From: Greg Rose <gregory.v.rose@intel.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: Pawit Pornkitprasan <p.pawit@gmail.com>, <netdev@vger.kernel.org>,
	"Ryousei Takano" <takano-ryousei@aist.go.jp>,
	Amir Vadai <amirv@mellanox.com>
Subject: Re: PROBLEM: Bridging does not work with Mellanox ConnectX-2 (mlx4_en) card in SR-IOV mode
Date: Mon, 24 Jun 2013 09:48:04 -0700
Message-ID: <20130624094804.00003b32@unknown>
In-Reply-To: <20130624084259.4c2211a4@nehalam.linuxnetplumber.net>

On Mon, 24 Jun 2013 08:42:59 -0700
Stephen Hemminger <stephen@networkplumber.org> wrote:

> On Mon, 24 Jun 2013 16:55:00 +0900
> Pawit Pornkitprasan <p.pawit@gmail.com> wrote:
> 
> > [1.] One line summary of the problem:
> > Bridging does not work with Mellanox ConnectX-2 (mlx4_en) card in
> > SR-IOV mode
> 
> For security reasons, SR-IOV cards do not support promiscuous mode
> required for bridging. Also the hardware usually can't do fanout to
> multiple VFs for same unicast packet.

Stephen, technically you're correct but there is a bit of further
clarification required here.  In the case of Intel adapters that
support SR-IOV we do allow MAC promiscuous mode when the physical
function device is bridged.  This, along with the bridge FDB features,
allows for VMs using the SW bridge with virtual interfaces to
communicate with VMs using SR-IOV virtual functions.  However, we leave
the VLAN filtering enabled in the device so that VMs can be isolated
from one another.  So it's not actually promiscuous mode since VLAN
filtering remains enabled, but it does enable promiscuous capture of
MAC addresses.

This feature is something just recently added to Intel adapters to get
around the security problem you mention.

- Greg
