incus/internal/server/nic_sriov: add hwspoofchk to disable hardware spoofcheck support #2021

Open: wants to merge 1 commit into base: main

Conversation

fstern
@fstern fstern commented Apr 28, 2025

I've added a hwspoofchk flag to the SRIOV nic device, because not all NICs support hardware spoof checking.

In my case I'm running this on Bluefield 3 VFs which only return "Operation not supported" when using the spoofchk flag.

This makes the option in networkSRIOVSetupVF configurable through a setting in the profile.

The default is enabled, to keep with existing setups.

Signed-off-by: Falk Stern [email protected]

@fstern fstern requested a review from stgraber as a code owner April 28, 2025 16:06
@stgraber
Member

I think it'd be better to introduce security.mac_filtering to the sriov NIC type and it'd be fine for it to default to off, same way we do for every other NIC type.

I'm actually unsure why we decided to enforce it on sriov NICs by default when we don't on the SRIOV accelerated OVN NICs.

@fstern
Author

fstern commented Apr 29, 2025

The sriov nics already utilize security.mac_filtering in e.g.

if util.IsTrue(d.config["security.mac_filtering"]) {

The problem here is that even when it's off, the code wants to explicitly disable the feature with ip link set dev enp5s0 vf 0 spoofchk off.

Even disabling hardware spoofchecking is not supported with some cards; the process then returns a non-zero exit code and the VM or container doesn't start.

The current code path already uses a useSpoofCheck flag, which just defaults to true in the function call of networkSRIOVSetupVF. This patch just makes it configurable.

@stgraber
Member

Oops, sorry, I was reading the wrong sriov documentation on our end...

Right, so since security.mac_filtering is already a config option, we should make it so if it's enabled, we require the spoofcheck to be turned on, which would then fail on cards like yours. If it's not enabled, then we should attempt to turn off the spoofcheck, but not fail in the event that the operation fails (as we're now aware that some cards do not have that knob).

@stgraber
Member

That would provide the expected behavior without having to offer another low level knob that we'd then need to be careful about when to allow for restricted environments.
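The behaviour proposed above (spoofchk required and fatal when security.mac_filtering is on, best-effort and tolerated when it is off), as an added illustration in Go that is not code from this PR or from incus; configureVFSpoofCheck and the injectable runCmd helper are hypothetical names, and the "Operation not supported" reply is the one the PR author reports for Bluefield 3 VFs.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

// runCmd runs a command and returns its combined output. It is a package
// variable so a test can swap in a fake "ip" without needing an SR-IOV NIC.
// Hypothetical helper, not the project's own command wrapper.
var runCmd = func(name string, args ...string) (string, error) {
	out, err := exec.Command(name, args...).CombinedOutput()
	return string(out), err
}

// configureVFSpoofCheck applies the reviewer's proposal:
//   - macFiltering true:  spoofchk must end up "on"; any failure is fatal.
//   - macFiltering false: try "off", but tolerate NICs whose driver rejects the
//     knob (e.g. "RTNETLINK answers: Operation not supported") and only warn.
// It returns a warning string (empty when nothing had to be tolerated).
func configureVFSpoofCheck(parentDev string, vfID int, macFiltering bool) (string, error) {
	mode := "off"
	if macFiltering {
		mode = "on"
	}
	out, err := runCmd("ip", "link", "set", "dev", parentDev, "vf", fmt.Sprintf("%d", vfID), "spoofchk", mode)
	if err == nil {
		return "", nil
	}
	msg := strings.TrimSpace(out)
	if macFiltering {
		// security.mac_filtering is a hard requirement: refuse to start the instance.
		return "", fmt.Errorf("failed to enable spoofchk on %s vf %d (required by security.mac_filtering): %w: %s", parentDev, vfID, err, msg)
	}
	// Not required by config: log and carry on rather than blocking the instance.
	return fmt.Sprintf("could not disable spoofchk on %s vf %d, continuing: %s", parentDev, vfID, msg), nil
}

func main() {
	// Constructed demo using the VF name from the PR; needs root and a real SR-IOV parent.
	warning, err := configureVFSpoofCheck("enp5s0", 0, false)
	fmt.Println("warning:", warning, "error:", err)
}
```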

@fstern
Author

fstern commented May 2, 2025

Yes,

could fail silently, but that already has that knob.

I don't feel comfortable enough to change that behaviour there, so I just made the useSpoofCheck knob accessible through config.

You've already run the tests - anything you want me to change in the commit?
