| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 28 Feb 2011 21:46:06 -0800 From: Jay Vosburgh <fubar@...ibm.com> To: Andy Gospodarek <andy@...yhouse.net> cc: Nicolas de =?iso-8859-1?Q?Peslo=FCan?= <nicolas.2p.debian@...il.com>, netdev@...r.kernel.org, David Miller <davem@...emloft.net>, Herbert Xu <herbert@...dor.hengli.com.au>, Jiri Pirko <jpirko@...hat.com> Subject: Re: [PATCH net-2.6] bonding: drop frames received with master's source MAC Andy Gospodarek <andy@...yhouse.net> wrote: >On Mon, Feb 28, 2011 at 10:45:08PM +0100, Nicolas de Pesloüan wrote: >> Le 28/02/2011 17:32, Andy Gospodarek a écrit : >>> On Sat, Feb 26, 2011 at 12:08:03AM +0100, Nicolas de Pesloüan wrote: >>>> Le 25/02/2011 23:24, Andy Gospodarek a écrit : >>> [...] >>>>> >>>>> I confirmed your suspicion, this breaks ARP monitoring. I would still >>>>> welcome other opinions though as I think it would be nice to fix this as >>>>> low as possible. >>>> >>>> Why do you want to fix it earlier that in ndisc_recv_ns drop? Your >>>> original idea of silently dropping the frame there seems perfect to me. >>>> >>> >>> Maybe it's just me, but I cannot understand why we want a bunch of extra >>> packets floating up into the stack when they may only create issues for >>> the recipients of these duplicate frames. >>> >>> Clearly my original patch needs to be refined so ARP monitoring still >>> works, but I would rather fix the issue there than in a higher layer. >> >> Jay explained that the current implementation should already trap those >> frames, on inactive slaves, in modes where inactive slaves exist. I agree >> with him. >> >> What mode are you seeing this problem in? If the current "should drop" >> logic is leaking, then yes, we should fix it. But we currently don't see >> where it is leaking. >> > >Use round-robin. To reproduce just take the interface down and bring it >back up. You should see the messages right away. What is the bond connected to? The -rr and -xor modes are meant to interoperate with switch ports configured for Etherchannel (or an equivalent). In that case, I wouldn't expect the switch to turn the broadcasts / multicasts around and send them back out to a member of the channel group they originated from. If the switch isn't configured properly, then I'd expect it to complain about MAC flapping or the like. Unless it's an unmanaged switch that doesn't do Etherchannel (etc), or you're setting up an unusual topology. >I've been doing some more testing on a new patch and should have >something ready tomorrow. My latest patch actually replaces the final >'return 0' with a call to a function that will return true if the sender >was the device that received it. This will hopefully prevent some of >the failures with the first patch I posted. I'll know a bit more >tomorrow if this approach seems reasonable. How do you figure that out? In -rr mode, all of the slaves should have the same MAC address, and the slaves shouldn't be running IPv6 addrconf separately from the master anyway. Something magic just for NA/NS packets? -J --- -Jay Vosburgh, IBM Linux Technology Center, fubar@...ibm.com -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists