From: Arnd Bergmann <arnd@arndb.de>
To: "Paul Congdon \(UC Davis\)" <ptcongdon@ucdavis.edu>
Cc: "'Fischer, Anna'" <anna.fischer@hp.com>,
"'Stephen Hemminger'" <shemminger@linux-foundation.org>,
bridge@lists.linux-foundation.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org,
virtualization@lists.linux-foundation.org, evb@yahoogroups.com,
davem@davemloft.net, kaber@trash.net, adobriyan@gmail.com,
"'Eric Biederman'" <ebiederm@xmission.com>
Subject: Re: [PATCH][RFC] net/bridge: add basic VEPA support
Date: Wed, 12 Aug 2009 15:19:36 +0200 [thread overview]
Message-ID: <200908121519.36808.arnd@arndb.de> (raw)
In-Reply-To: <001001ca1a93$b6e50ee0$24af2ca0$@edu>
On Tuesday 11 August 2009, Paul Congdon (UC Davis) wrote:
> > >
> > > The patch from Eric Biederman to allow macvlan to bridge between
> > > its slave ports is at
> > >
> > > http://kerneltrap.org/mailarchive/linux-netdev/2009/3/9/5125774
> >
> > Looking through the discussions here, it does not seem as if a decision
> > was made to integrate those patches, because they would make the
> > macvlan interface behave too much like a bridge.
Right, that question is still open, and dont't see it as very important
right now, as long as we can still use it for VEPA.
> > Also, it seems as if there was still a problem with doing
> > multicast/broadcast delivery when enabling local VM-to-VM
> > communication. Is that solved by now?
Not yet, but I guess it comes as a natural extension when I fix
multicast/broadcast delivery from the reflective relay for VEPA.
The logic that I would use there is:
broadcast from a dowstream port:
if (bridge_mode(source_port)) {
forward_to_upstream(frame);
for_each_downstream(port) {
/* deliver to all bridge ports except self, do
not deliver to any VEPA port. */
if (bridge_mode(port) && port != source_port) {
forward_to_downstream(frame, port);
}
}
} else {
forward_to_upstream(frame);
}
broadcast from the upstream port
if (bridge_mode(frame.source)) {
/* comes from a port in bridge mode, so has already been
delivered to all other bridge ports */
for_each_downstream(port) {
if (!bridge_mode(port)) {
forward_to_downstream(frame, port);
}
}
} else if (vepa_mode(frame.source)) {
/* comes from VEPA port, so need to deliver to all
bridge and all vepa ports except self */
for_each_downstream(port) {
if (port != frame.source)
forward_to_downstream(frame, port);
} else {
/* external source, so flood to everyone */
for_each_downstream(port) {
forward_to_downstream(frame, port);
}
For multicast, we can do the same, or optionally add a per-port filter
as you mentioned, if it becomes a bottleneck.
Do you think this addresses the problem, or did I miss something important?
> Also, is there a solution, or plans for a solution, to address macvtap
> interfaces that are set to 'promiscuous' mode? It would seem fairly easy to
> support this for interfaces that are simply trying to listen to the port
> (e.g. Wireshark).
If you want to use tcpdump or wireshark on all ports simulateously in a pure
VEPA, you can still attach it to the 'lowerdev', e.g. eth0 or eth0.2 (for macvlan
nested in vlan).
If we allow bridge ports, we might want to extend the local delivery
to also go through all the hooks of the external port, so that you can
attach packet sockets there.
> If the port was being used by something like a firewall
> then the VEPA filtering doesn't work too well.
Not sure what you mean. Are you talking about a firewall separating the guests
from the outside, between the VEPA and the reflective relay, or a firewall between
the guests in case of local delivery?
Arnd <><
next prev parent reply other threads:[~2009-08-12 13:20 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-15 17:33 [PATCH][RFC] net/bridge: add basic VEPA support Fischer, Anna
2009-08-07 4:00 ` Stephen Hemminger
2009-08-07 11:29 ` Arnd Bergmann
2009-08-07 19:44 ` [evb] " Paul Congdon (UC Davis)
2009-08-10 15:23 ` Arnd Bergmann
2009-08-10 15:59 ` Fischer, Anna
2009-08-10 16:16 ` Arnd Bergmann
2009-08-07 18:58 ` Paul Congdon (UC Davis)
2009-08-08 9:49 ` Arnd Bergmann
2009-08-10 13:16 ` Fischer, Anna
2009-08-10 15:06 ` Arnd Bergmann
2009-08-10 15:07 ` Arnd Bergmann
2009-08-11 14:30 ` Fischer, Anna
2009-08-11 14:55 ` Paul Congdon (UC Davis)
2009-08-12 13:19 ` Arnd Bergmann [this message]
2009-08-12 14:32 ` Fischer, Anna
2009-08-12 16:27 ` Arnd Bergmann
2009-08-13 22:11 ` Fischer, Anna
2009-08-13 22:24 ` Fischer, Anna
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200908121519.36808.arnd@arndb.de \
--to=arnd@arndb.de \
--cc=adobriyan@gmail.com \
--cc=anna.fischer@hp.com \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=ebiederm@xmission.com \
--cc=evb@yahoogroups.com \
--cc=kaber@trash.net \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=ptcongdon@ucdavis.edu \
--cc=shemminger@linux-foundation.org \
--cc=virtualization@lists.linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).