ixgbe: add flow control ethertype to the anti-spoofing filter

This patch makes sure that flow control packets initiated by the VF are dropped and reported as spoofed. Flow control packets can be used to limit the throughput or as DOS attack when generated from a VF. Flow control is not supported per VF hence any pause frames generated from a VF are considered malicious. Also cleaned up indentation and some redundant comments. Signed-off-by: N Emil Tantilov <emil.s.tantilov@intel.com> Tested-by: N Krishneil Singh <krishneil.k.singh@intel.com> Signed-off-by: N Jeff Kirsher <jeffrey.t.kirsher@intel.com>

ixgbe: add flow control ethertype to the anti-spoofing filter
This patch makes sure that flow control packets initiated by the VF are dropped and reported as spoofed. Flow control packets can be used to limit the throughput or as DOS attack when generated from a VF. Flow control is not supported per VF hence any pause frames generated from a VF are considered malicious. Also cleaned up indentation and some redundant comments. Signed-off-by: N Emil Tantilov <emil.s.tantilov@intel.com> Tested-by: N Krishneil Singh <krishneil.k.singh@intel.com> Signed-off-by: N Jeff Kirsher <jeffrey.t.kirsher@intel.com>
f079fa00 · Emil Tantilov · Jeff Kirsher · 06a24dd6 · f079fa00 · f079fa00
Showing with 15 addition and 5 deletion

drivers/net/ethernet/intel/ixgbe/ixgbe_main.c drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +11 -5

drivers/net/ethernet/intel/ixgbe/ixgbe_type.h drivers/net/ethernet/intel/ixgbe/ixgbe_type.h +4 -0

未找到文件。
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -3723,14 +3723,20 @@ static void ixgbe_configure_virtualization(struct ixgbe_adapter *adapter)
 	hw->mac.ops.set_mac_anti_spoofing(hw, (adapter->num_vfs != 0),
 					  adapter->num_vfs);

-	/* Ensure LLDP is set for Ethertype Antispoofing if we will be
+	/* Ensure LLDP and FC is set for Ethertype Antispoofing if we will be
 	 * calling set_ethertype_anti_spoofing for each VF in loop below
 	 */
-	if (hw->mac.ops.set_ethertype_anti_spoofing)
+	if (hw->mac.ops.set_ethertype_anti_spoofing) {
 		IXGBE_WRITE_REG(hw, IXGBE_ETQF(IXGBE_ETQF_FILTER_LLDP),
-				(IXGBE_ETQF_FILTER_EN    | /* enable filter */
-				 IXGBE_ETQF_TX_ANTISPOOF | /* tx antispoof */
-				 IXGBE_ETH_P_LLDP));	   /* LLDP eth type */
+				(IXGBE_ETQF_FILTER_EN    |
+				 IXGBE_ETQF_TX_ANTISPOOF |
+				 IXGBE_ETH_P_LLDP));
+
+		IXGBE_WRITE_REG(hw, IXGBE_ETQF(IXGBE_ETQF_FILTER_FC),
+				(IXGBE_ETQF_FILTER_EN |
+				 IXGBE_ETQF_TX_ANTISPOOF |
+				 ETH_P_PAUSE));
+	}

 	/* For VFs that have spoof checking turned off */
 	for (i = 0; i < adapter->num_vfs; i++) {

--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_type.h
@@ -1752,6 +1752,9 @@ enum {
 *    FCoE (0x8906):         Filter 2
 *    1588 (0x88f7):         Filter 3
 *    FIP  (0x8914):         Filter 4
+ *    LLDP (0x88CC):         Filter 5
+ *    LACP (0x8809):         Filter 6
+ *    FC   (0x8808):         Filter 7
 */
 #define IXGBE_ETQF_FILTER_EAPOL          0
 #define IXGBE_ETQF_FILTER_FCOE           2
@@ -1759,6 +1762,7 @@ enum {
 #define IXGBE_ETQF_FILTER_FIP            4
 #define IXGBE_ETQF_FILTER_LLDP		 5
 #define IXGBE_ETQF_FILTER_LACP		 6
+#define IXGBE_ETQF_FILTER_FC		 7

 /* VLAN Control Bit Masks */
 #define IXGBE_VLNCTRL_VET       0x0000FFFF  /* bits 0-15 */