Julian,

We have had some long discussions here about the security issues involved in allowing promiscuous mode to be enabled in both our PF and VF drivers. The risks are considered high, and that is the reason why we didn't enable it or even have the capability to do so. Alex added the compile time option on the igb driver to enable it but that was part of a science experiment that was never disabled afterward. Our ixgbe driver does do this. So as you have seen our VF driver also doesn't enable it. So while this is fine for you to do in your driver it's not for the upstream versions of the driver. We may also be disabling it in our igb driver as we don't really want it there either. The multicast address mechanism that you are calling out came from having to overcome a limitation of filter addresses in the HW.

So the long story short is that we will be considering adding support for this due to the security risks that this would enable. I hope you can see the issues involved for us.

Thanks.

Cheers,
John

> -----Original Message-----
> From: Julian Stecklina [mailto:[email protected]]
> Sent: Thursday, August 05, 2010 11:44 AM
> To: [email protected]
> Subject: Re: [E1000-devel] igbvf doesn't support promiscuous mode?
>
> Alexander Duyck <[email protected]> writes:
>
> > Your patch didn't come through, but I'm not too worried since what you
> > mention already exists in our standalone igb driver on e1000.sf.net.
> > You should find that there is an option to enable the feature you are
> > asking for by doing a "make CFLAGS_EXTRA=-DIGB_ENABLE_VF_PROMISC" to
> > build with the PF support necessary.
>
> I've found it. Thanks!
>
> Is there any reason not to merge the igbvf-part of promiscuous mode
> support upstream? It won't do harm and allows the PF driver (which does
> not need to be the stock Linux PF driver) to make the final decision. In
> short: It would make our lives a bit easier here[1]. ;)
>
> Just curious: Why does the PF driver in 2.6.35 handle multicast
> promiscuous mode? Is someone using it?
>
> > We never enabled this feature primarily due to security issues. The
> > first being that a VF being able to enable promisc is undesirable in a
> > virtualized environment. The second being that any interfaces that
> > don't use exact unicast filters will have their traffic also sent out
> > on the network port in the case of VF to VF/PF communication.
>
> I didn't think of the second issue, but you're obviously right. This
> shouldn't be a problem for us, since we enforce exact filtering for VFs
> that aren't promiscuous.
>
> [1] http://hypervisor.org/ (new release coming soonish)
>
> Regards
> --
> Julian Stecklina | Operating Systems Group @ TU Dresden | +49 (351) 463-42133
>
> _______________________________________________
> E1000-devel mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/e1000-devel
> To learn more about Intel® Ethernet, visit http://communities.intel.com/community/wired
