lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <cbd86da13416db43b018299bfe3a93707f301311.camel@nvidia.com>
Date: Thu, 22 Jan 2026 12:15:37 +0000
From: Cosmin Ratiu <cratiu@...dia.com>
To: "sd@...asysnail.net" <sd@...asysnail.net>
CC: "pabeni@...hat.com" <pabeni@...hat.com>, "netdev@...r.kernel.org"
	<netdev@...r.kernel.org>, "edumazet@...gle.com" <edumazet@...gle.com>,
	"andrew+netdev@...n.ch" <andrew+netdev@...n.ch>, "davem@...emloft.net"
	<davem@...emloft.net>, Dragos Tatulea <dtatulea@...dia.com>,
	"kuba@...nel.org" <kuba@...nel.org>
Subject: Re: [PATCH net] macsec: Support VLAN-filtering lower devices

On Tue, 2026-01-13 at 15:47 +0100, Sabrina Dubroca wrote:
> 2026-01-12, 10:32:17 +0000, Cosmin Ratiu wrote:
> > Perhaps "undesirable" is too strong of a word. I would use
> > "unneeded".
> > Having the encrypted VLANs in the lower dev HW filter can't do too
> > much
> > harm, except maybe allowing some non-macsec packets with those
> > vlans
> > when previously they wouldn't be allowed.
> 
> Well, if an admin has the filters working and suddenly starts seeing
> packets that should have been filtered out, they may get confused.
> 
> > But remember what happened before the mentioned "Fixes" patch: the
> > lower device was put in promisc mode because it didn't advertise
> > IFF_UNICAST_FLT so it would have received all packets anyway.
> > So this fix is strictly better, simple enough that it can be
> > understood
> > to be harmless.
> 
> Ok.
> 
> > The vlan_{get,drop}_rx_*_filter_info functions simply call device
> > notifiers when the VLAN filter flags change, they're not useful for
> > obtaining the list of VLANs. The upper devs keep track of those.
> 
> But that notifier gets caught in vlan_device_event, which calls
> vlan_filter_push_vids. That iterates all existing vlans and pushes
> them into the real device. That's why I thought it might work here,
> but I haven't tried.

Looked over this, and I think it's exactly what's needed.
I'll get back with an updated patch hopefully soon.

> > If I engineer the fix we're discussing here (which would make
> > macsec
> > keep track of VLANs), it would be significantly more complicated,
> > and
> > it belonging into net instead of net-next could be called into
> > question.
> 
> Sure, if we have to implement all that in macsec, I would agree to
> take the current patch, and do the tracking later in net-next. In
> that
> case, please just add a note to the commit message about the offload
> vs non-offload behavior we're discussing here.
> 
> Either way, it would also be good to add some selftests.

Will add.

Cosmin.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ