From: Ido Schimmel <idosch@idosch.org>
To: "Allan W. Nielsen" <allan.nielsen@microchip.com>
Cc: Jiri Pirko <jiri@resnulli.us>, David Miller <davem@davemloft.net>,
andrew@lunn.ch, horatiu.vultur@microchip.com,
alexandre.belloni@bootlin.com, UNGLinuxDriver@microchip.com,
ivecera@redhat.com, f.fainelli@gmail.com, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3 1/2] net: core: Notify on changes to dev->promiscuity.
Date: Sun, 8 Sep 2019 13:15:27 +0300 [thread overview]
Message-ID: <20190908101527.GA20499@splinter> (raw)
In-Reply-To: <20190903081410.zpcdm2dzqrxyg43c@lx-anielsen.microsemi.net>
On Tue, Sep 03, 2019 at 10:14:12AM +0200, Allan W. Nielsen wrote:
> The 09/03/2019 09:13, Ido Schimmel wrote:
> > On Mon, Sep 02, 2019 at 07:42:31PM +0200, Allan W. Nielsen wrote:
> > With these patches applied I assume I will see the following traffic
> > when running tcpdump on one of the netdevs exposed by the ocelot driver:
> >
> > - Ingress: All
> > - Egress: Only locally generated traffic and traffic forwarded by the
> > kernel from interfaces not belonging to the ocelot driver
> >
> > The above means I will not see any offloaded traffic transmitted by the
> > port. Is that correct?
> Correct - but maybe we should change this.
>
> In Ocelot and in LANxxxx (the part we are working on now), we can come pretty
> close. We can get the offloaded TX traffic to the CPU, but it will not be
> re-written (it will look like the ingress frame, which is not always the same as
> the egress frame, vlan tags an others may be re-written).
Yes, this is the same with mlxsw. You can trap the egress frames, but
they will reach the CPU unmodified via the ingress port.
> In some of our chips we can actually do this (not Ocelot, and not the LANxxxx
> part we are working on now) after the frame as been re-written.
Cool.
> > I see that the driver is setting 'offload_fwd_mark' for any traffic trapped
> > from bridged ports, which means the bridge will drop it before it traverses
> > the packet taps on egress.
> Correct.
>
> > Large parts of the discussion revolve around the fact that switch ports
> > are not any different than other ports. Dave wrote "Please stop
> > portraying switches as special in this regard" and Andrew wrote "[The
> > user] just wants tcpdump to work like on their desktop."
> And we are trying to get as close to this as practical possible, knowing that it
> may not be exactly the same.
>
> > But if anything, this discussion proves that switch ports are special in
> > this regard and that tcpdump will not work like on the desktop.
> I think it can come really close. Some drivers may be able to fix the TX issue
> you point out, others may not.
>
> > Beside the fact that I don't agree (but gave up) with the new
> > interpretation of promisc mode, I wonder if we're not asking for trouble
> > with this patchset. Users will see all offloaded traffic on ingress, but
> > none of it on egress. This is in contrast to the sever/desktop, where
> > Linux is much more dominant in comparison to switches (let alone hw
> > accelerated ones) and where all the traffic is visible through tcpdump.
> > I can already see myself having to explain this over and over again to
> > confused users.
> >
> > Now, I understand that showing egress traffic is inherently difficult.
> > It means one of two things:
> >
> > 1. We allow packets to be forwarded by both the software and the
> > hardware
> > 2. We trap all ingressing traffic from all the ports
> If the HW cannot copy the egress traffic to the CPU (which our HW cannot), then
> you need to do both. All ingress traffic needs to go to the CPU, you need to
> make all the forwarding decisions in the CPU, to figure out what traffic happens
> to go to the port you want to monitor.
>
> I really doubt this will work in real life. Too much traffic, and HW may make
> different forwarding decision that the SW (tc rules in HW but not in SW), which
> means that it will not be good for debugging anyway.
I agree.
>
> > Both options can have devastating effects on the network and therefore
> > should not be triggered by a supposedly innocent invocation of tcpdump.
> Agree.
>
> > I again wonder if it would not be wiser to solve this by introducing two
> > new flags to tcpdump for ingress/egress (similar to -Q in/out) capturing
> > of offloaded traffic. The capturing of egress offloaded traffic can be
> > documented with the appropriate warnings.
> Not sure I agree, but I will try to spend some more time considering it.
>
> In the mean while, what TC action was it that Jiri suggestion we should use? The
> trap action is no good, and it prevents the forwarding in silicon, and I'm not
> aware of a "COPY-TO-CPU" action.
I agree. We would either need a new or just extend the existing one with
a new attribute.
> > Anyway, I don't want to hold you up, I merely want to make sure that the
> > above (assuming it's correct) is considered before the patches are
> > applied.
> Sounds good, and thanks for all the time spend on reviewing and asking the
> critical questions.
Thanks for bringing up these issues. I will be happy to review future
patches.
next prev parent reply other threads:[~2019-09-08 10:21 UTC|newest]
Thread overview: 45+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-29 9:22 [PATCH v3 0/2] net: core: Notify on changes to dev->promiscuity Horatiu Vultur
2019-08-29 9:22 ` [PATCH v3 1/2] " Horatiu Vultur
2019-08-29 9:51 ` Jiri Pirko
2019-08-29 10:56 ` Horatiu Vultur
2019-08-29 12:18 ` Jiri Pirko
2019-08-29 12:44 ` Horatiu Vultur
2019-08-29 12:55 ` Ivan Vecera
2019-08-29 13:15 ` Horatiu Vultur
2019-08-29 13:15 ` Andrew Lunn
2019-08-29 13:39 ` Ivan Vecera
2019-08-29 13:26 ` Andrew Lunn
2019-08-29 13:49 ` Jiri Pirko
2019-08-29 14:37 ` Andrew Lunn
2019-08-29 17:57 ` Ido Schimmel
2019-08-29 18:29 ` Andrew Lunn
2019-08-29 19:36 ` Ido Schimmel
2019-08-29 22:12 ` David Miller
2019-08-30 5:39 ` Jiri Pirko
2019-08-30 6:02 ` David Miller
2019-08-30 6:36 ` Jiri Pirko
2019-08-30 6:54 ` Ivan Vecera
2019-08-30 7:13 ` David Miller
2019-08-30 7:12 ` David Miller
2019-08-30 7:21 ` Jiri Pirko
2019-08-30 7:32 ` David Miller
2019-08-30 8:01 ` Jiri Pirko
2019-09-02 17:42 ` Allan W. Nielsen
2019-09-02 17:51 ` Jiri Pirko
2019-09-02 18:05 ` Allan W. Nielsen
2019-09-02 18:45 ` Jiri Pirko
2019-09-03 6:13 ` Ido Schimmel
2019-09-03 8:14 ` Allan W. Nielsen
2019-09-08 10:15 ` Ido Schimmel [this message]
2019-08-30 9:43 ` Ido Schimmel
2019-08-31 19:35 ` Andrew Lunn
2019-08-31 20:47 ` Ido Schimmel
2019-09-01 18:48 ` Andrew Lunn
2019-09-02 17:55 ` Allan W. Nielsen
2019-09-01 6:54 ` Jiri Pirko
2019-08-29 22:10 ` David Miller
2019-08-29 22:08 ` David Miller
2019-08-30 6:13 ` Jiri Pirko
2019-08-30 6:18 ` David Miller
2019-08-30 7:26 ` Ivan Vecera
2019-08-29 9:22 ` [PATCH v3 2/2] net: mscc: Implement promisc mode Horatiu Vultur
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190908101527.GA20499@splinter \
--to=idosch@idosch.org \
--cc=UNGLinuxDriver@microchip.com \
--cc=alexandre.belloni@bootlin.com \
--cc=allan.nielsen@microchip.com \
--cc=andrew@lunn.ch \
--cc=davem@davemloft.net \
--cc=f.fainelli@gmail.com \
--cc=horatiu.vultur@microchip.com \
--cc=ivecera@redhat.com \
--cc=jiri@resnulli.us \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).