[Impact]
* A VM's VF cannot receive IPv6 multicast traffic
from other VMs' VFs in the same Mellanox adapter
_if_ its VF trust setting is not enabled, and on
Xenial currently iproute2 _cannot_ enable it.
* This breaks IPv6 NDP (Neighbor Discovery Protocol)
in that scenario.
* This upload adds three iproute2 upstream commits
to enable/disable the VF setting, which resolves
that problem/limitation.
[Test Case]
* Check 'ip link help' for the 'trust' option:
Before:
# ip link help 2>&1 | grep trust
<nothing>
After:
# ip link help 2>&1 | grep trust
[ trust { on | off} ] ]
* Check 'ip link show dev PF' for 'trust on|off' field in VFs.
Before: (trust field _is not_ present)
# ip link show dev ens1f0
...
vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto
vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto
After: (trust field _is_ present)
# ip link show dev ens1f0
...
vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
* Set the VF trust on/off and check it:
Set VF 0 trust on:
# ip link set ens1f0 vf 0 trust on
# ip link show dev ens1f0 | grep trust
vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust on
vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
Set VF 0 trust off:
# ip link set ens1f0 vf 0 trust off
# ip link show dev ens1f0 | grep trust
vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
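The manual check above, turned into a repeatable audit (an added example, not part of the original report or of iproute2): it parses 'ip link show dev PF' output and flags any VF whose trust state differs from an expected list. The function names and the sample lines are assumptions; the samples are constructed in the format shown in the test case.

```shell
#!/bin/sh
# Constructed sample output, in the format shown in the test case above.
sample_before() {
cat <<'EOF'
    vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto
    vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto
EOF
}
sample_after() {
cat <<'EOF'
    vf 0 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust on
    vf 1 MAC 00:00:00:00:00:00, spoof checking on, link-state auto, trust off
EOF
}

# Read 'ip link show' output on stdin and print "<vf> <state>" per VF.
# state is on, off, or unknown (no trust field, e.g. unpatched iproute2).
vf_trust_report() {
    awk '$1 == "vf" {
        state = "unknown"
        for (i = 2; i < NF; i++)
            if ($i == "trust") { state = $(i + 1); sub(/,$/, "", state) }
        print $2, state
    }'
}

# Read vf_trust_report output on stdin. $1 is a space-separated list of
# VF indexes expected to have trust on; every other VF is expected off.
# Prints one line per deviation and returns 1 if there is any.
vf_trust_audit() {
    expected_on=" $1 "
    rc=0
    while read -r vf state; do
        case "$expected_on" in
            *" $vf "*) want=on ;;
            *) want=off ;;
        esac
        if [ "$state" != "$want" ]; then
            echo "vf $vf: trust $state, expected $want"
            rc=1
        fi
    done
    return $rc
}

# Live use (ens1f0 is the PF name used in the test case):
#   ip link show dev ens1f0 | vf_trust_report | vf_trust_audit "0"
```

A state of unknown counts as a deviation, so the audit also fails on a host whose iproute2 does not yet show the trust field.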
[Regression Potential]
* Regression potential is low because the commits just add the
netlink attribute for the userspace-kernel interface and the
ways to set/clear it, and show the current value to the user.
* Regressions could happen _if_ the user turns the setting on
(it's disabled by default) and there's a problem/bug, likely
in _another_ component that depends on that setting (which is
something to fix in that component).
[Other Info]
* The users that reported this problem have verified
the test package with these changes, and confirmed
that it now works correctly for IPv6 NDP/multicast.