| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 3 Sep 2019 09:13:24 +0300
From: Ido Schimmel <idosch@...sch.org>
To: "Allan W. Nielsen" <allan.nielsen@...rochip.com>
Cc: Jiri Pirko <jiri@...nulli.us>, David Miller <davem@...emloft.net>,
andrew@...n.ch, horatiu.vultur@...rochip.com,
alexandre.belloni@...tlin.com, UNGLinuxDriver@...rochip.com,
ivecera@...hat.com, f.fainelli@...il.com, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v3 1/2] net: core: Notify on changes to dev->promiscuity.
On Mon, Sep 02, 2019 at 07:42:31PM +0200, Allan W. Nielsen wrote:
> I have been reading through this thread several times and I still do not get it.
Allan,
I kept thinking about this and I want to make sure that I correctly
understand the end result.
With these patches applied I assume I will see the following traffic
when running tcpdump on one of the netdevs exposed by the ocelot driver:
- Ingress: All
- Egress: Only locally generated traffic and traffic forwarded by the
kernel from interfaces not belonging to the ocelot driver
The above means I will not see any offloaded traffic transmitted by the
port. Is that correct? I see that the driver is setting
'offload_fwd_mark' for any traffic trapped from bridged ports, which
means the bridge will drop it before it traverses the packet taps on
egress.
Large parts of the discussion revolve around the fact that switch ports
are not any different than other ports. Dave wrote "Please stop
portraying switches as special in this regard" and Andrew wrote "[The
user] just wants tcpdump to work like on their desktop."
But if anything, this discussion proves that switch ports are special in
this regard and that tcpdump will not work like on the desktop.
Beside the fact that I don't agree (but gave up) with the new
interpretation of promisc mode, I wonder if we're not asking for trouble
with this patchset. Users will see all offloaded traffic on ingress, but
none of it on egress. This is in contrast to the sever/desktop, where
Linux is much more dominant in comparison to switches (let alone hw
accelerated ones) and where all the traffic is visible through tcpdump.
I can already see myself having to explain this over and over again to
confused users.
Now, I understand that showing egress traffic is inherently difficult.
It means one of two things:
1. We allow packets to be forwarded by both the software and the
hardware
2. We trap all ingressing traffic from all the ports
Both options can have devastating effects on the network and therefore
should not be triggered by a supposedly innocent invocation of tcpdump.
I again wonder if it would not be wiser to solve this by introducing two
new flags to tcpdump for ingress/egress (similar to -Q in/out) capturing
of offloaded traffic. The capturing of egress offloaded traffic can be
documented with the appropriate warnings.
Anyway, I don't want to hold you up, I merely want to make sure that the
above (assuming it's correct) is considered before the patches are
applied.
Thanks
Powered by blists - more mailing lists