lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Sep 2022 10:15:18 +0300 From: Ido Schimmel <idosch@...dia.com> To: netdev@...io-technology.com Cc: Vladimir Oltean <olteanv@...il.com>, davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org, Florian Fainelli <f.fainelli@...il.com>, Andrew Lunn <andrew@...n.ch>, Vivien Didelot <vivien.didelot@...il.com>, Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Kurt Kanzenbach <kurt@...utronix.de>, Hauke Mehrtens <hauke@...ke-m.de>, Woojung Huh <woojung.huh@...rochip.com>, UNGLinuxDriver@...rochip.com, Sean Wang <sean.wang@...iatek.com>, Landen Chao <Landen.Chao@...iatek.com>, DENG Qingfang <dqfext@...il.com>, Matthias Brugger <matthias.bgg@...il.com>, Claudiu Manoil <claudiu.manoil@....com>, Alexandre Belloni <alexandre.belloni@...tlin.com>, Jiri Pirko <jiri@...nulli.us>, Ivan Vecera <ivecera@...hat.com>, Roopa Prabhu <roopa@...dia.com>, Nikolay Aleksandrov <razor@...ckwall.org>, Shuah Khan <shuah@...nel.org>, Christian Marangi <ansuelsmth@...il.com>, Daniel Borkmann <daniel@...earbox.net>, Yuwei Wang <wangyuweihx@...il.com>, linux-kernel@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, linux-mediatek@...ts.infradead.org, bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org Subject: Re: [PATCH v5 net-next 6/6] selftests: forwarding: add test of MAC-Auth Bypass to locked port tests On Tue, Sep 20, 2022 at 11:29:12PM +0200, netdev@...io-technology.com wrote: > I have made a blackhole selftest, which looks like this: > > test_blackhole_fdb() > { > RET=0 > > check_blackhole_fdb_support || return 0 > > tcpdump_start $h2 > $MZ $h1 -q -t udp -a $h1 -b $h2 I don't think you can give an interface name to '-a' and '-b'? > tcpdump_stop > tcpdump_show | grep -q udp > check_err $? "test_blackhole_fdb: No packet seen on initial" > tcpdump_cleanup > > bridge fdb add `mac_get $h2` dev br0 blackhole > bridge fdb show dev br0 | grep -q "blackhole" Make this grep more specific so that we are sure it is the entry user space installed. Something like this: bridge fdb get `mac_get $h2` br br0 | grep -q blackhole > check_err $? "test_blackhole_fdb: No blackhole FDB entry found" > > tcpdump_start $h2 > $MZ $h1 -q -t udp -a $h1 -b $h2 > tcpdump_stop > tcpdump_show | grep -q udp > check_fail $? "test_blackhole_fdb: packet seen with blackhole fdb > entry" > tcpdump_cleanup The tcpdump filter is not specific enough. It can catch other UDP packets (e.g., multicast) being received by $h2. Anyway, to be sure the feature works as expected we need to make sure that the packets are not even egressing $swp2. Checking that they are not received by $h2 is not enough. See this (untested) suggestion [1] that uses a tc filter on the egress of $swp2. > > bridge fdb del `mac_get $h2` dev br0 blackhole > bridge fdb show dev br0 | grep -q "blackhole" > check_fail $? "test_blackhole_fdb: Blackhole FDB entry not deleted" > > tcpdump_start $h2 > $MZ $h1 -q -t udp -a $h1 -b $h2 > tcpdump_stop > tcpdump_show | grep -q udp > check_err $? "test_blackhole_fdb: No packet seen after removing > blackhole FDB entry" > tcpdump_cleanup > > log_test "Blackhole FDB entry test" > } > > the setup is simple and is the same as in bridge_sticky_fdb.sh. > > Does the test look sound or is there obvious mistakes? [1] blackhole_fdb() { RET=0 tc filter add dev $swp2 egress protocol ip pref 1 handle 1 flower \ dst_ip 192.0.2.2 ip_proto udp dst_port 12345 action pass $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q tc_check_packets "dev $swp2 egress" 1 1 check_err $? "Packet not seen on egress before adding blackhole entry" bridge fdb add `mac_get $h2` dev br0 blackhole bridge fdb get `mac_get $h2` br br0 | grep -q blackhole check_err $? "Blackhole entry not found" $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q tc_check_packets "dev $swp2 egress" 1 1 check_err $? "Packet seen on egress after adding blackhole entry" # Check blackhole entries can be replaced. bridge fdb replace `mac_get $h2` dev $swp2 master static bridge fdb get `mac_get $h2` br br0 | grep -q blackhole check_fail $? "Blackhole entry found after replacement" $MZ $h1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \ -a own -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q tc_check_packets "dev $swp2 egress" 1 2 check_err $? "Packet not seen on egress after replacing blackhole entry" bridge fdb del `mac_get $h2` dev $swp2 master static tc filter del dev $swp2 egress protocol ip pref 1 handle 1 flower log_test "Blackhole FDB entry" }
Powered by blists - more mailing lists