Date:   Thu, 3 Feb 2022 14:43:32 +0200
From:   Vladimir Oltean <olteanv@...il.com>
To:     Tobias Waldekranz <tobias@...dekranz.com>
Cc:     davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
        Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Florian Fainelli <f.fainelli@...il.com>,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 net-next 1/5] net: dsa: mv88e6xxx: Improve isolation
 of standalone ports

On Thu, Feb 03, 2022 at 11:16:53AM +0100, Tobias Waldekranz wrote:
> Clear MapDA on standalone ports to bypass any ATU lookup that might
> point the packet in the wrong direction. This means that all packets
> are flooded using the PVT config. So make sure that standalone ports
> are only allowed to communicate with the local upstream port.
> 
> Here is a scenario in which this is needed:
> 
>    CPU
>     |     .----.
> .---0---. | .--0--.
> |  sw0  | | | sw1 |
> '-1-2-3-' | '-1-2-'
>       '---'
> 
> - sw0p1 and sw1p1 are bridged
> - sw0p2 and sw1p2 are in standalone mode
> - Learning must be enabled on sw0p3 in order for hardware forwarding
>   to work properly between bridged ports
> 
> 1. A packet with SA :aa comes in on sw1p2
>    1a. Egresses sw1p0
>    1b. Ingresses sw0p3, ATU adds an entry for :aa towards port 3
>    1c. Egresses sw0p0
> 
> 2. A packet with DA :aa comes in on sw0p2
>    2a. If an ATU lookup is done at this point, the packet will be
>        incorrectly forwarded towards sw0p3. With this change in place,
>        the ATU is bypassed and the packet is forwarded in accordance
>        with the PVT, which only contains the CPU port.
> 
> Signed-off-by: Tobias Waldekranz <tobias@...dekranz.com>
> ---

Reviewed-by: Vladimir Oltean <olteanv@...il.com>
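
As an added illustration (not part of the original message and not code from the mv88e6xxx driver), this C program models sw0's forwarding decision for the scenario in the quoted commit message. The struct layout, the one-byte MAC shorthand and the premise that the standalone port's egress mask included the DSA link before the change are assumptions of this toy model.

```c
#include <stdint.h>
#include <stdio.h>

#define NPORTS   4
#define NO_ENTRY 0xff
#define BIT(p)   (1u << (p))

/* Toy model of sw0 only; names are illustrative, not the driver's. */
struct port { int learning; int map_da; uint8_t allowed; /* egress mask */ };
struct sw   { struct port port[NPORTS]; uint8_t atu[256]; /* MAC byte -> port */ };

/* Return the egress port mask for a frame entering on port `in`. */
static uint8_t forward(struct sw *s, int in, uint8_t sa, uint8_t da)
{
    uint8_t dest = BIT(NPORTS) - 1;             /* default: flood to all ports */

    if (s->port[in].learning)
        s->atu[sa] = (uint8_t)in;               /* learn SA on ingress port */
    if (s->port[in].map_da && s->atu[da] != NO_ENTRY)
        dest = BIT(s->atu[da]);                 /* ATU hit steers the frame */
    /* The port's egress mask always applies; never reflect to ingress. */
    return dest & s->port[in].allowed & (uint8_t)~BIT(in);
}

/* Replay steps 1b and 2 of the scenario; return the egress mask of step 2. */
static uint8_t scenario(int p2_map_da, uint8_t p2_allowed)
{
    struct sw s;

    for (int i = 0; i < 256; i++)
        s.atu[i] = NO_ENTRY;
    s.port[0] = (struct port){0, 1, 0x0e};             /* CPU port */
    s.port[1] = (struct port){1, 1, BIT(0) | BIT(3)};  /* bridged port */
    s.port[2] = (struct port){0, p2_map_da, p2_allowed}; /* standalone port */
    s.port[3] = (struct port){1, 1, 0x07};             /* DSA link, learning on */

    forward(&s, 3, 0xaa, 0x01);         /* 1b: SA :aa is learned towards port 3 */
    return forward(&s, 2, 0xbb, 0xaa);  /* 2: frame with DA :aa enters sw0p2 */
}

int main(void)
{
    /* Bit 0 is the CPU port, bit 3 is sw0p3 (the link to sw1). */
    printf("MapDA set, DSA link allowed: 0x%02x\n", scenario(1, BIT(0) | BIT(3)));
    printf("MapDA clear, CPU port only:  0x%02x\n", scenario(0, BIT(0)));
    return 0;
}
```

In this model, clearing MapDA while leaving the DSA link in the egress mask still floods the frame to sw0p3, which is why the commit message pairs the two settings.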
