Sorry, typo in the message. Should be:

So the long story short is that we will _not_ be considering adding support for this due to the security risks that this would enable. I hope you can see the issues involved for us.

Cheers,
John

> -----Original Message-----
> From: Ronciak, John [mailto:[email protected]]
> Sent: Thursday, August 05, 2010 2:56 PM
> To: Julian Stecklina; [email protected]
> Subject: Re: [E1000-devel] igbvf doesn't support promiscuous mode?
>
> Julian,
>
> We have had some long discussions here about the security issues
> involved in allowing promiscuous mode to be enabled in both our PF and
> VF drivers. The risks are considered high and are the reason why we
> didn't enable or even have the capability to do so. Alex added the
> compile time option on the igb driver to enable it but that was part of
> a science experiment that was never disabled afterward. Our ixgbe
> driver does do this. So as you have seen our VF driver also doesn't
> enable it. So while this is fine for you to do in your driver it's not
> for the upstream versions of the driver. We may also be disabling it
> in our igb driver as we don't really want it there either. The
> multicast address mechanism that you are calling out came from having
> to overcome a limitation of filter addresses in the HW.
>
> So the long story short is that we will be considering adding support
> for this due to the security risks that this would enable. I hope you
> can see the issues involved for us.
>
> Thanks.
>
> Cheers,
> John
>
> > -----Original Message-----
> > From: Julian Stecklina [mailto:[email protected]]
> > Sent: Thursday, August 05, 2010 11:44 AM
> > To: [email protected]
> > Subject: Re: [E1000-devel] igbvf doesn't support promiscuous mode?
> >
> > Alexander Duyck <[email protected]> writes:
> >
> > > Your patch didn't come through, but I'm not too worried since what
> > > you mention already exists in our standalone igb driver on
> > > e1000.sf.net. You should find that there is an option to enable the
> > > feature you are asking for by doing a
> > > "make CFLAGS_EXTRA=-DIGB_ENABLE_VF_PROMISC" to build with the PF
> > > support necessary.
> >
> > I've found it. Thanks!
> >
> > Is there any reason not to merge the igbvf-part of promiscuous mode
> > support upstream? It won't do harm and allows the PF driver (which
> > does not need to be the stock Linux PF driver) to make the final
> > decision. In short: It would make our lives a bit easier here[1]. ;)
> >
> > Just curious: Why does the PF driver in 2.6.35 handle multicast
> > promiscuous mode? Is someone using it?
> >
> > > We never enabled this feature primarily due to security issues. The
> > > first being that a VF being able to enable promisc is undesirable in
> > > a virtualized environment. The second being that any interfaces that
> > > don't use exact unicast filters will have their traffic also sent
> > > out on the network port in the case of VF to VF/PF communication.
> >
> > I didn't think of the second issue, but you're obviously right. This
> > shouldn't be a problem for us, since we enforce exact filtering for
> > VFs that aren't promiscuous.
> >
> > [1] http://hypervisor.org/ (new release coming soonish)
> >
> > Regards
> > --
> > Julian Stecklina | Operating Systems Group @ TU Dresden | +49 (351) 463-42133

_______________________________________________
E1000-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/e1000-devel
To learn more about Intel® Ethernet, visit http://communities.intel.com/community/wired
