lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <cover.1689262695.git.petrm@nvidia.com>
Date: Thu, 13 Jul 2023 18:15:23 +0200
From: Petr Machata <petrm@...dia.com>
To: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, <netdev@...r.kernel.org>
CC: Ido Schimmel <idosch@...dia.com>, Petr Machata <petrm@...dia.com>,
	Danielle Ratson <danieller@...dia.com>, <mlxsw@...dia.com>
Subject: [PATCH net-next 00/11] mlxsw: Manage RIF across PVID changes

The mlxsw driver currently makes the assumption that the user applies
configuration in a bottom-up manner. Thus netdevices need to be added to
the bridge before IP addresses are configured on that bridge or SVI added
on top of it. Enslaving a netdevice to another netdevice that already has
uppers is in fact forbidden by mlxsw for this reason. Despite this safety,
it is rather easy to get into situations where the offloaded configuration
is just plain wrong.

As an example, take a front panel port, configure an IP address: it gets a
RIF. Now enslave the port to the bridge, and the RIF is gone. Remove the
port from the bridge again, but the RIF never comes back. There is a number
of similar situations, where changing the configuration there and back
utterly breaks the offload.

The situation is going to be made better by implementing a range of replays
and post-hoc offloads.

In this patch set, address the ordering issues related to creation of
bridge RIFs. Currently, mlxsw has several shortcomings with regards to RIF
handling due to PVID changes:

- In order to cause RIF for a bridge device to be created, the user is
  expected first to set PVID, then to add an IP address. The reverse
  ordering is disallowed, which is not very user-friendly.

- When such bridge gets a VLAN upper whose VID was the same as the existing
  PVID, and this VLAN netdevice gets an IP address, a RIF is created for
  this netdevice. The new RIF is then assigned to the 802.1Q FID for the
  given VID. This results in a working configuration. However, then, when
  the VLAN netdevice is removed again, the RIF for the bridge itself is
  never reassociated to the PVID.

- PVID cannot be changed once the bridge has uppers. Presumably this is
  because the driver does not manage RIFs properly in face of PVID changes.
  However, as the previous point shows, it is still possible to get into
  invalid configurations.

This patch set addresses these issues and relaxes some of the ordering
requirements that mlxsw had. The patch set proceeds as follows:

- In patch #1, pass extack to mlxsw_sp_br_ban_rif_pvid_change()

- To relax ordering between setting PVID and adding an IP address to a
  bridge, mlxsw must be able to request that a RIF is created with a given
  VLAN ID, instead of trying to deduce it from the current netdevice
  settings, which do not reflect the user-requested values yet. This is
  done in patches #2 and #3.

- Similarly, mlxsw_sp_inetaddr_bridge_event() will need to make decisions
  based on the user-requested value of PVID, not the current value. Thus in
  patches #4 and #5, add a new argument which carries the requested PVID
  value.

- Finally in patch #6 relax the ban on PVID changes when a bridge has
  uppers. Instead, add the logic necessary for creation of a RIF as a
  result of PVID change.

- Relevant selftests are presented afterwards. In patch #7 a preparatory
  helper is added to lib.sh. Patches #8, #9, #10 and #11 include selftests
  themselves.

Petr Machata (11):
  mlxsw: spectrum_switchdev: Pass extack to
    mlxsw_sp_br_ban_rif_pvid_change()
  mlxsw: spectrum_router: Pass struct mlxsw_sp_rif_params to fid_get
  mlxsw: spectrum_router: Take VID for VLAN FIDs from RIF params
  mlxsw: spectrum_router: Adjust mlxsw_sp_inetaddr_vlan_event() coding
    style
  mlxsw: spectrum_router: mlxsw_sp_inetaddr_bridge_event: Add an
    argument
  mlxsw: spectrum_switchdev: Manage RIFs on PVID change
  selftests: forwarding: lib: Add ping6_, ping_test_fails()
  selftests: router_bridge: Add tests to remove and add PVID
  selftests: router_bridge_vlan: Add PVID change test
  selftests: router_bridge_vlan_upper_pvid: Add a new selftest
  selftests: router_bridge_pvid_vlan_upper: Add a new selftest

 .../ethernet/mellanox/mlxsw/spectrum_router.c | 169 +++++++++++++++--
 .../ethernet/mellanox/mlxsw/spectrum_router.h |   4 +
 .../mellanox/mlxsw/spectrum_switchdev.c       |  32 +---
 .../testing/selftests/net/forwarding/Makefile |   2 +
 tools/testing/selftests/net/forwarding/lib.sh |  18 ++
 .../selftests/net/forwarding/router_bridge.sh |  50 +++++
 .../router_bridge_pvid_vlan_upper.sh          | 155 ++++++++++++++++
 .../net/forwarding/router_bridge_vlan.sh      | 100 ++++++++--
 .../router_bridge_vlan_upper_pvid.sh          | 171 ++++++++++++++++++
 9 files changed, 643 insertions(+), 58 deletions(-)
 create mode 100755 tools/testing/selftests/net/forwarding/router_bridge_pvid_vlan_upper.sh
 create mode 100755 tools/testing/selftests/net/forwarding/router_bridge_vlan_upper_pvid.sh

-- 
2.40.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ