From: "Mandal, Anurag" <anurag.mandal@intel.com>
To: "mb@smartsharesystems.com" <mb@smartsharesystems.com>,
"Richardson, Bruce" <bruce.richardson@intel.com>
Cc: "Burakov, Anatoly" <anatoly.burakov@intel.com>,
"dev@dpdk.org" <dev@dpdk.org>
Subject: RE: [PATCH v5] net/ice: add MAC anti-spoof option
Date: Mon, 5 Jan 2026 11:30:45 +0000
Message-ID: <CY5PR11MB61160E26A3AFEA280405C580E486A@CY5PR11MB6116.namprd11.prod.outlook.com>
In-Reply-To: <20251230114828.6156-1-anurag.mandal@intel.com>
> -----Original Message-----
> From: Mandal, Anurag <anurag.mandal@intel.com>
> Sent: 30 December 2025 17:18
> To: dev@dpdk.org
> Cc: Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; mb@smartsharesystems.com; Mandal,
> Anurag <anurag.mandal@intel.com>
> Subject: [PATCH v5] net/ice: add MAC anti-spoof option
>
> VRRP advertisement packets are dropped as TX-errors upon transmission
> from a vsi of ice PF due to MAC anti-spoof check, which is enabled by default.
> There is no way to disable this security check in the Tx direction to avoid these
> packets being dropped.
>
> This patch introduces devargs "mac-anti-spoof" to allow user to disable MAC
> anti-spoof check. Disable MAC Anti-spoof check in the Tx direction to send
> outgoing packets even when their destination MAC address matches one of
> the MAC addresses assigned to that same NIC port and avoid getting dropped
> as TX-errors.
>
> Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> ---
> V5: Addressed CI failures
> - Removed ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
> flag as that is causing CI failures and observed
> MAC Anti-spoof check is enabled by default
> irrespective of that flag.
> V4: Addressed ASan CI failures & Morten Brørup's feedback
> - set the default value of the devargs to 1
> - enabled MAC anti-spoof check by default
> - provided devargs option to disable the same
>
> V3: Addressed Morten Brørup's feedback
> - set the default value of the devargs to 0
> - disabled MAC anti-spoof check by default
> - provided devargs option to enable the same
> - synchronized with source prune
>
> V2: Addressed Bruce Richardson's feedback
> - changed devargs name to "mac-anti-spoof"
> - changed devargs member name to "mac_anti_spoof"
> - changed macro name to "ICE_MAC_ANTI_SPOOF_ARG"
> - set the default value of the devargs to 1
> - added NOTICE log msg when MAC Anti-spoof is disabled
> - added more code comments to provide clarity
> - fixed typo error with ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
>
> doc/guides/nics/ice.rst | 12 ++++++++
> drivers/net/intel/ice/ice_ethdev.c | 44 +++++++++++++++++++++++++++++-
> drivers/net/intel/ice/ice_ethdev.h | 1 +
> 3 files changed, 56 insertions(+), 1 deletion(-)
>
> diff --git a/doc/guides/nics/ice.rst b/doc/guides/nics/ice.rst index
> 6cc27cefa7..c3e9cfaee3 100644
> --- a/doc/guides/nics/ice.rst
> +++ b/doc/guides/nics/ice.rst
> @@ -194,6 +194,18 @@ Runtime Configuration
>
> -a 80:00.0,source-prune=1
>
> +- ``MAC Anti-spoof Disable`` (default ``1``)
> +
> + Disable MAC Anti-spoof check in the Tx direction to send outgoing
> + packets when their destination MAC address matches one of the MAC
> + addresses assigned to that same NIC port.By default, these outgoing
> + packets are dropped due to MAC Anti-spoof check.
> +
> + MAC Anti-spoof can be disabled by resetting the devargs parameter
> + ``mac-anti-spoof``, for example::
> +
> + -a 80:00.0,mac-anti-spoof=0
> +
> - ``Protocol extraction for per queue``
>
> Configure the RX queues to do protocol extraction into mbuf for protocol
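
Review bot: The entry title ``MAC Anti-spoof Disable`` (default ``1``) reads as if the check is disabled by default, while the body says the packets are dropped by default and `mac-anti-spoof=0` is what turns the check off. Naming the entry after the devarg, for example ``MAC Anti-spoof`` (default ``1``, check enabled), would remove the ambiguity. There is a missing space in "port.By default", and since the option relaxes a Tx security check, the entry should say when turning it off is appropriate (the commit message names VRRP).
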
> diff --git a/drivers/net/intel/ice/ice_ethdev.c
> b/drivers/net/intel/ice/ice_ethdev.c
> index c1d92435d1..7251b111e0 100644
> --- a/drivers/net/intel/ice/ice_ethdev.c
> +++ b/drivers/net/intel/ice/ice_ethdev.c
> @@ -42,6 +42,7 @@
> #define ICE_DDP_LOAD_SCHED_ARG "ddp_load_sched_topo"
> #define ICE_TM_LEVELS_ARG "tm_sched_levels"
> #define ICE_SOURCE_PRUNE_ARG "source-prune"
> +#define ICE_MAC_ANTI_SPOOF_ARG "mac-anti-spoof"
> #define ICE_LINK_STATE_ON_CLOSE "link_state_on_close"
>
> #define ICE_CYCLECOUNTER_MASK 0xffffffffffffffffULL @@ -60,6 +61,7 @@
> static const char * const ice_valid_args[] = {
> ICE_DDP_LOAD_SCHED_ARG,
> ICE_TM_LEVELS_ARG,
> ICE_SOURCE_PRUNE_ARG,
> + ICE_MAC_ANTI_SPOOF_ARG,
> ICE_LINK_STATE_ON_CLOSE,
> NULL
> };
> @@ -1761,13 +1763,46 @@ ice_setup_vsi(struct ice_pf *pf, enum
> ice_vsi_type type)
> /* Source Prune */
> if (ad->devargs.source_prune != 1) {
> /* Disable source prune to support VRRP
> - * when source-prune devarg is not set
> + * when source-prune devargs is not set
> */
> vsi_ctx.info.sw_flags =
> ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
> vsi_ctx.info.sw_flags |=
> ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> }
> + /* MAC Anti-spoof */
> + /* By default, Source Prune in Rx is disabled
> + * and MAC Anti-spoof check in Tx is enabled.
> + *
> + * Source Prune is disabled by setting local
> + * loopback with ICE_AQ_VSI_SW_FLAG_LOCAL_LB
> + * flag in the Rx direction.
> + * ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to
> + * prevent transmitted packets from being
> + * looped back in some circumstances.
> + *
> + * MAC Anti-spoof check can be disabled by
> + * clearing ICE_AQ_VSI_SW_FLAG_SRC_PRUNE
> + * flag and setting Tx loopback with
> + * ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the
> + * Tx direction.
> + */
> + if (ad->devargs.mac_anti_spoof == 0) {
> + /* Disable mac anti-spoof check in the
> + * Tx direction to avoid outgoing
> + * packets getting dropped as
> + * TX-errors for VRRP support when
> + * mac-anti-spoof devargs is not set
> + */
> + vsi_ctx.info.sw_flags &=
> + ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
> + PMD_INIT_LOG(NOTICE,
> + "Disabling MAC Anti-spoof check "
> + "in the Tx direction does not "
> + "affect Source Prune in the Rx direction");
> + vsi_ctx.info.sw_flags |=
> + ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
> + }
> cfg = ICE_AQ_VSI_PROP_SW_VALID;
> vsi_ctx.info.valid_sections |= rte_cpu_to_le_16(cfg);
> vsi_ctx.info.sw_flags2 = ICE_AQ_VSI_SW_FLAG_LAN_ENA;
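
Review bot: The comment inside `if (ad->devargs.mac_anti_spoof == 0)` says the check is disabled "when mac-anti-spoof devargs is not set", but `ice_parse_devargs()` defaults the field to 1, so this branch runs only when the user passes `mac-anti-spoof=0` explicitly; the comment should say so. The NOTICE text states only that Source Prune in Rx is unaffected, yet the branch clears `ICE_AQ_VSI_SW_FLAG_SRC_PRUNE`, the same flag the source-prune block just above sets, so the block comment should explain why clearing it leaves Rx pruning untouched. Because this switches off a security check, the log should also state plainly that MAC anti-spoof is disabled. The `devarg` to `devargs` comment edit at the top of the hunk is unrelated to the feature and could be dropped.
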
> @@ -2398,6 +2433,7 @@ static int ice_parse_devargs(struct rte_eth_dev
> *dev)
> return -EINVAL;
> }
>
> + ad->devargs.mac_anti_spoof = 1; /* enabled by default */
> ad->devargs.proto_xtr_dflt = PROTO_XTR_NONE;
> memset(ad->devargs.proto_xtr, PROTO_XTR_NONE,
> sizeof(ad->devargs.proto_xtr)); @@ -2467,6 +2503,11 @@ static
> int ice_parse_devargs(struct rte_eth_dev *dev)
> if (ret)
> goto bail;
>
> + ret = rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_ARG,
> + &parse_bool, &ad-
> >devargs.mac_anti_spoof);
> + if (ret)
> + goto bail;
> +
> ret = rte_kvargs_process(kvlist, ICE_LINK_STATE_ON_CLOSE,
> &parse_link_state_on_close, &ad-
> >devargs.link_state_on_close);
>
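
Review bot: The new `rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_ARG, &parse_bool, ...)` call passes `parse_bool` a pointer to `ad->devargs.mac_anti_spoof`, which the header hunk declares as `uint8_t`; `parse_bool` is not part of this patch, so please confirm it stores through a pointer of that width and rejects values other than 0 and 1. If it writes an `int`, the field type or the handler needs to change.
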
> @@ -7732,6 +7773,7 @@ RTE_PMD_REGISTER_PARAM_STRING(net_ice,
> ICE_DDP_LOAD_SCHED_ARG "=<0|1>"
> ICE_TM_LEVELS_ARG "=<N>"
> ICE_SOURCE_PRUNE_ARG "=<0|1>"
> + ICE_MAC_ANTI_SPOOF_ARG "=<0|1>"
> ICE_RX_LOW_LATENCY_ARG "=<0|1>"
> ICE_LINK_STATE_ON_CLOSE
> "=<down|up|initial>");
>
> diff --git a/drivers/net/intel/ice/ice_ethdev.h
> b/drivers/net/intel/ice/ice_ethdev.h
> index 72ed65f13b..5fe4688d57 100644
> --- a/drivers/net/intel/ice/ice_ethdev.h
> +++ b/drivers/net/intel/ice/ice_ethdev.h
> @@ -617,6 +617,7 @@ struct ice_devargs {
> uint8_t ddp_load_sched;
> uint8_t tm_exposed_levels;
> uint8_t source_prune;
> + uint8_t mac_anti_spoof;
> int link_state_on_close;
> int xtr_field_offs;
> uint8_t xtr_flag_offs[PROTO_XTR_MAX];
> --
> 2.34.1
Hi Morten Brørup/Bruce,
Kindly review this patch. No CI errors reported.
Thank you.
Regards,
Anurag M