[openib-general] Re: [PATCH] CMA and iWARP
Caitlin Bestler
caitlinb at broadcom.com
Thu Jan 26 09:20:48 PST 2006
openib-general-bounces at openib.org wrote:
> On Tue, 2006-01-24 at 09:13 -0800, Roland Dreier wrote:
>> Tom> The intended behavior is to provide "full coordination". For
>> Tom> the example you give, I would expect that rdma_resolve_addr
>> Tom> would fail due to a timeout waiting for an ARP reply.
>>
>> OK, now I'm going off into crazy-land, but I could have a rule that
>> filters on source MAC and ethertype, and lets ARPs but no other
>> packets through.
>>
>> - R.
>
> Perhaps the netfilter subsystem also needs similar notifier
> hooks? Then the iwarp CM could be notified of netfilter
> changes and notify providers to go re-examine the rules and
> kill any connections that violate the rules.
>
> Just thinking out loud...
>
Yes.

The key point here is that netfilter will only be able to
control the establishment and perhaps the existence of a
connection. By the very nature of offloaded stateful
connections, netfilter will NOT be able to see individual
packets *within* a connection.

The three fundamental questions are:

1) How does netfilter approve initiating a connection?
2) How does netfilter approve accepting a connection?
3) How does netfilter cause established connections that
   are now contrary to policy to be cancelled? Or does it?

Once there is a preliminary consensus here, we'll have to bounce
that proposal to both netdev and netfilter.