Re: [PATCH v4] ixgbe: Drop flow control frames from VFs

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Vlad Zolotarov <vladz@cloudius-systems.com>
To: "Zhang, Helin" <helin.zhang@intel.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>
Subject: Re: [PATCH v4] ixgbe: Drop flow control frames from VFs
Date: Fri, 23 Oct 2015 11:27:06 +0300	[thread overview]
Message-ID: <5629EF5A.6040401@cloudius-systems.com> (raw)
In-Reply-To: <F35DEAC7BCE34641BA9FAC6BCA4A12E70A91C6E3@SHSMSX104.ccr.corp.intel.com>



On 10/23/15 10:14, Zhang, Helin wrote:
>
> From: Vladislav Zolotarov [mailto:vladz@cloudius-systems.com]
> Sent: Friday, October 23, 2015 2:57 PM
> To: Zhang, Helin
> Cc: Lu, Wenzhuo; dev@dpdk.org
> Subject: RE: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames from VFs
>
>
> On Oct 23, 2015 9:30 AM, "Zhang, Helin" <helin.zhang@intel.com> wrote:
>>
>>
>> From: Vladislav Zolotarov [mailto:vladz@cloudius-systems.com]
>> Sent: Friday, October 23, 2015 2:24 PM
>> To: Zhang, Helin
>> Cc: Lu, Wenzhuo; dev@dpdk.org
>> Subject: Re: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames from VFs
>>
>>
>> On Oct 23, 2015 9:02 AM, "Zhang, Helin" <helin.zhang@intel.com> wrote:
>>>
>>>
>>>> -----Original Message-----
>>>> From: Lu, Wenzhuo
>>>> Sent: Friday, October 23, 2015 1:52 PM
>>>> To: dev@dpdk.org
>>>> Cc: Zhang, Helin; Lu, Wenzhuo
>>>> Subject: [PATCH v4] ixgbe: Drop flow control frames from VFs
>>>>
>>>> This patch will drop flow control frames from being transmitted from VSIs.
>>>> With this patch in place a malicious VF cannot send flow control or PFC packets
>>>> out on the wire.
>> The whole idea of this (and similar i40e patches sent before) is really confusing.
>> If u want to disable FC feature for VFs then go and disable the feature. Why keep (not malicious) user think that he/she has enabled the feature while u silently block it?
>>
>> Helin: I don't think disabling FC is equal to filtering out any pause frames. How about the software application constructs a pause frame and then tries to send it out?
> But not disabling FC for the user and silently preventing it is bogus. First, the conventional user should not be affected. I think this patch (and all its clones) should be extended to, first, disable the FC Tx feature for the relevant devices and only then adding any anti malicious filtering.
>   
> Helin: Disabling FC will disable both PF and VF FC, I don't find out where can disable VF FC only. Am I wrong?

There are flow_ctrl_get/set callbacks in eth_dev_ops which are used for 
configuring FC.
I see that they are not set for either ixgbevf or i40evf, so here we are 
all set for these.

>
>>>> V2:
>>>> Reword the comments.
>>>>
>>>> V3:
>>>> Move the check of set_ethertype_anti_spoofing to the top of the function, to
>>>> avoid occupying an ethertype_filter entity without using it.
>>>>
>>>> V4:
>>>> Remove the useless braces and return.
>>>>
>>>> Signed-off-by: Wenzhuo Lu <wenzhuo.lu@intel.com>
>>> Acked-by: Helin Zhang <helin.zhang@intel.com>
>>>

next prev parent reply	other threads:[~2015-10-23  8:27 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-10-10  2:56 [PATCH] ixgbe: workaround for Security issue in SR-IOV mode Wenzhuo Lu
2015-10-22  7:34 ` [PATCH v2] ixgbe: Drop flow control frames from VFs Wenzhuo Lu
2015-10-23  2:49   ` Zhang, Helin
2015-10-23  3:26     ` Lu, Wenzhuo
2015-10-23  5:05 ` [PATCH v3] " Wenzhuo Lu
2015-10-23  5:52 ` [PATCH v4] " Wenzhuo Lu
2015-10-23  6:02   ` Zhang, Helin
2015-10-23  6:24     ` Vladislav Zolotarov
2015-10-23  6:30       ` Zhang, Helin
2015-10-23  6:57         ` Vladislav Zolotarov
2015-10-23  7:14           ` Zhang, Helin
2015-10-23  8:27             ` Vlad Zolotarov [this message]
2015-10-23  8:32               ` Zhang, Helin
2015-10-23  9:00                 ` Vlad Zolotarov
2015-10-26  0:47                   ` Zhang, Helin
2015-10-28 16:42     ` Thomas Monjalon

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5629EF5A.6040401@cloudius-systems.com \
    --to=vladz@cloudius-systems.com \
    --cc=dev@dpdk.org \
    --cc=helin.zhang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.