Date:	Fri, 1 Jul 2011 22:10:38 +0100
From:	Nick Carter <ncarter100@...il.com>
To:	Michał Mirosław <mirqus@...il.com>
Cc:	David Lamparter <equinox@...c24.net>,
	Stephen Hemminger <shemminger@...ux-foundation.org>,
	netdev@...r.kernel.org, davem@...emloft.net
Subject: Re: bridge vs. bonding/pause frames (was: Forward EAPOL...)

2011/7/1 Michał Mirosław <mirqus@...il.com>:
> On 1 July 2011 at 17:16, David Lamparter
> <equinox@...c24.net> wrote:
>> On Fri, Jul 01, 2011 at 04:58:56PM +0200, Michał Mirosław wrote:
>> [...]
>>> > We _MUST_NOT_ pass bonding frames in any case, but we
>>> > currently do that if STP is off. (cf. my earlier patch 1/2)
>>>
>>> If you use a Linux box as an (invisible) L2 network tap, then you want to
>>> pass everything in the hub mode (including LACP/whatever).
>>
>> We must not do that by default, this breaks bridges with bonding devices
>> as ports. I'm actively band-aiding that problem with ebtables on one of
>> my boxes currently.
>>
>> How about I change "stp_forward_802local" to "forward_802local" and it
>> gets 3 values like:
>> - 0 (default) behave like a switch, if STP is on then drop all 16
>>  groups, if STP is off then drop :01 and :02
>> - 1 forward regular groups - drop :01 and :02, forward everything else
>> - 2 forward everything ("invisible tap mode")
>> optional:
>> - -1 drop all 16 groups even if STP is off (not needed, can be done with
>>  ebtables...)
>>
>> btw, since the drivers should eat up pause frames, you're not a fully
>> invisible L2 tap anyway.
>
> If -1 can be done with ebtables what is different for 0 and 1 cases?
>
> Another idea: you could make this a 16-bit bitmap (bit per group) x2
> (STP vs non-STP) - that would cover all uses with the same amount of
> code.
That is exactly what I thought yesterday and I wrote and tested the
code today :)

+++ b/net/bridge/br_input.c
@@ -166,6 +166,9 @@ struct sk_buff *br_handle_frame(struct sk_buff *skb)
 		if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
 			goto forward;

+		if (p->br->group_fwd_mask & (1 << dest[5]))
+			goto forward;

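Review bot: the new mask check in br_handle_frame() lets any of the 16 group addresses be forwarded, including 01-80-C2-00-00-01 (MAC control/pause) and 01-80-C2-00-00-02 (LACP), which this thread says must never be forwarded because it breaks bridges with bonding ports; either mask bits 1 and 2 out here (`if ((p->br->group_fwd_mask & ~0x0006) & (1u << dest[5]))`) or reject them wherever the mask is written from userspace. The check also runs with STP enabled, so bit 0 would forward BPDUs instead of leaving them to the STP code; the preceding `stp_enabled == BR_NO_STP && dest[5] == 0` line already covers the STP-off case, so bit 0 should be ignored here. Lastly, `1 << dest[5]` only stays within the u16 because dest[5] is limited to 0x00..0x0F in this branch; a one-line comment stating that precondition, and `1u` to avoid a signed shift, would help.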
+++ b/net/bridge/br_private.h
@@ -244,6 +244,13 @@ struct net_bridge
 	struct timer_list		multicast_query_timer;
 #endif

+	/* Each bit used to match the LSB of the IEEE 802.1D group address
+	 * 01-80-C2-00-00-00 bit 0
+	 * ..
+	 * 01-80-C2-00-00-0F bit 15
+	 */
+	u16				group_fwd_mask;
+

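Review bot: the comment on group_fwd_mask gives the bit layout but neither the default nor the legal values: state that 0 keeps the existing switch behaviour and that bits 1 and 2 (MAC control and LACP) are not meant to be set, so whoever writes the sysfs side (not shown in this hunk) knows the field's contract. "LSB of the IEEE 802.1D group address" should read "least significant octet" (dest[5]) to match what the code keys on.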
I will post the full diffs to netdev now.  With this 'knob' users can
have any behaviour they require.
Nick

>
> Best Regards,
> Michał Mirosław
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
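The following is an added example for this thread, not code from the posted patch or from the kernel: a userspace model of the br_handle_frame() decision with the proposed group_fwd_mask, plus the mask values that David Lamparter's 0/1/2 knob would correspond to, and a sanitize step that keeps pause, LACP and BPDU frames out of the forwarded set. The address meanings are the IEEE 802.1D Table 7-10 assignments; the mode-to-mask mapping, the BR_GROUPFWD_RESTRICTED constant and the sanitize_mask() helper are assumptions made here for illustration.

```c
/* Added example (not from the posted patch or the kernel): model the
 * br_handle_frame() checks with the proposed group_fwd_mask bitmap.
 * Address meanings follow IEEE 802.1D Table 7-10; mode_to_mask(),
 * BR_GROUPFWD_RESTRICTED and sanitize_mask() are assumptions here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BR_NO_STP     0
#define BR_KERNEL_STP 1

/* Reserved group MAC prefix 01-80-C2-00-00-0X; only the last octet varies. */
static const uint8_t br_group_prefix[5] = { 0x01, 0x80, 0xC2, 0x00, 0x00 };

/* Constructed test addresses (IEEE 802.1D Table 7-10 assignments). */
static const uint8_t mac_bpdu[6]  = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x00 }; /* STP BPDU */
static const uint8_t mac_pause[6] = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x01 }; /* MAC control */
static const uint8_t mac_lacp[6]  = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x02 }; /* slow protocols */
static const uint8_t mac_eapol[6] = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x03 }; /* 802.1X PAE */
static const uint8_t mac_lldp[6]  = { 0x01, 0x80, 0xC2, 0x00, 0x00, 0x0E }; /* 802.1AB LLDP */

enum verdict { LOCAL = 0, FORWARD = 1 }; /* LOCAL: not bridged, left to STP/local input */

static bool is_link_local(const uint8_t *dest)
{
	return memcmp(dest, br_group_prefix, 5) == 0 && (dest[5] & 0xF0) == 0;
}

/* Mirrors the two checks in the posted hunk. dest[5] is 0x00..0x0F once
 * is_link_local() passed, so every shift lands inside the 16-bit mask. */
static enum verdict br_decide(const uint8_t *dest, int stp_enabled, uint16_t group_fwd_mask)
{
	if (!is_link_local(dest))
		return FORWARD;                 /* ordinary frame: normal bridging */
	if (stp_enabled == BR_NO_STP && dest[5] == 0)
		return FORWARD;                 /* existing rule: pass BPDUs when STP is off */
	if (group_fwd_mask & (1u << dest[5]))
		return FORWARD;                 /* new rule: per-group opt-in */
	return LOCAL;
}

/* Assumed restriction: :01 (pause) and :02 (LACP) must never be forwarded
 * per the thread; bit 0 is kept clear so BPDUs stay with STP when enabled. */
#define BR_GROUPFWD_RESTRICTED 0x0007u

static uint16_t sanitize_mask(uint16_t mask)
{
	return mask & (uint16_t)~BR_GROUPFWD_RESTRICTED;
}

/* David's proposed knob values expressed as masks (assumed mapping). */
static uint16_t mode_to_mask(int mode)
{
	switch (mode) {
	case 1:  return 0xFFF8;    /* forward :03..:0F, drop :00 :01 :02 */
	case 2:  return 0xFFFF;    /* invisible tap: forward everything */
	default: return 0x0000;    /* 0: behave like a switch */
	}
}

int main(void)
{
	const struct { const char *name; const uint8_t *mac; } frames[] = {
		{ "BPDU", mac_bpdu }, { "pause", mac_pause }, { "LACP", mac_lacp },
		{ "EAPOL", mac_eapol }, { "LLDP", mac_lldp },
	};
	for (int mode = 0; mode <= 2; mode++) {
		uint16_t raw = mode_to_mask(mode), safe = sanitize_mask(raw);
		printf("mode %d: mask 0x%04x (sanitized 0x%04x)\n", mode, raw, safe);
		for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
			printf("  %-5s raw=%s sanitized=%s\n", frames[i].name,
			       br_decide(frames[i].mac, BR_KERNEL_STP, raw) ? "forward" : "local",
			       br_decide(frames[i].mac, BR_KERNEL_STP, safe) ? "forward" : "local");
	}
	return 0;
}
```

Running the model with mode 2 shows the point raised in the thread: the raw mask forwards pause and LACP frames along with EAPOL and LLDP, while the sanitized mask forwards only the latter two.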