Re: [PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM

2015-07-16 Thread Jason Gunthorpe
On Thu, Jul 16, 2015 at 12:01:55PM +, Liran Liss wrote: > - Name space lookup is done based on BTH.pkey, private_data.IP, and > optionally GRH.DGID (if present, for extra validation) Just changing the pkey to BTH.pkey would be fine by me. Using GRH.DGID if available instead of the primary

RE: [PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM

2015-07-16 Thread Liran Liss
> From: Jason Gunthorpe [mailto:jguntho...@obsidianresearch.com] > > After all, it is the payload that designates the entity that you > > want to establish a connection to, rather than the packet headers, > > which are just meant to relay the packet to the proper CM > > No, that isn't right. The

Re: [PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM

2015-07-15 Thread Jason Gunthorpe
On Wed, Jul 15, 2015 at 08:27:06PM +, Liran Liss wrote: > If you want to restrict a container to a specific set of pkeys, use > cgroups. Ideally yes, but in the absence of a cgroup the set of pkeys assigned to the container via ipoib is a reasonable alternate. > This would apply both to CM MA

RE: [PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM

2015-07-15 Thread Liran Liss
> From: Jason Gunthorpe [mailto:jguntho...@obsidianresearch.com] > > > What is really missing here I guess is a mechanism that would > > enforce containers to only use certain pkeys - perhaps with > > something like an RDMA cgroup. It could force containers to only > > use approved pkeys not on

Re: [PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM

2015-07-15 Thread Jason Gunthorpe
On Wed, Jul 15, 2015 at 01:57:48PM +0300, Haggai Eran wrote: > On 13/07/2015 21:14, Jason Gunthorpe wrote: > > On Mon, Jun 22, 2015 at 03:42:37PM +0300, Haggai Eran wrote: > >> + switch (ib_event->event) { > >> + case IB_CM_REQ_RECEIVED: > >> + req->device = req_param->listen_id->dev

Re: [PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM

2015-07-15 Thread Haggai Eran
On 13/07/2015 21:14, Jason Gunthorpe wrote: > On Mon, Jun 22, 2015 at 03:42:37PM +0300, Haggai Eran wrote: >> +switch (ib_event->event) { >> +case IB_CM_REQ_RECEIVED: >> +req->device = req_param->listen_id->device; >> +req->port = req_param->port; >> +

Re: [PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM

2015-07-13 Thread Jason Gunthorpe
On Mon, Jun 22, 2015 at 03:42:37PM +0300, Haggai Eran wrote: > + switch (ib_event->event) { > + case IB_CM_REQ_RECEIVED: > + req->device = req_param->listen_id->device; > + req->port = req_param->port; > + req->local_gid = &req_param->primary_p

[PATCH v1 08/12] IB/cma: Add net_dev and private data checks to RDMA CM

2015-06-22 Thread Haggai Eran
Instead of relying on the ib_cm module to check an incoming CM request's private data header, add these checks to the RDMA CM module. This allows a following patch to clean up the ib_cm interface and remove the code that looks into the private headers. It will also allow supporting namespaces