2019-05-27 14:55:01 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Handle incoming frames
|
|
|
|
* Linux ethernet bridge
|
|
|
|
*
|
|
|
|
* Authors:
|
|
|
|
* Lennert Buytenhek <buytenh@gnu.org>
|
|
|
|
*/
|
|
|
|
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 16:04:11 +08:00
|
|
|
#include <linux/slab.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include <linux/kernel.h>
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
#include <linux/etherdevice.h>
|
|
|
|
#include <linux/netfilter_bridge.h>
|
2019-04-13 12:03:36 +08:00
|
|
|
#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
|
2019-04-11 22:36:41 +08:00
|
|
|
#include <net/netfilter/nf_queue.h>
|
2019-04-13 12:03:36 +08:00
|
|
|
#endif
|
2014-10-24 05:49:17 +08:00
|
|
|
#include <linux/neighbour.h>
|
|
|
|
#include <net/arp.h>
|
2020-05-11 00:37:40 +08:00
|
|
|
#include <net/dsa.h>
|
2011-07-15 23:47:34 +08:00
|
|
|
#include <linux/export.h>
|
2013-02-13 20:00:10 +08:00
|
|
|
#include <linux/rculist.h>
|
2005-04-17 06:20:36 +08:00
|
|
|
#include "br_private.h"
|
2017-02-01 14:59:55 +08:00
|
|
|
#include "br_private_tunnel.h"
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2015-09-16 09:04:18 +08:00
|
|
|
static int
|
|
|
|
br_netif_receive_skb(struct net *net, struct sock *sk, struct sk_buff *skb)
|
2015-09-16 09:04:15 +08:00
|
|
|
{
|
2017-03-14 00:38:17 +08:00
|
|
|
br_drop_fake_rtable(skb);
|
2015-09-16 09:04:15 +08:00
|
|
|
return netif_receive_skb(skb);
|
|
|
|
}
|
|
|
|
|
2010-02-28 03:41:40 +08:00
|
|
|
static int br_pass_frame_up(struct sk_buff *skb)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-02-28 03:41:40 +08:00
|
|
|
struct net_device *indev, *brdev = BR_INPUT_SKB_CB(skb)->brdev;
|
2010-03-02 21:32:09 +08:00
|
|
|
struct net_bridge *br = netdev_priv(brdev);
|
bridge: vlan: add per-vlan struct and move to rhashtables
This patch changes the bridge vlan implementation to use rhashtables
instead of bitmaps. The main motivation behind this change is that we
need extensible per-vlan structures (both per-port and global) so more
advanced features can be introduced and the vlan support can be
extended. I've tried to break this up but the moment net_port_vlans is
changed and the whole API goes away, thus this is a larger patch.
A few short goals of this patch are:
- Extensible per-vlan structs stored in rhashtables and a sorted list
- Keep user-visible behaviour (compressed vlans etc)
- Keep fastpath ingress/egress logic the same (optimizations to come
later)
Here's a brief list of some of the new features we'd like to introduce:
- per-vlan counters
- vlan ingress/egress mapping
- per-vlan igmp configuration
- vlan priorities
- avoid fdb entries replication (e.g. local fdb scaling issues)
The structure is kept single for both global and per-port entries so to
avoid code duplication where possible and also because we'll soon introduce
"port0 / aka bridge as port" which should simplify things further
(thanks to Vlad for the suggestion!).
Now we have per-vlan global rhashtable (bridge-wide) and per-vlan port
rhashtable, if an entry is added to a port it'll get a pointer to its
global context so it can be quickly accessed later. There's also a
sorted vlan list which is used for stable walks and some user-visible
behaviour such as the vlan ranges, also for error paths.
VLANs are stored in a "vlan group" which currently contains the
rhashtable, sorted vlan list and the number of "real" vlan entries.
A good side-effect of this change is that it resembles how hw keeps
per-vlan data.
One important note after this change is that if a VLAN is being looked up
in the bridge's rhashtable for filtering purposes (or to check if it's an
existing usable entry, not just a global context) then the new helper
br_vlan_should_use() needs to be used if the vlan is found. In case the
lookup is done only with a port's vlan group, then this check can be
skipped.
Things tested so far:
- basic vlan ingress/egress
- pvids
- untagged vlans
- undef CONFIG_BRIDGE_VLAN_FILTERING
- adding/deleting vlans in different scenarios (with/without global ctx,
while transmitting traffic, in ranges etc)
- loading/removing the module while having/adding/deleting vlans
- extracting bridge vlan information (user ABI), compressed requests
- adding/deleting fdbs on vlans
- bridge mac change, promisc mode
- default pvid change
- kmemleak ON during the whole time
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-26 01:00:11 +08:00
|
|
|
struct net_bridge_vlan_group *vg;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2020-11-20 19:22:23 +08:00
|
|
|
dev_sw_netstats_rx_add(brdev, skb->len);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2015-10-13 03:47:02 +08:00
|
|
|
vg = br_vlan_group_rcu(br);
|
2022-05-18 08:58:40 +08:00
|
|
|
|
|
|
|
/* Reset the offload_fwd_mark because there could be a stacked
|
|
|
|
* bridge above, and it should not think this bridge it doing
|
|
|
|
* that bridge's work forwarding out its ports.
|
|
|
|
*/
|
|
|
|
br_switchdev_frame_unmark(skb);
|
|
|
|
|
2013-02-13 20:00:11 +08:00
|
|
|
/* Bridge is just like any other port. Make sure the
|
2021-01-08 10:53:32 +08:00
|
|
|
* packet is allowed except in promisc mode when someone
|
2013-02-13 20:00:11 +08:00
|
|
|
* may be running packet capture.
|
|
|
|
*/
|
|
|
|
if (!(brdev->flags & IFF_PROMISC) &&
|
bridge: vlan: add per-vlan struct and move to rhashtables
This patch changes the bridge vlan implementation to use rhashtables
instead of bitmaps. The main motivation behind this change is that we
need extensible per-vlan structures (both per-port and global) so more
advanced features can be introduced and the vlan support can be
extended. I've tried to break this up but the moment net_port_vlans is
changed and the whole API goes away, thus this is a larger patch.
A few short goals of this patch are:
- Extensible per-vlan structs stored in rhashtables and a sorted list
- Keep user-visible behaviour (compressed vlans etc)
- Keep fastpath ingress/egress logic the same (optimizations to come
later)
Here's a brief list of some of the new features we'd like to introduce:
- per-vlan counters
- vlan ingress/egress mapping
- per-vlan igmp configuration
- vlan priorities
- avoid fdb entries replication (e.g. local fdb scaling issues)
The structure is kept single for both global and per-port entries so to
avoid code duplication where possible and also because we'll soon introduce
"port0 / aka bridge as port" which should simplify things further
(thanks to Vlad for the suggestion!).
Now we have per-vlan global rhashtable (bridge-wide) and per-vlan port
rhashtable, if an entry is added to a port it'll get a pointer to its
global context so it can be quickly accessed later. There's also a
sorted vlan list which is used for stable walks and some user-visible
behaviour such as the vlan ranges, also for error paths.
VLANs are stored in a "vlan group" which currently contains the
rhashtable, sorted vlan list and the number of "real" vlan entries.
A good side-effect of this change is that it resembles how hw keeps
per-vlan data.
One important note after this change is that if a VLAN is being looked up
in the bridge's rhashtable for filtering purposes (or to check if it's an
existing usable entry, not just a global context) then the new helper
br_vlan_should_use() needs to be used if the vlan is found. In case the
lookup is done only with a port's vlan group, then this check can be
skipped.
Things tested so far:
- basic vlan ingress/egress
- pvids
- untagged vlans
- undef CONFIG_BRIDGE_VLAN_FILTERING
- adding/deleting vlans in different scenarios (with/without global ctx,
while transmitting traffic, in ranges etc)
- loading/removing the module while having/adding/deleting vlans
- extracting bridge vlan information (user ABI), compressed requests
- adding/deleting fdbs on vlans
- bridge mac change, promisc mode
- default pvid change
- kmemleak ON during the whole time
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-26 01:00:11 +08:00
|
|
|
!br_allowed_egress(vg, skb)) {
|
2013-02-13 20:00:11 +08:00
|
|
|
kfree_skb(skb);
|
|
|
|
return NET_RX_DROP;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
indev = skb->dev;
|
2008-05-22 05:13:47 +08:00
|
|
|
skb->dev = brdev;
|
2017-02-01 14:59:55 +08:00
|
|
|
skb = br_handle_vlan(br, NULL, vg, skb);
|
2014-03-28 09:51:18 +08:00
|
|
|
if (!skb)
|
|
|
|
return NET_RX_DROP;
|
2016-06-28 22:57:06 +08:00
|
|
|
/* update the multicast stats if the packet is IGMP/MLD */
|
2016-07-07 03:12:21 +08:00
|
|
|
br_multicast_count(br, NULL, skb, br_multicast_igmp_type(skb),
|
2016-06-28 22:57:06 +08:00
|
|
|
BR_MCAST_DIR_TX);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2015-09-16 09:04:16 +08:00
|
|
|
return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
|
|
|
|
dev_net(indev), NULL, skb, indev, NULL,
|
2015-09-16 09:04:15 +08:00
|
|
|
br_netif_receive_skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2010-07-27 16:26:30 +08:00
|
|
|
/* note: already called with rcu_read_lock */
|
2015-09-16 09:04:18 +08:00
|
|
|
int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-06-15 14:50:45 +08:00
|
|
|
struct net_bridge_port *p = br_port_get_rcu(skb->dev);
|
2016-08-31 21:36:51 +08:00
|
|
|
enum br_pkt_type pkt_type = BR_PKT_UNICAST;
|
2016-07-14 11:09:59 +08:00
|
|
|
struct net_bridge_fdb_entry *dst = NULL;
|
2021-07-20 01:06:25 +08:00
|
|
|
struct net_bridge_mcast_port *pmctx;
|
2010-02-28 03:41:48 +08:00
|
|
|
struct net_bridge_mdb_entry *mdst;
|
2016-08-31 21:36:51 +08:00
|
|
|
bool local_rcv, mcast_hit = false;
|
2021-07-20 01:06:25 +08:00
|
|
|
struct net_bridge_mcast *brmctx;
|
2021-07-20 01:06:28 +08:00
|
|
|
struct net_bridge_vlan *vlan;
|
2016-07-14 11:09:59 +08:00
|
|
|
struct net_bridge *br;
|
2013-02-13 20:00:14 +08:00
|
|
|
u16 vid = 0;
|
2020-01-24 19:40:22 +08:00
|
|
|
u8 state;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
net: bridge: mst: Multiple Spanning Tree (MST) mode
Allow the user to switch from the current per-VLAN STP mode to an MST
mode.
Up to this point, per-VLAN STP states where always isolated from each
other. This is in contrast to the MSTP standard (802.1Q-2018, Clause
13.5), where VLANs are grouped into MST instances (MSTIs), and the
state is managed on a per-MSTI level, rather that at the per-VLAN
level.
Perhaps due to the prevalence of the standard, many switching ASICs
are built after the same model. Therefore, add a corresponding MST
mode to the bridge, which we can later add offloading support for in a
straight-forward way.
For now, all VLANs are fixed to MSTI 0, also called the Common
Spanning Tree (CST). That is, all VLANs will follow the port-global
state.
Upcoming changes will make this actually useful by allowing VLANs to
be mapped to arbitrary MSTIs and allow individual MSTI states to be
changed.
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-03-16 23:08:43 +08:00
|
|
|
if (!p)
|
2006-02-10 09:08:52 +08:00
|
|
|
goto drop;
|
|
|
|
|
2022-02-23 18:16:46 +08:00
|
|
|
br = p->br;
|
net: bridge: mst: Multiple Spanning Tree (MST) mode
Allow the user to switch from the current per-VLAN STP mode to an MST
mode.
Up to this point, per-VLAN STP states where always isolated from each
other. This is in contrast to the MSTP standard (802.1Q-2018, Clause
13.5), where VLANs are grouped into MST instances (MSTIs), and the
state is managed on a per-MSTI level, rather that at the per-VLAN
level.
Perhaps due to the prevalence of the standard, many switching ASICs
are built after the same model. Therefore, add a corresponding MST
mode to the bridge, which we can later add offloading support for in a
straight-forward way.
For now, all VLANs are fixed to MSTI 0, also called the Common
Spanning Tree (CST). That is, all VLANs will follow the port-global
state.
Upcoming changes will make this actually useful by allowing VLANs to
be mapped to arbitrary MSTIs and allow individual MSTI states to be
changed.
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-03-16 23:08:43 +08:00
|
|
|
|
|
|
|
if (br_mst_is_enabled(br)) {
|
|
|
|
state = BR_STATE_FORWARDING;
|
|
|
|
} else {
|
|
|
|
if (p->state == BR_STATE_DISABLED)
|
|
|
|
goto drop;
|
|
|
|
|
|
|
|
state = p->state;
|
|
|
|
}
|
|
|
|
|
2021-07-20 01:06:25 +08:00
|
|
|
brmctx = &p->br->multicast_ctx;
|
|
|
|
pmctx = &p->multicast_ctx;
|
2020-01-24 19:40:22 +08:00
|
|
|
if (!br_allowed_ingress(p->br, nbp_vlan_group_rcu(p), skb, &vid,
|
2021-07-20 01:06:28 +08:00
|
|
|
&state, &vlan))
|
2014-04-09 16:00:30 +08:00
|
|
|
goto out;
|
2013-02-13 20:00:10 +08:00
|
|
|
|
2022-02-23 18:16:46 +08:00
|
|
|
if (p->flags & BR_PORT_LOCKED) {
|
|
|
|
struct net_bridge_fdb_entry *fdb_src =
|
|
|
|
br_fdb_find_rcu(br, eth_hdr(skb)->h_source, vid);
|
|
|
|
|
bridge: Add MAC Authentication Bypass (MAB) support
Hosts that support 802.1X authentication are able to authenticate
themselves by exchanging EAPOL frames with an authenticator (Ethernet
bridge, in this case) and an authentication server. Access to the
network is only granted by the authenticator to successfully
authenticated hosts.
The above is implemented in the bridge using the "locked" bridge port
option. When enabled, link-local frames (e.g., EAPOL) can be locally
received by the bridge, but all other frames are dropped unless the host
is authenticated. That is, unless the user space control plane installed
an FDB entry according to which the source address of the frame is
located behind the locked ingress port. The entry can be dynamic, in
which case learning needs to be enabled so that the entry will be
refreshed by incoming traffic.
There are deployments in which not all the devices connected to the
authenticator (the bridge) support 802.1X. Such devices can include
printers and cameras. One option to support such deployments is to
unlock the bridge ports connecting these devices, but a slightly more
secure option is to use MAB. When MAB is enabled, the MAC address of the
connected device is used as the user name and password for the
authentication.
For MAB to work, the user space control plane needs to be notified about
MAC addresses that are trying to gain access so that they will be
compared against an allow list. This can be implemented via the regular
learning process with the sole difference that learned FDB entries are
installed with a new "locked" flag indicating that the entry cannot be
used to authenticate the device. The flag cannot be set by user space,
but user space can clear the flag by replacing the entry, thereby
authenticating the device.
Locked FDB entries implement the following semantics with regards to
roaming, aging and forwarding:
1. Roaming: Locked FDB entries can roam to unlocked (authorized) ports,
in which case the "locked" flag is cleared. FDB entries cannot roam
to locked ports regardless of MAB being enabled or not. Therefore,
locked FDB entries are only created if an FDB entry with the given {MAC,
VID} does not already exist. This behavior prevents unauthenticated
devices from disrupting traffic destined to already authenticated
devices.
2. Aging: Locked FDB entries age and refresh by incoming traffic like
regular entries.
3. Forwarding: Locked FDB entries forward traffic like regular entries.
If user space detects an unauthorized MAC behind a locked port and
wishes to prevent traffic with this MAC DA from reaching the host, it
can do so using tc or a different mechanism.
Enable the above behavior using a new bridge port option called "mab".
It can only be enabled on a bridge port that is both locked and has
learning enabled. Locked FDB entries are flushed from the port once MAB
is disabled. A new option is added because there are pure 802.1X
deployments that are not interested in notifications about locked FDB
entries.
Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-11-02 03:39:21 +08:00
|
|
|
if (!fdb_src) {
|
|
|
|
/* FDB miss. Create locked FDB entry if MAB is enabled
|
|
|
|
* and drop the packet.
|
|
|
|
*/
|
|
|
|
if (p->flags & BR_PORT_MAB)
|
|
|
|
br_fdb_update(br, p, eth_hdr(skb)->h_source,
|
|
|
|
vid, BIT(BR_FDB_LOCKED));
|
2022-02-23 18:16:46 +08:00
|
|
|
goto drop;
|
bridge: Add MAC Authentication Bypass (MAB) support
Hosts that support 802.1X authentication are able to authenticate
themselves by exchanging EAPOL frames with an authenticator (Ethernet
bridge, in this case) and an authentication server. Access to the
network is only granted by the authenticator to successfully
authenticated hosts.
The above is implemented in the bridge using the "locked" bridge port
option. When enabled, link-local frames (e.g., EAPOL) can be locally
received by the bridge, but all other frames are dropped unless the host
is authenticated. That is, unless the user space control plane installed
an FDB entry according to which the source address of the frame is
located behind the locked ingress port. The entry can be dynamic, in
which case learning needs to be enabled so that the entry will be
refreshed by incoming traffic.
There are deployments in which not all the devices connected to the
authenticator (the bridge) support 802.1X. Such devices can include
printers and cameras. One option to support such deployments is to
unlock the bridge ports connecting these devices, but a slightly more
secure option is to use MAB. When MAB is enabled, the MAC address of the
connected device is used as the user name and password for the
authentication.
For MAB to work, the user space control plane needs to be notified about
MAC addresses that are trying to gain access so that they will be
compared against an allow list. This can be implemented via the regular
learning process with the sole difference that learned FDB entries are
installed with a new "locked" flag indicating that the entry cannot be
used to authenticate the device. The flag cannot be set by user space,
but user space can clear the flag by replacing the entry, thereby
authenticating the device.
Locked FDB entries implement the following semantics with regards to
roaming, aging and forwarding:
1. Roaming: Locked FDB entries can roam to unlocked (authorized) ports,
in which case the "locked" flag is cleared. FDB entries cannot roam
to locked ports regardless of MAB being enabled or not. Therefore,
locked FDB entries are only created if an FDB entry with the given {MAC,
VID} does not already exist. This behavior prevents unauthenticated
devices from disrupting traffic destined to already authenticated
devices.
2. Aging: Locked FDB entries age and refresh by incoming traffic like
regular entries.
3. Forwarding: Locked FDB entries forward traffic like regular entries.
If user space detects an unauthorized MAC behind a locked port and
wishes to prevent traffic with this MAC DA from reaching the host, it
can do so using tc or a different mechanism.
Enable the above behavior using a new bridge port option called "mab".
It can only be enabled on a bridge port that is both locked and has
learning enabled. Locked FDB entries are flushed from the port once MAB
is disabled. A new option is added because there are pure 802.1X
deployments that are not interested in notifications about locked FDB
entries.
Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-11-02 03:39:21 +08:00
|
|
|
} else if (READ_ONCE(fdb_src->dst) != p ||
|
|
|
|
test_bit(BR_FDB_LOCAL, &fdb_src->flags)) {
|
|
|
|
/* FDB mismatch. Drop the packet without roaming. */
|
|
|
|
goto drop;
|
2022-11-10 16:54:22 +08:00
|
|
|
} else if (test_bit(BR_FDB_LOCKED, &fdb_src->flags)) {
|
bridge: Add MAC Authentication Bypass (MAB) support
Hosts that support 802.1X authentication are able to authenticate
themselves by exchanging EAPOL frames with an authenticator (Ethernet
bridge, in this case) and an authentication server. Access to the
network is only granted by the authenticator to successfully
authenticated hosts.
The above is implemented in the bridge using the "locked" bridge port
option. When enabled, link-local frames (e.g., EAPOL) can be locally
received by the bridge, but all other frames are dropped unless the host
is authenticated. That is, unless the user space control plane installed
an FDB entry according to which the source address of the frame is
located behind the locked ingress port. The entry can be dynamic, in
which case learning needs to be enabled so that the entry will be
refreshed by incoming traffic.
There are deployments in which not all the devices connected to the
authenticator (the bridge) support 802.1X. Such devices can include
printers and cameras. One option to support such deployments is to
unlock the bridge ports connecting these devices, but a slightly more
secure option is to use MAB. When MAB is enabled, the MAC address of the
connected device is used as the user name and password for the
authentication.
For MAB to work, the user space control plane needs to be notified about
MAC addresses that are trying to gain access so that they will be
compared against an allow list. This can be implemented via the regular
learning process with the sole difference that learned FDB entries are
installed with a new "locked" flag indicating that the entry cannot be
used to authenticate the device. The flag cannot be set by user space,
but user space can clear the flag by replacing the entry, thereby
authenticating the device.
Locked FDB entries implement the following semantics with regards to
roaming, aging and forwarding:
1. Roaming: Locked FDB entries can roam to unlocked (authorized) ports,
in which case the "locked" flag is cleared. FDB entries cannot roam
to locked ports regardless of MAB being enabled or not. Therefore,
locked FDB entries are only created if an FDB entry with the given {MAC,
VID} does not already exist. This behavior prevents unauthenticated
devices from disrupting traffic destined to already authenticated
devices.
2. Aging: Locked FDB entries age and refresh by incoming traffic like
regular entries.
3. Forwarding: Locked FDB entries forward traffic like regular entries.
If user space detects an unauthorized MAC behind a locked port and
wishes to prevent traffic with this MAC DA from reaching the host, it
can do so using tc or a different mechanism.
Enable the above behavior using a new bridge port option called "mab".
It can only be enabled on a bridge port that is both locked and has
learning enabled. Locked FDB entries are flushed from the port once MAB
is disabled. A new option is added because there are pure 802.1X
deployments that are not interested in notifications about locked FDB
entries.
Signed-off-by: Hans J. Schultz <netdev@kapio-technology.com>
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-11-02 03:39:21 +08:00
|
|
|
/* FDB match, but entry is locked. Refresh it and drop
|
|
|
|
* the packet.
|
|
|
|
*/
|
|
|
|
br_fdb_update(br, p, eth_hdr(skb)->h_source, vid,
|
|
|
|
BIT(BR_FDB_LOCKED));
|
|
|
|
goto drop;
|
|
|
|
}
|
2022-02-23 18:16:46 +08:00
|
|
|
}
|
|
|
|
|
2016-08-26 00:42:37 +08:00
|
|
|
nbp_switchdev_frame_mark(p, skb);
|
|
|
|
|
2005-05-30 05:15:55 +08:00
|
|
|
/* insert into forwarding database after filtering to avoid spoofing */
|
2013-06-05 22:08:00 +08:00
|
|
|
if (p->flags & BR_LEARNING)
|
2019-11-01 20:46:37 +08:00
|
|
|
br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, 0);
|
2005-05-30 05:15:55 +08:00
|
|
|
|
2016-08-31 21:36:51 +08:00
|
|
|
local_rcv = !!(br->dev->flags & IFF_PROMISC);
|
2019-07-02 20:00:20 +08:00
|
|
|
if (is_multicast_ether_addr(eth_hdr(skb)->h_dest)) {
|
2016-08-31 21:36:51 +08:00
|
|
|
/* by definition the broadcast is also a multicast address */
|
2019-07-02 20:00:20 +08:00
|
|
|
if (is_broadcast_ether_addr(eth_hdr(skb)->h_dest)) {
|
2016-08-31 21:36:51 +08:00
|
|
|
pkt_type = BR_PKT_BROADCAST;
|
|
|
|
local_rcv = true;
|
|
|
|
} else {
|
|
|
|
pkt_type = BR_PKT_MULTICAST;
|
2021-07-20 01:06:28 +08:00
|
|
|
if (br_multicast_rcv(&brmctx, &pmctx, vlan, skb, vid))
|
2016-08-31 21:36:51 +08:00
|
|
|
goto drop;
|
|
|
|
}
|
|
|
|
}
|
2010-02-28 03:41:48 +08:00
|
|
|
|
2020-01-24 19:40:22 +08:00
|
|
|
if (state == BR_STATE_LEARNING)
|
2006-02-10 09:08:52 +08:00
|
|
|
goto drop;
|
2005-12-22 11:00:18 +08:00
|
|
|
|
2010-02-28 03:41:40 +08:00
|
|
|
BR_INPUT_SKB_CB(skb)->brdev = br->dev;
|
2018-05-24 16:56:48 +08:00
|
|
|
BR_INPUT_SKB_CB(skb)->src_port_isolated = !!(p->flags & BR_ISOLATED);
|
2010-02-28 03:41:40 +08:00
|
|
|
|
2017-10-07 13:12:38 +08:00
|
|
|
if (IS_ENABLED(CONFIG_INET) &&
|
|
|
|
(skb->protocol == htons(ETH_P_ARP) ||
|
|
|
|
skb->protocol == htons(ETH_P_RARP))) {
|
|
|
|
br_do_proxy_suppress_arp(skb, br, vid, p);
|
2017-10-07 13:12:39 +08:00
|
|
|
} else if (IS_ENABLED(CONFIG_IPV6) &&
|
|
|
|
skb->protocol == htons(ETH_P_IPV6) &&
|
2018-09-26 22:01:05 +08:00
|
|
|
br_opt_get(br, BROPT_NEIGH_SUPPRESS_ENABLED) &&
|
2017-10-07 13:12:39 +08:00
|
|
|
pskb_may_pull(skb, sizeof(struct ipv6hdr) +
|
|
|
|
sizeof(struct nd_msg)) &&
|
|
|
|
ipv6_hdr(skb)->nexthdr == IPPROTO_ICMPV6) {
|
|
|
|
struct nd_msg *msg, _msg;
|
|
|
|
|
|
|
|
msg = br_is_nd_neigh_msg(skb, &_msg);
|
|
|
|
if (msg)
|
|
|
|
br_do_suppress_nd(skb, br, vid, p, msg);
|
2017-10-07 13:12:38 +08:00
|
|
|
}
|
2014-10-24 05:49:17 +08:00
|
|
|
|
2016-08-31 21:36:51 +08:00
|
|
|
switch (pkt_type) {
|
|
|
|
case BR_PKT_MULTICAST:
|
2023-10-25 20:30:11 +08:00
|
|
|
mdst = br_mdb_entry_skb_get(brmctx, skb, vid);
|
2013-08-01 07:06:20 +08:00
|
|
|
if ((mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) &&
|
2021-07-20 01:06:25 +08:00
|
|
|
br_multicast_querier_exists(brmctx, eth_hdr(skb), mdst)) {
|
2017-11-10 06:10:57 +08:00
|
|
|
if ((mdst && mdst->host_joined) ||
|
2021-07-20 01:06:25 +08:00
|
|
|
br_multicast_is_router(brmctx, skb)) {
|
2016-07-14 11:10:01 +08:00
|
|
|
local_rcv = true;
|
2023-09-18 17:13:51 +08:00
|
|
|
DEV_STATS_INC(br->dev, multicast);
|
2016-07-14 11:10:00 +08:00
|
|
|
}
|
|
|
|
mcast_hit = true;
|
2016-07-14 11:09:59 +08:00
|
|
|
} else {
|
2016-07-14 11:10:01 +08:00
|
|
|
local_rcv = true;
|
2023-09-18 17:13:51 +08:00
|
|
|
DEV_STATS_INC(br->dev, multicast);
|
2016-07-14 11:09:59 +08:00
|
|
|
}
|
2016-08-31 21:36:51 +08:00
|
|
|
break;
|
|
|
|
case BR_PKT_UNICAST:
|
2019-07-02 20:00:20 +08:00
|
|
|
dst = br_fdb_find_rcu(br, eth_hdr(skb)->h_dest, vid);
|
2021-03-10 13:41:15 +08:00
|
|
|
break;
|
2016-08-31 21:36:51 +08:00
|
|
|
default:
|
|
|
|
break;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2016-07-14 11:10:00 +08:00
|
|
|
if (dst) {
|
2017-02-08 00:46:46 +08:00
|
|
|
unsigned long now = jiffies;
|
|
|
|
|
2019-10-29 19:45:53 +08:00
|
|
|
if (test_bit(BR_FDB_LOCAL, &dst->flags))
|
2016-08-31 21:36:51 +08:00
|
|
|
return br_pass_frame_up(skb);
|
|
|
|
|
2017-02-08 00:46:46 +08:00
|
|
|
if (now != dst->used)
|
|
|
|
dst->used = now;
|
2016-07-14 11:10:02 +08:00
|
|
|
br_forward(dst->dst, skb, local_rcv, false);
|
2016-07-14 11:10:00 +08:00
|
|
|
} else {
|
|
|
|
if (!mcast_hit)
|
2023-04-19 23:34:53 +08:00
|
|
|
br_flood(br, skb, pkt_type, local_rcv, false, vid);
|
2016-07-14 11:10:00 +08:00
|
|
|
else
|
2021-07-20 01:06:25 +08:00
|
|
|
br_multicast_flood(mdst, skb, brmctx, local_rcv, false);
|
2007-09-17 07:20:48 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2016-07-14 11:10:01 +08:00
|
|
|
if (local_rcv)
|
|
|
|
return br_pass_frame_up(skb);
|
2010-02-28 03:41:39 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
out:
|
|
|
|
return 0;
|
2006-02-10 09:08:52 +08:00
|
|
|
drop:
|
|
|
|
kfree_skb(skb);
|
|
|
|
goto out;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2014-09-18 17:29:03 +08:00
|
|
|
EXPORT_SYMBOL_GPL(br_handle_frame_finish);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2016-06-07 17:06:58 +08:00
|
|
|
static void __br_handle_local_finish(struct sk_buff *skb)
|
2006-03-21 14:59:06 +08:00
|
|
|
{
|
2010-06-15 14:50:45 +08:00
|
|
|
struct net_bridge_port *p = br_port_get_rcu(skb->dev);
|
2013-02-13 20:00:16 +08:00
|
|
|
u16 vid = 0;
|
2006-03-21 14:59:06 +08:00
|
|
|
|
2014-05-26 14:15:53 +08:00
|
|
|
/* check if vlan is allowed, to avoid spoofing */
|
2018-11-24 10:34:21 +08:00
|
|
|
if ((p->flags & BR_LEARNING) &&
|
2019-11-04 17:36:51 +08:00
|
|
|
nbp_state_should_learn(p) &&
|
2018-11-24 10:34:21 +08:00
|
|
|
!br_opt_get(p->br, BROPT_NO_LL_LEARN) &&
|
|
|
|
br_should_learn(p, skb, &vid))
|
2019-11-01 20:46:37 +08:00
|
|
|
br_fdb_update(p->br, p, eth_hdr(skb)->h_source, vid, 0);
|
2016-06-07 17:06:58 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/* note: already called with rcu_read_lock */
|
|
|
|
static int br_handle_local_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
__br_handle_local_finish(skb);
|
2016-03-12 18:14:42 +08:00
|
|
|
|
2019-04-11 18:56:39 +08:00
|
|
|
/* return 1 to signal the okfn() was called so it's ok to use the skb */
|
|
|
|
return 1;
|
2006-03-21 14:59:06 +08:00
|
|
|
}
|
|
|
|
|
2019-04-11 22:36:41 +08:00
|
|
|
static int nf_hook_bridge_pre(struct sk_buff *skb, struct sk_buff **pskb)
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
|
|
|
|
struct nf_hook_entries *e = NULL;
|
|
|
|
struct nf_hook_state state;
|
|
|
|
unsigned int verdict, i;
|
|
|
|
struct net *net;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
net = dev_net(skb->dev);
|
|
|
|
#ifdef HAVE_JUMP_LABEL
|
|
|
|
if (!static_key_false(&nf_hooks_needed[NFPROTO_BRIDGE][NF_BR_PRE_ROUTING]))
|
|
|
|
goto frame_finish;
|
|
|
|
#endif
|
|
|
|
|
|
|
|
e = rcu_dereference(net->nf.hooks_bridge[NF_BR_PRE_ROUTING]);
|
|
|
|
if (!e)
|
|
|
|
goto frame_finish;
|
|
|
|
|
|
|
|
nf_hook_state_init(&state, NF_BR_PRE_ROUTING,
|
|
|
|
NFPROTO_BRIDGE, skb->dev, NULL, NULL,
|
|
|
|
net, br_handle_frame_finish);
|
|
|
|
|
|
|
|
for (i = 0; i < e->num_hook_entries; i++) {
|
|
|
|
verdict = nf_hook_entry_hookfn(&e->hooks[i], skb, &state);
|
|
|
|
switch (verdict & NF_VERDICT_MASK) {
|
|
|
|
case NF_ACCEPT:
|
2019-04-11 22:36:42 +08:00
|
|
|
if (BR_INPUT_SKB_CB(skb)->br_netfilter_broute) {
|
|
|
|
*pskb = skb;
|
|
|
|
return RX_HANDLER_PASS;
|
|
|
|
}
|
2019-04-11 22:36:41 +08:00
|
|
|
break;
|
|
|
|
case NF_DROP:
|
|
|
|
kfree_skb(skb);
|
|
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
case NF_QUEUE:
|
2019-07-03 02:41:14 +08:00
|
|
|
ret = nf_queue(skb, &state, i, verdict);
|
2019-04-11 22:36:41 +08:00
|
|
|
if (ret == 1)
|
|
|
|
continue;
|
|
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
default: /* STOLEN */
|
|
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
frame_finish:
|
|
|
|
net = dev_net(skb->dev);
|
|
|
|
br_handle_frame_finish(net, NULL, skb);
|
|
|
|
#else
|
|
|
|
br_handle_frame_finish(dev_net(skb->dev), NULL, skb);
|
|
|
|
#endif
|
|
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
}
|
|
|
|
|
2020-10-27 18:02:42 +08:00
|
|
|
/* Return 0 if the frame was not processed otherwise 1
|
|
|
|
* note: already called with rcu_read_lock
|
|
|
|
*/
|
|
|
|
static int br_process_frame_type(struct net_bridge_port *p,
|
|
|
|
struct sk_buff *skb)
|
|
|
|
{
|
|
|
|
struct br_frame_type *tmp;
|
|
|
|
|
|
|
|
hlist_for_each_entry_rcu(tmp, &p->br->frame_type_list, list)
|
|
|
|
if (unlikely(tmp->type == skb->protocol))
|
|
|
|
return tmp->frame_handler(p, skb);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2007-03-22 04:38:47 +08:00
|
|
|
* Return NULL if skb is handled
|
2010-07-27 16:26:30 +08:00
|
|
|
* note: already called with rcu_read_lock
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2020-05-11 00:37:40 +08:00
|
|
|
static rx_handler_result_t br_handle_frame(struct sk_buff **pskb)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2010-06-02 05:52:08 +08:00
|
|
|
struct net_bridge_port *p;
|
2011-03-12 11:14:39 +08:00
|
|
|
struct sk_buff *skb = *pskb;
|
2005-04-17 06:20:36 +08:00
|
|
|
const unsigned char *dest = eth_hdr(skb)->h_dest;
|
|
|
|
|
2010-08-23 01:35:32 +08:00
|
|
|
if (unlikely(skb->pkt_type == PACKET_LOOPBACK))
|
2011-03-12 11:14:39 +08:00
|
|
|
return RX_HANDLER_PASS;
|
2010-06-02 05:52:08 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
if (!is_valid_ether_addr(eth_hdr(skb)->h_source))
|
2007-03-22 04:42:06 +08:00
|
|
|
goto drop;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2007-10-14 15:39:01 +08:00
|
|
|
skb = skb_share_check(skb, GFP_ATOMIC);
|
|
|
|
if (!skb)
|
2011-03-12 11:14:39 +08:00
|
|
|
return RX_HANDLER_CONSUMED;
|
2007-10-14 15:39:01 +08:00
|
|
|
|
2019-04-11 22:36:40 +08:00
|
|
|
memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
|
skbuff: bridge: Add layer 2 miss indication
For EVPN non-DF (Designated Forwarder) filtering we need to be able to
prevent decapsulated traffic from being flooded to a multi-homed host.
Filtering of multicast and broadcast traffic can be achieved using the
following flower filter:
# tc filter add dev bond0 egress pref 1 proto all flower indev vxlan0 dst_mac 01:00:00:00:00:00/01:00:00:00:00:00 action drop
Unlike broadcast and multicast traffic, it is not currently possible to
filter unknown unicast traffic. The classification into unknown unicast
is performed by the bridge driver, but is not visible to other layers
such as tc.
Solve this by adding a new 'l2_miss' bit to the tc skb extension. Clear
the bit whenever a packet enters the bridge (received from a bridge port
or transmitted via the bridge) and set it if the packet did not match an
FDB or MDB entry. If there is no skb extension and the bit needs to be
cleared, then do not allocate one as no extension is equivalent to the
bit being cleared. The bit is not set for broadcast packets as they
never perform a lookup and therefore never incur a miss.
A bit that is set for every flooded packet would also work for the
current use case, but it does not allow us to differentiate between
registered and unregistered multicast traffic, which might be useful in
the future.
To keep the performance impact to a minimum, the marking of packets is
guarded by the 'tc_skb_ext_tc' static key. When 'false', the skb is not
touched and an skb extension is not allocated. Instead, only a
5 bytes nop is executed, as demonstrated below for the call site in
br_handle_frame().
Before the patch:
```
memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
c37b09: 49 c7 44 24 28 00 00 movq $0x0,0x28(%r12)
c37b10: 00 00
p = br_port_get_rcu(skb->dev);
c37b12: 49 8b 44 24 10 mov 0x10(%r12),%rax
memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
c37b17: 49 c7 44 24 30 00 00 movq $0x0,0x30(%r12)
c37b1e: 00 00
c37b20: 49 c7 44 24 38 00 00 movq $0x0,0x38(%r12)
c37b27: 00 00
```
After the patch (when static key is disabled):
```
memset(skb->cb, 0, sizeof(struct br_input_skb_cb));
c37c29: 49 c7 44 24 28 00 00 movq $0x0,0x28(%r12)
c37c30: 00 00
c37c32: 49 8d 44 24 28 lea 0x28(%r12),%rax
c37c37: 48 c7 40 08 00 00 00 movq $0x0,0x8(%rax)
c37c3e: 00
c37c3f: 48 c7 40 10 00 00 00 movq $0x0,0x10(%rax)
c37c46: 00
#ifdef CONFIG_HAVE_JUMP_LABEL_HACK
static __always_inline bool arch_static_branch(struct static_key *key, bool branch)
{
asm_volatile_goto("1:"
c37c47: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
br_tc_skb_miss_set(skb, false);
p = br_port_get_rcu(skb->dev);
c37c4c: 49 8b 44 24 10 mov 0x10(%r12),%rax
```
Subsequent patches will extend the flower classifier to be able to match
on the new 'l2_miss' bit and enable / disable the static key when
filters that match on it are added / deleted.
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Acked-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2023-05-29 19:48:28 +08:00
|
|
|
br_tc_skb_miss_set(skb, false);
|
2019-04-11 22:36:40 +08:00
|
|
|
|
2010-06-15 14:50:45 +08:00
|
|
|
p = br_port_get_rcu(skb->dev);
|
2021-08-23 18:21:18 +08:00
|
|
|
if (p->flags & BR_VLAN_TUNNEL)
|
|
|
|
br_handle_ingress_vlan_tunnel(skb, p, nbp_vlan_group_rcu(p));
|
2010-06-02 05:52:08 +08:00
|
|
|
|
2012-11-01 17:11:11 +08:00
|
|
|
if (unlikely(is_link_local_ether_addr(dest))) {
|
2014-06-10 19:59:24 +08:00
|
|
|
u16 fwd_mask = p->br->group_fwd_mask_required;
|
|
|
|
|
2011-10-04 02:14:46 +08:00
|
|
|
/*
|
|
|
|
* See IEEE 802.1D Table 7-10 Reserved addresses
|
|
|
|
*
|
|
|
|
* Assignment Value
|
|
|
|
* Bridge Group Address 01-80-C2-00-00-00
|
|
|
|
* (MAC Control) 802.3 01-80-C2-00-00-01
|
|
|
|
* (Link Aggregation) 802.3 01-80-C2-00-00-02
|
|
|
|
* 802.1X PAE address 01-80-C2-00-00-03
|
|
|
|
*
|
|
|
|
* 802.1AB LLDP 01-80-C2-00-00-0E
|
|
|
|
*
|
|
|
|
* Others reserved for future standardization
|
|
|
|
*/
|
2017-09-27 21:12:44 +08:00
|
|
|
fwd_mask |= p->group_fwd_mask;
|
2011-10-04 02:14:46 +08:00
|
|
|
switch (dest[5]) {
|
|
|
|
case 0x00: /* Bridge Group Address */
|
|
|
|
/* If STP is turned off,
|
|
|
|
then must forward to keep loop detection */
|
2014-06-10 19:59:24 +08:00
|
|
|
if (p->br->stp_enabled == BR_NO_STP ||
|
|
|
|
fwd_mask & (1u << dest[5]))
|
2011-10-04 02:14:46 +08:00
|
|
|
goto forward;
|
2016-06-07 17:06:58 +08:00
|
|
|
*pskb = skb;
|
|
|
|
__br_handle_local_finish(skb);
|
|
|
|
return RX_HANDLER_PASS;
|
2011-10-04 02:14:46 +08:00
|
|
|
|
|
|
|
case 0x01: /* IEEE MAC (Pause) */
|
2007-04-26 13:05:55 +08:00
|
|
|
goto drop;
|
|
|
|
|
2016-07-22 19:56:20 +08:00
|
|
|
case 0x0E: /* 802.1AB LLDP */
|
|
|
|
fwd_mask |= p->br->group_fwd_mask;
|
|
|
|
if (fwd_mask & (1u << dest[5]))
|
|
|
|
goto forward;
|
|
|
|
*pskb = skb;
|
|
|
|
__br_handle_local_finish(skb);
|
|
|
|
return RX_HANDLER_PASS;
|
|
|
|
|
2011-10-04 02:14:46 +08:00
|
|
|
default:
|
|
|
|
/* Allow selective forwarding for most other protocols */
|
2014-06-10 19:59:24 +08:00
|
|
|
fwd_mask |= p->br->group_fwd_mask;
|
|
|
|
if (fwd_mask & (1u << dest[5]))
|
2011-10-04 02:14:46 +08:00
|
|
|
goto forward;
|
|
|
|
}
|
2009-05-15 14:10:13 +08:00
|
|
|
|
2019-04-11 18:56:39 +08:00
|
|
|
/* The else clause should be hit when nf_hook():
|
|
|
|
* - returns < 0 (drop/error)
|
|
|
|
* - returns = 0 (stolen/nf_queue)
|
|
|
|
* Thus return 1 from the okfn() to signal the skb is ok to pass
|
|
|
|
*/
|
|
|
|
if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN,
|
|
|
|
dev_net(skb->dev), NULL, skb, skb->dev, NULL,
|
|
|
|
br_handle_local_finish) == 1) {
|
|
|
|
return RX_HANDLER_PASS;
|
|
|
|
} else {
|
|
|
|
return RX_HANDLER_CONSUMED;
|
|
|
|
}
|
2007-04-26 13:05:55 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2020-10-27 18:02:42 +08:00
|
|
|
if (unlikely(br_process_frame_type(p, skb)))
|
2020-04-26 21:22:07 +08:00
|
|
|
return RX_HANDLER_PASS;
|
|
|
|
|
2009-05-15 14:10:13 +08:00
|
|
|
forward:
|
net: bridge: mst: Multiple Spanning Tree (MST) mode
Allow the user to switch from the current per-VLAN STP mode to an MST
mode.
Up to this point, per-VLAN STP states where always isolated from each
other. This is in contrast to the MSTP standard (802.1Q-2018, Clause
13.5), where VLANs are grouped into MST instances (MSTIs), and the
state is managed on a per-MSTI level, rather that at the per-VLAN
level.
Perhaps due to the prevalence of the standard, many switching ASICs
are built after the same model. Therefore, add a corresponding MST
mode to the bridge, which we can later add offloading support for in a
straight-forward way.
For now, all VLANs are fixed to MSTI 0, also called the Common
Spanning Tree (CST). That is, all VLANs will follow the port-global
state.
Upcoming changes will make this actually useful by allowing VLANs to
be mapped to arbitrary MSTIs and allow individual MSTI states to be
changed.
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-03-16 23:08:43 +08:00
|
|
|
if (br_mst_is_enabled(p->br))
|
|
|
|
goto defer_stp_filtering;
|
|
|
|
|
2007-03-22 04:42:06 +08:00
|
|
|
switch (p->state) {
|
|
|
|
case BR_STATE_FORWARDING:
|
|
|
|
case BR_STATE_LEARNING:
|
net: bridge: mst: Multiple Spanning Tree (MST) mode
Allow the user to switch from the current per-VLAN STP mode to an MST
mode.
Up to this point, per-VLAN STP states where always isolated from each
other. This is in contrast to the MSTP standard (802.1Q-2018, Clause
13.5), where VLANs are grouped into MST instances (MSTIs), and the
state is managed on a per-MSTI level, rather that at the per-VLAN
level.
Perhaps due to the prevalence of the standard, many switching ASICs
are built after the same model. Therefore, add a corresponding MST
mode to the bridge, which we can later add offloading support for in a
straight-forward way.
For now, all VLANs are fixed to MSTI 0, also called the Common
Spanning Tree (CST). That is, all VLANs will follow the port-global
state.
Upcoming changes will make this actually useful by allowing VLANs to
be mapped to arbitrary MSTIs and allow individual MSTI states to be
changed.
Signed-off-by: Tobias Waldekranz <tobias@waldekranz.com>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2022-03-16 23:08:43 +08:00
|
|
|
defer_stp_filtering:
|
bridge: Convert compare_ether_addr to ether_addr_equal
Use the new bool function ether_addr_equal to add
some clarity and reduce the likelihood for misuse
of compare_ether_addr for sorting.
Done via cocci script:
$ cat compare_ether_addr.cocci
@@
expression a,b;
@@
- !compare_ether_addr(a, b)
+ ether_addr_equal(a, b)
@@
expression a,b;
@@
- compare_ether_addr(a, b)
+ !ether_addr_equal(a, b)
@@
expression a,b;
@@
- !ether_addr_equal(a, b) == 0
+ ether_addr_equal(a, b)
@@
expression a,b;
@@
- !ether_addr_equal(a, b) != 0
+ !ether_addr_equal(a, b)
@@
expression a,b;
@@
- ether_addr_equal(a, b) == 0
+ !ether_addr_equal(a, b)
@@
expression a,b;
@@
- ether_addr_equal(a, b) != 0
+ ether_addr_equal(a, b)
@@
expression a,b;
@@
- !!ether_addr_equal(a, b)
+ ether_addr_equal(a, b)
Signed-off-by: Joe Perches <joe@perches.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2012-05-09 02:56:49 +08:00
|
|
|
if (ether_addr_equal(p->br->dev->dev_addr, dest))
|
2005-04-17 06:20:36 +08:00
|
|
|
skb->pkt_type = PACKET_HOST;
|
|
|
|
|
2019-04-11 22:36:41 +08:00
|
|
|
return nf_hook_bridge_pre(skb, pskb);
|
2007-03-22 04:42:06 +08:00
|
|
|
default:
|
|
|
|
drop:
|
|
|
|
kfree_skb(skb);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2011-03-12 11:14:39 +08:00
|
|
|
return RX_HANDLER_CONSUMED;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2020-05-11 00:37:40 +08:00
|
|
|
|
|
|
|
/* This function has no purpose other than to appease the br_port_get_rcu/rtnl
|
|
|
|
* helpers which identify bridged ports according to the rx_handler installed
|
|
|
|
* on them (so there _needs_ to be a bridge rx_handler even if we don't need it
|
|
|
|
* to do anything useful). This bridge won't support traffic to/from the stack,
|
|
|
|
* but only hardware bridging. So return RX_HANDLER_PASS so we don't steal
|
|
|
|
* frames from the ETH_P_XDSA packet_type handler.
|
|
|
|
*/
|
|
|
|
static rx_handler_result_t br_handle_frame_dummy(struct sk_buff **pskb)
|
|
|
|
{
|
|
|
|
return RX_HANDLER_PASS;
|
|
|
|
}
|
|
|
|
|
|
|
|
rx_handler_func_t *br_get_rx_handler(const struct net_device *dev)
|
|
|
|
{
|
|
|
|
if (netdev_uses_dsa(dev))
|
|
|
|
return br_handle_frame_dummy;
|
|
|
|
|
|
|
|
return br_handle_frame;
|
|
|
|
}
|
2020-10-27 18:02:42 +08:00
|
|
|
|
|
|
|
void br_add_frame(struct net_bridge *br, struct br_frame_type *ft)
|
|
|
|
{
|
|
|
|
hlist_add_head_rcu(&ft->list, &br->frame_type_list);
|
|
|
|
}
|
|
|
|
|
|
|
|
void br_del_frame(struct net_bridge *br, struct br_frame_type *ft)
|
|
|
|
{
|
|
|
|
struct br_frame_type *tmp;
|
|
|
|
|
|
|
|
hlist_for_each_entry(tmp, &br->frame_type_list, list)
|
|
|
|
if (ft == tmp) {
|
|
|
|
hlist_del_rcu(&ft->list);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
}
|