lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <51082C94.7050003@redhat.com>
Date:	Tue, 29 Jan 2013 15:09:56 -0500
From:	Vlad Yasevich <vyasevic@...hat.com>
To:	shemminger@...tta.com
CC:	bridge@...ts.linux-foundation.org, davem@...emloft.net,
	netdev@...r.kernel.org, shmulik.ladkani@...il.com
Subject: Re: [PATCH 00/13] Add basic VLAN support to bridges

This is aimed for net-next.  Sorry for any confusion.

-vlad

On 01/29/2013 02:52 PM, Vlad Yasevich wrote:
> This is another revision of the VLAN filtering patchset.  It offers
> functionality that is similar to what can be found in switches as
> far as VLAN configuration and filtering of frames according to VLAN
> tags.
>
> Each port on the bridge, as well as the bridge itself, can be configured
> with a set of VLANs that they are willing to accept.  One of the vlans
> may be chosen as PVID and any untagged traffic will be associated with it.
>
> Changes since v6:
> * VLANs are now stored in a VLAN bitmap per port.  This allows for O(1)
> lookup at ingress and egress.  We simply check to see if the bit associated
> with the vlan id is set in the map.  The drawback to this approach is that
> it wastes some space when there is only a small number of VLANs.
> * In addition to the build time configuration option, VLAN filtering also has
> a configuration paramter in sysfs.  By default the filtering is turned off
> and all traffic is permitted.  When the filtring is turned on, we do strict
> matching to the filter configured.  Thus, if there is no configuration, all
> packets are rejected.  This was done to make the behavior more streight
> forward.  Without this (and if egress policy patch is rejected), the
> decision for how to forward untagged traffic that was not filtered at ingress
> is almost impossible to make.  It would not be right to deliver to every
> port that has PVID set as, each port may have a different PVID.
> * Separate egress policy bitmap patch has been isolated and is provided last
> in the series.  This has been a more contentious piece of functionality and I
> wanted to isolate it so that it could easily be dropped and not block the whole
> series.
>
> Changes since v5:
>   - Pulled VLAN filtering into its own file and made it a configuration options.
>   - Made new vlan filtering option dependent on VLAN_8021Q.
>   - Got rid of HW filter inlines and moved then vlan_core.c.
>     (All of the above suggested by Stephen Hemminger)
>
> Changes since v4:
>   - Pull per-port vlan data into its own structures and give it to the bridge
>     device thus making bridge device behave like a regular port for vlan
>     configuration.
>   - Add a per-vlan 'untagged' bitmap that determins egress policy.  If a port
>     is part of this bitmap, traffic egresses untagged.
>   - PVID is now used for ingress policy only.  Incomming frames without VLAN tag
>     are assigned to the PVID vlan.  Egress is determined via bitmap memberships.
>   - Allow for incremental config of a vlan.  Now, PVID and untagged memberships
>     may be set on existing vlans.  They however can NOT be cleared separately.
>   - VLAN deletion is now done via RTM_DELLINK command for PF_BRIDGE family.
>     This cleans up the netlink interface.
>
> Changes since v3:
>   - Re-integrated compiler problems that got left out last time.  Appologies.
>   - checkpatches.pl errors fixed
>
> Changes since v2:
>   - Added inline functiosn to manimulate vlan hw filters and re-use in 8021q
>     and bridge code.
>   - Use rtnl_dereference (Michael Tsirkin)
>   - Remove synchronize_net() call (Eric Dumazet)
>   - Fix NULL ptr deref bug I introduced in br_ifinfo_notify.
>
> Changes since v1:
>   - Fixed some forwarding bugs.
>   - Add vlan to local fdb entries.  New local entries are created per vlan
>     to facilite correct forwarding to bridge interface.
>   - Allow configuration of vlans directly on the bridge master device
>     in addition to ports.
>
> Changes since rfc v2:
>   - Per-port vlan bitmap is gone and is replaced with a vlan list.
>   - Added bridge vlan list, which is referenced by each port.  Entries in
>     the birdge vlan list have port bitmap that shows which port are parts
>     of which vlan.
>   - Netlink API changes.
>   - Dropped sysfs support for now.  If people think this is really usefull,
>     can add it back.
>   - Support for native/untagged vlans.
>
> Changes since rfc v1:
>   - Comments addressed regarding formatting and RCU usage
>   - iocts have been removed and changed over the netlink interface.
>   - Added support of user added ndb entries.
>   - changed sysfs interface to export a bitmap.  Also added a write interface.
>     I am not sure how much I like it, but it made my testing easier/faster.  I
>     might change the write interface to take text instead of binary.
>
> Vlad Yasevich (13):
>    vlan: wrap hw-acceleration calls in separate functions.
>    bridge: Add vlan filtering infrastructure
>    bridge: Validate that vlan is permitted on ingress
>    bridge: Verify that a vlan is allowed to egress on give port
>    bridge: Add netlink interface to configure vlans on bridge ports
>    bridge: Add the ability to configure pvid
>    bridge: Implement vlan ingress/egress policy
>    bridge: Add vlan to unicast fdb entries
>    bridge: Add vlan id to multicast groups
>    bridge: Add vlan support to static neighbors
>    bridge: Add vlan support for local fdb entries
>    bridge: Dump vlan information from a bridge port
>    bridge: Separate egress policy bitmap
>
>   drivers/net/ethernet/intel/ixgbe/ixgbe_main.c |    5 +-
>   drivers/net/macvlan.c                         |    2 +-
>   drivers/net/vxlan.c                           |    3 +-
>   include/linux/if_vlan.h                       |   21 ++
>   include/linux/netdevice.h                     |    6 +-
>   include/uapi/linux/if_bridge.h                |   13 +-
>   include/uapi/linux/neighbour.h                |    1 +
>   include/uapi/linux/rtnetlink.h                |    1 +
>   net/8021q/vlan.c                              |    4 +-
>   net/8021q/vlan_core.c                         |   82 ++++-
>   net/bridge/Kconfig                            |   14 +
>   net/bridge/Makefile                           |    2 +
>   net/bridge/br_device.c                        |    7 +-
>   net/bridge/br_fdb.c                           |  259 ++++++++++++---
>   net/bridge/br_forward.c                       |    9 +
>   net/bridge/br_if.c                            |    4 +-
>   net/bridge/br_input.c                         |   28 ++-
>   net/bridge/br_multicast.c                     |   69 +++--
>   net/bridge/br_netlink.c                       |  239 ++++++++++++--
>   net/bridge/br_private.h                       |  153 ++++++++-
>   net/bridge/br_sysfs_br.c                      |   21 ++
>   net/bridge/br_vlan.c                          |  448 +++++++++++++++++++++++++
>   net/core/rtnetlink.c                          |  111 ++++++-
>   23 files changed, 1354 insertions(+), 148 deletions(-)
>   create mode 100644 net/bridge/br_vlan.c
>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ