From 090af3d3a7fe36caa6eceb6bed51491425045ce9 Mon Sep 17 00:00:00 2001

From: Phil Sutter <psutter@redhat.com>

Date: Thu, 16 Jun 2016 16:50:59 +0200

Subject: [PATCH] iplink: Support VF Trust

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1302119

Upstream Status: iproute2.git commit b6d77d9ee3122

Conflicts: Context changes due to missing other features.

commit b6d77d9ee312246146e9b5ca70a8a1426898b484

Author: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>

Date:   Fri Feb 26 02:40:18 2016 +0000

    iplink: Support VF Trust

    Add IFLA_VF_TRUST message to trust the VF.

    PF can accept some privileged operation from the trusted VF.

    For example, ixgbe PF doesn't allow to enable VF promiscuous mode until

    the VF is trusted because it may hurt performance.

    To trust VF.

     # ip link set dev eth0 vf 1 trust on

    To untrust VF.

     # ip link set dev eth0 vf 1 trust off

    Signed-off-by: Hiroshi Shimamoto <h-shimamoto@ct.jp.nec.com>

---

 ip/iplink.c           | 13 +++++++++++++

 man/man8/ip-link.8.in |  8 +++++++-

 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/ip/iplink.c b/ip/iplink.c

index 0f91043..84bdc56 100644

--- a/ip/iplink.c

+++ b/ip/iplink.c

@@ -81,6 +81,7 @@ void iplink_usage(void)

 	fprintf(stderr, "				   [ spoofchk { on | off} ]\n");

 	fprintf(stderr, "				   [ query_rss { on | off} ]\n");

 	fprintf(stderr, "				   [ state { auto | enable | disable} ] ]\n");

+	fprintf(stderr, "				   [ trust { on | off} ] ]\n");

 	fprintf(stderr, "			  [ master DEVICE ]\n");

 	fprintf(stderr, "			  [ nomaster ]\n");

 	fprintf(stderr, "			  [ addrgenmode { eui64 | none } ]\n");

@@ -302,6 +303,18 @@ static int iplink_parse_vf(int vf, int *argcp, char ***argvp,

 			ivs.vf = vf;

 			addattr_l(&req->n, sizeof(*req), IFLA_VF_RSS_QUERY_EN, &ivs, sizeof(ivs));

+		} else if (matches(*argv, "trust") == 0) {

+			struct ifla_vf_trust ivt;

+			NEXT_ARG();

+			if (matches(*argv, "on") == 0)

+				ivt.setting = 1;

+			else if (matches(*argv, "off") == 0)

+				ivt.setting = 0;

+			else

+				invarg("Invalid \"trust\" value\n", *argv);

+			ivt.vf = vf;

+			addattr_l(&req->n, sizeof(*req), IFLA_VF_TRUST, &ivt, sizeof(ivt));

+

 		} else if (matches(*argv, "state") == 0) {

 			struct ifla_vf_link_state ivl;

 			NEXT_ARG();

diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in

index 312be6b..1d052ef 100644

--- a/man/man8/ip-link.8.in

+++ b/man/man8/ip-link.8.in

@@ -118,7 +118,9 @@ ip-link \- network device configuration

 .RB "[ " vlan

 .IR VLANID " [ "

 .B qos

-.IR VLAN-QOS " ] ]"

+.IR VLAN-QOS " ] ] ["

+.B trust { on | off }

+] |

 .br

 .RB "[ " rate

 .IR TXRATE " ]"

@@ -872,6 +874,10 @@ parameter must be specified.

 .sp

 .BI spoofchk " on|off"

 - turn packet spoof checking on or off for the specified VF.

+.sp

+.BI trust " on|off"

+- trust the specified VF user. This enables that VF user can set a specific feature

+which may impact security and/or performance. (e.g. VF multicast promiscuous mode)

 .in -8

 .TP

-- 

1.8.3.1