lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 13 Mar 2022 14:23:47 +0300 From: Arınç ÜNAL <arinc.unal@...nc9.com> To: Jakub Kicinski <kuba@...nel.org>, Florian Fainelli <f.fainelli@...il.com>, Vladimir Oltean <olteanv@...il.com>, Alvin Šipraga <ALSI@...g-olufsen.dk>, Linus Walleij <linus.walleij@...aro.org>, Andrew Lunn <andrew@...n.ch>, Luiz Angelo Daros de Luca <luizluca@...il.com>, DENG Qingfang <dqfext@...il.com>, erkin.bozoglu@...ont.com Cc: "netdev@...r.kernel.org" <netdev@...r.kernel.org> Subject: Isolating DSA Slave Interfaces on a Bridge with Bridge Offloading Hi all, The company I work with has got a product with a Mediatek MT7530 switch. They want to offer isolation for the switch ports on a bridge. I have run a test on a slightly modified 5.17-rc1 kernel. These commands below should prevent communication between the two interfaces: bridge link set dev sw0p4 isolated on bridge link set dev sw0p3 isolated on However, computers connected to each of these ports can still communicate with each other. Bridge TX forwarding offload is implemented on the MT7530 DSA driver. What I understand is isolation works on the software and because of the bridge offloading feature, the frames never reach the CPU where we can block it. Two solutions I can think of: - Disable bridge offloading when isolation is enabled on a DSA slave interface. Not the best solution but seems easy to implement. - When isolation is enabled on a DSA slave interface, do not mirror the related FDB entries to the switch hardware so we can keep the bridge offloading feature for other ports. I suppose this could only be achieved on switch specific DSA drivers so the implementation would differ by each driver. Cheers. Arınç
Powered by blists - more mailing lists