[PATCH v2] ixgbe: make VLAN filter conditional

[PATCH v2] ixgbe: make VLAN filter conditional

[Hiroshi Shimamoto]

From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>

Disable hardware VLAN filtering if netdev->features VLAN flag is dropped.

In SR-IOV case, there is a use case which needs to disable VLAN filter.
For example, we need to make a network function with VF in virtualized
environment. That network function may be a software switch, a router
or etc. It means that that network function will be an end point which
terminates many VLANs.

In the current implementation, VLAN filtering always be turned on and
VF can receive only 63 VLANs. It means that only 63 VLANs can be terminated
in one NIC.

With this patch, if the user turns VLAN filtering off on the host, VF
can receive every VLAN packet.

This VLAN filtering can be turned on or off when SR-IOV is disabled, if not
the operation is rejected.

Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
Reviewed-by: Hayato Momma <h-momma@ce.jp.nec.com>
CC: Choi, Sy Jong <sy.jong.choi@intel.com>
---
 drivers/net/ethernet/intel/ixgbe/ixgbe_main.c  | 23 +++++++++++++++++++++++
 drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c |  4 ++++
 2 files changed, 27 insertions(+)

diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
index f690f5d..9593366 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c
@@ -4081,6 +4081,10 @@ void ixgbe_set_rx_mode(struct net_device *netdev)
 		hw->addr_ctrl.user_set_promisc = false;
 	}
 
+	/* Disable hardware VLAN filter if the feature flag is dropped */
+	if (!(netdev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
+		vlnctrl &= ~(IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);
+
 	/*
 	 * Write addresses to available RAR registers, if there is not
 	 * sufficient space to store all the addresses then enable
@@ -7734,6 +7738,26 @@ static int ixgbe_set_features(struct net_device *netdev,
 	netdev_features_t changed = netdev->features ^ features;
 	bool need_reset = false;
 
+	if (changed & NETIF_F_HW_VLAN_CTAG_FILTER) {
+		int vlan_filter = features & NETIF_F_HW_VLAN_CTAG_FILTER;
+
+		/* Prevent controlling VLAN filter if VFs exist */
+		if (adapter->num_vfs > 0) {
+			e_dev_info("%s HW VLAN filter is not allowed when "
+				   "SR-IOV enabled.\n",
+				   vlan_filter ? "Enabling" : "Disabling");
+			return -EINVAL;
+		}
+		if (!vlan_filter) {
+			e_dev_warn("Disabling HW VLAN filter. All VFs cannot "
+				   "set VLAN filter from VF driver.\n");
+			e_dev_warn("All VLAN packets are delivered to "
+				   "every VF.\n");
+		}
+		/* reset if HW VLAN filter is changed */
+		need_reset = true;
+	}
+
 	/* Make sure RSC matches LRO, reset if change */
 	if (!(features & NETIF_F_LRO)) {
 		if (adapter->flags2 & IXGBE_FLAG2_RSC_ENABLED)
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
index 288f39f..9ad45738 100644
--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
+++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_sriov.c
@@ -839,6 +839,10 @@ static int ixgbe_set_vf_vlan_msg(struct ixgbe_adapter *adapter,
 	u32 bits;
 	u8 tcs = netdev_get_num_tc(adapter->netdev);
 
+	/* Ignore if VLAN filter is disabled */
+	if (!(adapter->netdev->features & NETIF_F_HW_VLAN_CTAG_FILTER))
+		return 0;
+
 	if (adapter->vfinfo[vf].pf_vlan || tcs) {
 		e_warn(drv,
 		       "VF %d attempted to override administratively set VLAN configuration\n"
-- 
2.1.0

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel&#174; Ethernet, visit http://communities.intel.com/community/wired

RE: [PATCH v2] ixgbe: make VLAN filter conditional

[Hiroshi Shimamoto]

> From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
> 
> Disable hardware VLAN filtering if netdev->features VLAN flag is dropped.
> 
> In SR-IOV case, there is a use case which needs to disable VLAN filter.
> For example, we need to make a network function with VF in virtualized
> environment. That network function may be a software switch, a router
> or etc. It means that that network function will be an end point which
> terminates many VLANs.
> 
> In the current implementation, VLAN filtering always be turned on and
> VF can receive only 63 VLANs. It means that only 63 VLANs can be terminated
> in one NIC.
> 
> With this patch, if the user turns VLAN filtering off on the host, VF
> can receive every VLAN packet.
> 
> This VLAN filtering can be turned on or off when SR-IOV is disabled, if not
> the operation is rejected.

Hi,

any comment about this?
I added a warning message and prevent operation during SR-IOV is enabled.


thanks,
Hiroshi

Re: [PATCH v2] ixgbe: make VLAN filter conditional

[Jeff Kirsher]

[-- Attachment #1: Type: text/plain, Size: 1419 bytes --]

On Fri, 2015-03-06 at 06:04 +0000, Hiroshi Shimamoto wrote:
> > From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
> > 
> > Disable hardware VLAN filtering if netdev->features VLAN flag is
> dropped.
> > 
> > In SR-IOV case, there is a use case which needs to disable VLAN
> filter.
> > For example, we need to make a network function with VF in
> virtualized
> > environment. That network function may be a software switch, a
> router
> > or etc. It means that that network function will be an end point
> which
> > terminates many VLANs.
> > 
> > In the current implementation, VLAN filtering always be turned on
> and
> > VF can receive only 63 VLANs. It means that only 63 VLANs can be
> terminated
> > in one NIC.
> > 
> > With this patch, if the user turns VLAN filtering off on the host,
> VF
> > can receive every VLAN packet.
> > 
> > This VLAN filtering can be turned on or off when SR-IOV is disabled,
> if not
> > the operation is rejected.
> 
> Hi,
> 
> any comment about this?
> I added a warning message and prevent operation during SR-IOV is
> enabled.

Yes, the warning message you added says nothing of the huge security
hole this exposes.  We need a message the correctly expresses the
dangers in turning this off.

Also it does not appear that you addressed Ben Hutchings concerns, as I
asked.  Correct me if I am wrong and you did address Ben's concerns.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [PATCH v2] ixgbe: make VLAN filter conditional

[Hiroshi Shimamoto]

> On Fri, 2015-03-06 at 06:04 +0000, Hiroshi Shimamoto wrote:
> > > From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
> > >
> > > Disable hardware VLAN filtering if netdev->features VLAN flag is
> > dropped.
> > >
> > > In SR-IOV case, there is a use case which needs to disable VLAN
> > filter.
> > > For example, we need to make a network function with VF in
> > virtualized
> > > environment. That network function may be a software switch, a
> > router
> > > or etc. It means that that network function will be an end point
> > which
> > > terminates many VLANs.
> > >
> > > In the current implementation, VLAN filtering always be turned on
> > and
> > > VF can receive only 63 VLANs. It means that only 63 VLANs can be
> > terminated
> > > in one NIC.
> > >
> > > With this patch, if the user turns VLAN filtering off on the host,
> > VF
> > > can receive every VLAN packet.
> > >
> > > This VLAN filtering can be turned on or off when SR-IOV is disabled,
> > if not
> > > the operation is rejected.
> >
> > Hi,
> >
> > any comment about this?
> > I added a warning message and prevent operation during SR-IOV is
> > enabled.
> 
> Yes, the warning message you added says nothing of the huge security
> hole this exposes.  We need a message the correctly expresses the
> dangers in turning this off.

hm okay.
Do you mean I should add a message like "this causes SECURITY issue", right?

> 
> Also it does not appear that you addressed Ben Hutchings concerns, as I
> asked.  Correct me if I am wrong and you did address Ben's concerns.

I think Ben's suggestion is to prevent turn VLAN filtering back on during
VFs are used because that breaks guest's behavior.
I added the code that make it impossible. We cannot turn on (or off) if
the NIC has VFs.

thanks,
Hiroshi
------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
E1000-devel mailing list
E1000-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel&#174; Ethernet, visit http://communities.intel.com/community/wired

Re: [PATCH v2] ixgbe: make VLAN filter conditional

[Jeff Kirsher]

[-- Attachment #1: Type: text/plain, Size: 2561 bytes --]

On Fri, 2015-03-06 at 09:46 +0000, Hiroshi Shimamoto wrote:
> > On Fri, 2015-03-06 at 06:04 +0000, Hiroshi Shimamoto wrote:
> > > > From: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
> > > >
> > > > Disable hardware VLAN filtering if netdev->features VLAN flag is
> > > dropped.
> > > >
> > > > In SR-IOV case, there is a use case which needs to disable VLAN
> > > filter.
> > > > For example, we need to make a network function with VF in
> > > virtualized
> > > > environment. That network function may be a software switch, a
> > > router
> > > > or etc. It means that that network function will be an end point
> > > which
> > > > terminates many VLANs.
> > > >
> > > > In the current implementation, VLAN filtering always be turned on
> > > and
> > > > VF can receive only 63 VLANs. It means that only 63 VLANs can be
> > > terminated
> > > > in one NIC.
> > > >
> > > > With this patch, if the user turns VLAN filtering off on the host,
> > > VF
> > > > can receive every VLAN packet.
> > > >
> > > > This VLAN filtering can be turned on or off when SR-IOV is disabled,
> > > if not
> > > > the operation is rejected.
> > >
> > > Hi,
> > >
> > > any comment about this?
> > > I added a warning message and prevent operation during SR-IOV is
> > > enabled.
> > 
> > Yes, the warning message you added says nothing of the huge security
> > hole this exposes.  We need a message the correctly expresses the
> > dangers in turning this off.
> 
> hm okay.
> Do you mean I should add a message like "this causes SECURITY issue", right?

Correct, you will need to notify the user that by turning off VLAN
filtering, this opens up serious security issues.  The message should
well inform the user of the potential dangers, so that if someone gets
hacked or information gets stolen because they turning off VLAN
filtering, that is was due to their choice to turn off this feature and
not a design flaw in the driver.

> > 
> > Also it does not appear that you addressed Ben Hutchings concerns, as I
> > asked.  Correct me if I am wrong and you did address Ben's concerns.
> 
> I think Ben's suggestion is to prevent turn VLAN filtering back on during
> VFs are used because that breaks guest's behavior.
> I added the code that make it impossible. We cannot turn on (or off) if
> the NIC has VFs.

And notify them that one they turn it off, then cannot turn it back on
if the NIC has VFs, so they will remain exposed and will continue to
have serious security issues.

> 
> thanks,
> Hiroshi



[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 819 bytes --]