On Wed, Nov 22, 2017 at 9:43 AM, Boris Lukashev <blukas...@sempervictus.com> wrote:
> Good afternoon all, and happy Thanksgiving as applicable. Sofar on IRC
> suggested I reach out to this ML with my inquiry regarding VFIO for
> the x540 ixgbe driver.
>
> Our use case is to run a SecurityOnion instance in a VM atop a
> hardened physical node on 4.9 LTS. The relevant hardware is an Intel
> x540 dual port NIC, of which one port needs to produce a VF that has
> full promiscuous unicast access from the PF. A bunch of searching,
> reading, and parsing Linus' tree later, I figured out that the
> relevant functionality was only recently added to the kernel - after
> the merge window for our LTS (with which we're a bit stuck here since
> grsec doesn't publish their patches anymore). So I took a stab at
> backporting to our revision -
> https://github.com/sempervictus/linux-unofficial_grsec/tree/v4.9.63-even_more_unofficial_grsec%2Bixgbe_and_mtu-backport.

Looking at that tree I don't see how you could be enabling promiscuous mode on a VF since the kernel doesn't even seem to support it on the PF side. You need to look at backporting at least the following commit:

    commit 07eea570acccbc0f9402357d652868571fdbb2b9
    Author: Don Skidmore <donald.c.skidm...@intel.com>
    Date:   Thu Dec 15 21:18:32 2016 -0500

        ixgbe: Add PF support for VF promiscuous mode

        This patch extends the xcast mailbox message to include support for
        unicast promiscuous mode. To allow a VF to enter this mode the PF must
        be in promiscuous mode. A later patch will add the support needed in
        the VF driver (ixgbevf)

        Signed-off-by: Don Skidmore <donald.c.skidm...@intel.com>
        Tested-by: Andrew Bowers <andrewx.bow...@intel.com>
        Signed-off-by: Jeff Kirsher <jeffrey.t.kirs...@intel.com>

I'm sure there may be other patches that are missing, but at least that is a start for what you need in order to support promiscuous mode on a VF.

> However, even with the host running a slightly expanded version of the
> tree I linked, and the VF in trusted mode, set to promisc, it still
> only pulls the multicast/broadcast traffic. Even without the VM and
> potential interference from nwfilter, the VF simply doesn't show the
> traffic seen on the PF via tcpdump.

If you are missing the patch I called out above that would make sense, since you never actually get the VF into promiscuous mode. In addition you have to have the PF in promiscuous mode for any of the VFs to have access to it. What should happen is that the packets being routed to the PF that don't match any of its unicast/multicast filters will be routed to the VF once promiscuous mode is enabled.

> I'm assuming that I'm doing something wrong here in my portage
> efforts, or missing some action in userspace needed to enable the 1.3
> API functions. Could someone familiar with SRIOV/VFIO for ixgbe please
> take a look and lend a hand?
> I seem to have stumbled into a somewhat
> poorly documented/rapidly evolving set of functions on the Intel side
> of things (generally use Mellanox for this stuff in the OpenStack
> world), and am rather stumped at the moment.
>
> Thanks for all the Open Source stuff you guys do, and any assistance
> you may be able to lend.
>
> --
> Boris Lukashev
> Systems Architect
> Semper Victus

Hope this helps to get you going in the right direction.

- Alex

_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit http://communities.intel.com/community/wired
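The host-side sequence Alex describes (PF in promiscuous mode, VF trusted, then the VF asking for promiscuous mode through the xcast mailbox) is easy to get half right, and the symptom is exactly what Boris reports: multicast/broadcast arrives on the VF, unicast does not. The script below is an added example written for this thread, not code from the original mails or from the ixgbe driver. It uses only standard iproute2 and sysfs knobs; the interface name enp4s0f0, VF index 0 and the MAC addresses in the sample output are assumptions and constructed data. It defaults to dry-run so it can be read and run offline; set DRY_RUN=0 on the real host. The check at the end parses `ip link show` output for the two host-side preconditions so you can confirm them before blaming the backport.

```shell
#!/bin/sh
# Added example for the e1000-devel thread on x540 VF promiscuous mode.
# Assumptions (not from the original mails): PF is enp4s0f0, VF index 0.
PF="${PF:-enp4s0f0}"
VF_IDX="${VF_IDX:-0}"
DRY_RUN="${DRY_RUN:-1}"

# Print commands instead of executing them unless DRY_RUN=0.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'would run: %s\n' "$*"
    else
        "$@"
    fi
}

# Host side: everything the PF driver needs before a VF may enter
# unicast promiscuous mode (per commit 07eea570, the PF itself must be
# promiscuous; the VF additionally has to be marked trusted).
host_prepare_vf_promisc() {
    run sh -c "echo 1 > /sys/class/net/$PF/device/sriov_numvfs"
    run ip link set dev "$PF" promisc on
    run ip link set dev "$PF" vf "$VF_IDX" trust on
}

# Guest side (ixgbevf inside the SecurityOnion VM): request promiscuous
# mode on the VF netdev; this is what triggers the xcast mailbox message.
# The guest interface name is an assumption.
guest_enable_promisc() {
    vf_if="${1:-ens3}"
    run ip link set dev "$vf_if" promisc on
}

# Verify the two host-side preconditions from `ip link show dev $PF`
# output passed as $1, for VF index $2. Returns 0 only if the PF carries
# the PROMISC flag and the VF line reports "trust on".
check_host_ready() {
    ip_out="$1"
    vf="$2"
    printf '%s\n' "$ip_out" | grep -q '<[^>]*PROMISC[^>]*>' || return 1
    printf '%s\n' "$ip_out" | grep -q "^[[:space:]]*vf $vf .*trust on" || return 1
    return 0
}

# Constructed sample output (MACs are fake) in the iproute2 format the
# ixgbe PF produces once both settings are applied.
SAMPLE_READY='4: enp4s0f0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether a0:36:9f:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust on'

# Same host with the PF not promiscuous and the VF untrusted: the VF
# will only ever see multicast/broadcast in this state.
SAMPLE_NOT_READY='4: enp4s0f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000
    link/ether a0:36:9f:00:00:01 brd ff:ff:ff:ff:ff:ff
    vf 0     link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff, spoof checking on, link-state auto, trust off'

host_prepare_vf_promisc
guest_enable_promisc ens3
if [ "$DRY_RUN" = "0" ]; then
    check_host_ready "$(ip link show dev "$PF")" "$VF_IDX" \
        && echo "PF promisc + VF trust: OK" \
        || echo "PF promisc + VF trust: NOT ready"
fi
```

Even with both preconditions met, tcpdump on the VF is not a mirror of the PF: as Alex notes, only frames that miss the PF's own unicast/multicast filters are forwarded to the promiscuous VF, so traffic addressed to the PF's MAC will still be absent from the VF capture.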