From: Slava Ovsiienko <viacheslavo@mellanox.com>
To: Jack Min <jackmin@mellanox.com>, Matan Azrad <matan@mellanox.com>,
Shahaf Shuler <shahafs@mellanox.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>, Ori Kam <orika@mellanox.com>,
"stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [dpdk-dev] [PATCH v2] net/mlx5: improve validation of item order
Date: Tue, 8 Oct 2019 09:43:17 +0000 [thread overview]
Message-ID: <AM4PR05MB3265C2C230B90AF708C658F6D29A0@AM4PR05MB3265.eurprd05.prod.outlook.com> (raw)
In-Reply-To: <099aca2cedb8654adc85923e5497ff8df1003bc5.1568191352.git.jackmin@mellanox.com>
> -----Original Message-----
> From: Xiaoyu Min <jackmin@mellanox.com>
> Sent: Wednesday, September 11, 2019 11:46
> To: Matan Azrad <matan@mellanox.com>; Shahaf Shuler
> <shahafs@mellanox.com>; Slava Ovsiienko <viacheslavo@mellanox.com>
> Cc: dev@dpdk.org; Ori Kam <orika@mellanox.com>; stable@dpdk.org
> Subject: [PATCH v2] net/mlx5: improve validation of item order
>
> The Item order validation between L2 and L3 is missing, which leading to the
> following flow rule is accepted:
>
> testpmd> flow create 0 ingress pattern ipv4 / eth / end actions drop /
> end
>
> Only the outer L3 layer should check whether the L2 layer is present, because
> the L3 layer could directly follow the tunnel layer without L2 layer.
>
> Meanwhile inner L2 layer should check whether there is inner L3 layer before
> it.
>
> Fixes: 23c1d42c7138 ("net/mlx5: split flow validation to dedicated function")
> Cc: stable@dpdk.org
>
> Signed-off-by: Xiaoyu Min <jackmin@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo@mellanox.com>
> ---
> drivers/net/mlx5/mlx5_flow.c | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index eb360525da..45bd9c8025 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -1224,6 +1224,11 @@ mlx5_flow_validate_item_eth(const struct
> rte_flow_item *item,
> return rte_flow_error_set(error, ENOTSUP,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "multiple L2 layers not supported");
> + if (tunnel && (item_flags & MLX5_FLOW_LAYER_INNER_L3))
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "inner L2 layer should not "
> + "follow inner L3 layers");
> if (!mask)
> mask = &rte_flow_item_eth_mask;
> ret = mlx5_flow_item_acceptable(item, (const uint8_t *)mask, @@ -
> 1270,6 +1275,8 @@ mlx5_flow_validate_item_vlan(const struct
> rte_flow_item *item,
> const uint64_t vlanm = tunnel ? MLX5_FLOW_LAYER_INNER_VLAN :
> MLX5_FLOW_LAYER_OUTER_VLAN;
>
> + const uint64_t l2m = tunnel ? MLX5_FLOW_LAYER_INNER_L2 :
> + MLX5_FLOW_LAYER_OUTER_L2;
> if (item_flags & vlanm)
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> @@ -1278,6 +1285,10 @@ mlx5_flow_validate_item_vlan(const struct
> rte_flow_item *item,
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "L2 layer cannot follow L3/L4
> layer");
> + else if ((item_flags & l2m) == 0)
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "no L2 layer before VLAN");
> if (!mask)
> mask = &rte_flow_item_vlan_mask;
> ret = mlx5_flow_item_acceptable(item, (const uint8_t *)mask, @@ -
> 1390,6 +1401,10 @@ mlx5_flow_validate_item_ipv4(const struct
> rte_flow_item *item,
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "L3 cannot follow an NVGRE
> layer.");
> + else if (!tunnel && !(item_flags & MLX5_FLOW_LAYER_OUTER_L2))
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "no L2 layer before IPV4");
> if (!mask)
> mask = &rte_flow_item_ipv4_mask;
> else if (mask->hdr.next_proto_id != 0 && @@ -1481,6 +1496,10 @@
> mlx5_flow_validate_item_ipv6(const struct rte_flow_item *item,
> return rte_flow_error_set(error, EINVAL,
> RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> "L3 cannot follow an NVGRE
> layer.");
> + else if (!tunnel && !(item_flags & MLX5_FLOW_LAYER_OUTER_L2))
> + return rte_flow_error_set(error, EINVAL,
> + RTE_FLOW_ERROR_TYPE_ITEM,
> item,
> + "no L2 layer before IPV6");
> if (!mask)
> mask = &rte_flow_item_ipv6_mask;
> ret = mlx5_flow_item_acceptable(item, (const uint8_t *)mask,
> --
> 2.23.0
next prev parent reply other threads:[~2019-10-08 9:43 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-11 5:25 [dpdk-dev] [PATCH] " Xiaoyu Min
2019-09-11 8:46 ` [dpdk-dev] [PATCH v2] " Xiaoyu Min
2019-10-08 9:43 ` Slava Ovsiienko [this message]
2019-10-08 11:53 ` Raslan Darawsheh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AM4PR05MB3265C2C230B90AF708C658F6D29A0@AM4PR05MB3265.eurprd05.prod.outlook.com \
--to=viacheslavo@mellanox.com \
--cc=dev@dpdk.org \
--cc=jackmin@mellanox.com \
--cc=matan@mellanox.com \
--cc=orika@mellanox.com \
--cc=shahafs@mellanox.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).