Date:	Tue, 20 Oct 2015 20:54:45 +0000
From:	"Rose, Gregory V" <gregory.v.rose@...el.com>
To:	Or Gerlitz <gerlitz.or@...il.com>
CC:	David Miller <davem@...emloft.net>,
	"Kirsher, Jeffrey T" <jeffrey.t.kirsher@...el.com>,
	"Singhai, Anjali" <anjali.singhai@...el.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"nhorman@...hat.com" <nhorman@...hat.com>,
	"sassmann@...hat.com" <sassmann@...hat.com>,
	"jogreene@...hat.com" <jogreene@...hat.com>
Subject: RE: [net-next 11/17] i40e: Add promiscuous on VLAN support

> -----Original Message-----
> From: Or Gerlitz [mailto:gerlitz.or@...il.com]
> Sent: Tuesday, October 20, 2015 8:47 AM
> To: Rose, Gregory V
> Cc: David Miller; Kirsher, Jeffrey T; Singhai, Anjali;
> netdev@...r.kernel.org; nhorman@...hat.com; sassmann@...hat.com;
> jogreene@...hat.com
> Subject: Re: [net-next 11/17] i40e: Add promiscuous on VLAN support
> 
> On Tue, Oct 20, 2015 at 6:31 PM, Rose, Gregory V
> <gregory.v.rose@...el.com> wrote:
> 
> >> > NFV use cases require the ability to steer packets to VSIs by VLAN
> >> > tag alone while being in promiscuous mode for multicast and unicast
> >> > MAC addresses.  These two new functions support that ability.
> >> >
> >> > Change-ID: Ifef704b07e0ee8a39d3c351dbd5dc83bb2f63c45
> >> > Signed-off-by: Greg Rose <gregory.v.rose@...el.com>
> >> > Tested-by: Andrew Bowers <andrewx.bowers@...el.com>
> >> > Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@...el.com>
> 
> > The patch(es) that use these functions are not yet prepared.  We will
> > wait until they're ready to submit these patches.  Sorry for the confusion
> > but I was out on vacation and didn't have a chance to coordinate this with
> > Jeff.
> 
> > We needed the VF trust code in the kernel before we could add in these
> > additional patches.  We can work with Anjali to get those now that the VF
> > trust feature is in the kernel.
> 
> Can you please explain your design for supporting VF promiscuous mode?

Sure.

Up until now Intel SR-IOV VF drivers have not been allowed to enter promiscuous mode due to security issues.  Now that the PF driver supports the netdev op to set a VF as "trusted" we will add code to the VF driver to request promiscuous mode if asked to enter promiscuous mode by the OS network stack, IFF_PROMISC. If the VF has been configured as trusted through the PF driver then the PF driver will go ahead and configure the VF for promiscuous mode operation.  It will be full promiscuous mode unless the user has configured VLAN filters.  In that case the promiscuous mode will affect MAC addresses but will still use VLAN tags to steer traffic to the correct VF(s).

This will allow a VF to accept any packet on a VLAN regardless of the MAC destination address and amounts to VLAN tag packet steering.  There are NFV use cases for this type of operation.

I hope this answers your question.  If not I'd be happy to provide more details.

- Greg
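
Added example, not part of the original message and not i40e driver code: a small C model of the policy described above, where the PF grants a VF's promiscuous request only if the VF is trusted, and VLAN filters narrow promiscuous mode to MAC-promiscuous within the configured VLANs. All names (`vf_state`, `pf_handle_promisc_request`, `vf_accepts`) are hypothetical, and treating VLAN ID 0 as "untagged" and always allowing a disable request are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the PF-side decision; not taken from the i40e driver. */
enum vf_rx_mode { VF_RX_FILTERED, VF_RX_PROMISC_FULL, VF_RX_PROMISC_VLAN };

struct vf_state {
    bool trusted;            /* set by the host admin through the PF driver */
    const uint16_t *vlans;   /* VLAN filters configured for this VF */
    size_t n_vlans;
    uint8_t mac[6];          /* the VF's own unicast MAC address */
    enum vf_rx_mode mode;
};

/* The VF driver forwards IFF_PROMISC as a request; the PF decides.
 * Returns true if the request was applied. An untrusted VF is refused
 * and keeps its MAC (and VLAN) filtering. */
bool pf_handle_promisc_request(struct vf_state *vf, bool enable)
{
    if (!enable) {                      /* assumption: leaving is always allowed */
        vf->mode = VF_RX_FILTERED;
        return true;
    }
    if (!vf->trusted)
        return false;
    /* Full promiscuous unless VLAN filters exist; then steer by VLAN tag only. */
    vf->mode = vf->n_vlans ? VF_RX_PROMISC_VLAN : VF_RX_PROMISC_FULL;
    return true;
}

static bool vlan_allowed(const struct vf_state *vf, uint16_t vid)
{
    for (size_t i = 0; i < vf->n_vlans; i++)
        if (vf->vlans[i] == vid)
            return true;
    return false;
}

/* Would a frame with this destination MAC and VLAN ID reach the VF?
 * vid 0 stands for an untagged frame in this model. */
bool vf_accepts(const struct vf_state *vf, const uint8_t dst[6], uint16_t vid)
{
    if (vf->mode == VF_RX_PROMISC_FULL)
        return true;
    if (vf->n_vlans && !vlan_allowed(vf, vid))
        return false;                   /* VLAN steering applies in both other modes */
    return vf->mode == VF_RX_PROMISC_VLAN || memcmp(dst, vf->mac, 6) == 0;
}
```

The model makes the exposure visible: a trusted VF with VLAN filters sees every frame on its VLANs regardless of destination MAC, so the set of VFs marked trusted is the set that can observe other tenants' traffic on those VLANs.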
