* RE: [Bridge] Re: ebtables target to disable an interface
@ 2003-08-08 13:23 Eble, Dan
  2003-08-09 12:07 ` Bart De Schuymer
  0 siblings, 1 reply; 6+ messages in thread
From: Eble, Dan @ 2003-08-08 13:23 UTC (permalink / raw)
  To: bridge

> From: Cameron Simpson [mailto:cs@zip.com.au] 
>
> You could log the event, and monitor the log with a
> 	tail -f logfile | ...
> to turn it off. No extension needed.

Thanks for the suggestion, but it's not the best fit for the system I'm
working in.  (Carrying the reasoning further, I could have the kernel log
*everything* it does and...)

Is there a problem with bringing down the interface from inside?  


* Re: [Bridge] Re: ebtables target to disable an interface
  2003-08-08 13:23 [Bridge] Re: ebtables target to disable an interface Eble, Dan
@ 2003-08-09 12:07 ` Bart De Schuymer
  0 siblings, 0 replies; 6+ messages in thread
From: Bart De Schuymer @ 2003-08-09 12:07 UTC (permalink / raw)
  To: Eble, Dan, bridge

On Friday 08 August 2003 15:23, Eble, Dan wrote:
> Thanks for the suggestion, but it's not the best fit for the system I'm
> working in.  (Carrying the reasoning further, I could have the kernel log
> *everything* it does and...)
>
> Is there a problem with bringing down the interface from inside?

I don't know the details by heart, but the code to bring a bridge port down
probably expects to be called from user context, not from within softirq.
That code can probably sleep, which is not allowed inside softirq.
Problems with removing ports that are the in-port or out-port of currently
processed frames will show up too.

cheers,
Bart



* RE: [Bridge] Re: ebtables target to disable an interface
@ 2003-08-12 15:29 Eble, Dan
  0 siblings, 0 replies; 6+ messages in thread
From: Eble, Dan @ 2003-08-12 15:29 UTC (permalink / raw)
  To: bridge

> You could log the event, and monitor the log with a
> 	tail -f logfile | ...
> to turn it off. No extension needed.
> -- 
> Cameron Simpson <cs@zip.com.au> DoD#743
> http://www.cskk.ezoshosting.com/cs/

I just discovered the iptables ULOG target, which sends packets to user
space through a netlink socket.  I may try to convert it into an ebtables
watcher, but I will experiment with iptables ULOG first, to see how easy it
is to use.

-- 
Dan Eble <dane@aiinet.com>  _____  .
                           |  _  |/|
Applied Innovation Inc.    | |_| | |            "All Protocols MUST be odd"
http://www.aiinet.com/     |__/|_|_|              -- RFC 1661 (PPP)


* Re: [Bridge] Re: ebtables target to disable an interface
  2003-08-11 12:22 Eble, Dan
@ 2003-08-11 23:22 ` Bart De Schuymer
  0 siblings, 0 replies; 6+ messages in thread
From: Bart De Schuymer @ 2003-08-11 23:22 UTC (permalink / raw)
  To: Eble, Dan; +Cc: bridge

On Monday 11 August 2003 14:22, Eble, Dan wrote:
> Thanks for the advice.  Still, I would like to avoid using the log to
> communicate between the driver and a process.  What do you think of using a
> netlink socket to send a message from the bridge driver?  (Once it works,
> it could be used for spanning tree control too, as DaveM suggested a while
> back for an alternative to ioctl).
>
> The only problem is I'm not very familiar with netlink sockets.  From what
> I have heard here, though, it sounds like I have a better chance to make a
> netlink socket work properly than to shut down the port from inside the
> kernel without causing a panic, deadlock, or memory leak.

I'm not familiar with them either. But it looks like that's the best solution 
for your problem.

cheers,
Bart



* RE: [Bridge] Re: ebtables target to disable an interface
@ 2003-08-11 12:22 Eble, Dan
  2003-08-11 23:22 ` Bart De Schuymer
  0 siblings, 1 reply; 6+ messages in thread
From: Eble, Dan @ 2003-08-11 12:22 UTC (permalink / raw)
  To: 'Bart De Schuymer'; +Cc: bridge

Thanks for the advice.  Still, I would like to avoid using the log to
communicate between the driver and a process.  What do you think of using a
netlink socket to send a message from the bridge driver?  (Once it works, it
could be used for spanning tree control too, as DaveM suggested a while back
for an alternative to ioctl).

The only problem is I'm not very familiar with netlink sockets.  From what I
have heard here, though, it sounds like I have a better chance to make a
netlink socket work properly than to shut down the port from inside the
kernel without causing a panic, deadlock, or memory leak.

> -----Original Message-----
> From: Bart De Schuymer [mailto:bdschuym@pandora.be] 
> Sent: Saturday, August 09, 2003 8:08 AM
> To: Eble, Dan; bridge@osdl.org
> Subject: Re: [Bridge] Re: ebtables target to disable an interface
> 
> 
> On Friday 08 August 2003 15:23, Eble, Dan wrote:
> > Thanks for the suggestion, but it's not the best fit for 
> the system I'm
> > working in.  (Carrying the reasoning further, I could have 
> the kernel log
> > *everything* it does and...)
> >
> > Is there a problem with bringing down the interface from inside?
> 
> I don't know the details by heart, but the code to bring a 
> bridge port down 
> probably expects being called from user context, not from 
> within softirq. 
> That code can probably sleep, which is not allowed inside softirq.
> Problems with removing ports that are the in-port or out-port 
> of currently 
> processed frames will show up too.
> 
> cheers,
> Bart
> 


* [Bridge] Re: ebtables target to disable an interface
  2003-08-07 20:44 [Bridge] " Eble, Dan
@ 2003-08-08  0:14 ` Cameron Simpson
  0 siblings, 0 replies; 6+ messages in thread
From: Cameron Simpson @ 2003-08-08  0:14 UTC (permalink / raw)
  To: bridge

On 16:44 07 Aug 2003, Eble, Dan <DanE@aiinet.com> wrote:
| I would like to set up an ACL for an ethernet port using ebtables rules, and
| if a security violation occurs, to physically disable the port (i.e.
| whatever "ifconfig down" does).  I did not see such a feature in the
| ebtables man page.  Does this exist anywhere, or do I have to create a new
| extension for it?

You could log the event, and monitor the log with a
	tail -f logfile | ...
to turn it off. No extension needed.
-- 
Cameron Simpson <cs@zip.com.au> DoD#743
http://www.cskk.ezoshosting.com/cs/

Loud Pipes make noise.
Skill and experience save lives.
        - Ed Morandi, edm@cbnewsj.att.com, DoD#0733
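The log-and-react approach Cameron describes, as an added example that is not part of the thread: an ebtables rule that logs and drops frames from an unexpected source MAC on a bridge port, plus a POSIX shell watcher that tails the kernel log and brings the offending port down with ifconfig. Assumed (not stated on the page): ebt_log's `<prefix> IN=<port> OUT=<port> ...` line format, the log file path, and the interface and MAC values, which are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reacts to ebtables --log lines
# from user space, as suggested, instead of downing the port inside softirq.
PREFIX="EBT-VIOLATION"   # --log-prefix used by the rule below (constructed)

# Install the ACL on bridge port eth1 (values constructed): log, then drop.
# ebtables applies the --log watcher before the DROP target on the same rule.
install_rules() {
    ebtables -A FORWARD -i eth1 -s 00:11:22:33:44:55 \
        --log-level info --log-prefix "$PREFIX" -j DROP
}

# Print the ingress port named in one ebt_log line; fail (no output) when the
# line lacks our prefix or an IN= field. Assumes the "IN=<port> OUT=<port>"
# layout that ebt_log writes after the prefix.
violating_port() {
    line="$1"
    case "$line" in
        *"$PREFIX"*) ;;
        *) return 1 ;;
    esac
    port=$(printf '%s\n' "$line" | sed -n 's/.*IN=\([^ ]*\).*/\1/p')
    [ -n "$port" ] || return 1
    printf '%s\n' "$port"
}

# Follow the kernel log and disable any port that triggers the rule
# (what "ifconfig down" does, as the original question asked for).
watch_log() {
    tail -F "$1" | while IFS= read -r line; do
        port=$(violating_port "$line") || continue
        logger -t ebt-watch "disabling $port after ebtables violation"
        ifconfig "$port" down
    done
}

# Constructed sample log line in the assumed ebt_log layout, for a dry run.
SAMPLE_LINE='Aug  8 13:23:01 host kernel: EBT-VIOLATION IN=eth1 OUT=eth2 MAC source = 00:11:22:33:44:55 MAC dest = 00:aa:bb:cc:dd:ee proto = 0x0800'

# Usage as root: install_rules; watch_log /var/log/kern.log
```

The DROP target is what actually blocks the frame; downing the port afterwards only stops later traffic, and because the watcher runs asynchronously there is a window between the logged frame and the port going down.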

