Re: [net-next 8/8] net/mlx5: Add vf ACL access via tc flower

From: Saeed Mahameed <saeedm@dev.mellanox.co.il>
To: Jakub Kicinski <jakub.kicinski@netronome.com>
Cc: Saeed Mahameed <saeedm@mellanox.com>,
	"David S. Miller" <davem@davemloft.net>,
	"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
	Ariel Levkovich <lariel@mellanox.com>
Subject: Re: [net-next 8/8] net/mlx5: Add vf ACL access via tc flower
Date: Tue, 12 Nov 2019 16:31:19 -0800	[thread overview]
Message-ID: <CALzJLG8ZiBdibjwY+xg0iBgqoEC1BFLcejTyHZYfsfbB7d20cQ@mail.gmail.com> (raw)
In-Reply-To: <20191112154124.4f0f38f9@cakuba>

On Tue, Nov 12, 2019 at 3:41 PM Jakub Kicinski
<jakub.kicinski@netronome.com> wrote:
>
> On Tue, 12 Nov 2019 17:13:53 +0000, Saeed Mahameed wrote:
> > From: Ariel Levkovich <lariel@mellanox.com>
> >
> > Implementing vf ACL access via tc flower api to allow
> > admins configure the allowed vlan ids on a vf interface.
> >
> > To add a vlan id to a vf's ingress/egress ACL table while
> > in legacy sriov mode, the implementation intercepts tc flows
> > created on the pf device where the flower matching keys include
> > the vf's mac address as the src_mac (eswitch ingress) or the
> > dst_mac (eswitch egress) while the action is accept.
> >
> > In such cases, the mlx5 driver interpets these flows as adding
> > a vlan id to the vf's ingress/egress ACL table and updates
> > the rules in that table using eswitch ACL configuration api
> > that is introduced in a previous patch.
>
> Nack, the magic interpretation of rules installed on the PF is a no go.

PF is the eswitch manager it is legit for the PF to forward rules to
the eswitch FDB,
we do it all over the place, this is how ALL legacy ndos work, why
this should be treated differently ?

Anyway just for the record, I don't think you are being fair here, you
just come up with rules on the go just to block anything related to
legacy mode.