Hey Tudor,

I think you're correct in that the existence of the "trusted" state makes something like this possible. However any final patch would have to take at least the following factors into account:

- You would have to create a new version of the mailbox protocol (i.e. 1.3) between the PF and VF drivers to implement the new message.
- This wouldn't be possible if VLAN stripping was enabled since without the LAN ID the promiscuous VF wouldn't be able to tell what LAN ID the traffic was from. Off the top of my head I'm not sure what the solution would be, maybe only allow a VF to become promiscuous if VLAN stripping is disabled and block its enablement while any VF is in promiscuous mode? This would have to be looked at in much more detail.
- Due to the replication of the packets I would expect this to have a negative impact on performance due to the increased bus usage.

Thanks,
-Don

> -----Original Message-----
> From: Tudor Cornea [mailto:tcor...@ixiacom.com]
> Sent: Wednesday, March 02, 2016 8:34 AM
> To: e1000-devel@lists.sourceforge.net
> Subject: [E1000-devel] allowing promiscuous mode between VF interfaces
> for ixgbe
>
> Hi,
>
> I have started playing around with an Intel 10 Gigabit controller.
> The full model name is the following:
> Ethernet controller: Intel Corporation Ethernet Controller 10-Gigabit X540-AT2
>
> I have configured the NIC card to run in SR-IOV mode, and been trying to
> send some packets between two VM guests.
>
> I have stumbled upon, what I believe is a limitation of the current ixgbe
> driver.
> Notably, the fact that the ixgbe driver does not allow promiscuous mode
> between two VF interfaces.
>
> If I were to run, say a VNF inside a VM that requires reading all packets, I
> would not be able to achieve this using the current ixgbe driver.
>
> By looking into the Intel x540 datasheet [1], it seems that the Intel NIC
> supports this behavior.
> The restriction is in the driver, which does not expose a way to configure
> promiscuous mode for a VF.
>
> I would like to discuss the possibility of adding support for at least
> allowing a person having administrative rights to the hypervisor to alter
> the existing behavior.
>
> My idea revolves around using the IFLA_VF_TRUST on the host, in order to
> dictate if a VF should be trusted or not.
> This has been integrated upstream by Hiroshi Shimamoto's patch series
> recently [2].
>
> An administrator will go to the hypervisor, and set the specific VF to be in
> trusted mode
>
> E.g:
>
> ip/ip link set enp5s0f0 vf 1 trust on
>
> From the guest VM, another user will set the IFF_PROMISC flag for the
> VF interface
>
> E.g:
>
> ifconfig eth1 promisc
>
> At this point, the ixgbevf driver will send a request through the internal
> Mailbox mechanism to the ixgbe driver, which will, in turn configure the
> VMOLR register, so that the VF can receive the required packets.
>
> It will only do so, if the VF is trusted by the administrator handling the
> hypervisor.
>
> I am attaching the patch set to this mail thread
>
> [1] http://www.intel.com/content/www/us/en/embedded/products/networking/ethernet-x540-datasheet.html
> [2] http://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20150518/000647.html
>
> Regards,
> Tudor

_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit http://communities.intel.com/community/wired
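
The gating conditions raised in this thread (negotiated mailbox version, admin-set trust, VLAN stripping interlock), modelled as a small PF-side state machine. This is an added example, not code from the thread or from the ixgbe driver; every type, function and constant name is hypothetical, and revoking promiscuous mode when trust is cleared is an assumption of the sketch.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model only, not ixgbe code: every name and value here is an assumption. */
#define NUM_VFS 4
#define MBX_API_13 13        /* assumed ordinal for the proposed mailbox version 1.3 */

enum mbx_reply { MBX_ACK, MBX_NACK };

struct vf_state {
    int  api_version;        /* mailbox version this VF negotiated */
    bool trusted;            /* set only by the host admin (ip link ... trust on) */
    bool promisc;            /* granted by the PF, never set by the VF directly */
};

struct pf_state {
    bool vlan_strip;         /* VLAN stripping enabled */
    struct vf_state vf[NUM_VFS];
};

/* PF-side handler for a VF's promiscuous request: deny unless every gate passes. */
enum mbx_reply pf_handle_promisc_req(struct pf_state *pf, size_t vf, bool enable)
{
    if (vf >= NUM_VFS)
        return MBX_NACK;
    if (!enable) {           /* giving up the privilege is always allowed */
        pf->vf[vf].promisc = false;
        return MBX_ACK;
    }
    if (pf->vf[vf].api_version < MBX_API_13 || !pf->vf[vf].trusted || pf->vlan_strip)
        return MBX_NACK;
    pf->vf[vf].promisc = true;   /* a real PF driver would program VMOLR here */
    return MBX_ACK;
}

/* Host admin changes trust; the grant must not outlive it (sketch assumption). */
void pf_set_trust(struct pf_state *pf, size_t vf, bool trusted)
{
    if (vf >= NUM_VFS)
        return;
    pf->vf[vf].trusted = trusted;
    if (!trusted)
        pf->vf[vf].promisc = false;
}

/* Enabling VLAN stripping is refused while any VF is in promiscuous mode. */
bool pf_set_vlan_strip(struct pf_state *pf, bool enable)
{
    for (size_t i = 0; enable && i < NUM_VFS; i++)
        if (pf->vf[i].promisc)
            return false;
    pf->vlan_strip = enable;
    return true;
}
```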