| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Feb 2015 17:31:25 +0000 From: "Rose, Gregory V" <gregory.v.rose@...el.com> To: Or Gerlitz <gerlitz.or@...il.com>, "Kirsher, Jeffrey T" <jeffrey.t.kirsher@...el.com> CC: David Miller <davem@...emloft.net>, Linux Netdev List <netdev@...r.kernel.org>, "nhorman@...hat.com" <nhorman@...hat.com>, "sassmann@...hat.com" <sassmann@...hat.com>, "jogreene@...hat.com" <jogreene@...hat.com> Subject: RE: [net-next 13/16] i40e: Fix i40e_ndo_set_vf_spoofchk > -----Original Message----- > From: Or Gerlitz [mailto:gerlitz.or@...il.com] > Sent: Monday, February 23, 2015 9:18 AM > To: Kirsher, Jeffrey T > Cc: David Miller; Rose, Gregory V; Linux Netdev List; nhorman@...hat.com; > sassmann@...hat.com; jogreene@...hat.com > Subject: Re: [net-next 13/16] i40e: Fix i40e_ndo_set_vf_spoofchk > > On Mon, Feb 23, 2015 at 5:25 AM, Jeff Kirsher > <jeffrey.t.kirsher@...el.com> wrote: > > From: Greg Rose <gregory.v.rose@...el.com> > > > > The netdev op that allows the operator to turn MAC/VLAN spoof checking > > on and off did not include the flag for VLAN spoof checking. This > > patch fixes that problem. > > If we're on VST mode, the VF isn't aware their traffic is tagged with > vlan-id Y and if they try to send with vlan-id X I assume you are forcing > it to be Y, right? No, it is dropped and a malicious driver event is registered to the PF driver. > > If we're on VGT mode, what spoof check you can do? we don't have a model > for allowed vlans, did I miss something? This only applies in instances where the administrator has not set a VLAN id for the VF via the 'ip' utility. In that case, our rule is to allow the VF driver to set its own VLAN filters if it so wishes. This is a long standing rule for Intel VF drivers. So, with VLAN spoof checking turned on the VF will only be able to send VLAN tagged traffic where the VLAN filter is set in the HW. This allows the PF driver to continue to monitor and restrict what VLAN tagged traffic is allowed by the VF if it so desires. The Linux driver does not actually do this but it would be easy to use some common reporting tools to see what VLAN filters are in use by the VF and then take actions desired by the system administrator. Keeping a rule in place that the VF can only send on VLANs that are registered in the HW filters controlled by the PF increase security. Thanks, - Greg
Powered by blists - more mailing lists