Friday, November 1, 2019 3:25 PM, Jerin Jacob: > Subject: Re: [dpdk-dev] [PATCH v2 0/3] ethdev: configure SR-IOV VF from > host > > On Fri, Nov 1, 2019 at 6:03 AM Thomas Monjalon <tho...@monjalon.net> > wrote: > > > > 30/10/2019 10:15, Jerin Jacob: > > > On Wed, Oct 30, 2019 at 2:26 PM Thomas Monjalon > <tho...@monjalon.net> wrote: > > > > > > > > 30/10/2019 05:08, Jerin Jacob: > > > > > On Wed, Oct 30, 2019 at 12:21 AM Thomas Monjalon > <tho...@monjalon.net> wrote: > > > > > > > > > > > > In a virtual environment, the network controller may have to > > > > > > configure some SR-IOV VF parameters for security reasons. > > > > > > > > > > Just to understand, Could you explain more details/examples for > > > > > security reasons? > > > > > > > > Examples are setting the MAC address or the promiscuous mode. > > > > These settings should be decided by the hypervisor, and not freely > > > > set by the VM. > > > > > > What is hypervisor here, rte_flow based DPDK application over using > > > port representor? > > > > Yes, something like that. An example is OpenStack/OVS. > > So it is more of an orchestration primitive. Not the security primitive as > mentioned above,
Yes this feature is to support deployment w/ OpenStack and DPDK vSwitch using switchdev (representors). One must configure the guest VF permanent MAC. w/ OVS kernel this is not an issue as all drivers bind to their kernel module. w/ DPDK standard API is needed. w/ Switchdev, even though the VF are promisc, all traffic is validated by the vSwitch running on the HV. Only after flow validation vSwitch will insert rule for device to directly fwd the packet to its target location. Because in case the kernel will approve the data set from > the guest. Right? The exact behavior is device specific. But the kernel/user space driver on the HV is required to listen to events of recv mode change from VF and act upon. All recv mode modification by guest should be validated by kernel, however this is a completely diff issue than what discussed here.
