lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 18 Feb 2019 00:50:31 +0000
From:   Russell King - ARM Linux admin <>
To:     Florian Fainelli <>
Cc:     Andrew Lunn <>,
        Vivien Didelot <>,
        "David S. Miller" <>,
Subject: Re: [PATCH net-next 1/3] net: dsa: add support for bridge flags

On Sun, Feb 17, 2019 at 02:07:54PM -0800, Florian Fainelli wrote:
> On 2/17/2019 2:04 PM, Russell King - ARM Linux admin wrote:
> > On Sun, Feb 17, 2019 at 01:37:19PM -0800, Florian Fainelli wrote:
> >>
> >>
> >> On 2/17/2019 6:25 AM, Russell King wrote:
> >>> The Linux bridge implementation allows various properties of the bridge
> >>> to be controlled, such as flooding unknown unicast and multicast frames.
> >>> This patch adds the necessary DSA infrastructure to allow the Linux
> >>> bridge support to control these properties for DSA switches.
> >>>
> >>> We implement this by providing two new methods: one to get the switch-
> >>> wide support bitmask, and another to set the properties.
> >>>
> >>> Signed-off-by: Russell King <>
> >>> ---
> >>
> >> [snip]
> >>
> >>>  
> >>> +int dsa_port_bridge_flags(const struct dsa_port *dp, unsigned long flags,
> >>> +			  struct switchdev_trans *trans)
> >>> +{
> >>> +	struct dsa_switch *ds = dp->ds;
> >>> +	int port = dp->index;
> >>> +
> >>> +	if (switchdev_trans_ph_prepare(trans))
> >>> +		return ds->ops->port_bridge_flags ? 0 : -EOPNOTSUPP;
> >>> +
> >>> +	if (ds->ops->port_bridge_flags)
> >>> +		ds->ops->port_bridge_flags(ds, port, flags);
> >>
> >> If you have a switch fabric with multiple switches, it seems to me that
> >> you also need to make sure that the DSA and CPU ports will have
> >> compatible flooding attribute, so just like the port_vlan_add()
> >> callback, you probably need to make this a switch fabric-wide event and
> >> use a notifier here. At least the DSA ports need to have MC flooding
> >> turned on for an user port to also have MC flooding working.
> > 
> > mv88e6xxx already today detects CPU and DSA ports and sets unicast
> > and multicast flooding for these ports - see
> > mv88e6xxx_setup_egress_floods():
> Indeed, probably for historical reasons, since that type of logic should
> ideally be migrated to the core DSA layer, this is fine for now though.

>From what I can see, the port_vlan_add()/port_vlan_del() implementation
is far from ideal, just like "always enabling flooding for CPU/DSA
ports" is not ideal.

>From what I can see, when we add a vlan to any port in a group of
switches, we turn on forwarding of frames within that vlan to all
switches and the CPU port regardless of whether there are any ports
configured on those other switches.

If we apply the same logic to flooding (which is an egress control),
then as soon as we enable flooding on any port in a bridged group of
switches, we start forwarding flooded frames to all switches and the
CPU port regardless of whether anyone there is interested.

What would be more optimal is to only enable flooding in the direction
of switches that have an interest in those patches.  For example, lets
assume we have three daisy-chained switches with three lan ports each,
with interfaces of the format swNlanN.

All of sw1's lan interfaces and one of sw2's lan interfaces are part
of a Linux bridge.  Let's say we have enabled flooding on only one of
sw1's ports and the rest are disabled.  With the way port_vlan_add()
works (which you're suggesting as a model for flooding too) we would
end up enabling flooding across all switches and to the CPU port, even

- sw3 has no interest in any of the flooded frames as none of its ports
  are part of the bridge
- sw2 has no interest in any of the frames flooded from sw1

Doesn't seem optimal.

Given that, is it worth applying the same implementation to flooding
as already exists for vlans?  It would mean that as soon as we have
any single port in the group of switches that has flooding enabled,
we've enabled flooding across the entire group of switches.  As we
are unable to access the neighbouring switches state, we're unable
to turn flooding off (just like we're already unable to disable vlan
forwarding on the CPU/DSA ports).

Maybe if DSA had some infrastructure to know what downstream and
upstream switches wanted in terms of which frames, we could do better
but I don't currently see any infrastructure for that.

RMK's Patch system:
FTTC broadband for 0.8mile line in suburbia: sync at 12.1Mbps down 622kbps up
According to 11.9Mbps down 500kbps up

Powered by blists - more mailing lists