RE: [PATCH 06/12] staging: dpaa2-ethsw: add ACL entry to redirect STP to CPU

From: Ioana Ciornei
Date: Wed Nov 06 2019 - 08:47:54 EST

Next message: Namhyung Kim: "Re: [PATCHSET cgroup/for-5.5] kernfs,cgroup: support 64bit inos and unify cgroup IDs"
Previous message: Robert Stupp: "Re: mlockall(MCL_CURRENT) blocking infinitely"
In reply to: Andrew Lunn: "Re: [PATCH 06/12] staging: dpaa2-ethsw: add ACL entry to redirect STP to CPU"
Next in thread: Andrew Lunn: "Re: [PATCH 06/12] staging: dpaa2-ethsw: add ACL entry to redirect STP to CPU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Subject: Re: [PATCH 06/12] staging: dpaa2-ethsw: add ACL entry to redirect
> STP to CPU
>
> > The control queues do not form an actual interface in the sense that
> > the CPU does not receive unknown unicast, broadcast and multicast
> > frames by default. For each frame that we want to direct to the CPU
> > we must add an ACL entry.
>
> So this appears to be one of the dumbest switches so far :-(

To be fair, the actual hardware can do much more.
The problem here is that the firmware models the switch in a non-Linux style.

>
> Can you add an ACL which is all L2 broadcast/multicast? That would be a good
> first step.

I can add that but it would not be enough.
For example, unknown unicast would not be matched thus would not reach the CPU.

>
> Does the ACL stop further processing of the frame? Ideally you want the
> switch to also flood broadcast/multicast out other ports, if they are in a
> bridge. If it cannot, you end up with the software bridge doing the flooding.

Yes, the ACL stops any further processing.

>
> So i also assume it does not perform learning on CPU frames? That probably
> means you need to connect up the fdb add/remove calls to add in ACLs. And
> you will need to implement ndo_set_rx_mode. Each unicast and multicast
> address needs to be turned into an ACL. What i don't know is if the network
> stack will automatically add the interfaces own MAC address. You might have
> to handle that special case.
>
> Andrew

Your assumption is true, learning, with the current implementation, is not possible for CPU frames.
In .ndo_start_xmit() we inject directly into the switch port's Tx queues, thus bypassing the entire learning process.

All in all, I do not see a way out just by using the ACL mechanism (because of unknown unicast frames).

I have to talk in detail with the firmware team, but from what I can understand if we make the following changes in firmware it would better fit the Linux framework:
* make the CPU receive unknown unicast, broadcast and multicast frames by default (without any ACLs)
* frames originated on the CPU should not bypass the learning process (it should have its own Tx queues that go through the same learning process)

Thanks,
Ioana

Next message: Namhyung Kim: "Re: [PATCHSET cgroup/for-5.5] kernfs,cgroup: support 64bit inos and unify cgroup IDs"
Previous message: Robert Stupp: "Re: mlockall(MCL_CURRENT) blocking infinitely"
In reply to: Andrew Lunn: "Re: [PATCH 06/12] staging: dpaa2-ethsw: add ACL entry to redirect STP to CPU"
Next in thread: Andrew Lunn: "Re: [PATCH 06/12] staging: dpaa2-ethsw: add ACL entry to redirect STP to CPU"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]