Re: ixl(4) bhyve(8) SR-IOV with Transparent VLAN associated w/ VF's

2024-04-19 Thread Paul Procacci
On Wed, Apr 17, 2024 at 10:04 PM Lexi Winter wrote:

> Paul Procacci:
> > I'm assigning VF's to bhyve with pci passthru.
> [...]
> > Given this, I figured the best option would be to set the VLAN on the VF on
> > the host prior to handing it off to the bhyve instance effectively enabling
> > transparent vlans.
> [...]
> > Has anyone done this?  Does anyone have any pointers to accomplish this?
>
> i looked into this a while ago and concluded that it's not supported, at
> least on Intel cards.
>
> my recollection is that someone was working on this at one point, but
> never finished it -- unfortunately, i can't remember who that was...
>
> you may be able to work around this by running vlan(4) on the VF on the
> host instead of passing the interface to the guest, but then you lose
> most of the benefits of using SR-IOV to begin with.  i have run into
> some odd bugs with both SR-IOV and vlan(4) on ixgbe cards and would
> definitely recommend testing that thoroughly before deploying it.
>

That's a real bummer.   You'd think this would be kinda a thing considering
the security implications.

Welp, Thanks for writing back Lexi!

~Paul

-- 
__

:(){ :|:& };:


ixl(4) bhyve(8) SR-IOV with Transparent VLAN associated w/ VF's

2024-04-17 Thread Paul Procacci
Hey all,

Strange one here.  Not much on the internet that I could find.

I'm assigning VF's to bhyve with pci passthru.
Doing this allows the bhyve instance maintainer to set their own vlan and
I'd like that not to be the case for various reasons.  One being I don't
need/want their traffic to potentially hit/sniff other traffic on any other
vlan than the one assigned to them.

Given this, I figured the best option would be to set the VLAN on the VF on
the host prior to handing it off to the bhyve instance effectively enabling
transparent vlans.

Unless I'm misreading ixl(4), which is a real possibility, it supports 'VLAN
tag insertion/extraction'.

Has anyone done this?  Does anyone have any pointers to accomplish this?

Thanks,
Paul

-- 
__

:(){ :|:& };: