From 090af3d3a7fe36caa6eceb6bed51491425045ce9 Mon Sep 17 00:00:00 2001
From: Phil Sutter <psutter@redhat.com>
Date: Thu, 16 Jun 2016 16:50:59 +0200
Subject: [PATCH] iplink: Support VF Trust
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1302119
Upstream Status: iproute2.git commit b6d77d9ee3122
Conflicts: Context changes due to missing other features.
commit b6d77d9ee312246146e9b5ca70a8a1426898b484
Author: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
Date: Fri Feb 26 02:40:18 2016 +0000
iplink: Support VF Trust
Add IFLA_VF_TRUST message to trust the VF.
PF can accept some privileged operation from the trusted VF.
For example, ixgbe PF doesn't allow to enable VF promiscuous mode until
the VF is trusted because it may hurt performance.
To trust VF.
# ip link set dev eth0 vf 1 trust on
To untrust VF.
# ip link set dev eth0 vf 1 trust off
Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>
---
ip/iplink.c | 13 +++++++++++++
man/man8/ip-link.8.in | 8 +++++++-
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/ip/iplink.c b/ip/iplink.c
index 0f91043..84bdc56 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -81,6 +81,7 @@ void iplink_usage(void)
fprintf(stderr, " [ spoofchk { on | off} ]\n");
fprintf(stderr, " [ query_rss { on | off} ]\n");
fprintf(stderr, " [ state { auto | enable | disable} ] ]\n");
+ fprintf(stderr, " [ trust { on | off} ] ]\n");
fprintf(stderr, " [ master DEVICE ]\n");
fprintf(stderr, " [ nomaster ]\n");
fprintf(stderr, " [ addrgenmode { eui64 | none } ]\n");
@@ -302,6 +303,18 @@ static int iplink_parse_vf(int vf, int *argcp, char ***argvp,
ivs.vf = vf;
addattr_l(&req->n, sizeof(*req), IFLA_VF_RSS_QUERY_EN, &ivs, sizeof(ivs));
+ } else if (matches(*argv, "trust") == 0) {
+ struct ifla_vf_trust ivt;
+ NEXT_ARG();
+ if (matches(*argv, "on") == 0)
+ ivt.setting = 1;
+ else if (matches(*argv, "off") == 0)
+ ivt.setting = 0;
+ else
+ invarg("Invalid \"trust\" value\n", *argv);
+ ivt.vf = vf;
+ addattr_l(&req->n, sizeof(*req), IFLA_VF_TRUST, &ivt, sizeof(ivt));
+
} else if (matches(*argv, "state") == 0) {
struct ifla_vf_link_state ivl;
NEXT_ARG();
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 312be6b..1d052ef 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -118,7 +118,9 @@ ip-link \- network device configuration
.RB "[ " vlan
.IR VLANID " [ "
.B qos
-.IR VLAN-QOS " ] ]"
+.IR VLAN-QOS " ] ] ["
+.B trust { on | off }
+] |
.br
.RB "[ " rate
.IR TXRATE " ]"
@@ -872,6 +874,10 @@ parameter must be specified.
.sp
.BI spoofchk " on|off"
- turn packet spoof checking on or off for the specified VF.
+.sp
+.BI trust " on|off"
+- trust the specified VF user. This enables that VF user can set a specific feature
+which may impact security and/or performance. (e.g. VF multicast promiscuous mode)
.in -8
.TP
--
1.8.3.1