From: Xuan Zhuo <xuanzhuo@linux.alibaba.com>
To: Parav Pandit <parav@nvidia.com>,
	"jasowang@redhat.com" <jasowang@redhat.com>,
	"Michael S. Tsirkin" <mst@redhat.com>
Cc: Satananda Burla <sburla@marvell.com>,
	"virtio-dev@lists.oasis-open.org"
	<virtio-dev@lists.oasis-open.org>,
	"virtio-comment@lists.oasis-open.org"
	<virtio-comment@lists.oasis-open.org>
Subject: [virtio-comment] virtio-net ip restriction.
Date: Tue, 08 Aug 2023 16:04:40 +0800
Message-ID: <1691481880.8297818-1-xuanzhuo@linux.alibaba.com>

## Background

For cloud, the IP restriction is important, because the user of the VM is
untrustworthy. One user may use the IP of another to configure the netdevice to
receive and send packets. So we need to restrict the IP traffic of the device (or port).

## Implement
Now we have these choices:

1. introduce the switch (as part of the PF, or as a separate device under all PFs
   and VFs); the switch supports rx/tx filters
2. the virtio-net device supports the IP restriction


Parav wrote:
> I understood that you for some reason do not need restrictions for the PF.
> I do not know why you don't need it. :)
> Most cloud setups that I came across so far need it, but ok...

The PF is used by the administrator, so the IP restriction for the PF is
not important. But we can have this feature.

> The design for the switch object needs to cover the PF as well, even though it may not be done initially.
> (hint: an abstraction of a switch port to be done, instead of doing things directly on the group member id).
>
> We are seeing fewer use cases for having the switch located on the PF for its VFs.

So for you, we should introduce a switching PF?

> So please reconsider.
> I remember you mentioned in the past in another thread that the MAC etc. is controlled from the infrastructure side.

YES.

> So, I repeatedly ask if you _really_ need to have the switch object as part of the owner PF or not.

For me, those are all OK.
Could you explain the difference between these?
I would like to know which one is better and which one is simpler.

> Which sort of contradicts with locating the administrative switch on the owner PF.

Why?

For us, all is on the DPU.

>
> If it does, the flow filters vq that is being worked on with Heng, Satananda, David
> and others seems the right direction to implement a simple->complex switch object
> progressively.

Great!!


Thanks.
