| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 9 Apr 2022 20:45:57 +0000
From: Vladimir Oltean <vladimir.oltean@....com>
To: Tobias Waldekranz <tobias@...dekranz.com>
CC: "netdev@...r.kernel.org" <netdev@...r.kernel.org>,
Jakub Kicinski <kuba@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Florian Fainelli <f.fainelli@...il.com>,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Vladimir Oltean <olteanv@...il.com>,
"UNGLinuxDriver@...rochip.com" <UNGLinuxDriver@...rochip.com>,
Paolo Abeni <pabeni@...hat.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <nikolay@...dia.com>,
Jiri Pirko <jiri@...dia.com>, Ido Schimmel <idosch@...dia.com>,
Mattias Forsblad <mattias.forsblad@...il.com>,
Joachim Wiberg <troglobit@...il.com>
Subject: Re: [PATCH net-next 0/6] Disable host flooding for DSA ports under a
bridge
Hi Tobias,
On Sat, Apr 09, 2022 at 09:46:54PM +0200, Tobias Waldekranz wrote:
> On Fri, Apr 08, 2022 at 23:03, Vladimir Oltean <vladimir.oltean@....com> wrote:
> > For this patch series to make more sense, it should be reviewed from the
> > last patch to the first. Changes were made in the order that they were
> > just to preserve patch-with-patch functionality.
> >
> > A little while ago, some DSA switch drivers gained support for
> > IFF_UNICAST_FLT, a mechanism through which they are notified of the
> > MAC addresses required for local standalone termination.
> > A bit longer ago, DSA also gained support for offloading BR_FDB_LOCAL
> > bridge FDB entries, which are the MAC addresses required for local
> > termination when under a bridge.
> >
> > So we have come one step closer to removing the CPU from the list of
> > destinations for packets with unknown MAC DA.What remains is to check
> > whether any software L2 forwarding is enabled, and that is accomplished
> > by monitoring the neighbor bridge ports that DSA switches have.
> >
> > With these changes, DSA drivers that fulfill the requirements for
> > dsa_switch_supports_uc_filtering() and dsa_switch_supports_mc_filtering()
> > will keep flooding towards the CPU disabled for as long as no port is
> > promiscuous. The bridge won't attempt to make its ports promiscuous
> > anymore either if said ports are offloaded by switchdev (this series
> > changes that behavior). Instead, DSA will fall back by its own will to
> > promiscuous mode on bridge ports when the bridge itself becomes
> > promiscuous, or a foreign interface is detected under the same bridge.
>
> Hi Vladimir,
>
> Great stuff! I've added Joachim to Cc. He has been working on a series
> to add support for configuring the equivalent of BR_FLOOD,
> BR_MCAST_FLOOD, and BR_BCAST_FLOOD on the bridge itself. I.e. allowing
> the user to specify how local_rcv is managed in br_handle_frame_finish.
>
> For switchdev drivers, being able to query whether a bridge will ingress
> unknown unicast to the host or not seems like the missing piece that
> makes this bullet proof. I.e. if you have...
>
> - No foreign interfaces
> - No promisc
> _and_
> - No BR_FLOOD on the bridge itself
>
> ..._then_ you can safely disable unicast flooding towards the CPU
> port. The same would hold for multicast and BR_MCAST_FLOOD of course.
>
> Not sure how close Joachim is to publishing his work. But I just thought
> you two should know about the other one's work :)
I haven't seen Joachim's work and I sure hope he can clarify. It seems
like there is some overlap that I don't currently know what to make of.
The way I see things, BR_FLOOD and BR_MCAST_FLOOD are egress settings,
so I'm not sure how to interpret them when applied to the bridge device
itself. On the other hand, treating IFF_PROMISC/IFF_ALLMULTI on the
bridge device as the knob that decides whether the software bridge wants
to ingress unknown MAC DA packets seems the more appropriate thing to do.
Powered by blists - more mailing lists