A flow rule must not include multiple tunnel layers. An attempt to create such a rule, for example: testpmd> flow create .../ vxlan / eth / ipv4 proto is 4 / end <actions> results in an unclear error. In the current implementation there is a check for multiple IPIP tunnels, but not for combination of IPIP and a different kind of tunnel, such as VXLAN. The fix is to enhance the above check to use MLX5_FLOW_LAYER_TUNNEL that consists of all the tunnel masks. The error message will be "multiple tunnel not supported". Fixes: 5e33bebdd8d3 ("net/mlx5: support IP-in-IP tunnel") Cc: stable@dpdk.org Signed-off-by: Lior Margalit <lmargalit@nvidia.com> Acked-by: Ori Kam <orika@nvidia.com> --- drivers/net/mlx5/mlx5_flow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c index e5e062d09a..c5c767aaee 100644 --- a/drivers/net/mlx5/mlx5_flow.c +++ b/drivers/net/mlx5/mlx5_flow.c @@ -2124,7 +2124,7 @@ mlx5_flow_validate_item_ipv4(const struct rte_flow_item *item, RTE_FLOW_ERROR_TYPE_ITEM, item, "IPv4 cannot follow L2/VLAN layer " "which ether type is not IPv4"); - if (item_flags & MLX5_FLOW_LAYER_IPIP) { + if (item_flags & MLX5_FLOW_LAYER_TUNNEL) { if (mask && spec) next_proto = mask->hdr.next_proto_id & spec->hdr.next_proto_id; @@ -2232,7 +2232,7 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_item *item, "which ether type is not IPv6"); if (mask && mask->hdr.proto == UINT8_MAX && spec) next_proto = spec->hdr.proto; - if (item_flags & MLX5_FLOW_LAYER_IPV6_ENCAP) { + if (item_flags & MLX5_FLOW_LAYER_TUNNEL) { if (next_proto == IPPROTO_IPIP || next_proto == IPPROTO_IPV6) return rte_flow_error_set(error, EINVAL, RTE_FLOW_ERROR_TYPE_ITEM, -- 2.21.0
From: Lior Margalit
> A flow rule must not include multiple tunnel layers.
> An attempt to create such a rule, for example:
> testpmd> flow create .../ vxlan / eth / ipv4 proto is 4 / end <actions>
> results in an unclear error.
>
> In the current implementation there is a check for multiple IPIP tunnels, but
> not for combination of IPIP and a different kind of tunnel, such as VXLAN.
> The fix is to enhance the above check to use MLX5_FLOW_LAYER_TUNNEL
> that consists of all the tunnel masks. The error message will be "multiple
> tunnel not supported".
>
> Fixes: 5e33bebdd8d3 ("net/mlx5: support IP-in-IP tunnel")
> Cc: stable@dpdk.org
>
> Signed-off-by: Lior Margalit <lmargalit@nvidia.com>
> Acked-by: Ori Kam <orika@nvidia.com>
Acked-by: Matan Azrad <matan@nvidia.com>
Hi,
> -----Original Message-----
> From: dev <dev-bounces@dpdk.org> On Behalf Of Lior Margalit
> Sent: Wednesday, June 16, 2021 10:01 AM
> To: dev@dpdk.org; Slava Ovsiienko <viacheslavo@nvidia.com>; Matan Azrad
> <matan@nvidia.com>
> Cc: Ori Kam <orika@nvidia.com>; Lior Margalit <lmargalit@nvidia.com>;
> stable@dpdk.org
> Subject: [dpdk-dev] [PATCH v1] net/mlx5: fix IPIP multi tunnel validation
>
> A flow rule must not include multiple tunnel layers.
> An attempt to create such a rule, for example:
> testpmd> flow create .../ vxlan / eth / ipv4 proto is 4 / end <actions>
> results in an unclear error.
>
> In the current implementation there is a check for
> multiple IPIP tunnels, but not for combination of IPIP
> and a different kind of tunnel, such as VXLAN. The fix
> is to enhance the above check to use MLX5_FLOW_LAYER_TUNNEL
> that consists of all the tunnel masks. The error message
> will be "multiple tunnel not supported".
>
> Fixes: 5e33bebdd8d3 ("net/mlx5: support IP-in-IP tunnel")
> Cc: stable@dpdk.org
>
Patch applied to next-net-mlx,
Kindest regards,
Raslan Darawsheh