lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YzhfDgqjBvhqNUHX@shredder>
Date:   Sat, 1 Oct 2022 18:38:54 +0300
From:   Ido Schimmel <idosch@...dia.com>
To:     Hans Schultz <netdev@...io-technology.com>
Cc:     davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
        Florian Fainelli <f.fainelli@...il.com>,
        Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Vladimir Oltean <olteanv@...il.com>,
        Eric Dumazet <edumazet@...gle.com>,
        Paolo Abeni <pabeni@...hat.com>,
        Kurt Kanzenbach <kurt@...utronix.de>,
        Hauke Mehrtens <hauke@...ke-m.de>,
        Woojung Huh <woojung.huh@...rochip.com>,
        UNGLinuxDriver@...rochip.com, Sean Wang <sean.wang@...iatek.com>,
        Landen Chao <Landen.Chao@...iatek.com>,
        DENG Qingfang <dqfext@...il.com>,
        Matthias Brugger <matthias.bgg@...il.com>,
        Claudiu Manoil <claudiu.manoil@....com>,
        Alexandre Belloni <alexandre.belloni@...tlin.com>,
        Jiri Pirko <jiri@...nulli.us>,
        Ivan Vecera <ivecera@...hat.com>,
        Roopa Prabhu <roopa@...dia.com>,
        Nikolay Aleksandrov <razor@...ckwall.org>,
        Shuah Khan <shuah@...nel.org>,
        Russell King <linux@...linux.org.uk>,
        Christian Marangi <ansuelsmth@...il.com>,
        Daniel Borkmann <daniel@...earbox.net>,
        Yuwei Wang <wangyuweihx@...il.com>,
        Petr Machata <petrm@...dia.com>,
        Florent Fourcot <florent.fourcot@...irst.fr>,
        Hans Schultz <schultz.hans@...il.com>,
        Joachim Wiberg <troglobit@...il.com>,
        Amit Cohen <amcohen@...dia.com>, linux-kernel@...r.kernel.org,
        linux-arm-kernel@...ts.infradead.org,
        linux-mediatek@...ts.infradead.org,
        bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole
 feature

On Thu, Sep 29, 2022 at 05:21:37PM +0200, Hans Schultz wrote:
> Block traffic to a specific host with the command:
> bridge fdb add <MAC> vlan <vid> dev br0 blackhole

Please add an example with regular and JSON output.

> 
> The blackhole FDB entries can be added, deleted and replaced with
> ordinary FDB entries.
> 
> Signed-off-by: Hans Schultz <netdev@...io-technology.com>
> ---
>  bridge/fdb.c                   | 7 ++++++-
>  include/uapi/linux/neighbour.h | 4 ++++
>  man/man8/bridge.8              | 6 ++++++
>  3 files changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index 0fbe9bd3..2160f1c2 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -38,7 +38,7 @@ static void usage(void)
>  	fprintf(stderr,
>  		"Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
>  		"              [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
> -		"              [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
> +		"              [ sticky ] [ local | static | dynamic ] [blackhole] [ vlan VID ]\n"

[ blackhole ]

>  		"              { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
>  		"	       [ via DEV ] [ src_vni VNI ]\n"
>  		"       bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
>  	if (flags & NTF_STICKY)
>  		print_string(PRINT_ANY, NULL, "%s ", "sticky");
>  
> +	if (ext_flags & NTF_EXT_BLACKHOLE)
> +		print_string(PRINT_ANY, NULL, "%s ", "blackhole");
> +
>  	if (ext_flags & NTF_EXT_LOCKED)
>  		print_string(PRINT_ANY, NULL, "%s ", "locked");
>  
> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>  		} else if (matches(*argv, "sticky") == 0) {
>  			req.ndm.ndm_flags |= NTF_STICKY;
> +		} else if (matches(*argv, "blackhole") == 0) {
> +			ext_flags |= NTF_EXT_BLACKHOLE;
>  		} else {
>  			if (strcmp(*argv, "to") == 0)
>  				NEXT_ARG();
> diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
> index 4dda051b..cc7d540e 100644
> --- a/include/uapi/linux/neighbour.h
> +++ b/include/uapi/linux/neighbour.h
> @@ -54,6 +54,7 @@ enum {
>  /* Extended flags under NDA_FLAGS_EXT: */
>  #define NTF_EXT_MANAGED		(1 << 0)
>  #define NTF_EXT_LOCKED		(1 << 1)
> +#define NTF_EXT_BLACKHOLE	(1 << 2)
>  
>  /*
>   *	Neighbor Cache Entry States.
> @@ -91,6 +92,9 @@ enum {
>   * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
>   * locked port feature, that ensures that an entry exists while at the same
>   * time dropping packets on ingress with src MAC and VID matching the entry.
> + *
> + * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed
> + * from any port to the destination MAC, VID pair associated with it.
>   */
>  
>  struct nda_cacheinfo {
> diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
> index 40250477..af2e7db2 100644
> --- a/man/man8/bridge.8
> +++ b/man/man8/bridge.8
> @@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age such an entry.
>  - this entry will not change its port due to learning.
>  .sp

Need to patch the "SYNOPSIS" section as well

>  
> +.B blackhole
> +- this is an entry that denies all forwarding from any port to a destination
> +matching the entry. It can be added by userspace, but the flag is mostly set
> +from a hardware driver.

I'm not sure the last sentence belongs in the man page. We have no way
of knowing if it is true and it can change with time.

How about:

"this entry will silently discard all matching packets. The entry must
be added as a local permanent entry."

> +.sp
> +
>  .in -8
>  The next command line parameters apply only
>  when the specified device
> -- 
> 2.34.1
> 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ