From 491757372f98acbc6aa346730a55ed4cd2bfd676 Mon Sep 17 00:00:00 2001
From: Dekel Peled <dekelp@nvidia.com>
Date: Thu, 15 Oct 2020 17:05:57 +0300
Subject: [PATCH] net/mlx5: enforce limitation on IPv6 next protocol

Due to PRM requirement, the IPv6 header item 'proto' field, indicating
the next header protocol, should not be set as extension header.
This patch adds the relevant validation, and documents the limitation.

Signed-off-by: Dekel Peled <dekelp@nvidia.com>
Acked-by: Ori Kam <orika@nvidia.com>
---
 doc/guides/nics/mlx5.rst     |  7 +++++++
 drivers/net/mlx5/mlx5_flow.c | 14 ++++++++++++--
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/doc/guides/nics/mlx5.rst b/doc/guides/nics/mlx5.rst
index 9205674d3c..125b987eb8 100644
--- a/doc/guides/nics/mlx5.rst
+++ b/doc/guides/nics/mlx5.rst
@@ -311,6 +311,13 @@ Limitations
   - The E-Switch Sample flow must have the eswitch_manager VPORT destination (PF or ECPF) and no additional actions.
   - For ConnectX-5, the ``RTE_FLOW_ACTION_TYPE_SAMPLE`` is typically used as first action in the E-Switch egress flow if with header modify or encapsulation actions.
 
+- IPv6 header item 'proto' field, indicating the next header protocol, should
+  not be set as extension header.
+  In case the next header is an extension header, it should not be specified in
+  IPv6 header item 'proto' field.
+  The last extension header item 'next header' field can specify the following
+  header protocol type.
+
 Statistics
 ----------
 
diff --git a/drivers/net/mlx5/mlx5_flow.c b/drivers/net/mlx5/mlx5_flow.c
index 1116ebb119..a51a0a82bb 100644
--- a/drivers/net/mlx5/mlx5_flow.c
+++ b/drivers/net/mlx5/mlx5_flow.c
@@ -1977,9 +1977,9 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_item *item,
 					  RTE_FLOW_ERROR_TYPE_ITEM, item,
 					  "IPv6 cannot follow L2/VLAN layer "
 					  "which ether type is not IPv6");
+	if (mask && mask->hdr.proto == UINT8_MAX && spec)
+		next_proto = spec->hdr.proto;
 	if (item_flags & MLX5_FLOW_LAYER_IPV6_ENCAP) {
-		if (mask && spec)
-			next_proto = mask->hdr.proto & spec->hdr.proto;
 		if (next_proto == IPPROTO_IPIP || next_proto == IPPROTO_IPV6)
 			return rte_flow_error_set(error, EINVAL,
 						  RTE_FLOW_ERROR_TYPE_ITEM,
@@ -1987,6 +1987,16 @@ mlx5_flow_validate_item_ipv6(const struct rte_flow_item *item,
 						  "multiple tunnel "
 						  "not supported");
 	}
+	if (next_proto == IPPROTO_HOPOPTS  ||
+	    next_proto == IPPROTO_ROUTING  ||
+	    next_proto == IPPROTO_FRAGMENT ||
+	    next_proto == IPPROTO_ESP	   ||
+	    next_proto == IPPROTO_AH	   ||
+	    next_proto == IPPROTO_DSTOPTS)
+		return rte_flow_error_set(error, EINVAL,
+					  RTE_FLOW_ERROR_TYPE_ITEM, item,
+					  "IPv6 proto (next header) should "
+					  "not be set as extension header");
 	if (item_flags & MLX5_FLOW_LAYER_IPIP)
 		return rte_flow_error_set(error, EINVAL,
 					  RTE_FLOW_ERROR_TYPE_ITEM, item,
-- 
2.20.1