lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <C5551D9AAB213A418B7FD5E4A6F30A078942ABD6@ORSMSX108.amr.corp.intel.com>
Date:	Tue, 20 Oct 2015 20:54:45 +0000
From:	"Rose, Gregory V" <gregory.v.rose@...el.com>
To:	Or Gerlitz <gerlitz.or@...il.com>
CC:	David Miller <davem@...emloft.net>,
	"Kirsher, Jeffrey T" <jeffrey.t.kirsher@...el.com>,
	"Singhai, Anjali" <anjali.singhai@...el.com>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	"nhorman@...hat.com" <nhorman@...hat.com>,
	"sassmann@...hat.com" <sassmann@...hat.com>,
	"jogreene@...hat.com" <jogreene@...hat.com>
Subject: RE: [net-next 11/17] i40e: Add promiscuous on VLAN support

> -----Original Message-----
> From: Or Gerlitz [mailto:gerlitz.or@...il.com]
> Sent: Tuesday, October 20, 2015 8:47 AM
> To: Rose, Gregory V
> Cc: David Miller; Kirsher, Jeffrey T; Singhai, Anjali;
> netdev@...r.kernel.org; nhorman@...hat.com; sassmann@...hat.com;
> jogreene@...hat.com
> Subject: Re: [net-next 11/17] i40e: Add promiscuous on VLAN support
> 
> On Tue, Oct 20, 2015 at 6:31 PM, Rose, Gregory V
> <gregory.v.rose@...el.com> wrote:
> 
> >> > NFV use cases require the ability to steer packets to VSIs by VLAN
> >> > tag alone while being in promiscuous mode for multicast and unicast
> >> > MAC addresses.  These two new functions support that ability.
> >> >
> >> > Change-ID: Ifef704b07e0ee8a39d3c351dbd5dc83bb2f63c45
> >> > Signed-off-by: Greg Rose <gregory.v.rose@...el.com>
> >> > Tested-by: Andrew Bowers <andrewx.bowers@...el.com>
> >> > Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@...el.com>
> 
> > The patch(es) that use these functions are not yet prepared.  We will
> wait until they're ready to submit these patches.  Sorry for the confusion
> but I was out on vacation and didn't have a chance to coordinate this with
> Jeff.
> 
> > We needed the VF trust code in the kernel before we could add in these
> additional patches.  We can work with Anjali to get those now that the VF
> trust feature is in the kernel.
> 
> Can you please explain your design for supporting VF promiscuous mode?

Sure.

Up until now Intel SR-IOV VF drivers have not been allowed to enter promiscuous mode due to security issues.  Now that the PF driver supports the netdev op to set a VF as "trusted" we will add code to the VF driver to request promiscuous mode if asked to enter promiscuous mode by the OS network stack, IFF_PROMISC. If the VF has been configured as trusted through the PF driver then the PF driver will go ahead and configure the VF for promiscuous mode operation.  It will be full promiscuous mode unless the user has configured VLAN filters.  In that case the promiscuous mode will affect MAC addresses but will still use VLAN tags to steer traffic to the correct VF(s).

This will allow a VF to accept any packet on a VLAN regardless of the MAC destination address and amounts to VLAN tag packet steering.  There are NFV use cases for this type of operation.

I hope this answers your question.  If not I'd be happy to provide more details.

- Greg

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ