Date:   Mon, 7 Sep 2020 13:48:21 +0300
From:   Vladimir Oltean <olteanv@...il.com>
To:     Kurt Kanzenbach <kurt@...utronix.de>
Cc:     Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org,
        Rob Herring <robh+dt@...nel.org>, devicetree@...r.kernel.org,
        Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
        Richard Cochran <richardcochran@...il.com>,
        Kamil Alkhouri <kamil.alkhouri@...offenburg.de>,
        ilias.apalodimas@...aro.org
Subject: Re: [PATCH v5 2/7] net: dsa: Add DSA driver for Hirschmann Hellcreek
 switches

On Mon, Sep 07, 2020 at 08:05:25AM +0200, Kurt Kanzenbach wrote:
> Well, that depends on whether hellcreek_vlan_add() is called for
> creating those vlan interfaces. In general: As soon as both ports are
> members of the same vlan that traffic is switched.

That's indeed what I would expect.
Not only that, but with your pvid-based setup, you only ensure port
separation for untagged traffic anyway. I don't think you even need to
call hellcreek_vlan_add() for VID 100 to be switched between ports,
because your .port_vlan_filtering callback does not in fact disable VLAN
awareness, it just configures the ports to not drop unknown VLANs. So,
arguably, VLAN classification is still performed. An untagged packet is
classified to the PVID, a tagged packet is classified to the VID in the
packet. So tagged packets bypass the separation.

So, I think that's not ok. I think the only proper way to solve this is
to inform the IP designers that VLANs are no substitute for a port
forwarding matrix (a lookup table that answers the question "can port i
forward to port j"). Switch ports that are individually addressable by
the network stack are a fundamental assumption of the switchdev
framework.

> > I remember asking in Message-ID: <20200716082935.snokd33kn52ixk5h@...uf>
> > whether it would be possible for you to set
> > ds->configure_vlan_while_not_filtering = true during hellcreek_setup.
> > Did anything unexpected happen while trying that?
>
> No, that comment got lost.
>
> So looking at the flag: Does it mean the driver can receive vlan
> configurations when a bridge without vlan filtering is used? That might
> be problematic as this driver uses vlans for the port separation by
> default. This is undone when vlan filtering is set to 1 meaning vlan
> configurations can be received without any problems.

Yes.
Generally speaking, the old DSA behavior is something that we're trying
to get rid of, once all drivers set the option to true. So a new driver
should not rely on it even if it needs something like that. If you need
caching of VLANs installed by the bridge and/or by the 8021q module,
then you can add those to a list, and restore them in the
.port_vlan_filtering callback by yourself. You can look at how sja1105
does that.

Thanks,
-Vladimir
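
The classification behaviour discussed in this message, as a simplified C model added to this archive page (not part of the original e-mail and not code from the hellcreek driver): it compares PVID-based separation with a port forwarding matrix for untagged and tagged ingress. The three-port topology, the VID numbers, every struct and function name, and the assumption that a frame in an unknown VLAN is flooded when it is not dropped are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NPORTS   3        /* constructed topology: 0 = CPU, 1 and 2 = front ports */
#define MAX_VID  4096
#define UNTAGGED 0xffff   /* marker for a frame without a VLAN tag */

struct sw_model {
    uint16_t pvid[NPORTS];      /* VID given to untagged ingress on each port */
    uint8_t  members[MAX_VID];  /* per-VID port bitmap, 0 = unknown VLAN */
    bool     drop_unknown;      /* false = ports do not drop unknown VLANs */
    bool     use_matrix;        /* apply the forwarding matrix below */
    uint8_t  fwd[NPORTS];       /* fwd[i] bit j set: port i may forward to port j */
};

/* Egress port bitmap for a frame received on port `in` (hypothetical helper). */
uint8_t egress_mask(const struct sw_model *s, int in, uint16_t tag)
{
    /* Classification: untagged -> PVID, tagged -> VID carried in the frame. */
    uint16_t vid = (tag == UNTAGGED) ? s->pvid[in] : (uint16_t)(tag & 0xfff);
    uint8_t out = s->members[vid];

    if (!out)  /* unknown VLAN: dropped, or (assumption) flooded to all ports */
        out = s->drop_unknown ? 0 : (uint8_t)((1u << NPORTS) - 1);
    out &= (uint8_t)~(1u << in);  /* never send back out of the ingress port */
    if (s->use_matrix)
        out &= s->fwd[in];        /* applies no matter which VID was classified */
    return out;
}

/* Each front port shares a private VLAN with the CPU port (PVID separation). */
struct sw_model make_switch(bool use_matrix)
{
    struct sw_model s = { .pvid = { 1, 2, 3 }, .use_matrix = use_matrix,
                          .fwd = { 0x6, 0x1, 0x1 } };  /* front ports -> CPU only */
    s.members[2] = 0x3;  /* VID 2: CPU + port 1 */
    s.members[3] = 0x5;  /* VID 3: CPU + port 2 */
    return s;
}

int main(void)
{
    struct sw_model v = make_switch(false), m = make_switch(true);
    printf("VLAN only, untagged on port 1: 0x%x\n", egress_mask(&v, 1, UNTAGGED));
    printf("VLAN only, VID 100 on port 1:  0x%x\n", egress_mask(&v, 1, 100));
    printf("matrix,    VID 100 on port 1:  0x%x\n", egress_mask(&m, 1, 100));
    return 0;
}
```

Bit 2 in the second result is front port 2: the tagged frame crosses between front ports under PVID-only separation, while the matrix variant limits it to the CPU port.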
