net/sfc: avoid creation of ineffective flow rules
Despite being versatile, the hardware support for filtering has a number of special properties which must be taken into account. Namely, there is a known set of valid filters which don't take any effect despite being accepted by the hardware. The combinations of match flags and field values which can describe the exceptional filters are as follows: - ETHER_TYPE or ETHER_TYPE | LOC_MAC with IPv4 or IPv6 EtherType - ETHER_TYPE | IP_PROTO or ETHER_TYPE | IP_PROTO | LOC_MAC with UDP or TCP IP protocol value - The same combinations with OUTER_VID and/or INNER_VID These exceptional filters can be expressed in terms of RTE flow rules. If the user creates such a flow rule, no traffic will hit the underlying filter, and no errors will be reported. This patch adds a means to prevent such ineffective flow rules from being created. Signed-off-by: Roman Zhukov <roman.zhukov@oktetlabs.ru> Signed-off-by: Andrew Rybchenko <arybchenko@solarflare.com> Reviewed-by: Ivan Malov <ivan.malov@oktetlabs.ru>
This commit is contained in:
parent
5448324dc5
commit
096dba799b
@ -193,6 +193,23 @@ in the mask of destination address. If destinaton address in the spec is
|
||||
multicast, it matches all multicast (and broadcast) packets, oherwise it
|
||||
matches unicast packets that are not filtered by other flow rules.
|
||||
|
||||
Exceptions to flow rules
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
There is a list of exceptional flow rule patterns which will not be
|
||||
accepted by the PMD. A pattern will be rejected if at least one of the
|
||||
conditions is met:
|
||||
|
||||
- Filtering by IPv4 or IPv6 EtherType without pattern items of internet
|
||||
layer and above.
|
||||
|
||||
- The last item is IPV4 or IPV6, and it's empty.
|
||||
|
||||
- Filtering by TCP or UDP IP transport protocol without pattern items of
|
||||
transport layer and above.
|
||||
|
||||
- The last item is TCP or UDP, and it's empty.
|
||||
|
||||
|
||||
Supported NICs
|
||||
--------------
|
||||
|
@ -1919,6 +1919,77 @@ sfc_flow_spec_filters_complete(struct sfc_adapter *sa,
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Check that set of match flags is referred to by a filter. Filter is
|
||||
* described by match flags with the ability to add OUTER_VID and INNER_VID
|
||||
* flags.
|
||||
*
|
||||
* @param match_flags[in]
|
||||
* Set of match flags.
|
||||
* @param flags_pattern[in]
|
||||
* Pattern of filter match flags.
|
||||
*/
|
||||
static boolean_t
|
||||
sfc_flow_is_match_with_vids(efx_filter_match_flags_t match_flags,
|
||||
efx_filter_match_flags_t flags_pattern)
|
||||
{
|
||||
if ((match_flags & flags_pattern) != flags_pattern)
|
||||
return B_FALSE;
|
||||
|
||||
switch (match_flags & ~flags_pattern) {
|
||||
case 0:
|
||||
case EFX_FILTER_MATCH_OUTER_VID:
|
||||
case EFX_FILTER_MATCH_OUTER_VID | EFX_FILTER_MATCH_INNER_VID:
|
||||
return B_TRUE;
|
||||
default:
|
||||
return B_FALSE;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Check whether the spec maps to a hardware filter which is known to be
|
||||
* ineffective despite being valid.
|
||||
*
|
||||
* @param spec[in]
|
||||
* SFC flow specification.
|
||||
*/
|
||||
static boolean_t
|
||||
sfc_flow_is_match_flags_exception(struct sfc_flow_spec *spec)
|
||||
{
|
||||
unsigned int i;
|
||||
uint16_t ether_type;
|
||||
uint8_t ip_proto;
|
||||
efx_filter_match_flags_t match_flags;
|
||||
|
||||
for (i = 0; i < spec->count; i++) {
|
||||
match_flags = spec->filters[i].efs_match_flags;
|
||||
|
||||
if (sfc_flow_is_match_with_vids(match_flags,
|
||||
EFX_FILTER_MATCH_ETHER_TYPE) ||
|
||||
sfc_flow_is_match_with_vids(match_flags,
|
||||
EFX_FILTER_MATCH_ETHER_TYPE |
|
||||
EFX_FILTER_MATCH_LOC_MAC)) {
|
||||
ether_type = spec->filters[i].efs_ether_type;
|
||||
if (ether_type == EFX_ETHER_TYPE_IPV4 ||
|
||||
ether_type == EFX_ETHER_TYPE_IPV6)
|
||||
return B_TRUE;
|
||||
} else if (sfc_flow_is_match_with_vids(match_flags,
|
||||
EFX_FILTER_MATCH_ETHER_TYPE |
|
||||
EFX_FILTER_MATCH_IP_PROTO) ||
|
||||
sfc_flow_is_match_with_vids(match_flags,
|
||||
EFX_FILTER_MATCH_ETHER_TYPE |
|
||||
EFX_FILTER_MATCH_IP_PROTO |
|
||||
EFX_FILTER_MATCH_LOC_MAC)) {
|
||||
ip_proto = spec->filters[i].efs_ip_proto;
|
||||
if (ip_proto == EFX_IPPROTO_TCP ||
|
||||
ip_proto == EFX_IPPROTO_UDP)
|
||||
return B_TRUE;
|
||||
}
|
||||
}
|
||||
|
||||
return B_FALSE;
|
||||
}
|
||||
|
||||
static int
|
||||
sfc_flow_validate_match_flags(struct sfc_adapter *sa,
|
||||
struct rte_flow *flow,
|
||||
@ -1938,6 +2009,13 @@ sfc_flow_validate_match_flags(struct sfc_adapter *sa,
|
||||
return rc;
|
||||
}
|
||||
|
||||
if (sfc_flow_is_match_flags_exception(&flow->spec)) {
|
||||
rte_flow_error_set(error, ENOTSUP,
|
||||
RTE_FLOW_ERROR_TYPE_UNSPECIFIED, NULL,
|
||||
"The flow rule pattern is unsupported");
|
||||
return -rte_errno;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user