lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1393685845.1753.10.camel@localhost.localdomain>
Date:	Sat, 01 Mar 2014 23:57:25 +0900
From:	Toshiaki Makita <toshiaki.makita1@...il.com>
To:	vyasevic@...hat.com
Cc:	Toshiaki Makita <makita.toshiaki@....ntt.co.jp>,
	netdev@...r.kernel.org, bridge@...ts.linux-foundation.org,
	shemminger@...tta.com, mst@...hat.com, jhs@...atatu.com,
	john.r.fastabend@...el.com
Subject: Re: [PATCH 6/7] bridge: Manage promisc mode when vlans are
 configured on top of a bridge

On Fri, 2014-02-28 at 14:34 -0500, Vlad Yasevich wrote:
> On 02/27/2014 08:17 AM, Vlad Yasevich wrote:
> > On 02/27/2014 07:06 AM, Toshiaki Makita wrote:
> >> (2014/02/27 0:18), Vlad Yasevich wrote:
> >>> If the user configures vlan interfaces on top of the bridge and the bridge
> >>> doesn't have vlan filtering enabled, we have to place all the ports in
> >>> promsic mode so that we can correctly receive tagged frames.
> >>> When vlan filtering is enabled, the vlan configuration will be provided
> >>> via filtering interface.
> >>> When the vlan filtering is toggled, we also have mange promiscuity.
> >>
> >> If we disable vlan_filtering and no vlan interface is configured on the
> >> bridge, we cannot forward any tagged traffic?
> > 
> > We can't receive tagged traffic, so we turn promisc on.
> > 
> >> If we want to forward frames from one port to another port (not from/to
> >> bridge device), we have to add vlan interface or set promisc mode, right?
> >>
> > 
> > Hm..  Good point.  This isn't enough to address the scenario that Patch7
> > tries to solve.  I'll need to think about that.  This is partially why
> > I split functionality in Patch7 out.  It made things more difficult.
> > 
> 
> I now understood what you were referring to above a bit better.
> This patch solves just part of the problem.  The other part is what
> happens when someone behind the bridge is using vlan tagging without
> the bridge being aware of it and expects the bridge to forward such traffic.
> So, if we ever want to disable promiscuous mode on the bridge ports, we
> either need to depend on lan filtering being configured in the bridge
> or have the ability to disable vlan filtering in the driver.
> 
> Neither is really a good thing.  I'll need to think about this.

Yes, that is what I was worried about.
As a bridge has no way to know which vid will be used in incoming
frame's vlan tag, we maybe have to call vlan_vid_add() for all vids when
we disable promiscuous on a port?  If we had an API to simply disable
vlan filtering of a NIC, it could be better...

Thanks,
Toshiaki Makita

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ