lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 9 Sep 2020 14:52:06 -0700
From:   Alexei Starovoitov <>
To:     Hangbin Liu <>
        Toke Høiland-Jørgensen <>,
        Jiri Benc <>,
        Jesper Dangaard Brouer <>,
        Eelco Chaudron <>,,
        Daniel Borkmann <>,
        Lorenzo Bianconi <>,
        David Ahern <>,
        Andrii Nakryiko <>
Subject: Re: [PATCHv11 bpf-next 2/5] xdp: add a new helper for dev map
 multicast support

On Mon, Sep 07, 2020 at 04:27:21PM +0800, Hangbin Liu wrote:
> This patch is for xdp multicast support. which has been discussed
> before[0], The goal is to be able to implement an OVS-like data plane in
> XDP, i.e., a software switch that can forward XDP frames to multiple ports.
> To achieve this, an application needs to specify a group of interfaces
> to forward a packet to. It is also common to want to exclude one or more
> physical interfaces from the forwarding operation - e.g., to forward a
> packet to all interfaces in the multicast group except the interface it
> arrived on. While this could be done simply by adding more groups, this
> quickly leads to a combinatorial explosion in the number of groups an
> application has to maintain.
> To avoid the combinatorial explosion, we propose to include the ability
> to specify an "exclude group" as part of the forwarding operation. This
> needs to be a group (instead of just a single port index), because a
> physical interface can be part of a logical grouping, such as a bond
> device.
> Thus, the logical forwarding operation becomes a "set difference"
> operation, i.e. "forward to all ports in group A that are not also in
> group B". This series implements such an operation using device maps to
> represent the groups. This means that the XDP program specifies two
> device maps, one containing the list of netdevs to redirect to, and the
> other containing the exclude list.

"set difference" and BPF_F_EXCLUDE_INGRESS makes sense to me as high level api,
but I don't see how program or helper is going to modify the packet
before multicasting it.
Even to implement a basic switch the program would need to modify destination
mac addresses before xmiting it on the device.
In case of XDP_TX the bpf program is doing it manually.
With this api the program is out of the loop.
It can prepare a packet for one target netdev, but sending the same
packet as-is to other netdevs isn't going to to work correctly.
Veth-s and tap-s don't care about mac and the stack will silently accept
packets even with wrong mac.
The same thing may happen with physical netdevs. The driver won't care
that dst mac is wrong. It will xmit it out, but the other side of the wire
will likely drop that packet unless it's promisc.
Properly implemented bridge shouldn't be doing it, but
I really don't see how this api can work in practice to implement real bridge.
What am I missing?

Powered by blists - more mailing lists