Date:	Mon, 03 Mar 2014 07:12:32 -0500
From:	Vlad Yasevich <vyasevic@...hat.com>
To:	Toshiaki Makita <toshiaki.makita1@...il.com>
CC:	Toshiaki Makita <makita.toshiaki@....ntt.co.jp>,
	netdev@...r.kernel.org, bridge@...ts.linux-foundation.org,
	shemminger@...tta.com, mst@...hat.com, jhs@...atatu.com,
	john.r.fastabend@...el.com
Subject: Re: [PATCH 6/7] bridge: Manage promisc mode when vlans are configured on top of a bridge

On 03/01/2014 09:57 AM, Toshiaki Makita wrote:
> On Fri, 2014-02-28 at 14:34 -0500, Vlad Yasevich wrote:
>> On 02/27/2014 08:17 AM, Vlad Yasevich wrote:
>>> On 02/27/2014 07:06 AM, Toshiaki Makita wrote:
>>>> (2014/02/27 0:18), Vlad Yasevich wrote:
>>>>> If the user configures vlan interfaces on top of the bridge and the bridge
>>>>> doesn't have vlan filtering enabled, we have to place all the ports in
>>>>> promisc mode so that we can correctly receive tagged frames.
>>>>> When vlan filtering is enabled, the vlan configuration will be provided
>>>>> via the filtering interface.
>>>>> When the vlan filtering is toggled, we also have to manage promiscuity.
>>>>
>>>> If we disable vlan_filtering and no vlan interface is configured on the
>>>> bridge, we cannot forward any tagged traffic?
>>>
>>> We can't receive tagged traffic, so we turn promisc on.
>>>
>>>> If we want to forward frames from one port to another port (not from/to
>>>> bridge device), we have to add vlan interface or set promisc mode, right?
>>>>
>>>
>>> Hm..  Good point.  This isn't enough to address the scenario that Patch7
>>> tries to solve.  I'll need to think about that.  This is partially why
>>> I split functionality in Patch7 out.  It made things more difficult.
>>>
>>
>> I now understood what you were referring to above a bit better.
>> This patch solves just part of the problem.  The other part is what
>> happens when someone behind the bridge is using vlan tagging without
>> the bridge being aware of it and expects the bridge to forward such traffic.
>> So, if we ever want to disable promiscuous mode on the bridge ports, we
>> either need to depend on vlan filtering being configured in the bridge
>> or have the ability to disable vlan filtering in the driver.
>>
>> Neither is really a good thing.  I'll need to think about this.
> 
> Yes, that is what I was worried about.
> As a bridge has no way to know which vid will be used in an incoming
> frame's vlan tag, we maybe have to call vlan_vid_add() for all vids when
> we disable promiscuous on a port?  If we had an API to simply disable
> vlan filtering of a NIC, it could be better...

That's what I am looking at now.  Some nics appear to handle this better
than others.

-vlad

> 
> Thanks,
> Toshiaki Makita
> 
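The rule stated in the patch description above (vlan devices stacked on a bridge whose vlan_filtering is off force the bridge ports into promiscuous mode, while vlan_filtering on lets the filtering configuration tell the ports which vids to accept) can be audited on a running Linux host. The script below is an added example; it is not code from this thread or from the kernel patch. It assumes the sysfs layout /sys/class/net/<bridge>/bridge/vlan_filtering, /sys/class/net/<bridge>/brif/<port> and /sys/class/net/<dev>/flags with IFF_PROMISC being bit 0x100, and the /proc/net/vlan/config table that the 8021q module exposes (one "name | vid | parent" row per vlan device after two header lines). The helper functions are pure so they can be exercised on constructed input; only audit_bridge touches the live system.

```shell
#!/bin/sh
# Added example (not from the thread or the kernel patch): report whether
# the ports of a Linux bridge are in promiscuous mode and whether the rule
# from the patch description says they need to be.

# is_promisc FLAGS_HEX -> prints yes/no.
# FLAGS_HEX is the content of /sys/class/net/<dev>/flags, e.g. 0x1103.
# IFF_PROMISC is bit 0x100 (assumed constant from the uapi headers).
is_promisc() {
    if [ $(( $1 & 0x100 )) -ne 0 ]; then echo yes; else echo no; fi
}

# count_vlan_uppers BRIDGE -> number of vlan devices whose parent is BRIDGE,
# read from /proc/net/vlan/config on stdin. Rows look like
# "br0.100        | 100  | br0"; the first two lines are headers.
count_vlan_uppers() {
    awk -F'|' -v br="$1" 'NR > 2 { gsub(/[ \t]/, "", $3); if ($3 == br) n++ }
                         END { print n + 0 }'
}

# ports_need_promisc VLAN_FILTERING VLAN_UPPER_COUNT -> yes/no.
# Patch rule: vlan devices on top of the bridge with vlan_filtering=0 mean
# tagged frames can only be received if the ports are promiscuous; with
# vlan_filtering=1 the filtering configuration covers the ports instead.
ports_need_promisc() {
    if [ "$1" -eq 0 ] && [ "$2" -gt 0 ]; then echo yes; else echo no; fi
}

# audit_bridge BRIDGE -> one summary line for the bridge, then one line per
# port with its actual promisc state next to the state the rule implies.
audit_bridge() {
    br=$1
    sys=/sys/class/net/$br
    [ -d "$sys/bridge" ] || { echo "$br: not a bridge" >&2; return 1; }
    vf=$(cat "$sys/bridge/vlan_filtering")
    if [ -r /proc/net/vlan/config ]; then
        uppers=$(count_vlan_uppers "$br" < /proc/net/vlan/config)
    else
        uppers=0   # 8021q not loaded: no vlan devices can exist
    fi
    need=$(ports_need_promisc "$vf" "$uppers")
    echo "$br: vlan_filtering=$vf vlan_uppers=$uppers ports_need_promisc=$need"
    for p in "$sys"/brif/*; do
        [ -e "$p" ] || continue
        port=$(basename "$p")
        flags=$(cat "/sys/class/net/$port/flags")
        echo "  $port flags=$flags promisc=$(is_promisc "$flags") expected=$need"
    done
}

# Usage: sh bridge-promisc-audit.sh br0
if [ -n "$1" ]; then audit_bridge "$1"; fi
```

A port that reports promisc=no while expected=yes is the situation the patch is meant to prevent: tagged frames addressed to a vlan device on the bridge would be dropped by the NIC before the bridge sees them. The audit covers only that case; as the exchange above points out, it says nothing about tagged traffic forwarded between ports that the bridge itself is not aware of, which is the part the participants agree still needs either vlan filtering in the bridge or a way to disable vlan filtering in the driver.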
