From: John Fastabend <john.fastabend@gmail.com>
To: Yoann Juet <veilletechno-irts@univ-nantes.fr>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
Yoann Juet <yoann.juet@univ-nantes.fr>
Subject: Re: ixgbe: SR-IOV, macvlan filter on VFs
Date: Thu, 14 Aug 2014 07:47:29 -0700 [thread overview]
Message-ID: <53ECCC01.4050400@gmail.com> (raw)
In-Reply-To: <53ECA5C9.2020904@univ-nantes.fr>
On 08/14/2014 05:04 AM, Yoann Juet wrote:
> Hi all,
>
> We are trying to make VRRP with VMAC address work on VMs using SR-IOV.
> The well known Keepalived VRRP framework implements such a feature with
> a macvlan device per physical interface. In our setup, this means we get
> a new macvlan device per VF. To make it partially work, we first have to
> disable the ixgbe anti-spoofing feature on the PFs that are involved:
>
> ip link set dev <ethX> vf <x> spoofchk off
>
> Now, VIPs' Virtual Mac Address are known from clients (arp answers are
> transmitted). But this is not enough ; VIPs are still not reachable from
> clients as they are attached to a macvlan device. Each time a VMAC is
> set on a macvlan device, we get the following messages:
>
> [674943.437989] ixgbe 0000:04:00.0 eth2: VF 0 requested MACVLAN filter
> but is administratively denied
> [674943.458875] ixgbe 0000:04:00.0 eth2: VF 1 requested MACVLAN filter
> but is administratively denied
>
> Looks like macvlan on VF only works for outbound traffic from VMs.
> Inbound traffic is filtered. Is there a solution to disable macvlan
> filtering on a VF basis ?
>
> Thanks,
> Best Regards,
>
> --
hmm this should work I think.
Did you set the VF mac address at some point with,
ip link set dev DEVICE vf NUM mac ADDR
If not this how did you setup the virtual functions? Manually via
sriov_numvfs? Or via libvirt or other library. Basically there is a
check in the driver to see if the MAC was set via the physical function
and in this case the driver doesn't allow the VF to add/remove any
MAC addresses on the rx filters.
In the ixgbe driver if ixgbe_ndo_set_vf_mac is ever called it sets
the pf_set_mac bit (this is the check) and denies any further mac
updates. This function gets called when ever a netlink IFLA_VF_MAC
attribute is setup. This is what is invoked by the above 'ip link'
command.
Thanks,
John
--
John Fastabend Intel Corporation
next prev parent reply other threads:[~2014-08-14 14:47 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-08-14 12:04 ixgbe: SR-IOV, macvlan filter on VFs Yoann Juet
2014-08-14 14:47 ` John Fastabend [this message]
2014-08-14 15:27 ` Yoann Juet
2014-08-14 15:39 ` John Fastabend
2014-08-14 15:56 ` Yoann Juet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53ECCC01.4050400@gmail.com \
--to=john.fastabend@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=veilletechno-irts@univ-nantes.fr \
--cc=yoann.juet@univ-nantes.fr \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).