similar to: Permission problems with samba 2.2.x

There is a structural problem in switchdev, where the flag bits in struct switchdev_notifier_fdb_info (added_by_user, is_local etc) only represent a simplified / denatured view of what's in struct net_bridge_fdb_entry :: flags (BR_FDB_ADDED_BY_USER, BR_FDB_LOCAL etc). Each time we want to pass more information about struct net_bridge_fdb_entry :: flags to struct switchdev_notifier_fdb_info

A malicious actor behind one bridge port may spam the kernel with packets with a random source MAC address, each of which will create an FDB entry, each of which is a dynamic allocation in the kernel. There are roughly 2^48 different MAC addresses, further limited by the rhashtable they are stored in to 2^31. Each entry is of the type struct net_bridge_fdb_entry, which is currently 128 bytes big.

This allows the called fdb_create to detect that the entry was added by the user early in the process. This is in preparation to adding limits in fdb_create that should not apply to user created fdb entries. Signed-off-by: Johannes Nixdorf <jnixdorf-oss at avm.de> --- Changes since v1: - Added this change to ensure user added entries are not limited. net/bridge/br_fdb.c | 6 +++--- 1

Test FDB ageing of user entry created by bridge fdb replace ADDR dev <DEV> master dynamic Use LOW_AGEING_TIME variable in forwarding.config to set a low ageing time. Beware, DSA might not accept the ageing time you want. Check the age_time_coeff value for your driver. Signed-off-by: Hans J. Schultz <netdev at kapio-technology.com> --- .../net/forwarding/bridge_locked_port.sh |

On Wed, Apr 12, 2023 at 07:00:02PM +0300, Ido Schimmel wrote: > On Wed, Apr 12, 2023 at 05:27:33PM +0300, Vladimir Oltean wrote: > > How are extern_learn FDB entries processed by spectrum's > > SWITCHDEV_FDB_ADD_TO_DEVICE handler? > > No different than "BR_FDB_STATIC", which is a bug I'm aware of and > intend to fix in net-next when I get the time

On Sat, Mar 18, 2023 at 03:10:10PM +0100, Hans J. Schultz wrote: > +# Test of dynamic FDB entries. > +locked_port_dyn_fdb() > +{ > + local mac=00:01:02:03:04:05 > + local ageing_time > + > + RET=0 > + ageing_time=$(bridge_ageing_time_get br0) > + tc qdisc add dev $swp2 clsact > + ip link set dev br0 type bridge ageing_time $LOW_AGEING_TIME > + bridge link set dev

On Mon, Mar 20, 2023 at 10:44, Ido Schimmel <idosch at nvidia.com> wrote: >> + $MZ $swp1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \ >> + -a $mac -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q >> + tc_check_packets "dev $swp2 egress" 1 1 >> + check_fail $? "Dynamic FDB entry did not age out" > > Shouldn't this be check_err()? After

Support setting the FDB limit through ip link. The arguments is: - fdb_max_learned: A 32-bit unsigned integer specifying the maximum number of learned FDB entries, with 0 disabling the limit. Also support reading back the current number of learned FDB entries in the bridge by this count. The returned value's name is: - fdb_n_learned: A 32-bit unsigned

On Wed, Apr 12, 2023 at 07:24:07PM +0300, Vladimir Oltean wrote: > I'll send v2 with BR_FDB_ADDED_BY_EXT_LEARN not prevented from being > notified from switchdev. > > Unless you have any objection, I won't send v2 like this: > > if (test_bit(BR_FDB_ADDED_BY_USER, &fdb->flags) && > !test_bit(BR_FDB_STATIC, &fdb->flags) && >

On Sun, Mar 26, 2023 at 05:41:06PM +0200, Hans Schultz wrote: > On Mon, Mar 20, 2023 at 10:44, Ido Schimmel <idosch at nvidia.com> wrote: > >> + $MZ $swp1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \ > >> + -a $mac -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q > >> + tc_check_packets "dev $swp2 egress" 1 1 > >> + check_fail $?

On Tue, Jun 20, 2023 at 09:55:31AM +0300, Nikolay Aleksandrov wrote: > On 6/19/23 10:14, Johannes Nixdorf wrote: > > +/* Set a FDB flag that implies the entry was not learned, and account > > + * for changes in the learned status. > > + */ > > +static void __fdb_set_flag_not_learned(struct net_bridge *br, > > + struct net_bridge_fdb_entry *fdb, > >

Hi I am using R version 2.7.2. on a windows XP OS and have a question concerning an analysis of covariance with count data I am trying to do, I will give details of a scaled down version of the analysis (as I have more covariates and need to take account of over-dispersion etc etc) but as I am sure it is only a simple problem but I just can't see how to fix it. I have a data set with count

On 20/06/2023 16:35, Johannes Nixdorf wrote: > On Tue, Jun 20, 2023 at 09:55:31AM +0300, Nikolay Aleksandrov wrote: >> On 6/19/23 10:14, Johannes Nixdorf wrote: >>> +/* Set a FDB flag that implies the entry was not learned, and account >>> + * for changes in the learned status. >>> + */ >>> +static void __fdb_set_flag_not_learned(struct net_bridge *br,

On Mon, Mar 27, 2023 at 14:52, Vladimir Oltean <olteanv at gmail.com> wrote: > > By the way, there is a behavior change here. > > Before: > > $ ip link add br0 type bridge && ip link set br0 up > $ ip link set swp0 master br0 && ip link set swp0 up > $ bridge fdb add dev swp0 00:01:02:03:04:05 master dynamic > [ 70.010181] mscc_felix 0000:00:00.5:

Hello All, I have a list of dataframes, and I need to subset it by keeping only those dataframes in the list that meet a certain criterion. Specifically, I need to generate a second list which only includes those dataframes whose number of rows is > 1. Could someone suggest how to do this? I have come close to what I need with loops and such, but there must be a less clumsy way... Many

On 2023-01-18 00:17, Vladimir Oltean wrote: > On Tue, Jan 17, 2023 at 07:57:11PM +0100, Hans J. Schultz wrote: >> Dynamic FDB flag needs to be propagated through the DSA layer to be >> added to drivers. >> Use a u16 for fdb flags for future use, so that other flags can also >> be >> sent the same way without having to change function interfaces. >> >>

On Tue, Jan 17, 2023 at 07:57:10PM +0100, Hans J. Schultz wrote: > To be able to add dynamic FDB entries to drivers from userspace, the > dynamic flag must be added when sending RTM_NEWNEIGH events down. > > Signed-off-by: Hans J. Schultz <netdev at kapio-technology.com> > --- > include/net/switchdev.h | 1 + > net/bridge/br_switchdev.c | 1 + > 2 files changed, 2

On Sat, Mar 18, 2023 at 03:10:06PM +0100, Hans J. Schultz wrote: > diff --git a/net/dsa/dsa.c b/net/dsa/dsa.c > index e5f156940c67..c07a2e225ae5 100644 > --- a/net/dsa/dsa.c > +++ b/net/dsa/dsa.c > @@ -626,6 +626,12 @@ static int dsa_switch_setup(struct dsa_switch *ds) > > ds->configure_vlan_while_not_filtering = true; > > + /* Since dynamic FDB entries are

To be able to add dynamic FDB entries to drivers from userspace, the dynamic flag must be added when sending RTM_NEWNEIGH events down. Signed-off-by: Hans J. Schultz <netdev at kapio-technology.com> --- include/net/switchdev.h | 1 + net/bridge/br_switchdev.c | 1 + 2 files changed, 2 insertions(+) diff --git a/include/net/switchdev.h b/include/net/switchdev.h index

Introduce a limit on the amount of learned FDB entries on a bridge, configured by netlink with a build time default on bridge creation in the kernel config. For backwards compatibility the kernel config default is disabling the limit (0). Without any limit a malicious actor may OOM a kernel by spamming packets with changing MAC addresses on their bridge port, so allow the bridge creator to limit