[Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-18 Thread Johannes Nixdorf via Bridge
A malicious actor behind one bridge port may spam the kernel with packets with a random source MAC address, each of which will create an FDB entry, each of which is a dynamic allocation in the kernel. There are roughly 2^48 different MAC addresses, further limited by the rhashtable they are stored

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-15 Thread Nikolay Aleksandrov
On 15/05/2023 11:50, Johannes Nixdorf wrote: > A malicious actor behind one bridge port may spam the kernel with packets > with a random source MAC address, each of which will create an FDB entry, > each of which is a dynamic allocation in the kernel. > > There are roughly 2^48 different MAC addre

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Nikolay Aleksandrov
On 16/05/2023 11:12, Johannes Nixdorf wrote: > Hi, > > On Mon, May 15, 2023 at 12:35:03PM +0300, Nikolay Aleksandrov wrote: >> On 15/05/2023 11:50, Johannes Nixdorf wrote: >>> A malicious actor behind one bridge port may spam the kernel with packets >>> with a random source MAC address, each of wh

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Nikolay Aleksandrov
On 16/05/2023 11:12, Johannes Nixdorf wrote: [snip] >>> return -EMSGSIZE; >>> >>> #ifdef CONFIG_BRIDGE_VLAN_FILTERING >>> diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h >>> index 2119729ded2b..64fb359c6e3e 100644 >>> --- a/net/bridge/br_private.h >>> +++ b/net/bridge/

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Nikolay Aleksandrov
On 15/05/2023 11:50, Johannes Nixdorf wrote: > A malicious actor behind one bridge port may spam the kernel with packets > with a random source MAC address, each of which will create an FDB entry, > each of which is a dynamic allocation in the kernel. > > There are roughly 2^48 different MAC addre

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Nikolay Aleksandrov
On 16/05/2023 11:53, Johannes Nixdorf wrote: > On Tue, May 16, 2023 at 11:38:11AM +0300, Nikolay Aleksandrov wrote: >> On 15/05/2023 11:50, Johannes Nixdorf wrote: >>> A malicious actor behind one bridge port may spam the kernel with packets >>> with a random source MAC address, each of which will

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Vladimir Oltean
Hi, On Tue, May 16, 2023 at 11:56:41AM +0300, Nikolay Aleksandrov wrote: > Hmm... perhaps we can add a flag mask of entries to count. Initially it can be > only dynamic entries. We should include more people in this discussion (+CC > Ido and Vladimir). > Switchdev folks might have more specific re

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Nikolay Aleksandrov
On 16/05/2023 13:21, Vladimir Oltean wrote: > Hi, > > On Tue, May 16, 2023 at 11:56:41AM +0300, Nikolay Aleksandrov wrote: >> Hmm... perhaps we can add a flag mask of entries to count. Initially it can be >> only dynamic entries. We should include more people in this discussion (+CC >> Ido and Vla

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Vladimir Oltean
On Tue, May 16, 2023 at 01:32:05PM +0300, Nikolay Aleksandrov wrote: > Let's take a step back, I wasn't suggesting we start with a full-fledged > switchdev > implementation. :) I meant only to see if the minimum global limit > implementation > suggested would suffice and would be able to later ex

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Nikolay Aleksandrov
On 16/05/2023 13:44, Vladimir Oltean wrote: > On Tue, May 16, 2023 at 01:32:05PM +0300, Nikolay Aleksandrov wrote: >> Let's take a step back, I wasn't suggesting we start with a full-fledged >> switchdev >> implementation. :) I meant only to see if the minimum global limit >> implementation >> su

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Vladimir Oltean
On Tue, May 16, 2023 at 01:47:47PM +0300, Nikolay Aleksandrov wrote: > Having the current count is just a helper, if you have a high limit dumping > the table > and counting might take a while. Thanks for the feedback, then we'll polish > and move > on with the set for a global limit. Ok, but to

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Nikolay Aleksandrov
On 16/05/2023 13:55, Vladimir Oltean wrote: > On Tue, May 16, 2023 at 01:47:47PM +0300, Nikolay Aleksandrov wrote: >> Having the current count is just a helper, if you have a high limit dumping >> the table >> and counting might take a while. Thanks for the feedback, then we'll polish >> and move

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Vladimir Oltean
On Tue, May 16, 2023 at 02:04:30PM +0300, Nikolay Aleksandrov wrote: > That was one of the questions actually. The more I'm thinking about this, > the more > I want to break it apart by type because we discussed being able to specify a > flag > mask for the limit (all, dynamic, dynamic+static et

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-16 Thread Nikolay Aleksandrov
On 16/05/2023 14:10, Vladimir Oltean wrote: > On Tue, May 16, 2023 at 02:04:30PM +0300, Nikolay Aleksandrov wrote: >> That was one of the questions actually. The more I'm thinking about this, >> the more >> I want to break it apart by type because we discussed being able to specify >> a flag >>

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-18 Thread Johannes Nixdorf via Bridge
On Tue, May 16, 2023 at 11:38:11AM +0300, Nikolay Aleksandrov wrote: > On 15/05/2023 11:50, Johannes Nixdorf wrote: > > A malicious actor behind one bridge port may spam the kernel with packets > > with a random source MAC address, each of which will create an FDB entry, > > each of which is a dyna

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-18 Thread Johannes Nixdorf via Bridge
Hi, On Mon, May 15, 2023 at 12:35:03PM +0300, Nikolay Aleksandrov wrote: > On 15/05/2023 11:50, Johannes Nixdorf wrote: > > A malicious actor behind one bridge port may spam the kernel with packets > > with a random source MAC address, each of which will create an FDB entry, > > each of which is a

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-05-26 Thread Johannes Nixdorf via Bridge
On Tue, May 16, 2023 at 02:18:15PM +0300, Nikolay Aleksandrov wrote: > On 16/05/2023 14:10, Vladimir Oltean wrote: > > On Tue, May 16, 2023 at 02:04:30PM +0300, Nikolay Aleksandrov wrote: > >> That was one of the questions actually. The more I'm thinking about this, > >> the more > >> I want to b

Re: [Bridge] [PATCH net-next 1/2] bridge: Add a limit on FDB entries

2023-10-19 Thread Scott Wadkins