| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <cover.1742224300.git.petrm@nvidia.com>
Date: Mon, 17 Mar 2025 18:37:25 +0100
From: Petr Machata <petrm@...dia.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
<pabeni@...hat.com>, Simon Horman <horms@...nel.org>, Andrew Lunn
<andrew+netdev@...n.ch>, <netdev@...r.kernel.org>
CC: Ido Schimmel <idosch@...dia.com>, Petr Machata <petrm@...dia.com>, "Amit
Cohen" <amcohen@...dia.com>, <mlxsw@...dia.com>
Subject: [PATCH net-next 0/6] mlxsw: Add VXLAN to the same hardware domain as physical bridge ports
Amit Cohen writes:
Packets which are trapped to CPU for forwarding in software data path
are handled according to driver marking of skb->offload_{,l3}_fwd_mark.
Packets which are marked as L2-forwarded in hardware, will not be flooded
by the bridge to bridge ports which are in the same hardware domain as the
ingress port.
Currently, mlxsw does not add VXLAN bridge ports to the same hardware
domain as physical bridge ports despite the fact that the device is able
to forward packets to and from VXLAN tunnels in hardware. In some
scenarios this can result in remote VTEPs receiving duplicate packets.
To solve such packets duplication, add VXLAN bridge ports to the same
hardware domain as other bridge ports.
One complication is ARP suppression which requires the local VTEP to avoid
flooding ARP packets to remote VTEPs if the local VTEP is able to reply on
behalf of remote hosts. This is currently implemented by having the device
flood ARP packets in hardware and trapping them during VXLAN encapsulation,
but marking them with skb->offload_fwd_mark=1 so that the bridge will not
re-flood them to physical bridge ports.
The above scheme will break when VXLAN bridge ports are added to the same
hardware domain as physical bridge ports as ARP packets that cannot be
suppressed by the bridge will not be able to egress the VXLAN bridge ports
due to hardware domain filtering. This is solved by trapping ARP packets
when they enter the device and not marking them as being forwarded in
hardware.
Patch set overview:
Patch #1 sets hardware to trap ARP packets at layer 2
Patches #2-#4 are preparations for setting hardwarwe domain of VXLAN
Patch #5 sets hardware domain of VXLAN
Patch #6 extends VXLAN flood test to verify that this set solves the
packets duplication
Amit Cohen (6):
mlxsw: Trap ARP packets at layer 2 instead of layer 3
mlxsw: spectrum: Call mlxsw_sp_bridge_vxlan_{join, leave}() for
VLAN-aware bridge
mlxsw: spectrum_switchdev: Add an internal API for VXLAN leave
mlxsw: spectrum_switchdev: Move mlxsw_sp_bridge_vxlan_join()
mlxsw: Add VXLAN bridge ports to same hardware domain as physical
bridge ports
selftests: vxlan_bridge: Test flood with unresolved FDB entry
.../net/ethernet/mellanox/mlxsw/spectrum.c | 22 ++-----
.../net/ethernet/mellanox/mlxsw/spectrum.h | 4 +-
.../mellanox/mlxsw/spectrum_switchdev.c | 66 +++++++++++++------
.../ethernet/mellanox/mlxsw/spectrum_trap.c | 12 ++--
drivers/net/ethernet/mellanox/mlxsw/trap.h | 5 +-
.../net/forwarding/vxlan_bridge_1d.sh | 8 +++
.../net/forwarding/vxlan_bridge_1q.sh | 15 +++++
7 files changed, 83 insertions(+), 49 deletions(-)
--
2.47.0
Powered by blists - more mailing lists