Message-ID: <20130624094804.00003b32@unknown>
Date: Mon, 24 Jun 2013 09:48:04 -0700
From: Greg Rose <gregory.v.rose@...el.com>
To: Stephen Hemminger <stephen@...workplumber.org>
CC: Pawit Pornkitprasan <p.pawit@...il.com>, <netdev@...r.kernel.org>,
"Ryousei Takano" <takano-ryousei@...t.go.jp>,
Amir Vadai <amirv@...lanox.com>
Subject: Re: PROBLEM: Bridging does not work with Mellanox ConnectX-2
(mlx4_en) card in SR-IOV mode

On Mon, 24 Jun 2013 08:42:59 -0700
Stephen Hemminger <stephen@...workplumber.org> wrote:
> On Mon, 24 Jun 2013 16:55:00 +0900
> Pawit Pornkitprasan <p.pawit@...il.com> wrote:
>
> > [1.] One line summary of the problem:
> > Bridging does not work with Mellanox ConnectX-2 (mlx4_en) card in
> > SR-IOV mode
>
> For security reasons, SR-IOV cards do not support promiscuous mode
> required for bridging. Also the hardware usually can't do fanout to
> multiple VF's for same unicast packet.

Stephen, technically you're correct but there is a bit of further
clarification required here. In the case of Intel adapters that
support SR-IOV we do allow MAC promiscuous mode when the physical
function device is bridged. This, along with the bridge FDB features,
allows for VMs using the SW bridge with virtual interfaces to
communicate with VMs using SR-IOV virtual functions. However, we leave
the VLAN filtering enabled in the device so that VMs can be isolated
from one another. So it's not actually promiscuous mode since VLAN
filtering remains enabled, but it does enable promiscuous capture of
MAC addresses.

This feature is something just recently added to Intel adapters to get
around the security problem you mention.

- Greg

> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
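
Added example, not code from this thread or from any driver: a simplified C model of the receive filtering described in the reply above, where a bridged PF accepts unknown unicast MACs while VLAN filtering stays on. The struct layout, the classify() function, the verdict values and the sample MACs/VLANs are all assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { DROP = -1, TO_PF = -2 };      /* a value >= 0 is a VF index */
struct vf  { uint8_t mac[6]; uint16_t vlan; };
struct nic {
    const struct vf *vfs;      size_t n_vfs;
    const uint16_t *pf_vlans;  size_t n_pf_vlans; /* PF VLAN filter table */
    bool pf_mac_promisc;       /* assumed set when the PF joins a bridge */
};

static bool pf_vlan_allowed(const struct nic *n, uint16_t vlan)
{
    for (size_t i = 0; i < n->n_pf_vlans; i++)
        if (n->pf_vlans[i] == vlan)
            return true;
    return false;
}

/* Decide where a unicast frame (destination MAC, VLAN id) is delivered. */
int classify(const struct nic *n, const uint8_t dst[6], uint16_t vlan)
{
    for (size_t i = 0; i < n->n_vfs; i++)
        if (memcmp(n->vfs[i].mac, dst, 6) == 0)   /* MAC belongs to a VF */
            return n->vfs[i].vlan == vlan ? (int)i : DROP;
    /* Unknown MAC (e.g. a VM behind the software bridge): only a
     * MAC-promiscuous PF takes it, and only on a VLAN it still filters in. */
    if (n->pf_mac_promisc && pf_vlan_allowed(n, vlan))
        return TO_PF;
    return DROP;
}

/* Constructed sample setup: two VFs on VLANs 10 and 20, PF allows VLAN 10. */
static const struct vf VFS[] = {
    { {0x02, 0, 0, 0, 0, 0x01}, 10 },
    { {0x02, 0, 0, 0, 0, 0x02}, 20 },
};
static const uint16_t PF_VLANS[] = { 10 };
static const struct nic BRIDGED   = { VFS, 2, PF_VLANS, 1, true };
static const struct nic UNBRIDGED = { VFS, 2, PF_VLANS, 1, false };
static const uint8_t SW_VM_MAC[6] = { 0x02, 0, 0, 0, 0, 0xaa };

int main(void)
{
    printf("bridged, unknown MAC, VLAN 10: %d\n", classify(&BRIDGED, SW_VM_MAC, 10));
    printf("bridged, unknown MAC, VLAN 20: %d\n", classify(&BRIDGED, SW_VM_MAC, 20));
    return 0;
}
```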