[openib-general] Re: [PATCH] CMA and iWARP

Caitlin Bestler caitlinb at broadcom.com
Thu Jan 26 09:20:48 PST 2006


openib-general-bounces at openib.org wrote:
> On Tue, 2006-01-24 at 09:13 -0800, Roland Dreier wrote:
>>     Tom> The intended behavior is to provide "full coordination". For
>>     Tom> the example you give, I would expect that rdma_resolve_addr
>>     Tom> would fail due to a timeout waiting for an ARP reply.
>> 
>> OK, now I'm going off into crazy-land, but I could have a rule that
>> filters on source MAC and ethertype, and lets ARPs but no other
>> packets through. 
>> 
>>  - R.
> 
> Perhaps the netfilter subsystem also needs similar notifier
> hooks?  Then the iwarp CM could be notified of netfilter
> changes and notify providers to go re-examine the rules and
> kill any connections that violate the rules.
> 
> Just thinking out loud...
> 

Yes.

The key point here is that netfilter will only be able to
control the establishment and perhaps the existence of a
connection. By the very nature of offloaded stateful 
connections, netfilter will NOT be able to see individual
packets *within* a connection.

The three fundamental questions are:

	1) How does netfilter approve initiating a connection?
	2) How does netfilter approve accepting a connection?
	3) How does netfilter cause established connections that
		are now contrary to policy to be cancelled? Or does it?

Once there is a preliminary consensus here, we'll have to bounce
that proposal to both netdev and netfilter.



