ice: Add function to program ethertype based filter rule on VSIs

This patch adds function to program VSI with ethertype based filter rule, so that all flow control frames would be disallowed from being transmitted to the client, in order to prevent malicious VSI, especially VF from sending out PAUSE or PFC frames, and then control other VSIs traffic. Signed-off-by: Akeem G Abodunrin <akeem.g.abodunrin@intel.com> Signed-off-by: Anirudh Venkataramanan <anirudh.venkataramanan@intel.com> Tested-by: Andrew Bowers <andrewx.bowers@intel.com> Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
author: Akeem G Abodunrin <akeem.g.abodunrin@intel.com> 2019-04-16 13:21:24 -0400
committer: Jeff Kirsher <jeffrey.t.kirsher@intel.com> 2019-05-04 17:36:28 -0400
commit: d95276ced00060dc3d4d157b1eba61eb7830eb02 (patch)
tree: cd6da561ae6274675c7c9ea3db2c985a7d8d88ab /drivers/net/ethernet/intel/ice/ice_lib.c
parent: 8f529ff912073f778e3cd74e87fb69a36499fc2f (diff)
1 files changed, 55 insertions, 0 deletions
diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c
index 7a88bf639376..fbf1eba0cc2a 100644
--- a/drivers/net/ethernet/intel/ice/ice_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_lib.c
@@ -2251,6 +2251,46 @@ clear_reg_idx:
 }
 /**
+ * ice_vsi_add_rem_eth_mac - Program VSI ethertype based filter with rule
+ * @vsi: the VSI being configured
+ * @add_rule: boolean value to add or remove ethertype filter rule
+ */
+static void
+ice_vsi_add_rem_eth_mac(struct ice_vsi *vsi, bool add_rule)
+{
+        struct ice_fltr_list_entry *list;
+        struct ice_pf *pf = vsi->back;
+        LIST_HEAD(tmp_add_list);
+        enum ice_status status;
+        list = devm_kzalloc(&pf->pdev->dev, sizeof(*list), GFP_KERNEL);
+        if (!list)
+                return;
+        list->fltr_info.lkup_type = ICE_SW_LKUP_ETHERTYPE;
+        list->fltr_info.fltr_act = ICE_DROP_PACKET;
+        list->fltr_info.flag = ICE_FLTR_TX;
+        list->fltr_info.src_id = ICE_SRC_ID_VSI;
+        list->fltr_info.vsi_handle = vsi->idx;
+        list->fltr_info.l_data.ethertype_mac.ethertype = vsi->ethtype;
+        INIT_LIST_HEAD(&list->list_entry);
+        list_add(&list->list_entry, &tmp_add_list);
+        if (add_rule)
+                status = ice_add_eth_mac(&pf->hw, &tmp_add_list);
+        else
+                status = ice_remove_eth_mac(&pf->hw, &tmp_add_list);
+        if (status)
+                dev_err(&pf->pdev->dev,
+                        "Failure Adding or Removing Ethertype on VSI %i error: %d\n",
+                        vsi->vsi_num, status);
+        ice_free_fltr_list(&pf->pdev->dev, &tmp_add_list);
+}
+/**
 * ice_vsi_setup - Set up a VSI by a given type
 * @pf: board private structure
 * @pi: pointer to the port_info instance
@@ -2285,6 +2325,9 @@ ice_vsi_setup(struct ice_pf *pf, struct ice_port_info *pi,
        vsi->port_info = pi;
        vsi->vsw = pf->first_sw;
+        if (vsi->type == ICE_VSI_PF)
+                vsi->ethtype = ETH_P_PAUSE;
        if (vsi->type == ICE_VSI_VF)
                vsi->vf_id = vf_id;
@@ -2382,6 +2425,15 @@ ice_vsi_setup(struct ice_pf *pf, struct ice_port_info *pi,
                goto unroll_vector_base;
        }
+        /* Add switch rule to drop all Tx Flow Control Frames, of look up
+         * type ETHERTYPE from VSIs, and restrict malicious VF from sending
+         * out PAUSE or PFC frames. If enabled, FW can still send FC frames.
+         * The rule is added once for PF VSI in order to create appropriate
+         * recipe, since VSI/VSI list is ignored with drop action...
+         */
+        if (vsi->type == ICE_VSI_PF)
+                ice_vsi_add_rem_eth_mac(vsi, true);
        return vsi;
 unroll_vector_base:
@@ -2740,6 +2792,9 @@ int ice_vsi_release(struct ice_vsi *vsi)
                pf->num_avail_hw_msix += pf->num_vf_msix;
        }
+        if (vsi->type == ICE_VSI_PF)
+                ice_vsi_add_rem_eth_mac(vsi, false);
        ice_remove_vsi_fltr(&pf->hw, vsi->idx);
        ice_rm_vsi_lan_cfg(vsi->port_info, vsi->idx);
        ice_vsi_delete(vsi);
author	Akeem G Abodunrin <akeem.g.abodunrin@intel.com>	2019-04-16 13:21:24 -0400
committer	Jeff Kirsher <jeffrey.t.kirsher@intel.com>	2019-05-04 17:36:28 -0400
commit	d95276ced00060dc3d4d157b1eba61eb7830eb02 (patch)
tree	cd6da561ae6274675c7c9ea3db2c985a7d8d88ab /drivers/net/ethernet/intel/ice/ice_lib.c
parent	8f529ff912073f778e3cd74e87fb69a36499fc2f (diff)

diff --git a/drivers/net/ethernet/intel/ice/ice_lib.c b/drivers/net/ethernet/intel/ice/ice_lib.c index 7a88bf639376..fbf1eba0cc2a 100644 --- a/drivers/net/ethernet/intel/ice/ice_lib.c +++ b/drivers/net/ethernet/intel/ice/ice_lib.c
@@ -2251,6 +2251,46 @@ clear_reg_idx:
2251	}	2251	}
2252		2252
2253	/**	2253	/**
		2254	* ice_vsi_add_rem_eth_mac - Program VSI ethertype based filter with rule
		2255	* @vsi: the VSI being configured
		2256	* @add_rule: boolean value to add or remove ethertype filter rule
		2257	*/
		2258	static void
		2259	ice_vsi_add_rem_eth_mac(struct ice_vsi *vsi, bool add_rule)
		2260	{
		2261	struct ice_fltr_list_entry *list;
		2262	struct ice_pf *pf = vsi->back;
		2263	LIST_HEAD(tmp_add_list);
		2264	enum ice_status status;
		2265
		2266	list = devm_kzalloc(&pf->pdev->dev, sizeof(*list), GFP_KERNEL);
		2267	if (!list)
		2268	return;
		2269
		2270	list->fltr_info.lkup_type = ICE_SW_LKUP_ETHERTYPE;
		2271	list->fltr_info.fltr_act = ICE_DROP_PACKET;
		2272	list->fltr_info.flag = ICE_FLTR_TX;
		2273	list->fltr_info.src_id = ICE_SRC_ID_VSI;
		2274	list->fltr_info.vsi_handle = vsi->idx;
		2275	list->fltr_info.l_data.ethertype_mac.ethertype = vsi->ethtype;
		2276
		2277	INIT_LIST_HEAD(&list->list_entry);
		2278	list_add(&list->list_entry, &tmp_add_list);
		2279
		2280	if (add_rule)
		2281	status = ice_add_eth_mac(&pf->hw, &tmp_add_list);
		2282	else
		2283	status = ice_remove_eth_mac(&pf->hw, &tmp_add_list);
		2284
		2285	if (status)
		2286	dev_err(&pf->pdev->dev,
		2287	"Failure Adding or Removing Ethertype on VSI %i error: %d\n",
		2288	vsi->vsi_num, status);
		2289
		2290	ice_free_fltr_list(&pf->pdev->dev, &tmp_add_list);
		2291	}
		2292
		2293	/**
2254	* ice_vsi_setup - Set up a VSI by a given type	2294	* ice_vsi_setup - Set up a VSI by a given type
2255	* @pf: board private structure	2295	* @pf: board private structure
2256	* @pi: pointer to the port_info instance	2296	* @pi: pointer to the port_info instance
@@ -2285,6 +2325,9 @@ ice_vsi_setup(struct ice_pf pf, struct ice_port_info pi,
2285		2325
2286	vsi->port_info = pi;	2326	vsi->port_info = pi;
2287	vsi->vsw = pf->first_sw;	2327	vsi->vsw = pf->first_sw;
		2328	if (vsi->type == ICE_VSI_PF)
		2329	vsi->ethtype = ETH_P_PAUSE;
		2330
2288	if (vsi->type == ICE_VSI_VF)	2331	if (vsi->type == ICE_VSI_VF)
2289	vsi->vf_id = vf_id;	2332	vsi->vf_id = vf_id;
2290		2333
@@ -2382,6 +2425,15 @@ ice_vsi_setup(struct ice_pf pf, struct ice_port_info pi,
2382	goto unroll_vector_base;	2425	goto unroll_vector_base;
2383	}	2426	}
2384		2427
		2428	/* Add switch rule to drop all Tx Flow Control Frames, of look up
		2429	* type ETHERTYPE from VSIs, and restrict malicious VF from sending
		2430	* out PAUSE or PFC frames. If enabled, FW can still send FC frames.
		2431	* The rule is added once for PF VSI in order to create appropriate
		2432	* recipe, since VSI/VSI list is ignored with drop action...
		2433	*/
		2434	if (vsi->type == ICE_VSI_PF)
		2435	ice_vsi_add_rem_eth_mac(vsi, true);
		2436
2385	return vsi;	2437	return vsi;
2386		2438
2387	unroll_vector_base:	2439	unroll_vector_base:
@@ -2740,6 +2792,9 @@ int ice_vsi_release(struct ice_vsi *vsi)
2740	pf->num_avail_hw_msix += pf->num_vf_msix;	2792	pf->num_avail_hw_msix += pf->num_vf_msix;
2741	}	2793	}
2742		2794
		2795	if (vsi->type == ICE_VSI_PF)
		2796	ice_vsi_add_rem_eth_mac(vsi, false);
		2797
2743	ice_remove_vsi_fltr(&pf->hw, vsi->idx);	2798	ice_remove_vsi_fltr(&pf->hw, vsi->idx);
2744	ice_rm_vsi_lan_cfg(vsi->port_info, vsi->idx);	2799	ice_rm_vsi_lan_cfg(vsi->port_info, vsi->idx);
2745	ice_vsi_delete(vsi);	2800	ice_vsi_delete(vsi);