lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 6 Nov 2019 13:47:47 +0000
From:   Ioana Ciornei <ioana.ciornei@....com>
To:     Andrew Lunn <andrew@...n.ch>
CC:     "gregkh@...uxfoundation.org" <gregkh@...uxfoundation.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "f.fainelli@...il.com" <f.fainelli@...il.com>
Subject: RE: [PATCH 06/12] staging: dpaa2-ethsw: add ACL entry to redirect STP
 to CPU

> Subject: Re: [PATCH 06/12] staging: dpaa2-ethsw: add ACL entry to redirect
> STP to CPU
> 
> > The control queues do not form an actual interface in the sense that
> > the CPU does not receive unknown unicast, broadcast and multicast
> > frames by default.  For each frame that we want to direct to the CPU
> > we must add an ACL entry.
> 
> So this appears to be one of the dumbest switches so far :-(

To be fair, the actual hardware can do much more.
The problem here is that the firmware models the switch in a non-Linux style.

> 
> Can you add an ACL which is all L2 broadcast/multicast?  That would be a good
> first step.

I can add that but it would not be enough.
For example, unknown unicast would not be matched thus would not reach the CPU.

> 
> Does the ACL stop further processing of the frame? Ideally you want the
> switch to also flood broadcast/multicast out other ports, if they are in a
> bridge. If it cannot, you end up with the software bridge doing the flooding.

Yes, the ACL stops any further processing. 

> 
> So i also assume it does not perform learning on CPU frames? That probably
> means you need to connect up the fdb add/remove calls to add in ACLs. And
> you will need to implement ndo_set_rx_mode. Each unicast and multicast
> address needs to be turned into an ACL. What i don't know is if the network
> stack will automatically add the interfaces own MAC address. You might have
> to handle that special case.
> 
>     Andrew

Your assumption is true, learning, with the current implementation, is not possible for CPU frames.
In .ndo_start_xmit() we inject directly into the switch port's Tx queues, thus bypassing the entire learning process.

All in all, I do not see a way out just by using the ACL mechanism (because of unknown unicast frames).

I have to talk in detail with the firmware team, but from what I can understand if we make the following changes in firmware it would better fit the Linux framework:
 * make the CPU receive unknown unicast, broadcast and multicast frames by default (without any ACLs)
 * frames originated on the CPU should not bypass the learning process (it should have its own Tx queues that go through the same learning process)

Thanks,
Ioana

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ