lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20260128222718.1679581-1-joe@dama.to>
Date: Wed, 28 Jan 2026 14:27:17 -0800
From: Joe Damato <joe@...a.to>
To: netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Michael Chan <michael.chan@...adcom.com>,
	Pavan Chebbi <pavan.chebbi@...adcom.com>,
	Andrew Lunn <andrew+netdev@...n.ch>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>,
	Paolo Abeni <pabeni@...hat.com>
Cc: shruti.parab@...adcom.com,
	Joe Damato <joe@...a.to>
Subject: [PATCH net-next] bnxt_en: Allow ntuple filters for drops

It appears that in commit 7efd79c0e689 ("bnxt_en: Add drop action
support for ntuple"), bnxt gained support for ntuple filters for packet
drops.

However, support for this does not seem to work in recent kernels or
against net-next:

  % sudo ethtool -U eth0 flow-type udp4 src-ip 1.1.1.1 action -1
    rmgr: Cannot insert RX class rule: Operation not supported
    Cannot insert classification rule

The issue is that the existing code uses ethtool_get_flow_spec_ring_vf,
which will return a non-zero value if the ring_cookie is set to
RX_CLS_FLOW_DISC, which then causes bnxt_add_ntuple_cls_rule to return
-EOPNOTSUPP because it thinks the user is trying to set an ntuple filter
for a vf.

Fix this by first checking that the ring_cookie is not RX_CLS_FLOW_DISC.

After this patch, ntuple filters for drops can be added:

  % sudo ethtool -U eth0 flow-type udp4 src-ip 1.1.1.1 action -1
  Added rule with ID 0

  % ethtool -n eth0
  44 RX rings available
  Total 1 rules

  Filter: 0
  	Rule Type: UDP over IPv4
  	Src IP addr: 1.1.1.1 mask: 0.0.0.0
  	Dest IP addr: 0.0.0.0 mask: 255.255.255.255
  	TOS: 0x0 mask: 0xff
  	Src port: 0 mask: 0xffff
  	Dest port: 0 mask: 0xffff
  	Action: Drop

Signed-off-by: Joe Damato <joe@...a.to>
---
 drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index 6b15fedbb16f..fd32231bf8e0 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -1353,10 +1353,12 @@ static int bnxt_add_ntuple_cls_rule(struct bnxt *bp,
 	if (!bp->vnic_info)
 		return -EAGAIN;
 
-	vf = ethtool_get_flow_spec_ring_vf(fs->ring_cookie);
-	ring = ethtool_get_flow_spec_ring(fs->ring_cookie);
-	if ((fs->flow_type & (FLOW_MAC_EXT | FLOW_EXT)) || vf)
-		return -EOPNOTSUPP;
+	if (fs->ring_cookie != RX_CLS_FLOW_DISC) {
+		vf = ethtool_get_flow_spec_ring_vf(fs->ring_cookie);
+		ring = ethtool_get_flow_spec_ring(fs->ring_cookie);
+		if ((fs->flow_type & (FLOW_MAC_EXT | FLOW_EXT)) || vf)
+			return -EOPNOTSUPP;
+	}
 
 	if (flow_type == IP_USER_FLOW) {
 		if (!bnxt_verify_ntuple_ip4_flow(&fs->h_u.usr_ip4_spec,

base-commit: 239f09e258b906deced5c2a7c1ac8aed301b558b
-- 
2.47.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ