From: Simei Su <simei.su@intel.com>
To: qi.z.zhang@intel.com
Cc: dev@dpdk.org, beilei.xing@intel.com, xuan.ding@intel.com,
Simei Su <simei.su@intel.com>
Subject: [dpdk-dev] [PATCH] net/ice: fix full mask issue for ACL rule
Date: Wed, 11 Nov 2020 19:30:05 +0800
Message-ID: <20201111113005.50620-1-simei.su@intel.com>
A rule with an imperfect match (wildcarding) will be routed through
ACL. A perfect match should be rejected by ACL.
Fixes: 40d466fa9f76 ("net/ice: support ACL filter in DCF")
Signed-off-by: Simei Su <simei.su@intel.com>
---
drivers/net/ice/ice_acl_filter.c | 44 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 44 insertions(+)
diff --git a/drivers/net/ice/ice_acl_filter.c b/drivers/net/ice/ice_acl_filter.c
index 8ca88d2..f7dbe53 100644
--- a/drivers/net/ice/ice_acl_filter.c
+++ b/drivers/net/ice/ice_acl_filter.c
@@ -664,6 +664,14 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
eth_mask = item->mask;
if (eth_spec && eth_mask) {
+ if (rte_is_broadcast_ether_addr(ð_mask->src) ||
+ rte_is_broadcast_ether_addr(ð_mask->dst)) {
+ rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ item, "Invalid mac addr mask");
+ return -rte_errno;
+ }
+
if (!rte_is_zero_ether_addr(ð_spec->src) &&
!rte_is_zero_ether_addr(ð_mask->src)) {
input_set |= ICE_INSET_SMAC;
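Review bot: The `||` in the new check rejects the whole ETH item as soon as either the source or the destination MAC mask is all ones, so a rule with an exact source MAC and a partially wildcarded destination MAC is refused even though it still contains wildcarding in the commit message's sense. If the intent is to reject only rules with no wildcarding at all, the decision belongs after all items have been parsed rather than per field; if a full mask on any single field is what ACL cannot handle, state that in the commit message and in a comment above the check.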
@@ -710,6 +718,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
return -rte_errno;
}
+ if (ipv4_mask->hdr.src_addr == UINT32_MAX ||
+ ipv4_mask->hdr.dst_addr == UINT32_MAX) {
+ rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ item,
+ "Invalid IPv4 mask.");
+ return -rte_errno;
+ }
+
if (ipv4_mask->hdr.src_addr) {
filter->input.ip.v4.src_ip =
ipv4_spec->hdr.src_addr;
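Review bot: The error string "Invalid IPv4 mask." ends with a period while the other four messages added by this patch do not, and none of them tells the user what is wrong with the mask. An all-ones mask is a legal rte_flow mask that this engine chooses not to accept, so wording such as "Full IPv4 address mask is not supported by ACL" would describe the rejection accurately and make the five messages consistent.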
@@ -754,6 +771,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
return -rte_errno;
}
+ if (tcp_mask->hdr.src_port == UINT16_MAX ||
+ tcp_mask->hdr.dst_port == UINT16_MAX) {
+ rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ item,
+ "Invalid TCP mask");
+ return -rte_errno;
+ }
+
if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
tcp_mask->hdr.src_port) {
input_set |= ICE_INSET_TCP_SRC_PORT;
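Review bot: This src_port/dst_port comparison against UINT16_MAX is repeated in the UDP and SCTP hunks that follow, differing only in the message text. A small static helper that takes the two port masks and is called from the TCP, UDP and SCTP cases would keep the three copies in step. The check also sits ahead of the `l3 == RTE_FLOW_ITEM_TYPE_IPV4` test, so it runs whatever the L3 type is; please confirm that is intended.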
@@ -791,6 +817,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
return -rte_errno;
}
+ if (udp_mask->hdr.src_port == UINT16_MAX ||
+ udp_mask->hdr.dst_port == UINT16_MAX) {
+ rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ item,
+ "Invalid UDP mask");
+ return -rte_errno;
+ }
+
if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
udp_mask->hdr.src_port) {
input_set |= ICE_INSET_UDP_SRC_PORT;
@@ -818,6 +853,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
flow_type = ICE_FLTR_PTYPE_NONF_IPV4_SCTP;
if (sctp_spec && sctp_mask) {
+ if (sctp_mask->hdr.src_port == UINT16_MAX ||
+ sctp_mask->hdr.dst_port == UINT16_MAX) {
+ rte_flow_error_set(error, EINVAL,
+ RTE_FLOW_ERROR_TYPE_ITEM,
+ item,
+ "Invalid SCTP mask");
+ return -rte_errno;
+ }
+
if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
sctp_mask->hdr.src_port) {
input_set |= ICE_INSET_SCTP_SRC_PORT;
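Review bot: The diffstat lists only ice_acl_filter.c, so the new restriction that a fully masked MAC address, IPv4 address or L4 port is refused by the ACL parser is not documented anywhere a user would look when "Invalid SCTP mask" comes back. Please add a line to the ice driver documentation and a short comment above this check explaining why a full mask is rejected here.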
--
2.9.5