> -----Original Message-----
> From: Xiaoyu Min <jack...@mellanox.com>
> Sent: Wednesday, July 24, 2019 14:32
> To: Shahaf Shuler <shah...@mellanox.com>; Yongseok Koh
> <ys...@mellanox.com>; Slava Ovsiienko <viachesl...@mellanox.com>
> Cc: dev@dpdk.org; Jack Min <jack...@mellanox.com>
> Subject: [Suspected-Phishing][PATCH] net/mlx5: fix RSS expand for IP-in-IP
>
> The RSS expand function for IP-in-IP tunnel type is missed, which leads to
> create following flow failed:
>
> flow create 0 ingress pattern eth / ipv4 proto is 4 /
> ipv4 / udp / end actions rss queues 0 1 end level 2
> types ip ipv4-other udp ipv4 ipv4-frag end /
> mark id 221 / count / end
>
> In order to make RSS expand function working correctly, now the way to
> check whether a IP tunnel existing is to check whether there is the second
> IPv4/IPv6 item and whether the first IPv4/IPv6 item's next protocl is
> IPPROTO_IPIP/IPPROTO_IPV6.
> For example:
> ... pattern eth / ipv4 proto is 4 / ipv4 / ....
>
> Fixes: 5e33bebdd8d3 ("net/mlx5: support IP-in-IP tunnel")
> Cc: jack...@mellanox.com
>
> Signed-off-by: Xiaoyu Min <jack...@mellanox.com>
Acked-by: Viacheslav Ovsiienko <viachesl...@mellanox.com>
> ---
> drivers/net/mlx5/mlx5_flow.c | 8 +++-
> drivers/net/mlx5/mlx5_flow_dv.c | 79 ++++++++++++++++++++-------------
> 2 files changed, 53 insertions(+), 34 deletions(-)
>
> diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
> index 3d2d5fc53a..f117369fa9 100644
> --- a/drivers/net/mlx5/mlx5_flow.c
> +++ b/drivers/net/mlx5/mlx5_flow.c
> @@ -127,7 +127,9 @@ static const struct rte_flow_expand_node
> mlx5_support_expansion[] = {
> .next = RTE_FLOW_EXPAND_RSS_NEXT
> (MLX5_EXPANSION_OUTER_IPV4_UDP,
> MLX5_EXPANSION_OUTER_IPV4_TCP,
> - MLX5_EXPANSION_GRE),
> + MLX5_EXPANSION_GRE,
> + MLX5_EXPANSION_IPV4,
> + MLX5_EXPANSION_IPV6),
> .type = RTE_FLOW_ITEM_TYPE_IPV4,
> .rss_types = ETH_RSS_IPV4 | ETH_RSS_FRAG_IPV4 |
> ETH_RSS_NONFRAG_IPV4_OTHER,
> @@ -145,7 +147,9 @@ static const struct rte_flow_expand_node
> mlx5_support_expansion[] = {
> [MLX5_EXPANSION_OUTER_IPV6] = {
> .next = RTE_FLOW_EXPAND_RSS_NEXT
> (MLX5_EXPANSION_OUTER_IPV6_UDP,
> - MLX5_EXPANSION_OUTER_IPV6_TCP),
> + MLX5_EXPANSION_OUTER_IPV6_TCP,
> + MLX5_EXPANSION_IPV4,
> + MLX5_EXPANSION_IPV6),
> .type = RTE_FLOW_ITEM_TYPE_IPV6,
> .rss_types = ETH_RSS_IPV6 | ETH_RSS_FRAG_IPV6 |
> ETH_RSS_NONFRAG_IPV6_OTHER,
> diff --git a/drivers/net/mlx5/mlx5_flow_dv.c
> b/drivers/net/mlx5/mlx5_flow_dv.c index f1d32bdff0..2ff8c673b0 100644
> --- a/drivers/net/mlx5/mlx5_flow_dv.c
> +++ b/drivers/net/mlx5/mlx5_flow_dv.c
> @@ -146,36 +146,20 @@ struct field_modify_info modify_tcp[] = { };
>
> static void
> -mlx5_flow_tunnel_ip_check(const struct rte_flow_item *item, uint64_t
> *flags)
> +mlx5_flow_tunnel_ip_check(const struct rte_flow_item *item
> __rte_unused,
> + uint8_t next_protocol, uint64_t *item_flags,
> + int *tunnel)
> {
> - uint8_t next_protocol = 0xFF;
> -
> - if (item->mask != NULL) {
> - switch (item->type) {
> - case RTE_FLOW_ITEM_TYPE_IPV4:
> - next_protocol =
> - ((const struct rte_flow_item_ipv4 *)
> - (item->spec))->hdr.next_proto_id;
> - next_protocol &=
> - ((const struct rte_flow_item_ipv4 *)
> - (item->mask))->hdr.next_proto_id;
> - break;
> - case RTE_FLOW_ITEM_TYPE_IPV6:
> - next_protocol =
> - ((const struct rte_flow_item_ipv6 *)
> - (item->spec))->hdr.proto;
> - next_protocol &=
> - ((const struct rte_flow_item_ipv6 *)
> - (item->mask))->hdr.proto;
> - break;
> - default:
> - break;
> - }
> + assert(item->type == RTE_FLOW_ITEM_TYPE_IPV4 ||
> + item->type == RTE_FLOW_ITEM_TYPE_IPV6);
> + if (next_protocol == IPPROTO_IPIP) {
> + *item_flags |= MLX5_FLOW_LAYER_IPIP;
> + *tunnel = 1;
> + }
> + if (next_protocol == IPPROTO_IPV6) {
> + *item_flags |= MLX5_FLOW_LAYER_IPV6_ENCAP;
> + *tunnel = 1;
> }
> - if (next_protocol == IPPROTO_IPIP)
> - *flags |= MLX5_FLOW_LAYER_IPIP;
> - if (next_protocol == IPPROTO_IPV6)
> - *flags |= MLX5_FLOW_LAYER_IPV6_ENCAP;
> }
>
> /**
> @@ -2902,6 +2886,8 @@ flow_dv_validate(struct rte_eth_dev *dev, const
> struct rte_flow_attr *attr,
>
> MLX5_FLOW_LAYER_OUTER_VLAN;
> break;
> case RTE_FLOW_ITEM_TYPE_IPV4:
> + mlx5_flow_tunnel_ip_check(items, next_protocol,
> + &item_flags, &tunnel);
> ret = mlx5_flow_validate_item_ipv4(items,
> item_flags,
> NULL, error);
> if (ret < 0)
> @@ -2921,9 +2907,10 @@ flow_dv_validate(struct rte_eth_dev *dev, const
> struct rte_flow_attr *attr,
> /* Reset for inner layer. */
> next_protocol = 0xff;
> }
> - mlx5_flow_tunnel_ip_check(items, &last_item);
> break;
> case RTE_FLOW_ITEM_TYPE_IPV6:
> + mlx5_flow_tunnel_ip_check(items, next_protocol,
> + &item_flags, &tunnel);
> ret = mlx5_flow_validate_item_ipv6(items,
> item_flags,
> NULL, error);
> if (ret < 0)
> @@ -2943,7 +2930,6 @@ flow_dv_validate(struct rte_eth_dev *dev, const
> struct rte_flow_attr *attr,
> /* Reset for inner layer. */
> next_protocol = 0xff;
> }
> - mlx5_flow_tunnel_ip_check(items, &last_item);
> break;
> case RTE_FLOW_ITEM_TYPE_TCP:
> ret = mlx5_flow_validate_item_tcp
> @@ -4686,6 +4672,7 @@ flow_dv_translate(struct rte_eth_dev *dev,
> uint32_t modify_action_position = UINT32_MAX;
> void *match_mask = matcher.mask.buf;
> void *match_value = dev_flow->dv.value.buf;
> + uint8_t next_protocol = 0xff;
>
> flow->group = attr->group;
> if (attr->transfer)
> @@ -5007,6 +4994,8 @@ flow_dv_translate(struct rte_eth_dev *dev,
>
> MLX5_FLOW_LAYER_OUTER_VLAN);
> break;
> case RTE_FLOW_ITEM_TYPE_IPV4:
> + mlx5_flow_tunnel_ip_check(items, next_protocol,
> + &item_flags, &tunnel);
> flow_dv_translate_item_ipv4(match_mask,
> match_value,
> items, tunnel, attr->group);
> matcher.priority = MLX5_PRIORITY_MAP_L3; @@ -
> 5017,9 +5006,23 @@ flow_dv_translate(struct rte_eth_dev *dev,
> MLX5_IPV4_IBV_RX_HASH);
> last_item = tunnel ?
> MLX5_FLOW_LAYER_INNER_L3_IPV4 :
>
> MLX5_FLOW_LAYER_OUTER_L3_IPV4;
> - mlx5_flow_tunnel_ip_check(items, &last_item);
> + if (items->mask != NULL &&
> + ((const struct rte_flow_item_ipv4 *)
> + items->mask)->hdr.next_proto_id) {
> + next_protocol =
> + ((const struct rte_flow_item_ipv4 *)
> + (items->spec))->hdr.next_proto_id;
> + next_protocol &=
> + ((const struct rte_flow_item_ipv4 *)
> + (items->mask))->hdr.next_proto_id;
> + } else {
> + /* Reset for inner layer. */
> + next_protocol = 0xff;
> + }
> break;
> case RTE_FLOW_ITEM_TYPE_IPV6:
> + mlx5_flow_tunnel_ip_check(items, next_protocol,
> + &item_flags, &tunnel);
> flow_dv_translate_item_ipv6(match_mask,
> match_value,
> items, tunnel, attr->group);
> matcher.priority = MLX5_PRIORITY_MAP_L3; @@ -
> 5030,7 +5033,19 @@ flow_dv_translate(struct rte_eth_dev *dev,
> MLX5_IPV6_IBV_RX_HASH);
> last_item = tunnel ?
> MLX5_FLOW_LAYER_INNER_L3_IPV6 :
>
> MLX5_FLOW_LAYER_OUTER_L3_IPV6;
> - mlx5_flow_tunnel_ip_check(items, &last_item);
> + if (items->mask != NULL &&
> + ((const struct rte_flow_item_ipv6 *)
> + items->mask)->hdr.proto) {
> + next_protocol =
> + ((const struct rte_flow_item_ipv6 *)
> + items->spec)->hdr.proto;
> + next_protocol &=
> + ((const struct rte_flow_item_ipv6 *)
> + items->mask)->hdr.proto;
> + } else {
> + /* Reset for inner layer. */
> + next_protocol = 0xff;
> + }
> break;
> case RTE_FLOW_ITEM_TYPE_TCP:
> flow_dv_translate_item_tcp(match_mask,
> match_value,
> --
> 2.21.0
