lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 27 May 2020 02:19:05 +0300
From:   Ido Schimmel <>
To:     Jakub Kicinski <>
Cc:,,,, Ido Schimmel <>
Subject: Re: [PATCH net-next 00/14] mlxsw: Various trap changes - part 2

On Tue, May 26, 2020 at 03:14:37PM -0700, Jakub Kicinski wrote:
> On Tue, 26 May 2020 02:05:42 +0300 Ido Schimmel wrote:
> > From: Ido Schimmel <>
> > 
> > This patch set contains another set of small changes in mlxsw trap
> > configuration. It is the last set before exposing control traps (e.g.,
> > IGMP query, ARP request) via devlink-trap.
> When traps were introduced my understanding was that they are for
> reporting frames which hit an expectation on the datapath. IOW the
> primary use for them was troubleshooting.
> Now, if I'm following things correctly we have explicit DHCP, IGMP,
> ARP, ND, BFD etc. traps. Are we still in the troubleshooting realm?

First of all, we always had them. This patch set mainly performs some
cleanups in mlxsw.

Second, I don't understand how you got the impression that the primary
use of devlink-trap is troubleshooting. I was very clear and transparent
about the scope of the work from the very beginning and I don't wish to
be portrayed as if I wasn't.

The first two paragraphs from the kernel documentation [1] explicitly
mention the ability to trap control packets to the CPU:

"Devices capable of offloading the kernel’s datapath and perform
functions such as bridging and routing must also be able to send
specific packets to the kernel (i.e., the CPU) for processing.

For example, a device acting as a multicast-aware bridge must be able to
send IGMP membership reports to the kernel for processing by the bridge
module. Without processing such packets, the bridge module could never
populate its MDB."

In my reply to you from almost a year ago I outlined the entire plan for
devlink-trap [2]:

"Switch ASICs have dedicated traps for specific packets. Usually, these
packets are control packets (e.g., ARP, BGP) which are required for the
correct functioning of the control plane. You can see this in the SAI
interface, which is an abstraction layer over vendors' SDKs:

We need to be able to configure the hardware policers of these traps and
read their statistics to understand how many packets they dropped. We
currently do not have a way to do any of that and we rely on hardcoded
defaults in the driver which do not fit every use case (from

We plan to extend devlink-trap mechanism to cover all these use cases. I
hope you agree that this functionality belongs in devlink given it is a
device-specific configuration and not a netdev-specific one.

That being said, in its current form, this mechanism is focused on traps
that correlate to packets the device decided to drop as this is very
useful for debugging."

In the last cycle, when I added the ability to configure trap policers
[3] I again mentioned under "Future plans" that I plan to "Add more
packet traps.  For example, for control packets (e.g., IGMP)".

If you worry that packets received via control traps will be somehow
tunneled to user space via drop_monitor, then I can assure you this is
not the case. You can refer to this commit [4] from the next submission.



Powered by blists - more mailing lists