| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190823155734.4d2uihaylfv34nkg@soft-dev3.microsemi.net>
Date: Fri, 23 Aug 2019 17:57:36 +0200
From: Horatiu Vultur <horatiu.vultur@...rochip.com>
To: Andrew Lunn <andrew@...n.ch>
CC: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>,
<roopa@...ulusnetworks.com>, <davem@...emloft.net>,
<UNGLinuxDriver@...rochip.com>, <alexandre.belloni@...tlin.com>,
<allan.nielsen@...rochip.com>, <netdev@...r.kernel.org>,
<linux-kernel@...r.kernel.org>, <bridge@...ts.linux-foundation.org>
Subject: Re: [PATCH 0/3] Add NETIF_F_HW_BRIDGE feature
Hi Andrew
The 08/23/2019 15:25, Andrew Lunn wrote:
> External E-Mail
>
>
> > > > Why do the devices have to be from the same driver ?
> > After seeing yours and Andrews comments I realize that I try to do two
> > things, but I have only explained one of them.
> >
> > Here is what I was trying to do:
> > A. Prevent ports from going into promisc mode, if it is not needed.
>
> The switch definition is promisc is a bit odd. You really need to
> split it into two use cases.
>
> The Linux interface is not a member of a bridge. In this case, promisc
> mode would mean all frames ingressing the port should be forwarded to
> the CPU. Without promisc, you can program the hardware to just accept
> frames with the interfaces MAC address. So this is just the usual
> behaviour of an interface.
Yes, this is well understood.
>
> When the interface is part of the bridge, then you can turn on all the
> learning and not forward frames to the CPU, unless the CPU asks for
> them. But you need to watch out for various flags. By default, you
> should flood to the CPU, unknown destinations to the CPU etc. But some
> of these can be turned off by flags.
>
> > B. Prevent adding the CPU to the flood-mask (in Ocelot we have a
> > flood-mask controlling who should be included when flooding due to
> > destination unknown).
>
> So destination unknown should be flooded to the CPU. The CPU might
> know where to send the frame.
Exactly the CPU should be in the flood mask by default. But if the
network driver knows that CPU will not forward it anywhere else, then it
is safe to remove the CPU from the flood mask. The network driver will
know this by monitoring which interfaces are added to the bridge.
>
> > To solve item "B", the network driver needs to detect if there is a
> > foreign interfaces added to the bridge. If that is the case then to add
> > the CPU port to the flooding mask otherwise no.
>
> It is not just a foreign interface. What about the MAC address on the
> bridge interface?
I think the network driver will get this event and it can install a
entry in the MAC table to copy the frames to the CPU.
>
> > > > This is too specific targeting some devices.
> > Maybe I was wrong to mention specific HW in the commit message. The
> > purpose of the patch was to add an optimization (not to copy all the
> > frames to the CPU) for HW that is capable of learning and flooding the
> > frames.
>
> To some extent, this is also tied to your hardware not learning MAC
> addresses from frames passed from the CPU. You should also consider
> fixing this. The SW bridge does send out notifications when it
> adds/removes MAC addresses to its tables. You probably want to receive
> this modifications, and use them to program your hardware to forward
> frames to the CPU when needed.
Yes we will fix this. We will listen to the notifications and then update
the HW so it would send those frames to CPU.
Maybe intially I should just resend this patch, with the changes that I
mention previously. And after that to send a new patch series with all
these remarks that you mention here Andrew.
>
> Andrew
>
--
/Horatiu
Powered by blists - more mailing lists