Re: [PATCH net-next] net: dsa: allow port mirroring towards foreign interfaces

From: Jakub Kicinski <kuba@kernel.org>
To: Vladimir Oltean <olteanv@gmail.com>
Cc: Florian Fainelli <f.fainelli@gmail.com>,
	"David S . Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org, Andrew Lunn <andrew@lunn.ch>,
	Vivien Didelot <vivien.didelot@gmail.com>
Subject: Re: [PATCH net-next] net: dsa: allow port mirroring towards foreign interfaces
Date: Sat, 6 Feb 2021 15:58:57 -0800	[thread overview]
Message-ID: <20210206155857.1d983d1f@kicinski-fedora-pc1c0hjn.dhcp.thefacebook.com> (raw)
In-Reply-To: <20210205230521.s2eb2alw5pkqqafv@skbuf>

On Sat, 6 Feb 2021 01:05:21 +0200 Vladimir Oltean wrote:
> On Fri, Feb 05, 2021 at 02:42:55PM -0800, Florian Fainelli wrote:
> > How does the mirred action deal with that case? How does it know that
> > packets delivered to the DSA master should be sent towards a foreign
> > address, do I need to set-up two mirred rules? One that set-ups the
> > filter on say sw0p0 to redirect egress to eth0 (DSA master) and another
> > one to ingress filter on eth0 and egress mirror to eth1 (USB ethernet
> > dongle)?  
> 
> [ I should have posted this as RFC, somebody asked me if it's possible,
>   I only tested ingress mirroring, saw something come out, and posted this.
>   I didn't even study act_mirred.c to see why I got anything at all ]

Let me mark it as RFC, then :)

> For ingress mirroring there should be nothing special about the mirror
> packets, it's just more traffic in the ingress data path where the qdisc
> hook already exists.

For ingress the only possible corner case seems to be if the filter has
SKIP_SW set, then HW will send to CPU but SW will ignore.

That's assuming the frame still comes on the CPU appropriately tagged.

> For egress mirroring I don't think there's really any way for the mirred
> action to take over the packets from what is basically the ingress qdisc
> and into the egress qdisc of the DSA interface such that they will be
> redirected to the selected mirror. I hadn't even thought about egress
> mirroring. I suppose with more API, we could have DSA do introspection
> into the frame header, see it's an egress-mirrored packet, and inject it
> into the egress qdisc of the net device instead of doing netif_rx.

IMHO it's not very pretty but FWIW some "SmartNIC" drivers already do
a similar thing. But to be clear that's just an optimization, right?
The SW should still be able to re-process and come to the same
decisions as the switch, provided SKIP_SW was not set?

> The idea with 2 mirrors might work however it's not amazing and I was
> thinking that if we bother to do something at all, we could as well try
> to think it through and come up with something that's seamless for the
> user.