| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Jan 2015 23:09:20 -0800 From: "Samudrala, Sridhar" <sridhar.samudrala@...el.com> To: roopa <roopa@...ulusnetworks.com>, Scott Feldman <sfeldma@...il.com> CC: "stephen@...workplumber.org" <stephen@...workplumber.org>, "David S. Miller" <davem@...emloft.net>, Jamal Hadi Salim <jhs@...atatu.com>, Jiří Pírko <jiri@...nulli.us>, "Arad, Ronen" <ronen.arad@...el.com>, Thomas Graf <tgraf@...g.ch>, john fastabend <john.fastabend@...il.com>, "vyasevic@...hat.com" <vyasevic@...hat.com>, Netdev <netdev@...r.kernel.org>, Wilson Kok <wkok@...ulusnetworks.com>, Andy Gospodarek <gospo@...ulusnetworks.com> Subject: Re: [RFC PATCH net-next] bridge: ability to disable forwarding on a port On 1/19/2015 10:20 PM, roopa wrote: > On 1/18/15, 11:37 PM, Scott Feldman wrote: > > <snip..> >> >> Not sure. I don't know the use case, but I think I might have heard that >> there could be a case >> where a switch port could be bridged with a vm's port running on the >> switch. (?) >>> >>> Ignoring the above usecase for a bit. And thinking through this >>> again, It >>> appears that this check should >>> be only on the ingress port, no ? >>> >>> If the ingress bridge port is an offloaded port, don't flood or forward >>> because hardware has already done it. >>> And this is best done with the offload feature flag on the bridge port. >> That's assuming hardware did the flood. Maybe your other option to >> mark the skb if already flooded by hw is best. That's enough info for >> the bridge driver to make a decision to flood or not to the other >> ports, and it's an implementation decision for the driver/device to do >> the flood offload, if desired, and mark the skb if it did. > > Still thinking we can just use the offload feature flag here. How > about avoid forwarding only if both src and dst ports have > forwarding offloaded/accelerated by a switch asic ?. That should > cover all cases. >> >> Btw, you're still saying flood or forward, but in my mind we're >> talking about flood only: flood of unknown unicast or flood of >> bcast/mcast pkts. Forwarding would be for known-unicast pkts, which >> should even involve the bridge driver since that forwarding is >> offloaded to the device. > > I was also taking into account pkts copied to the CPU due to an acl > rule such as log. > These unicast pkts can come to cpu even if it is already forwarded in hw. Do you have a switch port netdev that corresponds to CPU port? Or are they seen on the bridge device? Thanks Sridhar -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists