Previous patch added validation of the IPv6 next proto field, in order to overcome a known limitation. One of the values checked is IPPROTO_HOPOPTS, which is defined as 0. If proto field is not specified for matching, or mask=0, as in the following, a wrong validation takes place.

flow create 0 ingress pattern eth / ipv6 has_frag_ext is 0 / end actions drop / end

Fix the validation only on proto asked by the user.

Fixes: 92be60e1b541 ("net/mlx5: enforce limitation on IPv6 next proto") Signed-off-by: Eli Britstein <el...@nvidia.com> Acked-by: Dekel Peled <dek...@nvidia.com> Acked-by: Matan Azrad <ma...@nvidia.com> --- drivers/net/mlx5/mlx5_flow.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c index 22fb4ee60a..d7243a878b 100644 --- a/drivers/net/mlx5/mlx5_flow.c +++ b/drivers/net/mlx5/mlx5_flow.c @@ -1979,8 +1979,8 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_item *item, RTE_FLOW_ERROR_TYPE_ITEM, item, "IPv6 cannot follow L2/VLAN layer " "which ether type is not IPv6"); - if (mask && spec) - next_proto = mask->hdr.proto & spec->hdr.proto; + if (mask && mask->hdr.proto == UINT8_MAX && spec) + next_proto = spec->hdr.proto; if (item_flags & MLX5_FLOW_LAYER_IPV6_ENCAP) { if (next_proto == IPPROTO_IPIP || next_proto == IPPROTO_IPV6) return rte_flow_error_set(error, EINVAL, -- 2.28.0.546.g385c171
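
Review bot: With the new condition `mask->hdr.proto == UINT8_MAX` in mlx5_flow_validate_item_ipv6(), any proto mask other than 0xff leaves next_proto at its initial value, and that initializer is not visible in this hunk. Please confirm it is a value that none of the later comparisons test for. The commit message notes IPPROTO_HOPOPTS is 0, so a zero initializer would still trigger the false rejection this patch is meant to remove. A partial mask (neither 0 nor 0xff) now bypasses the IPPROTO_IPIP / IPPROTO_IPV6 check under MLX5_FLOW_LAYER_IPV6_ENCAP without any error, whereas before it was evaluated as `mask->hdr.proto & spec->hdr.proto`. If that is intended, a one-line comment above the condition saying that only an exact-match proto is validated would make it clear to the next reader. If it is not, the partial-mask case needs its own handling here.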