| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Feb 2022 09:01:47 -0800 From: Stephen Hemminger <stephen@...workplumber.org> To: Nikolay Aleksandrov <nikolay@...dia.com> Cc: Felix Fietkau <nbd@....name>, <netdev@...r.kernel.org> Subject: Re: [RFC 1/2] net: bridge: add knob for filtering rx/tx BPDU packets on a port On Thu, 10 Feb 2022 16:55:40 +0200 Nikolay Aleksandrov <nikolay@...dia.com> wrote: > On 10/02/2022 16:24, Felix Fietkau wrote: > > Some devices (e.g. wireless APs) can't have devices behind them be part of > > a bridge topology with redundant links, due to address limitations. > > Additionally, broadcast traffic on these devices is somewhat expensive, due to > > the low data rate and wakeups of clients in powersave mode. > > This knob can be used to ensure that BPDU packets are never sent or forwarded > > to/from these devices > > > > Signed-off-by: Felix Fietkau <nbd@....name> > > --- > > include/linux/if_bridge.h | 1 + > > include/uapi/linux/if_link.h | 1 + > > net/bridge/br_forward.c | 5 +++++ > > net/bridge/br_input.c | 2 ++ > > net/bridge/br_netlink.c | 6 +++++- > > net/bridge/br_stp_bpdu.c | 9 +++++++-- > > net/core/rtnetlink.c | 4 +++- > > 7 files changed, 24 insertions(+), 4 deletions(-) > > > > Why can't netfilter or tc be used to filter these frames? > > It could but this looks better. BPDU filter matches what other hardware switch vendors offer and has the benefit of not adding another layer of complexity into user configurations. Adding one rule into a complex firewall or starting to have to configure tc is a mess.
Powered by blists - more mailing lists