On 9/18/20 2:20 AM, Jiri Pirko wrote:
Thu, Sep 17, 2020 at 10:31:10PM CEST, tlfal...@linux.ibm.com wrote:
On 9/10/20 2:00 AM, Jiri Pirko wrote:
Tue, Sep 08, 2020 at 08:27:13PM CEST, tlfal...@linux.ibm.com wrote:
On 9/4/20 5:37 PM, Jakub Kicinski wrote:
On Fri, 4 Sep 2020 10:31:41 +0200 Jiri Pirko wrote:
Thu, Sep 03, 2020 at 07:59:45PM CEST, tlfal...@linux.ibm.com wrote:
Hello, I am trying to expose MAC/VLAN ACL and pvid settings for IBM
VNIC devices to administrators through devlink (originally through
sysfs files, but that was rejected in favor of devlink). Could you
give any tips on how you might go about doing this?
Tom, I believe you need to provide more info about what exactly you
need to set up. But from what you wrote, it seems like you are looking
for bridge/tc offload. The infra is already in place and drivers are
implementing it. See mlxsw for example.
I think Tom's use case is effectively exposing the VF which VLANs
and what MAC addrs it can use. Plus its pvid. See:
https://www.spinics.net/lists/netdev/msg679750.html
Thanks, Jakub,
Right now, the use-case is to expose the allowed VLANs and MAC addresses and
the VF's PVID. Other use-cases may be explored later on though.
Who is configuring those?
What does "allowed MAC address" mean? Does it mean a MAC address that VF
can use to send packets as a source MAC?
What does "allowed VLAN" mean? VF is sending vlan tagged frames and only
some VIDs are allowed.
Pardon my ignorance, this may be routine in the nic world. However I
find the desc very vague. Please explain in detail, then we can try to
find fitting solution.
Thanks!
These MAC or VLAN ACL settings are configured on the Power Hypervisor.
The rules for a VF can be to allow or deny all MAC addresses or VLAN IDs or
to allow a specified list of MAC addresses and VLAN IDs. The interface allows
or denies frames based on whether the ID in the VLAN tag or the source MAC
address is included in the list of allowed VLAN IDs or MAC addresses
specified during creation of the VF.
At which point are you doing this ACL? Sounds to me, like this is the
job of "a switch" which connects VFs and physical port. Then, you just
need to configure this switch to pass/drop packets according to match.
And that is what is already implemented with TC-flower/u32 + actions
and bridge offload.
Yes, the filtering is done on a virtual switch in Power firmware. I
am really just trying to report the ACL lists configured at the
firmware level to users on the guest OS.
Tom
Thanks for your help,
Tom