| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <87a6uk5apb.fsf@waldekranz.com>
Date: Fri, 11 Dec 2020 21:50:24 +0100
From: Tobias Waldekranz <tobias@...dekranz.com>
To: Vladimir Oltean <olteanv@...il.com>
Cc: davem@...emloft.net, kuba@...nel.org, andrew@...n.ch,
vivien.didelot@...il.com, f.fainelli@...il.com,
j.vosburgh@...il.com, vfalico@...il.com, andy@...yhouse.net,
netdev@...r.kernel.org
Subject: Re: [PATCH v3 net-next 2/4] net: dsa: Link aggregation support
On Tue, Dec 08, 2020 at 13:23, Vladimir Oltean <olteanv@...il.com> wrote:
> Sorry it took so long. I wanted to understand:
> (a) where are the challenged for drivers to uniformly support software
> bridging when they already have code for bridge offloading. I found
> the following issues:
> - We have taggers that unconditionally set skb->offload_fwd_mark = 1,
> which kind of prevents software bridging. I'm not sure what the
> fix for these should be.
I took a closer look at the software fallback mode for LAGs and I've
found three issues that prevent this from working in a bridged setup,
two of which are easy to fix. This is the setup (team0 is _not_
offloaded):
(A) br0
/
team0
/ \
swp0 swp1
1. DSA tries to offload port attributes for standalone ports. So in this
setup, if vlan filtering is enabled on br0, we will enable it in
hardware which on mv88e6xxx causes swp0/1 to drop all packets on
ingress due to a VTU violation. This is a very easy fix, I will
include it in v4.
2. The issue Vladimir mentioned above. This is also a straight forward
fix, I have patch for tag_dsa, making sure that offload_fwd_mark is
never set for ports in standalone mode.
I am not sure if I should solve it like that or if we should just
clear the mark in dsa_switch_rcv if the dp does not have a
bridge_dev. I know both Vladimir and I were leaning towards each
tagger solving it internally. But looking at the code, I get the
feeling that all taggers will end up copying the same block of code
anyway. What do you think?
With these two patches in place, setup (A) works as expected. But if you
extend it to (team0 still not offloaded):
(B) br0
/ \
team0 \
/ \ \
swp0 swp1 swp2
You instantly run into:
3. Only traffic which does _not_ have offload_fwd_mark set is allowed to
pass from swp2 to team0. This is because the bridge uses
dev_get_port_parent_id to figure out which ports belong to the same
switch. This will recurse down through all lowers and find swp0/1
which will answer with the same ID as swp2.
In the case where team0 is offloaded, this is exactly what we want,
but in a setup like (B) they do not have the same "logical" parent in
the sense that br0 is led to believe. I.e. the hardware will never
forward packets between swp0/1 and swp2.
I do not see an obvious solution to this. Refusing to divulge the
parent just because you are a part of a software LAG seems fraught
with danger as there are other users of those APIs. Adding yet
another ndo would theoretically be possible, but not
desirable. Ideas?
As for this series, my intention is to make sure that (A) works as
intended, leaving (B) for another day. Does that seem reasonable?
NOTE: In the offloaded case, (B) will of course also be supported.
Powered by blists - more mailing lists