lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 28 Jan 2011 16:38:48 -0800
From:	Jay Vosburgh <fubar@...ibm.com>
To:	=?UTF-8?B?Tmljb2xhcyBkZSBQZXNsb8O8YW4=?= 
	<nicolas.2p.debian@...il.com>
cc:	Jiri Bohac <jbohac@...e.cz>,
	"bonding-devel@...ts.sourceforge.net" 
	<bonding-devel@...ts.sourceforge.net>,
	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: Bonding on bond

Nicolas de Pesloüan <nicolas.2p.debian@...il.com> wrote:

>Le 20/01/2011 20:53, Jay Vosburgh a écrit :
>> 	I'm in agreement that, by and large, nesting of bonds is
>> pointless.  However, I suspect that there are users out in the world who
>> are happily doing so, and this patch may shut them down.
>
>Hi Jay,
>
>I tested the following nested bonding configuration:
>
>bond1 : eth1 + eth3, in balance-rr mode.
>bond2 : eth0 + eth2, in balance-rr mode.
>bond0 : bond1 + bond2, in active-backup mode.
>
>The egress path apparently works not so bad, even if I didn't take time
>yet to check proper load balancing nor fail over.
>
>However, the ingress path doesn't work at all. bond0 is unable to receive any packets (ARP or IP).

	In light of this, I don't see a problem with disallowing nesting
of bonds.  It should be documented in bonding.txt.

>It doesn't sound surprising to me, having a look at the current code in __netif_receive_skb() :
>
>>         /*
>>          * bonding note: skbs received on inactive slaves should only
>>          * be delivered to pkt handlers that are exact matches.  Also
>>          * the deliver_no_wcard flag will be set.  If packet handlers
>>          * are sensitive to duplicate packets these skbs will need to
>>          * be dropped at the handler.
>>          */
>>         null_or_orig = NULL;
>>         orig_dev = skb->dev;
>>         master = ACCESS_ONCE(orig_dev->master);
>>         if (skb->deliver_no_wcard)
>>                 null_or_orig = orig_dev;
>>         else if (master) {
>>                 if (skb_bond_should_drop(skb, master)) {
>>                         skb->deliver_no_wcard = 1;
>>                         null_or_orig = orig_dev; /* deliver only exact match */
>>                 } else
>>                         skb->dev = master;
>>         }
>
>The skb_bond_should_drop() and skb->dev = master logic is only applied at a single level.
>
>After this code, skb->dev is the master dev of the receiving dev, but
>skb->dev->master can be != NULL, if another level of bonding
>exists. Nothing obvious would cause the packet to be delivered to this
>possible higher level bonding interface (skb->dev->master).
>
>Is something else expected to call __netif_receive_skb() again, with the
>current skb, to cause another level of bonding to be reachable? For as far
>as I understand, nothing will, but I might have missed something.
>
>> 	I've not tested with nesting in a while; I know it used to work
>> (at least for limited cases, typically an active-backup bond with a pair
>> of balance-xor or balance-rr or sometimes 802.3ad enslaved to it), but
>> has never really been a deliberate feature.  Is nesting now utterly
>> broken, as suggested by the list of problems above?
>
>I don't know whether someone really use nested bonding, but I can hardly
>imagine how one can have it works with current kernel, except for a pure
>egress application, without any feedback from the network. And such very
>specific application wouldn't even be able to receive an ARP reply...
>
>> 	If nesting really doesn't work and is going to be disabled, then
>> at a minimum it should also have an update to the documentation
>> explaining this.
>
>At least, we should explain that nesting bonding interfaces is known to be
>mostly broken and unsupported.
>
>That being said, we still miss a way to achieve a simple configuration
>with several links doing load balancing to a switch and one or several
>links doing fail over to another switch, both switches *not* being 802.3ad
>capable.

	This is a harder problem, but it's something that doesn't work
today (and I suspect hasn't for a long time, so if somebody was using
this, I think there would have been some discussion).

>Should we arrange for bonding to be allowed to nest, for this purpose, or
>should we find a way to setup this configuration with a single level of
>bonding ? I would prefer the second, but...

	I'm not sure that either is necessary; 802.3ad will do this
today, and few current production switches lack 802.3ad support.

	Adding support for etherchannel (i.e., not 802.3ad) gang
failover is nontrivial, because the multiple etherchannel port groups
will have to be managed separately, and most likely assigned manually.
Sure, it'd be nice to have, but I'm not sure if it's a benefit worth the
effort.

	Either way, for now, since I recall you mentioned in another
email that you'd crashed the system from nesting bonds, I don't see a
problem with disallowing nesting and updating the documentation with a
bit of this discussion (e.g., "nesting doesn't work, you're probably
trying to do gang failover, which 802.3ad already does for you").

	-J

---
	-Jay Vosburgh, IBM Linux Technology Center, fubar@...ibm.com
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ