RE: [PATCH v2] net/ice: add MAC anti-spoof option

["Morten Brørup" <mb@smartsharesystems.com>]

> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Monday, 17 November 2025 06.22
> 
> Hi Morten Brørup,
> 
> Thanks for your mail and review. PFB my answers.
> 
> " This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an option
> to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis."
> 
> [Ans]: Source prune is disabled by default and option to enable the
> same has been already committed:[
> https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f
> 36086].

Sorry, there was a typo... I meant to write:
Please disable anti-spoof filtering by default, and provide an option to enable it.
Like source-prune.

> I also wanted to shorten the name to "anti-spoof" but I found something
> called " vsi->vlan_anti_spoof_on" in the same file.
> Hence, to distinguish between them, used "mac-anti-spoof".

OK. Then "mac-anti-spoof" is a good choice.

Is support for "vlan-anti-spoof" in the pipeline?

What are your thoughts about the generic Ethdev APIs I suggested, instead of driver specific devargs?

> 
> Thank you.
> 
> Regards,
> Anurag M
> 
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 16 November 2025 13:14
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson,
> Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> 
> +TO: Ethdev maintainers, regarding new Ethdev APIs
> 
> > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > Sent: Sunday, 16 November 2025 04.58
> >
> > VRRP advertisement packets are dropped as TX-errors upon transmission
> > from a vsi of ice PF due to MAC anti-spoof check which is enabled by
> > default.
> > There is no way to disable this check in the Tx direction to avoid
> > these packets being dropped.
> >
> > This patch introduces devargs "mac-anti-spoof" to allow user to
> > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the Tx
> > direction to avoid getting dropped as TX-errors upon packet
> > transmission when their source MAC address matches one of the MAC
> > addresses assigned to that same NIC port.
> >
> > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > ---
> 
> This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an option
> to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis.
> 
> Let's make something generic instead, to replace those silly devargs.
> We have individual Ethdev APIs to enable/disable various Rx filtering,
> e.g. "promiscuous", "all multicast".
> Obviously, we don't want to introduce new APIs for every semi-exotic
> filter any NIC may offer, like "source prune" and "anti spoof", but we
> could introduce a set of generic Ethdev APIs to support filters such as
> these, using a bitfield enum. E.g.:
> 
> /* Enable one or more filters. */
> int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
> 
> /* Disable one or more filters. */
> int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
> 
> /* Get bit field of filters enabled. */
> int64_t rte_ethdev_filter_get(uin16_t port_id);
> 
> /* Get bit field of filters supported by device. */ int64_t
> rte_ethdev_filter_capa(uin16_t port_id); /**/
> 
> /** Destination MAC must match NIC's MAC address.
>  * (This is the inverse of Promiscuous.)
>  * Default enabled.
>  */
> #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> /** Multicast Hash.
>  * (This is the inverse of All Multicast.)
>  * Default enabled.
>  */
> #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> /** Source Prune.
>  * [Insert description here.]
>  */
> #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> /* Add new Rx filters here, in increasing order. */
> /* Add new Tx filters here, in decreasing order. */
> /** Anti-Spoof.
>  * [Insert description here.]
>  */
> #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
> /** Used for error return values which are negative. */
> #define RTE_ETH_FILTER_ERROR           RTE_BIT64(63)