Date:	Fri, 1 Jul 2011 18:40:01 +0200
From:	David Lamparter <equinox@...c24.net>
To:	Stephen Hemminger <shemminger@...ux-foundation.org>
Cc:	David Lamparter <equinox@...c24.net>, netdev@...r.kernel.org,
	Nick Carter <ncarter100@...il.com>
Subject: Re: [PATCH] bridge: revisit IEEE 802 local multicast groups

On Fri, Jul 01, 2011 at 09:26:12AM -0700, Stephen Hemminger wrote:
> On Fri,  1 Jul 2011 13:12:50 +0200
> David Lamparter <equinox@...c24.net> wrote:
> 
> > this first and foremost fixes handling of bonding frames, which were
> > incorrectly forwarded until now. they need to never cross a bridge.
> > 
> > it also introduces a new switch to control handling of the other
> > not-that-special groups; if you want them forwarded despite having
> > STP running, there's a sysfs knob for that. you can implement your
> > local policy with ebtables then.
> > 
> > in the end, we now match hardware switch behaviour rather closely, but
> > still additionally allow playing tricks on things like 802.1X.
> > 
> > Signed-off-by: David Lamparter <equinox@...c24.net>
> > Cc: Stephen Hemminger <shemminger@...ux-foundation.org>
> > Cc: Nick Carter <ncarter100@...il.com>
> 
> Forwarding pause frames is wrong.

None of the patches discussed forwards pause frames.

> I wonder if the best solution for this crap is to just write
> a userland program to do the forwarding.

You can't do that without moving the remaining STP bits to userspace,
since if you want to keep STP in-kernel, you still need some policy.

Also, there is a fundamental conflict between a working bridge and the
desire to work as fully transparent L2 tap. As long as we forward
802.3ad/bonding frames, we are a broken bridge. Yet we still want that
for the tap case.

Plus, we don't need the userspace daemon if we can set the policy with
ebtables - which we can do if and only if we allow stripping down the
built-in restrictions.

I think the variant that I suggested to Michał, with a 3-value knob
"drop it if STP" / "forward except pause/bond" / "forward all" is
the best way to go. It leaves the default usable but allows controlling
everything through ebtables.


-David
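As an added illustration of the three-value knob proposed in the reply above (not code from the patch, the kernel bridge, or the thread's authors): a C model of the per-frame forwarding decision for the IEEE 802 reserved group addresses 01:80:C2:00:00:00..0F. The enum names are assumed, as are the two cases the thread leaves unstated: PAUSE frames are never forwarded under any policy, and "drop it if STP" behaves like "forward except pause/bond" when STP is not running.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* The three knob values proposed in the reply; the names are assumed here
 * and are not the sysfs interface of any actual patch. */
enum group_fwd_policy {
	GROUP_FWD_DROP_IF_STP,       /* "drop it if STP" */
	GROUP_FWD_EXCEPT_PAUSE_BOND, /* "forward except pause/bond" */
	GROUP_FWD_ALL,               /* "forward all" (transparent L2 tap) */
};

/* IEEE 802 reserved group addresses are 01:80:C2:00:00:00 .. 0F. */
static const uint8_t ieee802_group_prefix[5] = { 0x01, 0x80, 0xC2, 0x00, 0x00 };
#define GROUP_PAUSE 0x01 /* 802.3x PAUSE: hop-by-hop flow control */
#define GROUP_LACP  0x02 /* 802.3ad slow protocols: LACP/bonding */

/* True if dst is a reserved group address; stores its low byte in *index. */
bool is_ieee802_local_group(const uint8_t dst[6], uint8_t *index)
{
	if (memcmp(dst, ieee802_group_prefix, sizeof ieee802_group_prefix) != 0 ||
	    dst[5] > 0x0F)
		return false;
	*index = dst[5];
	return true;
}

/* Decide whether the bridge may forward a frame addressed to dst.
 * Assumed beyond the thread: PAUSE is never forwarded under any policy,
 * and DROP_IF_STP behaves like EXCEPT_PAUSE_BOND when STP is not running. */
bool bridge_should_forward(const uint8_t dst[6], enum group_fwd_policy policy, bool stp_enabled)
{
	uint8_t idx;
	if (!is_ieee802_local_group(dst, &idx))
		return true;              /* ordinary frame: normal forwarding */
	if (idx == GROUP_PAUSE)
		return false;             /* flow control is per link, never bridged */
	switch (policy) {
	case GROUP_FWD_DROP_IF_STP:
		if (stp_enabled)
			return false;     /* no group frames cross the bridge under STP */
		/* fall through */
	case GROUP_FWD_EXCEPT_PAUSE_BOND:
		return idx != GROUP_LACP; /* LACP crossing a bridge breaks bonding */
	case GROUP_FWD_ALL:
		return true;              /* tap mode: policy is left to ebtables */
	}
	return false;
}
```

The default policy keeps a bridge from leaking link-local control traffic between segments, while the "forward all" value exists only for the tap use case and expects ebtables to carry the local policy.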
