> On Fri, 2015-03-06 at 06:04 +0000, Hiroshi Shimamoto wrote:
> > > From: Hiroshi Shimamoto <h-shimam...@ct.jp.nec.com>
> > >
> > > Disable hardware VLAN filtering if netdev->features VLAN flag is dropped.
> > >
> > > In SR-IOV case, there is a use case which needs to disable VLAN filter.
> > > For example, we need to make a network function with VF in virtualized
> > > environment. That network function may be a software switch, a router,
> > > etc. It means that that network function will be an end point which
> > > terminates many VLANs.
> > >
> > > In the current implementation, VLAN filtering is always turned on and
> > > VF can receive only 63 VLANs. It means that only 63 VLANs can be terminated
> > > in one NIC.
> > >
> > > With this patch, if the user turns VLAN filtering off on the host, VF
> > > can receive every VLAN packet.
> > >
> > > This VLAN filtering can be turned on or off when SR-IOV is disabled; if not,
> > > the operation is rejected.
> >
> > Hi,
> >
> > any comment about this?
> > I added a warning message and prevented the operation while SR-IOV is enabled.
>
> Yes, the warning message you added says nothing of the huge security
> hole this exposes. We need a message that correctly expresses the
> dangers in turning this off.

hm okay.
Do you mean I should add a message like "this causes SECURITY issue", right?

>
> Also it does not appear that you addressed Ben Hutchings' concerns, as I
> asked. Correct me if I am wrong and you did address Ben's concerns.

I think Ben's suggestion is to prevent turning VLAN filtering back on while
VFs are in use, because that breaks the guest's behavior.
I added the code that makes it impossible.
We cannot turn it on (or off) if the NIC has VFs.

thanks,
Hiroshi