net/mlx5e: Allow dropping specific tunnel packets
In some cases, we don't want to allow specific tunnel packets
to the host, which can avoid taking up high CPU (e.g. network attacks).
But other tunnel packets which are not matched in hardware will be
sent to the host too.

    $ tc filter add dev vxlan_sys_4789 \
	    protocol ip chain 0 parent ffff: prio 1 handle 1 \
	    flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \
	    enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \
	    action tunnel_key unset pipe action drop

Signed-off-by: Tonghao Zhang <[email protected]>
Reviewed-by: Roi Dayan <[email protected]>
Signed-off-by: Saeed Mahameed <[email protected]>
xpu22 authored and Saeed Mahameed committed Aug 1, 2019
1 parent c9e6c72 commit 6830b46
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
Expand Up @@ -2485,7 +2485,8 @@ static bool actions_match_supported(struct mlx5e_priv *priv,

if (flow_flag_test(flow, EGRESS) &&
!((actions & MLX5_FLOW_CONTEXT_ACTION_DECAP) ||
(actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP)))
(actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP) ||
(actions & MLX5_FLOW_CONTEXT_ACTION_DROP)))
return false;

if (actions & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR)
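
Review bot: The new `MLX5_FLOW_CONTEXT_ACTION_DROP` term in the `flow_flag_test(flow, EGRESS)` condition lets any egress flow whose action set contains drop pass this check, with or without decap, while the commit message only talks about dropping tunnel packets. If drop-only egress rules are meant to be accepted in general, a short comment above the condition listing the action sets that are offloadable on egress would make that explicit; if the intent is limited to tunnel flows, the check should say so. With three flags now OR-ed inside the negation, testing `actions` against a single combined mask would also be easier to read and to extend.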