lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <8735wno2sy.fsf@waldekranz.com>
Date:   Mon, 22 Mar 2021 12:17:33 +0100
From:   Tobias Waldekranz <tobias@...dekranz.com>
To:     Vladimir Oltean <olteanv@...il.com>,
        Jakub Kicinski <kuba@...nel.org>,
        "David S. Miller" <davem@...emloft.net>
Cc:     Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        Roopa Prabhu <roopa@...dia.com>,
        Nikolay Aleksandrov <nikolay@...dia.com>,
        Jiri Pirko <jiri@...nulli.us>,
        Ido Schimmel <idosch@...sch.org>,
        Alexandre Belloni <alexandre.belloni@...tlin.com>,
        UNGLinuxDriver@...rochip.com, Vadym Kochan <vkochan@...vell.com>,
        Taras Chornyi <tchornyi@...vell.com>,
        Grygorii Strashko <grygorii.strashko@...com>,
        Vignesh Raghavendra <vigneshr@...com>,
        Ioana Ciornei <ioana.ciornei@....com>,
        Ivan Vecera <ivecera@...hat.com>, linux-omap@...r.kernel.org,
        Vladimir Oltean <vladimir.oltean@....com>
Subject: Re: [RFC PATCH v2 net-next 06/16] net: dsa: sync multicast router state when joining the bridge

On Fri, Mar 19, 2021 at 01:18, Vladimir Oltean <olteanv@...il.com> wrote:
> From: Vladimir Oltean <vladimir.oltean@....com>
>
> Make sure that the multicast router setting of the bridge is picked up
> correctly by DSA when joining, regardless of whether there are
> sandwiched interfaces or not. The SWITCHDEV_ATTR_ID_BRIDGE_MROUTER port
> attribute is only emitted from br_mc_router_state_change.
>
> Signed-off-by: Vladimir Oltean <vladimir.oltean@....com>
> ---
>  net/dsa/port.c | 10 ++++++++++
>  1 file changed, 10 insertions(+)
>
> diff --git a/net/dsa/port.c b/net/dsa/port.c
> index ac1afe182c3b..8380509ee47c 100644
> --- a/net/dsa/port.c
> +++ b/net/dsa/port.c
> @@ -189,6 +189,10 @@ static int dsa_port_switchdev_sync(struct dsa_port *dp,
>  	if (err && err != -EOPNOTSUPP)
>  		return err;
>  
> +	err = dsa_port_mrouter(dp->cpu_dp, br_multicast_router(br), extack);
> +	if (err && err != -EOPNOTSUPP)
> +		return err;
> +
>  	return 0;
>  }
>  
> @@ -212,6 +216,12 @@ static void dsa_port_switchdev_unsync(struct dsa_port *dp)
>  	dsa_port_set_state_now(dp, BR_STATE_FORWARDING);
>  
>  	/* VLAN filtering is handled by dsa_switch_bridge_leave */
> +
> +	/* Some drivers treat the notification for having a local multicast
> +	 * router by allowing multicast to be flooded to the CPU, so we should
> +	 * allow this in standalone mode too.
> +	 */
> +	dsa_port_mrouter(dp->cpu_dp, true, NULL);

Is this really for the DSA layer to decide? The driver has already been
notified that at least one port is now in standalone mode. So if that
particular driver then requires all multicast to be flooded towards the
CPU, it can make that decision on its own.

E.g. say that you implement standalone mode using a matchall TCAM rule
that maps all frames coming in on a particular port to the CPU. You
could still leave flooding of unknown multicast off in that case. Now
that driver has to figure out if the notification about a multicast
router on the CPU is a real router, or the DSA layer telling it
something that it can safely ignore.

Today I think that most (all?) DSA drivers treats mrouter in the same
way as the multicast flooding bridge flag. But AFAIK, the semantic
meaning of the setting is "flood IP multicast to this port because there
is a router behind it somewhere". This means unknown _IP_ multicast, but
also all known (IGMP/MLD) groups. As most smaller devices cannot
separate IP multicast from the non-IP variety, we flood everything. But
we should also make sure that the port in question receives all known
groups for the _bridge_ in question. Because this is really a bridge
setting, though that information is not carried over to the driver
today. So reusing it in this way feels like it could be problematic down
the road.

>  }
>  
>  int dsa_port_bridge_join(struct dsa_port *dp, struct net_device *br,
> -- 
> 2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ