Date:   Fri,  8 Apr 2022 23:03:31 +0300
From:   Vladimir Oltean <vladimir.oltean@....com>
To:     netdev@...r.kernel.org
Cc:     Jakub Kicinski <kuba@...nel.org>,
        "David S. Miller" <davem@...emloft.net>,
        Florian Fainelli <f.fainelli@...il.com>,
        Andrew Lunn <andrew@...n.ch>,
        Vivien Didelot <vivien.didelot@...il.com>,
        Vladimir Oltean <olteanv@...il.com>,
        UNGLinuxDriver@...rochip.com, Paolo Abeni <pabeni@...hat.com>,
        Roopa Prabhu <roopa@...dia.com>,
        Nikolay Aleksandrov <nikolay@...dia.com>,
        Jiri Pirko <jiri@...dia.com>, Ido Schimmel <idosch@...dia.com>,
        Tobias Waldekranz <tobias@...dekranz.com>,
        Mattias Forsblad <mattias.forsblad@...il.com>
Subject: [PATCH net-next 0/6] Disable host flooding for DSA ports under a bridge

For this patch series to make more sense, it should be reviewed from the
last patch to the first. Changes were made in the order that they were
just to preserve patch-with-patch functionality.

A little while ago, some DSA switch drivers gained support for
IFF_UNICAST_FLT, a mechanism through which they are notified of the
MAC addresses required for local standalone termination.
A bit longer ago, DSA also gained support for offloading BR_FDB_LOCAL
bridge FDB entries, which are the MAC addresses required for local
termination when under a bridge.

So we have come one step closer to removing the CPU from the list of
destinations for packets with unknown MAC DA. What remains is to check
whether any software L2 forwarding is enabled, and that is accomplished
by monitoring the neighbor bridge ports that DSA switches have.

With these changes, DSA drivers that fulfill the requirements for
dsa_switch_supports_uc_filtering() and dsa_switch_supports_mc_filtering()
will keep flooding towards the CPU disabled for as long as no port is
promiscuous. The bridge won't attempt to make its ports promiscuous
anymore either if said ports are offloaded by switchdev (this series
changes that behavior). Instead, DSA will fall back by its own will to
promiscuous mode on bridge ports when the bridge itself becomes
promiscuous, or a foreign interface is detected under the same bridge.

Vladimir Oltean (6):
  net: refactor all NETDEV_CHANGE notifier calls to a single function
  net: emit NETDEV_CHANGE for changes to IFF_PROMISC | IFF_ALLMULTI
  net: dsa: walk through all changeupper notifier functions
  net: dsa: track whether bridges have foreign interfaces in them
  net: dsa: monitor changes to bridge promiscuity
  net: bridge: avoid uselessly making offloaded ports promiscuous

 include/net/dsa.h  |   4 +-
 net/bridge/br_if.c |  63 +++++++++++--------
 net/core/dev.c     |  34 +++++-----
 net/dsa/dsa_priv.h |   2 +
 net/dsa/port.c     |  12 ++++
 net/dsa/slave.c    | 150 ++++++++++++++++++++++++++++++++++++++++++---
 6 files changed, 215 insertions(+), 50 deletions(-)

-- 
2.25.1
