lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <YhUVNc58trg+r3V9@shredder>
Date:   Tue, 22 Feb 2022 18:54:13 +0200
From:   Ido Schimmel <idosch@...sch.org>
To:     Vladimir Oltean <olteanv@...il.com>
Cc:     netdev@...r.kernel.org, Andrew Lunn <andrew@...n.ch>,
        Florian Fainelli <f.fainelli@...il.com>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Jiri Pirko <jiri@...nulli.us>,
        DENG Qingfang <dqfext@...il.com>,
        Tobias Waldekranz <tobias@...dekranz.com>,
        George McCollister <george.mccollister@...il.com>,
        Vlad Yasevich <vyasevich@...il.com>,
        Roopa Prabhu <roopa@...dia.com>,
        Nikolay Aleksandrov <nikolay@...dia.com>
Subject: Re: [RFC PATCH v2 net-next 05/17] net: bridge: implement unicast
 filtering for the bridge device

On Tue, Feb 22, 2022 at 01:21:53PM +0200, Vladimir Oltean wrote:
> Hi Ido,
> 
> On Mon, 1 Mar 2021 at 17:22, Ido Schimmel <idosch@...sch.org> wrote:
> >
> > On Wed, Feb 24, 2021 at 01:43:38PM +0200, Vladimir Oltean wrote:
> > > From: Vladimir Oltean <vladimir.oltean@....com>
> > >
> > > The bridge device currently goes into promiscuous mode when it has an
> > > upper with a different MAC address than itself. But it could do better:
> > > it could sync the MAC addresses of its uppers to the software FDB, as
> > > local entries pointing to the bridge itself. This is compatible with
> > > switchdev, since drivers are now instructed to trap these MAC addresses
> > > to the CPU.
> > >
> > > Note that the dev_uc_add API does not propagate VLAN ID, so this only
> > > works for VLAN-unaware bridges.
> >
> > IOW, it breaks VLAN-aware bridges...
> >
> > I understand that you do not want to track bridge uppers, but once you
> > look beyond L2 you will need to do it anyway.
> >
> > Currently, you only care about getting packets with specific DMACs to
> > the CPU. With L3 offload you will need to send these packets to your
> > router block instead and track other attributes of these uppers such as
> > their MTU so that the hardware will know to generate MTU exceptions. In
> > addition, the hardware needs to know the MAC addresses of these uppers
> > so that it will rewrite the SMAC of forwarded packets.
> 
> Ok, let's say I want to track bridge uppers. How can I track the changes to
> those interfaces' secondary addresses, in a way that keeps the association
> with their VLAN ID, if those uppers are VLAN interfaces?

Hi,

I'm not sure what you mean by "secondary addresses", but the canonical
way that I'm familiar with of adding MAC addresses to a netdev is to use
macvlan uppers. For example:

# ip link add name br0 up type bridge vlan_filtering 1
# ip link add link br0 name br0.10 type vlan id 10
# ip link add link br0.10 name br0.10-v address 00:11:22:33:44:55 type macvlan mode private

keepalived uses it in VRRP virtual MAC mode (for example):
https://github.com/acassen/keepalived/blob/master/doc/NOTE_vrrp_vmac.txt

In the software data path, this will result in br0 transitioning to
promisc mode and passing all the packets to upper devices that will
filter them.

In the hardware data path, you can apply promisc mode by flooding to
your CPU port (I believe this is what you are trying to avoid) or
install an FDB entry <00:11:22:33:44:55,10> that points to your CPU
port.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ