Hey Tudor,

I think you're correct in that the existence of the "trusted" state makes
something like this possible.  However, any final patch would have to
take at least the following factors into account:

- You would have to create a new version of the mailbox protocol (i.e. 1.3) 
between the PF and VF drivers to implement the new message.
- This wouldn't be possible if VLAN stripping was enabled since without the LAN 
ID the promiscuous VF wouldn't be able to tell what LAN ID the traffic was 
from. Off the top of my head I'm not sure what the solution would be, maybe 
only allow a VF to become promiscuous if VLAN stripping is disabled and block 
its enablement while any VF is in promiscuous mode?  This would have to be 
looked at in much more detail.
- Due to the replication of the packets I would expect this to have a negative
impact on performance due to the increased bus usage.

Thanks,
-Don

> -----Original Message-----
> From: Tudor Cornea [mailto:tcor...@ixiacom.com]
> Sent: Wednesday, March 02, 2016 8:34 AM
> To: e1000-devel@lists.sourceforge.net
> Subject: [E1000-devel] allowing promiscuous mode between VF interfaces
> for ixgbe
> 
> Hi,
> 
> I have started playing around with an Intel 10 Gigabit controller.
> The full model name is the following:
> Ethernet controller: Intel Corporation Ethernet Controller 10-Gigabit X540-AT2
> 
> I have configured the NIC card to run in SR-IOV mode, and have been trying to
> send some packets between two VM guests.
> 
> I have stumbled upon, what I believe is a limitation of the current ixgbe
> driver.
> Notably, the fact that the ixgbe driver does not allow promiscuous mode
> between two VF interfaces.
> 
> If I were to run, say a VNF inside a VM that requires reading all packets, I
> would not be able to achieve this using the current ixgbe driver.
> 
> By looking into the Intel x540 datasheet [1], it seems that the Intel NIC
> supports this behavior.
> The restriction is in the driver, which does not expose a way to configure
> promiscuous mode for a VF.
> 
> I would like to discuss the possibility of adding support for at least
> allowing a person having administrative rights to the hypervisor to alter the
> existing behavior.
> 
> My idea revolves around using the IFLA_VF_TRUST on the host, in order to
> dictate if a VF should be trusted or not.
> This has been integrated upstream by Hiroshi Shimamoto's patch series
> recently [2].
> 
> An administrator will go to the hypervisor, and set the specific VF to be in
> trusted mode
> 
> E.g:
> 
> ip/ip link set enp5s0f0 vf 1 trust on
> 
> From the guest VM, another user will set the IFF_PROMISC flag for the
> VF interface
> 
> E.g:
> 
> ifconfig eth1 promisc
> 
> At this point, the ixgbevf driver will send a request through the internal
> Mailbox mechanism to the ixgbe driver, which will, in turn configure the
> VMOLR register, so that the VF can receive the required packets.
> 
> It will only do so, if the VF is trusted by the administrator handling the
> hypervisor.
> 
> I am attaching the patch set to this mail thread
> 
> [1] http://www.intel.com/content/www/us/en/embedded/products/networking/ethernet-x540-datasheet.html
> [2] http://lists.osuosl.org/pipermail/intel-wired-lan/Week-of-Mon-20150518/000647.html
> 
> Regards,
> Tudor
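
Added example, not part of the original thread and not ixgbe/ixgbevf code: a small C model of the PF-side policy discussed above, where a VF's promiscuous request is granted only if the host marked it trusted, the new mailbox version was negotiated, and VLAN stripping is off. All type, function and constant names are hypothetical; the real driver would program VMOLR where noted.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical model: names and values below are assumptions, not driver symbols. */
enum mbx_api { MBX_API_12 = 12, MBX_API_13 = 13 };
enum pf_reply { REPLY_ACK, REPLY_NACK_BAD_VF, REPLY_NACK_API,
                REPLY_NACK_UNTRUSTED, REPLY_NACK_VLAN_STRIP };

struct vf_state {
    bool trusted;      /* set only by the host admin (ip link ... vf N trust on) */
    enum mbx_api api;  /* mailbox version negotiated with the VF driver */
    bool promisc;      /* granted by the PF, never set directly by the guest */
};

struct pf_state {
    bool vlan_strip;   /* VLAN stripping enabled on the port */
    size_t num_vfs;
    struct vf_state vf[4];
};

/* PF-side handler for a VF's "set promiscuous" mailbox request. */
enum pf_reply pf_handle_promisc_req(struct pf_state *pf, size_t vf, bool enable)
{
    if (vf >= pf->num_vfs)
        return REPLY_NACK_BAD_VF;
    struct vf_state *v = &pf->vf[vf];
    if (v->api < MBX_API_13)
        return REPLY_NACK_API;         /* message exists only in the new version */
    if (!enable) {
        v->promisc = false;            /* giving up the mode is always allowed */
        return REPLY_ACK;
    }
    if (!v->trusted)
        return REPLY_NACK_UNTRUSTED;   /* a guest-side flag alone is not enough */
    if (pf->vlan_strip)
        return REPLY_NACK_VLAN_STRIP;  /* VLAN tag would be lost on replicated frames */
    v->promisc = true;                 /* real driver: configure VMOLR for this VF */
    return REPLY_ACK;
}

/* Host-side: block enabling VLAN stripping while any VF is promiscuous. */
bool pf_set_vlan_strip(struct pf_state *pf, bool enable)
{
    for (size_t i = 0; enable && i < pf->num_vfs; i++)
        if (pf->vf[i].promisc)
            return false;
    pf->vlan_strip = enable;
    return true;
}
```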

_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel