On Tue, Aug 8, 2023 at 4:09 PM Xuan Zhuo <[email protected]> wrote:
>
> ## Background
>
> For cloud, the ip restriction is important. Because the user of the vm is
> untrustworthy. One user may use the ip of another to config the netdevice to
> receive and send packets. So we need to restrict the ip traffic of the
> device (or port).
>
> ## Implement
> Now we have these choices:
>
> 1. introduce the switch (as the part of the pf or as a separate device under all PF
> and VFs), the switch supports rx/tx filter
> 2. the virtio-net device supports the ip restriction
I think they are not contradictory, we can have both.

I'd suggest starting from 2 as it's simple without new dependencies.

One question though, besides ip restriction, how did you implement the
trust and spoof checking?

Thanks

>
> > Parav wrote:
> > I understood that you for some reason do not need restrictions for the PF.
> > I do not know why you don't need it. :)
> > Most cloud setups that I came across so far need it, but ok...
>
> PF is used by the administrator, so the ip restriction for the PF is
> not important. But we can have this feature.
>
> > The design for the switch object needs to cover the PF as well, even though
> > it may not be done initially.
> > (hint: an abstraction of switch port to be done, instead of doing things
> > directly on the group member id).
> >
> > We are seeing the use cases of having the switch located on the PF for its
> > VFs reducing.
>
> So for you, we should introduce a switching PF?
>
> > So please reconsider.
> > I remember you mentioned in the past in another thread that mac etc. is
> > controlled from the infrastructure side.
>
> YES.
>
> > So, I repeatedly ask if you _really_ need to have the switch object as part
> > of the owner PF or not.
>
> For me, those are all ok.
> Could you explain the difference between these?
> So I would like to know which one is better and which one is simpler?
>
> > Which sort of contradicts with locating the administrative switch on the
> > owner PF.
>
> Why?
>
> For us, all is on the DPU.
>
> >
> > If it does, the flow filters vq that is being worked on with Heng, Satananda, David
> > and others seems the right direction to implement a simple->complex switch object
> > progressively.
>
> Great!!
>
> > Thanks.
>
> This publicly archived list offers a means to provide input to the
> OASIS Virtual I/O Device (VIRTIO) TC.
>
> In order to verify user consent to the Feedback License terms and
> to minimize spam in the list archive, subscription is required
> before posting.
>
> Subscribe: [email protected]
> Unsubscribe: [email protected]
> List help: [email protected]
> List archive: https://lists.oasis-open.org/archives/virtio-comment/
> Feedback License: https://www.oasis-open.org/who/ipr/feedback_license.pdf
> List Guidelines: https://www.oasis-open.org/policies-guidelines/mailing-lists
> Committee: https://www.oasis-open.org/committees/virtio/
> Join OASIS: https://www.oasis-open.org/join/
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
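As an added illustration (not code from this thread or from the virtio spec), a Python model of the per-port ip restriction discussed above: each PF/VF port carries the IPs the infrastructure bound to it, the tx filter drops spoofed sources and the rx filter drops traffic for addresses the port does not own, so a tenant that configures a neighbour's address can neither send nor receive with it. The port names, addresses and the `trusted` flag for the admin PF are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Port:
    """One PF/VF port: the IPs the infrastructure bound to it, plus drop counters."""
    name: str
    allowed: list                      # ip_network objects assigned to this port
    trusted: bool = False              # admin PF in the thread: not filtered
    drops: dict = field(default_factory=lambda: {"tx_spoof": 0, "rx_unbound": 0})

    def bound(self, addr: str) -> bool:
        a = ip_address(addr)
        return any(a in net for net in self.allowed)

    def tx_allowed(self, src: str) -> bool:
        """Egress filter: a source address not bound to the port is spoofed."""
        if self.trusted or self.bound(src):
            return True
        self.drops["tx_spoof"] += 1
        return False

    def rx_allowed(self, dst: str) -> bool:
        """Ingress filter: only traffic for the port's own IPs is delivered."""
        if self.trusted or self.bound(dst):
            return True
        self.drops["rx_unbound"] += 1
        return False


def make_port(name: str, cidrs, trusted: bool = False) -> Port:
    return Port(name, [ip_network(c) for c in cidrs], trusted)


def forward(ports: dict, ingress: str, src: str, dst: str) -> list:
    """Switch/device model: the ingress port applies its tx filter, then the
    packet is flooded to every other port, each applying its rx filter.
    Returns the names of the ports that actually receive the packet."""
    if not ports[ingress].tx_allowed(src):
        return []
    return [p.name for p in ports.values()
            if p.name != ingress and p.rx_allowed(dst)]


def example_ports() -> dict:
    """Constructed sample: two tenant VFs with one /32 each and an admin PF."""
    return {p.name: p for p in (
        make_port("vf0", ["10.0.0.2/32"]),
        make_port("vf1", ["10.0.0.3/32"]),
        make_port("pf", [], trusted=True),
    )}
```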
