03 Jan, 2013
2 commits
-
This patch adds empty br_mdb_init() and br_mdb_uninit() definitions in
br_private.h to avoid build failure when CONFIG_BRIDGE_IGMP_SNOOPING is not set.
These methods were moved from br_multicast.c to br_netlink.c by
commit 3ec8e9f085bcaef0de1077f555c2c5102c223390.

Signed-off-by: Rami Rosen
Signed-off-by: David S. Miller
-
Commit 63233159fd4e596568f5f168ecb0879b61631d47:
bridge: Do not unregister all PF_BRIDGE rtnl operations
introduced a bug where a removal of a single bridge from a
multi-bridge system would remove MDB netlink handlers.
The handlers should only be removed once all bridges are gone, but
since we don't keep track of the number of bridge interfaces, it's
simpler to do it when the bridge module is unloaded. To make it
consistent, move the registration code into module initialization
code path.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
22 Dec, 2012
1 commit
-
When netdev_set_master fails in br_add_if, we should
call br_netpoll_disable to do some cleanup jobs, such
as freeing the memory of struct netpoll which was allocated
in br_netpoll_enable.

Signed-off-by: Gao feng
Acked-by: Cong Wang
Signed-off-by: David S. Miller
20 Dec, 2012
2 commits
-
When dumping mdb table, set the addresses the kernel returns
based on the address protocol type.

Signed-off-by: Vlad Yasevich
Acked-by: Cong Wang
Signed-off-by: David S. Miller -
Bridge fdb and link rtnl operations are registered in
core/rtnetlink. Bridge mdb operations are registered
in bridge/mdb. When removing bridge module, do not
unregister ALL PF_BRIDGE ops since that would remove
the ops from rtnetlink as well. Do remove mdb ops when
bridge is destroyed.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
16 Dec, 2012
1 commit
-
This patch adds a flag to each mdb entry, so that we can distinguish
permanent entries from temporary entries.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
15 Dec, 2012
1 commit
-
As suggested by Stephen Hemminger, this removes the temporary variable
introduced in commit eca2a43bb0d2c6ebd528be6acb30a88435abe307
("bridge: fix icmpv6 endian bug and other sparse warnings").

Signed-off-by: Ang Way Chuang
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller
14 Dec, 2012
1 commit
-
Fix the warnings reported by sparse on recent bridge multicast
changes. Mostly just rcu annotation issues, but in this case
sparse found a real bug! The ICMPv6 mld2 query mrc
value is in network byte order.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
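As an added illustration of the byte-order bug the commit above describes (example code written for this page, not from the kernel tree), the constructed MLDv2 query below shows how consuming the Maximum Response Code field without converting it from network byte order yields a wrong query timer; the packet bytes, offsets and helper names are assumptions, while the decoding formula follows RFC 3810 section 5.1.3.

```c
#include <stdint.h>
#include <string.h>

/* Constructed MLDv2 General Query (RFC 3810 section 5.1) as seen on the
 * wire. Bytes 4..5 are the Maximum Response Code in network byte order;
 * here it is 0xA3E8, i.e. exponent 2, mantissa 0x3E8 (sample values). */
static const uint8_t mld2_query_wire[] = {
    0x82, 0x00,                                     /* type 130, code 0 */
    0x00, 0x00,                                     /* checksum (unused here) */
    0xA3, 0xE8,                                     /* Maximum Response Code */
    0x00, 0x00,                                     /* reserved */
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, /* multicast address :: */
    0x02,                                           /* Resv|S|QRV, QRV = 2 */
    0x7D,                                           /* QQIC = 125 s */
    0x00, 0x00                                      /* number of sources */
};

#define MLD2Q_MRC_OFFSET 4 /* assumed offset of the 16-bit field */

/* RFC 3810 section 5.1.3: expand the 16-bit Maximum Response Code into a
 * delay in milliseconds. Codes >= 32768 use a float-like exp/mant form. */
unsigned long mldv2_max_resp_delay_ms(uint16_t mrc)
{
    if (mrc < 32768)
        return mrc;
    unsigned long exp = (mrc >> 12) & 0x7;
    unsigned long mant = mrc & 0xfff;
    return (mant | 0x1000) << (exp + 3);
}

/* The defect sparse flagged: the field is consumed as if it were already
 * in host byte order. On a little-endian host the two bytes are swapped,
 * so the bridge would arm its query timer with the wrong delay. */
uint16_t mrc_read_buggy(const uint8_t *pkt)
{
    uint16_t v;
    memcpy(&v, pkt + MLD2Q_MRC_OFFSET, sizeof v);
    return v;
}

/* Correct read: assemble the big-endian field explicitly (equivalent to
 * ntohs() on a __be16 field), independent of host endianness. */
uint16_t mrc_read_fixed(const uint8_t *pkt)
{
    const uint8_t *p = pkt + MLD2Q_MRC_OFFSET;
    return (uint16_t)((p[0] << 8) | p[1]);
}
```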
13 Dec, 2012
2 commits
-
This patch implements adding/deleting mdb entries via netlink.
Currently all entries are temp, we probably need a flag to distinguish
permanent entries too.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Cc: Thomas Graf
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller -
As Stephen mentioned, we need to monitor the mdb
changes in user-space, so add notifications via netlink too.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Cc: Thomas Graf
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
12 Dec, 2012
1 commit
-
In case of rehashing, introduce a global variable 'br_mdb_rehash_seq'
which gets increased every time rehashing happens, and assign
net->dev_base_seq + br_mdb_rehash_seq to cb->seq.

In theory cb->seq could be wrapped to zero, but this is not
easy to fix, as net->dev_base_seq is not visible inside
br_mdb_rehash(). In practice, this is rare.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Cc: Thomas Graf
Cc: Jesper Dangaard Brouer
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
11 Dec, 2012
1 commit
-
We pass IFLA_BRPORT_MAX to nla_parse_nested() so we need
IFLA_BRPORT_MAX + 1 elements. Also Smatch complains that we read past
the end of the array in br_set_port_flag() when it's called with
IFLA_BRPORT_FAST_LEAVE.

Signed-off-by: Dan Carpenter
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller
08 Dec, 2012
1 commit
-
V5: fix two bugs pointed out by Thomas
    remove seq check for now, mark it as TODO
V4: remove some useless #include
    some coding style fix
V3: drop debugging printk's
    update selinux perm table as well
V2: drop patch 1/2, export ifindex directly
    Redesign netlink attributes
    Improve netlink seq check
    Handle IPv6 addr as well

This patch exports bridge multicast database via netlink
message type RTM_GETMDB. Similar to fdb, but currently bridge-specific.
We may need to support modify multicast database too (RTM_{ADD,DEL}MDB).

(Thanks to Thomas for patient reviews)
Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Cc: Thomas Graf
Cc: Jesper Dangaard Brouer
Signed-off-by: Cong Wang
Acked-by: Thomas Graf
Signed-off-by: David S. Miller
06 Dec, 2012
2 commits
-
V3: make it a flag
V2: make the toggle per-port

Fast leave allows the bridge to immediately stop the multicast
traffic on the port that receives an IGMP Leave when IGMP snooping is enabled;
no timeouts are observed.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Signed-off-by: Cong Wang -
V2: make the toggle per-port
Fast leave allows the bridge to immediately stop the multicast
traffic on the port that receives an IGMP Leave when IGMP snooping is enabled;
no timeouts are observed.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
19 Nov, 2012
3 commits
-
- Only allow moving network devices to network namespaces you have
  CAP_NET_ADMIN privileges over.
- Enable creating/deleting/modifying interfaces
- Enable adding/deleting addresses
- Enable adding/setting/deleting neighbour entries
- Enable adding/removing routes
- Enable adding/removing fib rules
- Enable setting the forwarding state
- Enable adding/removing ipv6 address labels
- Enable setting bridge parameters

Signed-off-by: "Eric W. Biederman"
Signed-off-by: David S. Miller -
Allow an unprivileged user who has created a user namespace, and then
created a network namespace to effectively use the new network
namespace, by reducing capable(CAP_NET_ADMIN) and
capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

Allow setting bridge parameters via sysfs.

Allow all of the bridge ioctls:
BRCTL_ADD_IF
BRCTL_DEL_IF
BRCTL_SET_BRIDGE_FORWARD_DELAY
BRCTL_SET_BRIDGE_HELLO_TIME
BRCTL_SET_BRIDGE_MAX_AGE
BRCTL_SET_BRIDGE_AGING_TIME
BRCTL_SET_BRIDGE_STP_STATE
BRCTL_SET_BRIDGE_PRIORITY
BRCTL_SET_PORT_PRIORITY
BRCTL_SET_PATH_COST
BRCTL_ADD_BRIDGE
BRCTL_DEL_BRIDGE

Signed-off-by: "Eric W. Biederman"
Signed-off-by: David S. Miller -
- In rtnetlink_rcv_msg convert the capable(CAP_NET_ADMIN) check
  to ns_capable(net->user_ns, CAP_NET_ADMIN). Allowing unprivileged
  users to make netlink calls to modify their local network
  namespace.
- In the rtnetlink doit methods add capable(CAP_NET_ADMIN) so
  that calls that are not safe for unprivileged users are still
  protected.

Later patches will remove the extra capable calls from methods
that are safe for unprivileged users.

Acked-by: Serge Hallyn
Signed-off-by: "Eric W. Biederman"
Signed-off-by: David S. Miller
15 Nov, 2012
4 commits
-
This is the Linux bridge implementation of root port guard.
If a BPDU is received from a leaf (edge) port, it should not
be elected as root port.

Why would you want to do this?
If using STP on a bridge and the downstream bridges are not fully
trusted; this prevents a hostile guest from rerouting traffic.

Why not just use netfilter?
Netfilter does not track or follow spanning tree decisions.
It would be difficult and error prone to try and mirror STP
resolution in netfilter module.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
This is the Linux bridge implementation of STP protection
(Cisco BPDU guard/Juniper BPDU block). BPDU block disables
the bridge port if an STP BPDU packet is received.

Why would you want to do this?
If running Spanning Tree on a bridge, hostile devices on the network
may send BPDUs and cause network failure. Enabling bpdu block
will detect and stop this.

How to recover the port?
The port will be restarted if the link is brought down, or
removed and reattached. For example:
# ip li set dev eth0 down; ip li set dev eth0 up

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
Provide macro to build sysfs data structures and functions
for accessing flag bits. If flag bits change do netlink
notification.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller -
Expose bridge port parameter over netlink. By switching to a nested
message, this can be used for other bridge parameters.

This changes the IFLA_PROTINFO attribute from one byte to a full nested
set of attributes. This is safe for the application interface because the
old message used IFLA_PROTINFO and the new one uses
IFLA_PROTINFO | NLA_F_NESTED.

The code adapts to old format requests, and therefore stays
compatible with the user mode RSTP daemon. Since the type field
for nested and unnested attributes is different, and the old
code in libnetlink doesn't do the mask, it is also safe to use
with old versions of the bridge monitor command.

Note: although mode is only a boolean, treating it as a
full byte since in the future someone will probably want to add more
values (like macvlan has).

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
04 Nov, 2012
1 commit
-
Instead of issuing (0) statements when !CONFIG_SYSFS which will cause
'warning: ', we'll use inline statements instead. This will effectively
do the same thing, but suppress any unnecessary warnings.

Cc: Stephen Hemminger
Cc: bridge@lists.linux-foundation.org
Cc: netdev@vger.kernel.org
Signed-off-by: Lee Jones
Signed-off-by: David S. Miller
03 Nov, 2012
3 commits
-
Since this array is no longer part of the bridge driver, it should
have an 'eth' prefix not 'br'.

We also assume that either it's 16-bit-aligned or the architecture has
efficient unaligned access. Ensure the first of these is true by
explicitly aligning it.

Signed-off-by: Ben Hutchings
Acked-by: John Fastabend
Signed-off-by: David S. Miller -
Function name should include '_ether_addr'.
Return type should be bool.
Parameter name should be 'addr' not 'dest' (also matching kernel-doc).

Signed-off-by: Ben Hutchings
Acked-by: John Fastabend
Signed-off-by: David S. Miller -
Parse the string into an array of bytes rather than ints, so we can
use is_link_local() rather than reimplementing it.

Signed-off-by: Ben Hutchings
Signed-off-by: David S. Miller
01 Nov, 2012
3 commits
-
Jeff Kirsher says:
====================
This series contains updates to ixgbe, ixgbevf, igbvf, igb and
networking core (bridge). Most notable is the addition of support
for local link multicast addresses in SR-IOV mode to the networking
core.

Also note, the ixgbe patches "ixgbe: Add support for pipeline reset" and
"ixgbe: Fix return value from macvlan filter function" are revised based
on community feedback.
====================

Signed-off-by: David S. Miller
-
Hardware switches may support enabling and disabling the
loopback switch which puts the device in a VEPA mode defined
in the IEEE 802.1Qbg specification. In this mode frames are
not switched in the hardware but sent directly to the switch.
SR-IOV capable NICs will likely support this mode; I am
aware of at least two such devices. Also I am told (but don't
have any of this hardware available) that there are devices
that only support VEPA modes. In these cases it is important
at a minimum to be able to query these attributes.

This patch adds an additional IFLA_BRIDGE_MODE attribute that can be
set and dumped via the PF_BRIDGE:{SET|GET}LINK operations. Also
anticipating bridge attributes that may be common for both embedded
bridges and software bridges this adds a flags attribute
IFLA_BRIDGE_FLAGS currently used to determine if the command or event
is being generated to/from an embedded bridge or software bridge.
Finally, the event generation is pulled out of the bridge module and
into rtnetlink proper.

For example using the macvlan driver in VEPA mode on top of
an embedded switch requires putting the embedded switch into
a VEPA mode to get the expected results.

[ASCII diagram of two VEPA instances; only the "VEPA" box labels survived extraction]

CC: Stephen Hemminger
Signed-off-by: John Fastabend
Signed-off-by: David S. Miller -
The PF_BRIDGE:RTM_{GET|SET}LINK nlmsg family and type are
currently embedded in the ./net/bridge module. This prohibits
them from being used by other bridging devices. One example
of this being hardware that has embedded bridging components.

In order to use these nlmsg types more generically this patch
adds two net_device_ops hooks. One to set link bridge attributes
and another to dump the current bridge attributes.

ndo_bridge_setlink()
ndo_bridge_getlink()

CC: Lennert Buytenhek
CC: Stephen Hemminger
Signed-off-by: John Fastabend
Signed-off-by: David S. Miller
30 Oct, 2012
1 commit
-
In SR-IOV mode the PF driver acts as the uplink port and is
used to send control packets e.g. lldpad, stp, etc.

[ASCII diagram of eth0.1 (VF), eth0.2 (VF) and eth0 (PF); rest of the figure was lost in extraction]

Tested-by: Phil Schmitt
Tested-by: Sibai Li
Signed-off-by: Jeff Kirsher
11 Oct, 2012
1 commit
-
If lower layer driver leaves the ip header in the skb fragment, it needs to
be first pulled into skb->data before inspecting ip header length or ip version
number.

Signed-off-by: Sarveshwar Bandi
Signed-off-by: David S. Miller
02 Oct, 2012
1 commit
-
Later changes need to be able to refer to neighbour attributes
when doing fdb_add.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
20 Sep, 2012
1 commit
-
The internal functions for add/deleting addresses don't change
their argument.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
15 Sep, 2012
1 commit
-
Conflicts:
net/netfilter/nfnetlink_log.c
net/netfilter/xt_LOG.c

Rather easy conflict resolution, the 'net' tree had bug fixes to make
sure we checked if a socket is a time-wait one or not and elide the
logging code if so.

Whereas on the 'net-next' side we are calculating the UID and GID from
the creds using different interfaces due to the user namespace changes
from Eric Biederman.

Signed-off-by: David S. Miller
12 Sep, 2012
1 commit
-
auto75914331@hushmail.com reports that iptables does not correctly
output the KERN_.

$IPTABLES -A RULE_0_in -j LOG --log-level notice --log-prefix "DENY in: "

result with linux 3.6-rc5
Sep 12 06:37:29 xxxxx kernel: DENY in: IN=eth0 OUT= MAC=.......

result with linux 3.5.3 and older:
Sep 9 10:43:01 xxxxx kernel: DENY in: IN=eth0 OUT= MAC......

commit 04d2c8c83d0
("printk: convert the format for KERN_ to a 2 byte pattern")
updated the syslog header style but did not update netfilter uses.

Do so.

Use KERN_SOH and string concatenation instead of "%c" KERN_SOH_ASCII
as suggested by Eric Dumazet.

Signed-off-by: Joe Perches
cc: auto75914331@hushmail.com
Signed-off-by: Pablo Neira Ayuso
11 Sep, 2012
1 commit
-
It is a frequent mistake to confuse the netlink port identifier with a
process identifier. Try to reduce this confusion by renaming fields
that hold port identifiers portid instead of pid.

I have carefully avoided changing the structures exported to
userspace to avoid changing the userspace API.

I have successfully built an allyesconfig kernel with this change.
Signed-off-by: "Eric W. Biederman"
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller
09 Sep, 2012
1 commit
-
This patch defines netlink_kernel_create as a wrapper function of
__netlink_kernel_create to hide the struct module *me parameter
(which seems to be THIS_MODULE in all existing netlink subsystems).

Suggested by David S. Miller.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: David S. Miller
23 Aug, 2012
2 commits
-
Pablo Neira Ayuso says:
====================
This is the first batch of Netfilter and IPVS updates for your
net-next tree. Mostly cleanups for the Netfilter side. They are:

* Remove unnecessary RTNL locking now that we have support
  for namespace in nf_conntrack, from Patrick McHardy.

* Cleanup to eliminate unnecessary goto in the initialization
  path of several Netfilter tables, from Jean Sacren.

* Another cleanup from Wu Fengguang, this time to PTR_RET instead
  of if IS_ERR then return PTR_ERR.

* Use list_for_each_entry_continue_rcu in nf_iterate, from
  Michael Wang.

* Add pmtu_disc sysctl option to disable PMTU in their tunneling
  transmitter, from Julian Anastasov.

* Generalize application protocol registration in IPVS and modify
  IPVS FTP helper to use it, from Julian Anastasov.

* update Kconfig. The IPVS FTP helper depends on the Netfilter FTP
  helper for NAT support, from Julian Anastasov.

* Add logic to update PMTU for IPIP packets in IPVS, again
  from Julian Anastasov.

* A couple of sparse warning fixes for IPVS and Netfilter from
  Claudiu Ghioc and Patrick McHardy respectively.

Patrick's IPv6 NAT changes will follow after this batch, I need
to flush this batch first before refreshing my tree.
====================

Signed-off-by: David S. Miller
16 Aug, 2012
1 commit
-
Alternative solution for problem found by Linux Driver Verification
project (linuxtesting.org).

As noted in the comment before the br_handle_frame_finish
function, this function should be called under rcu_read_lock.

The problem callgraph:
br_dev_xmit -> br_nf_pre_routing_finish_bridge_slow ->
-> br_handle_frame_finish -> br_port_get_rcu -> rcu_dereference

And in this case there is no read-lock section.
Reported-by: Denis Efremov
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller