lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <87h7nhlksr.fsf@waldekranz.com>
Date:   Sat, 16 Jan 2021 02:42:12 +0100
From:   Tobias Waldekranz <tobias@...dekranz.com>
To:     Rasmus Villemoes <rasmus.villemoes@...vas.dk>,
        Andrew Lunn <andrew@...n.ch>,
        Network Development <netdev@...r.kernel.org>,
        Vivien Didelot <vivien.didelot@...il.com>
Cc:     Horatiu Vultur <horatiu.vultur@...rochip.com>,
        Vladimir Oltean <olteanv@...il.com>
Subject: Re: commit 4c7ea3c0791e (net: dsa: mv88e6xxx: disable SA learning for DSA and CPU ports)

On Thu, Jan 14, 2021 at 14:49, Rasmus Villemoes <rasmus.villemoes@...vas.dk> wrote:
> Hi
>
> I've noticed something rather odd with my mv88e6250, which led me to the
> commit in the subject.
>
> First, the MAC address of the master device never seems to get learned
> (at least according to "mv88e6xxx_dump --atu"), so all packets destined
> for the machine gets flooded out all ports - which I can verify with
> wireshark. That is, I have three machines
>
> A --- B --- C
>
> with B being the board with an embedded mv88e6250, A pinging B, and C
> running wireshark - and it shows lots of "ping request (no response
> found)". Same if B pings A; the responses from A also get to C.
>
> But this is somewhat to be expected; automatic learning has been
> disabled by commit 4c7ea3c0791e (later commits have change the logic
> around there somewhat, but the end result is the same: the PAV for the
> cpu port being clear), and I can't find anywhere in the code which would
> manually add the master device's address to the ATU.
>
> However: Even when I do
>
> -	if (dsa_is_cpu_port(ds, port))
> +	if (dsa_is_cpu_port(ds, port) && 0)
>
> and verify with "mv88e6xxx_dump --ports" that the CPU port now has the
> expected value in port offset 0x0b:
>
> 0b 0001 0002 0004 0008 0010 0020 0040
>
> (it's port 5, i.e. the 0020 value), I still see the above behaviour -
> the master device's address doesn't get learned (nor does some garbage
> address appear in the ATU), and the unicast packets are still forwarded
> out all ports. So I must be missing something else.

The thing you are missing is that all packets from the CPU are sent with
FROM_CPU tags. SA learning is not performed on these as it intended for
control traffic.

Ideally, bulk traffic would be sent with a FORWARD tag. But there is
currently no way for the DSA tagger to discriminate the bulk data from
control traffic. And changing that is no small task.

In the mean time we could extend Vladimir's (added to CC) work on
assisted CPU port learning to include the local bridge addresses. You
pushed me to take a first stab at this :) Please have a look at this
series:

https://lore.kernel.org/netdev/20210116012515.3152-1-tobias@waldekranz.com/

> Finally, I'm wondering how the tagging could get in the way of learning
> the right address, given that the tag is inserted after the DA and SA.

Yes, but the CPU port is configured in DSA mode, so the switch will use
the tag command (FROM_CPU) to determine if learning should be done or
not.

> ====
>
> But this is all just some odd observations; the traffic does seem to
> work, though sending all unicast traffic to all neighbours seems to be a
> waste of bandwidth.
>
> What I'm _really_ trying to do is to get my mv88e6250 to participate in
> an MRP ring, which AFAICT will require that the master device's MAC gets
> added as a static entry in the ATU: Otherwise, when the ring goes from
> open to closed, I've seen the switch wrongly learn the node's own mac
> address as being in the direction of one of the normal ports, which
> obviously breaks all traffic. So if the topology is
>
>    M
>  /   \
> C1 *** C2
>
> with the link between C1 and C2 being broken, both M-C1 and M-C2 links
> are in forwarding (hence learning) state, so when the C1-C2 link gets
> reestablished, it will take at least one received test packet for M to
> decide to put one of the ports in blocking state - by which time the
> damage is done, and the ATU now has a broken entry for M's own mac address.

Well the static entry for the bridge MAC should be installed with the
aforementioned series applied. So that should not be an issue.

My guess is that MRP will still not work though, as you will probably
need the ability to trap certain groups to the CPU (management
entries). I.e. some MRP PDUs must be allowed to ingress on blocked
ports, no?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ