lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 31 Dec 2019 20:06:14 +0200
From:   Ido Schimmel <idosch@...sch.org>
To:     Pali Rohár <pali.rohar@...il.com>
Cc:     Russell King - ARM Linux admin <linux@...linux.org.uk>,
        netdev@...r.kernel.org, Jiri Pirko <jiri@...nulli.us>,
        Ivan Vecera <ivecera@...hat.com>, Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>
Subject: Re: [RFC 0/3] VLANs, DSA switches and multiple bridges

On Tue, Dec 31, 2019 at 05:10:20PM +0100, Pali Rohár wrote:
> On Sunday 22 December 2019 19:22:35 Russell King - ARM Linux admin wrote:
> > Hi,
> > 
> > I've been trying to configure DSA for VLANs and not having much success.
> > The setup is quite simple:
> > 
> > - The main network is untagged
> > - The wifi network is a vlan tagged with id $VN running over the main
> >   network.
> > 
> > I have an Armada 388 Clearfog with a PCIe wifi card which I'm trying to
> > setup to provide wifi access to the vlan $VN network, while the switch
> > is also part of the main network.
> 
> Hello, I do not know if it is related, but I have a problem with DSa,
> VLAN and mv88e6085 on Espressobin board (armada-3720).
> 
> My setup/topology is similar:
> 
> eth0 --> main interface for mv88e6085 switch

This is the DSA master interface?

> wan --> first RJ45 port from eth0
> lan0 --> second RJ45 port from eth0
> wan.10 --> unpacked VLAN with id 10 packets from wan
> 
> Just one note, wan and wan.10 uses different MAC addresses.

Is this something you configured? By default the MAC address of the VLAN
device should be inherited from the real device. What happens if they
have the same MAC address?

> Also lan0 has another MAC address.
> 
> Basically on upstream wan are two different/separated networks. First
> one is untagged, second one is tagged with vlan id 10 and tagged packets
> should come on wan interface (linux kernel then pass untagged packets to
> wan and vlan id 10 tagged as "untagged" to wan.10). lan0 is downstream
> network and in this configuration Espressobin works as router. So there
> is no switching between RJ45 ports, all packets should come to CPU and
> Linux's iptables do all stuff.
> 
> And now the problem. All (untagged) traffic for first network on wan
> works fine (incoming + outgoing). Also all outgoing packets from wan.10
> interface are correctly transmitted (other side see on first RJ45 port
> that packets are properly tagged by id 10). But for unknown reason all
> incoming packets with vlan id 10 on first RJ45 port are dropped. Even
> tcpdump on eth0 does not see them.
> 
> Could be this problem related to one which Russel described? I tried to
> debug this problem but I give up 2 days before Russel send this email
> with patches, so I have not had a chance to test it.

I'm not sure. I believe Russel was not able to receive tagged packets at
all and he was using a bridged setup, unlike you (IIUC). Also, below you
write that sometimes you're able to receive packets with VLAN 10.

> One very strange behavior is that sometimes mv88e6085 starts accepting
> those vlan id 10 packets and kernel them properly send to wan.10
> interface and userspacee applications see them. And once they start
> appearing it works for 5 minutes, exactly 300s. After 300s they are
> again silently somehow dropped (tcpdump again does not see them). I was
> not able to detect anything which could cause that kernel started seeing
> them. Looks for me it was really random. But exact time 300s is really
> strange.

300 seconds is the default ageing time the Linux bridge uses, so maybe
the problem is the hardware FDB table and not the VLAN filter.

Andrew / Vivien, how routed traffic is handled on this platform? Is it
possible that the FDB table is consulted first and the expectation is
that it would direct the packet towards the CPU port? If so, I guess
that the FDB entry with {VID 10, wan.10's MAC} is aged-out and flooding
towards the CPU is disabled?

> 
> I used default Debian Buster kernel (without any custom patches). Also
> one from Debian Buster backports, but behavior was still same.
> 
> -- 
> Pali Rohár
> pali.rohar@...il.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ