author | Vladimir Oltean <vladimir.oltean@nxp.com> | 2020-04-17 22:03:08 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-04-19 01:54:11 +0300 |
commit | 89f9ffd3eb670bad1260bc579f5e13b8f2d5b3e0 (patch) | |
tree | adfa379d4e88640497c60ae6c355cfaa7c66683a /drivers/net/ethernet/microchip | |
parent | f89370d413b38251dc3fd0e71d107da846c1012c (diff) | |
download | linux-89f9ffd3eb670bad1260bc579f5e13b8f2d5b3e0.tar.xz |
net: mscc: ocelot: deal with problematic MAC_ETYPE VCAP IS2 rules

By default, the VCAP IS2 will produce a single match for each frame, on
the most specific classification.

Example: a ping packet (ICMP over IPv4 over Ethernet) sent from an IP
address of 10.0.0.1 and a MAC address of 96:18:82:00:04:01 will match
this rule:

    tc filter add dev swp0 ingress protocol ipv4 \
        flower skip_sw src_ip 10.0.0.1 action drop

but not this one:

    tc filter add dev swp0 ingress \
        flower skip_sw src_mac 96:18:82:00:04:01 action drop

Currently the driver does not really warn the user in any way about
this, and the behavior is rather strange anyway.

The current patch is a workaround to force matches on MAC_ETYPE keys
(DMAC and SMAC) for all packets irrespective of higher layer protocol.
The setting is made at the port level.

Of course this breaks all other non-src_mac and non-dst_mac matches, so
rule exclusivity checks have been added to the driver, in order to never
have rules of both types on any ingress port.

The bits that discard higher-level protocol information are set only
once a MAC_ETYPE rule is added to a filter block, and only for the ports
that are bound to that filter block. Then all further non-MAC_ETYPE
rules added to that filter block should be denied by the ports bound to
it.

Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'drivers/net/ethernet/microchip')
0 files changed, 0 insertions, 0 deletions
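
The single-match behaviour and the exclusivity rule described in the commit message, as a small C model added here for illustration; it is not the driver code from this commit. All names (`block_add_rule`, `port_force_mac_etype`, `KEY_IPV4`), the four-port count and the `-EBUSY` return value are assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>

/* Model only: every name here is hypothetical, not the ocelot driver's. */
enum key { KEY_MAC_ETYPE, KEY_IPV4 };

struct block {
	unsigned int n_mac_etype;  /* rules keyed on DMAC/SMAC */
	unsigned int n_other;      /* rules keyed on higher-layer fields */
	unsigned long ports;       /* bitmask of ports bound to this block */
};

#define NPORTS 4
static bool port_force_mac_etype[NPORTS]; /* per-port "discard L3+ info" */

/* Key type the lookup uses for an IPv4 frame received on a port:
 * the most specific one, unless the port forces MAC_ETYPE. */
enum key classify_ipv4_frame(int port)
{
	return port_force_mac_etype[port] ? KEY_MAC_ETYPE : KEY_IPV4;
}

/* A rule can only hit when its key type equals the frame's classification,
 * which is why a src_mac drop rule silently misses IPv4 traffic by default. */
bool rule_can_match_ipv4(enum key rule, int port)
{
	return rule == classify_ipv4_frame(port);
}

/* Add a rule; refuse to mix the two kinds on one block
 * (-EBUSY is this model's choice of error code). */
int block_add_rule(struct block *b, enum key rule)
{
	if (rule == KEY_MAC_ETYPE) {
		if (b->n_other)
			return -EBUSY;
		/* Set the port-level bit only on ports bound to this block. */
		for (int p = 0; p < NPORTS; p++)
			if (b->ports & (1UL << p))
				port_force_mac_etype[p] = true;
		b->n_mac_etype++;
		return 0;
	}
	if (b->n_mac_etype)
		return -EBUSY;
	b->n_other++;
	return 0;
}
```
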