- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey All,
I have a VM runs on Cisco server that runs KVM with SR-IOV enabled.
4 VFs are attached to this VM and spoof check is off on all of them.
I still get 'spoofed packets detected' warning all the time
"ixgbe 0000::0c:00.0 eth17: 2 Spoofed packets detected"
I read online that spoof detection is enabled by default (on compilation) on ixgbe driver when SR-IOV is active.
Any idea how to overcome this issue?
If any more information needed please let me know.
Thanks,
Shaham
Link Copied
- « Previous
-
- 1
- 2
- Next »
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sandy,
I finally got the functionality working as what I wanted. I did the following:
1. I did not set any VLAN tag to VF.
2. Turned OFF spoofing using ip link command.
With above two steps, I was able to send VLAN packets from my application on VM. However, receiving VLAN packets in my VM/application on VM still is a problem. I had looked into ixgbe source code and added extra code in ixgbe_main.c in the function: "void ixgbe_set_rx_mode(struct net_device *netdev)" before writing to VLANCTRL register at the end of function:
/* Forcefully Disable VLAN Filtering in VLANCTRL */
vlnctrl &= ~(IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);
With this I am receiving packets with VLAN tag in my VM. I did not find any way to do this with ethtool or ip commands. If there is a way to do this with other tools please let me know.
regards,
Ravi
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ravi,
Thanks for providing the details. Glad to know that you were able to fix the issue.
As of the moment, we use the IP link commands to configure this functionality.
We'll check on this and will keep you posted on any updates.
Sincerely,
Sandy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ravi,
Upon checking, you can only use the command to configure the VLAN tag in VM, we did not find other tools/commands to do this either.
Sincerely,
Sandy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Ravi,
When you were able to overcome spoofed packets issue (not setting any VLAN on VFs & Turning off spoofing), did it involve changes in the ixgbe driver code?
If so, can you share the exact changes you did?
Thanks in advance,
Shaham
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Shaham,
As I mentioned in my earlier mails, my requirement was to get the VLAN tagged packets in the VM and VM sending out fully tagged packet. For sending out VLAN tagged packet, I disabled the spoof check using ip link command and did not add any VLAN tag to interface (VF). However, for receiving the VLAN tagged packet into the VM, I had to change a little in ixgbe driver and forcefully disable VLAN filtering.
In ixgbe_main.c in the function: "void ixgbe_set_rx_mode(struct net_device *netdev)" before writing to VLANCTRL register at the end of function, I have added:
/* Forcefully Disable VLAN Filtering in VLANCTRL */
vlnctrl &= ~(IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);
Hope it helps.
regards,
Ravi
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Ravi,
Thanks a lot!
I finally got to make vlan-tagged traffic work on my setup!
Shaham
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Sandy/wb,
Is there a plan to fix this issue in future version of ixgbe?
Or maybe add an ip sommand to set these flags?
Thanks,
Shaham
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Shaham,
We will not add this settings in future updates as this may entail security and other issues.
Sincerely,
Sandy
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Sandy, According to what we see in this thread, as long as a VF is tagged with VLAN, the anti-spoofing will always be considered as on, disregarding the value of spoofchk_enabled. Can you explain the reason behind this behavior? Thanks, Toby
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- « Previous
-
- 1
- 2
- Next »