| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 18 Mar 2022 17:03:31 +0100
From: Tobias Waldekranz <tobias@...dekranz.com>
To: Vladimir Oltean <olteanv@...il.com>
Cc: Florian Fainelli <f.fainelli@...il.com>,
Mattias Forsblad <mattias.forsblad@...il.com>,
netdev@...r.kernel.org, "David S . Miller" <davem@...emloft.net>,
Jakub Kicinski <kuba@...nel.org>, Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Mattias Forsblad <mattias.forsblad+netdev@...il.com>,
Joachim Wiberg <troglobit@...il.com>,
Ido Schimmel <idosch@...sch.org>,
"Allan W. Nielsen" <allan.nielsen@...rochip.com>,
Microchip Linux Driver Support <UNGLinuxDriver@...rochip.com>
Subject: Re: [PATCH net-next 0/3] bridge: dsa: switchdev: mv88e6xxx:
Implement local_receive bridge flag
On Fri, Mar 18, 2022 at 14:44, Vladimir Oltean <olteanv@...il.com> wrote:
> On Fri, Mar 18, 2022 at 01:09:08PM +0100, Tobias Waldekranz wrote:
>> >> > So have you seriously considered making the bridge ports that operate in
>> >> > 'dumb hub' mode have a pvid which isn't installed as a 'self' entry on
>> >> > the bridge device?
>> >>
>> >> Just so there's no confusion, you mean something like...
>> >>
>> >> ip link add dev br0 type bridge vlan_filtering 1 vlan_default_pvid 0
>> >>
>> >> for p in swp0 swp1; do
>> >> ip link set dev $p master br0
>> >> bridge vlan add dev $p vid 1 pvid untagged
>> >> done
>> >>
>> >> ... right?
>> >>
>> >> In that case, the repeater is no longer transparent with respect to
>> >> tagged packets, which the application requires.
>> >
>> > If you are sure that there exists one VLAN ID which is never used (like
>> > 4094), what you could do is you could set the port pvids to that VID
>> > instead of 1, and add the entire VLAN_N_VID range sans that VID in the
>> > membership list of the two ports, as egress-tagged.
>>
>> Yeah, I've thought about this too. If the device's only role is to act
>> as a repeater, then you can get away with it. But you will have consumed
>> all rows in the VTU and half of the rows in the ATU (we add an entry for
>> the broadcast address in every FID). So if you want to use your other
>> ports for regular bridging you're left with a very limited feature set.
>
> But VLANs in other bridges would reuse the same FIDs, at least in the
> current mv88e6xxx implementation with no FDB isolation, no? So even
> though the VTU is maxed out, it wouldn't get 'more' maxed out.
I'm pretty sure that mv88e6xxx won't allow the same VID to be configured
on multiple bridges. A quick test seems to support that:
root@...onet:~# ip link add dev br0 type bridge vlan_filtering 1
root@...onet:~# ip link add dev br1 type bridge vlan_filtering 1
root@...onet:~# ip link set dev br0 up
root@...onet:~# ip link set dev br1 up
root@...onet:~# ip link set dev swp1 master br0
root@...onet:~# ip link set dev swp2 master br1
RTNETLINK answers: Operation not supported
> As for the broadcast address needing to be present in the ATU, honestly
> I don't know too much about that. I see that some switches have a
> FloodBC bit, wouldn't that be useful?
mv88e6xxx can handle broadcast in two ways:
1. Always flood broadcast, independent of all other settings.
2. Treat broadcast as multicast, only allow flooding if unknown
multicast is allowed on the port, or if there's an entry in the ATU
(making it known) that allows it.
The kernel driver uses (2), because that is the only way (I know of)
that we can support the BCAST_FLOOD flag. In order to make BCAST_FLOOD
independent of MCAST_FLOOD, we have to load an entry allowing bc to
egress on all ports by default. De Morgan comes back to guide us once
more :)
>> > This is 'practical transparency' - if true transparency is required then
>> > yes, this doesn't work.
>> >
>> >> >> You might be tempted to solve this using flooding filters of the
>> >> >> switch's CPU port, but these go out the window if you have another
>> >> >> bridge configured, that requires that flooding of unknown traffic is
>> >> >> enabled.
>> >> >
>> >> > Not if CPU flooding can be managed on a per-user-port basis.
>> >>
>> >> True, but we aren't lucky enough to have hardware that can do that :)
>> >>
>> >> >> Another application is to create a similar setup, but with three ports,
>> >> >> and have the third one be used as a TAP.
>> >> >
>> >> > Could you expand more on this use case?
>> >>
>> >> Its just the standard use-case for a TAP really. You have some link of
>> >> interest that you want to snoop, but for some reason there is no way of
>> >> getting a PCAP from the station on either side:
>> >>
>> >> Link of interest
>> >> |
>> >> .-------. v .-------.
>> >> | Alice +---+ Bob |
>> >> '-------' '-------'
>> >>
>> >> So you insert a hub in the middle, and listen on a third port:
>> >>
>> >> .-------. .-----. .-------.
>> >> | Alice +---+ TAP +---+ Bob |
>> >> '-------' '--+--' '-------'
>> >> |
>> >> PC running tcpdump/wireshark
>> >>
>> >> The nice thing about being able to set this up in Linux is that if your
>> >> hardware comes with a mix of media types, you can dynamically create the
>> >> TAP for the job at hand. E.g. if Alice and Bob are communicating over a
>> >> fiber, but your PC only has a copper interface, you can bridge to fiber
>> >> ports with one copper; if you need to monitor a copper link 5min later,
>> >> you just swap out the fiber ports for two copper ports.
>> >>
>> >> >> >> Reviewed-by: Tobias Waldekranz <tobias@...dekranz.com>
>> >> >> >
>> >> >> > I don't believe this tag has much value since it was presumably carried
>> >> >> > over from an internal review. Might be worth adding it publicly now, though.
>> >> >>
>> >> >> I think Mattias meant to replicate this tag on each individual
>> >> >> patch. Aside from that though, are you saying that a tag is never valid
>> >> >> unless there is a public message on the list from the signee? Makes
>> >> >> sense I suppose. Anyway, I will send separate tags for this series.
Powered by blists - more mailing lists