tech-net archive
Re: kern/18035 IFF_SIMPLEX vs bridge(4)
On Tue, Aug 26, 2008 at 05:20:50PM -0400, der Mouse wrote:
> > I'm wondering whether the 's' in ether_shost in the original code is
> > a typo.
> 
> Possibly, but I think probably not.  The effect is "never learn
> multicast addresses", which strikes me as the right thing.

Yes, because such destinations should be splashed to all ports; if we
learn them behind one port that will no longer happen.

> > AFAIK no protocols send ethernet packets with a multicast source
> > address.
> 
> I don't know of any either, but I'm definitely not ready to say there
> are none.

... and regardless we should be defensive against such senders.

> (I can easily imagine some sort of load-balancing setup that
> uses a multicast MAC as if it were an ordinary MAC, for example.)

No need to imagine, I can cite a specific example.  Check Point
firewalls running in a particular active-active load-balancing cluster
mode use exactly this trick.  They use a multicast MAC address for the
unicast IP address of the firewall, and respond to ARP requests
accordingly with that multicast MAC source address.  The intention is
that all cluster members thus get sent copies of all packets, and they
arbitrate amongst themselves as to who will process the packet further
using the usual header-hash-bucket-ownership pattern.  This doesn't
always work (some devices, notably Cisco routers, refuse to learn from
such ARP replies and need to have the ARP entry statically configured)
so there are other cluster modes in the product (with other tradeoffs)
too.

--
Dan.
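The two points made in this message, that a bridge must never learn a
multicast source address because doing so breaks flooding, and that a
cluster answering ARP from a multicast MAC is a real case of such a
sender, are easier to see on a concrete forwarding table. The C below is
an added example written for this archive page; it is not code from the
thread, from NetBSD's bridge(4), or from Check Point. The four-port
bridge, the fixed-size table without ageing, the client and cluster MAC
addresses, the IP addresses, and the learn_group toggle (which switches
on the wrong behaviour for contrast) are all constructed for the
illustration; the ARP reply layout is the standard 28-byte body from RFC
826 without an Ethernet header.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NPORTS     4
#define TABLE_SIZE 16
#define ARP_LEN    28
typedef struct { uint8_t b[6]; } mac_t;
struct fdb_entry { mac_t addr; int port; int valid; };
struct bridge {
    struct fdb_entry fdb[TABLE_SIZE];
    int learn_group;   /* 0 = never learn group sources (the rule under discussion); 1 = buggy variant */
};

/* IEEE 802 group bit: least significant bit of the first octet. */
static int mac_is_group(const mac_t *m) { return m->b[0] & 0x01; }
static int mac_eq(const mac_t *a, const mac_t *b) { return memcmp(a->b, b->b, 6) == 0; }
/* Learn src behind in_port. Returns 1 if the table was updated, 0 if refused or full. */
static int bridge_learn(struct bridge *br, const mac_t *src, int in_port)
{
    int slot = -1;
    if (mac_is_group(src) && !br->learn_group)
        return 0;                      /* a multicast source is never learned */
    for (int i = 0; i < TABLE_SIZE; i++) {
        if (br->fdb[i].valid && mac_eq(&br->fdb[i].addr, src)) {
            br->fdb[i].port = in_port; /* station moved, or another sender used the MAC */
            return 1;
        }
        if (!br->fdb[i].valid && slot < 0)
            slot = i;
    }
    if (slot < 0)
        return 0;                      /* full; this constructed model does not age entries */
    br->fdb[slot] = (struct fdb_entry){ *src, in_port, 1 };
    return 1;
}
static int bridge_lookup(const struct bridge *br, const mac_t *dst)
{
    for (int i = 0; i < TABLE_SIZE; i++)
        if (br->fdb[i].valid && mac_eq(&br->fdb[i].addr, dst))
            return br->fdb[i].port;
    return -1;
}

/* Bitmask of output ports for a frame src -> dst received on in_port. */
static unsigned bridge_forward(struct bridge *br, const mac_t *dst, const mac_t *src, int in_port)
{
    unsigned mask = 0;
    bridge_learn(br, src, in_port);
    /* A group destination is flooded without a lookup; the buggy variant looks it up like any other. */
    int out = (mac_is_group(dst) && !br->learn_group) ? -1 : bridge_lookup(br, dst);
    if (out >= 0)
        return out == in_port ? 0 : 1u << out;
    for (int p = 0; p < NPORTS; p++)
        if (p != in_port)
            mask |= 1u << p;
    return mask;
}

/* Constructed addresses: one client and one multicast MAC that a cluster answers from. */
static const mac_t CLIENT  = {{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}};
static const mac_t CLUSTER = {{0x01, 0x00, 0x5e, 0x0a, 0x0b, 0x0c}};   /* group bit set */

/* Members on ports 1 and 2 each send CLUSTER -> CLIENT; then CLIENT (port 0) sends to CLUSTER.
 * Returns the output port mask for that last frame. */
static unsigned scenario_cluster(int learn_group)
{
    struct bridge br;
    memset(&br, 0, sizeof br);
    br.learn_group = learn_group;
    bridge_forward(&br, &CLIENT, &CLUSTER, 1);
    bridge_forward(&br, &CLIENT, &CLUSTER, 2);
    return bridge_forward(&br, &CLUSTER, &CLIENT, 0);
}
/* Build a 28-byte ARP reply body (no Ethernet header) into pkt. */
static void build_arp_reply(uint8_t *pkt, const mac_t *sha, const uint8_t *sip, const mac_t *tha, const uint8_t *tip)
{
    static const uint8_t hdr[8] = { 0, 1, 8, 0, 6, 4, 0, 2 };  /* Ethernet, IPv4, hln 6, pln 4, op REPLY */
    memcpy(pkt, hdr, 8);
    memcpy(pkt + 8, sha->b, 6);  memcpy(pkt + 14, sip, 4);
    memcpy(pkt + 18, tha->b, 6); memcpy(pkt + 24, tip, 4);
}

/* 1 when a well-formed ARP reply's sender hardware address has the group bit set. */
static int arp_reply_sender_is_group(const uint8_t *pkt, size_t len)
{
    if (len < ARP_LEN || pkt[4] != 6 || pkt[5] != 4 || pkt[6] != 0 || pkt[7] != 2)
        return 0;
    return pkt[8] & 0x01;
}
int main(void)
{
    uint8_t pkt[ARP_LEN];
    const uint8_t vip[4] = { 192, 0, 2, 1 }, cip[4] = { 192, 0, 2, 50 };   /* constructed addresses */
    build_arp_reply(pkt, &CLUSTER, vip, &CLIENT, cip);
    printf("never-learn rule: mask 0x%x; buggy learning: mask 0x%x; ARP sender is group: %d\n",
           scenario_cluster(0), scenario_cluster(1), arp_reply_sender_is_group(pkt, ARP_LEN));
    return 0;
}
```

With the rule the message endorses, scenario_cluster(0) returns 0xe:
the client's frame to the cluster MAC reaches ports 1, 2 and 3, so every
cluster member gets its copy and can run its own arbitration. With
learn_group set, the address is learned behind whichever member spoke
last and scenario_cluster(1) returns 0x4, which is the lost-flooding
effect the reply warns about. arp_reply_sender_is_group() is the check a
conservative ARP implementation would apply before installing an entry
from such a reply; the message notes that some routers refuse exactly
this case and need a static entry instead.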
