From b6d77d9ee312246146e9b5ca70a8a1426898b484 Mon Sep 17 00:00:00 2001 From: Hiroshi Shimamoto Date: Fri, 26 Feb 2016 02:40:18 +0000 Subject: [PATCH 1/2] iplink: Support VF Trust Add IFLA_VF_TRUST message to trust the VF. PF can accept some privileged operation from the trusted VF. For example, ixgbe PF doesn't allow to enable VF promiscuous mode until the VF is trusted because it may hurt performance. To trust VF. # ip link set dev eth0 vf 1 trust on To untrust VF. # ip link set dev eth0 vf 1 trust off Signed-off-by: Hiroshi Shimamoto
---
 ip/iplink.c | 13 +++++++++++++
 man/man8/ip-link.8.in | 7 ++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/ip/iplink.c b/ip/iplink.c
index 5ab9d613..69f50572 100644
--- a/ip/iplink.c
+++ b/ip/iplink.c
@@ -82,6 +82,7 @@ void iplink_usage(void)
 fprintf(stderr, " [ spoofchk { on | off} ] ]\n");
 fprintf(stderr, " [ query_rss { on | off} ] ]\n");
 fprintf(stderr, " [ state { auto | enable | disable} ] ]\n");
+ fprintf(stderr, " [ trust { on | off} ] ]\n");
 fprintf(stderr, " [ master DEVICE ]\n");
 fprintf(stderr, " [ nomaster ]\n");
 fprintf(stderr, " [ addrgenmode { eui64 | none | stable_secret | random } ]\n");
@@ -357,6 +357,18 @@ static int iplink_parse_vf(int vf, int *argcp, char ***argvp,
 ivs.vf = vf;
 addattr_l(&req->n, sizeof(*req), IFLA_VF_RSS_QUERY_EN, &ivs, sizeof(ivs));
+ } else if (matches(*argv, "trust") == 0) {
+ struct ifla_vf_trust ivt;
+ NEXT_ARG();
+ if (matches(*argv, "on") == 0)
+ ivt.setting = 1;
+ else if (matches(*argv, "off") == 0)
+ ivt.setting = 0;
+ else
+ invarg("Invalid \"trust\" value\n", *argv);
+ ivt.vf = vf;
+ addattr_l(&req->n, sizeof(*req), IFLA_VF_TRUST, &ivt, sizeof(ivt));
+
 } else if (matches(*argv, "state") == 0) {
 struct ifla_vf_link_state ivl;
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 4d323435..221831e5 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
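Review bot: The `trust` value in the new branch of iplink_parse_vf is parsed with `matches()`, which, if it is the prefix matcher used for the other keywords in ip, accepts abbreviations: `trust o` is a prefix of both `on` and `off` and would be taken by the first test, marking the VF trusted. Because trust lets the VF request privileged operations from the PF, the parse should fail closed on anything ambiguous; compare the value exactly, `if (strcmp(*argv, "on") == 0)` and `else if (strcmp(*argv, "off") == 0)`, and leave everything else to `invarg()`. `ivt.setting` is also left unset on the `invarg()` path, which is only safe if `invarg()` never returns; `struct ifla_vf_trust ivt = {0};` would make that independent of the helper. The function starts before and continues after this hunk, so the neighbouring on/off branches are not visible here and may share the same pattern.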
@@ -142,7 +142,8 @@ ip-link \- network device configuration .B min_tx_rate .IR TXRATE " ] [" .B spoofchk { on | off } ] [ -.B state { auto | enable | disable} +.B state { auto | enable | disable} ] [ +.B trust { on | off } ] | .br .B master @@ -1019,6 +1020,10 @@ parameter must be specified. reflection of the PF link state, enable lets the VF to communicate with other VFs on this host even if the PF link state is down, disable causes the HW to drop any packets sent by the VF. +.sp +.BI trust " on|off" +- trust the specified VF user. This enables that VF user can set a specific feature +which may impact security and/or performance. (e.g. VF multicast promiscuous mode) .in -8 .TP From 67eedcd9a145f30aa0a185b7235f01b66349effe Mon Sep 17 00:00:00 2001 From: Phil Sutter Date: Thu, 25 Feb 2016 13:07:35 +0100 Subject: [PATCH 2/2] iprule: Align help text with man page synopsis The help text was misleading: One could think it is possible to list rules by selector, which would be nice but isn't. This change also clarifies that 'ip rule' defaults to 'list' if no further arguments are given. Signed-off-by: Phil Sutter --- ip/iprule.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ip/iprule.c b/ip/iprule.c index 9923b8eb..33b71976 100644 --- a/ip/iprule.c +++ b/ip/iprule.c @@ -33,8 +33,9 @@ static void usage(void) __attribute__((noreturn)); static void usage(void) { - fprintf(stderr, "Usage: ip rule [ list | add | del | flush | save ] SELECTOR ACTION\n"); - fprintf(stderr, " ip rule restore\n"); + fprintf(stderr, "Usage: ip rule { add | del } SELECTOR ACTION\n"); + fprintf(stderr, " ip rule { flush | save | restore }\n"); + fprintf(stderr, " ip rule [ list ]\n"); fprintf(stderr, "SELECTOR := [ not ] [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark FWMARK[/MASK] ]\n"); fprintf(stderr, " [ iif STRING ] [ oif STRING ] [ pref NUMBER ]\n"); fprintf(stderr, "ACTION := [ table TABLE_ID ]\n");