| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 Oct 2022 15:52:09 +0100
From: Casper Andersson <casper.casan@...il.com>
To: Steen Hegelund <steen.hegelund@...rochip.com>
Cc: "David S . Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
Paolo Abeni <pabeni@...hat.com>, UNGLinuxDriver@...rochip.com,
Randy Dunlap <rdunlap@...radead.org>,
Russell King <rmk+kernel@...linux.org.uk>,
Wan Jiabing <wanjiabing@...o.com>,
Nathan Huckleberry <nhuck@...gle.com>,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
Daniel Machon <daniel.machon@...rochip.com>,
Horatiu Vultur <horatiu.vultur@...rochip.com>,
Lars Povlsen <lars.povlsen@...rochip.com>
Subject: Re: [PATCH net-next v2 2/5] net: microchip: sparx5: Adding more tc
flower keys for the IS2 VCAP
Hi Steen,
On 2022-10-31 13:14, Steen Hegelund wrote:
> Hi Casper,
>
> First of all thanks for the testing effort (as usual). This is most welcome.
>
> On Mon, 2022-10-31 at 11:44 +0100, Casper Andersson wrote:
> > EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe
> >
> > Hi Steen,
> >
> > On 2022-10-28 16:45, Steen Hegelund wrote:
> > > - IPv4 Addresses
> > > tc filter add dev eth12 ingress chain 8000000 prio 12 handle 12 \
> > > protocol ip flower skip_sw dst_ip 1.0.1.1 src_ip 2.0.2.2 \
> > > action trap
> >
> > I'm not able to get this working on PCB135. I tested the VLAN tags and
> > did not work either (did not test the rest). The example from the
> > previous patch series doesn't work either after applying this series.
>
>
> Yes I did not really explain this part (and I will update the series with an explanation).
>
> 1) The rule example in the previous series will no longer work as expected as the changes to the
> port keyset configuration now requires a non-ip frame to generate the MAC_ETYPE keyset.
>
> So to test the MAC_ETYPE case your rule must be non-ip and not use "protocol all" which is not
> supported yet.
>
> Here is an example using the "protocol 0xbeef":
>
> tc qdisc add dev eth3 clsact
> tc filter add dev eth3 ingress chain 8000000 prio 10 handle 10 \
> protocol 0xbeef flower skip_sw \
> dst_mac 0a:0b:0c:0d:0e:0f \
> src_mac 2:0:0:0:0:1 \
> action trap
>
> And send a frame like this (using EasyFrame):
>
> ef tx eth_fiber1 rep 10 eth dmac 0a:0b:0c:0d:0e:0f smac 2::1 et 0xbeef data repeat 50 0x61
Thanks, this works. I saw now that you even mentioned that "protocol
all" doesn't work at the very end of this commit message.
> I am not sure what went wrong when you tested the ipv4 rule, but if I create the rule that you
> quoted above the rule is activated when I send frames like this:
>
> ef tx eth_fiber1 rep 10 eth dmac 0a:0b:0c:0d:0e:0f smac 2::2 ipv4 dip 1.0.1.1 sip 2.0.2.2 data
> repeat 50 0x61
Looks like adding the "data" at the end of it makes a difference when
creating the packets. Without it the ip.proto field becomes 17 (UDP).
With "data" it becomes 0 (IPv6 Hop-by-Hop Option). Ef will defaults to
17 if no data is specified, otherwise it ends up 0. And the reason
UDP doesn't get trapped I assume is because this rule falls under the
IPV4_OTHER keyset (as opposed to IPV4_TCP_UDP).
Doing just this was enough:
ef tx eth0 rep 10 eth dmac 0a:0b:0c:0d:0e:0f smac 2::2 ipv4 dip 1.0.1.1 sip 2.0.2.2 data
This also solved it for VLANs. I have successfully tested ipv4, ipv6,
protocol info (ICMP), and vlan tag info from the examples you provided.
Tested on Microchip PCB135 switch.
Tested-by: Casper Andersson <casper.casan@...il.com>
BR,
Casper
>
> Note that the smac is changed to avoid hitting the first rule.
>
> 2) As for the VLAN based rules, the VLAN information used by IS2 is the classified VID and PCP, so
> you need to create a bridge and add the VID to the bridge and the ports to see this in action.
>
> IS0 uses the VLAN tags in the frames directly: this is one of the differences between IS0 and IS2.
>
> This is how I set up a bridge on my PCB134 when I do the testing:
>
> ip link add name br5 type bridge
> ip link set dev br5 up
> ip link set eth12 master br5
> ip link set eth13 master br5
> ip link set eth14 master br5
> ip link set eth15 master br5
> sysctl -w net.ipv6.conf.eth12.disable_ipv6=1
> sysctl -w net.ipv6.conf.eth13.disable_ipv6=1
> sysctl -w net.ipv6.conf.eth14.disable_ipv6=1
> sysctl -w net.ipv6.conf.eth15.disable_ipv6=1
> sysctl -w net.ipv6.conf.br5.disable_ipv6=1
> ip link set dev br5 type bridge vlan_filtering 1
> bridge vlan add dev eth12 vid 600
> bridge vlan add dev eth13 vid 600
> bridge vlan add dev eth14 vid 600
> bridge vlan add dev eth15 vid 600
> bridge vlan add dev br5 vid 600 self
>
> This should now allow you to use the classified VLAN information in IS2 on these four ports.
>
> >
> > This example was provided in your last patch series and worked earlier.
> >
> > My setup is PC-eth0 -> PCB135-eth3 and I use the following EasyFrames
> > command to send packets:
> >
> > ef tx eth0 rep 50 eth smac 02:00:00:00:00:01 dmac 0a:0b:0c:0d:0e:0f
> >
> > IPv4:
> > tc qdisc add dev eth3 clsact
> > tc filter add dev eth3 ingress chain 8000000 prio 12 handle 12 \
> > protocol ip flower skip_sw dst_ip 1.0.1.1 src_ip 2.0.2.2 \
> > action trap
> >
> > ef tx eth0 rep 50 eth smac 02:00:00:00:00:01 dmac 0a:0b:0c:0d:0e:0f ipv4 dip 1.0.1.1 sip 2.0.2.2
> >
> > Same setup as above and I can't get this to work either.
>
> Maybe you are hitting the first rule here, so changing the smac to avoid that, should help.
>
> >
> > I'm using tcpdump to watch the interface to see if the packets are being
> > trapped or not. Changing the packets' dmac to broadcast lets me see the
> > packets so I don't have any issue with the setup.
> >
> > BR,
> > Casper
> >
>
> Best Regards
> Steen
BR,
Casper
Powered by blists - more mailing lists