From: Arnd Bergmann <arnd@arndb.de>
To: "Fischer, Anna" <anna.fischer@hp.com>
Cc: "evb@yahoogroups.com" <evb@yahoogroups.com>,
"'Stephen Hemminger'" <shemminger@linux-foundation.org>,
"bridge@lists.linux-foundation.org"
<bridge@lists.linux-foundation.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"virtualization@lists.linux-foundation.org"
<virtualization@lists.linux-foundation.org>,
"davem@davemloft.net" <davem@davemloft.net>,
"kaber@trash.net" <kaber@trash.net>,
"adobriyan@gmail.com" <adobriyan@gmail.com>,
"'Or Gerlitz'" <ogerlitz@voltaire.com>,
"Paul Congdon (UC Davis)" <ptcongdon@ucdavis.edu>
Subject: Re: [evb] Re: [PATCH][RFC] net/bridge: add basic VEPA support
Date: Mon, 10 Aug 2009 18:16:08 +0200 [thread overview]
Message-ID: <200908101816.08287.arnd@arndb.de> (raw)
In-Reply-To: <0199E0D51A61344794750DC57738F58E6D6AE99867@GVW1118EXC.americas.hpqcorp.net>
On Monday 10 August 2009, Fischer, Anna wrote:
> On the VEPA filtering service side, the only change we have implemented
> in the bridging code is that in VEPA mode all frames are passed to the
> uplink on TX. However, frames are still passed through the netfilter
> hooks before they go out on the wire. On the inbound path, there are
> no changes to the way frames are processed (except the filtering for
> the original source port), so netfilter hooks work in the same way
> as for a normal bridge.
Ah, interesting. I did not realize that the hooks were still active,
although that obviously makes sense. So that would be another
important difference between our implementations.
> If a frame is reflected back because of a hairpin turn, then of course
> the incoming port is the VEPA uplink port and not the port that
> originally sent the frame. So if you are trying to enforce some
> packet filtering on that inbound path, then you would have to do that
> based on MAC addresses and not on bridge ports. But I would assume that
> you would enforce the filtering already before you send out the frame
> to the adjacent bridge. Apart from that, if you enable your bridge to
> behave in VEPA mode, then you would typically do packet filtering etc
> on the adjacent bridge and not use the netfilter hook. You can still use
> both though, if you like.
Right, that was my point. They bridge in VEPA mode would likely be
configured to be completely ignorant of the data going through it
and not do any filter, and you do all filterring on the adjacent
bridge.
I just wasn't sure that this is possible with ebtables if the
adjacent bridge is a Linux system with the bridge in hairpin turn
mode.
Arnd <><
next prev parent reply other threads:[~2009-08-10 16:16 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-15 17:33 [PATCH][RFC] net/bridge: add basic VEPA support Fischer, Anna
2009-08-07 4:00 ` Stephen Hemminger
2009-08-07 11:29 ` Arnd Bergmann
2009-08-07 19:44 ` [evb] " Paul Congdon (UC Davis)
2009-08-10 15:23 ` Arnd Bergmann
2009-08-10 15:59 ` Fischer, Anna
2009-08-10 16:16 ` Arnd Bergmann [this message]
2009-08-07 18:58 ` Paul Congdon (UC Davis)
2009-08-08 9:49 ` Arnd Bergmann
2009-08-10 13:16 ` Fischer, Anna
2009-08-10 15:06 ` Arnd Bergmann
2009-08-10 15:07 ` Arnd Bergmann
2009-08-11 14:30 ` Fischer, Anna
2009-08-11 14:55 ` Paul Congdon (UC Davis)
2009-08-12 13:19 ` Arnd Bergmann
2009-08-12 14:32 ` Fischer, Anna
2009-08-12 16:27 ` Arnd Bergmann
2009-08-13 22:11 ` Fischer, Anna
2009-08-13 22:24 ` Fischer, Anna
-- strict thread matches above, loose matches on Subject: below --
2009-08-07 20:35 [evb] " Yaron Haviv
2009-08-07 21:00 ` Fischer, Anna
2009-08-08 9:22 ` Arnd Bergmann
2009-08-07 21:06 ` Paul Congdon (UC Davis)
2009-08-07 21:36 ` Stephen Hemminger
2009-08-09 11:19 ` Or Gerlitz
2009-08-10 15:20 ` Stephen Hemminger
2009-08-10 15:28 ` Arnd Bergmann
2009-08-10 16:32 ` Fischer, Anna
2009-08-10 16:51 ` Stephen Hemminger
2009-08-10 19:18 ` Arnd Bergmann
2009-08-27 12:35 ` Or Gerlitz
[not found] ` <0199E0D51A61344794750DC57738F58E6D6A6CD803__29862.6656564467$1249679159$gmane$org@GVW1118EXC.americas.hpqcorp.net>
2009-08-08 8:50 ` Benny Amorsen
2009-08-08 9:44 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200908101816.08287.arnd@arndb.de \
--to=arnd@arndb.de \
--cc=adobriyan@gmail.com \
--cc=anna.fischer@hp.com \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=evb@yahoogroups.com \
--cc=kaber@trash.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=ogerlitz@voltaire.com \
--cc=ptcongdon@ucdavis.edu \
--cc=shemminger@linux-foundation.org \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).