Ethernet Products
Determine ramifications of Intel® Ethernet products and technologies
4974 Discussions

SR-IOV with ixgbe - spoof packets detected

sfrid
Beginner
10,938 Views

Hey All,

I have a VM runs on Cisco server that runs KVM with SR-IOV enabled.

4 VFs are attached to this VM and spoof check is off on all of them.

I still get 'spoofed packets detected' warning all the time

"ixgbe 0000::0c:00.0 eth17: 2 Spoofed packets detected"

I read online that spoof detection is enabled by default (on compilation) on ixgbe driver when SR-IOV is active.

Any idea how to overcome this issue?

If any more information needed please let me know.

Thanks,

Shaham

0 Kudos
30 Replies
RBhat3
Beginner
1,407 Views

Hi Sandy,

I finally got the functionality working as what I wanted. I did the following:

1. I did not set any VLAN tag to VF.

2. Turned OFF spoofing using ip link command.

With above two steps, I was able to send VLAN packets from my application on VM. However, receiving VLAN packets in my VM/application on VM still is a problem. I had looked into ixgbe source code and added extra code in ixgbe_main.c in the function: "void ixgbe_set_rx_mode(struct net_device *netdev)" before writing to VLANCTRL register at the end of function:

/* Forcefully Disable VLAN Filtering in VLANCTRL */

vlnctrl &= ~(IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);

With this I am receiving packets with VLAN tag in my VM. I did not find any way to do this with ethtool or ip commands. If there is a way to do this with other tools please let me know.

regards,

Ravi

0 Kudos
SYeo3
Valued Contributor I
1,407 Views

Hi Ravi,

Thanks for providing the details. Glad to know that you were able to fix the issue.

As of the moment, we use the IP link commands to configure this functionality.

We'll check on this and will keep you posted on any updates.

Sincerely,

Sandy

0 Kudos
SYeo3
Valued Contributor I
1,407 Views

Hi Ravi,

Upon checking, you can only use the command to configure the VLAN tag in VM, we did not find other tools/commands to do this either.

Sincerely,

Sandy

0 Kudos
sfrid
Beginner
1,407 Views

Hey Ravi,

When you were able to overcome spoofed packets issue (not setting any VLAN on VFs & Turning off spoofing), did it involve changes in the ixgbe driver code?

If so, can you share the exact changes you did?

Thanks in advance,

Shaham

0 Kudos
RBhat3
Beginner
1,407 Views

Shaham,

As I mentioned in my earlier mails, my requirement was to get the VLAN tagged packets in the VM and VM sending out fully tagged packet. For sending out VLAN tagged packet, I disabled the spoof check using ip link command and did not add any VLAN tag to interface (VF). However, for receiving the VLAN tagged packet into the VM, I had to change a little in ixgbe driver and forcefully disable VLAN filtering.

In ixgbe_main.c in the function: "void ixgbe_set_rx_mode(struct net_device *netdev)" before writing to VLANCTRL register at the end of function, I have added:

/* Forcefully Disable VLAN Filtering in VLANCTRL */

vlnctrl &= ~(IXGBE_VLNCTRL_VFE | IXGBE_VLNCTRL_CFIEN);

Hope it helps.

regards,

Ravi

0 Kudos
sfrid
Beginner
1,407 Views

Hey Ravi,

Thanks a lot!

I finally got to make vlan-tagged traffic work on my setup!

Shaham

0 Kudos
sfrid
Beginner
1,407 Views

Hey Sandy/wb,

Is there a plan to fix this issue in future version of ixgbe?

Or maybe add an ip sommand to set these flags?

Thanks,

Shaham

0 Kudos
SYeo3
Valued Contributor I
1,407 Views

Hi shaham,

I'll check on this.

Sincerely,

Sandy

0 Kudos
SYeo3
Valued Contributor I
1,407 Views

Hi Shaham,

We will not add this settings in future updates as this may entail security and other issues.

Sincerely,

Sandy

0 Kudos
gXu4
Beginner
1,407 Views

Hi Sandy, According to what we see in this thread, as long as a VF is tagged with VLAN, the anti-spoofing will always be considered as on, disregarding the value of spoofchk_enabled. Can you explain the reason behind this behavior? Thanks, Toby

0 Kudos
Reply