> -----Original Message----- > From: Vlad Zolotarov [mailto:vladz at cloudius-systems.com] > Sent: Friday, October 23, 2015 4:27 PM > To: Zhang, Helin > Cc: Lu, Wenzhuo; dev at dpdk.org > Subject: Re: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames from VFs > > > > On 10/23/15 10:14, Zhang, Helin wrote: > > > > From: Vladislav Zolotarov [mailto:vladz at cloudius-systems.com] > > Sent: Friday, October 23, 2015 2:57 PM > > To: Zhang, Helin > > Cc: Lu, Wenzhuo; dev at dpdk.org > > Subject: RE: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames > > from VFs > > > > > > On Oct 23, 2015 9:30 AM, "Zhang, Helin" <helin.zhang at intel.com> wrote: > >> > >> > >> From: Vladislav Zolotarov [mailto:vladz at cloudius-systems.com] > >> Sent: Friday, October 23, 2015 2:24 PM > >> To: Zhang, Helin > >> Cc: Lu, Wenzhuo; dev at dpdk.org > >> Subject: Re: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames > >> from VFs > >> > >> > >> On Oct 23, 2015 9:02 AM, "Zhang, Helin" <helin.zhang at intel.com> wrote: > >>> > >>> > >>>> -----Original Message----- > >>>> From: Lu, Wenzhuo > >>>> Sent: Friday, October 23, 2015 1:52 PM > >>>> To: dev at dpdk.org > >>>> Cc: Zhang, Helin; Lu, Wenzhuo > >>>> Subject: [PATCH v4] ixgbe: Drop flow control frames from VFs > >>>> > >>>> This patch will drop flow control frames from being transmitted from > >>>> VSIs. > >>>> With this patch in place a malicious VF cannot send flow control or > >>>> PFC packets out on the wire. > >> The whole idea of this (and similar i40e patches sent before) is really > confusing. > >> If u want to disable FC feature for VFs then go and disable the feature. > >> Why > keep (not malicious) user think that he/she has enabled the feature while u > silently block it? > >> > >> Helin: I don't think disabling FC is equal to filtering out any pause > >> frames. How > about the software application constructs a pause frame and then tries to > send it > out? > > But not disabling FC for the user and silently preventing it is bogus. > > First, the > conventional user should not be affected. I think this patch (and all its > clones) > should be extended to, first, disable the FC Tx feature for the relevant > devices > and only then adding any anti malicious filtering. > > > > Helin: Disabling FC will disable both PF and VF FC, I don't find out where > > can > disable VF FC only. Am I wrong? > > There are flow_ctrl_get/set callbacks in eth_dev_ops which are used for > configuring FC. > I see that they are not set for either ixgbevf or i40evf, so here we are all > set for > these. Helin: The behaviors rely on the hardware capability, but not the SW. I meant I don't think it can support disabling VF FC. Please correct me in case I am wrong!
> > > > >>>> V2: > >>>> Reword the comments. > >>>> > >>>> V3: > >>>> Move the check of set_ethertype_anti_spoofing to the top of the function, > to > >>>> avoid occupying an ethertype_filter entity without using it. > >>>> > >>>> V4: > >>>> Remove the useless braces and return. > >>>> > >>>> Signed-off-by: Wenzhuo Lu <wenzhuo.lu at intel.com> > >>> Acked-by: Helin Zhang <helin.zhang at intel.com> > >>>
