From: Andrew Rybchenko <arybchenko@solarflare.com>
To: <dev@dpdk.org>
Cc: Roman Zhukov <Roman.Zhukov@oktetlabs.ru>
Subject: [dpdk-dev] [PATCH v2 13/14] net/sfc: avoid creation of ineffective flow rules
Date: Tue, 6 Mar 2018 15:24:58 +0000 [thread overview]
Message-ID: <1520349899-31810-14-git-send-email-arybchenko@solarflare.com> (raw)
In-Reply-To: <1520349899-31810-1-git-send-email-arybchenko@solarflare.com>
From: Roman Zhukov <Roman.Zhukov@oktetlabs.ru>
Despite being versatile, the hardware support for filtering has a number
of special properties which must be taken into account. Namely, there is
a known set of valid filters which don't take any effect despite being
accepted by the hardware.
The combinations of match flags and field values which can describe the
exceptional filters are as follows:
- ETHER_TYPE or ETHER_TYPE | LOC_MAC with IPv4 or IPv6 EtherType
- ETHER_TYPE | IP_PROTO or ETHER_TYPE | IP_PROTO | LOC_MAC with UDP or
TCP IP protocol value
- The same combinations with OUTER_VID and/or INNER_VID
These exceptional filters can be expressed in terms of RTE flow rules.
If the user creates such a flow rule, no traffic will hit the underlying
filter, and no errors will be reported.
This patch adds a means to prevent such ineffective flow rules from
being created.
Signed-off-by: Roman Zhukov <Roman.Zhukov@oktetlabs.ru>
Signed-off-by: Andrew Rybchenko <arybchenko@solarflare.com>
Reviewed-by: Ivan Malov <ivan.malov@oktetlabs.ru>
---
doc/guides/nics/sfc_efx.rst | 17 ++++++++++
drivers/net/sfc/sfc_flow.c | 78 +++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 95 insertions(+)
diff --git a/doc/guides/nics/sfc_efx.rst b/doc/guides/nics/sfc_efx.rst
index 539ce90..f41ccdb 100644
--- a/doc/guides/nics/sfc_efx.rst
+++ b/doc/guides/nics/sfc_efx.rst
@@ -193,6 +193,23 @@ in the mask of destination address. If destinaton address in the spec is
multicast, it matches all multicast (and broadcast) packets, oherwise it
matches unicast packets that are not filtered by other flow rules.
+Exceptions to flow rules
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+There is a list of exceptional flow rule patterns which will not be
+accepted by the PMD. A pattern will be rejected if at least one of the
+conditions is met:
+
+- Filtering by IPv4 or IPv6 EtherType without pattern items of internet
+ layer and above.
+
+- The last item is IPV4 or IPV6, and it's empty.
+
+- Filtering by TCP or UDP IP transport protocol without pattern items of
+ transport layer and above.
+
+- The last item is TCP or UDP, and it's empty.
+
Supported NICs
--------------
diff --git a/drivers/net/sfc/sfc_flow.c b/drivers/net/sfc/sfc_flow.c
index 7b26653..2b8bef8 100644
--- a/drivers/net/sfc/sfc_flow.c
+++ b/drivers/net/sfc/sfc_flow.c
@@ -1919,6 +1919,77 @@ sfc_flow_spec_filters_complete(struct sfc_adapter *sa,
return 0;
}
+/**
+ * Check that set of match flags is referred to by a filter. Filter is
+ * described by match flags with the ability to add OUTER_VID and INNER_VID
+ * flags.
+ *
+ * @param match_flags[in]
+ * Set of match flags.
+ * @param flags_pattern[in]
+ * Pattern of filter match flags.
+ */
+static boolean_t
+sfc_flow_is_match_with_vids(efx_filter_match_flags_t match_flags,
+ efx_filter_match_flags_t flags_pattern)
+{
+ if ((match_flags & flags_pattern) != flags_pattern)
+ return B_FALSE;
+
+ switch (match_flags & ~flags_pattern) {
+ case 0:
+ case EFX_FILTER_MATCH_OUTER_VID:
+ case EFX_FILTER_MATCH_OUTER_VID | EFX_FILTER_MATCH_INNER_VID:
+ return B_TRUE;
+ default:
+ return B_FALSE;
+ }
+}
+
+/**
+ * Check whether the spec maps to a hardware filter which is known to be
+ * ineffective despite being valid.
+ *
+ * @param spec[in]
+ * SFC flow specification.
+ */
+static boolean_t
+sfc_flow_is_match_flags_exception(struct sfc_flow_spec *spec)
+{
+ unsigned int i;
+ uint16_t ether_type;
+ uint8_t ip_proto;
+ efx_filter_match_flags_t match_flags;
+
+ for (i = 0; i < spec->count; i++) {
+ match_flags = spec->filters[i].efs_match_flags;
+
+ if (sfc_flow_is_match_with_vids(match_flags,
+ EFX_FILTER_MATCH_ETHER_TYPE) ||
+ sfc_flow_is_match_with_vids(match_flags,
+ EFX_FILTER_MATCH_ETHER_TYPE |
+ EFX_FILTER_MATCH_LOC_MAC)) {
+ ether_type = spec->filters[i].efs_ether_type;
+ if (ether_type == EFX_ETHER_TYPE_IPV4 ||
+ ether_type == EFX_ETHER_TYPE_IPV6)
+ return B_TRUE;
+ } else if (sfc_flow_is_match_with_vids(match_flags,
+ EFX_FILTER_MATCH_ETHER_TYPE |
+ EFX_FILTER_MATCH_IP_PROTO) ||
+ sfc_flow_is_match_with_vids(match_flags,
+ EFX_FILTER_MATCH_ETHER_TYPE |
+ EFX_FILTER_MATCH_IP_PROTO |
+ EFX_FILTER_MATCH_LOC_MAC)) {
+ ip_proto = spec->filters[i].efs_ip_proto;
+ if (ip_proto == EFX_IPPROTO_TCP ||
+ ip_proto == EFX_IPPROTO_UDP)
+ return B_TRUE;
+ }
+ }
+
+ return B_FALSE;
+}
+
static int
sfc_flow_validate_match_flags(struct sfc_adapter *sa,
struct rte_flow *flow,
@@ -1938,6 +2009,13 @@ sfc_flow_validate_match_flags(struct sfc_adapter *sa,
return rc;
}
+ if (sfc_flow_is_match_flags_exception(&flow->spec)) {
+ rte_flow_error_set(error, ENOTSUP,
+ RTE_FLOW_ERROR_TYPE_UNSPECIFIED, NULL,
+ "The flow rule pattern is unsupported");
+ return -rte_errno;
+ }
+
return 0;
}
--
2.7.4
next prev parent reply other threads:[~2018-03-06 15:27 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-27 12:45 [dpdk-dev] [PATCH 00/14] net/sfc: support flow API for tunnels Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 01/14] net/sfc/base: support filters for encapsulated packets Andrew Rybchenko
2018-03-06 15:13 ` Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 02/14] net/sfc/base: support VNI/VSID and inner frame local MAC Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 03/14] net/sfc/base: support VXLAN filter creation Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 04/14] net/sfc/base: distinguish filters for encapsulated packets Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 05/14] net/sfc: add VXLAN in flow API filters support Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 06/14] net/sfc: add NVGRE " Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 07/14] net/sfc: add GENEVE " Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 08/14] net/sfc: add inner frame ETH " Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 09/14] net/sfc: add infrastructure to make many filters from flow Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 10/14] net/sfc: multiply of specs with an unknown EtherType Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 11/14] net/sfc: multiply of specs w/o inner frame destination MAC Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 12/14] net/sfc: multiply of specs with an unknown " Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 13/14] net/sfc: avoid creation of ineffective flow rules Andrew Rybchenko
2018-02-27 12:45 ` [dpdk-dev] [PATCH 14/14] doc: add net/sfc flow API support for tunnels Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 00/14] net/sfc: support flow API " Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 01/14] net/sfc/base: support filters for encapsulated packets Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 02/14] net/sfc/base: support VNI/VSID and inner frame local MAC Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 03/14] net/sfc/base: support VXLAN filter creation Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 04/14] net/sfc/base: distinguish filters for encapsulated packets Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 05/14] net/sfc: add VXLAN in flow API filters support Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 06/14] net/sfc: add NVGRE " Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 07/14] net/sfc: add GENEVE " Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 08/14] net/sfc: add inner frame ETH " Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 09/14] net/sfc: add infrastructure to make many filters from flow Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 10/14] net/sfc: multiply of specs with an unknown EtherType Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 11/14] net/sfc: multiply of specs w/o inner frame destination MAC Andrew Rybchenko
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 12/14] net/sfc: multiply of specs with an unknown " Andrew Rybchenko
2018-03-06 15:24 ` Andrew Rybchenko [this message]
2018-03-06 15:24 ` [dpdk-dev] [PATCH v2 14/14] doc: add net/sfc flow API support for tunnels Andrew Rybchenko
2018-03-09 10:37 ` [dpdk-dev] [PATCH v2 00/14] net/sfc: support flow API " Ferruh Yigit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1520349899-31810-14-git-send-email-arybchenko@solarflare.com \
--to=arybchenko@solarflare.com \
--cc=Roman.Zhukov@oktetlabs.ru \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).