#15 Promiscuous Mode in VF

open
nobody
Next_Release_(example)
1
2013-11-23
2013-11-23
Alan Deikman
No

This is with 82599s with Ubuntu 12.04. The version of ixgbe/ixgbevf is 3.11.33.

What we want to do but have been unable to do so far is to create Virtual Machines with a VF that will accept all packets that come down the wire that match one or more VLAN tags. In other words, promiscuous mode for a VLAN. This would allow us to implement an L2 bridge function inside a VM instead of inside the hypervisor.

Some details about the requirements include: We do not need to see traffic generated by other VMs. We do not need to see bad packets (runts, FCS err, etc) in the VM. We do not need to have packets replicated.

The first question is 1) is this functionality supported by the Niantic SR-IOV hardware?

If so, 2) How is this activated via the ixgbevf driver?


Discussion

  • Greg Rose
    2013-11-25

    Promiscuous mode is not supported in 82599 VFs. It is a HW limitation.

    - Greg

    • SURYA NIMMAGADDA

      We tried by disabling it in the ixgbe_set_rx_mode function in the ixgbe driver. And it seems to be working fine (sends tagged packets unfiltered and unstripped). Could this cause any issue I am not aware of?

          if (netdev->flags & IFF_PROMISC) {
                  hw->addr_ctrl.user_set_promisc = true;
                  fctrl |= (IXGBE_FCTRL_UPE | IXGBE_FCTRL_MPE);
                  vmolr |= IXGBE_VMOLR_MPE;
                  /* Only disable hardware filter vlans in promiscuous mode
                   * if SR-IOV and VMDQ are disabled - otherwise ensure
                   * that hardware VLAN filters remain enabled.
                   */
          #if 0   /* guard compiled out by the poster */
                  if ((adapter->flags & (IXGBE_FLAG_VMDQ_ENABLED |
                                         IXGBE_FLAG_SRIOV_ENABLED)))
                          vlnctrl |= (IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);
          #endif

       
      • Greg Rose
        2014-03-25

        Yes, it can cause a security issue if SR-IOV or VMDQ is enabled and you have VM guests on a VLAN. They will lose VLAN isolation.

        - Greg

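Added example, not part of the ticket thread or of the ixgbe driver source: a user-space C model of the guard discussed in the thread, comparing the stock promiscuous branch with the `#if 0` variant while SR-IOV is enabled. The constant values, both function names, the assumption that the VLAN filter bits are clear on entry and that the non-promiscuous path sets VFE, and the single-table acceptance model are simplifications made for this sketch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in values for this sketch; the driver headers hold the real definitions. */
#define IFF_PROMISC              0x100u
#define IXGBE_VLNCTRL_CFIEN      0x20000000u
#define IXGBE_VLNCTRL_VFE        0x40000000u
#define IXGBE_FLAG_VMDQ_ENABLED  (1u << 0)
#define IXGBE_FLAG_SRIOV_ENABLED (1u << 1)

/* VLNCTRL as the posted fragment leaves it. Assumption: both filter bits are
 * clear on entry and the non-promiscuous path (not shown in the thread) sets VFE. */
static uint32_t vlnctrl_after_rx_mode(uint32_t netdev_flags, uint32_t adapter_flags,
                                      bool guard_compiled_out)
{
    uint32_t vlnctrl = 0;
    if (netdev_flags & IFF_PROMISC) {
        if (!guard_compiled_out &&
            (adapter_flags & (IXGBE_FLAG_VMDQ_ENABLED | IXGBE_FLAG_SRIOV_ENABLED)))
            vlnctrl |= (IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);
    } else {
        vlnctrl |= IXGBE_VLNCTRL_VFE;
    }
    return vlnctrl;
}

/* Simplified model: with VFE set a tagged frame passes only if its VLAN ID is
 * in the configured table; with VFE clear the VLAN ID is not checked at all. */
static bool vlan_frame_accepted(uint32_t vlnctrl, uint16_t vid,
                                const uint16_t *table, size_t n)
{
    if (!(vlnctrl & IXGBE_VLNCTRL_VFE))
        return true;
    for (size_t i = 0; i < n; i++)
        if (table[i] == vid)
            return true;
    return false;
}

int main(void)
{
    const uint16_t guest_vlans[] = { 100 };  /* constructed: the only configured VLAN */
    uint32_t stock = vlnctrl_after_rx_mode(IFF_PROMISC, IXGBE_FLAG_SRIOV_ENABLED, false);
    uint32_t patched = vlnctrl_after_rx_mode(IFF_PROMISC, IXGBE_FLAG_SRIOV_ENABLED, true);
    printf("stock:   VLAN 200 accepted = %d\n", vlan_frame_accepted(stock, 200, guest_vlans, 1));
    printf("patched: VLAN 200 accepted = %d\n", vlan_frame_accepted(patched, 200, guest_vlans, 1));
    return 0;
}
```

With the guard in place a frame tagged for an unconfigured VLAN is dropped even in promiscuous mode; with the guard compiled out it is accepted, which is the loss of VLAN isolation described in the reply.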