1. 14 Feb, 2013 6 commits
  2. 11 Feb, 2013 1 commit
  3. 03 Jan, 2013 1 commit
  4. 19 Dec, 2012 1 commit
  5. 16 Dec, 2012 1 commit
  6. 12 Dec, 2012 2 commits
  7. 11 Dec, 2012 1 commit
    • Cong Wang's avatar
      bridge: fix seq check in br_mdb_dump() · 2ce297fc
      Cong Wang authored
      
      
      In case of rehashing, introduce a global variable 'br_mdb_rehash_seq'
      which gets increased every time when rehashing, and assign
      net->dev_base_seq + br_mdb_rehash_seq to cb->seq.
      
      In theory cb->seq could be wrapped to zero, but this is not
      easy to fix, as net->dev_base_seq is not visible inside
      br_mdb_rehash(). In practice, this is rare.
      
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Stephen Hemminger <shemminger@vyatta.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Thomas Graf <tgraf@suug.ch>
      Cc: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarCong Wang <amwang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2ce297fc
  8. 07 Dec, 2012 1 commit
    • Cong Wang's avatar
      bridge: export multicast database via netlink · ee07c6e7
      Cong Wang authored
      
      
      V5: fix two bugs pointed out by Thomas
          remove seq check for now, mark it as TODO
      
      V4: remove some useless #include
          some coding style fix
      
      V3: drop debugging printk's
          update selinux perm table as well
      
      V2: drop patch 1/2, export ifindex directly
          Redesign netlink attributes
          Improve netlink seq check
          Handle IPv6 addr as well
      
      This patch exports bridge multicast database via netlink
      message type RTM_GETMDB. Similar to fdb, but currently bridge-specific.
      We may need to support modify multicast database too (RTM_{ADD,DEL}MDB).
      
      (Thanks to Thomas for patient reviews)
      
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Stephen Hemminger <shemminger@vyatta.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Thomas Graf <tgraf@suug.ch>
      Cc: Jesper Dangaard Brouer <brouer@redhat.com>
      Signed-off-by: default avatarCong Wang <amwang@redhat.com>
      Acked-by: default avatarThomas Graf <tgraf@suug.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ee07c6e7
  9. 05 Dec, 2012 2 commits
    • David S. Miller's avatar
      bridge: implement multicast fast leave · c2d3babf
      David S. Miller authored
      
      
      V3: make it a flag
      V2: make the toggle per-port
      
      Fast leave allows bridge to immediately stops the multicast
      traffic on the port receives IGMP Leave when IGMP snooping is enabled,
      no timeouts are observed.
      
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Stephen Hemminger <shemminger@vyatta.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarCong Wang <amwang@redhat.com>
      c2d3babf
    • Amerigo Wang's avatar
      bridge: implement multicast fast leave · 50426b59
      Amerigo Wang authored
      
      
      V2: make the toggle per-port
      
      Fast leave allows bridge to immediately stops the multicast
      traffic on the port receives IGMP Leave when IGMP snooping is enabled,
      no timeouts are observed.
      
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Stephen Hemminger <shemminger@vyatta.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarCong Wang <amwang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50426b59
  10. 15 Nov, 2012 2 commits
    • stephen hemminger's avatar
      bridge: add root port blocking · 1007dd1a
      stephen hemminger authored
      
      
      This is Linux bridge implementation of root port guard.
      If BPDU is received from a leaf (edge) port, it should not
      be elected as root port.
      
      Why would you want to do this?
      If using STP on a bridge and the downstream bridges are not fully
      trusted; this prevents a hostile guest for rerouting traffic.
      
      Why not just use netfilter?
      Netfilter does not track of follow spanning tree decisions.
      It would be difficult and error prone to try and mirror STP
      resolution in netfilter module.
      
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1007dd1a
    • stephen hemminger's avatar
      bridge: implement BPDU blocking · a2e01a65
      stephen hemminger authored
      
      
      This is Linux bridge implementation of STP protection
      (Cisco BPDU guard/Juniper BPDU block). BPDU block disables
      the bridge port if a STP BPDU packet is received.
      
      Why would you want to do this?
      If running Spanning Tree on bridge, hostile devices on the network
      may send BPDU and cause network failure. Enabling bpdu block
      will detect and stop this.
      
      How to recover the port?
      The port will be restarted if link is brought down, or
      removed and reattached.  For example:
       # ip li set dev eth0 down; ip li set dev eth0 up
      
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a2e01a65
  11. 04 Nov, 2012 1 commit
  12. 31 Oct, 2012 2 commits
    • John Fastabend's avatar
      net: set and query VEB/VEPA bridge mode via PF_BRIDGE · 2469ffd7
      John Fastabend authored
      
      
      Hardware switches may support enabling and disabling the
      loopback switch which puts the device in a VEPA mode defined
      in the IEEE 802.1Qbg specification. In this mode frames are
      not switched in the hardware but sent directly to the switch.
      SR-IOV capable NICs will likely support this mode I am
      aware of at least two such devices. Also I am told (but don't
      have any of this hardware available) that there are devices
      that only support VEPA modes. In these cases it is important
      at a minimum to be able to query these attributes.
      
      This patch adds an additional IFLA_BRIDGE_MODE attribute that can be
      set and dumped via the PF_BRIDGE:{SET|GET}LINK operations. Also
      anticipating bridge attributes that may be common for both embedded
      bridges and software bridges this adds a flags attribute
      IFLA_BRIDGE_FLAGS currently used to determine if the command or event
      is being generated to/from an embedded bridge or software bridge.
      Finally, the event generation is pulled out of the bridge module and
      into rtnetlink proper.
      
      For example using the macvlan driver in VEPA mode on top of
      an embedded switch requires putting the embedded switch into
      a VEPA mode to get the expected results.
      
      	--------  --------
              | VEPA |  | VEPA |       <-- macvlan vepa edge relays
              --------  --------
                 |        |
                 |        |
              ------------------
              |      VEPA      |       <-- embedded switch in NIC
              ------------------
                      |
                      |
              -------------------
              | external switch |      <-- shiny new physical
      	-------------------          switch with VEPA support
      
      A packet sent from the macvlan VEPA at the top could be
      loopbacked on the embedded switch and never seen by the
      external switch. So in order for this to work the embedded
      switch needs to be set in the VEPA state via the above
      described commands.
      
      By making these attributes nested in IFLA_AF_SPEC we allow
      future extensions to be made as needed.
      
      CC: Lennert Buytenhek <buytenh@wantstofly.org>
      CC: Stephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2469ffd7
    • John Fastabend's avatar
      net: create generic bridge ops · e5a55a89
      John Fastabend authored
      
      
      The PF_BRIDGE:RTM_{GET|SET}LINK nlmsg family and type are
      currently embedded in the ./net/bridge module. This prohibits
      them from being used by other bridging devices. One example
      of this being hardware that has embedded bridging components.
      
      In order to use these nlmsg types more generically this patch
      adds two net_device_ops hooks. One to set link bridge attributes
      and another to dump the current bride attributes.
      
      	ndo_bridge_setlink()
      	ndo_bridge_getlink()
      
      CC: Lennert Buytenhek <buytenh@wantstofly.org>
      CC: Stephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e5a55a89
  13. 30 Oct, 2012 1 commit
  14. 01 Oct, 2012 1 commit
  15. 19 Sep, 2012 1 commit
  16. 14 Aug, 2012 1 commit
  17. 27 Jun, 2012 1 commit
  18. 15 Apr, 2012 2 commits
    • John Fastabend's avatar
      net: add generic PF_BRIDGE:RTM_ FDB hooks · 77162022
      John Fastabend authored
      This adds two new flags NTF_MASTER and NTF_SELF that can
      now be used to specify where PF_BRIDGE netlink commands should
      be sent. NTF_MASTER sends the commands to the 'dev->master'
      device for parsing. Typically this will be the linux net/bridge,
      or open-vswitch devices. Also without any flags set the command
      will be handled by the master device as well so that current user
      space tools continue to work as expected.
      
      The NTF_SELF flag will push the PF_BRIDGE commands to the
      device. In the basic example below the commands are then parsed
      and programmed in the embedded bridge.
      
      Note if both NTF_SELF and NTF_MASTER bits are set then the
      command will be sent to both 'dev->master' and 'dev' this allows
      user space to easily keep the embedded bridge and software bridge
      in sync.
      
      There is a slight complication in the case with both flags set
      when an error occurs. To resolve this the rtnl handler clears
      the NTF_ flag in the netlink ack to indicate which sets completed
      successfully. The add/del handlers will abort as soon as any
      error occurs.
      
      To support this new net device ops were added to call into
      the device and the existing bridging code was refactored
      to use these. There should be no required changes in user space
      to support the current bridge behavior.
      
      A basic setup with a SR-IOV enabled NIC looks like this,
      
                veth0  veth2
                  |      |
                ------------
                |  bridge0 |   <---- software bridging
                ------------
                     /
                     /
        ethx.y      ethx
          VF         PF
           \         \          <---- propagate FDB entries to HW
           \         \
        --------------------
        |  Embedded Bridge |    <---- hardware offloaded switching
        --------------------
      
      In this case the embedded bridge must be managed to allow 'veth0'
      to communicate with 'ethx.y' correctly. At present drivers managing
      the embedded bridge either send frames onto the network which
      then get dropped by the switch OR the embedded bridge will flood
      these frames. With this patch we have a mechanism to manage the
      embedded bridge correctly from user space. This example is specific
      to SR-IOV but replacing the VF with another PF or dropping this
      into the DSA framework generates similar management issues.
      
      Examples session using the 'br'[1] tool to add, dump and then
      delete a mac address with a new "embedded" option and enabled
      ixgbe driver:
      
      # br fdb add 22:35:19:ac:60:59 dev eth3
      # br fdb
      port    mac addr                flags
      veth0   22:35:19:ac:60:58       static
      veth0   9a:5f:81:f7:f6:ec       local
      eth3    00:1b:21:55:23:59       local
      eth3    22:35:19:ac:60:59       static
      veth0   22:35:19:ac:60:57       static
      #br fdb add 22:35:19:ac:60:59 embedded dev eth3
      #br fdb
      port    mac addr                flags
      veth0   22:35:19:ac:60:58       static
      veth0   9a:5f:81:f7:f6:ec       local
      eth3    00:1b:21:55:23:59       local
      eth3    22:35:19:ac:60:59       static
      veth0   22:35:19:ac:60:57       static
      eth3    22:35:19:ac:60:59       local embedded
      #br fdb del 22:35:19:ac:60:59 embedded dev eth3
      
      I added a couple lines to 'br' to set the flags correctly is all. It
      is my opinion that the merit of this patch is now embedded and SW
      bridges can both be modeled correctly in user space using very nearly
      the same message passing.
      
      [1] 'br' tool was published as an RFC here and will be renamed 'bridge'
          http://patchwork.ozlabs.org/patch/117664/
      
      
      
      Thanks to Jamal Hadi Salim, Stephen Hemminger and Ben Hutchings for
      valuable feedback, suggestions, and review.
      
      v2: fixed api descriptions and error case with both NTF_SELF and
          NTF_MASTER set plus updated patch description.
      
      Signed-off-by: default avatarJohn Fastabend <john.r.fastabend@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      77162022
    • Herbert Xu's avatar
      bridge: Add multicast_querier toggle and disable queries by default · c5c23260
      Herbert Xu authored
      
      
      Sending general queries was implemented as an optimisation to speed
      up convergence on start-up.  In order to prevent interference with
      multicast routers a zero source address has to be used.
      
      Unfortunately these packets appear to cause some multicast-aware
      switches to misbehave, e.g., by disrupting multicast packets to us.
      
      Since the multicast snooping feature still functions without sending
      our own queries, this patch will change the default to not send
      queries.
      
      For those that need queries in order to speed up convergence on start-up,
      a toggle is provided to restore the previous behaviour.
      
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c5c23260
  19. 11 Apr, 2012 1 commit
    • Herbert Xu's avatar
      bridge: Do not send queries on multicast group leaves · 996304bb
      Herbert Xu authored
      
      
      As it stands the bridge IGMP snooping system will respond to
      group leave messages with queries for remaining membership.
      This is both unnecessary and undesirable.  First of all any
      multicast routers present should be doing this rather than us.
      What's more the queries that we send may end up upsetting other
      multicast snooping swithces in the system that are buggy.
      
      In fact, we can simply remove the code that send these queries
      because the existing membership expiry mechanism doesn't rely
      on them anyway.
      
      So this patch simply removes all code associated with group
      queries in response to group leave messages.
      
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      996304bb
  20. 16 Dec, 2011 1 commit
  21. 11 Dec, 2011 1 commit
  22. 09 Dec, 2011 1 commit
  23. 16 Nov, 2011 1 commit
  24. 19 Oct, 2011 1 commit
  25. 06 Oct, 2011 1 commit
    • stephen hemminger's avatar
      bridge: allow forwarding some link local frames · 515853cc
      stephen hemminger authored
      
      
      This is based on an earlier patch by Nick Carter with comments
      by David Lamparter but with some refinements. Thanks for their patience
      this is a confusing area with overlap of standards, user requirements,
      and compatibility with earlier releases.
      
      It adds a new sysfs attribute
         /sys/class/net/brX/bridge/group_fwd_mask
      that controls forwarding of frames with address of: 01-80-C2-00-00-0X
      The default setting has no forwarding to retain compatibility.
      
      One change from earlier releases is that forwarding of group
      addresses is not dependent on STP being enabled or disabled. This
      choice was made based on interpretation of tie 802.1 standards.
      I expect complaints will arise because of this, but better to follow
      the standard than continue acting incorrectly by default.
      
      The filtering mask is writeable, but only values that don't forward
      known control frames are allowed. It intentionally blocks attempts
      to filter control protocols. For example: writing a 8 allows
      forwarding 802.1X PAE addresses which is the most common request.
      
      Reported-by: default avatarDavid Lamparter <equinox@diac24.net>
      Original-patch-by: default avatarNick Carter <ncarter100@gmail.com>
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Tested-by: default avatarBenjamin Poirier <benjamin.poirier@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      515853cc
  26. 23 Jul, 2011 1 commit
    • stephen hemminger's avatar
      bridge: send proper message_age in config BPDU · 0c03150e
      stephen hemminger authored
      A bridge topology with three systems:
      
            +------+  +------+
            | A(2) |--| B(1) |
            +------+  +------+
                 \    /
                +------+
                | C(3) |
                +------+
      
      What is supposed to happen:
       * bridge with the lowest ID is elected root (for example: B)
       * C detects that A->C is higher cost path and puts in blocking state
      
      What happens. Bridge with lowest id (B) is elected correctly as
      root and things start out fine initially. But then config BPDU
      doesn't get transmitted from A -> C. Because of that
      the link from A-C is transistioned to the forwarding state.
      
      The root cause of this is that the configuration messages
      is generated with bogus message age, and dropped before
      sending.
      
      In the standardmessage_age is supposed to be:
        the time since the generation of the Configuration BPDU by
        the Root that instigated the generation of this Configuration BPDU.
      
      Reimplement this by recording the timestamp (age + jiffies) when
      recording config information. The old code incorrectly used the time
      elapsed on the ageing timer which was incorrect.
      
      See also:
        https://bugzilla.vyatta.com/show_bug.cgi?id=7164
      
      
      
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0c03150e
  27. 28 Apr, 2011 1 commit
  28. 05 Apr, 2011 3 commits