Message-ID: <20210206164319.4120ce73@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com>
Date:   Sat, 6 Feb 2021 16:43:19 -0800
From:   Jakub Kicinski <kuba@...nel.org>
To:     Vladimir Oltean <olteanv@...il.com>
Cc:     Florian Fainelli <f.fainelli@...il.com>,
        "David S . Miller" <davem@...emloft.net>, netdev@...r.kernel.org,
        Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>
Subject: Re: [PATCH net-next] net: dsa: allow port mirroring towards foreign interfaces

On Sun, 7 Feb 2021 02:16:17 +0200 Vladimir Oltean wrote:
> On Sat, Feb 06, 2021 at 03:58:57PM -0800, Jakub Kicinski wrote:
> > > For ingress mirroring there should be nothing special about the mirror
> > > packets, it's just more traffic in the ingress data path where the qdisc
> > > hook already exists.  
> > 
> > For ingress the only possible corner case seems to be if the filter has
> > SKIP_SW set, then HW will send to CPU but SW will ignore.  
> 
> Correct, but I'm not sure if this requirement can be enforced at driver
> level though.

True, we'd need to add more info to struct flow_cls_common_offload.

> > That's assuming the frame still comes on the CPU appropriately tagged.  
> 
> For ingress mirroring I think the assumption that it does is reasonable,
> since the packet should be mirrored before the forwarding took place, it
> can only have one DSA tag and that would be the tag where the source
> port is the ingress port.
> For egress mirroring, software would need to see the mirrored packet as
> coming from the egress port, and this would mean that the source port in
> the DSA frame header would have to be equal to the egress port.
> 
> > > For egress mirroring I don't think there's really any way for the mirred
> > > action to take over the packets from what is basically the ingress qdisc
> > > and into the egress qdisc of the DSA interface such that they will be
> > > redirected to the selected mirror. I hadn't even thought about egress
> > > mirroring. I suppose with more API, we could have DSA do introspection
> > > into the frame header, see it's an egress-mirrored packet, and inject it
> > > into the egress qdisc of the net device instead of doing netif_rx.  
> > 
> > IMHO it's not very pretty but FWIW some "SmartNIC" drivers already do
> > a similar thing. But to be clear that's just an optimization, right?
> > The SW should still be able to re-process and come to the same
> > decisions as the switch, provided SKIP_SW was not set?  
> 
> I guess what would need to happen is that we'd need to do something like
> this, from the DSA tagging protocol files:
> 
> 	if (is_egress_mirror(skb)) {
> 		skb_get(skb);
> 		skb_push(skb, ETH_ALEN);
> 		skb = sch_handle_egress(skb, &err, skb->dev);
> 		if (skb)
> 			consume_skb(skb);
> 		return NULL;
> 	}
> 
> basically just run whatever tc filters there might be on that packet (in
> our case mirred), then discard it.
> 
> It's not an optimization thing. Egress mirrored traffic on a DSA switch
> is still ingress traffic from software's perspective, so it won't match
> on any mirred action on any egress qdisc. Only packets sent from the
> network stack would match the mirred egress mirror rule, however there
> might be lots of offloaded flows which don't.
> 
> Or I might just be misunderstanding.

Okay, that makes sense, sounds like we just can't expect the DSA tag 
with ingress port info preserved when frames are trapped at egress.
All depends on HW capabilities then.
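The thread above turns on two points: mirrored traffic is installed with tc mirred, and a mirror filter carrying SKIP_SW is serviced by the switch alone, so a copy trapped to the CPU will not be matched again by the software classifier. The script below is an added example for readers of this archive page; it is not code from the thread, from DSA, or from any driver. It sets up an ingress mirror towards a foreign interface with the flag of your choice, and audits a `tc filter show` dump for hardware-only mirrors. The interface names, the sample dump, and the exact `tc filter show` layout the audit parses are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or the kernel: install an ingress
# mirror from a switch port to a foreign interface with tc mirred, and audit a
# filter dump for the SKIP_SW case discussed in the thread (hardware mirrors
# to the CPU, software never matches the copy). Interface names and the
# `tc filter show` layout parsed below are assumptions.

# Install an ingress mirror on port $1 towards monitor interface $2.
# $3 is the offload flag: "skip_sw" (switch only), "skip_hw" (software only)
# or empty (offload when possible, keep the software path as a fallback).
setup_ingress_mirror() {
    port="$1"; mon="$2"; flag="${3:-}"
    tc qdisc add dev "$port" clsact 2>/dev/null || true
    # $flag is deliberately unquoted so an empty value adds nothing
    tc filter add dev "$port" ingress pref 1 matchall $flag \
        action mirred egress mirror dev "$mon"
}

# Read a `tc filter show dev <port> ingress` dump on stdin. For every
# mirred "Egress Mirror" action under a filter marked skip_sw, print one
# line naming the filter's pref. Returns 1 if any were found, else 0.
audit_skip_sw_mirrors() {
    found=0; pref=""; skipsw=0
    while IFS= read -r line; do
        case "$line" in
            filter*)
                pref=$(printf '%s\n' "$line" | sed -n 's/.*pref \([0-9][0-9]*\).*/\1/p')
                skipsw=0 ;;
            *skip_sw*)
                skipsw=1 ;;
            *"mirred (Egress Mirror"*)
                if [ "$skipsw" -eq 1 ]; then
                    printf 'pref %s: hardware-only mirror, software will not see it as a match\n' "$pref"
                    found=1
                fi ;;
        esac
    done
    return "$found"
}

# Constructed sample dump (assumed layout): pref 1 is offloaded with
# skip_sw, pref 2 is a plain software rule that was not offloaded.
SAMPLE_DUMP='filter protocol all pref 1 matchall chain 0 handle 0x1
  skip_sw
  in_hw in_hw_count 1
        action order 1: mirred (Egress Mirror to device mon0) pipe
filter protocol all pref 2 matchall chain 0 handle 0x1
  not_in_hw
        action order 1: mirred (Egress Mirror to device mon0) pipe'

# Run the audit over the sample dump; prints the offending filter(s) and
# returns the audit's status (1 when a hardware-only mirror exists).
audit_sample() {
    printf '%s\n' "$SAMPLE_DUMP" | audit_skip_sw_mirrors
}

if audit_sample; then
    echo "no hardware-only mirror filters"
else
    echo "review the filters above: SKIP_SW mirrors are invisible to the software classifier"
fi
```

On a live system the audit is fed with `tc filter show dev <port> ingress | audit_skip_sw_mirrors`; `setup_ingress_mirror` needs root and a switch whose driver accepts the mirror offload, so it is not run by the script itself. Leaving the flag empty keeps the software path as a fallback, which is the configuration where the thread's expectation (software can re-process the mirrored copy and reach the same decision as the switch) still holds.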
