Message-ID: <DB8PR04MB578560774FBE36E6CCDABE02F0CE9@DB8PR04MB5785.eurprd04.prod.outlook.com>
Date:   Thu, 2 Sep 2021 03:14:18 +0000
From:   Xiaoliang Yang <xiaoliang.yang_1@....com>
To:     Vladimir Oltean <vladimir.oltean@....com>,
        "allan.nielsen@...rochip.com" <allan.nielsen@...rochip.com>,
        "joergen.andreasen@...rochip.com" <joergen.andreasen@...rochip.com>
CC:     "davem@...emloft.net" <davem@...emloft.net>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
        "UNGLinuxDriver@...rochip.com" <UNGLinuxDriver@...rochip.com>,
        "vinicius.gomes@...el.com" <vinicius.gomes@...el.com>,
        "michael.chan@...adcom.com" <michael.chan@...adcom.com>,
        "saeedm@...lanox.com" <saeedm@...lanox.com>,
        "jiri@...lanox.com" <jiri@...lanox.com>,
        "idosch@...lanox.com" <idosch@...lanox.com>,
        "alexandre.belloni@...tlin.com" <alexandre.belloni@...tlin.com>,
        "kuba@...nel.org" <kuba@...nel.org>, Po Liu <po.liu@....com>,
        Leo Li <leoyang.li@....com>
Subject: RE: [PATCH v3 net-next 5/8] net: dsa: felix: support psfp filter on
 vsc9959


 
On Tue, Aug 31, 2021 at 18:49:53PM +0300, Vladimir Oltean wrote:
> On Tue, Aug 31, 2021 at 09:59:11AM +0000, Xiaoliang Yang wrote:
> > On Tue, Aug 31, 2021 at 17:18:00PM +0300, Vladimir Oltean wrote:
> > > > > > I think in previous versions you were automatically installing
> > > > > > a static MAC table entry when one was not present (either it
> > > > > > was absent, or the entry was dynamically learned). Why did that
> > > > > > change?
> > > > >
> > > > > > The PSFP gate and police action are set on the ingress port, and
> > > > > > "tc-filter" has no parameter to set the forward port for the
> > > > > > filtered stream. And I also think that adding an FDB MAC entry in
> > > > > > the tc-filter command is not good.
> > > >
> > > > Fair enough, but if that's what you want, we'll need to think a
> > > > lot harder about how this needs to be modeled.
> > > >
> > > > Would you not have to protect against a 'bridge fdb del' erasing
> > > > your MAC table entry after you've set up the TSN stream on it?
> > > >
> > > > Right now, DSA does not even call the driver's .port_fdb_del
> > > > method from atomic context, just from deferred work context. So
> > > > even if you wanted to complain and say "cannot remove FDB entry
> > > > until SFID stops pointing at it", that would not be possible with
> > > > today's code structure.
> > > >
> > > > And what would you do if the bridge wants to delete the FDB entry
> > > > irrevocably, like when the user wants to delete the bridge in its
> > > > entirety? You would still remain with filters in tc which are not
> > > > backed by any MAC table entry.
> > > >
> > > > Hmm..
> > > > Either the TSN standards for PSFP and FRER are meant to be
> > > > implemented within the bridge driver itself, and not as part of
> > > > tc, or the Microchip implementation is very weird for wiring them
> > > > into the bridge MAC table.
> > > >
> > > > Microchip people, any comments?
> > >
> > > In sja1105's implementation of PSFP (which is not standard-compliant
> > > as it is based on TTEthernet, but makes more sense anyway), the
> > > Virtual Links (SFIDs here) are not based on the FDB table, but match
> > > only on the given source port.
> > > They behave much more like ACL entries.
> > > The way I've modeled them in Linux was to force the user to offload
> > > multiple actions for the same tc-filter, both a redirect action and a
> > > police/gate action.
> > > https://www.kernel.org/doc/html/latest/networking/dsa/sja1105.html#time-based-ingress-policing
> > >
> > > I'm not saying this helps you, I'm just saying maybe the Microchip
> > > implementation is strange, but then again, I might be looking the
> > > wrong way at it.
> >
> > Yes, using a redirect action can give the PSFP filter a forward port to
> > add a MAC table entry. But it also has the issue that using "bridge fdb
> > del" to delete the MAC entry will cause the tc-filter rule to stop
> > working.
> 
> We need to define the expected behavior.
> 
> As far as the 802.1Q-2018 spec is concerned, there is no logical dependency
> between the FDB lookup and the PSFP streams. But there seems to be no
> explicit text that forbids it either, though.
> 
> If you install a tc-redirect rule and offload it as a bridge FDB entry, it needs to
> behave like a tc-redirect rule and not a bridge FDB entry.
> So it only needs to match on the intended source port. I don't believe that is
> possible. If it is, let's do that.
> 
> To me, putting PSFP inside the bridge driver is completely outside of the
> question. There is no evidence that it belongs there, and there are switch
> implementations from other vendors where the FDB lookup process is
> completely independent from the Qci stream identification process.
> Anyway, this strategy of combining the two could only work for the NULL
> stream identifiers in the first place (MAC DA + VLAN ID), not for the others (IP
> Stream identification etc etc).
> 
> So what remains, if nothing else is possible, is to require the user to manage
> the bridge FDB entries, and make sure that the kernel side is sane, and does
> not remain with broken data structures. That is going to be a PITA both for the
> user and for the kernel side, because we are going to make the tc-flower filters
> effectively depend upon the bridge state.
> 
> Let's wait for some feedback from Microchip engineers, how they envisioned
> this to be integrated with operating systems.

Yes, since the PSFP hardware module relies on the MAC table, this requires the
user to manage bridge FDB entries to ensure PSFP works. Only set PSFP on the
existing MAC table entries to ensure consistency.

Any comments from Microchip engineers?
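
A userspace model of the consistency rule discussed in this thread, added here as an illustration and not code from the patch or the felix driver: a stream filter binds only to an existing MAC table entry, and deleting an entry fails while a filter still references it. All names (fdb_add, psfp_bind, fdb_del, SFID_NONE, the table layout) are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Hypothetical userspace model: these names are not kernel or driver APIs. */
#define TABLE_SIZE 8
#define SFID_NONE  (-1)
struct mac_entry { bool used; uint8_t mac[6]; uint16_t vid; int sfid; };
static struct mac_entry table[TABLE_SIZE];

static struct mac_entry *fdb_find(const uint8_t *mac, uint16_t vid)
{
	for (int i = 0; i < TABLE_SIZE; i++)
		if (table[i].used && table[i].vid == vid && !memcmp(table[i].mac, mac, 6))
			return &table[i];
	return NULL;
}

int fdb_add(const uint8_t *mac, uint16_t vid)
{
	if (fdb_find(mac, vid)) return -EEXIST;
	for (int i = 0; i < TABLE_SIZE; i++) {
		if (table[i].used) continue;
		table[i] = (struct mac_entry){ .used = true, .vid = vid, .sfid = SFID_NONE };
		memcpy(table[i].mac, mac, 6);
		return 0;
	}
	return -ENOSPC;
}

/* Bind a stream filter to an existing entry; SFID_NONE unbinds it. */
int psfp_bind(const uint8_t *mac, uint16_t vid, int sfid)
{
	struct mac_entry *e = fdb_find(mac, vid);
	if (!e) return -ENOENT;   /* no MAC entry: refuse instead of creating one */
	if (sfid != SFID_NONE && e->sfid != SFID_NONE) return -EBUSY;
	e->sfid = sfid;
	return 0;
}

/* Refuse deletion while a stream filter still points at the entry. */
int fdb_del(const uint8_t *mac, uint16_t vid)
{
	struct mac_entry *e = fdb_find(mac, vid);
	if (!e) return -ENOENT;
	if (e->sfid != SFID_NONE) return -EBUSY;
	e->used = false;
	return 0;
}
```

The delete-side refusal is the behaviour the thread says is not possible with the DSA code structure at the time, because .port_fdb_del is called from deferred work context; the model only shows the invariant both tables would have to keep.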
