diff -Nru iproute2-4.3.0/debian/changelog iproute2-4.3.0/debian/changelog
--- iproute2-4.3.0/debian/changelog 2017-12-04 17:03:46.000000000 +0000
+++ iproute2-4.3.0/debian/changelog 2018-11-01 15:38:15.000000000 +0000
@@ -1,3 +1,12 @@
+iproute2 (4.3.0-1ubuntu3.16.04.4) xenial; urgency=medium
+
+ * Add support for VF Trust (LP: #1800877)
+ - d/p/1008-vf_trust_dddf1b44126e.patch: netlink attribute
+ - d/p/1009-vf_trust_b6d77d9ee312.patch: set it for kernel
+ - d/p/1010-vf_trust_fe9322781e63.patch: print it for user
+
+ -- Mauricio Faria de Oliveira Tue, 18 Sep 2018 12:21:44 -0300
+
 iproute2 (4.3.0-1ubuntu3.16.04.3) xenial; urgency=medium
 
 * Fix ip maddr show (LP: #1732032):
diff -Nru iproute2-4.3.0/debian/patches/1008-vf_trust_dddf1b44126e.patch iproute2-4.3.0/debian/patches/1008-vf_trust_dddf1b44126e.patch
--- iproute2-4.3.0/debian/patches/1008-vf_trust_dddf1b44126e.patch 1970-01-01 00:00:00.000000000 +0000
+++ iproute2-4.3.0/debian/patches/1008-vf_trust_dddf1b44126e.patch 2018-11-02 14:45:12.000000000 +0000
@@ -0,0 +1,37 @@
+Origin: upstream, https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=dddf1b44126eaa25c6698be618fb452fc7b9bed3
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1800877
+From: Stephen Hemminger
+Date: Fri, 23 Oct 2015 15:47:07 -0700
+Subject: [PATCH] add new IFLA_VF_TRUST netlink attribute
+
+---
+ include/linux/if_link.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/include/linux/if_link.h b/include/linux/if_link.h
+index 288d3cd61679..31f584cb2576 100644
+--- a/include/linux/if_link.h
++++ b/include/linux/if_link.h
+@@ -500,6 +500,7 @@ enum {
+ * on/off switch
+ */
+ IFLA_VF_STATS, /* network device statistics */
++ IFLA_VF_TRUST, /* Trust VF */
+ __IFLA_VF_MAX,
+ };
+
+@@ -561,6 +562,11 @@ enum {
+
+ #define IFLA_VF_STATS_MAX (__IFLA_VF_STATS_MAX - 1)
+
++struct ifla_vf_trust {
++ __u32 vf;
++ __u32 setting;
++};
++
+ /* VF ports management section
+ *
+ * Nested layout of set/get msg is:
+--
+2.17.1
+
diff -Nru iproute2-4.3.0/debian/patches/1009-vf_trust_b6d77d9ee312.patch iproute2-4.3.0/debian/patches/1009-vf_trust_b6d77d9ee312.patch
--- iproute2-4.3.0/debian/patches/1009-vf_trust_b6d77d9ee312.patch 1970-01-01 00:00:00.000000000 +0000
+++ iproute2-4.3.0/debian/patches/1009-vf_trust_b6d77d9ee312.patch 2018-11-02 14:47:15.000000000 +0000
@@ -0,0 +1,82 @@
+Origin: backport, https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=b6d77d9ee312246146e9b5ca70a8a1426898b484
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1800877
+From: Hiroshi Shimamoto
+Date: Fri, 26 Feb 2016 02:40:18 +0000
+Subject: [PATCH] iplink: Support VF Trust
+
+Add IFLA_VF_TRUST message to trust the VF.
+PF can accept some privileged operation from the trusted VF.
+For example, ixgbe PF doesn't allow to enable VF promiscuous mode until
+the VF is trusted because it may hurt performance.
+
+To trust VF.
+ # ip link set dev eth0 vf 1 trust on
+
+To untrust VF.
+ # ip link set dev eth0 vf 1 trust off
+
+Signed-off-by: Hiroshi Shimamoto
+---
+ ip/iplink.c | 13 +++++++++++++
+ man/man8/ip-link.8.in | 7 ++++++-
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/ip/iplink.c b/ip/iplink.c
+index 5ab9d613c4f9..69f50572633b 100644
+--- a/ip/iplink.c
++++ b/ip/iplink.c
+@@ -82,6 +82,7 @@ void iplink_usage(void)
+ fprintf(stderr, " [ spoofchk { on | off} ] ]\n");
+ fprintf(stderr, " [ query_rss { on | off} ] ]\n");
+ fprintf(stderr, " [ state { auto | enable | disable} ] ]\n");
++ fprintf(stderr, " [ trust { on | off} ] ]\n");
+ fprintf(stderr, " [ master DEVICE ]\n");
+ fprintf(stderr, " [ nomaster ]\n");
+ fprintf(stderr, " [ addrgenmode { eui64 | none } ]\n");
+@@ -352,6 +353,18 @@ static int iplink_parse_vf(int vf, int *argcp, char ***argvp,
+ ivs.vf = vf;
+ addattr_l(&req->n, sizeof(*req), IFLA_VF_RSS_QUERY_EN, &ivs, sizeof(ivs));
+
++ } else if (matches(*argv, "trust") == 0) {
++ struct ifla_vf_trust ivt;
++ NEXT_ARG();
++ if (matches(*argv, "on") == 0)
++ ivt.setting = 1;
++ else if (matches(*argv, "off") == 0)
++ ivt.setting = 0;
++ else
++ invarg("Invalid \"trust\" value\n", *argv);
++ ivt.vf = vf;
++ addattr_l(&req->n, sizeof(*req), IFLA_VF_TRUST, &ivt, sizeof(ivt));
++
+ } else if (matches(*argv, "state") == 0) {
+ struct ifla_vf_link_state ivl;
+
+diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
+index 4d3234352004..221831e52bc9 100644
+--- a/man/man8/ip-link.8.in
++++ b/man/man8/ip-link.8.in
+@@ -142,7 +142,8 @@ ip-link \- network device configuration
+ .B min_tx_rate
+ .IR TXRATE " ] ["
+ .B spoofchk { on | off } ] [
+-.B state { auto | enable | disable}
++.B state { auto | enable | disable} ] [
++.B trust { on | off }
+ ] |
+ .br
+ .B master
+@@ -1018,6 +1019,10 @@ parameter must be specified.
+ reflection of the PF link state, enable lets the VF to communicate with other VFs on
+ this host even if the PF link state is down, disable causes the HW to drop any packets
+ sent by the VF.
++.sp
++.BI trust " on|off"
++- trust the specified VF user. This enables that VF user can set a specific feature
++which may impact security and/or performance. (e.g. VF multicast promiscuous mode)
+ .in -8
+
+ .TP
+--
+2.17.1
+
diff -Nru iproute2-4.3.0/debian/patches/1010-vf_trust_fe9322781e63.patch iproute2-4.3.0/debian/patches/1010-vf_trust_fe9322781e63.patch
--- iproute2-4.3.0/debian/patches/1010-vf_trust_fe9322781e63.patch 1970-01-01 00:00:00.000000000 +0000
+++ iproute2-4.3.0/debian/patches/1010-vf_trust_fe9322781e63.patch 2018-11-02 14:47:39.000000000 +0000
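Review bot: In the `trust` branch added to iplink_parse_vf (ip/iplink.c, inner hunk at -352) the on/off value is parsed with `matches()`, which in iproute2 is a prefix match; assuming that holds for this tree, an abbreviated `o` or an empty argument satisfies the `"on"` test first and the VF is marked trusted. Since the commit message says a trusted VF may have privileged operations accepted by the PF, an ambiguous value should be rejected rather than resolved to the permissive setting: `if (strcmp(*argv, "on") == 0)` and `else if (strcmp(*argv, "off") == 0)`, leaving the `invarg()` branch to catch everything else. The neighbouring on/off handlers may follow the same pattern, but only the tail of one is visible here; iplink_parse_vf starts and ends outside the hunk.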
@@ -0,0 +1,35 @@
+Origin: upstream, https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=fe9322781e6351b5572cbaa8df4dd0e5ec96398a
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1800877
+From: Phil Sutter
+Date: Thu, 31 Mar 2016 14:43:32 +0200
+Subject: [PATCH] ip-link: Support printing VF trust setting
+
+This adds a new item to VF lines of a PF, stating whether the VF is
+trusted or not.
+
+Signed-off-by: Phil Sutter
+---
+ ip/ipaddress.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ip/ipaddress.c b/ip/ipaddress.c
+index f27d423ca723..b2e294d29ca2 100644
+--- a/ip/ipaddress.c
++++ b/ip/ipaddress.c
+@@ -378,6 +378,13 @@ static void print_vfinfo(FILE *fp, struct rtattr *vfinfo)
+ else
+ fprintf(fp, ", link-state disable");
+ }
++ if (vf[IFLA_VF_TRUST]) {
++ struct ifla_vf_trust *vf_trust = RTA_DATA(vf[IFLA_VF_TRUST]);
++
++ if (vf_trust->setting != -1)
++ fprintf(fp, ", trust %s",
++ vf_trust->setting ? "on" : "off");
++ }
+ if (vf[IFLA_VF_STATS] && show_stats)
+ print_vf_stats64(fp, vf[IFLA_VF_STATS]);
+ }
+--
+2.17.1
+
diff -Nru iproute2-4.3.0/debian/patches/series iproute2-4.3.0/debian/patches/series
--- iproute2-4.3.0/debian/patches/series 2017-12-04 17:03:46.000000000 +0000
+++ iproute2-4.3.0/debian/patches/series 2018-11-01 15:37:50.000000000 +0000
@@ -9,3 +9,6 @@
 1005-ip-maddr-fix-igmp-parsing.patch
 1006-ip-maddr-avoid-uninitialized-data.patch
 1007-ip-maddr-fix-filtering-by-device.patch
+1008-vf_trust_dddf1b44126e.patch
+1009-vf_trust_b6d77d9ee312.patch
+1010-vf_trust_fe9322781e63.patch
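Review bot: In print_vfinfo (ip/ipaddress.c, inner hunk at -378 of the 1010 patch) `vf_trust->setting != -1` compares the `__u32` field declared in the 1008 patch with a signed constant, so the test works only through implicit conversion and the meaning of the sentinel is not stated. Spell it as `if (vf_trust->setting != (__u32)-1)` and add a comment along the lines of `/* (__u32)-1: no trust setting reported for this VF */`; that meaning is inferred from the code and should be confirmed against the kernel side. The attribute payload is also dereferenced without comparing `RTA_PAYLOAD(vf[IFLA_VF_TRUST])` against `sizeof(*vf_trust)`; the data comes from the kernel, so that check would be hardening rather than a fix. print_vfinfo starts outside the hunk.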