From patchwork Wed Nov 11 11:30:05 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Simei Su <simei.su@intel.com>
X-Patchwork-Id: 84005
X-Patchwork-Delegate: qi.z.zhang@intel.com
Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@inbox.dpdk.org
Delivered-To: patchwork@inbox.dpdk.org
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id D73C9A09D9;
	Wed, 11 Nov 2020 12:38:41 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 00AECF64;
	Wed, 11 Nov 2020 12:38:40 +0100 (CET)
Received: from mga17.intel.com (mga17.intel.com [192.55.52.151])
 by dpdk.org (Postfix) with ESMTP id 604952AB
 for <dev@dpdk.org>; Wed, 11 Nov 2020 12:38:38 +0100 (CET)
IronPort-SDR: 
 6UeGRVre5mNLCWNLHvxcxtkJTUVWeOL4TddHKKBgjBbZ45RqAp7kQaPnqV+OwoNqtmfZhy4kxX
 1e9uO4JAaYcg==
X-IronPort-AV: E=McAfee;i="6000,8403,9801"; a="149981204"
X-IronPort-AV: E=Sophos;i="5.77,469,1596524400"; d="scan'208";a="149981204"
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga004.fm.intel.com ([10.253.24.48])
 by fmsmga107.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 11 Nov 2020 03:38:32 -0800
IronPort-SDR: 
 sp6QxCYuPC4zQFDrV5EYPm3J9GrsDyWX2cQbX1BROuYLIIqbou1k0fr4mEMUDaNdsKHSqpa4Gy
 9bLETNf1Ns8g==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.77,469,1596524400"; d="scan'208";a="356595175"
Received: from unknown (HELO npg-dpdk-cvl-simeisu-118d193.sh.intel.com)
 ([10.67.119.195])
 by fmsmga004.fm.intel.com with ESMTP; 11 Nov 2020 03:38:31 -0800
From: Simei Su <simei.su@intel.com>
To: qi.z.zhang@intel.com
Cc: dev@dpdk.org, beilei.xing@intel.com, xuan.ding@intel.com,
 Simei Su <simei.su@intel.com>
Date: Wed, 11 Nov 2020 19:30:05 +0800
Message-Id: <20201111113005.50620-1-simei.su@intel.com>
X-Mailer: git-send-email 2.9.5
Subject: [dpdk-dev] [PATCH] net/ice: fix full mask issue for ACL rule
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

A rule with an imperfect match(wildcarding) will be routed through
ACL. A perfect match should be rejected by ACL.

Fixes: 40d466fa9f76 ("net/ice: support ACL filter in DCF")

Signed-off-by: Simei Su <simei.su@intel.com>
Acked-by: Qi Zhang <qi.z.zhang@intel.com>
---
 drivers/net/ice/ice_acl_filter.c | 44 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/drivers/net/ice/ice_acl_filter.c b/drivers/net/ice/ice_acl_filter.c
index 8ca88d2..f7dbe53 100644
--- a/drivers/net/ice/ice_acl_filter.c
+++ b/drivers/net/ice/ice_acl_filter.c
@@ -664,6 +664,14 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 			eth_mask = item->mask;
 
 			if (eth_spec && eth_mask) {
+				if (rte_is_broadcast_ether_addr(&eth_mask->src) ||
+				    rte_is_broadcast_ether_addr(&eth_mask->dst)) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item, "Invalid mac addr mask");
+					return -rte_errno;
+				}
+
 				if (!rte_is_zero_ether_addr(&eth_spec->src) &&
 				    !rte_is_zero_ether_addr(&eth_mask->src)) {
 					input_set |= ICE_INSET_SMAC;
@@ -710,6 +718,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (ipv4_mask->hdr.src_addr == UINT32_MAX ||
+				    ipv4_mask->hdr.dst_addr == UINT32_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid IPv4 mask.");
+					return -rte_errno;
+				}
+
 				if (ipv4_mask->hdr.src_addr) {
 					filter->input.ip.v4.src_ip =
 						ipv4_spec->hdr.src_addr;
@@ -754,6 +771,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (tcp_mask->hdr.src_port == UINT16_MAX ||
+				    tcp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid TCP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    tcp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_TCP_SRC_PORT;
@@ -791,6 +817,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 					return -rte_errno;
 				}
 
+				if (udp_mask->hdr.src_port == UINT16_MAX ||
+				    udp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid UDP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    udp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_UDP_SRC_PORT;
@@ -818,6 +853,15 @@ ice_acl_parse_pattern(__rte_unused struct ice_adapter *ad,
 				flow_type = ICE_FLTR_PTYPE_NONF_IPV4_SCTP;
 
 			if (sctp_spec && sctp_mask) {
+				if (sctp_mask->hdr.src_port == UINT16_MAX ||
+				    sctp_mask->hdr.dst_port == UINT16_MAX) {
+					rte_flow_error_set(error, EINVAL,
+						RTE_FLOW_ERROR_TYPE_ITEM,
+						item,
+						"Invalid SCTP mask");
+					return -rte_errno;
+				}
+
 				if (l3 == RTE_FLOW_ITEM_TYPE_IPV4 &&
 				    sctp_mask->hdr.src_port) {
 					input_set |= ICE_INSET_SCTP_SRC_PORT;