DPDK patches and discussions
 help / color / mirror / Atom feed
From: Simei Su <simei.su@intel.com>
To: qi.z.zhang@intel.com
Cc: dev@dpdk.org, beilei.xing@intel.com, xuan.ding@intel.com,
	Simei Su <simei.su@intel.com>
Subject: [dpdk-dev] [PATCH] net/ice: fix full mask issue for ACL rule
Date: Wed, 11 Nov 2020 19:30:05 +0800	[thread overview]
Message-ID: <20201111113005.50620-1-simei.su@intel.com> (raw)

A rule with an imperfect match(wildcarding) will be routed through
ACL. A perfect match should be rejected by ACL.

Fixes: 40d466fa9f76 ("net/ice: support ACL filter in DCF")

Signed-off-by: Simei Su <simei.su@intel.com>
---
 drivers/net/ice/ice_acl_filter.c | 44 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/drivers/net/ice/ice_acl_filter.c b/drivers/net/ice/ice_acl_filter.c
index 8ca88d2..f7dbe53 100644
--- a/drivers/net/ice/ice_acl_filter.c
+++ b/drivers/net/ice/ice_acl_filter.c
@@ -664,6 +664,14 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 			eth_mask = item->mask;
 
 			if (eth_spec && eth_mask) {
+				if (rte_is_broadcast_ether_addr(&eth_mask->src) ||
+				    rte_is_broadcast_ether_addr(&eth_mask->dst)) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item, "Invalid mac addr mask");
+					return -rte_errno;
+				}
+
 				if (!rte_is_zero_ether_addr(&eth_spec->src) &&
 				    !rte_is_zero_ether_addr(&eth_mask->src)) {
 					input_set |= ICE_INSET_SMAC;
@@ -710,6 +718,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (ipv4_mask->hdr.src_addr == UINT32_MAX ||
+				    ipv4_mask->hdr.dst_addr == UINT32_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid IPv4 mask.");
+					return -rte_errno;
+				}
+
 				if (ipv4_mask->hdr.src_addr) {
 					filter->input.ip.v4.src_ip =
 						ipv4_spec->hdr.src_addr;
@@ -754,6 +771,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (tcp_mask->hdr.src_port == UINT16_MAX ||
+				    tcp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid TCP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    tcp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_TCP_SRC_PORT;
@@ -791,6 +817,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (udp_mask->hdr.src_port == UINT16_MAX ||
+				    udp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid UDP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    udp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_UDP_SRC_PORT;
@@ -818,6 +853,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 				flow_type = ICE_FLTR_PTYPE_NONF_IPV4_SCTP;
 
 			if (sctp_spec && sctp_mask) {
+				if (sctp_mask->hdr.src_port == UINT16_MAX ||
+				    sctp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid SCTP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    sctp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_SCTP_SRC_PORT;
-- 
2.9.5


             reply	other threads:[~2020-11-11 11:38 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-11-11 11:30 Simei Su [this message]
2020-11-11 12:37 ` Zhang, Qi Z

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20201111113005.50620-1-simei.su@intel.com \
    --to=simei.su@intel.com \
    --cc=beilei.xing@intel.com \
    --cc=dev@dpdk.org \
    --cc=qi.z.zhang@intel.com \
    --cc=xuan.ding@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).