Date:   Thu, 13 Dec 2018 11:54:28 +0000
From:   Petr Machata <petrm@...lanox.com>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:     "j.vosburgh@...il.com" <j.vosburgh@...il.com>,
        "vfalico@...il.com" <vfalico@...il.com>,
        "andy@...yhouse.net" <andy@...yhouse.net>,
        "davem@...emloft.net" <davem@...emloft.net>,
        Jiri Pirko <jiri@...lanox.com>,
        Ido Schimmel <idosch@...lanox.com>,
        "roopa@...ulusnetworks.com" <roopa@...ulusnetworks.com>,
        "nikolay@...ulusnetworks.com" <nikolay@...ulusnetworks.com>
Subject: [PATCH net-next 00/13] Introduce NETDEV_PRE_CHANGEADDR

Spectrum devices have a limitation that all router interfaces need to
have the same address prefix. In Spectrum-1, the requirement is for the
initial 38 bits of all RIFs to be the same, in Spectrum-2 the limit is
36 bits. Currently violations of this requirement are not diagnosed. At
the same time, if the condition is not upheld, the mismatched MAC
address ends up overwriting the common prefix, and all RIF MAC addresses
silently change to the new prefix.

It is therefore desirable to be able at least to diagnose the issue, and
better to reject attempts to change MAC addresses in ways that are
incompatible with the device.

Currently MAC address changes are notified through emission of
NETDEV_CHANGEADDR, which is done after the change. Extending this
message to allow vetoing is certainly possible, but several other
notification types have instead adopted a simple two-stage approach:
first a "pre" notification is sent to make sure all interested parties
are OK with the change that's about to be done. Then the change is done,
and afterwards a "post" notification is sent.

This dual approach is easier to use: when the change is vetoed, nothing
has changed yet, and it's therefore unnecessary to roll anything back.
Therefore this patchset introduces it for NETDEV_CHANGEADDR as well.

One prominent path to emitting NETDEV_CHANGEADDR is through
dev_set_mac_address(). Therefore in patch #1, give this function an
extack argument, so that a textual reason for rejection (or a warning)
can be communicated back to the user.

In patch #2, add the new notification type. In patch #3, have dev.c emit
the notification for instances of dev_addr change, or addition of an
address to dev_addrs list.

In patches #4 and #5, extend the bridge driver to handle and emit the
new notifier.

In patch #6, change IPVLAN to emit the new notifier.

Likewise for bonding driver in patches #7 and #8. Note that the team
driver doesn't need this treatment, as it goes through
dev_set_mac_address().

In patches #9, #10 and #11 adapt mlxsw to veto MAC addresses on router
interfaces, if they violate the requirement that all RIF MAC addresses
have the same prefix.

Finally in patches #12 and #13, add a test for vetoing of a direct
change of a port device MAC, and indirect change of a bridge MAC.

Petr Machata (13):
  net: dev: Add extack argument to dev_set_mac_address()
  net: dev: Add NETDEV_PRE_CHANGEADDR
  net: dev: Issue NETDEV_PRE_CHANGEADDR
  net: bridge: Issue NETDEV_PRE_CHANGEADDR
  net: bridge: Handle NETDEV_PRE_CHANGEADDR from ports
  net: ipvlan: Issue NETDEV_PRE_CHANGEADDR
  net: bonding: Give bond_set_dev_addr() a return value
  net: bonding: Issue NETDEV_PRE_CHANGEADDR
  mlxsw: spectrum_router: Generalize
    mlxsw_sp_netdevice_router_port_event()
  mlxsw: spectrum: Add mlxsw_sp.mac_mask
  mlxsw: spectrum_router: Veto unsupported RIF MAC addresses
  selftests: mlxsw: Test RIF MAC vetoing
  selftests: mlxsw: Test FID RIF MAC vetoing

 drivers/net/bonding/bond_alb.c                     |   9 +-
 drivers/net/bonding/bond_main.c                    |  44 ++++--
 drivers/net/ethernet/mellanox/mlxsw/spectrum.c     |  15 +-
 drivers/net/ethernet/mellanox/mlxsw/spectrum.h     |   4 +-
 .../net/ethernet/mellanox/mlxsw/spectrum_router.c  |  86 +++++++++--
 drivers/net/hyperv/netvsc_drv.c                    |   4 +-
 drivers/net/ipvlan/ipvlan_main.c                   |  14 ++
 drivers/net/macvlan.c                              |   4 +-
 drivers/net/tap.c                                  |   2 +-
 drivers/net/team/team.c                            |   2 +-
 drivers/net/tun.c                                  |   2 +-
 drivers/usb/gadget/function/u_ether.c              |   2 +-
 include/linux/netdevice.h                          |  13 +-
 net/bridge/br.c                                    |  13 ++
 net/bridge/br_if.c                                 |   9 ++
 net/core/dev.c                                     |  29 +++-
 net/core/dev_addr_lists.c                          |   3 +
 net/core/dev_ioctl.c                               |   2 +-
 net/core/rtnetlink.c                               |   2 +-
 net/ieee802154/nl-phy.c                            |   2 +-
 .../selftests/drivers/net/mlxsw/rtnetlink.sh       | 170 +++++++++++++++++++++
 21 files changed, 385 insertions(+), 46 deletions(-)
 create mode 100755 tools/testing/selftests/drivers/net/mlxsw/rtnetlink.sh

-- 
2.4.11
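
The two-stage veto the cover letter describes, as an added illustration that is not code from the patchset: a "pre" stage checks the candidate MAC against the common prefix of existing router interfaces and rejects it with a textual reason before anything is modified; only if it passes is the change made. The prefix widths (38 and 36 bits) are the cover letter's; `mac_mask_from_prefix`, `rif_add`, `try_second_rif`, the `rif_table` struct and the sample MACs are constructed for this example.

```c
#include <stdint.h>
#include <string.h>
#define ETH_ALEN 6

/* Mask selecting the first prefix_bits of a MAC (38 on Spectrum-1, 36 on Spectrum-2). */
static void mac_mask_from_prefix(unsigned prefix_bits, uint8_t mask[ETH_ALEN])
{
	for (int i = 0; i < ETH_ALEN; i++) {
		unsigned bits = prefix_bits > 8 ? 8 : prefix_bits;
		mask[i] = bits ? (uint8_t)(0xFF << (8 - bits)) : 0;
		prefix_bits -= bits;
	}
}

/* Nonzero when a and b agree on every bit selected by mask. */
static int mac_prefix_matches(const uint8_t *a, const uint8_t *b, const uint8_t *mask)
{
	for (int i = 0; i < ETH_ALEN; i++)
		if ((a[i] ^ b[i]) & mask[i]) return 0;
	return 1;
}

struct rif_table { uint8_t mask[ETH_ALEN]; uint8_t mac[4][ETH_ALEN]; int n; };
static const char *extack_msg; /* textual reason handed back on veto, like extack */

/* Stage 1, the "pre" notifier: veto while nothing has changed, so there is no rollback. */
static int pre_changeaddr(const struct rif_table *t, const uint8_t *mac)
{
	for (int i = 0; i < t->n; i++)
		if (!mac_prefix_matches(t->mac[i], mac, t->mask)) {
			extack_msg = "MAC prefix differs from existing router interface MACs";
			return -1; /* stands in for the notifier rejecting the change */
		}
	return 0;
}

/* Pre notification, then the change, then (conceptually) the post notification. */
static int rif_add(struct rif_table *t, const uint8_t *mac)
{
	if (pre_changeaddr(t, mac))
		return -1;
	memcpy(t->mac[t->n++], mac, ETH_ALEN);
	return 0; /* NETDEV_CHANGEADDR would be emitted here */
}

/* Constructed scenario: the second RIF's MAC differs from the first only in bit 37 (from the MSB). */
static const uint8_t rif0_mac[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
static const uint8_t cand_mac[ETH_ALEN] = {0x00, 0x11, 0x22, 0x33, 0x40, 0x00};
static int try_second_rif(unsigned prefix_bits)
{
	struct rif_table t = {0};
	mac_mask_from_prefix(prefix_bits, t.mask);
	extack_msg = NULL;
	return rif_add(&t, rif0_mac) ? -2 : rif_add(&t, cand_mac);
}
```

With a 38-bit prefix the second RIF is vetoed and `extack_msg` carries the reason; with a 36-bit prefix the same MAC is accepted, and in neither case does a rejected change leave partial state behind.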
