| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 02 Mar 2015 09:16:22 -0500 From: Jamal Hadi Salim <jhs@...atatu.com> To: Neil Horman <nhorman@...driver.com>, "Arad, Ronen" <ronen.arad@...el.com> CC: Thomas Graf <tgraf@...g.ch>, "netdev@...r.kernel.org" <netdev@...r.kernel.org>, Simon Horman <simon.horman@...ronome.com>, "Fastabend, John R" <john.r.fastabend@...el.com>, Jiri Pirko <jiri@...nulli.us>, "davem@...emloft.net" <davem@...emloft.net>, "andy@...yhouse.net" <andy@...yhouse.net>, "dborkman@...hat.com" <dborkman@...hat.com>, "ogerlitz@...lanox.com" <ogerlitz@...lanox.com>, "jesse@...ira.com" <jesse@...ira.com>, "jpettit@...ira.com" <jpettit@...ira.com>, "joestringer@...ira.com" <joestringer@...ira.com>, "sfeldma@...il.com" <sfeldma@...il.com>, "f.fainelli@...il.com" <f.fainelli@...il.com>, "roopa@...ulusnetworks.com" <roopa@...ulusnetworks.com>, "linville@...driver.com" <linville@...driver.com>, "shrijeet@...il.com" <shrijeet@...il.com>, "gospo@...ulusnetworks.com" <gospo@...ulusnetworks.com>, "bcrl@...ck.org" <bcrl@...ck.org>, Aviad Raveh <aviadr@...lanox.com>, Matty Kadosh <mattyk@...lanox.com>, sol@...y.com Subject: Re: Flows! Offload them. On 03/01/15 09:05, Neil Horman wrote: > On Sun, Mar 01, 2015 at 09:36:43AM +0000, Arad, Ronen wrote: >> >> Random offloading of flows does not preserve policy in general. >> For example let's consider two flows A.B.C.0/24 and A.B.C.D with the more >> specific rule has higher priority. >> If only the first rule is offloaded to HW, packets matched by the second >> rule will not be processed as expected by the user. >> Deciding which flow could be offloaded is an optimization decision that >> is better handled outside of the kernel. >> > Regarding the description of offload: > Random is I think a improper term here. There is nothing random about flow > offload. There is only the reality of needing to select which rules to offload, > as it is inevitable that hardware dataplane capacity won't/can't match that of > software limits. All we can do is select which of those flows are offloaded. > When dealing with offload in the context of an existing sofware function, the > constraints of selecting which rules those are become fairly clear. For example > with routing: > 1) More specific rules get offloaded first > 2) on overflow, you replace a rule that conforms to a pre-packaged policy (ex. > LRU), and iff it doesn't violate (1) Sounds sane as a starting point. Lets just talk L3 since this applies to any tcam approach (and expense of repeating things already discussed) For hook #2 Dave proposes in other email to just flush everything and do things in s/ware at that point for initial implementation. [Most people would try to aggregate things into a /24 for example to make space for more /32s. And theres all sorts of crazy shit to amortize tcam space that people do] But this brings in another requirement: CCing the Mellanox folks who brought up this issue numerous times. Things tend to "freeze" at that point while the kernel is madly moving things around (as would be the case with Dave's suggested "move all to software"). At netdev01, Aviad was suggesting that the kernel respond first with a netlink message "work in progress" or even lie with "success" if it knows it will accomplish this goal. Ccing Sol who had a different reason for waiting seconds long for things to be inserted into hardware. cheers, jamal -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists