git.baikalelectronics.ru Git - kernel.git/commit

author	Vladimir Oltean <vladimir.oltean@nxp.com>
	Fri, 17 Apr 2020 19:03:08 +0000 (22:03 +0300)
committer	David S. Miller <davem@davemloft.net>
	Sat, 18 Apr 2020 22:54:11 +0000 (15:54 -0700)
commit	792dd6795c3356f58b9fedd32ea4a83b871e419f
tree	adfa379d4e88640497c60ae6c355cfaa7c66683a	tree \| snapshot
parent	8f6e24fe2d6af92195068bed9f7f7934aa50973c	commit \| diff

net: mscc: ocelot: deal with problematic MAC_ETYPE VCAP IS2 rules

By default, the VCAP IS2 will produce a single match for each frame, on
the most specific classification.

Example: a ping packet (ICMP over IPv4 over Ethernet) sent from an IP
address of 10.0.0.1 and a MAC address of 96:18:82:00:04:01 will match
this rule:

tc filter add dev swp0 ingress protocol ipv4 \
flower skip_sw src_ip 10.0.0.1 action drop

but not this one:

tc filter add dev swp0 ingress \
flower skip_sw src_mac 96:18:82:00:04:01 action drop

Currently the driver does not really warn the user in any way about
this, and the behavior is rather strange anyway.

The current patch is a workaround to force matches on MAC_ETYPE keys
(DMAC and SMAC) for all packets irrespective of higher layer protocol.
The setting is made at the port level.

Of course this breaks all other non-src_mac and non-dst_mac matches, so
rule exclusivity checks have been added to the driver, in order to never
have rules of both types on any ingress port.

The bits that discard higher-level protocol information are set only
once a MAC_ETYPE rule is added to a filter block, and only for the ports
that are bound to that filter block. Then all further non-MAC_ETYPE
rules added to that filter block should be denied by the ports bound to
it.

Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

drivers/net/ethernet/mscc/ocelot_ace.c		diff \| blob \| history
drivers/net/ethernet/mscc/ocelot_ace.h		diff \| blob \| history
drivers/net/ethernet/mscc/ocelot_flower.c		diff \| blob \| history