Message-ID: <20251110112427.bxibfxj7ziyukzfs@skbuf>
Date: Mon, 10 Nov 2025 13:24:27 +0200
From: Vladimir Oltean <olteanv@...il.com>
To: Jonas Gorski <jonas.gorski@...il.com>
Cc: Florian Fainelli <florian.fainelli@...adcom.com>,
	Andrew Lunn <andrew@...n.ch>,
	"David S. Miller" <davem@...emloft.net>,
	Eric Dumazet <edumazet@...gle.com>,
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
	Simon Horman <horms@...nel.org>,
	Álvaro Fernández Rojas <noltari@...il.com>,
	Vivien Didelot <vivien.didelot@...il.com>,
	Florian Fainelli <f.fainelli@...il.com>, netdev@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH net] net: dsa: tag_brcm: do not mark link local traffic
 as offloaded

On Sun, Nov 09, 2025 at 02:46:35PM +0100, Jonas Gorski wrote:
> Broadcom switches locally terminate link local traffic and do not
> forward it, so we should not mark it as offloaded.
> 
> In some situations we still want/need to flood this traffic, e.g. if STP
> is disabled, or it is explicitly enabled via the group_fwd_mask. But if
> the skb is marked as offloaded, the kernel will assume this was already
> done in hardware, and the packets never reach other bridge ports.
> 
> So ensure that link local traffic is never marked as offloaded, so that
> the kernel can forward/flood these packets in software if needed.
> 
> Since the local termination is not configurable, check the destination
> MAC, and never mark packets as offloaded if it is a link local ether
> address.
> 
> While modern switches set the tag reason code to BRCM_EG_RC_PROT_TERM
> for trapped link local traffic, they also set it for link local traffic
> that is flooded (01:80:c2:00:00:10 to 01:80:c2:00:00:2f), so we cannot
> use it and need to look at the destination address for them as well.
> 
> Fixes: 964dbf186eaa ("net: dsa: tag_brcm: add support for legacy tags")
> Fixes: 0e62f543bed0 ("net: dsa: Fix duplicate frames flooded by learning")
> Signed-off-by: Jonas Gorski <jonas.gorski@...il.com>
> ---
> I shortly considered changing dsa_default_offload_fwd_mark(), but
> decided against it because other switches may have a working trap bit,
> and would then do a needless destination mac check.

Yes, exactly. Or they simply don't receive link-local traffic via packet traps.

Reviewed-by: Vladimir Oltean <olteanv@...il.com>
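
The effect described in the quoted commit message, as an added example (a userspace C model, not code from the patch or from the kernel). All function names are hypothetical. It assumes the old tagger marked every received frame, that the bridge wants to flood the frame (STP disabled or allowed by group_fwd_mask), and that both ports sit in the same hardware domain.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IEEE 802.1Q reserved block 01:80:c2:00:00:00 - 01:80:c2:00:00:0f,
 * the range the kernel's is_link_local_ether_addr() matches. */
static bool link_local_dst(const uint8_t dst[6])
{
    static const uint8_t base[5] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };
    return memcmp(dst, base, 5) == 0 && (dst[5] & 0xf0) == 0;
}

/* Tagger decision (model). fixed=false is the assumed old behaviour of
 * marking every frame; fixed=true skips the mark for link-local frames. */
static bool offload_fwd_mark(const uint8_t dst[6], bool fixed)
{
    return fixed ? !link_local_dst(dst) : true;
}

/* Simplified software-bridge egress check: a marked frame is not sent
 * to ports in the hardware domain it arrived from. */
static bool sw_bridge_forwards(bool mark, int src_hwdom, int dst_hwdom)
{
    return !(mark && src_hwdom == dst_hwdom);
}

/* Does the frame reach another port of the same switch? The hardware
 * forwards everything except the locally terminated link-local range;
 * software forwards whatever the egress check lets through. */
static bool frame_delivered(const uint8_t dst[6], bool fixed)
{
    bool hw_forwarded = !link_local_dst(dst);
    bool mark = offload_fwd_mark(dst, fixed);
    return hw_forwarded || sw_bridge_forwards(mark, 1, 1);
}

int main(void)
{
    const uint8_t lldp[6] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x0e };
    printf("old tagger delivers LLDP:   %d\n", frame_delivered(lldp, false));
    printf("fixed tagger delivers LLDP: %d\n", frame_delivered(lldp, true));
    return 0;
}
```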
