net/ice: fix full mask issue for ACL rule

Message ID 20201111113005.50620-1-simei.su@intel.com (mailing list archive)
State Accepted, archived
Delegated to: Qi Zhang
Series net/ice: fix full mask issue for ACL rule

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/Intel-compilation success Compilation OK
ci/iol-broadcom-Functional success Functional Testing PASS
ci/iol-broadcom-Performance success Performance Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-testing success Testing PASS
ci/travis-robot success Travis build: passed
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-intel-Functional success Functional Testing PASS

Commit Message

Simei Su Nov. 11, 2020, 11:30 a.m. UTC
A rule with an imperfect match (wildcarding) will be routed through
ACL. A perfect match should be rejected by ACL.

Fixes: 40d466fa9f76 ("net/ice: support ACL filter in DCF")

Signed-off-by: Simei Su <simei.su@intel.com>
---
 drivers/net/ice/ice_acl_filter.c | 44 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)
  

Comments

Qi Zhang Nov. 11, 2020, 12:37 p.m. UTC | #1
> -----Original Message-----
> From: Su, Simei <simei.su@intel.com>
> Sent: Wednesday, November 11, 2020 7:30 PM
> To: Zhang, Qi Z <qi.z.zhang@intel.com>
> Cc: dev@dpdk.org; Xing, Beilei <beilei.xing@intel.com>; Ding, Xuan
> <xuan.ding@intel.com>; Su, Simei <simei.su@intel.com>
> Subject: [PATCH] net/ice: fix full mask issue for ACL rule
> 
> A rule with an imperfect match (wildcarding) will be routed through ACL. A
> perfect match should be rejected by ACL.
> 
> Fixes: 40d466fa9f76 ("net/ice: support ACL filter in DCF")
> 
> Signed-off-by: Simei Su <simei.su@intel.com>

Acked-by: Qi Zhang <qi.z.zhang@intel.com>

Applied to dpdk-next-net-intel.

Thanks
Qi
  

Patch

diff --git a/drivers/net/ice/ice_acl_filter.c b/drivers/net/ice/ice_acl_filter.c
index 8ca88d2..f7dbe53 100644
--- a/drivers/net/ice/ice_acl_filter.c
+++ b/drivers/net/ice/ice_acl_filter.c
@@ -664,6 +664,14 @@  ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 			eth_mask = item->mask;
 
 			if (eth_spec && eth_mask) {
+				if (rte_is_broadcast_ether_addr(&eth_mask->src) ||
+				    rte_is_broadcast_ether_addr(&eth_mask->dst)) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item, "Invalid mac addr mask");
+					return -rte_errno;
+				}
+
 				if (!rte_is_zero_ether_addr(&eth_spec->src) &&
 				    !rte_is_zero_ether_addr(&eth_mask->src)) {
 					input_set |= ICE_INSET_SMAC;
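
Review bot: the added condition `rte_is_broadcast_ether_addr(&eth_mask->src) || rte_is_broadcast_ether_addr(&eth_mask->dst)` rejects the item as soon as one of the two MAC masks is all ones, so a rule that fully masks the source and wildcards the destination is refused too, while the commit message only speaks of a perfect match. If rejecting any fully masked field is the intent, state that in the commit log and in a comment above the check; if only a rule that is exact on every field should be refused, the per-field `||` is too strict. A comment would also help because a broadcast-address helper is being used here as an "all bits set" test on a mask.
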
@@ -710,6 +718,15 @@  ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (ipv4_mask->hdr.src_addr == UINT32_MAX ||
+				    ipv4_mask->hdr.dst_addr == UINT32_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid IPv4 mask.");
+					return -rte_errno;
+				}
+
 				if (ipv4_mask->hdr.src_addr) {
 					filter->input.ip.v4.src_ip =
 						ipv4_spec->hdr.src_addr;
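
Review bot: the string `"Invalid IPv4 mask."` ends with a period, unlike `"Invalid mac addr mask"`, `"Invalid TCP mask"`, `"Invalid UDP mask"` and `"Invalid SCTP mask"` elsewhere in this patch; drop the period so the error strings are consistent. The comparison of `src_addr` and `dst_addr` against `UINT32_MAX` needs no byte-order conversion because the value is all ones, which is worth a short comment for the next reader.
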
@@ -754,6 +771,15 @@  ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (tcp_mask->hdr.src_port == UINT16_MAX ||
+				    tcp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid TCP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    tcp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_TCP_SRC_PORT;
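
Review bot: the error text `"Invalid TCP mask"` does not tell the caller what is wrong with the mask. A port mask of 0xffff is the ordinary way to ask for an exact match in rte_flow, so a user who hits the new `tcp_mask->hdr.src_port == UINT16_MAX` branch gets EINVAL with no hint that the ACL engine only takes wildcarded ports. Suggest wording the message along the lines of "full TCP port mask is not supported by ACL", and likewise for the other messages the patch adds.
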
@@ -791,6 +817,15 @@  ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (udp_mask->hdr.src_port == UINT16_MAX ||
+				    udp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid UDP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    udp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_UDP_SRC_PORT;
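
Review bot: the block starting at `udp_mask->hdr.src_port == UINT16_MAX` is a copy of the TCP block above and the SCTP block below, differing only in the mask pointer and the message string. Consider a small static helper that takes the two port masks, the item and the message and calls `rte_flow_error_set()`, so the three L4 cases cannot drift apart when the condition is changed later.
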
@@ -818,6 +853,15 @@  ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 				flow_type = ICE_FLTR_PTYPE_NONF_IPV4_SCTP;
 
 			if (sctp_spec && sctp_mask) {
+				if (sctp_mask->hdr.src_port == UINT16_MAX ||
+				    sctp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid SCTP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    sctp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_SCTP_SRC_PORT;
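
Review bot: the new restriction is not documented anywhere a user would look. With the `sctp_mask->hdr.src_port == UINT16_MAX` check here and its siblings in the earlier hunks, a pattern carrying a full address or port mask now fails in `ice_acl_parse_pattern()`, yet the diffstat shows only `ice_acl_filter.c` changed. Please add a sentence to the driver documentation stating that the ACL engine takes only partially masked fields, and a one-line comment above each check giving the reason.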