| Message ID | 1564648859-17369-1-git-send-email-xiangxia.m.yue@gmail.com |
|---|---|
| State | Awaiting Upstream |
| Delegated to | David Ahern |
| Series | [net-next] net/mlx5e: Allow dropping specific tunnel packets |
On 2019-08-01 11:40 AM, xiangxia.m.yue@gmail.com wrote:
> From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
>
> In some cases, we don't want to allow specific tunnel packets
> to the host, which can avoid taking up high CPU (e.g. network attacks).
> But other tunnel packets which are not matched in hardware will be
> sent to the host too.
>
> $ tc filter add dev vxlan_sys_4789 \
> protocol ip chain 0 parent ffff: prio 1 handle 1 \
> flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \
> enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \
> action tunnel_key unset pipe action drop
>
> Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>
> ---
> drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> index f3ed028..25d423e 100644
> --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
> @@ -2485,7 +2485,8 @@ static bool actions_match_supported(struct mlx5e_priv *priv,
>
> if (flow_flag_test(flow, EGRESS) &&
> !((actions & MLX5_FLOW_CONTEXT_ACTION_DECAP) ||
> - (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP)))
> + (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP) ||
> + (actions & MLX5_FLOW_CONTEXT_ACTION_DROP)))
> return false;
>
> if (actions & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR)

thanks!
Reviewed-by: Roi Dayan <roid@mellanox.com>
From: xiangxia.m.yue@gmail.com
Date: Thu, 1 Aug 2019 16:40:59 +0800

> From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
>
> In some cases, we don't want to allow specific tunnel packets
> to the host, which can avoid taking up high CPU (e.g. network attacks).
> But other tunnel packets which are not matched in hardware will be
> sent to the host too.
>
> $ tc filter add dev vxlan_sys_4789 \
> protocol ip chain 0 parent ffff: prio 1 handle 1 \
> flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \
> enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \
> action tunnel_key unset pipe action drop
>
> Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>

Saeed, please pick this up. Thank you.
On Thu, 2019-08-01 at 16:40 +0800, xiangxia.m.yue@gmail.com wrote:
> From: Tonghao Zhang <xiangxia.m.yue@gmail.com>
>
> In some cases, we don't want to allow specific tunnel packets
> to the host, which can avoid taking up high CPU (e.g. network attacks).
> But other tunnel packets which are not matched in hardware will be
> sent to the host too.
>
> $ tc filter add dev vxlan_sys_4789 \
> protocol ip chain 0 parent ffff: prio 1 handle 1 \
> flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \
> enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \
> action tunnel_key unset pipe action drop
>
> Signed-off-by: Tonghao Zhang <xiangxia.m.yue@gmail.com>

Applied to net-next-mlx5. Thanks!
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c index f3ed028..25d423e 100644 --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c @@ -2485,7 +2485,8 @@ static bool actions_match_supported(struct mlx5e_priv *priv, if (flow_flag_test(flow, EGRESS) && !((actions & MLX5_FLOW_CONTEXT_ACTION_DECAP) || - (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP))) + (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP) || + (actions & MLX5_FLOW_CONTEXT_ACTION_DROP))) return false; if (actions & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR)
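Review bot: the new `(actions & MLX5_FLOW_CONTEXT_ACTION_DROP)` term in the EGRESS check lets a tunnel-device flow pass `actions_match_supported()` with neither DECAP nor VLAN_POP set, yet the only example in the changelog (`action tunnel_key unset pipe action drop`) carries a decap alongside the drop; the commit message should state which rule shape was rejected before this change (a bare drop, or decap followed by drop) and why a hardware drop on the egress path needs no decap, because the rest of the function is outside the hunk and the reader cannot see what else the egress path requires. As a style point, three OR-ed single-bit tests read more easily as one mask test, `!(actions & (MLX5_FLOW_CONTEXT_ACTION_DECAP | MLX5_FLOW_CONTEXT_ACTION_VLAN_POP | MLX5_FLOW_CONTEXT_ACTION_DROP))`, which also keeps the list tidy if further actions are allowed later. Worth one more sentence in the changelog: once the drop is offloaded, the matched tunnel packets never reach the host, so the only evidence of the traffic this rule is meant to stop is the hardware counter on the tc rule (`tc -s filter show` on the tunnel device), and operators tracking the attack traffic mentioned in the description should know that software-side counters and captures will no longer see it.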