| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 01 Mar 2022 22:04:09 +0100
From: Tobias Waldekranz <tobias@...dekranz.com>
To: Florian Fainelli <f.fainelli@...il.com>,
Mattias Forsblad <mattias.forsblad@...il.com>,
netdev@...r.kernel.org
Cc: "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Mattias Forsblad <mattias.forsblad+netdev@...il.com>
Subject: Re: [PATCH net-next 0/3] bridge: dsa: switchdev: mv88e6xxx:
Implement local_receive bridge flag
On Tue, Mar 01, 2022 at 09:14, Florian Fainelli <f.fainelli@...il.com> wrote:
> On 3/1/2022 4:31 AM, Mattias Forsblad wrote:
>> Greetings,
>>
>> This series implements a new bridge flag 'local_receive' and HW
>> offloading for Marvell mv88e6xxx.
>>
>> When using a non-VLAN filtering bridge we want to be able to limit
>> traffic to the CPU port to lessen the CPU load. This is specially
>> important when we have disabled learning on user ports.
>>
>> A sample configuration could be something like this:
>>
>> br0
>> / \
>> swp0 swp1
>>
>> ip link add dev br0 type bridge stp_state 0 vlan_filtering 0
>> ip link set swp0 master br0
>> ip link set swp1 master br0
>> ip link set swp0 type bridge_slave learning off
>> ip link set swp1 type bridge_slave learning off
>> ip link set swp0 up
>> ip link set swp1 up
>> ip link set br0 type bridge local_receive 0
>> ip link set br0 up
>>
>> The first part of the series implements the flag for the SW bridge
>> and the second part the DSA infrastructure. The last part implements
>> offloading of this flag to HW for mv88e6xxx, which uses the
>> port vlan table to restrict the ingress from user ports
>> to the CPU port when this flag is cleared.
>
> Why not use a bridge with VLAN filtering enabled? I cannot quite find it
> right now, but Vladimir recently picked up what I had attempted before
> which was to allow removing the CPU port (via the bridge master device)
> from a specific group of VLANs to achieve that isolation.
>
Hi Florian,
Yes we are aware of this work, which is awesome by the way! For anyone
else who is interested, I believe you are referring to this series:
https://lore.kernel.org/netdev/20220215170218.2032432-1-vladimir.oltean@nxp.com/
There are cases though, where you want a TPMR-like setup (or "dumb hub"
mode, if you will) and ignore all tag information.
One application could be to use a pair of ports on a switch as an
ethernet extender/repeater for topologies that span large physical
distances. If this repeater is part of a redundant topology, you'd to
well to disable learning, in order to avoid dropping packets when the
surrounding active topology changes. This, in turn, will mean that all
flows will be classified as unknown unicast. For that reason it is very
important that the CPU be shielded.
You might be tempted to solve this using flooding filters of the
switch's CPU port, but these go out the window if you have another
bridge configured, that requires that flooding of unknown traffic is
enabled.
Another application is to create a similar setup, but with three ports,
and have the third one be used as a TAP.
>> Reviewed-by: Tobias Waldekranz <tobias@...dekranz.com>
>
> I don't believe this tag has much value since it was presumably carried
> over from an internal review. Might be worth adding it publicly now, though.
I think Mattias meant to replicate this tag on each individual
patch. Aside from that though, are you saying that a tag is never valid
unless there is a public message on the list from the signee? Makes
sense I suppose. Anyway, I will send separate tags for this series.
Powered by blists - more mailing lists