From: Hiroshi Shimamoto
> My concern is what the real issue is that VF multicast promiscuous mode can
> cause.
> I think there are 4k entries to filter multicast addresses, and the current
> ixgbe/ixgbevf can turn all bits on from the VM. That is almost the same as
> enabling multicast promiscuous mode.
> I mean that we can receive all multicast addresses by an onerous operation in
> an untrusted VM.
> I think we should clarify what the real security issue is in this context.
If you are worried about passing un-enabled multicasts to users, then
what about doing a software hash of received multicasts and checking
against an actual list of multicasts enabled for that hash entry?
Under normal conditions there is likely to be only a single address to check.
It may (or may not) be best to use the same hash as any hashing hardware
filter uses.
David
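
The software check suggested in the reply above, as an added sketch in C (not code from this thread or from ixgbe/ixgbevf): each of the 4k hash entries keeps the exact addresses that were enabled, and a received frame is accepted only on an exact match within its bucket. The function names, the 12-bit hash and the per-bucket cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define MC_BUCKETS    4096  /* one bucket per bit of the 4k-entry hash filter */
#define MC_PER_BUCKET 4     /* assumption: small fixed cap per bucket */
struct mc_bucket { uint8_t n; uint8_t addr[MC_PER_BUCKET][6]; };
struct mc_filter { struct mc_bucket b[MC_BUCKETS]; };

/* Assumed 12-bit hash; ideally the same one the hardware filter uses. */
static unsigned mc_hash(const uint8_t a[6])
{
    return ((a[4] >> 4) | ((unsigned)a[5] << 4)) & (MC_BUCKETS - 1);
}

/* Receive path: exact match within the bucket the destination hashes to. */
int mc_accept(const struct mc_filter *f, const uint8_t dst[6])
{
    const struct mc_bucket *b = &f->b[mc_hash(dst)];
    for (unsigned i = 0; i < b->n; i++)
        if (memcmp(b->addr[i], dst, 6) == 0)
            return 1;
    return 0;
}

/* Record an address the guest enabled; 0 on success, -1 if refused. */
int mc_enable(struct mc_filter *f, const uint8_t a[6])
{
    struct mc_bucket *b = &f->b[mc_hash(a)];
    if (mc_accept(f, a))
        return 0;                    /* already enabled */
    if (!(a[0] & 1) || b->n == MC_PER_BUCKET)
        return -1;                   /* not multicast, or bucket full */
    memcpy(b->addr[b->n++], a, 6);
    return 0;
}

/* Constructed sample: two multicast addresses that share a hash bucket. */
const uint8_t MC_ENABLED[6]  = {0x01, 0x00, 0x5e, 0x00, 0x00, 0xfb};
const uint8_t MC_COLLIDES[6] = {0x01, 0x00, 0x5e, 0x01, 0x00, 0xfb};

/* Returns 1 if the enabled address passes and its bucket-mate is dropped. */
int mc_demo(void)
{
    static struct mc_filter f;       /* zero-initialised, all buckets empty */
    mc_enable(&f, MC_ENABLED);
    return mc_hash(MC_ENABLED) == mc_hash(MC_COLLIDES) &&
           mc_accept(&f, MC_ENABLED) && !mc_accept(&f, MC_COLLIDES);
}

int main(void) { return mc_demo() ? 0 : 1; }
```

A hash-only filter would pass both sample addresses because they land in the same entry; the exact-match step drops the one that was never enabled.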