From: "Zhang, Helin"
To: "Lu, Wenzhuo", "dev@dpdk.org"
Date: Fri, 23 Oct 2015 02:49:28 +0000
Subject: Re: [dpdk-dev] [PATCH v2] ixgbe: Drop flow control frames from VFs
List-Id: patches and discussions about DPDK

> -----Original Message-----
> From: Lu, Wenzhuo
> Sent: Thursday, October 22, 2015 3:34 PM
> To: dev@dpdk.org
> Cc: Zhang, Helin; Lu, Wenzhuo
> Subject: [PATCH v2] ixgbe: Drop flow control frames from VFs
>
> This patch will drop flow control frames from being transmitted from VSIs.
> With this patch in place a malicious VF cannot send flow control or PFC packets
> out on the wire.
>
> V2:
> Reword the comments.
>
> Signed-off-by: Wenzhuo Lu
> --- > drivers/net/ixgbe/ixgbe_pf.c | 43 > +++++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 43 insertions(+) >=20 > diff --git a/drivers/net/ixgbe/ixgbe_pf.c b/drivers/net/ixgbe/ixgbe_pf.c = index > fd1c4ca..b33f4e9 100644 > --- a/drivers/net/ixgbe/ixgbe_pf.c > +++ b/drivers/net/ixgbe/ixgbe_pf.c > @@ -55,6 +55,7 @@ > #define IXGBE_MAX_VFTA (128) > #define IXGBE_VF_MSG_SIZE_DEFAULT 1 > #define IXGBE_VF_GET_QUEUE_MSG_SIZE 5 > +#define IXGBE_ETHERTYPE_FLOW_CTRL 0x8808 >=20 > static inline uint16_t > dev_num_vf(struct rte_eth_dev *eth_dev) 
@@ -166,6 +167,46 @@ void > ixgbe_pf_host_uninit(struct rte_eth_dev *eth_dev) > *vfinfo =3D NULL; > } >=20 > +static void > +ixgbe_add_tx_flow_control_drop_filter(struct rte_eth_dev *eth_dev) { > + struct ixgbe_hw *hw =3D > + IXGBE_DEV_PRIVATE_TO_HW(eth_dev->data->dev_private); > + struct ixgbe_filter_info *filter_info =3D > + IXGBE_DEV_PRIVATE_TO_FILTER_INFO(eth_dev->data->dev_private); > + uint16_t vf_num; > + int i; > + > + /* occupy an entity of ether type filter */ > + for (i =3D 0; i < IXGBE_MAX_ETQF_FILTERS; i++) { > + if (!(filter_info->ethertype_mask & (1 << i))) { > + filter_info->ethertype_mask |=3D 1 << i; > + filter_info->ethertype_filters[i] =3D > + IXGBE_ETHERTYPE_FLOW_CTRL; > + break; > + } > + } > + if (i =3D=3D IXGBE_MAX_ETQF_FILTERS) { > + RTE_LOG(ERR, PMD, "Cannot find an unused ether type filter" > + " entity for flow control.\n"); > + return; > + } > + > + if (hw->mac.ops.set_ethertype_anti_spoofing) { > + IXGBE_WRITE_REG(hw, IXGBE_ETQF(i), > + (IXGBE_ETQF_FILTER_EN | > + IXGBE_ETQF_TX_ANTISPOOF | > + IXGBE_ETHERTYPE_FLOW_CTRL)); > + > + vf_num =3D dev_num_vf(eth_dev); > + for (i =3D 0; i < vf_num; i++) { > + hw->mac.ops.set_ethertype_anti_spoofing(hw, true, i); > + } > + }

ixgbe_set_ethertype_anti_spoofing() is exposed by ixgbe_api.h, and can be used directly.

I think we need a return value for above function, and then the caller can check it. If it fails, does it need to return out, or just skip the failure?

In addition, is this operation only for x550, right? If yes, it may need a check above.

Regards,
Helin

> + > + return; > +} > + > int ixgbe_pf_host_configure(struct rte_eth_dev *eth_dev) { > uint32_t vtctl, fcrth; > @@ -262,6 +303,8 @@ int ixgbe_pf_host_configure(struct rte_eth_dev > *eth_dev) > IXGBE_WRITE_REG(hw, IXGBE_FCRTH_82599(i), fcrth); > } >=20 > + ixgbe_add_tx_flow_control_drop_filter(eth_dev); > + > return 0; > } >=20 > -- > 1.9.3
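
Review bot: In ixgbe_add_tx_flow_control_drop_filter() (hunk @@ -166,6 +167,46 @@), the ether type filter slot is claimed in filter_info (ethertype_mask bit set, ethertype_filters[i] assigned) before the `if (hw->mac.ops.set_ethertype_anti_spoofing)` test, so on a MAC that does not provide that op a slot is consumed and recorded as holding 0x8808 while no IXGBE_ETQF register is written. Test the op first and return before touching filter_info when it is absent. Separately, `i` holds the reserved slot index and is then reused as the VF loop counter; a distinct variable for the VF loop would keep the slot index intact if code is later added after the register write.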
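
Review bot: At the call site in ixgbe_pf_host_configure() (hunk @@ -262,6 +303,8 @@), the new function returns void and the next line is `return 0;`, so when no unused ether type filter is found the only trace is the RTE_LOG(ERR, ...) message and configuration still reports success without the drop filter in place. Since the commit message presents this as protection against a malicious VF, have the function return an error code and decide here explicitly whether to fail PF configuration or continue with a warning that the anti-spoofing filter is not active.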