Public bug reported:

Some NFV test cases require the source MAC address to be filled in by
the application, so when the packets reach the SRIOV eswitch, the source
MAC address is not the VF's MAC address. If the SRIOV NIC's MAC
anti-spoofing check is enabled, the packets will be dropped, which is
not desired.

The solution is to disable the MAC-anti-spoofing check. I noticed that the
following bp introduces the ability to control the SRIOV MAC-anti-spoofing check:
https://specs.openstack.org/openstack/neutron-specs/specs/liberty/sriov-spoofchk.html
And the implementation was done by the following submission:
https://review.openstack.org/#/c/192065/

But the implementation is not compatible if the port_security extension driver
is not configured.
For example, I use Mellanox SRIOV NICs, where the MAC-anti-spoofing check is
disabled by default
(http://www.mellanox.com/related-docs/prod_software/Mellanox_EN_for_Linux_User_Manual_v3_40.pdf),
so before Liberty the VF's MAC-anti-spoofing check is DISABLED and the NFV
application can specify the source MAC of the outbound packets. After Liberty,
the sriov-nic-agent will enable the MAC-anti-spoofing check, NO MATTER whether
the port_security extension driver is configured or not. See the following
code: spoofcheck has a default value, and the value is True, which means the
spoof check will always be enabled unless port_security_enabled is explicitly
assigned False:

    def treat_devices_added_updated(self, devices):
        ....
                    spoofcheck = device_details.get('port_security_enabled', True)

        ....

As I understand it, when the port_security extension is not configured, there
is no ability to control the SRIOV MAC-anti-spoofing check, and the behavior of
the NICs should be left as it is. It's not reasonable to enable the
MAC-anti-spoofing check by default.
When the port_security extension is not configured, the behavior should be
compatible with the version before Liberty.

** Affects: neutron
     Importance: Undecided
         Status: New


** Tags: sriov-pci-pt

https://bugs.launchpad.net/bugs/1654960

Title:
  SRIOV VF MAC-anti-spoofing check behavior not compatible when
  port_security extension not configured

Status in neutron:
  New
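
Added example (not part of the bug report and not neutron's code): the Liberty default quoted in the report next to the tri-state handling the report asks for, where a missing port_security_enabled key leaves the VF's spoof-check setting untouched. The function names, the PF name enp3s0f0 and the sample device_details dicts are assumptions made for illustration.

```python
# Added illustration; not neutron code. All names below are hypothetical.
from typing import List, Optional


def liberty_spoofcheck(device_details: dict) -> bool:
    """Behaviour quoted in the report: a missing key falls back to True."""
    return device_details.get('port_security_enabled', True)


def requested_spoofcheck(device_details: dict) -> Optional[bool]:
    """Behaviour the report asks for: a missing key means 'no opinion'.

    Returns True/False when port_security_enabled is present, and None when
    the port_security extension driver did not supply it.
    """
    if 'port_security_enabled' not in device_details:
        return None
    return bool(device_details['port_security_enabled'])


def spoofchk_command(pf: str, vf_index: int,
                     spoofcheck: Optional[bool]) -> Optional[List[str]]:
    """Build the iproute2 call for a VF, or None to leave the NIC as it is."""
    if spoofcheck is None:
        return None
    return ['ip', 'link', 'set', pf, 'vf', str(vf_index),
            'spoofchk', 'on' if spoofcheck else 'off']


# Constructed sample inputs (not captured from a real agent).
SAMPLES = {
    'extension not configured': {'device': 'fa:16:3e:00:00:01'},
    'port security enabled': {'device': 'fa:16:3e:00:00:02',
                              'port_security_enabled': True},
    'port security disabled': {'device': 'fa:16:3e:00:00:03',
                               'port_security_enabled': False},
}


def compare(pf: str = 'enp3s0f0', vf_index: int = 0) -> dict:
    """Map each sample to (command under Liberty, command as requested)."""
    return {label: (spoofchk_command(pf, vf_index, liberty_spoofcheck(d)),
                    spoofchk_command(pf, vf_index, requested_spoofcheck(d)))
            for label, d in SAMPLES.items()}


if __name__ == '__main__':
    for label, (liberty, requested) in compare().items():
        print(f'{label}: liberty={liberty} requested={requested}')
```

Only the first sample differs between the two columns: the Liberty default turns spoofchk on, while the requested handling issues no command and the NIC keeps its driver default.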
