| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b78b8659-d89d-4fd4-b922-f3c24b705deb@nbd.name> Date: Thu, 17 Oct 2024 20:39:17 +0200 From: Felix Fietkau <nbd@....name> To: Pablo Neira Ayuso <pablo@...filter.org> Cc: Eric Woudstra <ericwouds@...il.com>, Nikolay Aleksandrov <razor@...ckwall.org>, "David S. Miller" <davem@...emloft.net>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Jozsef Kadlecsik <kadlec@...filter.org>, Roopa Prabhu <roopa@...dia.com>, Matthias Brugger <matthias.bgg@...il.com>, AngeloGioacchino Del Regno <angelogioacchino.delregno@...labora.com>, Jiri Pirko <jiri@...nulli.us>, Sebastian Andrzej Siewior <bigeasy@...utronix.de>, Lorenzo Bianconi <lorenzo@...nel.org>, Frank Wunderlich <frank-w@...lic-files.de>, Daniel Golle <daniel@...rotopia.org>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org, netfilter-devel@...r.kernel.org, coreteam@...filter.org, bridge@...ts.linux.dev, linux-arm-kernel@...ts.infradead.org, linux-mediatek@...ts.infradead.org Subject: Re: [PATCH RFC v1 net-next 00/12] bridge-fastpath and related improvements On 17.10.24 20:09, Pablo Neira Ayuso wrote: > On Thu, Oct 17, 2024 at 07:06:51PM +0200, Felix Fietkau wrote: >> On 17.10.24 14:39, Pablo Neira Ayuso wrote: >> > On Thu, Oct 17, 2024 at 11:17:09AM +0200, Felix Fietkau wrote: >> > [...] >> > > By the way, based on some reports that I received, I do believe that the >> > > existing forwarding fastpath also doesn't handle roaming properly. >> > > I just didn't have the time to properly look into that yet. >> > >> > I think it should work for the existing forwarding fastpath. >> > >> > - If computer roams from different port, packets follow classic path, >> > then new flow entry is created. The flow old entry expires after 30 >> > seconds. >> > - If route is stale, flow entry is also removed. >> > >> > Maybe I am missing another possible scenario? >> >> I'm mainly talking about the scenario where a computer moves to a different >> switch port on L2 only, so all routes remain the same. >> >> I haven't fully analyzed the issue, but I did find a few potential issues >> with what you're describing. >> >> 1. Since one direction remains the same when a computer roams, a new flow >> entry would probably fail to be added because of an existing entry in the >> flow hash table. > > I don't think so, hash includes iifidx. I'm talking about the side where the input ifindex remains the same, but the output interface doesn't. >> 2. Even with that out of the way, the MTK hardware offload currently does >> not support matching the incoming switch/ethernet port. >> So even if we manage to add an updated entry, the old entry could still be >> kept alive by the hardware. > > OK, that means probably driver needs to address the lack of iifidx in > the matching by dealling with more than one single flow entry to point > to one single hardware entry (refcounting?). If we have multiple colliding entries, I think a more reasonable behavior would be allowing the newer flow to override the older one. >> The issues I found probably wouldn't cause connection hangs in pure L3 >> software flow offload, since it will use the bridge device for xmit instead >> of its members. But since hardware offload needs to redirect traffic to >> individual bridge ports, it could cause connection hangs with stale flow >> entries. > > I would not expect a hang, packets will just flow over classic path > for a little while for the computer that is roaming until the new flow > entry is added. If the hardware still handles traffic, but redirects it to the wrong destination port, the connection will hang. - Felix
Powered by blists - more mailing lists