net/sfc: avoid creation of ineffective flow rules

Despite being versatile, the hardware support for filtering has a number
of special properties which must be taken into account. Namely, there is
a known set of valid filters which don't take any effect despite being
accepted by the hardware.

The combinations of match flags and field values which can describe the
exceptional filters are as follows:
- ETHER_TYPE or ETHER_TYPE | LOC_MAC with IPv4 or IPv6 EtherType
- ETHER_TYPE | IP_PROTO or ETHER_TYPE | IP_PROTO | LOC_MAC with UDP or
TCP IP protocol value
- The same combinations with OUTER_VID and/or INNER_VID

These exceptional filters can be expressed in terms of RTE flow rules.
If the user creates such a flow rule, no traffic will hit the underlying
filter, and no errors will be reported.

This patch adds a means to prevent such ineffective flow rules from
being created.

Signed-off-by: Roman Zhukov <roman.zhukov@oktetlabs.ru>
Signed-off-by: Andrew Rybchenko <arybchenko@solarflare.com>
Reviewed-by: Ivan Malov <ivan.malov@oktetlabs.ru>
This commit is contained in:
Roman Zhukov 2018-03-06 15:24:58 +00:00 committed by Ferruh Yigit
parent 5448324dc5
commit 096dba799b
2 changed files with 95 additions and 0 deletions

View File

@ -193,6 +193,23 @@ in the mask of destination address. If destinaton address in the spec is
multicast, it matches all multicast (and broadcast) packets, oherwise it
matches unicast packets that are not filtered by other flow rules.
Exceptions to flow rules
~~~~~~~~~~~~~~~~~~~~~~~~
There is a list of exceptional flow rule patterns which will not be
accepted by the PMD. A pattern will be rejected if at least one of the
conditions is met:
- Filtering by IPv4 or IPv6 EtherType without pattern items of internet
layer and above.
- The last item is IPV4 or IPV6, and it's empty.
- Filtering by TCP or UDP IP transport protocol without pattern items of
transport layer and above.
- The last item is TCP or UDP, and it's empty.
Supported NICs
--------------

View File

@ -1919,6 +1919,77 @@ sfc_flow_spec_filters_complete(struct sfc_adapter *sa,
return 0;
}
/**
* Check that set of match flags is referred to by a filter. Filter is
* described by match flags with the ability to add OUTER_VID and INNER_VID
* flags.
*
* @param match_flags[in]
* Set of match flags.
* @param flags_pattern[in]
* Pattern of filter match flags.
*/
static boolean_t
sfc_flow_is_match_with_vids(efx_filter_match_flags_t match_flags,
efx_filter_match_flags_t flags_pattern)
{
if ((match_flags & flags_pattern) != flags_pattern)
return B_FALSE;
switch (match_flags & ~flags_pattern) {
case 0:
case EFX_FILTER_MATCH_OUTER_VID:
case EFX_FILTER_MATCH_OUTER_VID | EFX_FILTER_MATCH_INNER_VID:
return B_TRUE;
default:
return B_FALSE;
}
}
/**
* Check whether the spec maps to a hardware filter which is known to be
* ineffective despite being valid.
*
* @param spec[in]
* SFC flow specification.
*/
static boolean_t
sfc_flow_is_match_flags_exception(struct sfc_flow_spec *spec)
{
unsigned int i;
uint16_t ether_type;
uint8_t ip_proto;
efx_filter_match_flags_t match_flags;
for (i = 0; i < spec->count; i++) {
match_flags = spec->filters[i].efs_match_flags;
if (sfc_flow_is_match_with_vids(match_flags,
EFX_FILTER_MATCH_ETHER_TYPE) ||
sfc_flow_is_match_with_vids(match_flags,
EFX_FILTER_MATCH_ETHER_TYPE |
EFX_FILTER_MATCH_LOC_MAC)) {
ether_type = spec->filters[i].efs_ether_type;
if (ether_type == EFX_ETHER_TYPE_IPV4 ||
ether_type == EFX_ETHER_TYPE_IPV6)
return B_TRUE;
} else if (sfc_flow_is_match_with_vids(match_flags,
EFX_FILTER_MATCH_ETHER_TYPE |
EFX_FILTER_MATCH_IP_PROTO) ||
sfc_flow_is_match_with_vids(match_flags,
EFX_FILTER_MATCH_ETHER_TYPE |
EFX_FILTER_MATCH_IP_PROTO |
EFX_FILTER_MATCH_LOC_MAC)) {
ip_proto = spec->filters[i].efs_ip_proto;
if (ip_proto == EFX_IPPROTO_TCP ||
ip_proto == EFX_IPPROTO_UDP)
return B_TRUE;
}
}
return B_FALSE;
}
static int
sfc_flow_validate_match_flags(struct sfc_adapter *sa,
struct rte_flow *flow,
@ -1938,6 +2009,13 @@ sfc_flow_validate_match_flags(struct sfc_adapter *sa,
return rc;
}
if (sfc_flow_is_match_flags_exception(&flow->spec)) {
rte_flow_error_set(error, ENOTSUP,
RTE_FLOW_ERROR_TYPE_UNSPECIFIED, NULL,
"The flow rule pattern is unsupported");
return -rte_errno;
}
return 0;
}