Yes, it can cause a security issue if SR-IOV or VMDQ is enabled and you have VM guests on a VLAN.  They will lose VLAN isolation.

 

- Greg

 

From: SURYA NIMMAGADDA [mailto:nscsekhar@users.sf.net]
Sent: Monday, March 24, 2014 6:25 PM
To: [e1000:feature-requests]
Subject: [e1000:feature-requests] Re: #15 Promiscuous Mode in VF

 

We tried by disabling it in ixgbe_set_rx_mode function in the ixgbe driver. And it seems to be working fine (sends tagged packets unfiltered and unstripped). Could this cause any issue I am not aware of?

    if (netdev->flags & IFF_PROMISC) {
            hw->addr_ctrl.user_set_promisc = true;
            fctrl |= (IXGBE_FCTRL_UPE | IXGBE_FCTRL_MPE);
            vmolr |= IXGBE_VMOLR_MPE;
            /* Only disable hardware filter vlans in promiscuous mode
             * if SR-IOV and VMDQ are disabled - otherwise ensure
             * that hardware VLAN filters remain enabled.
             */
    #if 0
            if ((adapter->flags & (IXGBE_FLAG_VMDQ_ENABLED |
                                   IXGBE_FLAG_SRIOV_ENABLED)))
                    vlnctrl |= (IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);
    #endif


[feature-requests:#15] Promiscuous Mode in VF

Status: open
Labels: VF ixgbevf
Created: Sat Nov 23, 2013 12:32 AM UTC by Alan Deikman
Last Updated: Sat Nov 23, 2013 12:32 AM UTC
Owner: nobody

This is with 82599s with Ubuntu 12.04. The version of ixgbe/ixgbevf is 3.11.33.

What we want to do but have been unable to do so far is to create Virtual Machines with a VF that will accept all packets that come down the wire that match one or more VLAN tags. In other words, promiscuous mode for a VLAN. This would allow us to implement an L2 bridge function inside a VM instead of inside the hypervisor.

Some details about the requirements include: We do not need to see traffic generated by other VMs. We do not need to see bad packets (runts, FCS err, etc) in the VM. We do not need to have packets replicated.

The first question is 1) is this functionality supported by the Niantic SR-IOV hardware?

If so, 2) How is this activated via the ixgbevf driver?
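
Added example, not part of this thread or of the ixgbe sources: a host-side check for the combination named in the reply at the top, a physical function in promiscuous mode while SR-IOV VFs are allocated, which is the case where the guarded block in `ixgbe_set_rx_mode` is what keeps hardware VLAN filtering on. It assumes a kernel that exposes `sriov_numvfs` in sysfs; the function name and the directory parameter are illustrative.

```shell
#!/bin/sh
# Audit helper (illustrative): list interfaces that have IFF_PROMISC set
# while SR-IOV virtual functions are allocated on the same device.
# Usage: audit_promisc_sriov            (reads /sys/class/net)
#        audit_promisc_sriov /some/dir  (reads a constructed tree)

IFF_PROMISC=0x100   # interface flag bit from <linux/if.h>

audit_promisc_sriov() {
    net_dir=${1:-/sys/class/net}
    for dev in "$net_dir"/*; do
        # Interface flags are exported as a hex string, e.g. 0x1103.
        [ -r "$dev/flags" ] || continue
        # Only SR-IOV capable PCI functions expose sriov_numvfs.
        [ -r "$dev/device/sriov_numvfs" ] || continue

        flags=$(cat "$dev/flags")
        numvfs=$(cat "$dev/device/sriov_numvfs")

        # Skip anything that does not parse as expected.
        case $flags in 0x*) ;; *) continue ;; esac
        case $numvfs in ''|*[!0-9]*) continue ;; esac

        if [ $(( $flags & $IFF_PROMISC )) -ne 0 ] && [ "$numvfs" -gt 0 ]; then
            echo "${dev##*/}: IFF_PROMISC set with $numvfs VFs enabled"
        fi
    done
    return 0
}
```

Any interface it prints is one where a driver build with the guarded block compiled out would stop applying the hardware VLAN filter to guest traffic.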

