On 2019-08-01 11:40 AM, xiangxia.m....@gmail.com wrote: > From: Tonghao Zhang <xiangxia.m....@gmail.com> > > In some case, we don't want to allow specific tunnel packets > to host that can avoid to take up high CPU (e.g network attacks). > But other tunnel packets which not matched in hardware will be > sent to host too. > > $ tc filter add dev vxlan_sys_4789 \ > protocol ip chain 0 parent ffff: prio 1 handle 1 \ > flower dst_ip 1.1.1.100 ip_proto tcp dst_port 80 \ > enc_dst_ip 2.2.2.100 enc_key_id 100 enc_dst_port 4789 \ > action tunnel_key unset pipe action drop > > Signed-off-by: Tonghao Zhang <xiangxia.m....@gmail.com> > --- > drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c > b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c > index f3ed028..25d423e 100644 > --- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c > +++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c > @@ -2485,7 +2485,8 @@ static bool actions_match_supported(struct mlx5e_priv > *priv, > > if (flow_flag_test(flow, EGRESS) && > !((actions & MLX5_FLOW_CONTEXT_ACTION_DECAP) || > - (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP))) > + (actions & MLX5_FLOW_CONTEXT_ACTION_VLAN_POP) || > + (actions & MLX5_FLOW_CONTEXT_ACTION_DROP))) > return false; > > if (actions & MLX5_FLOW_CONTEXT_ACTION_MOD_HDR) >
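Review bot: In the `flow_flag_test(flow, EGRESS)` condition of actions_match_supported(), the new `MLX5_FLOW_CONTEXT_ACTION_DROP` term accepts every EGRESS flow that carries a drop action, not only the tunnel rule shown in the commit message, and neither the code nor the log says that this is intended. A short comment above the condition stating why an egress flow with drop but without decap or VLAN pop is safe to offload, plus a sentence in the commit message on the wider effect, would make that explicit. As a style point, the three tests could be folded into one mask check, `actions & (MLX5_FLOW_CONTEXT_ACTION_DECAP | MLX5_FLOW_CONTEXT_ACTION_VLAN_POP | MLX5_FLOW_CONTEXT_ACTION_DROP)`, which keeps the condition readable as more actions are allowed.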
thanks!

Reviewed-by: Roi Dayan <r...@mellanox.com>