lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 1 Jan 2020 02:10:27 +0100
From:   Pali Rohár <>
To:     Ido Schimmel <>
Cc:     Russell King - ARM Linux admin <>,, Jiri Pirko <>,
        Ivan Vecera <>, Andrew Lunn <>,
        Vivien Didelot <>
Subject: Re: [RFC 0/3] VLANs, DSA switches and multiple bridges

On Tuesday 31 December 2019 20:06:14 Ido Schimmel wrote:
> On Tue, Dec 31, 2019 at 05:10:20PM +0100, Pali Rohár wrote:
> > On Sunday 22 December 2019 19:22:35 Russell King - ARM Linux admin wrote:
> > > Hi,
> > > 
> > > I've been trying to configure DSA for VLANs and not having much success.
> > > The setup is quite simple:
> > > 
> > > - The main network is untagged
> > > - The wifi network is a vlan tagged with id $VN running over the main
> > >   network.
> > > 
> > > I have an Armada 388 Clearfog with a PCIe wifi card which I'm trying to
> > > setup to provide wifi access to the vlan $VN network, while the switch
> > > is also part of the main network.
> > 
> > Hello, I do not know if it is related, but I have a problem with DSa,
> > VLAN and mv88e6085 on Espressobin board (armada-3720).
> > 
> > My setup/topology is similar:
> > 
> > eth0 --> main interface for mv88e6085 switch
> This is the DSA master interface?


> > wan --> first RJ45 port from eth0
> > lan0 --> second RJ45 port from eth0
> > wan.10 --> unpacked VLAN with id 10 packets from wan
> > 
> > Just one note, wan and wan.10 uses different MAC addresses.
> Is this something you configured?

Yes. My configuration is:

  ip link set dev wan address <address1>
  ip link add link wan name wan.10 type vlan id 10
  ip link set dev wan.10 address <address2>

Just to note that same setup on Raspberry PI is working fine. Here on
Raspberry PI for second RJ45 port I'm using external USB based network
adapter, so DSA on RPI is not used at all. Which means that Linux kernel
does not have any problem with setting / using two different MAC
addresses on one physical network adapter.

> By default the MAC address of the VLAN
> device should be inherited from the real device. What happens if they
> have the same MAC address?

I do not know. I have not tested this scenario. Currently I have my
Espressobin with mv88e6085 out of my hands and is disconnected from
internet, so I cannot do this test right now.

> > Also lan0 has another MAC address.
> > 
> > Basically on upstream wan are two different/separated networks. First
> > one is untagged, second one is tagged with vlan id 10 and tagged packets
> > should come on wan interface (linux kernel then pass untagged packets to
> > wan and vlan id 10 tagged as "untagged" to wan.10). lan0 is downstream
> > network and in this configuration Espressobin works as router. So there
> > is no switching between RJ45 ports, all packets should come to CPU and
> > Linux's iptables do all stuff.
> > 
> > And now the problem. All (untagged) traffic for first network on wan
> > works fine (incoming + outgoing). Also all outgoing packets from wan.10
> > interface are correctly transmitted (other side see on first RJ45 port
> > that packets are properly tagged by id 10). But for unknown reason all
> > incoming packets with vlan id 10 on first RJ45 port are dropped. Even
> > tcpdump on eth0 does not see them.
> > 
> > Could be this problem related to one which Russel described? I tried to
> > debug this problem but I give up 2 days before Russel send this email
> > with patches, so I have not had a chance to test it.
> I'm not sure. I believe Russel was not able to receive tagged packets at
> all and he was using a bridged setup, unlike you (IIUC). Also, below you
> write that sometimes you're able to receive packets with VLAN 10.

Yes, sometimes I was able to receive packets, but I run this setup for
about 4 hours (or more) and only few times (for 5 minutes) it worked.

> > One very strange behavior is that sometimes mv88e6085 starts accepting
> > those vlan id 10 packets and kernel them properly send to wan.10
> > interface and userspacee applications see them. And once they start
> > appearing it works for 5 minutes, exactly 300s. After 300s they are
> > again silently somehow dropped (tcpdump again does not see them). I was
> > not able to detect anything which could cause that kernel started seeing
> > them. Looks for me it was really random. But exact time 300s is really
> > strange.
> 300 seconds is the default ageing time the Linux bridge uses, so maybe
> the problem is the hardware FDB table and not the VLAN filter.
> Andrew / Vivien, how routed traffic is handled on this platform? Is it
> possible that the FDB table is consulted first and the expectation is
> that it would direct the packet towards the CPU port? If so, I guess
> that the FDB entry with {VID 10, wan.10's MAC} is aged-out and flooding
> towards the CPU is disabled?

Hm... that is interesting.

When run was running tcpdump I did not passed -p flag, so tcpdump
automatically was listening in promiscuous mode.

And I was trying those tests also with setting "promisc" mode via ip
link and nothing was changed.

So if above is truth then also promiscuous mode is broken and filtered.

(I expect that network adapter in promiscuous mode receive also packets
which target MAC address is not same as MAC address configured for
network interface.)

> > 
> > I used default Debian Buster kernel (without any custom patches). Also
> > one from Debian Buster backports, but behavior was still same.
> > 
> > -- 
> > Pali Rohár
> >

Pali Rohár

Download attachment "signature.asc" of type "application/pgp-signature" (196 bytes)

Powered by blists - more mailing lists