physical port, they certainly shouldn't
> ingress back on the same physical port.
> >
> > However, if they egress on one virtual port, and are internally
> switched to ingress on another virtual port on the same physical port,
> I would consider that expected behavior - the same would happen if
> those ports were physical and connected to the same physical switch.
> >
> > If they are ingressing on the same virtual port they were sent on,
> that would seem like a bug in the NICs virtual switch. A physical
> switch normally wouldn't transmit packets back out on the port they
> ingressed on.
> >
>
> Not exactly sure what is happening internally, it needs some
> investigation.
Sure sounds like it.
Let's hope it's only testpmd, and not a broader issue with the NIC/driver.
>
> > > Therefore, this patch
> > > needs to
> > > be dropped from next-net-intel.
> > >
> > > Can you please do a new version adding the feature you require
> while
> > > still
> > > keeping the existing default behaviour. I'm going to move the
> patch
> > > status
> > > from accepted to "changes requested" in patchwork, in anticipation
> of a
> > > new
> > > version.
> > >
> > > Regards,
> > > /Bruce
> >
> > This sounds like the CI needs to be fixed.
> > Why does the CI expect this kind of filtering to be enabled by
> default?
> > I wouldn't expect other NICs to perform similar filtering.
> >
> It could well be a testing issue, or a combination of incorrect
> default behaviour and a sub-optimal test case. However, until that is
> fully root-caused, I'm backing out the patch for safety.
> A new patch with reverted default behavior seems like the proper short-term solution.
> While investigating, we can live with the wrong default behavior, as a "well known bug".
> And the configurability will be helpful for root-causing.
>
> /Bruce
Hi Morten & Bruce,
Please note, when I sent the patch [v2] with MAC Anti-spoof enabled by default, which is the current behaviour without the concerned patch, no CI issues were reported.
PFB the reference.
https://patches.dpdk.org/project/dpdk/patch/20251116035749.45922-1-anurag.mandal@intel.com/
Root cause of the CI failure:
Source Prune is disabled by default; while doing that, we used to set the ICE_AQ_VSI_SW_FLAG_SRC_PRUNE flag as well, which is added to prevent transmitted packets from being looped back in some circumstances, like the one CI is reporting.
Now, if we make MAC anti-spoof disabled by default, we have to clear/not set that ICE_AQ_VSI_SW_FLAG_SRC_PRUNE flag and set the ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag.
Hence, my initial solution in patch v2 was to keep Source Prune disabled and MAC anti-spoof enabled by default.
Please let me know the way forward.
Thanks,
Anurag
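The flag interplay described in the message above, as an added example that is not code from the patch or from the ice driver: a C model of the v4 ice_setup_vsi() flag computation written as a pure function of the two devargs, so all four source-prune / mac-anti-spoof combinations can be tabulated and the combination behind the CI loopback storm (ICE_AQ_VSI_SW_FLAG_ALLOW_LB set, ICE_AQ_VSI_SW_FLAG_SRC_PRUNE clear) checked directly. The ICE_AQ_* bit values are placeholders chosen here; the real ones are not on the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Placeholder bit positions for this example only. The real values live in
 * the ice base driver headers and are not part of the thread.
 */
#define ICE_AQ_VSI_SW_FLAG_ALLOW_LB            (1u << 5)
#define ICE_AQ_VSI_SW_FLAG_LOCAL_LB            (1u << 6)
#define ICE_AQ_VSI_SW_FLAG_SRC_PRUNE           (1u << 7)
#define ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF (1u << 2)

struct vsi_flags {
	uint8_t sw_flags;  /* switch section of the VSI context */
	uint8_t sec_flags; /* security section of the VSI context */
};

/*
 * Model of the v4 logic: source_prune and mac_anti_spoof are the two
 * devargs (defaults 0 and 1 respectively). Returns the flags the driver
 * would program into the VSI context for that combination.
 */
struct vsi_flags ice_v4_vsi_flags(uint8_t source_prune, uint8_t mac_anti_spoof)
{
	struct vsi_flags f = { 0, 0 };

	/* Source Prune is disabled unless source-prune=1 was given. */
	if (source_prune != 1) {
		f.sw_flags = ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
		f.sw_flags |= ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
	}

	/* MAC Anti-spoof in Tx is enabled by default. */
	f.sec_flags = ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
	if (mac_anti_spoof == 0) {
		f.sw_flags &= ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
		f.sw_flags |= ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
		f.sec_flags &= ~ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
	}
	return f;
}

bool vsi_mac_anti_spoof_enabled(struct vsi_flags f)
{
	return (f.sec_flags & ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF) != 0;
}

/*
 * Per the thread, SRC_PRUNE stops transmitted frames from being looped back
 * and ALLOW_LB permits Tx loopback. ALLOW_LB set with SRC_PRUNE clear is the
 * state in which testpmd mac forwarding turned one injected packet into a
 * stream, so this predicate marks the configurations that need that check.
 */
bool vsi_tx_loopback_possible(struct vsi_flags f)
{
	return (f.sw_flags & ICE_AQ_VSI_SW_FLAG_ALLOW_LB) != 0 &&
	       (f.sw_flags & ICE_AQ_VSI_SW_FLAG_SRC_PRUNE) == 0;
}

int main(void)
{
	printf("source-prune  mac-anti-spoof  sw_flags  sec_flags  anti-spoof  loopback-possible\n");
	for (uint8_t sp = 0; sp <= 1; sp++) {
		for (uint8_t mas = 0; mas <= 1; mas++) {
			struct vsi_flags f = ice_v4_vsi_flags(sp, mas);

			printf("%12u  %14u  0x%02x      0x%02x       %-10s  %s\n",
			       sp, mas, f.sw_flags, f.sec_flags,
			       vsi_mac_anti_spoof_enabled(f) ? "enabled" : "disabled",
			       vsi_tx_loopback_possible(f) ? "yes" : "no");
		}
	}
	return 0;
}
```

The default row (source-prune=0, mac-anti-spoof=1) keeps SRC_PRUNE and the anti-spoof bit; every mac-anti-spoof=0 row comes out loopback-possible, which matches the v3 default that CI tripped over.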
* RE: [PATCH v3] net/ice: add MAC anti-spoof option
2025-12-17 14:18 ` Mandal, Anurag
@ 2025-12-17 14:22 ` Mandal, Anurag
0 siblings, 0 replies; 23+ messages in thread
From: Mandal, Anurag @ 2025-12-17 14:22 UTC (permalink / raw)
To: Mandal, Anurag, Morten Brørup, Richardson, Bruce
Cc: dev, Burakov, Anatoly
* [PATCH v4] net/ice: add MAC anti-spoof option
2025-11-13 10:59 [PATCH] net/ice: add MAC anti-spoof disable option Anurag Mandal
` (2 preceding siblings ...)
2025-12-03 10:41 ` [PATCH v3] " Anurag Mandal
@ 2025-12-17 20:11 ` Anurag Mandal
3 siblings, 0 replies; 23+ messages in thread
From: Anurag Mandal @ 2025-12-17 20:11 UTC (permalink / raw)
To: dev; +Cc: bruce.richardson, anatoly.burakov, mb, Anurag Mandal
VRRP advertisement packets are dropped as TX-errors upon transmission from
a vsi of ice PF due to MAC anti-spoof check, which is enabled by default.
There is no way to disable this security check in the Tx direction to
avoid these packets being dropped.
This patch introduces devargs "mac-anti-spoof" to allow the user to
disable MAC anti-spoof check. Disable MAC Anti-spoof check in the
Tx direction to automatically send outgoing packets even when
their destination MAC address matches one of the MAC
addresses assigned to that same NIC port and avoid getting
dropped as TX-errors.
Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
---
V4: Addressed ASan CI failures & Morten Brørup's feedback
- set the default value of the devargs to 1
- enabled MAC anti-spoof check by default
- provided devargs option to disable the same
V3: Addressed Morten Brørup's feedback
- set the default value of the devargs to 0
- disabled MAC anti-spoof check by default
- provided devargs option to enable the same
- synchronized with source prune
V2: Addressed Bruce Richardson's feedback
- changed devargs name to "mac-anti-spoof"
- changed devargs member name to "mac_anti_spoof"
- changed macro name to "ICE_MAC_ANTI_SPOOF_ARG"
- set the default value of the devargs to 1
- added NOTICE log msg when MAC Anti-spoof is disabled
- added more code comments to provide clarity
- fixed typo error with ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
doc/guides/nics/ice.rst | 12 +++++++
drivers/net/intel/ice/ice_ethdev.c | 50 +++++++++++++++++++++++++++++-
drivers/net/intel/ice/ice_ethdev.h | 1 +
3 files changed, 62 insertions(+), 1 deletion(-)
diff --git a/doc/guides/nics/ice.rst b/doc/guides/nics/ice.rst
index 6cc27cefa7..c3e9cfaee3 100644
--- a/doc/guides/nics/ice.rst
+++ b/doc/guides/nics/ice.rst
@@ -194,6 +194,18 @@ Runtime Configuration
-a 80:00.0,source-prune=1
+- ``MAC Anti-spoof Disable`` (default ``1``)
+
+ Disable MAC Anti-spoof check in the Tx direction to send outgoing
+ packets when their destination MAC address matches one of the
+ MAC addresses assigned to that same NIC port.By default, these
+ outgoing packets are dropped due to MAC Anti-spoof check.
+
+ MAC Anti-spoof can be disabled by resetting the devargs parameter ``mac-anti-spoof``,
+ for example::
+
+ -a 80:00.0,mac-anti-spoof=0
+
- ``Protocol extraction for per queue``
Configure the RX queues to do protocol extraction into mbuf for protocol
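Review bot: the option heading ``MAC Anti-spoof Disable`` (default ``1``) no longer matches the parameter it documents: the devarg is ``mac-anti-spoof``, ``1`` keeps the check enabled and ``0`` disables it, so "Disable ... default 1" reads as inverted. Name the entry after the parameter, e.g. ``MAC Anti-spoof`` (default ``1``), and replace "disabled by resetting the devargs parameter" with "disabled by setting ``mac-anti-spoof=0``". Two smaller points: "port.By default" is missing a space, and the paragraph describes the dropped frames by their destination MAC address, while the commit message says the same frames are dropped by the MAC anti-spoof check, which is a check on the source MAC of transmitted frames; confirm "destination" is intended.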
diff --git a/drivers/net/intel/ice/ice_ethdev.c b/drivers/net/intel/ice/ice_ethdev.c
index c1d92435d1..af44dc0bbe 100644
--- a/drivers/net/intel/ice/ice_ethdev.c
+++ b/drivers/net/intel/ice/ice_ethdev.c
@@ -42,6 +42,7 @@
#define ICE_DDP_LOAD_SCHED_ARG "ddp_load_sched_topo"
#define ICE_TM_LEVELS_ARG "tm_sched_levels"
#define ICE_SOURCE_PRUNE_ARG "source-prune"
+#define ICE_MAC_ANTI_SPOOF_ARG "mac-anti-spoof"
#define ICE_LINK_STATE_ON_CLOSE "link_state_on_close"
#define ICE_CYCLECOUNTER_MASK 0xffffffffffffffffULL
@@ -60,6 +61,7 @@ static const char * const ice_valid_args[] = {
ICE_DDP_LOAD_SCHED_ARG,
ICE_TM_LEVELS_ARG,
ICE_SOURCE_PRUNE_ARG,
+ ICE_MAC_ANTI_SPOOF_ARG,
ICE_LINK_STATE_ON_CLOSE,
NULL
};
@@ -1761,13 +1763,52 @@ ice_setup_vsi(struct ice_pf *pf, enum ice_vsi_type type)
/* Source Prune */
if (ad->devargs.source_prune != 1) {
/* Disable source prune to support VRRP
- * when source-prune devarg is not set
+ * when source-prune devargs is not set
*/
vsi_ctx.info.sw_flags =
ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
vsi_ctx.info.sw_flags |=
ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
}
+ /* MAC Anti-spoof */
+ /* MAC Anti-spoof check in Tx is enabled by default */
+ vsi_ctx.info.sec_flags =
+ ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+ /* By default, Source Prune in Rx is disabled
+ * and MAC Anti-spoof check in Tx is enabled.
+ *
+ * Source Prune is disabled by setting local
+ * loopback with ICE_AQ_VSI_SW_FLAG_LOCAL_LB
+ * flag in the Rx direction.
+ * ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to
+ * prevent transmitted packets from being
+ * looped back in some circumstances.
+ *
+ * MAC Anti-spoof check can be disabled by
+ * clearing ICE_AQ_VSI_SW_FLAG_SRC_PRUNE &
+ * ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
+ * flags and setting Tx loopback with
+ * ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the
+ * Tx direction.
+ */
+ if (ad->devargs.mac_anti_spoof == 0) {
+ /* Disable mac anti-spoof check in the
+ * Tx direction to avoid outgoing
+ * packets getting dropped as
+ * TX-errors for VRRP support when
+ * mac-anti-spoof devargs is not set
+ */
+ vsi_ctx.info.sw_flags &=
+ ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
+ PMD_INIT_LOG(NOTICE,
+ "Disabling MAC Anti-spoof check "
+ "in the Tx direction does not "
+ "affect Source Prune in the Rx direction");
+ vsi_ctx.info.sw_flags |=
+ ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
+ vsi_ctx.info.sec_flags &=
+ ~ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+ }
cfg = ICE_AQ_VSI_PROP_SW_VALID;
vsi_ctx.info.valid_sections |= rte_cpu_to_le_16(cfg);
vsi_ctx.info.sw_flags2 = ICE_AQ_VSI_SW_FLAG_LAN_ENA;
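Review bot: `vsi_ctx.info.sec_flags = ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;` is a plain assignment, so any sec_flags bit set earlier in ice_setup_vsi() is discarded; unless this is the first write to sec_flags it should be `|=`. Related: the only valid-section bit visible here is `cfg = ICE_AQ_VSI_PROP_SW_VALID;`, and the security section of the VSI context has its own valid bit, so check that it is set somewhere on this path; otherwise firmware ignores the sec_flags change and `mac-anti-spoof=0` only alters sw_flags (clearing SRC_PRUNE and setting ALLOW_LB), which is the loopback-prone state the CI run hit. The NOTICE text "does not affect Source Prune in the Rx direction" sits right next to `vsi_ctx.info.sw_flags &= ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;`; the comment above explains that this flag is the Tx loopback guard rather than Rx pruning, but the log message should say so as well, since the flag name invites the opposite reading. The `devarg` -> `devargs` comment edit on the otherwise untouched source-prune block is unrelated churn and can be dropped.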
@@ -2398,6 +2439,7 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
return -EINVAL;
}
+ ad->devargs.mac_anti_spoof = 1; /* enabled by default */
ad->devargs.proto_xtr_dflt = PROTO_XTR_NONE;
memset(ad->devargs.proto_xtr, PROTO_XTR_NONE,
sizeof(ad->devargs.proto_xtr));
@@ -2467,6 +2509,11 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
if (ret)
goto bail;
+ ret = rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_ARG,
+ &parse_bool, &ad->devargs.mac_anti_spoof);
+ if (ret)
+ goto bail;
+
ret = rte_kvargs_process(kvlist, ICE_LINK_STATE_ON_CLOSE,
&parse_link_state_on_close, &ad->devargs.link_state_on_close);
@@ -7732,6 +7779,7 @@ RTE_PMD_REGISTER_PARAM_STRING(net_ice,
ICE_DDP_LOAD_SCHED_ARG "=<0|1>"
ICE_TM_LEVELS_ARG "=<N>"
ICE_SOURCE_PRUNE_ARG "=<0|1>"
+ ICE_MAC_ANTI_SPOOF_ARG "=<0|1>"
ICE_RX_LOW_LATENCY_ARG "=<0|1>"
ICE_LINK_STATE_ON_CLOSE "=<down|up|initial>");
diff --git a/drivers/net/intel/ice/ice_ethdev.h b/drivers/net/intel/ice/ice_ethdev.h
index 72ed65f13b..5fe4688d57 100644
--- a/drivers/net/intel/ice/ice_ethdev.h
+++ b/drivers/net/intel/ice/ice_ethdev.h
@@ -617,6 +617,7 @@ struct ice_devargs {
uint8_t ddp_load_sched;
uint8_t tm_exposed_levels;
uint8_t source_prune;
+ uint8_t mac_anti_spoof;
int link_state_on_close;
int xtr_field_offs;
uint8_t xtr_flag_offs[PROTO_XTR_MAX];
--
2.34.1
2025-11-13 10:59 [PATCH] net/ice: add MAC anti-spoof disable option Anurag Mandal
2025-11-13 11:35 ` Bruce Richardson
2025-11-16 3:57 ` [PATCH v2] net/ice: add MAC anti-spoof option Anurag Mandal
2025-11-16 7:43 ` Morten Brørup
2025-11-17 5:22 ` Mandal, Anurag
2025-11-17 9:05 ` Morten Brørup
2025-12-02 8:17 ` Mandal, Anurag
2025-12-02 9:00 ` Morten Brørup
2025-12-02 9:14 ` Mandal, Anurag
2025-12-02 14:25 ` Thomas Monjalon
2025-12-02 17:10 ` Morten Brørup
2025-12-03 10:41 ` [PATCH v3] " Anurag Mandal
2025-12-03 11:41 ` Morten Brørup
2025-12-03 14:36 ` Mandal, Anurag
2025-12-03 14:47 ` Morten Brørup
2025-12-11 15:22 ` Bruce Richardson
2025-12-17 11:52 ` Bruce Richardson
2025-12-17 12:37 ` Morten Brørup
2025-12-17 13:46 ` Bruce Richardson
2025-12-17 14:13 ` Morten Brørup
2025-12-17 14:18 ` Mandal, Anurag
2025-12-17 14:22 ` Mandal, Anurag
2025-12-17 20:11 ` [PATCH v4] " Anurag Mandal