VF in eswitch context does not filter mac when spoofchk is enabled

m.auger · December 13, 2024, 4:55pm

Hi community !

I aim to accelerate proxmox packet processing with the bridge offload capabilities of connectx-6 and/or bluefield2 cards.
The particularity of my setup is that the proxmox manages routing VMs for which it provides vxlan termination. My proxmox uses BGP/EVPN to set up VXLAN tunnels and mac learning.
With the bluefield2 host mode (like simple connectx-6) I’ve deployed sriov with switchdev in eswitch mode. the VFs act as vnic for the virtual routers. it’s very reliable and the TC rules allow certain flows to be processed in hw (with the help of representor port).

however, despite activation of the anti spoof configuration, the VF does not filter the mac

ex :
/opt/mellanox/iproute2/sbin/ip l set ens1f1np1 vf 30 spoofchk on

i wondered if the mac anti spoof is well supported in eswitch mode. i don’t have an obvious answer however the following mlx5_core log is sent when i hot swap the mac with the command

/sbin/ip link set ens1f1np1 vf 30 mac 11:22:33:44:55:66

log :
[Tue Dec 10 17:45:48 2024] mlx5_core 0000:12:00.1: mlx5_esw_set_vport_mac_locked:2361:(pid 27158): Set invalid MAC while spoofchk is on, vport(1)

rejecting my forged mac is appreciate because it say something important
mlx5 refuse mac type local_usage, mlx5 expects real OUI mac

hum, interesting…
the function named mlx5_esw_set_vport_mac_locked is quite clear:
it suggests that the eswitch support vport mac lock aka “mac anti spoof”

let’s go deeper into the code

eswitch interactions with kernel is describe in drivers/net/ethernet/mellanox/mlx5/core/eswitch.c

My anderstanding :
If spoofchk is enabled (evport->info.spoofchk = true), the NIC (ConnectX-6) should apply the check in hardware. This means that packet rejection does not depend on this code, but is handled at hardware level.
The key function for setting the MAC address is :

err = mlx5_modify_nic_vport_mac_address(esw->dev, vport_num, mac);

If this configuration is successful, the hardware knows the valid MAC address associated with this vport and rejects packets with a different MAC source address.

this is unfortunately not the behavior I observe…

a little help would be appreciated

thx

xiaofengl · February 5, 2025, 2:06am

Not sure if it work. You can try latest kernel and driver and latest firmware.

Topic		Replies	Views
DPDK-mlx5 set_mac question on Mellanox NIC passthru (or SR-IOV) at VMWare Hypervisor. Virtualization For Infiniband And Ethernet	1	705	September 18, 2018
Assigning VLAN IDs to Virtual NICs under SR-IOV: "Operation not supported" Mellanox OFED linux , sr-iov-virtualization-solutions , mlnx_ofed	3	783	December 19, 2024
Possible cause of VRRP not working Ethernet Adapter Cards	2	30	April 13, 2025
Problem with vlan with multicast mac over SR-IOV (VMware) Ethernet Adapter Cards	5	548	March 15, 2018
IBM PowerKVM: Configuring SR-IOV VFs on Different ConnectX-3 Ports	0	181	June 26, 2015
Local bridging / eswitch between ports on ConnectX-3 VPI in Ethernet mode Ethernet Adapter Cards flint , ofed_info-s	6	1064	November 13, 2019
Cannot-change-vf-trusted-mode-in-host-machine BlueField	2	47	November 20, 2024
Unable to add SF on host side with bluefield-2 in ECPF mode BlueField	2	862	December 27, 2023
Cannot create VFs on one PF, but can create on another BlueField sr-iov-virtualization-solutions	5	3029	May 17, 2023
Hello! I am using a MT27520 Family [ConnectX-3 Pro] 40G dual port card with SR-IOV enable, but the VF can not set to promiscuous mode. Promiscuous mode is set inside the VM, but it doesn't work. VM does not receive packets with unregistered DMAC. Software And Drivers	2	335	October 21, 2020

VF in eswitch context does not filter mac when spoofchk is enabled

Related topics