From: Stephen Hemminger <stephen@networkplumber.org>
To: Bernhard Thaler <bernhard.thaler@wvnet.at>
Cc: netdev@vger.kernel.org, bridge@lists.linux-foundation.org,
	davem@davemloft.net
Subject: Re: [PATCH 1/1] bridge: remove BR_GROUPFWD_RESTRICTED for arbitrary forwarding of reserved addresses
Date: Mon, 5 Jan 2015 22:10:34 -0800
Message-ID: <20150105221034.0f69d6fd@urahara>
In-Reply-To: <1420505776-26827-1-git-send-email-bernhard.thaler@wvnet.at>

On Tue,  6 Jan 2015 01:56:15 +0100
Bernhard Thaler <bernhard.thaler@wvnet.at> wrote:

> BR_GROUPFWD_RESTRICTED bitmask restricts users from setting values to
> /sys/class/net/brX/bridge/group_fwd_mask that allow forwarding of
> some IEEE 802.1D Table 7-10 Reserved addresses:
> 	(MAC Control) 802.3		01-80-C2-00-00-01
> 	(Link Aggregation) 802.3	01-80-C2-00-00-02
> 	802.1AB LLDP			01-80-C2-00-00-0E
> BR_GROUPFWD_RESTRICTED may have been set as an extra protection against
> forwarding these control frames as forwarding 802.1X PAE (01-80-C2-00-00-03)
> in 802.1X setups satisfies most common use-cases.
> Other situations, such as placing a software based bridge as a "TAP" between two
> devices, may require forwarding e.g. LLDP frames while debugging network problems
> or actively changing/filtering traffic with ebtables.
> 
> This patch allows setting e.g.:
> 	echo 65535 > /sys/class/net/brX/bridge/group_fwd_mask
> which sets no restrictions on the forwardable reserved addresses.
> 
> - the default value 0 will still comply with 802.1D and not forward any
>   reserved addresses
> - values such as 8 for forwarding 802.1X related frames will behave the
>   same way as with BR_GROUPFWD_RESTRICTED currently in place, so backward
>   compatibility to current scripts using group_fwd_mask should be possible
> 
> Administrators and network engineers however will be able to arbitrarily
> forward any reserved addresses without BR_GROUPFWD_RESTRICTED. This will
> be non-standard compliant behavior, but forwarding of any reserved address
> right from the beginning is. Users should be aware of this anyway and
> know what/why they are doing when setting values such as 65535, 32768, 16384,
> 4, 2 for group_fwd_mask.
> 
> This patch was tested on a bridge with two interfaces created with bridge-utils.
> 
> Signed-off-by: Bernhard Thaler <bernhard.thaler@wvnet.at>

I am ok with forwarding LLDP because some people need it.
But allowing forwarding STP or PAUSE frames is bad.

We don't let people do things that break networks. Other examples
already exist, like setting all-zero Ethernet addresses, or the restrictions
on allowing net 127 in IP addresses.
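The discussion above turns on how a group_fwd_mask value maps to the 802.1D reserved addresses: bit N of the 16-bit mask corresponds to 01-80-C2-00-00-0N, which is why 8 (bit 3) forwards 802.1X PAE and 16384 (bit 14) forwards LLDP. The following is an added example, not code from the patch or from the kernel, that decodes a mask as an administrator would when auditing a bridge, and flags the bits the thread describes as restricted (the three addresses in the commit message plus STP, which the reply names). The exact value of BR_GROUPFWD_RESTRICTED and the sysfs output format are assumptions here; the sample sysfs contents are constructed.

```python
# Added example (not the patch's or the kernel's code): decode a bridge
# group_fwd_mask into the IEEE 802.1D reserved addresses it forwards and
# flag the bits BR_GROUPFWD_RESTRICTED keeps off.

RESERVED_PREFIX = "01:80:c2:00:00:"

# Names for the reserved addresses mentioned in the thread; other bits are
# unnamed entries of 802.1D Table 7-10.
NAMES = {
    0x00: "STP (Bridge Group Address)",
    0x01: "MAC Control / PAUSE (802.3)",
    0x02: "Slow Protocols / Link Aggregation (802.3)",
    0x03: "802.1X PAE",
    0x0E: "802.1AB LLDP",
}

# Bits the thread describes as blocked before the patch: STP (named in the
# reply), MAC Control, Link Aggregation and LLDP (listed in the commit
# message). Assumption: this matches the kernel constant of the time.
RESTRICTED_MASK = (1 << 0x00) | (1 << 0x01) | (1 << 0x02) | (1 << 0x0E)


def check_mask(mask):
    """group_fwd_mask is a 16-bit value; reject anything outside that range."""
    if not 0 <= mask <= 0xFFFF:
        raise ValueError("group_fwd_mask must be a 16-bit value")
    return mask


def decode_group_fwd_mask(mask):
    """Return [(bit, mac, name)] for every reserved address the mask forwards.

    Bit N of the mask enables forwarding of 01:80:c2:00:00:0N.
    """
    check_mask(mask)
    return [
        (bit, f"{RESERVED_PREFIX}{bit:02x}", NAMES.get(bit, "reserved (unnamed here)"))
        for bit in range(16)
        if mask & (1 << bit)
    ]


def restricted_bits(mask):
    """Bits of the mask that BR_GROUPFWD_RESTRICTED would have refused."""
    check_mask(mask)
    return sorted(bit for bit in range(16) if mask & RESTRICTED_MASK & (1 << bit))


def would_have_been_rejected(mask):
    """Emulate the pre-patch sysfs check: any restricted bit set -> EINVAL."""
    return bool(check_mask(mask) & RESTRICTED_MASK)


def audit_sysfs(contents):
    """Parse the text of /sys/class/net/brX/bridge/group_fwd_mask.

    Assumption: the kernel prints the mask in hex ("0x0"); base-0 parsing
    also accepts the decimal form an administrator may have echoed in.
    """
    mask = check_mask(int(contents.strip(), 0))
    return {
        "mask": mask,
        "forwards": decode_group_fwd_mask(mask),
        "restricted": restricted_bits(mask),
    }


# Constructed sample sysfs contents for three bridges (not real captures).
SAMPLE_SYSFS = {
    "br0": "0x0\n",      # default: 802.1D compliant, nothing forwarded
    "br1": "0x8\n",      # 802.1X PAE only, the common pre-patch use
    "br2": "65535\n",    # everything, including STP and PAUSE
}

if __name__ == "__main__":
    for name, text in SAMPLE_SYSFS.items():
        report = audit_sysfs(text)
        print(f"{name}: mask={report['mask']:#06x}")
        for bit, mac, desc in report["forwards"]:
            flag = "  (restricted)" if bit in report["restricted"] else ""
            print(f"  bit {bit:2d} {mac}  {desc}{flag}")
```

Run as a script it prints, per bridge, each forwarded reserved address with a marker on the ones the maintainer's reply objects to; a configuration audit would treat any non-empty "restricted" list on a production bridge as a finding.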
