lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20230529221808.360b04c6@kernel.org>
Date: Mon, 29 May 2023 22:18:08 -0700
From: Jakub Kicinski <kuba@...nel.org>
To: Ido Schimmel <idosch@...dia.com>
Cc: <netdev@...r.kernel.org>, <bridge@...ts.linux-foundation.org>,
 <davem@...emloft.net>, <pabeni@...hat.com>, <edumazet@...gle.com>,
 <taras.chornyi@...ision.eu>, <saeedm@...dia.com>, <leon@...nel.org>,
 <petrm@...dia.com>, <vladimir.oltean@....com>, <claudiu.manoil@....com>,
 <alexandre.belloni@...tlin.com>, <UNGLinuxDriver@...rochip.com>,
 <jhs@...atatu.com>, <xiyou.wangcong@...il.com>, <jiri@...nulli.us>,
 <roopa@...dia.com>, <razor@...ckwall.org>, <simon.horman@...igine.com>
Subject: Re: [PATCH net-next v2 1/8] skbuff: bridge: Add layer 2 miss indication

On Mon, 29 May 2023 14:48:28 +0300 Ido Schimmel wrote:
> For EVPN non-DF (Designated Forwarder) filtering we need to be able to
> prevent decapsulated traffic from being flooded to a multi-homed host.
> Filtering of multicast and broadcast traffic can be achieved using the
> following flower filter:
> 
>  # tc filter add dev bond0 egress pref 1 proto all flower indev vxlan0 dst_mac 01:00:00:00:00:00/01:00:00:00:00:00 action drop
> 
> Unlike broadcast and multicast traffic, it is not currently possible to
> filter unknown unicast traffic. The classification into unknown unicast
> is performed by the bridge driver, but is not visible to other layers
> such as tc.
> 
> Solve this by adding a new 'l2_miss' bit to the tc skb extension. Clear
> the bit whenever a packet enters the bridge (received from a bridge port
> or transmitted via the bridge) and set it if the packet did not match an
> FDB or MDB entry. If there is no skb extension and the bit needs to be
> cleared, then do not allocate one as no extension is equivalent to the
> bit being cleared. The bit is not set for broadcast packets as they
> never perform a lookup and therefore never incur a miss.

Acked-by: Jakub Kicinski <kuba@...nel.org>
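The quoted description covers two decisions: which frames the existing flower filter (`dst_mac 01:00:00:00:00:00/01:00:00:00:00:00`) catches, and when the bridge sets the new `l2_miss` bit after its FDB/MDB lookup. The Python model below is an added example, not code from the patch, the bridge driver or anyone in this thread; it assumes the FDB and MDB are plain sets of destination MACs (no VLAN, port or ageing) and that a flower `dst_mac KEY/MASK` match compares only the bits set in the mask. All function names and the sample tables are constructed for this illustration.

```python
"""Model of the bridge lookup and flower match described in the patch.

Added example, not code from the patch, the bridge driver or the thread.
Assumptions: FDB and MDB are sets of lower-case MAC strings; flower's
'dst_mac KEY/MASK' is a masked byte-wise compare.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"

# The filter quoted in the description, as key/mask constants: only the
# I/G bit of the first octet is compared, so multicast and broadcast match.
IG_KEY = "01:00:00:00:00:00"
IG_MASK = "01:00:00:00:00:00"


def mac_bytes(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes; reject anything else."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return bytes(int(o, 16) for o in octets)


def flower_dst_mac_matches(dst_mac: str, key: str, mask: str) -> bool:
    """tc flower 'dst_mac KEY/MASK': compare only the bits set in MASK."""
    d, k, m = mac_bytes(dst_mac), mac_bytes(key), mac_bytes(mask)
    return all((db & mb) == (kb & mb) for db, kb, mb in zip(d, k, m))


def bridge_classify(dst_mac: str, fdb: set, mdb: set) -> tuple:
    """Return (class, l2_miss) the way the description says the bridge does.

    Broadcast never performs a lookup, so it never incurs a miss.
    Multicast misses when no MDB entry exists, unicast when no FDB entry.
    """
    dst = dst_mac.lower()
    if dst == BROADCAST:
        return "broadcast", False
    if mac_bytes(dst)[0] & 0x01:          # I/G bit set: group address
        return "multicast", dst not in mdb
    return "unicast", dst not in fdb


def non_df_should_drop(dst_mac: str, fdb: set, mdb: set) -> bool:
    """Non-DF filtering once l2_miss is matchable by tc.

    Drop what the bridge would flood: broadcast/multicast (the existing
    flower match) plus unicast that missed the FDB (now visible via l2_miss).
    Known unicast is forwarded to a single port and is left alone.
    """
    if flower_dst_mac_matches(dst_mac, IG_KEY, IG_MASK):
        return True
    _, miss = bridge_classify(dst_mac, fdb, mdb)
    return miss


if __name__ == "__main__":
    # Constructed sample tables: one learned unicast, one multicast group.
    fdb = {"00:11:22:33:44:55"}
    mdb = {"01:00:5e:01:02:03"}
    for mac in ("ff:ff:ff:ff:ff:ff", "01:00:5e:01:02:03", "01:80:c2:00:00:0e",
                "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"):
        cls, miss = bridge_classify(mac, fdb, mdb)
        print(f"{mac}  {cls:9s} l2_miss={miss!s:5s} "
              f"flower={flower_dst_mac_matches(mac, IG_KEY, IG_MASK)!s:5s} "
              f"non_df_drop={non_df_should_drop(mac, fdb, mdb)}")
```

Running it shows the gap the patch closes: the masked `dst_mac` match already covers broadcast and every multicast address, but the two unicast frames look identical to flower, and only the `l2_miss` result separates the learned one from the one the bridge would flood.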
