| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 29 Nov 2011 17:19:30 +0000
From: Ben Hutchings <bhutchings@...arflare.com>
To: Greg Rose <gregory.v.rose@...el.com>
CC: Roopa Prabhu <roprabhu@...co.com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"davem@...emloft.net" <davem@...emloft.net>,
"chrisw@...hat.com" <chrisw@...hat.com>,
"sri@...ibm.com" <sri@...ibm.com>,
"dragos.tatulea@...il.com" <dragos.tatulea@...il.com>,
"kvm@...r.kernel.org" <kvm@...r.kernel.org>,
"arnd@...db.de" <arnd@...db.de>, "mst@...hat.com" <mst@...hat.com>,
"mchan@...adcom.com" <mchan@...adcom.com>,
"dwang2@...co.com" <dwang2@...co.com>,
"shemminger@...tta.com" <shemminger@...tta.com>,
"eric.dumazet@...il.com" <eric.dumazet@...il.com>,
"kaber@...sh.net" <kaber@...sh.net>,
"benve@...co.com" <benve@...co.com>
Subject: Re: [net-next-2.6 PATCH 0/6 v4] macvlan: MAC Address filtering
support for passthru mode
On Tue, 2011-11-29 at 16:35 +0000, Ben Hutchings wrote:
> On Mon, 2011-11-21 at 09:41 -0800, Greg Rose wrote:
> > On 11/18/2011 9:40 AM, Ben Hutchings wrote:
> [...]
> > > What concerns me is that this seems to be a workaround rather than a fix
> > > for over-use of promiscuous mode, and it changes the semantics of
> > > filtering modes in ways that haven't been well-specified.
> >
> > I feel the opposite is true. It allows a known set of receive filters
> > so that you don't have to use promiscuous mode, which cuts down on
> > overhead from processing packets the upper layer stack isn't really
> > interested in.
> >
> > >
> > > What if there's a software bridge between two net devices corresponding
> > > to separate physical ports, so that they really need to be promiscuous?
> > > What if the administrator runs tcpdump and really wants the (PF) net
> > > device to be promiscuous?
> >
> > I don't believe there is anything in this patch set that removes
> > promiscuous mode operation as it is commonly used. Perhaps I've missed
> > something.
> [...]
>
> Maybe I missed something!
>
> Let's be clear on what our models are for filtering. At the moment we
> have MAC filters set through ndo_set_rx_mode and VF filters set through
> ndo_set_vf_{mac,vlan}.
>
> Ignoring anti-spoofing for the moment, should the currently defined
> filters look like this (a):
>
> TX ^ | RX
> | v
> +------------------+---+-----------------+
> | | ++------------+ |
> | | |RX MAC filter| |
> | | ++------------+ |
> | | |match |
> | ^ v |
> | | ++------------+ |
> | | |RX VF filters| |
> | | +-------+-----+ |
> | /|\ no /|\ |
> | | | \ match/ | |match 2 |
> | | ^ \ / v | |
> | | | \ /match| |
> | | \ \/ 1/ | |
> | | \ /\ / | |
> | ^ \/ \/ v |
> | | /\ /\ | |
> | | / || \ | |
> | | / || \ | |
> | | / || \ | |
> | || || || |
> +----------------++-----++-----++--------+
> || || ||
> PF VF 1 VF 2
>
> or like this (b):
>
> TX ^ | RX
> | v
> +------------------+---+-----------------+
> | | ++------------+ |
> | | |RX VF filters| |
> | | ++--------+---+ |
> | | no|match /| |
> | ^ v | | |
> | | +-+----+ | | |
> | | |RX MAC| | | |
> | | |filter| | | |
> | | +------+ | | |
> | | |match | | |
> | /|\ | | | |
> | | | \ | match| |match 2 |
> | | ^ \/ 1 v | |
> | | | /\ | | |
> | | \/ \ / | |
> | | /\ \ / | |
> | ^ / \ \/ v |
> | || \ /\ | |
> | || || \ | |
> | || || \ | |
> | || || \ | |
> | || || || |
> +----------------++-----++-----++--------+
> || || ||
> PF VF 1 VF 2
>
> I think the current model is (a); do you agree?
>
> So is the proposed new model something like this (c):
Corrected diagram:
TX ^ | RX
| v
+------------------+---+-----------------+
| | ++------------+ |
| | |RX MAC filter| |
| ^ ++------------+ |
| | |match |
| no match| v |
| +----------------+ ++------------+ |
| |loopback filters| |RX VF filters| |
| +---------+-----++ +-------+-----+ |
| /|\ /|\ match /|\ |
| v | `-+>+-+-.2 / | | |
| \ \ | |m \ \ / | | |
| match 0\ `-+-+.a \ \ / v | |
| \ | | \t \ X / | |
| \ | \ \c X \ / | |
| \| \ \h \ X | |
| \ \/\1 X \ v |
| || /\ |/ \ \ | |
| |v / || \ \| |
| || / ^| \ | |
| ||/ |v || |
| || || || |
+----------------++-----++-----++--------+
|| || ||
PF VF 1 VF 2
> (I've labelled the new filters as loopback filters here, and I'm still
> leaving out anti-spoofing.)
>
> If not, please explain what the new model *is*.
>
> Ben.
>
--
Ben Hutchings, Staff Engineer, Solarflare
Not speaking for my employer; that's the marketing department's job.
They asked us to note that Solarflare product names are trademarked.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists