[v2] net/ice: add MAC anti-spoof option
Checks
Commit Message
VRRP advertisement packets are dropped as TX-errors upon transmission from
a vsi of ice PF due to MAC anti-spoof check which is enabled by default.
There is no way to disable this check in the Tx direction to avoid
these packets being dropped.
This patch introduces devargs "mac-anti-spoof" to allow user to
disable MAC anti-spoof check. Disable MAC Anti-spoof check
in the Tx direction to avoid getting dropped as TX-errors upon packet
transmission when their source MAC address matches one of the MAC
addresses assigned to that same NIC port.
Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
---
V2: Addressed Bruce Richardson's feedback
- changed devargs name to "mac-anti-spoof"
- changed devargs member name to "mac_anti_spoof"
- changed macro name to "ICE_MAC_ANTI_SPOOF_ARG"
- set the default value of the devargs to 1
- added NOTICE log msg when MAC Anti-spoof is disabled
- added more code comments to provide clarity
- fixed typo error with ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
doc/guides/nics/ice.rst | 11 +++++++
drivers/net/intel/ice/ice_ethdev.c | 50 +++++++++++++++++++++++++++++-
drivers/net/intel/ice/ice_ethdev.h | 1 +
3 files changed, 61 insertions(+), 1 deletion(-)
Comments
+TO: Ethdev maintainers, regarding new Ethdev APIs
> From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> Sent: Sunday, 16 November 2025 04.58
>
> VRRP advertisement packets are dropped as TX-errors upon transmission
> from
> a vsi of ice PF due to MAC anti-spoof check which is enabled by
> default.
> There is no way to disable this check in the Tx direction to avoid
> these packets being dropped.
>
> This patch introduces devargs "mac-anti-spoof" to allow user to
> disable MAC anti-spoof check. Disable MAC Anti-spoof check
> in the Tx direction to avoid getting dropped as TX-errors upon packet
> transmission when their source MAC address matches one of the MAC
> addresses assigned to that same NIC port.
>
> Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> ---
This is the same story as with Source Prune.
Please disable source-prune filtering by default, and provide an option to enable it.
Also, suggest shortening the devargs name to simply "anti-spoof", like "source-prune"; they both operate on MAC basis.
Let's make something generic instead, to replace those silly devargs.
We have individual Ethdev APIs to enable/disable various Rx filtering, e.g. "promiscuous", "all multicast".
Obviously, we don't want to introduce new APIs for every semi-exotic filter any NIC may offer, like "source prune" and "anti spoof", but we could introduce a set of generic Ethdev APIs to support filters such as these, using a bitfield enum. E.g.:
/* Enable one or more filters. */
int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
/* Disable one or more filters. */
int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
/* Get bit field of filters enabled. */
int64_t rte_ethdev_filter_get(uin16_t port_id);
/* Get bit field of filters supported by device. */
int64_t rte_ethdev_filter_capa(uin16_t port_id); /**/
/** Destination MAC must match NIC's MAC address.
* (This is the inverse of Promiscuous.)
* Default enabled.
*/
#define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
/** Multicast Hash.
* (This is the inverse of All Multicast.)
* Default enabled.
*/
#define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
/** Source Prune.
* [Insert description here.]
*/
#define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
/* Add new Rx filters here, in increasing order. */
/* Add new Tx filters here, in decreasing order. */
/** Anti-Spoof.
* [Insert description here.]
*/
#define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
/** Used for error return values which are negative. */
#define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
Hi Morten Brørup,
Thanks for your mail and review. PFB my answers.
" This is the same story as with Source Prune.
Please disable source-prune filtering by default, and provide an option to enable it.
Also, suggest shortening the devargs name to simply "anti-spoof", like "source-prune"; they both operate on MAC basis."
[Ans]: Source prune is disabled by default and option to enable the same has been already committed:[ https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f36086].
I also wanted to shorten the name to "anti-spoof" but I found something called " vsi->vlan_anti_spoof_on" in the same file.
Hence, to distinguish between them, used "mac-anti-spoof".
Thank you.
Regards,
Anurag M
-----Original Message-----
From: Morten Brørup <mb@smartsharesystems.com>
Sent: 16 November 2025 13:14
To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly <anatoly.burakov@intel.com>; thomas@monjalon.net; andrew.rybchenko@oktetlabs.ru
Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
+TO: Ethdev maintainers, regarding new Ethdev APIs
> From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> Sent: Sunday, 16 November 2025 04.58
>
> VRRP advertisement packets are dropped as TX-errors upon transmission
> from a vsi of ice PF due to MAC anti-spoof check which is enabled by
> default.
> There is no way to disable this check in the Tx direction to avoid
> these packets being dropped.
>
> This patch introduces devargs "mac-anti-spoof" to allow user to
> disable MAC anti-spoof check. Disable MAC Anti-spoof check in the Tx
> direction to avoid getting dropped as TX-errors upon packet
> transmission when their source MAC address matches one of the MAC
> addresses assigned to that same NIC port.
>
> Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> ---
This is the same story as with Source Prune.
Please disable source-prune filtering by default, and provide an option to enable it.
Also, suggest shortening the devargs name to simply "anti-spoof", like "source-prune"; they both operate on MAC basis.
Let's make something generic instead, to replace those silly devargs.
We have individual Ethdev APIs to enable/disable various Rx filtering, e.g. "promiscuous", "all multicast".
Obviously, we don't want to introduce new APIs for every semi-exotic filter any NIC may offer, like "source prune" and "anti spoof", but we could introduce a set of generic Ethdev APIs to support filters such as these, using a bitfield enum. E.g.:
/* Enable one or more filters. */
int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
/* Disable one or more filters. */
int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
/* Get bit field of filters enabled. */
int64_t rte_ethdev_filter_get(uin16_t port_id);
/* Get bit field of filters supported by device. */ int64_t rte_ethdev_filter_capa(uin16_t port_id); /**/
/** Destination MAC must match NIC's MAC address.
* (This is the inverse of Promiscuous.)
* Default enabled.
*/
#define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
/** Multicast Hash.
* (This is the inverse of All Multicast.)
* Default enabled.
*/
#define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
/** Source Prune.
* [Insert description here.]
*/
#define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
/* Add new Rx filters here, in increasing order. */
/* Add new Tx filters here, in decreasing order. */
/** Anti-Spoof.
* [Insert description here.]
*/
#define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
/** Used for error return values which are negative. */
#define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Monday, 17 November 2025 06.22
>
> Hi Morten Brørup,
>
> Thanks for your mail and review. PFB my answers.
>
> " This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an option
> to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis."
>
> [Ans]: Source prune is disabled by default and option to enable the
> same has been already committed:[
> https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74f
> 36086].
Sorry, there was a typo... I meant to write:
Please disable anti-spoof filtering by default, and provide an option to enable it.
Like source-prune.
> I also wanted to shorten the name to "anti-spoof" but I found something
> called " vsi->vlan_anti_spoof_on" in the same file.
> Hence, to distinguish between them, used "mac-anti-spoof".
OK. Then "mac-anti-spoof" is a good choice.
Is support for "vlan-anti-spoof" in the pipeline?
What are your thoughts about the generic Ethdev APIs I suggested, instead of driver specific devargs?
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 16 November 2025 13:14
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson,
> Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> +TO: Ethdev maintainers, regarding new Ethdev APIs
>
> > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > Sent: Sunday, 16 November 2025 04.58
> >
> > VRRP advertisement packets are dropped as TX-errors upon transmission
> > from a vsi of ice PF due to MAC anti-spoof check which is enabled by
> > default.
> > There is no way to disable this check in the Tx direction to avoid
> > these packets being dropped.
> >
> > This patch introduces devargs "mac-anti-spoof" to allow user to
> > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the Tx
> > direction to avoid getting dropped as TX-errors upon packet
> > transmission when their source MAC address matches one of the MAC
> > addresses assigned to that same NIC port.
> >
> > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > ---
>
> This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an option
> to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis.
>
> Let's make something generic instead, to replace those silly devargs.
> We have individual Ethdev APIs to enable/disable various Rx filtering,
> e.g. "promiscuous", "all multicast".
> Obviously, we don't want to introduce new APIs for every semi-exotic
> filter any NIC may offer, like "source prune" and "anti spoof", but we
> could introduce a set of generic Ethdev APIs to support filters such as
> these, using a bitfield enum. E.g.:
>
> /* Enable one or more filters. */
> int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
>
> /* Disable one or more filters. */
> int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
>
> /* Get bit field of filters enabled. */
> int64_t rte_ethdev_filter_get(uin16_t port_id);
>
> /* Get bit field of filters supported by device. */ int64_t
> rte_ethdev_filter_capa(uin16_t port_id); /**/
>
> /** Destination MAC must match NIC's MAC address.
> * (This is the inverse of Promiscuous.)
> * Default enabled.
> */
> #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> /** Multicast Hash.
> * (This is the inverse of All Multicast.)
> * Default enabled.
> */
> #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> /** Source Prune.
> * [Insert description here.]
> */
> #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> /* Add new Rx filters here, in increasing order. */
> /* Add new Tx filters here, in decreasing order. */
> /** Anti-Spoof.
> * [Insert description here.]
> */
> #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
> /** Used for error return values which are negative. */
> #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
Hi Morten Brørup,
Apologies for late reply but as the patch was deferred from DPDK 25.11. Hence, I was waiting.
PFB my answers.
Q1: " Please disable anti-spoof filtering by default, and provide an option to enable it.
Like source-prune."
[Ans]: MAC anti-spoof is enabled by default in kernel ice driver.
Hence, it seems a better idea to make it enabled by default to keep it in sync with kernel and in terms of security.
Q2: " Is support for "vlan-anti-spoof" in the pipeline?"
[Ans]: Not sure but " vlan_anti_spoof_on" is present in code.
Q3: " What are your thoughts about the generic Ethdev APIs I suggested, instead of driver specific devargs?"
[Ans]: It is unlikely that a user would want these mac anti-spoof/src prune to be set/reset dynamically. Hence, it seems devargs likely be a better solution.
Generic Ethdev APIs is a good idea but should be taken separately as it will have much beyond scope than this and would need significant effort.
Also, that again bring the dynamic nature into the picture.
Thank you.
Regards,
Anurag M
-----Original Message-----
From: Morten Brørup <mb@smartsharesystems.com>
Sent: 17 November 2025 14:36
To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly <anatoly.burakov@intel.com>; thomas@monjalon.net; andrew.rybchenko@oktetlabs.ru
Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Monday, 17 November 2025 06.22
>
> Hi Morten Brørup,
>
> Thanks for your mail and review. PFB my answers.
>
> " This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an
> option to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis."
>
> [Ans]: Source prune is disabled by default and option to enable the
> same has been already committed:[
> https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74
> f
> 36086].
Sorry, there was a typo... I meant to write:
Please disable anti-spoof filtering by default, and provide an option to enable it.
Like source-prune.
> I also wanted to shorten the name to "anti-spoof" but I found
> something called " vsi->vlan_anti_spoof_on" in the same file.
> Hence, to distinguish between them, used "mac-anti-spoof".
OK. Then "mac-anti-spoof" is a good choice.
Is support for "vlan-anti-spoof" in the pipeline?
What are your thoughts about the generic Ethdev APIs I suggested, instead of driver specific devargs?
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 16 November 2025 13:14
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> +TO: Ethdev maintainers, regarding new Ethdev APIs
>
> > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > Sent: Sunday, 16 November 2025 04.58
> >
> > VRRP advertisement packets are dropped as TX-errors upon
> > transmission from a vsi of ice PF due to MAC anti-spoof check which
> > is enabled by default.
> > There is no way to disable this check in the Tx direction to avoid
> > these packets being dropped.
> >
> > This patch introduces devargs "mac-anti-spoof" to allow user to
> > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the Tx
> > direction to avoid getting dropped as TX-errors upon packet
> > transmission when their source MAC address matches one of the MAC
> > addresses assigned to that same NIC port.
> >
> > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > ---
>
> This is the same story as with Source Prune.
> Please disable source-prune filtering by default, and provide an
> option to enable it.
> Also, suggest shortening the devargs name to simply "anti-spoof", like
> "source-prune"; they both operate on MAC basis.
>
> Let's make something generic instead, to replace those silly devargs.
> We have individual Ethdev APIs to enable/disable various Rx filtering,
> e.g. "promiscuous", "all multicast".
> Obviously, we don't want to introduce new APIs for every semi-exotic
> filter any NIC may offer, like "source prune" and "anti spoof", but we
> could introduce a set of generic Ethdev APIs to support filters such
> as these, using a bitfield enum. E.g.:
>
> /* Enable one or more filters. */
> int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
>
> /* Disable one or more filters. */
> int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
>
> /* Get bit field of filters enabled. */ int64_t
> rte_ethdev_filter_get(uin16_t port_id);
>
> /* Get bit field of filters supported by device. */ int64_t
> rte_ethdev_filter_capa(uin16_t port_id); /**/
>
> /** Destination MAC must match NIC's MAC address.
> * (This is the inverse of Promiscuous.)
> * Default enabled.
> */
> #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> /** Multicast Hash.
> * (This is the inverse of All Multicast.)
> * Default enabled.
> */
> #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> /** Source Prune.
> * [Insert description here.]
> */
> #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> /* Add new Rx filters here, in increasing order. */
> /* Add new Tx filters here, in decreasing order. */
> /** Anti-Spoof.
> * [Insert description here.]
> */
> #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
> /** Used for error return values which are negative. */
> #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
+TO: Stephen Hemminger, might have some kernel-related insights on this.
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Tuesday, 2 December 2025 09.17
>
> Hi Morten Brørup,
>
> Apologies for late reply but as the patch was deferred from DPDK 25.11.
> Hence, I was waiting.
> PFB my answers.
>
> Q1: " Please disable anti-spoof filtering by default, and provide an
> option to enable it.
> Like source-prune."
> [Ans]: MAC anti-spoof is enabled by default in kernel ice driver.
> Hence, it seems a better idea to make it enabled by default to keep it
> in sync with kernel and in terms of security.
Mac-source-prune is disabled by default in DPDK, although it is enabled by default in the kernel.
Mac-anti-spoof should behave the same way, i.e. disabled by default in DPDK.
Also, consider that the kernel is mainly designed for client/server applications, while DPDK is mainly designed for packet forwarding purposes.
With that in mind, default enabled makes sense for the kernel, and default disabled makes sense for DPDK.
>
> Q2: " Is support for "vlan-anti-spoof" in the pipeline?"
> [Ans]: Not sure but " vlan_anti_spoof_on" is present in code.
OK.
>
> Q3: " What are your thoughts about the generic Ethdev APIs I suggested,
> instead of driver specific devargs?"
> [Ans]: It is unlikely that a user would want these mac anti-spoof/src
> prune to be set/reset dynamically. Hence, it seems devargs likely be a
> better solution.
> Generic Ethdev APIs is a good idea but should be taken separately as it
> will have much beyond scope than this and would need significant
> effort.
> Also, that again bring the dynamic nature into the picture.
Good point about not needing the dynamic ability. I agree with that.
But devargs are somewhat difficult to work with for applications not built for specific ethdev drivers. E.g. our application detects available hardware at runtime, and configures it appropriately. Generic APIs are much easier to work with than individual driver-specific devargs.
So I prefer not to introduce more driver specific devargs.
I acknowledge that my Ethdev API extension idea is feature creep, so I will not make it a hard requirement for this patch.
And when mac-anti-spoof is disabled by default (which I do consider a hard requirement!), the devarg parameter is reduced to something that enables some exotic filter, which I don't object to.
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 17 November 2025 14:36
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson,
> Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > Sent: Monday, 17 November 2025 06.22
> >
> > Hi Morten Brørup,
> >
> > Thanks for your mail and review. PFB my answers.
> >
> > " This is the same story as with Source Prune.
> > Please disable source-prune filtering by default, and provide an
> > option to enable it.
> > Also, suggest shortening the devargs name to simply "anti-spoof",
> like
> > "source-prune"; they both operate on MAC basis."
> >
> > [Ans]: Source prune is disabled by default and option to enable the
> > same has been already committed:[
> >
> https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74
> > f
> > 36086].
>
> Sorry, there was a typo... I meant to write:
> Please disable anti-spoof filtering by default, and provide an option
> to enable it.
> Like source-prune.
>
> > I also wanted to shorten the name to "anti-spoof" but I found
> > something called " vsi->vlan_anti_spoof_on" in the same file.
> > Hence, to distinguish between them, used "mac-anti-spoof".
>
> OK. Then "mac-anti-spoof" is a good choice.
>
> Is support for "vlan-anti-spoof" in the pipeline?
>
> What are your thoughts about the generic Ethdev APIs I suggested,
> instead of driver specific devargs?
>
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
> >
> > -----Original Message-----
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 16 November 2025 13:14
> > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > andrew.rybchenko@oktetlabs.ru
> > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> >
> > +TO: Ethdev maintainers, regarding new Ethdev APIs
> >
> > > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > > Sent: Sunday, 16 November 2025 04.58
> > >
> > > VRRP advertisement packets are dropped as TX-errors upon
> > > transmission from a vsi of ice PF due to MAC anti-spoof check which
> > > is enabled by default.
> > > There is no way to disable this check in the Tx direction to avoid
> > > these packets being dropped.
> > >
> > > This patch introduces devargs "mac-anti-spoof" to allow user to
> > > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the
> Tx
> > > direction to avoid getting dropped as TX-errors upon packet
> > > transmission when their source MAC address matches one of the MAC
> > > addresses assigned to that same NIC port.
> > >
> > > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > > ---
> >
> > This is the same story as with Source Prune.
> > Please disable source-prune filtering by default, and provide an
> > option to enable it.
> > Also, suggest shortening the devargs name to simply "anti-spoof",
> like
> > "source-prune"; they both operate on MAC basis.
> >
> > Let's make something generic instead, to replace those silly devargs.
> > We have individual Ethdev APIs to enable/disable various Rx
> filtering,
> > e.g. "promiscuous", "all multicast".
> > Obviously, we don't want to introduce new APIs for every semi-exotic
> > filter any NIC may offer, like "source prune" and "anti spoof", but
> we
> > could introduce a set of generic Ethdev APIs to support filters such
> > as these, using a bitfield enum. E.g.:
> >
> > /* Enable one or more filters. */
> > int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
> >
> > /* Disable one or more filters. */
> > int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
> >
> > /* Get bit field of filters enabled. */ int64_t
> > rte_ethdev_filter_get(uin16_t port_id);
> >
> > /* Get bit field of filters supported by device. */ int64_t
> > rte_ethdev_filter_capa(uin16_t port_id); /**/
> >
> > /** Destination MAC must match NIC's MAC address.
> > * (This is the inverse of Promiscuous.)
> > * Default enabled.
> > */
> > #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> > /** Multicast Hash.
> > * (This is the inverse of All Multicast.)
> > * Default enabled.
> > */
> > #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> > /** Source Prune.
> > * [Insert description here.]
> > */
> > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> > /* Add new Rx filters here, in increasing order. */
> > /* Add new Tx filters here, in decreasing order. */
> > /** Anti-Spoof.
> > * [Insert description here.]
> > */
> > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
> > /** Used for error return values which are negative. */
> > #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
Hi Morten Brørup,
Ok. I will make Mac-anti-spoof disabled by default, gave option to enable it and send a new patch.
Thank you.
Regards,
Anurag M
-----Original Message-----
From: Morten Brørup <mb@smartsharesystems.com>
Sent: 02 December 2025 14:31
To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly <anatoly.burakov@intel.com>; thomas@monjalon.net; andrew.rybchenko@oktetlabs.ru; Stephen Hemminger <stephen@networkplumber.org>
Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
+TO: Stephen Hemminger, might have some kernel-related insights on this.
> From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> Sent: Tuesday, 2 December 2025 09.17
>
> Hi Morten Brørup,
>
> Apologies for late reply but as the patch was deferred from DPDK 25.11.
> Hence, I was waiting.
> PFB my answers.
>
> Q1: " Please disable anti-spoof filtering by default, and provide an
> option to enable it.
> Like source-prune."
> [Ans]: MAC anti-spoof is enabled by default in kernel ice driver.
> Hence, it seems a better idea to make it enabled by default to keep it
> in sync with kernel and in terms of security.
Mac-source-prune is disabled by default in DPDK, although it is enabled by default in the kernel.
Mac-anti-spoof should behave the same way, i.e. disabled by default in DPDK.
Also, consider that the kernel is mainly designed for client/server applications, while DPDK is mainly designed for packet forwarding purposes.
With that in mind, default enabled makes sense for the kernel, and default disabled makes sense for DPDK.
>
> Q2: " Is support for "vlan-anti-spoof" in the pipeline?"
> [Ans]: Not sure but " vlan_anti_spoof_on" is present in code.
OK.
>
> Q3: " What are your thoughts about the generic Ethdev APIs I
> suggested, instead of driver specific devargs?"
> [Ans]: It is unlikely that a user would want these mac anti-spoof/src
> prune to be set/reset dynamically. Hence, it seems devargs likely be
> a better solution.
> Generic Ethdev APIs is a good idea but should be taken separately as
> it will have much beyond scope than this and would need significant
> effort.
> Also, that again bring the dynamic nature into the picture.
Good point about not needing the dynamic ability. I agree with that.
But devargs are somewhat difficult to work with for applications not built for specific ethdev drivers. E.g. our application detects available hardware at runtime, and configures it appropriately. Generic APIs are much easier to work with than individual driver-specific devargs.
So I prefer not to introduce more driver specific devargs.
I acknowledge that my Ethdev API extension idea is feature creep, so I will not make it a hard requirement for this patch.
And when mac-anti-spoof is disabled by default (which I do consider a hard requirement!), the devarg parameter is reduced to something that enables some exotic filter, which I don't object to.
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 17 November 2025 14:36
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > Sent: Monday, 17 November 2025 06.22
> >
> > Hi Morten Brørup,
> >
> > Thanks for your mail and review. PFB my answers.
> >
> > " This is the same story as with Source Prune.
> > Please disable source-prune filtering by default, and provide an
> > option to enable it.
> > Also, suggest shortening the devargs name to simply "anti-spoof",
> like
> > "source-prune"; they both operate on MAC basis."
> >
> > [Ans]: Source prune is disabled by default and option to enable the
> > same has been already committed:[
> >
> https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74
> > f
> > 36086].
>
> Sorry, there was a typo... I meant to write:
> Please disable anti-spoof filtering by default, and provide an option
> to enable it.
> Like source-prune.
>
> > I also wanted to shorten the name to "anti-spoof" but I found
> > something called " vsi->vlan_anti_spoof_on" in the same file.
> > Hence, to distinguish between them, used "mac-anti-spoof".
>
> OK. Then "mac-anti-spoof" is a good choice.
>
> Is support for "vlan-anti-spoof" in the pipeline?
>
> What are your thoughts about the generic Ethdev APIs I suggested,
> instead of driver specific devargs?
>
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
> >
> > -----Original Message-----
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 16 November 2025 13:14
> > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > andrew.rybchenko@oktetlabs.ru
> > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> >
> > +TO: Ethdev maintainers, regarding new Ethdev APIs
> >
> > > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > > Sent: Sunday, 16 November 2025 04.58
> > >
> > > VRRP advertisement packets are dropped as TX-errors upon
> > > transmission from a vsi of ice PF due to MAC anti-spoof check
> > > which is enabled by default.
> > > There is no way to disable this check in the Tx direction to avoid
> > > these packets being dropped.
> > >
> > > This patch introduces devargs "mac-anti-spoof" to allow user to
> > > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the
> Tx
> > > direction to avoid getting dropped as TX-errors upon packet
> > > transmission when their source MAC address matches one of the MAC
> > > addresses assigned to that same NIC port.
> > >
> > > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > > ---
> >
> > This is the same story as with Source Prune.
> > Please disable source-prune filtering by default, and provide an
> > option to enable it.
> > Also, suggest shortening the devargs name to simply "anti-spoof",
> like
> > "source-prune"; they both operate on MAC basis.
> >
> > Let's make something generic instead, to replace those silly devargs.
> > We have individual Ethdev APIs to enable/disable various Rx
> filtering,
> > e.g. "promiscuous", "all multicast".
> > Obviously, we don't want to introduce new APIs for every semi-exotic
> > filter any NIC may offer, like "source prune" and "anti spoof", but
> we
> > could introduce a set of generic Ethdev APIs to support filters such
> > as these, using a bitfield enum. E.g.:
> >
> > /* Enable one or more filters. */
> > int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
> >
> > /* Disable one or more filters. */
> > int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
> >
> > /* Get bit field of filters enabled. */ int64_t
> > rte_ethdev_filter_get(uin16_t port_id);
> >
> > /* Get bit field of filters supported by device. */ int64_t
> > rte_ethdev_filter_capa(uin16_t port_id); /**/
> >
> > /** Destination MAC must match NIC's MAC address.
> > * (This is the inverse of Promiscuous.)
> > * Default enabled.
> > */
> > #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> > /** Multicast Hash.
> > * (This is the inverse of All Multicast.)
> > * Default enabled.
> > */
> > #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> > /** Source Prune.
> > * [Insert description here.]
> > */
> > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> > /* Add new Rx filters here, in increasing order. */
> > /* Add new Tx filters here, in decreasing order. */
> > /** Anti-Spoof.
> > * [Insert description here.]
> > */
> > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
> > /** Used for error return values which are negative. */
> > #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
Hello,
Top posting makes this thread difficult to follow.
My quick understanding is that it is an offload feature,
and I don't understand why it is not handled as such in ethdev API.
02/12/2025 10:14, Mandal, Anurag:
> Hi Morten Brørup,
>
> Ok. I will make Mac-anti-spoof disabled by default, gave option to enable it and send a new patch.
>
> Thank you.
>
> Regards,
> Anurag M
>
> -----Original Message-----
> From: Morten Brørup <mb@smartsharesystems.com>
> Sent: 02 December 2025 14:31
> To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org; Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly <anatoly.burakov@intel.com>; thomas@monjalon.net; andrew.rybchenko@oktetlabs.ru; Stephen Hemminger <stephen@networkplumber.org>
> Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
>
> +TO: Stephen Hemminger, might have some kernel-related insights on this.
>
> > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > Sent: Tuesday, 2 December 2025 09.17
> >
> > Hi Morten Brørup,
> >
> > Apologies for late reply but as the patch was deferred from DPDK 25.11.
> > Hence, I was waiting.
> > PFB my answers.
> >
> > Q1: " Please disable anti-spoof filtering by default, and provide an
> > option to enable it.
> > Like source-prune."
> > [Ans]: MAC anti-spoof is enabled by default in kernel ice driver.
> > Hence, it seems a better idea to make it enabled by default to keep it
> > in sync with kernel and in terms of security.
>
> Mac-source-prune is disabled by default in DPDK, although it is enabled by default in the kernel.
> Mac-anti-spoof should behave the same way, i.e. disabled by default in DPDK.
>
> Also, consider that the kernel is mainly designed for client/server applications, while DPDK is mainly designed for packet forwarding purposes.
> With that in mind, default enabled makes sense for the kernel, and default disabled makes sense for DPDK.
>
> >
> > Q2: " Is support for "vlan-anti-spoof" in the pipeline?"
> > [Ans]: Not sure but " vlan_anti_spoof_on" is present in code.
>
> OK.
>
> >
> > Q3: " What are your thoughts about the generic Ethdev APIs I
> > suggested, instead of driver specific devargs?"
> > [Ans]: It is unlikely that a user would want these mac anti-spoof/src
> > prune to be set/reset dynamically. Hence, it seems devargs likely be
> > a better solution.
> > Generic Ethdev APIs is a good idea but should be taken separately as
> > it will have much beyond scope than this and would need significant
> > effort.
> > Also, that again bring the dynamic nature into the picture.
>
> Good point about not needing the dynamic ability. I agree with that.
> But devargs are somewhat difficult to work with for applications not built for specific ethdev drivers. E.g. our application detects available hardware at runtime, and configures it appropriately. Generic APIs are much easier to work with than individual driver-specific devargs.
> So I prefer not to introduce more driver specific devargs.
>
> I acknowledge that my Ethdev API extension idea is feature creep, so I will not make it a hard requirement for this patch.
> And when mac-anti-spoof is disabled by default (which I do consider a hard requirement!), the devarg parameter is reduced to something that enables some exotic filter, which I don't object to.
>
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
> >
> > -----Original Message-----
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 17 November 2025 14:36
> > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > andrew.rybchenko@oktetlabs.ru
> > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> >
> > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > Sent: Monday, 17 November 2025 06.22
> > >
> > > Hi Morten Brørup,
> > >
> > > Thanks for your mail and review. PFB my answers.
> > >
> > > " This is the same story as with Source Prune.
> > > Please disable source-prune filtering by default, and provide an
> > > option to enable it.
> > > Also, suggest shortening the devargs name to simply "anti-spoof",
> > like
> > > "source-prune"; they both operate on MAC basis."
> > >
> > > [Ans]: Source prune is disabled by default and option to enable the
> > > same has been already committed:[
> > >
> > https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74
> > > f
> > > 36086].
> >
> > Sorry, there was a typo... I meant to write:
> > Please disable anti-spoof filtering by default, and provide an option
> > to enable it.
> > Like source-prune.
> >
> > > I also wanted to shorten the name to "anti-spoof" but I found
> > > something called " vsi->vlan_anti_spoof_on" in the same file.
> > > Hence, to distinguish between them, used "mac-anti-spoof".
> >
> > OK. Then "mac-anti-spoof" is a good choice.
> >
> > Is support for "vlan-anti-spoof" in the pipeline?
> >
> > What are your thoughts about the generic Ethdev APIs I suggested,
> > instead of driver specific devargs?
> >
> > >
> > > Thank you.
> > >
> > > Regards,
> > > Anurag M
> > >
> > > -----Original Message-----
> > > From: Morten Brørup <mb@smartsharesystems.com>
> > > Sent: 16 November 2025 13:14
> > > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > > andrew.rybchenko@oktetlabs.ru
> > > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> > >
> > > +TO: Ethdev maintainers, regarding new Ethdev APIs
> > >
> > > > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > > > Sent: Sunday, 16 November 2025 04.58
> > > >
> > > > VRRP advertisement packets are dropped as TX-errors upon
> > > > transmission from a vsi of ice PF due to MAC anti-spoof check
> > > > which is enabled by default.
> > > > There is no way to disable this check in the Tx direction to avoid
> > > > these packets being dropped.
> > > >
> > > > This patch introduces devargs "mac-anti-spoof" to allow user to
> > > > disable MAC anti-spoof check. Disable MAC Anti-spoof check in the
> > Tx
> > > > direction to avoid getting dropped as TX-errors upon packet
> > > > transmission when their source MAC address matches one of the MAC
> > > > addresses assigned to that same NIC port.
> > > >
> > > > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > > > ---
> > >
> > > This is the same story as with Source Prune.
> > > Please disable source-prune filtering by default, and provide an
> > > option to enable it.
> > > Also, suggest shortening the devargs name to simply "anti-spoof",
> > like
> > > "source-prune"; they both operate on MAC basis.
> > >
> > > Let's make something generic instead, to replace those silly devargs.
> > > We have individual Ethdev APIs to enable/disable various Rx
> > filtering,
> > > e.g. "promiscuous", "all multicast".
> > > Obviously, we don't want to introduce new APIs for every semi-exotic
> > > filter any NIC may offer, like "source prune" and "anti spoof", but
> > we
> > > could introduce a set of generic Ethdev APIs to support filters such
> > > as these, using a bitfield enum. E.g.:
> > >
> > > /* Enable one or more filters. */
> > > int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
> > >
> > > /* Disable one or more filters. */
> > > int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
> > >
> > > /* Get bit field of filters enabled. */ int64_t
> > > rte_ethdev_filter_get(uin16_t port_id);
> > >
> > > /* Get bit field of filters supported by device. */ int64_t
> > > rte_ethdev_filter_capa(uin16_t port_id); /**/
> > >
> > > /** Destination MAC must match NIC's MAC address.
> > > * (This is the inverse of Promiscuous.)
> > > * Default enabled.
> > > */
> > > #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> > > /** Multicast Hash.
> > > * (This is the inverse of All Multicast.)
> > > * Default enabled.
> > > */
> > > #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> > > /** Source Prune.
> > > * [Insert description here.]
> > > */
> > > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> > > /* Add new Rx filters here, in increasing order. */
> > > /* Add new Tx filters here, in decreasing order. */
> > > /** Anti-Spoof.
> > > * [Insert description here.]
> > > */
> > > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
> > > /** Used for error return values which are negative. */
> > > #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
>
>
> From: Thomas Monjalon [mailto:thomas@monjalon.net]
> Sent: Tuesday, 2 December 2025 15.25
>
> Hello,
>
> Top posting makes this thread difficult to follow.
>
> My quick understanding is that it is an offload feature,
> and I don't understand why it is not handled as such in ethdev API.
Yes, it is. Similar to e.g. "promiscuous mode" is an Rx offload to control which packets are filtered or let through at Rx.
I consider the RTE_ETH_RX_OFFLOAD_xxx and RTE_ETH_TX_OFFLOAD_xxx flags relatively scarce, so I'm very skeptical about using them for relatively exotic offloads like mac-anti-spoof.
We have dedicated Ethdev APIs to control "promiscuous mode", but I'm not sure we want dedicated Ethdev APIs for every filter an NIC vendor can come up with.
Which is why I suggested a generic filter API as an alternative idea.
Maybe we should just consider them offloads, and use RTE_ETH_RX_OFFLOAD_xxx and RTE_ETH_TX_OFFLOAD_xxx flags. Then we can rely on the existing infrastructure for those. My suggested filter API is really just an extension of these.
-Morten
>
>
> 02/12/2025 10:14, Mandal, Anurag:
> > Hi Morten Brørup,
> >
> > Ok. I will make Mac-anti-spoof disabled by default, gave option to
> enable it and send a new patch.
> >
> > Thank you.
> >
> > Regards,
> > Anurag M
> >
> > -----Original Message-----
> > From: Morten Brørup <mb@smartsharesystems.com>
> > Sent: 02 December 2025 14:31
> > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> <anatoly.burakov@intel.com>; thomas@monjalon.net;
> andrew.rybchenko@oktetlabs.ru; Stephen Hemminger
> <stephen@networkplumber.org>
> > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> >
> > +TO: Stephen Hemminger, might have some kernel-related insights on
> this.
> >
> > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > Sent: Tuesday, 2 December 2025 09.17
> > >
> > > Hi Morten Brørup,
> > >
> > > Apologies for late reply but as the patch was deferred from DPDK
> 25.11.
> > > Hence, I was waiting.
> > > PFB my answers.
> > >
> > > Q1: " Please disable anti-spoof filtering by default, and provide
> an
> > > option to enable it.
> > > Like source-prune."
> > > [Ans]: MAC anti-spoof is enabled by default in kernel ice driver.
> > > Hence, it seems a better idea to make it enabled by default to keep
> it
> > > in sync with kernel and in terms of security.
> >
> > Mac-source-prune is disabled by default in DPDK, although it is
> enabled by default in the kernel.
> > Mac-anti-spoof should behave the same way, i.e. disabled by default
> in DPDK.
> >
> > Also, consider that the kernel is mainly designed for client/server
> applications, while DPDK is mainly designed for packet forwarding
> purposes.
> > With that in mind, default enabled makes sense for the kernel, and
> default disabled makes sense for DPDK.
> >
> > >
> > > Q2: " Is support for "vlan-anti-spoof" in the pipeline?"
> > > [Ans]: Not sure but " vlan_anti_spoof_on" is present in code.
> >
> > OK.
> >
> > >
> > > Q3: " What are your thoughts about the generic Ethdev APIs I
> > > suggested, instead of driver specific devargs?"
> > > [Ans]: It is unlikely that a user would want these mac anti-
> spoof/src
> > > prune to be set/reset dynamically. Hence, it seems devargs likely
> be
> > > a better solution.
> > > Generic Ethdev APIs is a good idea but should be taken separately
> as
> > > it will have much beyond scope than this and would need significant
> > > effort.
> > > Also, that again bring the dynamic nature into the picture.
> >
> > Good point about not needing the dynamic ability. I agree with that.
> > But devargs are somewhat difficult to work with for applications not
> built for specific ethdev drivers. E.g. our application detects
> available hardware at runtime, and configures it appropriately. Generic
> APIs are much easier to work with than individual driver-specific
> devargs.
> > So I prefer not to introduce more driver specific devargs.
> >
> > I acknowledge that my Ethdev API extension idea is feature creep, so
> I will not make it a hard requirement for this patch.
> > And when mac-anti-spoof is disabled by default (which I do consider a
> hard requirement!), the devarg parameter is reduced to something that
> enables some exotic filter, which I don't object to.
> >
> > >
> > > Thank you.
> > >
> > > Regards,
> > > Anurag M
> > >
> > > -----Original Message-----
> > > From: Morten Brørup <mb@smartsharesystems.com>
> > > Sent: 17 November 2025 14:36
> > > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > > andrew.rybchenko@oktetlabs.ru
> > > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> > >
> > > > From: Mandal, Anurag [mailto:anurag.mandal@intel.com]
> > > > Sent: Monday, 17 November 2025 06.22
> > > >
> > > > Hi Morten Brørup,
> > > >
> > > > Thanks for your mail and review. PFB my answers.
> > > >
> > > > " This is the same story as with Source Prune.
> > > > Please disable source-prune filtering by default, and provide an
> > > > option to enable it.
> > > > Also, suggest shortening the devargs name to simply "anti-spoof",
> > > like
> > > > "source-prune"; they both operate on MAC basis."
> > > >
> > > > [Ans]: Source prune is disabled by default and option to enable
> the
> > > > same has been already committed:[
> > > >
> > >
> https://github.com/DPDK/dpdk/commit/980c840a646a2c8ae49a291c17baf20a74
> > > > f
> > > > 36086].
> > >
> > > Sorry, there was a typo... I meant to write:
> > > Please disable anti-spoof filtering by default, and provide an
> option
> > > to enable it.
> > > Like source-prune.
> > >
> > > > I also wanted to shorten the name to "anti-spoof" but I found
> > > > something called " vsi->vlan_anti_spoof_on" in the same file.
> > > > Hence, to distinguish between them, used "mac-anti-spoof".
> > >
> > > OK. Then "mac-anti-spoof" is a good choice.
> > >
> > > Is support for "vlan-anti-spoof" in the pipeline?
> > >
> > > What are your thoughts about the generic Ethdev APIs I suggested,
> > > instead of driver specific devargs?
> > >
> > > >
> > > > Thank you.
> > > >
> > > > Regards,
> > > > Anurag M
> > > >
> > > > -----Original Message-----
> > > > From: Morten Brørup <mb@smartsharesystems.com>
> > > > Sent: 16 November 2025 13:14
> > > > To: Mandal, Anurag <anurag.mandal@intel.com>; dev@dpdk.org;
> > > > Richardson, Bruce <bruce.richardson@intel.com>; Burakov, Anatoly
> > > > <anatoly.burakov@intel.com>; thomas@monjalon.net;
> > > > andrew.rybchenko@oktetlabs.ru
> > > > Subject: RE: [PATCH v2] net/ice: add MAC anti-spoof option
> > > >
> > > > +TO: Ethdev maintainers, regarding new Ethdev APIs
> > > >
> > > > > From: Anurag Mandal [mailto:anurag.mandal@intel.com]
> > > > > Sent: Sunday, 16 November 2025 04.58
> > > > >
> > > > > VRRP advertisement packets are dropped as TX-errors upon
> > > > > transmission from a vsi of ice PF due to MAC anti-spoof check
> > > > > which is enabled by default.
> > > > > There is no way to disable this check in the Tx direction to
> avoid
> > > > > these packets being dropped.
> > > > >
> > > > > This patch introduces devargs "mac-anti-spoof" to allow user to
> > > > > disable MAC anti-spoof check. Disable MAC Anti-spoof check in
> the
> > > Tx
> > > > > direction to avoid getting dropped as TX-errors upon packet
> > > > > transmission when their source MAC address matches one of the
> MAC
> > > > > addresses assigned to that same NIC port.
> > > > >
> > > > > Signed-off-by: Anurag Mandal <anurag.mandal@intel.com>
> > > > > ---
> > > >
> > > > This is the same story as with Source Prune.
> > > > Please disable source-prune filtering by default, and provide an
> > > > option to enable it.
> > > > Also, suggest shortening the devargs name to simply "anti-spoof",
> > > like
> > > > "source-prune"; they both operate on MAC basis.
> > > >
> > > > Let's make something generic instead, to replace those silly
> devargs.
> > > > We have individual Ethdev APIs to enable/disable various Rx
> > > filtering,
> > > > e.g. "promiscuous", "all multicast".
> > > > Obviously, we don't want to introduce new APIs for every semi-
> exotic
> > > > filter any NIC may offer, like "source prune" and "anti spoof",
> but
> > > we
> > > > could introduce a set of generic Ethdev APIs to support filters
> such
> > > > as these, using a bitfield enum. E.g.:
> > > >
> > > > /* Enable one or more filters. */
> > > > int rte_ethdev_filter_enable(uin16_t port_id, uint64_t filter);
> > > >
> > > > /* Disable one or more filters. */
> > > > int rte_ethdev_filter_disable(uin16_t port_id, uint64_t filter);
> > > >
> > > > /* Get bit field of filters enabled. */ int64_t
> > > > rte_ethdev_filter_get(uin16_t port_id);
> > > >
> > > > /* Get bit field of filters supported by device. */ int64_t
> > > > rte_ethdev_filter_capa(uin16_t port_id); /**/
> > > >
> > > > /** Destination MAC must match NIC's MAC address.
> > > > * (This is the inverse of Promiscuous.)
> > > > * Default enabled.
> > > > */
> > > > #define RTE_ETH_FILTER_RX_NON_PROMISC RTE_BIT64(0)
> > > > /** Multicast Hash.
> > > > * (This is the inverse of All Multicast.)
> > > > * Default enabled.
> > > > */
> > > > #define RTE_ETH_FILTER_RX_MULTICAST RTE_BIT64(1)
> > > > /** Source Prune.
> > > > * [Insert description here.]
> > > > */
> > > > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(2)
> > > > /* Add new Rx filters here, in increasing order. */
> > > > /* Add new Tx filters here, in decreasing order. */
> > > > /** Anti-Spoof.
> > > > * [Insert description here.]
> > > > */
> > > > #define RTE_ETH_FILTER_RX_SOURCE_PRUNE RTE_BIT64(62)
> > > > /** Used for error return values which are negative. */
> > > > #define RTE_ETH_FILTER_ERROR RTE_BIT64(63)
> >
> >
>
>
>
>
@@ -194,6 +194,17 @@ Runtime Configuration
-a 80:00.0,source-prune=1
+- ``MAC Anti-spoof Disable`` (default ``1``)
+
+ Disable MAC Anti-spoof check in the Tx direction to avoid getting dropped
+ as TX-errors upon packet transmission when their source MAC address
+ matches one of the MAC addresses assigned to that same NIC port.
+
+ MAC Anti-spoof can be disabled by setting the devargs parameter ``mac-anti-spoof``,
+ for example::
+
+ -a 80:00.0,mac-anti-spoof=0
+
- ``Protocol extraction for per queue``
Configure the RX queues to do protocol extraction into mbuf for protocol
@@ -42,6 +42,7 @@
#define ICE_DDP_LOAD_SCHED_ARG "ddp_load_sched_topo"
#define ICE_TM_LEVELS_ARG "tm_sched_levels"
#define ICE_SOURCE_PRUNE_ARG "source-prune"
+#define ICE_MAC_ANTI_SPOOF_ARG "mac-anti-spoof"
#define ICE_LINK_STATE_ON_CLOSE "link_state_on_close"
#define ICE_CYCLECOUNTER_MASK 0xffffffffffffffffULL
@@ -60,6 +61,7 @@ static const char * const ice_valid_args[] = {
ICE_DDP_LOAD_SCHED_ARG,
ICE_TM_LEVELS_ARG,
ICE_SOURCE_PRUNE_ARG,
+ ICE_MAC_ANTI_SPOOF_ARG,
ICE_LINK_STATE_ON_CLOSE,
NULL
};
@@ -1761,13 +1763,52 @@ ice_setup_vsi(struct ice_pf *pf, enum ice_vsi_type type)
/* Source Prune */
if (ad->devargs.source_prune != 1) {
/* Disable source prune to support VRRP
- * when source-prune devarg is not set
+ * when source-prune devargs is not set
*/
vsi_ctx.info.sw_flags =
ICE_AQ_VSI_SW_FLAG_LOCAL_LB;
vsi_ctx.info.sw_flags |=
ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
}
+ /* MAC Anti-spoof */
+ /* MAC anti-spoof check is enabled by default */
+ vsi_ctx.info.sec_flags =
+ ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+
+ /* By default, Source Prune is disabled and
+ * MAC Anti-spoof check is enabled.
+ *
+ * Source Prune is disabled by setting local
+ * loopback with ICE_AQ_VSI_SW_FLAG_LOCAL_LB
+ * flag in the Rx direction.
+ * ICE_AQ_VSI_SW_FLAG_SRC_PRUNE is added to
+ * prevent transmitted packets from being
+ * looped back in some circumstances.
+ *
+ * MAC Anti-spoof check can be disabled by
+ * clearing ICE_AQ_VSI_SW_FLAG_SRC_PRUNE and
+ * ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF
+ * flags and setting Tx loopback with
+ * ICE_AQ_VSI_SW_FLAG_ALLOW_LB flag in the
+ * Tx direction.
+ */
+ if (ad->devargs.mac_anti_spoof == 0) {
+ /* Disable mac anti-spoof check in the
+ * Tx direction to avoid getting dropped
+ * as TX-errors for VRRP support when
+ * mac-anti-spoof devargs is reset
+ */
+ vsi_ctx.info.sw_flags &=
+ ~ICE_AQ_VSI_SW_FLAG_SRC_PRUNE;
+ PMD_INIT_LOG(NOTICE,
+ "Disabling MAC Anti-spoof check "
+ "in Tx direction does not affect "
+ "Source Prune in Rx direction");
+ vsi_ctx.info.sw_flags |=
+ ICE_AQ_VSI_SW_FLAG_ALLOW_LB;
+ vsi_ctx.info.sec_flags &=
+ ~ICE_AQ_VSI_SEC_FLAG_ENA_MAC_ANTI_SPOOF;
+ }
cfg = ICE_AQ_VSI_PROP_SW_VALID;
vsi_ctx.info.valid_sections |= rte_cpu_to_le_16(cfg);
vsi_ctx.info.sw_flags2 = ICE_AQ_VSI_SW_FLAG_LAN_ENA;
@@ -2398,6 +2439,7 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
return -EINVAL;
}
+ ad->devargs.mac_anti_spoof = 1; /* enabled by default */
ad->devargs.proto_xtr_dflt = PROTO_XTR_NONE;
memset(ad->devargs.proto_xtr, PROTO_XTR_NONE,
sizeof(ad->devargs.proto_xtr));
@@ -2467,6 +2509,11 @@ static int ice_parse_devargs(struct rte_eth_dev *dev)
if (ret)
goto bail;
+ ret = rte_kvargs_process(kvlist, ICE_MAC_ANTI_SPOOF_ARG,
+ &parse_bool, &ad->devargs.mac_anti_spoof);
+ if (ret)
+ goto bail;
+
ret = rte_kvargs_process(kvlist, ICE_LINK_STATE_ON_CLOSE,
&parse_link_state_on_close, &ad->devargs.link_state_on_close);
@@ -7732,6 +7779,7 @@ RTE_PMD_REGISTER_PARAM_STRING(net_ice,
ICE_DDP_LOAD_SCHED_ARG "=<0|1>"
ICE_TM_LEVELS_ARG "=<N>"
ICE_SOURCE_PRUNE_ARG "=<0|1>"
+ ICE_MAC_ANTI_SPOOF_ARG "=<0|1>"
ICE_RX_LOW_LATENCY_ARG "=<0|1>"
ICE_LINK_STATE_ON_CLOSE "=<down|up|initial>");
@@ -617,6 +617,7 @@ struct ice_devargs {
uint8_t ddp_load_sched;
uint8_t tm_exposed_levels;
uint8_t source_prune;
+ uint8_t mac_anti_spoof;
int link_state_on_close;
int xtr_field_offs;
uint8_t xtr_flag_offs[PROTO_XTR_MAX];