lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <838f8b3fa51e43e2b5ddeb80bfefff34@BK99MAIL02.bk.local>
Date:   Thu, 30 Jul 2020 09:34:53 +0000
From:   "Gaube, Marvin (THSE-TL1)" <Marvin.Gaube@...at.de>
To:     Florian Fainelli <f.fainelli@...il.com>,
        Woojung Huh <woojung.huh@...rochip.com>,
        Microchip Linux Driver Support <UNGLinuxDriver@...rochip.com>
CC:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: AW: AW: PROBLEM: (DSA/Microchip): 802.1Q-Header lost on KSZ9477-DSA
 ingress without bridge

Hello,
the following was tested:

ip link add name br0 type bridge
echo 1 >/sys/class/net/br0/bridge/vlan_filtering
ip link set dev lan1 master br0
ip link set dev lan1 up
ip link set dev br0 up
bridge vlan show
> port              vlan-id  
> lan1              1 PVID Egress Untagged
> br0               1 PVID Egress Untagged
tcpdump -i br0 -e
> de:1c:87:(..) (oui Unknown) > 33:33:00:01:00:06 (oui Unknown), ethertype IPv6 (0x86dd), length 308 ...
bridge vlan del dev lan1 vid 1
bridge vlan add dev lan1 vid 21 tagged
bridge vlan show
> port              vlan-id  
> lan1              21
> br0               1 PVID Egress Untagged
tcpdump -i br0 -e
> Nothing. The frames with VLAN 21 ingress should appear here
bridge vlan del dev lan1 vid 21
bridge vlan add dev lan1 vid 25 pvid
bridge vlan show
> port              vlan-id  
> lan1              25 PVID
> br0               1 PVID Egress Untagged
tcpdump -i br0 -e
> de:1c:87:(..) (oui Unknown) > 33:33:00:01:00:06 (oui Unknown), ethertype 802.1Q (0x8100), length 312: vlan 25, p 0, ethertype IPv6 ...

When I tcpdump onto eth1, I see the packets with 0x8100 vid 21 all the time.

The MAC driver is freescale/fec on imx7d (compatible string in device tree: "fsl,imx7d-fecfsl,imx6sx-fec"). 
It seems, that it not sets NETIF_F_HW_VLAN_CTAG_FILTER.

Best Regards
Marvin Gaube

-----Ursprüngliche Nachricht-----
Von: Florian Fainelli <f.fainelli@...il.com> 
Gesendet: Mittwoch, 29. Juli 2020 17:03
An: Gaube, Marvin (THSE-TL1) <Marvin.Gaube@...at.de>; Woojung Huh <woojung.huh@...rochip.com>; Microchip Linux Driver Support <UNGLinuxDriver@...rochip.com>
Cc: netdev@...r.kernel.org
Betreff: Re: AW: PROBLEM: (DSA/Microchip): 802.1Q-Header lost on KSZ9477-DSA ingress without bridge



On 7/29/2020 7:49 AM, Gaube, Marvin (THSE-TL1) wrote:
> Hello,
> I just tried a VLAN-enabled bridge.
> All ingress packets definitely have the 802.1q-Tag on CPU ingress, double-checked that. Tried again with VLAN21-Tagged frames coming in the physical port.
> It seems that the bridge also handles all packets from lan1 as untagged. When I add lan1 to the bridge, the following happens:
> 
> If lan1 has (only) VLAN 21 tagged on the bridge, no packet appears.
> As soon as I add an untagged/pvid VLAN to lan1 on the bridge, all packets appear on the bridge with whichever VLAN I added.
> I checked simultaneously with the CPU Ingress-Port (eth1), the same packets had Ethertype 8100 with VLAN 21 when they entered CPU.

Can you share the commands you use to set-up your bridge with VLAN filtering and VLAN21 added to the VLAN database of the bridge for lan1?

> 
> With Switchport 1, the physical switch port of the KSZ is meant.

OK.

> 
> About the last thing: VLAN tagged frames are definitively passed to the CPU.
> If I "tcpdump -xx" onto eth1, I see for example "(12 byte MAC) 8100 0015 86dd (IPv6-Payload)". The tail tag is also visible.
> Exactly the same frame appears on lan1 as "(12 byte MAC) 86dd (IPv6-Payload)", so the 802.1q-Header is present on CPU ingress.
> Therefore the VLAN tag probably is lost between eth1 (Ingress) and the respective DSA-Interface, and is not filtered on the KSZ9477.

What Ethernet controller driver is eth1, does it support VLAN receive filter (NETIF_F_HW_VLAN_CTAG_FILTER)?

> 
> Best Regards
> Marvin Gaube
> 
> -----Ursprüngliche Nachricht-----
> Von: Florian Fainelli <f.fainelli@...il.com>
> Gesendet: Mittwoch, 29. Juli 2020 15:48
> An: Gaube, Marvin (THSE-TL1) <Marvin.Gaube@...at.de>; Woojung Huh 
> <woojung.huh@...rochip.com>; Microchip Linux Driver Support 
> <UNGLinuxDriver@...rochip.com>
> Cc: netdev@...r.kernel.org
> Betreff: Re: PROBLEM: (DSA/Microchip): 802.1Q-Header lost on 
> KSZ9477-DSA ingress without bridge
> 
> 
> 
> On 7/28/2020 11:05 PM, Gaube, Marvin (THSE-TL1) wrote:
>> Summary: 802.1Q-Header lost on KSZ9477-DSA ingress without bridge
>> Keywords: networking, dsa, microchip, 802.1q, vlan Full description:
>>
>> Hello,
>> we're trying to get 802.1Q-Tagged Ethernet Frames through an KSZ9477 DSA-enabled switch without creating a bridge on the kernel side.
> 
> Does it work if you have a bridge that is VLAN aware though? If it does, this would suggest that the default VLAN behavior without a bridge is too restrictive and needs changing.
> 
>> Following setup:
>> Switchport 1 <-- KSZ9477 --> eth1 (CPU-Port) <---> lan1
> 
> This representation is confusing, is switchport 1 a network device or is this meant to be physical switch port number of 1 of the KSZ9477?
> 
>>
>> No bridge is configured, only the interface directly. Untagged packets are working without problems. The Switch uses the ksz9477-DSA-Driver with Tail-Tagging ("DSA_TAG_PROTO_KSZ9477").
>> When sending packets with 802.1Q-Header (tagged VLAN) into the Switchport, I see them including the 802.1Q-Header on eth1.
>> They also appear on lan1, but with the 802.1Q-Header missing.
>> When I create an VLAN-Interface over lan1 (e.g. lan1.21), nothing arrives there.
>> The other way around, everything works fine: Packets transmitted into lan1.21 are appearing in 802.1Q-VLAN 21 on the Switchport 1.
>>
>> I assume that is not the intended behavior.
>> I haven't found an obvious reason for this behavior yet, but I suspect the VLAN-Header gets stripped of anywhere around "dsa_switch_rcv" in net/dsa/dsa.c or "ksz9477_rcv" in net/dsa/tag_ksz.c.
> 
> Not sure how though, ksz9477_rcv() only removes the trail tag, this should leave any header intact. It seems to me that the switch is incorrectly configured and is not VLAN aware at all, nor passing VLAN tagged frames through on ingress to CPU when it should.
> --
> Florian
> 
> ________________________________
> 
> Tesat-Spacecom GmbH & Co. KG
> Sitz: Backnang; Registergericht: Amtsgericht Stuttgart HRA 270977 
> Persoenlich haftender Gesellschafter: Tesat-Spacecom 
> Geschaeftsfuehrungs GmbH;
> Sitz: Backnang; Registergericht: Amtsgericht Stuttgart HRB 271658;
> Geschaeftsfuehrung: Dr. Marc Steckling, Kerstin Basche, Ralf 
> Zimmermann
> 
> [banner]
> 

--
Florian

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ