Date: Mon, 4 Jul 2022 16:36:12 +0200
From: Hans S <schultz.hans@...il.com>
To: Ido Schimmel <idosch@...dia.com>
Cc: "David S. Miller" <davem@...emloft.net>, Jakub Kicinski <kuba@...nel.org>, netdev@...r.kernel.org, Andrew Lunn <andrew@...n.ch>, Vivien Didelot <vivien.didelot@...il.com>, Florian Fainelli <f.fainelli@...il.com>, Vladimir Oltean <olteanv@...il.com>, Eric Dumazet <edumazet@...gle.com>, Paolo Abeni <pabeni@...hat.com>, Jiri Pirko <jiri@...nulli.us>, Ivan Vecera <ivecera@...hat.com>, Roopa Prabhu <roopa@...dia.com>, Nikolay Aleksandrov <razor@...ckwall.org>, Shuah Khan <shuah@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Hans Schultz <schultz.hans+netdev@...il.com>, linux-kernel@...r.kernel.org, bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH net-next v1 1/1] net: bridge: ensure that link-local traffic cannot unlock a locked port

On Mon, Jul 4, 2022 at 1:00 PM Ido Schimmel <idosch@...dia.com> wrote:
>
> On Mon, Jul 04, 2022 at 09:54:31AM +0200, Hans S wrote:
> > >
> > > IIUC, with mv88e6xxx, when the port is locked and learning is disabled:
> > >
> > > 1. You do not get miss violation interrupts. Meaning, you can't report
> > > 'locked' entries to the bridge driver.
> > >
> > > 2. You do not get aged-out interrupts. Meaning, you can't tell the
> > > bridge driver to remove aged-out entries.
> > >
> > > My point is that this should happen regardless if learning is enabled on
> > > the bridge driver or not. Just make sure it is always enabled in
> > > mv88e6xxx when the port is locked. Learning in the bridge driver itself
> > > can be off, thereby eliminating the need to disable learning from
> > > link-local packets.
> >
> > So you suggest that we enable learning in the driver when locking the
> > port and document that learning should be turned off from user space
> > before locking the port?
>
> Yes. Ideally, the bridge driver would reject configurations where
> learning is enabled and the port is locked, but it might be too late for
> that. It would be good to add a note in the man page that learning
> should be disabled when the port is locked to avoid "unlocking" the port
> by accident.

Well, you cannot unlock the port by either enabling or disabling learning after the port is locked, but MAC-Auth and refreshing might not work. I clarify just so that no one gets confused.

I can do so that the driver returns -EINVAL if learning is on when locking the port, but that would of course only be for mv88e6xxx...
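The thread above settles on a user-space convention rather than a kernel check: bridge learning should be turned off on a port before it is locked. The script below is an added example written for this page, not code from the thread or from the kernel tree. It gives the operator-side version of that convention: a helper that emits the `bridge link set` commands in the safe order, and an audit function that scans `bridge -d link show` output for ports that are `locked on` while still `learning on`. The sample output embedded in the script is constructed for offline use; the field names and their order follow iproute2's detailed link output as assumed here, so verify against your own `bridge -d link show` before relying on the parser.

```shell
#!/bin/sh
# Added example (not from the original thread): audit bridge ports for the
# "locked on" + "learning on" combination the discussion recommends against,
# and emit the commands that configure a locked port in the safe order.

# Constructed sample of `bridge -d link show` output: swp1 is misconfigured
# (locked with learning still on), swp2 is locked correctly, swp3 is unlocked.
SAMPLE='2: swp1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked on
3: swp2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning off flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked on
4: swp3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off locked off'

# Read `bridge -d link show` style text on stdin and print the name of every
# port that is both "locked on" and "learning on", one per line.
# Live usage: bridge -d link show | misconfigured_locked_ports
misconfigured_locked_ports() {
    awk '
        # Header line: "<ifindex>: <name>: <flags> ..." -> remember the port name.
        /^[0-9]+: / { sub(/:$/, "", $2); port = $2; next }
        # Detail line: scan "key value" pairs for the learning and locked flags.
        {
            learning = ""; locked = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "learning") learning = $(i + 1)
                if ($i == "locked")   locked   = $(i + 1)
            }
            if (locked == "on" && learning == "on") print port
        }
    '
}

# Print the commands that lock a port in the recommended order:
# learning off first, then locked on. Run the output as root on the switch.
lock_port_cmds() {
    printf 'bridge link set dev %s learning off\n' "$1"
    printf 'bridge link set dev %s locked on\n' "$1"
}

# Demonstration on the constructed sample: prints "swp1".
printf '%s\n' "$SAMPLE" | misconfigured_locked_ports
```

The audit deliberately reports only the combination the thread identifies as risky; a port that is `locked on` with `learning off` is the intended state and is left alone.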