| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <aXqrIXo7GFQR7UyP@devvm20253.cco0.facebook.com>
Date: Wed, 28 Jan 2026 17:01:15 -0800
From: Joe Damato <joe@...a.to>
To: Michael Chan <michael.chan@...adcom.com>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
Pavan Chebbi <pavan.chebbi@...adcom.com>,
Andrew Lunn <andrew+netdev@...n.ch>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
shruti.parab@...adcom.com
Subject: Re: [PATCH net-next] bnxt_en: Allow ntuple filters for drops
On Wed, Jan 28, 2026 at 03:09:21PM -0800, Michael Chan wrote:
> On Wed, Jan 28, 2026 at 2:27 PM Joe Damato <joe@...a.to> wrote:
> >
> > It appears that in commit 7efd79c0e689 ("bnxt_en: Add drop action
> > support for ntuple"), bnxt gained support for ntuple filters for packet
> > drops.
> >
> > However, support for this does not seem to work in recent kernels or
> > against net-next:
> >
> > % sudo ethtool -U eth0 flow-type udp4 src-ip 1.1.1.1 action -1
> > rmgr: Cannot insert RX class rule: Operation not supported
> > Cannot insert classification rule
> >
> > The issue is that the existing code uses ethtool_get_flow_spec_ring_vf,
> > which will return a non-zero value if the ring_cookie is set to
> > RX_CLS_FLOW_DISC, which then causes bnxt_add_ntuple_cls_rule to return
> > -EOPNOTSUPP because it thinks the user is trying to set an ntuple filter
> > for a vf.
> >
> > Fix this by first checking that the ring_cookie is not RX_CLS_FLOW_DISC.
>
> Please add the Fixes tag. It looks like the drop action never worked
> properly because of the vf check.
I haven't been able to verify, but based on reading the code it looks like
this path may not have worked since the code was introduced.
In that case, a fixes tag isn't needed because this is essentially new
functionality.
> > ---
> > drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 10 ++++++----
> > 1 file changed, 6 insertions(+), 4 deletions(-)
> >
> > diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
> > index 6b15fedbb16f..fd32231bf8e0 100644
> > --- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
> > +++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
> > @@ -1353,10 +1353,12 @@ static int bnxt_add_ntuple_cls_rule(struct bnxt *bp,
> > if (!bp->vnic_info)
> > return -EAGAIN;
> >
> > - vf = ethtool_get_flow_spec_ring_vf(fs->ring_cookie);
> > - ring = ethtool_get_flow_spec_ring(fs->ring_cookie);
> > - if ((fs->flow_type & (FLOW_MAC_EXT | FLOW_EXT)) || vf)
> > - return -EOPNOTSUPP;
> > + if (fs->ring_cookie != RX_CLS_FLOW_DISC) {
> > + vf = ethtool_get_flow_spec_ring_vf(fs->ring_cookie);
> > + ring = ethtool_get_flow_spec_ring(fs->ring_cookie);
> > + if ((fs->flow_type & (FLOW_MAC_EXT | FLOW_EXT)) || vf)
>
> I think the FLOW_MAC_EXT and FLOW_EXT checks should be done unconditionally.
OK, I'll change the patch so that -EOPNOTSUPP is returned unconditionally if
(FLOW_MAC_EXT | FLOW_EXT) are set and then do the RX_CLS_FLOW_DISC flow check
before calling ethtool_get_flow_spec_ring_vf.
> Alternatively, we can also change ethtool_get_flow_spec_ring_vf() to
> check that the cookie is not RX_CLS_FLOW_DISC or RX_CLS_FLOW_WAKE.
That's up to the maintainers.
The existing drivers I checked which use ethtool_get_flow_spec_ring_vf all
explicitly check RX_CLS_FLOW_DISC, so it seems to be an established pattern.
I think we should fix this in the broadcom driver first and if there is a
desire from the maintainers to handle this in ethtool_get_flow_spec_ring_vf,
that can be done as a separate series which updates all of the drivers to
remove the redundant check.
Powered by blists - more mailing lists