net/mlx5: enforce limitation on IPv6 next protocol

Due to PRM requirement, the IPv6 header item 'proto' field, indicating
the next header protocol, should not be set as extension header.
This patch adds the relevant validation, and documents the limitation.

Signed-off-by: Dekel Peled <dekelp@nvidia.com>
Acked-by: Ori Kam <orika@nvidia.com>

diff --git a/doc/guides/nics/mlx5.rst b/doc/guides/nics/mlx5.rst
index 9205674..125b987 100644 (file)
--- a/doc/guides/nics/mlx5.rst
+++ b/doc/guides/nics/mlx5.rst
@@ -311,6 +311,13 @@ Limitations
   - The E-Switch Sample flow must have the eswitch_manager VPORT destination (PF or ECPF) and no additional actions.
   - For ConnectX-5, the ``RTE_FLOW_ACTION_TYPE_SAMPLE`` is typically used as first action in the E-Switch egress flow if with header modify or encapsulation actions.
 
+- IPv6 header item 'proto' field, indicating the next header protocol, should
+  not be set as extension header.
+  In case the next header is an extension header, it should not be specified in
+  IPv6 header item 'proto' field.
+  The last extension header item 'next header' field can specify the following
+  header protocol type.
+
 Statistics
 ----------
 

diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 1116ebb..a51a0a8 100644 (file)
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -1977,9 +1977,9 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_item *item,
                                          RTE_FLOW_ERROR_TYPE_ITEM, item,
                                          "IPv6 cannot follow L2/VLAN layer "
                                          "which ether type is not IPv6");
+       if (mask && mask->hdr.proto == UINT8_MAX && spec)
+               next_proto = spec->hdr.proto;
        if (item_flags & MLX5_FLOW_LAYER_IPV6_ENCAP) {
-               if (mask && spec)
-                       next_proto = mask->hdr.proto & spec->hdr.proto;
                if (next_proto == IPPROTO_IPIP || next_proto == IPPROTO_IPV6)
                        return rte_flow_error_set(error, EINVAL,
                                                  RTE_FLOW_ERROR_TYPE_ITEM,
@@ -1987,6 +1987,16 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_item *item,
                                                  "multiple tunnel "
                                                  "not supported");
        }
+       if (next_proto == IPPROTO_HOPOPTS  ||
+           next_proto == IPPROTO_ROUTING  ||
+           next_proto == IPPROTO_FRAGMENT ||
+           next_proto == IPPROTO_ESP      ||
+           next_proto == IPPROTO_AH       ||
+           next_proto == IPPROTO_DSTOPTS)
+               return rte_flow_error_set(error, EINVAL,
+                                         RTE_FLOW_ERROR_TYPE_ITEM, item,
+                                         "IPv6 proto (next header) should "
+                                         "not be set as extension header");
        if (item_flags & MLX5_FLOW_LAYER_IPIP)
                return rte_flow_error_set(error, EINVAL,
                                          RTE_FLOW_ERROR_TYPE_ITEM, item,