| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 Jan 2022 16:46:50 +0100
From: Tobias Waldekranz <tobias@...dekranz.com>
To: davem@...emloft.net, kuba@...nel.org
Cc: netdev@...r.kernel.org
Subject: [PATCH net-next 0/5] net: dsa: mv88e6xxx: Improve standalone port isolation
The ideal isolation between standalone ports satisfies two properties:
1. Packets from one standalone port must not be forwarded to any other
port.
2. Packets from a standalone port must be sent to the CPU port.
mv88e6xxx solves (1) by isolating standalone ports using the PVT. Up
to this point though, (2) has not guaranteed; as the ATU is still
consulted, there is a chance that incoming packets never reach the CPU
if its DA has previously been used as the SA of an earlier packet (see
1/5 for more details). This is typically not a problem, except for one
very useful setup in which switch ports are looped in order to run the
bridge kselftests in tools/testing/selftests/net/forwarding. This
series attempts to solve (2).
Ideally, we could simply use the "ForceMap" bit of more modern chips
(Agate and newer) to classify all incoming packets as MGMT. This is
not available on older silicon that is still widely used (Opal Plus
chips like the 6097 for example).
Instead, this series takes a two pronged approach:
1/5: Always clear MapDA on standalone ports to make sure that no ATU
entry can lead packets astray. This solves (2) for single-chip
systems.
2/5: Trivial prep work for 4/5.
3/5: Trivial prep work for 4/5.
4/5: On multi-chip systems though, this is not enough. On the incoming
chip, the packet will be forced out towards the CPU thanks to
1/5, but on any intermediate chips the ATU is still consulted. We
override this behavior by marking the reserved standalone VID (0)
as a policy VID, the DSA ports' VID policy is set to TRAP. This
will cause the packet to be reclassified as MGMT on the first
intermediate chip, after which it's a straight shot towards the
CPU.
Finally, we allow more tests to be run on mv88e6xxx:
5/5: The bridge_vlan{,un}aware suites sets an ageing_time of 10s on
the bridge it creates, but mv88e6xxx has a minimum supported time
of 15s. Allow this time to be overridden in forwarding.config.
With this series in place, mv88e6xxx passes the following kselftest
suites:
- bridge_port_isolation.sh
- bridge_sticky_fdb.sh
- bridge_vlan_aware.sh
- bridge_vlan_unaware.sh
Tobias Waldekranz (5):
net: dsa: mv88e6xxx: Improve isolation of standalone ports
net: dsa: mv88e6xxx: Support policy entries in the VTU
net: dsa: mv88e6xxx: Enable port policy support on 6097
net: dsa: mv88e6xxx: Improve multichip isolation of standalone ports
selftests: net: bridge: Parameterize ageing timeout
drivers/net/dsa/mv88e6xxx/chip.c | 96 ++++++++++++++-----
drivers/net/dsa/mv88e6xxx/chip.h | 1 +
drivers/net/dsa/mv88e6xxx/global1.h | 1 +
drivers/net/dsa/mv88e6xxx/global1_vtu.c | 5 +-
drivers/net/dsa/mv88e6xxx/port.c | 7 +-
drivers/net/dsa/mv88e6xxx/port.h | 2 +-
include/net/dsa.h | 12 +++
.../net/forwarding/bridge_vlan_aware.sh | 5 +-
.../net/forwarding/bridge_vlan_unaware.sh | 5 +-
.../net/forwarding/forwarding.config.sample | 2 +
tools/testing/selftests/net/forwarding/lib.sh | 1 +
11 files changed, 103 insertions(+), 34 deletions(-)
--
2.25.1
Powered by blists - more mailing lists