RE: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
-Original Message-
From: Roopa Prabhu (roprabhu)
Sent: Thursday, September 15, 2011 6:47 AM
To: Michael S. Tsirkin
Cc: Sridhar Samudrala; net...@vger.kernel.org;
dragos.tatu...@gmail.com; a...@arndb.de; David Wang (dwang2);
Christian
Benvenuti (benve); ka...@trash.net; da...@davemloft.net;
eric.duma...@gmail.com; mc...@broadcom.com; kvm@vger.kernel.org
Subject: Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address
filtering support for passthru mode
The netlink patch is still in the works. I will post the patches after
I
clean it up a bit and also accommodate or find answers to most
questions
discussed for non-passthru case. Thought I will post the netlink
interface
here to see if anyone has any early comments. I have a
rtnl_link_ops-set_rx_filter defined.
[IFLA_RX_FILTER] = {
[IFLA_ADDRESS_FILTER] = {
[IFLA_ADDRESS_FILTER_FLAGS]
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_VLAN_FILTER] = {
[IFLA_VLAN_LIST] = {
[IFLA_VLAN]
}
}
}
Some open questions:
- The VLAN filter above shows a VLAN list. It could also be a
bitmap or
the interface could provide both a bitmap and VLAN list for more
flexibility
. Like the below
[IFLA_RX_FILTER] = {
[IFLA_ADDRESS_FILTER] = {
[IFLA_ADDRESS_FILTER_FLAGS]
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_VLAN_FILTER] = {
[IFLA_VLAN_BITMAP]
[IFLA_VLAN_LIST] = {
[IFLA_VLAN]
}
}
}
The simplest interface probably is to stick to a bitmap (knowing that in
the worst
case it will take 256 bytes, but we can compress it ...), because
sending
a vlan list may end up requiring much more than that (on interfaces
configured as trunks).
This regardless of whether the most common use case is that of a server
configured
with just few vlans or that of a switch configured with few trunks.
Another option would be a list of ranges, but that one would not work
well
in those cases where trunks are configured, for example, to carry big
numbers
of odd or even vlan IDs or other groups of vlans IDs that cannot be
grouped
into ranges. Probably an acceptable compromise, if we care about the
size
of this attribute, would be:
- to use a list of IDs for less than 256 vlans (or a list of ranges)
- to use a bitmap for more than 256 vlan.
I would recommend the two attributes (IFLA_VLAN_BITMAP and
IFLA_VLAN_LIST)
to be mutually exclusive to reduce the complexity of the merging and
error/misconfig detection code.
- Do you see any advantage in keeping Unicast and multicast
address
list
separate ? Something like the below :
[IFLA_RX_FILTER] = {
[IFLA_ADDRESS_FILTER_FLAGS]
[IFLA_UC_ADDRESS_FILTER] = {
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_MC_ADDRESS_FILTER] = {
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_VLAN_FILTER] = {
[IFLA_VLAN_LIST] = {
[IFLA_VLAN]
}
}
}
I personally like the idea of grouping UC and MC addresses into two
distinct
attributes/groups.
The receiver (the kernel) would have to check them anyway (I suppose),
but
I like the idea of having the kernel being able to detect the case
where, for
example, the user configures a MC address thinking he is actually
configuring
a UC address.
Most probably the iproute2 commands used to configure/add/del UC and MC
address
will be assigned two different keywords.
BTW, once this code will be in, it will be possible for ip link show
to show
all UC/MC MAC addresses; right now ip link only shows dev-dev_addr.
This output is useful for debugging.
The output from ip maddr only shows the MC list and anyway I think the
best
place for the list of MAC addresses is ip link show.
Would ip link show also show the list of vlans?
Probably, best would be to add new flags (to ask for the extended
output) or
simply add the extra output (uc/mc/vlan lists) under the already
existent -s flag ?
- Is there any need to keep address and vlan filters separate. And
have
two rtnl_link_ops, set_rx_address_filter, set_rx_vlan_filter ?. I
don't
see
one .
[IFLA_RX_ADDRESS_FILTER] = {
[IFLA_ADDRESS_FILTER_FLAGS]
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_RX_VLAN_FILTER] = {
[IFLA_VLAN_LIST] = {
[IFLA_VLAN]
}
}
I think both approaches are good.
Anyway, given that you can have/configure nested vlans, having
IFLA_RX_VLAN_FILTER
inside IFLA_RX_FILTER would be syntactically correct too.
/Chris
Thanks,
Roopa
On 9/12/11 10:02 AM, Roopa Prabhu ropra...@cisco.com wrote:
On 9/11/11 12:03 PM, Michael S. Tsirkin m...@redhat.com wrote:
On Sun, Sep 11
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
The netlink patch is still in the works. I will post the patches after I
clean it up a bit and also accommodate or find answers to most questions
discussed for non-passthru case. Thought I will post the netlink interface
here to see if anyone has any early comments. I have a
rtnl_link_ops-set_rx_filter defined.
[IFLA_RX_FILTER] = {
[IFLA_ADDRESS_FILTER] = {
[IFLA_ADDRESS_FILTER_FLAGS]
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_VLAN_FILTER] = {
[IFLA_VLAN_LIST] = {
[IFLA_VLAN]
}
}
}
Some open questions:
- The VLAN filter above shows a VLAN list. It could also be a bitmap or
the interface could provide both a bitmap and VLAN list for more flexibility
. Like the below
[IFLA_RX_FILTER] = {
[IFLA_ADDRESS_FILTER] = {
[IFLA_ADDRESS_FILTER_FLAGS]
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_VLAN_FILTER] = {
[IFLA_VLAN_BITMAP]
[IFLA_VLAN_LIST] = {
[IFLA_VLAN]
}
}
}
- Do you see any advantage in keeping Unicast and multicast address list
separate ? Something like the below :
[IFLA_RX_FILTER] = {
[IFLA_ADDRESS_FILTER_FLAGS]
[IFLA_UC_ADDRESS_FILTER] = {
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_MC_ADDRESS_FILTER] = {
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_VLAN_FILTER] = {
[IFLA_VLAN_LIST] = {
[IFLA_VLAN]
}
}
}
- Is there any need to keep address and vlan filters separate. And have
two rtnl_link_ops, set_rx_address_filter, set_rx_vlan_filter ?. I don't see
one .
[IFLA_RX_ADDRESS_FILTER] = {
[IFLA_ADDRESS_FILTER_FLAGS]
[IFLA_ADDRESS_LIST] = {
[IFLA_ADDRESS_LIST_ENTRY]
}
}
[IFLA_RX_VLAN_FILTER] = {
[IFLA_VLAN_LIST] = {
[IFLA_VLAN]
}
}
Thanks,
Roopa
On 9/12/11 10:02 AM, Roopa Prabhu ropra...@cisco.com wrote:
On 9/11/11 12:03 PM, Michael S. Tsirkin m...@redhat.com wrote:
On Sun, Sep 11, 2011 at 06:18:01AM -0700, Roopa Prabhu wrote:
On 9/11/11 2:44 AM, Michael S. Tsirkin m...@redhat.com wrote:
Yes, but what I mean is, if the size of the single filter table
is limited, we need to decide how many addresses is
each guest allowed. If we let one guest ask for
as many as it wants, it can lock others out.
Yes true. In these cases ie when the number of unicast addresses being
registered is more than it can handle, The VF driver will put the VF in
promiscuous mode (Or at least its supposed to do. I think all drivers do
that).
Thanks,
Roopa
Right, so that works at least but likely performs worse
than a hardware filter. So we better allocate it in
some fair way, as a minimum. Maybe a way for
the admin to control that allocation is useful.
Yes I think we will have to do something like that. There is a maximum that hw
can support. Might need to consider that too. But there is no interface to get
that today. I think the virtualization case gets a little trickier. Virtio-net
allows upto 64 unicast addresses. But the lowerdev may allow only upto say 10
unicast addresses (I think intel supports 10 unicast addresses on the VF). Am
not sure if there is a good way to notify the guest of blocked addresses.
Maybe putting the lower dev in promiscuous mode could be a policy decision too
in this case.
One other thing, I had indicated that I will look up details on opening my
patch for non-passthru to enable hw filtering (without adding filtering
support in macvlan right away. Ie phase1). Turns out in current code in
macvlan_handle_frame, for non-passthru case, it does not fwd unicast pkts
destined to macs other than the ones in macvlan hash. So a filter or hash
lookup there for additional unicast addresses needs to be definitely added for
non-passthru.
Thanks,
Roopa
--
To unsubscribe from this list: send the line unsubscribe kvm in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/11/11 11:52 AM, Michael S. Tsirkin m...@redhat.com wrote: On Sun, Sep 11, 2011 at 06:18:02AM -0700, Roopa Prabhu wrote: On 9/11/11 2:38 AM, Michael S. Tsirkin m...@redhat.com wrote: On Fri, Sep 09, 2011 at 09:33:33AM -0700, Roopa Prabhu wrote: It's probably more interesting for a card without SRIOV support. If its an SRIOV card I am assuming people likely using PASSTHRU mode. Non-SRIOV cards will use any of the non-PASSTHRU mode. we will have to add filter lookup in macvlan to filter pkts for each guest. Any chance to enable hardware filters for that? NAFAIK. Am not sure how you would do it too. Its still a single device from where the host receives traffic from. Thanks, Roopa VMDQ cards might let you program mac addresses for individula rings. I tried to lookup more information on this. I dint find any concrete information. I am not sure if individual rings show up as separate netdev. Any more info on how a VMDQ nic is used with macvlan ?. I came across this http://www.linux-kvm.org/wiki/images/6/6a/KvmForum2008$kdf2008_7.pdf Thanks, Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/11/11 12:03 PM, Michael S. Tsirkin m...@redhat.com wrote: On Sun, Sep 11, 2011 at 06:18:01AM -0700, Roopa Prabhu wrote: On 9/11/11 2:44 AM, Michael S. Tsirkin m...@redhat.com wrote: Yes, but what I mean is, if the size of the single filter table is limited, we need to decide how many addresses is each guest allowed. If we let one guest ask for as many as it wants, it can lock others out. Yes true. In these cases ie when the number of unicast addresses being registered is more than it can handle, The VF driver will put the VF in promiscuous mode (Or at least its supposed to do. I think all drivers do that). Thanks, Roopa Right, so that works at least but likely performs worse than a hardware filter. So we better allocate it in some fair way, as a minimum. Maybe a way for the admin to control that allocation is useful. Yes I think we will have to do something like that. There is a maximum that hw can support. Might need to consider that too. But there is no interface to get that today. I think the virtualization case gets a little trickier. Virtio-net allows upto 64 unicast addresses. But the lowerdev may allow only upto say 10 unicast addresses (I think intel supports 10 unicast addresses on the VF). Am not sure if there is a good way to notify the guest of blocked addresses. Maybe putting the lower dev in promiscuous mode could be a policy decision too in this case. One other thing, I had indicated that I will look up details on opening my patch for non-passthru to enable hw filtering (without adding filtering support in macvlan right away. Ie phase1). Turns out in current code in macvlan_handle_frame, for non-passthru case, it does not fwd unicast pkts destined to macs other than the ones in macvlan hash. So a filter or hash lookup there for additional unicast addresses needs to be definitely added for non-passthru. Thanks, Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/11/11 9:30 PM, Sridhar Samudrala s...@us.ibm.com wrote: On 9/11/2011 6:18 AM, Roopa Prabhu wrote: On 9/11/11 2:44 AM, Michael S. Tsirkinm...@redhat.com wrote: AFAIK, though it might maintain a single filter table space in hw, hw does know which filter belongs to which VF. And the OS driver does not need to do anything special. The VF driver exposes a VF netdev. And any uc/mc addresses registered with a VF netdev are registered with the hw by the driver. And hw will filter and send only pkts that the VF has expressed interest in. No special filter partitioning in hw is required. Thanks, Roopa Yes, but what I mean is, if the size of the single filter table is limited, we need to decide how many addresses is each guest allowed. If we let one guest ask for as many as it wants, it can lock others out. Yes true. In these cases ie when the number of unicast addresses being registered is more than it can handle, The VF driver will put the VF in promiscuous mode (Or at least its supposed to do. I think all drivers do that). What does putting VF in promiscuous mode mean? How can the NIC decide which set of mac addresses are passed to the VF? Does it mean VF sees all the packets received by the NIC including packets destined for other VFs/PF? Yes I think so. After your question I looked at 2 other VF drivers and looks like they return error if num unicast addresses exceeds the number supported by hw and don't put the VF in promiscuous mode. But one could put the VF in promiscuous mode by changing IFF_FLAGS I think. The original in-kernel passthru mode code puts the VF in promiscuous mode by default. Am assuming that works well with other sriov cards you got a chance to try out with. Thanks, Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Fri, Sep 09, 2011 at 09:33:33AM -0700, Roopa Prabhu wrote: On 9/8/11 10:55 PM, Michael S. Tsirkin m...@redhat.com wrote: On Thu, Sep 08, 2011 at 07:53:11PM -0700, Roopa Prabhu wrote: Phase 1: Goal: Enable hardware filtering for all macvlan modes - In macvlan passthru mode the single guest virtio-nic connected will receive traffic that he requested for - In macvlan non-passthru mode all guest virtio-nics sharing the physical nic will see all other guest traffic but the filtering at guest virtio-nic I don't think guests currently filter anything. I was referring to Qemu-kvm virtio-net in virtion_net_receive-receive_filter. I think It only passes pkts that the guest OS is interested. It uses the filter table that I am passing to macvtap in this patch. This happens after userspace thread gets woken up and data is copied there. So relying on filtering at that level is going to be very inefficient on a system with multiple active guests. Further, and for that reason, vhost-net doesn't do filtering at all, relying on the backends to pass it correct packets. Ok thanks for the info. So in which case, phase 1 is best for PASSTHRU mode and for non-PASSTHRU when there is a single guest connected to a VF. For non-PASSTHRU multi guest sharing the same VF, Phase 1 is definitely better than putting the VF in promiscuous mode. But to address the concern you mention above, in phase 2 when we have more than one guest sharing the VF, It's probably more interesting for a card without SRIOV support. we will have to add filter lookup in macvlan to filter pkts for each guest. Any chance to enable hardware filters for that? This will need some performance tests too. Will start investigating the netlink interface comments for phase 1 first. Thanks! -Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Thu, Sep 08, 2011 at 08:00:53PM -0700, Roopa Prabhu wrote: On 9/8/11 12:33 PM, Michael S. Tsirkin m...@redhat.com wrote: On Thu, Sep 08, 2011 at 12:23:56PM -0700, Roopa Prabhu wrote: I think the main usecase for passthru mode is to assign a SR-IOV VF to a single guest. Yes and for the passthru usecase this patch should be enough to enable filtering in hw (eventually like I indicated before I need to fix vlan filtering too). So with filtering in hw, and in sriov VF case, VFs actually share a filtering table. How will that be partitioned? AFAIK, though it might maintain a single filter table space in hw, hw does know which filter belongs to which VF. And the OS driver does not need to do anything special. The VF driver exposes a VF netdev. And any uc/mc addresses registered with a VF netdev are registered with the hw by the driver. And hw will filter and send only pkts that the VF has expressed interest in. No special filter partitioning in hw is required. Thanks, Roopa Yes, but what I mean is, if the size of the single filter table is limited, we need to decide how many addresses is each guest allowed. If we let one guest ask for as many as it wants, it can lock others out. -- MST -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/11/11 2:44 AM, Michael S. Tsirkin m...@redhat.com wrote: AFAIK, though it might maintain a single filter table space in hw, hw does know which filter belongs to which VF. And the OS driver does not need to do anything special. The VF driver exposes a VF netdev. And any uc/mc addresses registered with a VF netdev are registered with the hw by the driver. And hw will filter and send only pkts that the VF has expressed interest in. No special filter partitioning in hw is required. Thanks, Roopa Yes, but what I mean is, if the size of the single filter table is limited, we need to decide how many addresses is each guest allowed. If we let one guest ask for as many as it wants, it can lock others out. Yes true. In these cases ie when the number of unicast addresses being registered is more than it can handle, The VF driver will put the VF in promiscuous mode (Or at least its supposed to do. I think all drivers do that). Thanks, Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/11/11 2:38 AM, Michael S. Tsirkin m...@redhat.com wrote: On Fri, Sep 09, 2011 at 09:33:33AM -0700, Roopa Prabhu wrote: On 9/8/11 10:55 PM, Michael S. Tsirkin m...@redhat.com wrote: On Thu, Sep 08, 2011 at 07:53:11PM -0700, Roopa Prabhu wrote: Phase 1: Goal: Enable hardware filtering for all macvlan modes - In macvlan passthru mode the single guest virtio-nic connected will receive traffic that he requested for - In macvlan non-passthru mode all guest virtio-nics sharing the physical nic will see all other guest traffic but the filtering at guest virtio-nic I don't think guests currently filter anything. I was referring to Qemu-kvm virtio-net in virtion_net_receive-receive_filter. I think It only passes pkts that the guest OS is interested. It uses the filter table that I am passing to macvtap in this patch. This happens after userspace thread gets woken up and data is copied there. So relying on filtering at that level is going to be very inefficient on a system with multiple active guests. Further, and for that reason, vhost-net doesn't do filtering at all, relying on the backends to pass it correct packets. Ok thanks for the info. So in which case, phase 1 is best for PASSTHRU mode and for non-PASSTHRU when there is a single guest connected to a VF. For non-PASSTHRU multi guest sharing the same VF, Phase 1 is definitely better than putting the VF in promiscuous mode. But to address the concern you mention above, in phase 2 when we have more than one guest sharing the VF, It's probably more interesting for a card without SRIOV support. If its an SRIOV card I am assuming people likely using PASSTHRU mode. Non-SRIOV cards will use any of the non-PASSTHRU mode. we will have to add filter lookup in macvlan to filter pkts for each guest. Any chance to enable hardware filters for that? NAFAIK. Am not sure how you would do it too. Its still a single device from where the host receives traffic from. Thanks, Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Sun, Sep 11, 2011 at 06:18:02AM -0700, Roopa Prabhu wrote: On 9/11/11 2:38 AM, Michael S. Tsirkin m...@redhat.com wrote: On Fri, Sep 09, 2011 at 09:33:33AM -0700, Roopa Prabhu wrote: On 9/8/11 10:55 PM, Michael S. Tsirkin m...@redhat.com wrote: On Thu, Sep 08, 2011 at 07:53:11PM -0700, Roopa Prabhu wrote: Phase 1: Goal: Enable hardware filtering for all macvlan modes - In macvlan passthru mode the single guest virtio-nic connected will receive traffic that he requested for - In macvlan non-passthru mode all guest virtio-nics sharing the physical nic will see all other guest traffic but the filtering at guest virtio-nic I don't think guests currently filter anything. I was referring to Qemu-kvm virtio-net in virtion_net_receive-receive_filter. I think It only passes pkts that the guest OS is interested. It uses the filter table that I am passing to macvtap in this patch. This happens after userspace thread gets woken up and data is copied there. So relying on filtering at that level is going to be very inefficient on a system with multiple active guests. Further, and for that reason, vhost-net doesn't do filtering at all, relying on the backends to pass it correct packets. Ok thanks for the info. So in which case, phase 1 is best for PASSTHRU mode and for non-PASSTHRU when there is a single guest connected to a VF. For non-PASSTHRU multi guest sharing the same VF, Phase 1 is definitely better than putting the VF in promiscuous mode. But to address the concern you mention above, in phase 2 when we have more than one guest sharing the VF, It's probably more interesting for a card without SRIOV support. If its an SRIOV card I am assuming people likely using PASSTHRU mode. Non-SRIOV cards will use any of the non-PASSTHRU mode. we will have to add filter lookup in macvlan to filter pkts for each guest. Any chance to enable hardware filters for that? NAFAIK. Am not sure how you would do it too. Its still a single device from where the host receives traffic from. Thanks, Roopa VMDQ cards might let you program mac addresses for individula rings. -- MST -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Sun, Sep 11, 2011 at 06:18:01AM -0700, Roopa Prabhu wrote: On 9/11/11 2:44 AM, Michael S. Tsirkin m...@redhat.com wrote: AFAIK, though it might maintain a single filter table space in hw, hw does know which filter belongs to which VF. And the OS driver does not need to do anything special. The VF driver exposes a VF netdev. And any uc/mc addresses registered with a VF netdev are registered with the hw by the driver. And hw will filter and send only pkts that the VF has expressed interest in. No special filter partitioning in hw is required. Thanks, Roopa Yes, but what I mean is, if the size of the single filter table is limited, we need to decide how many addresses is each guest allowed. If we let one guest ask for as many as it wants, it can lock others out. Yes true. In these cases ie when the number of unicast addresses being registered is more than it can handle, The VF driver will put the VF in promiscuous mode (Or at least its supposed to do. I think all drivers do that). Thanks, Roopa Right, so that works at least but likely performs worse than a hardware filter. So we better allocate it in some fair way, as a minimum. Maybe a way for the admin to control that allocation is useful. -- MST -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/11/2011 6:18 AM, Roopa Prabhu wrote: On 9/11/11 2:44 AM, Michael S. Tsirkinm...@redhat.com wrote: AFAIK, though it might maintain a single filter table space in hw, hw does know which filter belongs to which VF. And the OS driver does not need to do anything special. The VF driver exposes a VF netdev. And any uc/mc addresses registered with a VF netdev are registered with the hw by the driver. And hw will filter and send only pkts that the VF has expressed interest in. No special filter partitioning in hw is required. Thanks, Roopa Yes, but what I mean is, if the size of the single filter table is limited, we need to decide how many addresses is each guest allowed. If we let one guest ask for as many as it wants, it can lock others out. Yes true. In these cases ie when the number of unicast addresses being registered is more than it can handle, The VF driver will put the VF in promiscuous mode (Or at least its supposed to do. I think all drivers do that). What does putting VF in promiscuous mode mean? How can the NIC decide which set of mac addresses are passed to the VF? Does it mean VF sees all the packets received by the NIC including packets destined for other VFs/PF? Thanks Sridhar -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/8/11 9:25 PM, Sridhar Samudrala s...@us.ibm.com wrote: On 9/8/2011 8:00 PM, Roopa Prabhu wrote: On 9/8/11 12:33 PM, Michael S. Tsirkinm...@redhat.com wrote: On Thu, Sep 08, 2011 at 12:23:56PM -0700, Roopa Prabhu wrote: I think the main usecase for passthru mode is to assign a SR-IOV VF to a single guest. Yes and for the passthru usecase this patch should be enough to enable filtering in hw (eventually like I indicated before I need to fix vlan filtering too). So with filtering in hw, and in sriov VF case, VFs actually share a filtering table. How will that be partitioned? AFAIK, though it might maintain a single filter table space in hw, hw does know which filter belongs to which VF. And the OS driver does not need to do anything special. The VF driver exposes a VF netdev. And any uc/mc addresses registered with a VF netdev are registered with the hw by the driver. And hw will filter and send only pkts that the VF has expressed interest in. Does your NIC driver support adding multiple mac addresses to a VF? I have tried a few other SR-IOV NICs sometime back and they didn't support this feature. Yes our nic does. I thought Intel's also does (see ixgbevf_set_rx_mode). Though I have not really tried using it on an Intel card. I think most cards should at the least support multicast filters. If the lower dev does not support unicast filtering, dev_uc_add(lowerdev,..) puts the lower dev in promiscous mode. Though..i think I can chcek this before hand in macvlan_open and put the lowerdev in promiscuous mode if it does not support filtering. Currently, we don't have an interface to add multiple mac addresses to a netdev other than an indirect way of creating a macvlan /if on top of it. Yes I think so. I have been using only macvlan to test. Thanks, Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/8/11 10:55 PM, Michael S. Tsirkin m...@redhat.com wrote: On Thu, Sep 08, 2011 at 07:53:11PM -0700, Roopa Prabhu wrote: Phase 1: Goal: Enable hardware filtering for all macvlan modes - In macvlan passthru mode the single guest virtio-nic connected will receive traffic that he requested for - In macvlan non-passthru mode all guest virtio-nics sharing the physical nic will see all other guest traffic but the filtering at guest virtio-nic I don't think guests currently filter anything. I was referring to Qemu-kvm virtio-net in virtion_net_receive-receive_filter. I think It only passes pkts that the guest OS is interested. It uses the filter table that I am passing to macvtap in this patch. This happens after userspace thread gets woken up and data is copied there. So relying on filtering at that level is going to be very inefficient on a system with multiple active guests. Further, and for that reason, vhost-net doesn't do filtering at all, relying on the backends to pass it correct packets. Ok thanks for the info. So in which case, phase 1 is best for PASSTHRU mode and for non-PASSTHRU when there is a single guest connected to a VF. For non-PASSTHRU multi guest sharing the same VF, Phase 1 is definitely better than putting the VF in promiscuous mode. But to address the concern you mention above, in phase 2 when we have more than one guest sharing the VF, we will have to add filter lookup in macvlan to filter pkts for each guest. This will need some performance tests too. Will start investigating the netlink interface comments for phase 1 first. Thanks! -Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Wed, Sep 07, 2011 at 10:20:28PM -0700, Roopa Prabhu wrote: On 9/7/11 5:34 AM, Michael S. Tsirkin m...@redhat.com wrote: On Tue, Sep 06, 2011 at 03:35:40PM -0700, Roopa Prabhu wrote: This patch is an attempt at providing address filtering support for macvtap devices in PASSTHRU mode. Its still a work in progress. Briefly tested for basic functionality. Wanted to get some feedback on the direction before proceeding. Good work, thanks. Thanks. I have hopefully CC'ed all concerned people. kvm crowd might also be interested. Try using ./scripts/get_maintainer.pl as well. Thanks for the tip. Expanded CC list a bit more. PASSTHRU mode today sets the lowerdev in promiscous mode. In PASSTHRU mode there is a 1-1 mapping between macvtap device and physical nic or VF. And all filtering is done in lowerdev hw. The lowerdev does not need to be in promiscous mode as long as the guest filters are passed down to the lowerdev. This patch tries to remove the need for putting the lowerdev in promiscous mode. I have also referred to the thread below where TUNSETTXFILTER was mentioned in this context: http://patchwork.ozlabs.org/patch/69297/ This patch basically passes the addresses got by TUNSETTXFILTER to macvlan lowerdev. I have looked at previous work and discussions on this for qemu-kvm by Michael Tsirkin, Alex Williamson and Dragos Tatulea http://patchwork.ozlabs.org/patch/78595/ http://patchwork.ozlabs.org/patch/47160/ https://patchwork.kernel.org/patch/474481/ Redhat bugzilla by Michael Tsirkin: https://bugzilla.redhat.com/show_bug.cgi?id=655013 I used Michael's qemu-kvm patch for testing the changes with KVM I would like to cover both MAC and vlan filtering in this work. Open Questions/Issues: - There is a need for vlan filtering to complete the patch. It will require a new tap ioctl cmd for vlans. Some ideas on this are: a) TUNSETVLANFILTER: This will entail we send the whole vlan bitmap filter (similar to tun_filter for addresses). Passing the vlan id's to lower device will mean going thru the whole list of vlans every time. OR b) TUNSETVLAN with vlan id and flag to set/unset Does option 'b' sound ok ? - In this implementation we make the macvlan address list same as the address list that came in the filter with TUNSETTXFILTER. This will not cover cases where the macvlan device needs to have other addresses that are not necessarily in the filter. Is this a problem ? What cases do you have in mind? This patch targets only macvlan PASSTHRU mode and for PASSTHRU mode I don't see a problem with uc/mc address list being the same in all the stacked netdevs in the path. I called that out above to make sure I was not missing any case in PASSTHRU mode where this might be invalid. Otherwise I don't see a problem in the simple PASSTHRU use case this patch supports. - The patch currently only supports passing of IFF_PROMISC and IFF_MULTICAST filter flags to lowerdev This patch series implements the following 01/3 - macvlan: Add support for unicast filtering in macvlan 02/3 - macvlan: Add function to set addr filter on lower device in passthru mode 03/3 - macvtap: Add support for TUNSETTXFILTER Please comment. Thanks. Signed-off-by: Roopa Prabhu ropra...@cisco.com Signed-off-by: Christian Benvenuti be...@cisco.com Signed-off-by: David Wang dwa...@cisco.com The security isn't lower than with promisc, so I don't see a problem with this as such. There are more features we'll want down the road though, so let's see whether the interface will be able to satisfy them in a backwards compatible way before we set it in stone. Here's what I came up with: How will the filtering table be partitioned within guests? Since this patch supports macvlan PASSTHRU mode only, in which the lower device has 1-1 mapping to the guest nic, it does not require any partitioning of filtering table within guests. Unless I missed understanding something. If the lower device were being shared by multiple guest network interfaces (non PASSTHRU mode), only then we will need to maintain separate filter tables for each guest network interface in macvlan and forward the pkt to respective guest interface after a filter lookup. This could affect performance too I think. Not with hardware filtering support. Which is where we'd need to partition the host nic mac table between guests. I chose to support PASSTHRU Mode only at first because its simpler and all code additions are in control path only. I agree. It would be a bit silly to have a dedicated interface for passthough and a completely separate one for non passthrough. A way to limit what the guest can do would also be useful. How can this be done? selinux? I vaguely remember a thread on the same context.. had a suggestion to
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/8/11 10:42 AM, Sridhar Samudrala s...@us.ibm.com wrote: On Thu, 2011-09-08 at 09:19 -0700, Roopa Prabhu wrote: On 9/8/11 4:08 AM, Michael S. Tsirkin m...@redhat.com wrote: On Wed, Sep 07, 2011 at 10:20:28PM -0700, Roopa Prabhu wrote: On 9/7/11 5:34 AM, Michael S. Tsirkin m...@redhat.com wrote: On Tue, Sep 06, 2011 at 03:35:40PM -0700, Roopa Prabhu wrote: This patch is an attempt at providing address filtering support for macvtap devices in PASSTHRU mode. Its still a work in progress. Briefly tested for basic functionality. Wanted to get some feedback on the direction before proceeding. Good work, thanks. Thanks. I have hopefully CC'ed all concerned people. kvm crowd might also be interested. Try using ./scripts/get_maintainer.pl as well. Thanks for the tip. Expanded CC list a bit more. PASSTHRU mode today sets the lowerdev in promiscous mode. In PASSTHRU mode there is a 1-1 mapping between macvtap device and physical nic or VF. And all filtering is done in lowerdev hw. The lowerdev does not need to be in promiscous mode as long as the guest filters are passed down to the lowerdev. This patch tries to remove the need for putting the lowerdev in promiscous mode. I have also referred to the thread below where TUNSETTXFILTER was mentioned in this context: http://patchwork.ozlabs.org/patch/69297/ This patch basically passes the addresses got by TUNSETTXFILTER to macvlan lowerdev. I have looked at previous work and discussions on this for qemu-kvm by Michael Tsirkin, Alex Williamson and Dragos Tatulea http://patchwork.ozlabs.org/patch/78595/ http://patchwork.ozlabs.org/patch/47160/ https://patchwork.kernel.org/patch/474481/ Redhat bugzilla by Michael Tsirkin: https://bugzilla.redhat.com/show_bug.cgi?id=655013 I used Michael's qemu-kvm patch for testing the changes with KVM I would like to cover both MAC and vlan filtering in this work. Open Questions/Issues: - There is a need for vlan filtering to complete the patch. It will require a new tap ioctl cmd for vlans. Some ideas on this are: a) TUNSETVLANFILTER: This will entail we send the whole vlan bitmap filter (similar to tun_filter for addresses). Passing the vlan id's to lower device will mean going thru the whole list of vlans every time. OR b) TUNSETVLAN with vlan id and flag to set/unset Does option 'b' sound ok ? - In this implementation we make the macvlan address list same as the address list that came in the filter with TUNSETTXFILTER. This will not cover cases where the macvlan device needs to have other addresses that are not necessarily in the filter. Is this a problem ? What cases do you have in mind? This patch targets only macvlan PASSTHRU mode and for PASSTHRU mode I don't see a problem with uc/mc address list being the same in all the stacked netdevs in the path. I called that out above to make sure I was not missing any case in PASSTHRU mode where this might be invalid. Otherwise I don't see a problem in the simple PASSTHRU use case this patch supports. - The patch currently only supports passing of IFF_PROMISC and IFF_MULTICAST filter flags to lowerdev This patch series implements the following 01/3 - macvlan: Add support for unicast filtering in macvlan 02/3 - macvlan: Add function to set addr filter on lower device in passthru mode 03/3 - macvtap: Add support for TUNSETTXFILTER Please comment. Thanks. Signed-off-by: Roopa Prabhu ropra...@cisco.com Signed-off-by: Christian Benvenuti be...@cisco.com Signed-off-by: David Wang dwa...@cisco.com The security isn't lower than with promisc, so I don't see a problem with this as such. There are more features we'll want down the road though, so let's see whether the interface will be able to satisfy them in a backwards compatible way before we set it in stone. Here's what I came up with: How will the filtering table be partitioned within guests? Since this patch supports macvlan PASSTHRU mode only, in which the lower device has 1-1 mapping to the guest nic, it does not require any partitioning of filtering table within guests. Unless I missed understanding something. If the lower device were being shared by multiple guest network interfaces (non PASSTHRU mode), only then we will need to maintain separate filter tables for each guest network interface in macvlan and forward the pkt to respective guest interface after a filter lookup. This could affect performance too I think. Not with hardware filtering support. Which is where we'd need to partition the host nic mac table between guests. I need to understand this more. In non passthru case when a VF or physical nic is shared between guests, the nic does not really know about the guests, so I was thinking we do the same thing as we do for the passthru case (ie send all the address filters from macvlan to the physical nic). So at the hardware,
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Thu, Sep 08, 2011 at 09:19:32AM -0700, Roopa Prabhu wrote: There are more features we'll want down the road though, so let's see whether the interface will be able to satisfy them in a backwards compatible way before we set it in stone. Here's what I came up with: How will the filtering table be partitioned within guests? Since this patch supports macvlan PASSTHRU mode only, in which the lower device has 1-1 mapping to the guest nic, it does not require any partitioning of filtering table within guests. Unless I missed understanding something. If the lower device were being shared by multiple guest network interfaces (non PASSTHRU mode), only then we will need to maintain separate filter tables for each guest network interface in macvlan and forward the pkt to respective guest interface after a filter lookup. This could affect performance too I think. Not with hardware filtering support. Which is where we'd need to partition the host nic mac table between guests. I need to understand this more. In non passthru case when a VF or physical nic is shared between guests, For example, consider a VF given to each guest. Hardware supports a fixed total number of filters, which can be partitioned between VFs. the nic does not really know about the guests, so I was thinking we do the same thing as we do for the passthru case (ie send all the address filters from macvlan to the physical nic). So at the hardware, filtering is done for all guests sharing the nic. But if we want each virtio-net nic or guest to get exactly what it asked for macvlan/macvtap needs to maintain a copy of each guest filter and do a lookup and send only the requested traffic to the guest. Here is the performance hit that I was seeing. Please see my next comment for further details. It won't be any slower than attaching a non-passthrough macvlan to a device, will it? I chose to support PASSTHRU Mode only at first because its simpler and all code additions are in control path only. I agree. It would be a bit silly to have a dedicated interface for passthough and a completely separate one for non passthrough. Agree. The reason I did not focus on non-passthru case in the initial version was because I was thinking things to do in the non-passthru case will be just add-ons to the passthru case. But true Better to flush out the non-pasthru case details. After dwelling on this a bit more how about the below: Phase 1: Goal: Enable hardware filtering for all macvlan modes - In macvlan passthru mode the single guest virtio-nic connected will receive traffic that he requested for - In macvlan non-passthru mode all guest virtio-nics sharing the physical nic will see all other guest traffic but the filtering at guest virtio-nic I don't think guests currently filter anything. will make sure each guest eventually sees traffic he asked for. This is still better than putting the physical nic in promiscuous mode. (This is mainly what my patch does...but will need to remove the passthru check and see if there are any thing else needed for non-passthru case) I'm fine with sticking with passthrough, make non passthrough a separate phase. Phase 2: Goal: Enable filtering at macvlan so that each guest virtio-nic receives only what he requested for. - In this case, in addition to pushing the filters down to the physical nic we will have to maintain the same filter in macvlan and do a filter lookup before forwarding the traffic to a virtio-nic. But I am thinking phase 2 might be redundant given virtio-nic already does filtering for the guest. It does? Do you mean the filter that qemu does in userspace? In which case we might not need phase 2 at all. I might have been over complicating things. Please comment. And please correct if I missed something. A way to limit what the guest can do would also be useful. How can this be done? selinux? I vaguely remember a thread on the same context.. had a suggestion to maintain pre-approved address lists and allow guest filter registration of only those addresses for security. This seemed reasonable. Plus the ability to support additional address registration from guest could be made configurable (One of your ideas again from prior work). I am not an selinux expert, but I am thinking we can use it to only allow or disallow access or operations to the macvtap device. (?). I will check more on this. We'd have to have a way to revoke that as well. Yes true. Any thoughts on spoofing filtering? I can only think of checking addresses against an allowed address list. Don't know of any other ways. Any hints ? Hardware (esp SRIOV) often has ways to do this check, too. Yes correct. Hw sriov and even switch in 802.1Qbh has anti-spoofing feature. In which case I am thinking having It at
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/8/11 4:08 AM, Michael S. Tsirkin m...@redhat.com wrote: On Wed, Sep 07, 2011 at 10:20:28PM -0700, Roopa Prabhu wrote: On 9/7/11 5:34 AM, Michael S. Tsirkin m...@redhat.com wrote: On Tue, Sep 06, 2011 at 03:35:40PM -0700, Roopa Prabhu wrote: This patch is an attempt at providing address filtering support for macvtap devices in PASSTHRU mode. Its still a work in progress. Briefly tested for basic functionality. Wanted to get some feedback on the direction before proceeding. Good work, thanks. Thanks. I have hopefully CC'ed all concerned people. kvm crowd might also be interested. Try using ./scripts/get_maintainer.pl as well. Thanks for the tip. Expanded CC list a bit more. PASSTHRU mode today sets the lowerdev in promiscous mode. In PASSTHRU mode there is a 1-1 mapping between macvtap device and physical nic or VF. And all filtering is done in lowerdev hw. The lowerdev does not need to be in promiscous mode as long as the guest filters are passed down to the lowerdev. This patch tries to remove the need for putting the lowerdev in promiscous mode. I have also referred to the thread below where TUNSETTXFILTER was mentioned in this context: http://patchwork.ozlabs.org/patch/69297/ This patch basically passes the addresses got by TUNSETTXFILTER to macvlan lowerdev. I have looked at previous work and discussions on this for qemu-kvm by Michael Tsirkin, Alex Williamson and Dragos Tatulea http://patchwork.ozlabs.org/patch/78595/ http://patchwork.ozlabs.org/patch/47160/ https://patchwork.kernel.org/patch/474481/ Redhat bugzilla by Michael Tsirkin: https://bugzilla.redhat.com/show_bug.cgi?id=655013 I used Michael's qemu-kvm patch for testing the changes with KVM I would like to cover both MAC and vlan filtering in this work. Open Questions/Issues: - There is a need for vlan filtering to complete the patch. It will require a new tap ioctl cmd for vlans. Some ideas on this are: a) TUNSETVLANFILTER: This will entail we send the whole vlan bitmap filter (similar to tun_filter for addresses). Passing the vlan id's to lower device will mean going thru the whole list of vlans every time. OR b) TUNSETVLAN with vlan id and flag to set/unset Does option 'b' sound ok ? - In this implementation we make the macvlan address list same as the address list that came in the filter with TUNSETTXFILTER. This will not cover cases where the macvlan device needs to have other addresses that are not necessarily in the filter. Is this a problem ? What cases do you have in mind? This patch targets only macvlan PASSTHRU mode and for PASSTHRU mode I don't see a problem with uc/mc address list being the same in all the stacked netdevs in the path. I called that out above to make sure I was not missing any case in PASSTHRU mode where this might be invalid. Otherwise I don't see a problem in the simple PASSTHRU use case this patch supports. - The patch currently only supports passing of IFF_PROMISC and IFF_MULTICAST filter flags to lowerdev This patch series implements the following 01/3 - macvlan: Add support for unicast filtering in macvlan 02/3 - macvlan: Add function to set addr filter on lower device in passthru mode 03/3 - macvtap: Add support for TUNSETTXFILTER Please comment. Thanks. Signed-off-by: Roopa Prabhu ropra...@cisco.com Signed-off-by: Christian Benvenuti be...@cisco.com Signed-off-by: David Wang dwa...@cisco.com The security isn't lower than with promisc, so I don't see a problem with this as such. There are more features we'll want down the road though, so let's see whether the interface will be able to satisfy them in a backwards compatible way before we set it in stone. Here's what I came up with: How will the filtering table be partitioned within guests? Since this patch supports macvlan PASSTHRU mode only, in which the lower device has 1-1 mapping to the guest nic, it does not require any partitioning of filtering table within guests. Unless I missed understanding something. If the lower device were being shared by multiple guest network interfaces (non PASSTHRU mode), only then we will need to maintain separate filter tables for each guest network interface in macvlan and forward the pkt to respective guest interface after a filter lookup. This could affect performance too I think. Not with hardware filtering support. Which is where we'd need to partition the host nic mac table between guests. I need to understand this more. In non passthru case when a VF or physical nic is shared between guests, the nic does not really know about the guests, so I was thinking we do the same thing as we do for the passthru case (ie send all the address filters from macvlan to the physical nic). So at the hardware, filtering is done for all guests sharing the nic. But if we want each virtio-net nic or guest to get exactly what it asked for macvlan/macvtap
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Thu, Sep 08, 2011 at 12:23:56PM -0700, Roopa Prabhu wrote: I think the main usecase for passthru mode is to assign a SR-IOV VF to a single guest. Yes and for the passthru usecase this patch should be enough to enable filtering in hw (eventually like I indicated before I need to fix vlan filtering too). So with filtering in hw, and in sriov VF case, VFs actually share a filtering table. How will that be partitioned? -- MST -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Thu, 2011-09-08 at 09:19 -0700, Roopa Prabhu wrote: On 9/8/11 4:08 AM, Michael S. Tsirkin m...@redhat.com wrote: On Wed, Sep 07, 2011 at 10:20:28PM -0700, Roopa Prabhu wrote: On 9/7/11 5:34 AM, Michael S. Tsirkin m...@redhat.com wrote: On Tue, Sep 06, 2011 at 03:35:40PM -0700, Roopa Prabhu wrote: This patch is an attempt at providing address filtering support for macvtap devices in PASSTHRU mode. Its still a work in progress. Briefly tested for basic functionality. Wanted to get some feedback on the direction before proceeding. Good work, thanks. Thanks. I have hopefully CC'ed all concerned people. kvm crowd might also be interested. Try using ./scripts/get_maintainer.pl as well. Thanks for the tip. Expanded CC list a bit more. PASSTHRU mode today sets the lowerdev in promiscous mode. In PASSTHRU mode there is a 1-1 mapping between macvtap device and physical nic or VF. And all filtering is done in lowerdev hw. The lowerdev does not need to be in promiscous mode as long as the guest filters are passed down to the lowerdev. This patch tries to remove the need for putting the lowerdev in promiscous mode. I have also referred to the thread below where TUNSETTXFILTER was mentioned in this context: http://patchwork.ozlabs.org/patch/69297/ This patch basically passes the addresses got by TUNSETTXFILTER to macvlan lowerdev. I have looked at previous work and discussions on this for qemu-kvm by Michael Tsirkin, Alex Williamson and Dragos Tatulea http://patchwork.ozlabs.org/patch/78595/ http://patchwork.ozlabs.org/patch/47160/ https://patchwork.kernel.org/patch/474481/ Redhat bugzilla by Michael Tsirkin: https://bugzilla.redhat.com/show_bug.cgi?id=655013 I used Michael's qemu-kvm patch for testing the changes with KVM I would like to cover both MAC and vlan filtering in this work. Open Questions/Issues: - There is a need for vlan filtering to complete the patch. It will require a new tap ioctl cmd for vlans. Some ideas on this are: a) TUNSETVLANFILTER: This will entail we send the whole vlan bitmap filter (similar to tun_filter for addresses). Passing the vlan id's to lower device will mean going thru the whole list of vlans every time. OR b) TUNSETVLAN with vlan id and flag to set/unset Does option 'b' sound ok ? - In this implementation we make the macvlan address list same as the address list that came in the filter with TUNSETTXFILTER. This will not cover cases where the macvlan device needs to have other addresses that are not necessarily in the filter. Is this a problem ? What cases do you have in mind? This patch targets only macvlan PASSTHRU mode and for PASSTHRU mode I don't see a problem with uc/mc address list being the same in all the stacked netdevs in the path. I called that out above to make sure I was not missing any case in PASSTHRU mode where this might be invalid. Otherwise I don't see a problem in the simple PASSTHRU use case this patch supports. - The patch currently only supports passing of IFF_PROMISC and IFF_MULTICAST filter flags to lowerdev This patch series implements the following 01/3 - macvlan: Add support for unicast filtering in macvlan 02/3 - macvlan: Add function to set addr filter on lower device in passthru mode 03/3 - macvtap: Add support for TUNSETTXFILTER Please comment. Thanks. Signed-off-by: Roopa Prabhu ropra...@cisco.com Signed-off-by: Christian Benvenuti be...@cisco.com Signed-off-by: David Wang dwa...@cisco.com The security isn't lower than with promisc, so I don't see a problem with this as such. There are more features we'll want down the road though, so let's see whether the interface will be able to satisfy them in a backwards compatible way before we set it in stone. Here's what I came up with: How will the filtering table be partitioned within guests? Since this patch supports macvlan PASSTHRU mode only, in which the lower device has 1-1 mapping to the guest nic, it does not require any partitioning of filtering table within guests. Unless I missed understanding something. If the lower device were being shared by multiple guest network interfaces (non PASSTHRU mode), only then we will need to maintain separate filter tables for each guest network interface in macvlan and forward the pkt to respective guest interface after a filter lookup. This could affect performance too I think. Not with hardware filtering support. Which is where we'd need to partition the host nic mac table between guests. I need to understand this more. In non passthru case when a VF or physical nic is shared between guests, the nic does not really know about the guests, so I was thinking we do the same thing as we do for the passthru case (ie send all the
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/8/11 12:11 PM, Michael S. Tsirkin m...@redhat.com wrote: On Thu, Sep 08, 2011 at 09:19:32AM -0700, Roopa Prabhu wrote: There are more features we'll want down the road though, so let's see whether the interface will be able to satisfy them in a backwards compatible way before we set it in stone. Here's what I came up with: How will the filtering table be partitioned within guests? Since this patch supports macvlan PASSTHRU mode only, in which the lower device has 1-1 mapping to the guest nic, it does not require any partitioning of filtering table within guests. Unless I missed understanding something. If the lower device were being shared by multiple guest network interfaces (non PASSTHRU mode), only then we will need to maintain separate filter tables for each guest network interface in macvlan and forward the pkt to respective guest interface after a filter lookup. This could affect performance too I think. Not with hardware filtering support. Which is where we'd need to partition the host nic mac table between guests. I need to understand this more. In non passthru case when a VF or physical nic is shared between guests, For example, consider a VF given to each guest. Hardware supports a fixed total number of filters, which can be partitioned between VFs. O ok. But hw maintains VF filters separately for every VF as far as I know. Filters received on a VF are programmed for that VF only. Am assuming all hardware do this. Atleast our hardware does this. What I was referring to was a single VF shared between guests using macvtap (could be bridge mode for example). All guests sharing the VF will register filters with the VF via macvlan. Hw makes sure what ever the VF asked for is received at the VF. VF in hw does not know that it is shared by guests. Only at macvlan we might need to re-filter the pkts received on the VF and steer pkts to the individual guests based on what they asked for. the nic does not really know about the guests, so I was thinking we do the same thing as we do for the passthru case (ie send all the address filters from macvlan to the physical nic). So at the hardware, filtering is done for all guests sharing the nic. But if we want each virtio-net nic or guest to get exactly what it asked for macvlan/macvtap needs to maintain a copy of each guest filter and do a lookup and send only the requested traffic to the guest. Here is the performance hit that I was seeing. Please see my next comment for further details. It won't be any slower than attaching a non-passthrough macvlan to a device, will it? Am not sure. The filter lookup in macvlan is the one I am concerned about. Will need to try it out. I chose to support PASSTHRU Mode only at first because its simpler and all code additions are in control path only. I agree. It would be a bit silly to have a dedicated interface for passthough and a completely separate one for non passthrough. Agree. The reason I did not focus on non-passthru case in the initial version was because I was thinking things to do in the non-passthru case will be just add-ons to the passthru case. But true Better to flush out the non-pasthru case details. After dwelling on this a bit more how about the below: Phase 1: Goal: Enable hardware filtering for all macvlan modes - In macvlan passthru mode the single guest virtio-nic connected will receive traffic that he requested for - In macvlan non-passthru mode all guest virtio-nics sharing the physical nic will see all other guest traffic but the filtering at guest virtio-nic I don't think guests currently filter anything. I was referring to Qemu-kvm virtio-net in virtion_net_receive-receive_filter. I think It only passes pkts that the guest OS is interested. It uses the filter table that I am passing to macvtap in this patch. will make sure each guest eventually sees traffic he asked for. This is still better than putting the physical nic in promiscuous mode. (This is mainly what my patch does...but will need to remove the passthru check and see if there are any thing else needed for non-passthru case) I'm fine with sticking with passthrough, make non passthrough a separate phase. Ok. Phase 2: Goal: Enable filtering at macvlan so that each guest virtio-nic receives only what he requested for. - In this case, in addition to pushing the filters down to the physical nic we will have to maintain the same filter in macvlan and do a filter lookup before forwarding the traffic to a virtio-nic. But I am thinking phase 2 might be redundant given virtio-nic already does filtering for the guest. It does? Do you mean the filter that qemu does in userspace? Yes I meant the filter that qemu does in userspace qemu-kvm/hw/virtio-net.c receive_filter(). In which case we might not need phase 2 at all. I might have been over complicating things.
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/8/2011 8:00 PM, Roopa Prabhu wrote: On 9/8/11 12:33 PM, Michael S. Tsirkinm...@redhat.com wrote: On Thu, Sep 08, 2011 at 12:23:56PM -0700, Roopa Prabhu wrote: I think the main usecase for passthru mode is to assign a SR-IOV VF to a single guest. Yes and for the passthru usecase this patch should be enough to enable filtering in hw (eventually like I indicated before I need to fix vlan filtering too). So with filtering in hw, and in sriov VF case, VFs actually share a filtering table. How will that be partitioned? AFAIK, though it might maintain a single filter table space in hw, hw does know which filter belongs to which VF. And the OS driver does not need to do anything special. The VF driver exposes a VF netdev. And any uc/mc addresses registered with a VF netdev are registered with the hw by the driver. And hw will filter and send only pkts that the VF has expressed interest in. Does your NIC driver support adding multiple mac addresses to a VF? I have tried a few other SR-IOV NICs sometime back and they didn't support this feature. Currently, we don't have an interface to add multiple mac addresses to a netdev other than an indirect way of creating a macvlan /if on top of it. Thanks Sridhar No special filter partitioning in hw is required. Thanks, Roopa -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On Thu, Sep 08, 2011 at 07:53:11PM -0700, Roopa Prabhu wrote: Phase 1: Goal: Enable hardware filtering for all macvlan modes - In macvlan passthru mode the single guest virtio-nic connected will receive traffic that he requested for - In macvlan non-passthru mode all guest virtio-nics sharing the physical nic will see all other guest traffic but the filtering at guest virtio-nic I don't think guests currently filter anything. I was referring to Qemu-kvm virtio-net in virtion_net_receive-receive_filter. I think It only passes pkts that the guest OS is interested. It uses the filter table that I am passing to macvtap in this patch. This happens after userspace thread gets woken up and data is copied there. So relying on filtering at that level is going to be very inefficient on a system with multiple active guests. Further, and for that reason, vhost-net doesn't do filtering at all, relying on the backends to pass it correct packets. -- MST -- To unsubscribe from this list: send the line unsubscribe kvm in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [net-next-2.6 PATCH 0/3 RFC] macvlan: MAC Address filtering support for passthru mode
On 9/7/11 5:34 AM, Michael S. Tsirkin m...@redhat.com wrote: On Tue, Sep 06, 2011 at 03:35:40PM -0700, Roopa Prabhu wrote: This patch is an attempt at providing address filtering support for macvtap devices in PASSTHRU mode. Its still a work in progress. Briefly tested for basic functionality. Wanted to get some feedback on the direction before proceeding. Good work, thanks. Thanks. I have hopefully CC'ed all concerned people. kvm crowd might also be interested. Try using ./scripts/get_maintainer.pl as well. Thanks for the tip. Expanded CC list a bit more. PASSTHRU mode today sets the lowerdev in promiscous mode. In PASSTHRU mode there is a 1-1 mapping between macvtap device and physical nic or VF. And all filtering is done in lowerdev hw. The lowerdev does not need to be in promiscous mode as long as the guest filters are passed down to the lowerdev. This patch tries to remove the need for putting the lowerdev in promiscous mode. I have also referred to the thread below where TUNSETTXFILTER was mentioned in this context: http://patchwork.ozlabs.org/patch/69297/ This patch basically passes the addresses got by TUNSETTXFILTER to macvlan lowerdev. I have looked at previous work and discussions on this for qemu-kvm by Michael Tsirkin, Alex Williamson and Dragos Tatulea http://patchwork.ozlabs.org/patch/78595/ http://patchwork.ozlabs.org/patch/47160/ https://patchwork.kernel.org/patch/474481/ Redhat bugzilla by Michael Tsirkin: https://bugzilla.redhat.com/show_bug.cgi?id=655013 I used Michael's qemu-kvm patch for testing the changes with KVM I would like to cover both MAC and vlan filtering in this work. Open Questions/Issues: - There is a need for vlan filtering to complete the patch. It will require a new tap ioctl cmd for vlans. Some ideas on this are: a) TUNSETVLANFILTER: This will entail we send the whole vlan bitmap filter (similar to tun_filter for addresses). Passing the vlan id's to lower device will mean going thru the whole list of vlans every time. OR b) TUNSETVLAN with vlan id and flag to set/unset Does option 'b' sound ok ? - In this implementation we make the macvlan address list same as the address list that came in the filter with TUNSETTXFILTER. This will not cover cases where the macvlan device needs to have other addresses that are not necessarily in the filter. Is this a problem ? What cases do you have in mind? This patch targets only macvlan PASSTHRU mode and for PASSTHRU mode I don't see a problem with uc/mc address list being the same in all the stacked netdevs in the path. I called that out above to make sure I was not missing any case in PASSTHRU mode where this might be invalid. Otherwise I don't see a problem in the simple PASSTHRU use case this patch supports. - The patch currently only supports passing of IFF_PROMISC and IFF_MULTICAST filter flags to lowerdev This patch series implements the following 01/3 - macvlan: Add support for unicast filtering in macvlan 02/3 - macvlan: Add function to set addr filter on lower device in passthru mode 03/3 - macvtap: Add support for TUNSETTXFILTER Please comment. Thanks. Signed-off-by: Roopa Prabhu ropra...@cisco.com Signed-off-by: Christian Benvenuti be...@cisco.com Signed-off-by: David Wang dwa...@cisco.com The security isn't lower than with promisc, so I don't see a problem with this as such. There are more features we'll want down the road though, so let's see whether the interface will be able to satisfy them in a backwards compatible way before we set it in stone. Here's what I came up with: How will the filtering table be partitioned within guests? Since this patch supports macvlan PASSTHRU mode only, in which the lower device has 1-1 mapping to the guest nic, it does not require any partitioning of filtering table within guests. Unless I missed understanding something. If the lower device were being shared by multiple guest network interfaces (non PASSTHRU mode), only then we will need to maintain separate filter tables for each guest network interface in macvlan and forward the pkt to respective guest interface after a filter lookup. This could affect performance too I think. I chose to support PASSTHRU Mode only at first because its simpler and all code additions are in control path only. A way to limit what the guest can do would also be useful. How can this be done? selinux? I vaguely remember a thread on the same context.. had a suggestion to maintain pre-approved address lists and allow guest filter registration of only those addresses for security. This seemed reasonable. Plus the ability to support additional address registration from guest could be made configurable (One of your ideas again from prior work). I am not an selinux expert, but I am thinking we can use it to only allow or disallow access or operations to the macvtap device. (?). I will check more on this. Any
