> -----Original Message----- > From: Vlad Zolotarov [mailto:vladz at cloudius-systems.com] > Sent: Friday, October 23, 2015 5:00 PM > To: Zhang, Helin > Cc: Lu, Wenzhuo; dev at dpdk.org > Subject: Re: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames from VFs > > > > On 10/23/15 11:32, Zhang, Helin wrote: > > > >> -----Original Message----- > >> From: Vlad Zolotarov [mailto:vladz at cloudius-systems.com] > >> Sent: Friday, October 23, 2015 4:27 PM > >> To: Zhang, Helin > >> Cc: Lu, Wenzhuo; dev at dpdk.org > >> Subject: Re: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames > >> from VFs > >> > >> > >> > >> On 10/23/15 10:14, Zhang, Helin wrote: > >>> From: Vladislav Zolotarov [mailto:vladz at cloudius-systems.com] > >>> Sent: Friday, October 23, 2015 2:57 PM > >>> To: Zhang, Helin > >>> Cc: Lu, Wenzhuo; dev at dpdk.org > >>> Subject: RE: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames > >>> from VFs > >>> > >>> > >>> On Oct 23, 2015 9:30 AM, "Zhang, Helin" <helin.zhang at intel.com> wrote: > >>>> > >>>> From: Vladislav Zolotarov [mailto:vladz at cloudius-systems.com] > >>>> Sent: Friday, October 23, 2015 2:24 PM > >>>> To: Zhang, Helin > >>>> Cc: Lu, Wenzhuo; dev at dpdk.org > >>>> Subject: Re: [dpdk-dev] [PATCH v4] ixgbe: Drop flow control frames > >>>> from VFs > >>>> > >>>> > >>>> On Oct 23, 2015 9:02 AM, "Zhang, Helin" <helin.zhang at intel.com> wrote: > >>>>> > >>>>>> -----Original Message----- > >>>>>> From: Lu, Wenzhuo > >>>>>> Sent: Friday, October 23, 2015 1:52 PM > >>>>>> To: dev at dpdk.org > >>>>>> Cc: Zhang, Helin; Lu, Wenzhuo > >>>>>> Subject: [PATCH v4] ixgbe: Drop flow control frames from VFs > >>>>>> > >>>>>> This patch will drop flow control frames from being transmitted from > VSIs. > >>>>>> With this patch in place a malicious VF cannot send flow control > >>>>>> or PFC packets out on the wire. > >>>> The whole idea of this (and similar i40e patches sent before) is > >>>> really > >> confusing. > >>>> If u want to disable FC feature for VFs then go and disable the > >>>> feature. Why > >> keep (not malicious) user think that he/she has enabled the feature > >> while u silently block it? > >>>> Helin: I don't think disabling FC is equal to filtering out any > >>>> pause frames. How > >> about the software application constructs a pause frame and then > >> tries to send it out? > >>> But not disabling FC for the user and silently preventing it is > >>> bogus. First, the > >> conventional user should not be affected. I think this patch (and all > >> its clones) should be extended to, first, disable the FC Tx feature > >> for the relevant devices and only then adding any anti malicious filtering. > >>> Helin: Disabling FC will disable both PF and VF FC, I don't find out > >>> where can > >> disable VF FC only. Am I wrong? > >> > >> There are flow_ctrl_get/set callbacks in eth_dev_ops which are used > >> for configuring FC. > >> I see that they are not set for either ixgbevf or i40evf, so here we > >> are all set for these. > > Helin: The behaviors rely on the hardware capability, but not the SW. > > I meant I don't think it can support disabling VF FC. Please correct me in > > case I > am wrong! > > I see. After a shallow sweep on the x540 and xl710 specs it seems that u r > right. > However I was talking about the SW interface only and since it is not enabled > for > the devices in question my whole objection is removed. > > thanks, > vlad
Vlad, thank you very much! The best way for this issue is to do that in hardware, but now we need a fix/workaround. It is really good to have the discussion with you, and clarify a lot. I think it can also remove a lot of questions from others. Thank you! Regards, Helin > > > > > > >>>>>> V2: > >>>>>> Reword the comments. > >>>>>> > >>>>>> V3: > >>>>>> Move the check of set_ethertype_anti_spoofing to the top of the > >>>>>> function, > >> to > >>>>>> avoid occupying an ethertype_filter entity without using it. > >>>>>> > >>>>>> V4: > >>>>>> Remove the useless braces and return. > >>>>>> > >>>>>> Signed-off-by: Wenzhuo Lu <wenzhuo.lu at intel.com> > >>>>> Acked-by: Helin Zhang <helin.zhang at intel.com> > >>>>>
