[2/2] net/mlx5: fix isolated mode when repr matching is disabled
Checks
Commit Message
In HW steering mode, when running on an E-Switch setup,
mlx5 PMD provides an ability to enable or disable
representor matching (through `repr_matching_en` device argument).
If representor matching is enabled, any ingress or egress flow rule,
created on any port representor will match traffic related
to that specific port.
If it is disabled, flow rule created on one of the ports,
will match traffic related to all ports.
As a result, when representor matching is disabled,
PMD cannot correctly create control flow rules for receiving
default traffic according to port configuration.
Since each port representor in the same switch domain,
can have different port configuration and flow rules
do not differentiate between ports, these flow rules cannot be
correctly applied.
In that case, each port works in de facto isolated mode.
This patch makes sure that if representor matching is disabled,
port is forced into isolated mode. Disabling flow isolated is forbidden.
Fixes: 483181f7b6dd ("net/mlx5: support device control of representor matching")
Cc: stable@dpdk.org
Signed-off-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
Acked-by: Ori Kam <orika@nvidia.com>
---
doc/guides/nics/mlx5.rst | 3 +++
drivers/net/mlx5/linux/mlx5_os.c | 16 ++++++++++++++++
drivers/net/mlx5/mlx5_flow.c | 4 ++++
3 files changed, 23 insertions(+)
Comments
> -----Original Message-----
> From: Dariusz Sosnowski <dsosnowski@nvidia.com>
> Sent: Sunday, February 26, 2023 4:18 AM
> To: Matan Azrad <matan@nvidia.com>; Slava Ovsiienko
> <viacheslavo@nvidia.com>
> Cc: dev@dpdk.org; stable@dpdk.org; Ori Kam <orika@nvidia.com>
> Subject: [PATCH 2/2] net/mlx5: fix isolated mode when repr matching is disabled
>
> In HW steering mode, when running on an E-Switch setup,
> mlx5 PMD provides an ability to enable or disable representor matching (through
> `repr_matching_en` device argument).
> If representor matching is enabled, any ingress or egress flow rule, created on
> any port representor will match traffic related to that specific port.
> If it is disabled, flow rule created on one of the ports, will match traffic related
> to all ports.
>
> As a result, when representor matching is disabled, PMD cannot correctly create
> control flow rules for receiving default traffic according to port configuration.
> Since each port representor in the same switch domain, can have different port
> configuration and flow rules do not differentiate between ports, these flow
> rules cannot be correctly applied.
> In that case, each port works in de facto isolated mode.
>
> This patch makes sure that if representor matching is disabled, port is forced
> into isolated mode. Disabling flow isolated is forbidden.
>
> Fixes: 483181f7b6dd ("net/mlx5: support device control of representor
> matching")
> Cc: stable@dpdk.org
>
> Signed-off-by: Dariusz Sosnowski <dsosnowski@nvidia.com>
> Acked-by: Ori Kam <orika@nvidia.com>
Acked-by: Suanming Mou <suanmingm@nvidia.com>
Thanks.
@@ -1137,6 +1137,9 @@ for an additional list of options shared with other mlx5 drivers.
- 0. If representor matching is disabled, then there will be no implicit
item added. As a result, ingress flow rules will match traffic
coming to any port, not only the port on which flow rule is created.
+ Because of that, default flow rules for ingress traffic cannot be created
+ and port starts in isolated mode by default. Port cannot be switched back
+ to non-isolated mode.
- 1. If representor matching is enabled (default setting),
then each ingress pattern template has an implicit REPRESENTED_PORT
@@ -1613,6 +1613,22 @@ mlx5_dev_spawn(struct rte_device *dpdk_dev,
err = EINVAL;
goto error;
}
+ /*
+ * If representor matching is disabled, PMD cannot create default flow rules
+ * to receive traffic for all ports, since implicit source port match is not added.
+ * Isolated mode is forced.
+ */
+ if (priv->sh->config.dv_esw_en && !priv->sh->config.repr_matching) {
+ err = mlx5_flow_isolate(eth_dev, 1, NULL);
+ if (err < 0) {
+ err = -err;
+ goto error;
+ }
+ DRV_LOG(WARNING, "port %u ingress traffic is restricted to defined "
+ "flow rules (isolated mode) since representor "
+ "matching is disabled",
+ eth_dev->data->port_id);
+ }
return eth_dev;
#else
DRV_LOG(ERR, "DV support is missing for HWS.");
@@ -8077,6 +8077,10 @@ mlx5_flow_isolate(struct rte_eth_dev *dev,
"port must be stopped first");
return -rte_errno;
}
+ if (!enable && !priv->sh->config.repr_matching)
+ return rte_flow_error_set(error, ENOTSUP, RTE_FLOW_ERROR_TYPE_UNSPECIFIED, NULL,
+ "isolated mode cannot be disabled when "
+ "representor matching is disabled");
priv->isolated = !!enable;
if (enable)
dev->dev_ops = &mlx5_dev_ops_isolate;