lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20191003192445.GD21875@lunn.ch>
Date:   Thu, 3 Oct 2019 21:24:45 +0200
From:   Andrew Lunn <andrew@...n.ch>
To:     Vladimir Oltean <olteanv@...il.com>
Cc:     f.fainelli@...il.com, vivien.didelot@...il.com,
        davem@...emloft.net, netdev@...r.kernel.org
Subject: Re: [PATCH net-next] net: dsa: Allow port mirroring to the CPU port

On Thu, Oct 03, 2019 at 02:37:50AM +0300, Vladimir Oltean wrote:
> On a regular netdev, putting it in promiscuous mode means receiving all
> traffic passing through it, whether or not it was destined to its MAC
> address. Then monitoring applications such as tcpdump can see all
> traffic transiting it.
> 
> On Ethernet switches, clearly all ports are in promiscuous mode by
> definition, since they accept frames destined to any MAC address.
> However tcpdump does not capture all frames transiting switch ports,
> only the ones destined to, or originating from the CPU port.
> 
> To be able to monitor frames with tcpdump on the CPU port, extend the tc
> matchall classifier and mirred action to support the DSA master port as
> a possible mirror target.
> 
> Tested with:
> tc qdisc add dev swp2 clsact
> tc filter add dev swp2 ingress matchall skip_sw \
> 	action mirred egress mirror dev eth2
> tcpdump -i swp2

Humm.

O.K, i don't like this for a few reasons.

egress mirror dev eth2

Frames are supported to egress eth2. But in fact they will ingress on
eth2. That is not intuitive.

I'm also no sure how safe this it is to ingress mirror packets on the
master interface. Will they have DSA tags? I think that will vary from
device to device. Are we going to see some packets twice? Once for the
mirror, and a second time because they are destined to the CPU? Do we
end up processing the packets twice?

For your use case of wanting to see packets in tcpdump, i think we are
back to the discussion of what promisc mode means. I would prefer that
when a DSA slave interface is put into promisc mode for tcpdump, the
switch then forwards a copy of frames to the CPU, without
duplication. That is a much more intuitive model.

	  Andrew

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ