| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Y0fP+9C0tE7P2xyK@shredder>
Date: Thu, 13 Oct 2022 11:44:43 +0300
From: Ido Schimmel <idosch@...dia.com>
To: Hans Schultz <netdev@...io-technology.com>
Cc: davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
Florian Fainelli <f.fainelli@...il.com>,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Vladimir Oltean <olteanv@...il.com>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Kurt Kanzenbach <kurt@...utronix.de>,
Hauke Mehrtens <hauke@...ke-m.de>,
Woojung Huh <woojung.huh@...rochip.com>,
UNGLinuxDriver@...rochip.com, Sean Wang <sean.wang@...iatek.com>,
Landen Chao <Landen.Chao@...iatek.com>,
DENG Qingfang <dqfext@...il.com>,
Matthias Brugger <matthias.bgg@...il.com>,
Claudiu Manoil <claudiu.manoil@....com>,
Alexandre Belloni <alexandre.belloni@...tlin.com>,
Jiri Pirko <jiri@...nulli.us>,
Ivan Vecera <ivecera@...hat.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Shuah Khan <shuah@...nel.org>,
Russell King <linux@...linux.org.uk>,
Christian Marangi <ansuelsmth@...il.com>,
Daniel Borkmann <daniel@...earbox.net>,
Yuwei Wang <wangyuweihx@...il.com>,
Petr Machata <petrm@...dia.com>,
Florent Fourcot <florent.fourcot@...irst.fr>,
Hans Schultz <schultz.hans@...il.com>,
Joachim Wiberg <troglobit@...il.com>,
Amit Cohen <amcohen@...dia.com>, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
linux-mediatek@...ts.infradead.org,
bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v2 iproute2-next 4/4] bridge: fdb: enable FDB blackhole
feature
On Tue, Oct 04, 2022 at 05:20:36PM +0200, Hans Schultz wrote:
> Block traffic to a specific host with the command:
> bridge fdb add <MAC> vlan <vid> dev br0 blackhole
>
> Blackhole FDB entries can be added, deleted and replaced with
> ordinary FDB entries.
>
> Example with output:
>
> $ bridge fdb add 10:10:10:10:10:10 dev br0 blackhole
> $ bridge -d fdb show dev br0
> 10:10:10:10:10:10 vlan 1 blackhole master br0 permanent
> 10:10:10:10:10:10 blackhole master br0 permanent
> $ bridge -d -j -p fdb show dev br0
> [ {
> "mac": "10:10:10:10:10:10",
> "vlan": 1,
> "flags": [ "blackhole" ],
> "master": "br0",
> "state": "permanent"
> },{
> "mac": "10:10:10:10:10:10",
> "flags": [ "blackhole" ],
> "master": "br0",
> "state": "permanent"
> } ]
>
> Signed-off-by: Hans Schultz <netdev@...io-technology.com>
> ---
> bridge/fdb.c | 13 ++++++++++++-
> man/man8/bridge.8 | 12 ++++++++++++
> 2 files changed, 24 insertions(+), 1 deletion(-)
>
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index f1f0a5bb..1c8c50a8 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -38,7 +38,7 @@ static void usage(void)
> fprintf(stderr,
> "Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
> " [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
> - " [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
> + " [ sticky ] [ local | static | dynamic ] [ blackhole ] [ vlan VID ]\n"
> " { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
> " [ via DEV ] [ src_vni VNI ]\n"
> " bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
> if (flags & NTF_STICKY)
> print_string(PRINT_ANY, NULL, "%s ", "sticky");
>
> + if (ext_flags & NTF_EXT_BLACKHOLE)
> + print_string(PRINT_ANY, NULL, "%s ", "blackhole");
> +
> if (ext_flags & NTF_EXT_LOCKED)
> print_string(PRINT_ANY, NULL, "%s ", "locked");
>
> @@ -421,6 +424,7 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
> char *endptr;
> short vid = -1;
> __u32 nhid = 0;
> + __u32 ext_flags = 0;
>
> while (argc > 0) {
> if (strcmp(*argv, "dev") == 0) {
> @@ -492,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
> req.ndm.ndm_flags |= NTF_EXT_LEARNED;
> } else if (matches(*argv, "sticky") == 0) {
> req.ndm.ndm_flags |= NTF_STICKY;
> + } else if (matches(*argv, "blackhole") == 0) {
> + ext_flags |= NTF_EXT_BLACKHOLE;
The policy seems to be to use strcmp() instead of matches() in new code:
https://lore.kernel.org/netdev/f7251b13-dbf2-f86c-6c2a-2c037b208017@gmail.com/
> } else {
> if (strcmp(*argv, "to") == 0)
> NEXT_ARG();
> @@ -534,6 +540,11 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
> if (dst_ok)
> addattr_l(&req.n, sizeof(req), NDA_DST, &dst.data, dst.bytelen);
>
> + if (ext_flags &&
> + addattr_l(&req.n, sizeof(req), NDA_FLAGS_EXT, &ext_flags,
> + sizeof(ext_flags)) < 0)
addattr32() ?
I will check the kernel patches now. I wouldn't submit a new version to
iproute2-next until the kernel patches are accepted.
> + return -1;
> +
> if (vid >= 0)
> addattr16(&req.n, sizeof(req), NDA_VLAN, vid);
> if (nhid > 0)
> diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
> index f4f1d807..0119a2a9 100644
> --- a/man/man8/bridge.8
> +++ b/man/man8/bridge.8
> @@ -85,6 +85,13 @@ bridge \- show / manipulate bridge addresses and devices
> .B nhid
> .IR NHID " } "
>
> +.ti -8
> +.BR "bridge fdb" " { " add " | " del " } "
> +.I LLADR
> +.B dev
> +.IR BRDEV " [ "
> +.BR self " ] [ " local " ] [ " blackhole " ] "
> +
> .ti -8
> .BR "bridge fdb" " [ [ " show " ] [ "
> .B br
> @@ -701,6 +708,11 @@ controller learnt dynamic entry. Kernel will not age such an entry.
> - this entry will not change its port due to learning.
> .sp
>
> +.B blackhole
> +- this entry will silently discard all matching packets. The entry must
> +be added as a local permanent entry.
> +.sp
> +
> .in -8
> The next command line parameters apply only
> when the specified device
> --
> 2.34.1
>
Powered by blists - more mailing lists