31 May, 2019

1 commit

  • Based on 1 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license as published by
    the free software foundation either version 2 of the license or at
    your option any later version

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-or-later

    has been chosen to replace the boilerplate/reference in 3029 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

26 Nov, 2018

1 commit

  • A recent change added a null check on p->dev after p->dev was being
    dereferenced by the ns_capable check on p->dev. It turns out that
    neither the p->dev nor the p->br null check is necessary, and both can be
    removed, which cleans up a static analysis warning.

    As Nikolay Aleksandrov noted, these checks can be removed because:

    "My reasoning of why it shouldn't be possible:
    - On port add new_nbp() sets both p->dev and p->br before creating
    kobj/sysfs

    - On port del (trickier) del_nbp() calls kobject_del() before call_rcu()
    to destroy the port which in turn calls sysfs_remove_dir() which uses
    kernfs_remove() which deactivates (shouldn't be able to open new
    files) and calls kernfs_drain() to drain current open/mmaped files in
    the respective dir before continuing, thus making it impossible to
    open a bridge port sysfs file with p->dev and p->br equal to NULL.

    So I think it's safe to remove those checks altogether. It'd be nice to
    get a second look over my reasoning as I might be missing something in
    sysfs/kernfs call path."

    Thanks to Nikolay Aleksandrov's suggestion to remove the check and
    David Miller for sanity checking this.

    Detected by CoverityScan, CID#751490 ("Dereference before null check")

    Fixes: a5f3ea54f3cc ("net: bridge: add support for raw sysfs port options")
    Signed-off-by: Colin Ian King
    Acked-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Colin Ian King
     

24 Jul, 2018

2 commits

  • This patch adds a new port attribute - IFLA_BRPORT_BACKUP_PORT, which
    allows setting a backup port to be used for known unicast traffic if the
    port has gone carrier down. The backup pointer is rcu protected and set
    only under RTNL, a counter is maintained so when deleting a port we know
    how many other ports reference it as a backup and we remove it from all.
    Also the pointer is in the first cache line which is hot at the time of
    the check and thus in the common case we only add one more test.
    The backup port will be used only for the non-flooding case since
    it's a part of the bridge and the flooded packets will be forwarded to it
    anyway. To remove the forwarding just send a 0/non-existing backup port.
    This is used to avoid numerous scalability problems when using MLAG most
    notably if we have thousands of fdbs one would need to change all of them
    on port carrier going down which takes too long and causes a storm of fdb
    notifications (and again when the port comes back up). In a Multi-chassis
    Link Aggregation setup usually hosts are connected to two different
    switches which act as a single logical switch. Those switches usually have
    a control and backup link between them called peerlink which might be used
    for communication in case a host loses connectivity to one of them.
    We need a fast way to failover in case a host port goes down and currently
    none of the solutions (like bond) can fulfill the requirements because
    the participating ports are actually the "master" devices and must have the
    same peerlink as their backup interface and at the same time all of them
    must participate in the bridge device. As Roopa noted it's normal practice
    in routing called fast re-route where a precalculated backup path is used
    when the main one is down.
    Another use case of this is with EVPN, having a single vxlan device which
    is backup of every port. Due to the nature of master devices it's not
    currently possible to use one device as a backup for many and still have
    all of them participate in the bridge (which is master itself).
    More detailed information about MLAG is available at the link below.
    https://docs.cumulusnetworks.com/display/DOCS/Multi-Chassis+Link+Aggregation+-+MLAG

    Further explanation and a diagram by Roopa:
    Two switches acting in a MLAG pair are connected by the peerlink
    interface which is a bridge port.

    the config on one of the switches looks like the below. The other
    switch also has a similar config.
    eth0 is connected to one port on the server. And the server is
    connected to both switches.

    br0 -- team0---eth0
    |
    -- switch-peerlink

    Signed-off-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Nikolay Aleksandrov
     
  • This patch adds a new alternative store callback for port sysfs options
    which takes a raw value (buf) and can use it directly. It is needed for the
    backup port sysfs support since we have to pass the device by its name.

    Signed-off-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Nikolay Aleksandrov
     

21 Jul, 2018

1 commit


26 May, 2018

1 commit

  • This patch adds support for a new port flag - BR_ISOLATED. If it is set
    then isolated ports cannot communicate with each other, but they can
    still communicate with non-isolated ports. The same can be achieved via
    ACLs, but they can't scale with a large number of ports and the
    complexity of the rules also grows. This feature can be used to achieve
    isolated vlan functionality (similar to pvlan) as well, though currently
    it will be port-wide (for all vlans on the port). The new test in
    should_deliver uses data that is already cache hot and the new boolean
    is used to avoid an additional source port test in should_deliver.

    Signed-off-by: Nikolay Aleksandrov
    Reviewed-by: Toshiaki Makita
    Signed-off-by: David S. Miller

    Nikolay Aleksandrov
     
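The two per-port forwarding checks described in the backup-port commit (24 Jul, 2018) and the BR_ISOLATED commit above, as an added user-space model in C. This is not kernel code: struct port, forward_known_unicast, set_backup and delete_port are hypothetical names, and should_deliver is simplified to take two ports (the kernel's takes the port and the skb). The topology in main() is constructed for the demonstration.

```c
/*
 * Added example, not code from the kernel tree: a user-space model of the
 * per-port checks described in the backup-port and BR_ISOLATED commits.
 * Names (struct port, forward_known_unicast, set_backup, delete_port) are
 * hypothetical; the kernel's own structures and helpers differ.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct port {
	const char *name;
	bool isolated;		/* BR_ISOLATED set on this port */
	bool carrier;		/* link carrier is up */
	struct port *backup;	/* backup port for known unicast, or NULL */
	int backup_refs;	/* how many other ports name this one as backup */
};

/* The BR_ISOLATED test: a frame never leaves through its ingress port,
 * and two isolated ports never forward to each other. */
static bool should_deliver(const struct port *in, const struct port *out)
{
	if (in == out)
		return false;
	if (in->isolated && out->isolated)
		return false;
	return true;
}

/* Known-unicast egress only: if the FDB destination port has lost carrier
 * and has a backup configured, redirect to the backup. Flooded frames are
 * not redirected because they reach the backup port anyway. Returns the
 * egress port, or NULL when should_deliver() drops the frame. */
static struct port *forward_known_unicast(struct port *in, struct port *fdb_port)
{
	struct port *out = fdb_port;

	if (!out->carrier && out->backup)
		out = out->backup;
	return should_deliver(in, out) ? out : NULL;
}

/* Set (or clear, with backup == NULL) p's backup and keep the reference
 * counter the commit message describes. */
static void set_backup(struct port *p, struct port *backup)
{
	if (p->backup)
		p->backup->backup_refs--;
	p->backup = backup;
	if (backup)
		backup->backup_refs++;
}

/* Removing a port: every port that used it as a backup must drop the
 * pointer; the counter tells the kernel whether there is anything to do.
 * Returns how many references were cleared. */
static int delete_port(struct port *gone, struct port *ports, size_t n)
{
	int cleared = 0;

	for (size_t i = 0; i < n; i++) {
		if (ports[i].backup == gone) {
			set_backup(&ports[i], NULL);
			cleared++;
		}
	}
	return cleared;
}

int main(void)
{
	/* Constructed MLAG-style topology: eth0 faces the host, peerlink
	 * is its backup, eth1 and eth2 are isolated host ports. */
	struct port ports[4] = {
		{ "eth0",     false, true, NULL, 0 },
		{ "eth1",     true,  true, NULL, 0 },
		{ "eth2",     true,  true, NULL, 0 },
		{ "peerlink", false, true, NULL, 0 },
	};
	struct port *out;

	set_backup(&ports[0], &ports[3]);
	ports[0].carrier = false;
	out = forward_known_unicast(&ports[1], &ports[0]);
	printf("eth1 -> eth0 while eth0 is down: egress %s\n", out ? out->name : "none");
	out = forward_known_unicast(&ports[1], &ports[2]);
	printf("eth1 -> eth2 (both isolated): %s\n", out ? out->name : "dropped");
	printf("deleting peerlink cleared %d backup reference(s)\n",
	       delete_port(&ports[3], ports, 4));
	return 0;
}
```

The order of the two checks matters: the backup substitution happens first, so a frame redirected to the backup port is still subject to the isolation test against that backup port.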

27 Mar, 2018

1 commit

  • Prefer the direct use of octal for permissions.

    Done with checkpatch -f --types=SYMBOLIC_PERMS --fix-inplace
    and some typing.

    Miscellanea:

    o Whitespace neatening around these conversions.

    Signed-off-by: Joe Perches
    Signed-off-by: David S. Miller

    Joe Perches
     

13 Feb, 2018

1 commit

  • Now the br_sysfs_if file flush doesn't have an attr show. Reading it will
    cause a kernel panic after users chmod u+r this file.

    Xiong found this issue when running the commands:

    ip link add br0 type bridge
    ip link add type veth
    ip link set veth0 master br0
    chmod u+r /sys/devices/virtual/net/veth0/brport/flush
    timeout 3 cat /sys/devices/virtual/net/veth0/brport/flush

    kernel crashed with a NULL pointer dereference call trace.

    This patch fixes it by returning -EINVAL when brport_attr->show
    is null, the same as the check for brport_attr->store in
    brport_store().

    Fixes: 9cf637473c85 ("bridge: add sysfs hook to flush forwarding table")
    Reported-by: Xiong Zhou
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller

    Xin Long
     
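The attribute dispatch the fix above describes, together with the raw-buffer store callback from the 24 Jul, 2018 commit ("alternative store callback for port sysfs options"), as an added user-space model in C. It is not the kernel's br_sysfs_if.c: struct brport, struct brport_attribute, brport_show and brport_store are hypothetical names modelled on the commit messages, and the two attributes wired up ("flush" and "backup_port") carry constructed callbacks.

```c
/*
 * Added example, not the kernel's br_sysfs_if.c: a user-space model of how
 * a per-port sysfs attribute is dispatched, with the NULL-callback check
 * from the Feb 2018 fix and the raw-string store path from the Jul 2018
 * commit. Type and function names are hypothetical.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct brport {
	int flushes;		/* how often an FDB flush was requested */
	char backup_name[16];	/* configured backup port name */
};

struct brport_attribute {
	const char *name;
	long (*show)(struct brport *p, char *buf);
	int (*store)(struct brport *p, unsigned long v);
	/* alternative store that receives the raw buffer (needed for names) */
	int (*store_raw)(struct brport *p, const char *buf);
};

/* Read path: an attribute without a show callback is write-only, so
 * reading it must fail with -EINVAL instead of calling a NULL pointer. */
static long brport_show(struct brport *p, const struct brport_attribute *attr,
			char *buf)
{
	if (!attr->show)
		return -EINVAL;
	return attr->show(p, buf);
}

/* Write path: prefer store_raw when present; otherwise parse an unsigned
 * number and hand it to store; with neither callback the attribute is
 * read-only. */
static int brport_store(struct brport *p, const struct brport_attribute *attr,
			const char *buf)
{
	char *end;
	unsigned long val;

	if (attr->store_raw)
		return attr->store_raw(p, buf);
	if (!attr->store)
		return -EINVAL;
	val = strtoul(buf, &end, 0);
	if (end == buf)
		return -EINVAL;	/* no digits at all */
	return attr->store(p, val);
}

/* Constructed callbacks standing in for the real ones. */
static int store_flush(struct brport *p, unsigned long v)
{
	(void)v;		/* the value written is irrelevant for a flush */
	p->flushes++;
	return 0;
}

static int store_backup_port(struct brport *p, const char *buf)
{
	size_t n = strcspn(buf, "\n");	/* drop the trailing newline */

	if (n >= sizeof(p->backup_name))
		return -EINVAL;
	memcpy(p->backup_name, buf, n);
	p->backup_name[n] = '\0';
	return 0;
}

static long show_backup_port(struct brport *p, char *buf)
{
	return sprintf(buf, "%s\n", p->backup_name);
}

/* "flush" is write-only: show == NULL is exactly the case that crashed. */
static const struct brport_attribute flush_attr = { "flush", NULL, store_flush, NULL };
static const struct brport_attribute backup_attr = {
	"backup_port", show_backup_port, NULL, store_backup_port };

int main(void)
{
	struct brport p = { 0, "" };
	char buf[64];

	printf("read flush -> %ld (expect -EINVAL)\n", brport_show(&p, &flush_attr, buf));
	printf("write flush -> %d, flushes=%d\n",
	       brport_store(&p, &flush_attr, "1\n"), p.flushes);
	brport_store(&p, &backup_attr, "peerlink\n");
	brport_show(&p, &backup_attr, buf);
	printf("backup_port reads back as %s", buf);
	return 0;
}
```

The dispatcher, not each callback, is the right place for the NULL check: every attribute table entry then gets the same protection, and a file whose mode is later changed with chmod cannot reach a callback that was never defined.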

02 Nov, 2017

1 commit

  • Currently the bridge device doesn't generate any notifications upon vlan
    modifications on itself because it doesn't use the generic bridge
    notifications.
    With the recent changes we know if anything was modified in the vlan config
    thus we can generate a notification when necessary for the bridge device
    so add support to br_ifinfo_notify() similar to how other combined
    functions are done - if port is present it takes precedence, otherwise
    notify about the bridge. I've explicitly marked the locations where the
    notification should be always for the port by setting bridge to NULL.
    I've also taken the liberty to rearrange each modified function's local
    variables in reverse xmas tree as well.

    Signed-off-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Nikolay Aleksandrov
     

09 Oct, 2017

1 commit

  • This patch adds a new bridge port flag BR_NEIGH_SUPPRESS to
    suppress arp and nd flood on bridge ports. It implements
    rfc7432, section 10.
    https://tools.ietf.org/html/rfc7432#section-10
    for ethernet VPN deployments. It is similar to the existing
    BR_PROXYARP* flags but has a few semantic differences to conform
    to EVPN standard. Unlike the existing flags, this new flag suppresses
    flood of all neigh discovery packets (arp and nd) to tunnel ports.
    Supports both vlan filtering and non-vlan filtering bridges.

    In case of EVPN, it is mainly used to avoid flooding
    of arp and nd packets to tunnel ports like vxlan.

    This patch adds netlink and sysfs support to set this bridge port
    flag.

    Signed-off-by: Roopa Prabhu
    Signed-off-by: David S. Miller

    Roopa Prabhu
     

29 Sep, 2017

1 commit

  • We need to be able to transparently forward most link-local frames via
    tunnels (e.g. vxlan, qinq). Currently the bridge's group_fwd_mask has a
    mask which restricts the forwarding of STP and LACP, but we need to be able
    to forward these over tunnels and control that forwarding on a per-port
    basis thus add a new per-port group_fwd_mask option which only disallows
    mac pause frames to be forwarded (they're always dropped anyway).
    The patch does not change the current default situation - all of the others
    are still restricted unless configured for forwarding.
    We have successfully tested this patch with LACP and STP forwarding over
    VxLAN and qinq tunnels.

    Signed-off-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Nikolay Aleksandrov
     

28 Apr, 2017

1 commit

  • Support for l2 multicast flood control was added in commit b6cb5ac8331b
    ("net: bridge: add per-port multicast flood flag"). It allows broadcast
    as it was introduced specifically for unknown multicast flood control.
    But as broadcast is a special case of multicast, this may also need to
    be disabled. For this purpose, introduce a flag to disable the flooding
    of received l2 broadcasts. This approach is backwards compatible and
    provides flexibility in filtering for the desired packet types.

    Cc: Nikolay Aleksandrov
    Signed-off-by: Mike Manning
    Reviewed-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Mike Manning
     

02 Mar, 2017

1 commit


25 Jan, 2017

1 commit

  • Implements an optional, per bridge port flag and feature to deliver
    multicast packets to any host on the according port via unicast
    individually. This is done by copying the packet per host and
    changing the multicast destination MAC to a unicast one accordingly.

    multicast-to-unicast works on top of the multicast snooping feature of
    the bridge, which means unicast copies are only delivered to hosts which
    are interested in it and have previously signalled this via IGMP/MLD
    reports.

    This feature is intended for interface types which have a more reliable
    and/or efficient way to deliver unicast packets than broadcast ones
    (e.g. wifi).

    However, it should only be enabled on interfaces where no IGMPv2/MLDv1
    report suppression takes place. This feature is disabled by default.

    The initial patch and idea is from Felix Fietkau.

    Signed-off-by: Felix Fietkau
    [linus.luessing@c0d3.blue: various bug + style fixes, commit message]
    Signed-off-by: Linus Lüssing
    Reviewed-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Felix Fietkau
     

14 Oct, 2016

1 commit


02 Sep, 2016

1 commit


14 Apr, 2016

1 commit

  • Now when we change the attributes of bridge or br_port by netlink,
    a relevant netlink notification will be sent, but if we change them
    by ioctl or sysfs, no notification will be sent.

    We should ensure that whenever those attributes change internally or from
    sysfs/ioctl, that a netlink notification is sent out to listeners.

    Also, NetworkManager will use this in the future to listen for out-of-band
    bridge master attribute updates and incorporate them into the runtime
    configuration.

    This patch is used for br_sysfs_if, and we also move br_ifinfo_notify out
    of store_flag.

    Signed-off-by: Xin Long
    Reviewed-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Xin Long
     

24 Jun, 2015

1 commit

  • Add a new argument to br_fdb_delete_by_port which allows specifying a
    vid to match when flushing entries and use it in nbp_vlan_delete() to
    flush the dynamically learned entries of the vlan/port pair when removing
    a vlan from a port. Before this patch only the local mac was being
    removed and the dynamically learned ones were left to expire.
    Note that the do_all argument is still respected and if specified, the
    vid will be ignored.

    Signed-off-by: Nikolay Aleksandrov
    Signed-off-by: David S. Miller

    Nikolay Aleksandrov
     

06 Mar, 2015

1 commit

  • This extends the design in commit 958501163ddd ("bridge: Add support for
    IEEE 802.11 Proxy ARP") with optional set of rules that are needed to
    meet the IEEE 802.11 and Hotspot 2.0 requirements for ProxyARP. The
    previously added BR_PROXYARP behavior is left as-is and a new
    BR_PROXYARP_WIFI alternative is added so that this behavior can be
    configured from user space when required.

    In addition, this enables proxyarp functionality for unicast ARP
    requests for both BR_PROXYARP and BR_PROXYARP_WIFI since it is possible
    to use unicast as well as broadcast for these frames.

    The key differences in functionality:

    BR_PROXYARP:
    - uses the flag on the bridge port on which the request frame was
    received to determine whether to reply
    - block bridge port flooding completely on ports that enable proxy ARP

    BR_PROXYARP_WIFI:
    - uses the flag on the bridge port to which the target device of the
    request belongs
    - block bridge port flooding selectively based on whether the proxyarp
    functionality replied

    Signed-off-by: Jouni Malinen
    Signed-off-by: David S. Miller

    Jouni Malinen
     

28 Oct, 2014

1 commit

  • This feature is defined in IEEE Std 802.11-2012, 10.23.13. It allows
    the AP devices to keep track of the hardware-address-to-IP-address
    mapping of the mobile devices within the WLAN network.

    The AP will learn this mapping via observing DHCP, ARP, and NS/NA
    frames. When a request for such information is made (i.e. ARP request,
    Neighbor Solicitation), the AP will respond on behalf of the
    associated mobile device. In the process of doing so, the AP will drop
    the multicast request frame that was intended to go out to the wireless
    medium.

    It was recommended at the LKS workshop to do this implementation in
    the bridge layer. vxlan.c is already doing something very similar.
    The DHCP snooping code will be added to the userspace application
    (hostapd) per the recommendation.

    This RFC commit is only for IPv4. A similar approach in the bridge
    layer will be taken for IPv6 as well.

    Signed-off-by: Kyeyoon Park
    Signed-off-by: David S. Miller

    Kyeyoon Park
     

17 May, 2014

2 commits

  • By default, ports on the bridge are capable of automatic
    discovery of nodes located behind the port. This is accomplished
    via flooding of unknown traffic (BR_FLOOD) and learning the
    mac addresses from these packets (BR_LEARNING).
    If the above functionality is disabled by turning off these
    flags, the port requires static configuration in the form
    of static FDB entries to function properly.

    This patch adds functionality to keep track of all ports
    capable of automatic discovery. This will later be used
    to control promiscuity settings.

    Acked-by: Michael S. Tsirkin
    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller

    Vlad Yasevich
     
  • Turn the flag change macro into a function to allow
    easier updates and to reduce space.

    Acked-by: Michael S. Tsirkin
    Signed-off-by: Vlad Yasevich
    Signed-off-by: David S. Miller

    Vlad Yasevich
     

20 Dec, 2013

2 commits


11 Jun, 2013

2 commits

  • Add a flag to control flood of unicast traffic. By default, flood is
    on and the bridge will flood unicast traffic if it doesn't know
    the destination. When the flag is turned off, unicast traffic
    without an FDB will not be forwarded to the specified port.

    Signed-off-by: Vlad Yasevich
    Reviewed-by: Michael S. Tsirkin
    Signed-off-by: David S. Miller

    Vlad Yasevich
     
  • Allow user to control whether mac learning is enabled on the port.
    By default, mac learning is enabled. Disabling mac learning will
    cause new dynamic FDB entries to not be created for a particular port.

    Signed-off-by: Vlad Yasevich
    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    Vlad Yasevich
     

06 Dec, 2012

2 commits

  • V3: make it a flag
    V2: make the toggle per-port

    Fast leave allows the bridge to immediately stop the multicast
    traffic on the port that receives an IGMP Leave when IGMP snooping is
    enabled; no timeouts are observed.

    Cc: Herbert Xu
    Cc: Stephen Hemminger
    Cc: "David S. Miller"
    Signed-off-by: Cong Wang

    David S. Miller
     
  • V2: make the toggle per-port

    Fast leave allows the bridge to immediately stop the multicast
    traffic on the port that receives an IGMP Leave when IGMP snooping is
    enabled; no timeouts are observed.

    Cc: Herbert Xu
    Cc: Stephen Hemminger
    Cc: "David S. Miller"
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller

    Amerigo Wang
     

19 Nov, 2012

1 commit

  • Allow an unprivileged user who has created a user namespace, and then
    created a network namespace to effectively use the new network
    namespace, by reducing capable(CAP_NET_ADMIN) and
    capable(CAP_NET_RAW) calls to be ns_capable(net->user_ns,
    CAP_NET_ADMIN), or capable(net->user_ns, CAP_NET_RAW) calls.

    Allow setting bridge parameters via sysfs.

    Allow all of the bridge ioctls:
    BRCTL_ADD_IF
    BRCTL_DEL_IF
    BRCTL_SET_BRIDGE_FORWARD_DELAY
    BRCTL_SET_BRIDGE_HELLO_TIME
    BRCTL_SET_BRIDGE_MAX_AGE
    BRCTL_SET_BRIDGE_AGING_TIME
    BRCTL_SET_BRIDGE_STP_STATE
    BRCTL_SET_BRIDGE_PRIORITY
    BRCTL_SET_PORT_PRIORITY
    BRCTL_SET_PATH_COST
    BRCTL_ADD_BRIDGE
    BRCTL_DEL_BRIDGE

    Signed-off-by: "Eric W. Biederman"
    Signed-off-by: David S. Miller

    Eric W. Biederman
     

15 Nov, 2012

3 commits

  • This is Linux bridge implementation of root port guard.
    If BPDU is received from a leaf (edge) port, it should not
    be elected as root port.

    Why would you want to do this?
    If using STP on a bridge and the downstream bridges are not fully
    trusted, this prevents a hostile guest from rerouting traffic.

    Why not just use netfilter?
    Netfilter does not track or follow spanning tree decisions.
    It would be difficult and error prone to try and mirror STP
    resolution in netfilter module.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    stephen hemminger
     
  • This is Linux bridge implementation of STP protection
    (Cisco BPDU guard/Juniper BPDU block). BPDU block disables
    the bridge port if a STP BPDU packet is received.

    Why would you want to do this?
    If running Spanning Tree on bridge, hostile devices on the network
    may send BPDU and cause network failure. Enabling bpdu block
    will detect and stop this.

    How to recover the port?
    The port will be restarted if link is brought down, or
    removed and reattached. For example:
    # ip li set dev eth0 down; ip li set dev eth0 up

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    stephen hemminger
     
  • Provide macro to build sysfs data structures and functions
    for accessing flag bits. If flag bits change do netlink
    notification.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    stephen hemminger
     
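The root port guard and BPDU guard described in the first two commits above (15 Nov, 2012), as an added user-space model in C. This is not the kernel's br_stp.c or br_stp_bpdu.c: struct stp_port, receive_bpdu, select_root_port and link_down_up are hypothetical names, root selection is reduced to comparing the advertised root id (the real algorithm also weighs path cost and port id), and the bridge in main() is constructed for the demonstration.

```c
/*
 * Added example, not the kernel's STP code: a user-space model of the two
 * protections from the root port guard and BPDU guard commits. Names are
 * hypothetical and root selection is simplified to "lowest root id wins".
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BR_ROOT_BLOCK	(1u << 0)	/* port may never become the root port */
#define BR_BPDU_GUARD	(1u << 1)	/* any received BPDU disables the port */
#define NO_BPDU		UINT64_MAX	/* no BPDU seen on this port yet */

enum port_state { ST_DISABLED, ST_BLOCKING, ST_FORWARDING };

struct stp_port {
	const char *name;
	unsigned int flags;
	enum port_state state;
	uint64_t designated_root;	/* root id advertised by the last BPDU */
};

struct bridge {
	uint64_t bridge_id;
	struct stp_port *ports;
	int nports;
	int root_port;			/* index into ports, or -1 if we are root */
};

/* BPDU receive: a guarded port is disabled on the spot and the BPDU is
 * discarded (returns false); otherwise the advertised root is recorded. */
static bool receive_bpdu(struct stp_port *p, uint64_t root_id)
{
	if (p->state == ST_DISABLED)
		return false;
	if (p->flags & BR_BPDU_GUARD) {
		p->state = ST_DISABLED;
		return false;
	}
	p->designated_root = root_id;
	return true;
}

/* Operator recovery described in the commit: bringing the link down and
 * up again re-enables a port that BPDU guard disabled. */
static void link_down_up(struct stp_port *p)
{
	p->state = ST_BLOCKING;
}

/* Root port selection: walk the ports in order and keep the one whose
 * advertised root beats both our own bridge id and the current candidate.
 * A port carrying BR_ROOT_BLOCK that would have won is put into blocking
 * instead of being elected. States of the other ports are left alone
 * (the real code recomputes designated/blocking roles as well). */
static int select_root_port(struct bridge *br)
{
	int best = -1;

	for (int i = 0; i < br->nports; i++) {
		struct stp_port *p = &br->ports[i];

		if (p->state == ST_DISABLED || p->designated_root >= br->bridge_id)
			continue;
		if (best >= 0 && p->designated_root >= br->ports[best].designated_root)
			continue;	/* not better than the current candidate */
		if (p->flags & BR_ROOT_BLOCK) {
			p->state = ST_BLOCKING;	/* would have won: block it instead */
			continue;
		}
		best = i;
	}
	br->root_port = best;
	if (best >= 0)
		br->ports[best].state = ST_FORWARDING;
	return best;
}

int main(void)
{
	/* Constructed setup: our id is 0x8000; the uplink sees the real root
	 * 0x4000; a guest port with BR_ROOT_BLOCK sees a "better" root 0x0001
	 * (a hostile bridge trying to become root); another guest port has
	 * BR_BPDU_GUARD and should never see a BPDU at all. */
	struct stp_port ports[3] = {
		{ "uplink", 0, ST_BLOCKING, NO_BPDU },
		{ "guest0", BR_ROOT_BLOCK, ST_BLOCKING, NO_BPDU },
		{ "guest1", BR_BPDU_GUARD, ST_BLOCKING, NO_BPDU },
	};
	struct bridge br = { 0x8000, ports, 3, -1 };
	int rp;

	receive_bpdu(&ports[0], 0x4000);
	receive_bpdu(&ports[1], 0x0001);
	rp = select_root_port(&br);
	printf("root port: %s\n", rp >= 0 ? ports[rp].name : "(none, we are root)");
	printf("guest0 state: %s\n", ports[1].state == ST_BLOCKING ? "blocking" : "other");
	receive_bpdu(&ports[2], 0x0001);
	printf("guest1 after BPDU: %s\n", ports[2].state == ST_DISABLED ? "disabled" : "other");
	link_down_up(&ports[2]);
	return 0;
}
```

The two guards fail differently, which is worth knowing when monitoring a bridge: root block keeps the port in the topology but refuses to elect it, so the hostile BPDU is visible in logs while traffic keeps flowing through the real root port; BPDU guard takes the port out of service entirely until an operator cycles the link.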

31 Jul, 2012

1 commit


05 Apr, 2011

1 commit

  • Apply restrictions on STP parameters based on the 802.1D 1998 standard.
    * Fixes missing locking in set path cost ioctl
    * Uses common code for both ioctl and sysfs

    This is based on an earlier patch by Sasikanth V but with overhaul.

    Note:
    1. It does NOT enforce the restriction on the relationship between max_age
    and forward delay or hello time because in the existing implementation
    these are set as independent operations.

    2. If STP is disabled, there is no restriction on forward delay

    3. No restriction on holding time because users use Linux code to act
    as hub or be sticky.

    4. Although the standard allows 0-255, Linux only allows 0-63 for port
    priority because more bits are reserved for the port number.

    Signed-off-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    stephen hemminger
     
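The range checks and the port priority limit described in the commit above, as an added user-space model in C. It is not the kernel's br_stp_if.c or br_ioctl.c: make_port_id, set_port_priority and the set_* helpers are hypothetical names. The 0-63 priority limit follows from the 16-bit port id layout the commit describes (the low bits hold the port number); the timer ranges are this example's assumption taken from 802.1D-1998 Table 8-3 and may differ from the constants the kernel uses.

```c
/*
 * Added example, not the kernel's code: a user-space model of the STP
 * parameter restrictions from the commit. The port priority limit comes
 * from the port id layout (16 bits, 10 of them for the port number); the
 * timer ranges are assumed from 802.1D-1998 Table 8-3. Names are
 * hypothetical.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BR_PORT_BITS		10		/* low bits of the port id hold the port number */
#define BR_MAX_PORT_PRIORITY	((1u << (16 - BR_PORT_BITS)) - 1)	/* 63 */
#define BR_MAX_PORT_NO		((1u << BR_PORT_BITS) - 1)		/* 1023 */

/* 802.1D-1998 Table 8-3 ranges in seconds (assumption, see above) */
#define BR_MIN_HELLO_TIME	1
#define BR_MAX_HELLO_TIME	10
#define BR_MIN_MAX_AGE		6
#define BR_MAX_MAX_AGE		40
#define BR_MIN_FORWARD_DELAY	4
#define BR_MAX_FORWARD_DELAY	30

struct bridge_params {
	bool stp_enabled;
	unsigned hello_time, max_age, forward_delay;
};

struct port_params {
	unsigned port_no;
	uint16_t port_id;	/* priority in the high 6 bits, port number below */
};

/* Port id as carried in BPDUs: priority shifted above the port-number bits,
 * which is why only 6 bits (0-63) of priority fit. */
static uint16_t make_port_id(unsigned priority, unsigned port_no)
{
	return (uint16_t)((priority << BR_PORT_BITS) | (port_no & BR_MAX_PORT_NO));
}

static int set_port_priority(struct port_params *p, unsigned priority)
{
	if (priority > BR_MAX_PORT_PRIORITY)
		return -ERANGE;
	p->port_id = make_port_id(priority, p->port_no);
	return 0;
}

static int set_hello_time(struct bridge_params *br, unsigned secs)
{
	if (secs < BR_MIN_HELLO_TIME || secs > BR_MAX_HELLO_TIME)
		return -ERANGE;
	br->hello_time = secs;
	return 0;
}

static int set_max_age(struct bridge_params *br, unsigned secs)
{
	if (secs < BR_MIN_MAX_AGE || secs > BR_MAX_MAX_AGE)
		return -ERANGE;
	br->max_age = secs;
	return 0;
}

/* Note 2 of the commit: with STP disabled the forward delay is not range
 * checked. Note 1: the relationship between max_age, hello time and
 * forward delay is deliberately not enforced here either. */
static int set_forward_delay(struct bridge_params *br, unsigned secs)
{
	if (br->stp_enabled &&
	    (secs < BR_MIN_FORWARD_DELAY || secs > BR_MAX_FORWARD_DELAY))
		return -ERANGE;
	br->forward_delay = secs;
	return 0;
}

int main(void)
{
	struct port_params p = { 5, 0 };
	struct bridge_params br = { true, 2, 20, 15 };	/* the standard's defaults */

	printf("priority 63 -> %d, port id 0x%04x\n", set_port_priority(&p, 63), p.port_id);
	printf("priority 64 -> %d (ERANGE), port id still 0x%04x\n",
	       set_port_priority(&p, 64), p.port_id);
	printf("forward delay 1 with STP on  -> %d\n", set_forward_delay(&br, 1));
	br.stp_enabled = false;
	printf("forward delay 1 with STP off -> %d\n", set_forward_delay(&br, 1));
	return 0;
}
```

Because the same helpers serve both the ioctl and the sysfs path, as the commit intends, a value rejected on one interface is rejected on the other as well; a setter that fails leaves the previous value in place.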

16 May, 2010

1 commit

  • Links for each port are created in sysfs using the device
    name, but this could be changed after being added to the
    bridge.

    As well as being unable to remove interfaces after this
    occurs (because userspace tools don't recognise the new
    name, and the kernel won't recognise the old name), adding
    another interface with the old name to the bridge will
    cause an error trying to create the sysfs link.

    This fixes the problem by listening for NETDEV_CHANGENAME
    notifications and renaming the link.

    https://bugzilla.kernel.org/show_bug.cgi?id=12743

    Signed-off-by: Simon Arlott
    Acked-by: Stephen Hemminger
    Signed-off-by: David S. Miller

    Simon Arlott
     

08 Mar, 2010

1 commit

  • Constify struct sysfs_ops.

    This is part of the ops structure constification
    effort started by Arjan van de Ven et al.

    Benefits of this constification:

    * prevents modification of data that is shared
    (referenced) by many other structure instances
    at runtime

    * detects/prevents accidental (but not intentional)
    modification attempts on archs that enforce
    read-only kernel data at runtime

    * potentially better optimized code as the compiler
    can assume that the const data cannot be changed

    * the compiler/linker move const data into .rodata
    and therefore exclude them from false sharing

    Signed-off-by: Emese Revfy
    Acked-by: David Teigland
    Acked-by: Matt Domsch
    Acked-by: Maciej Sosnowski
    Acked-by: Hans J. Koch
    Acked-by: Pekka Enberg
    Acked-by: Jens Axboe
    Acked-by: Stephen Hemminger
    Signed-off-by: Greg Kroah-Hartman

    Emese Revfy
     

28 Feb, 2010

1 commit

  • This patch allows the user to forcibly enable/disable ports as
    having multicast routers attached. A port with a multicast router
    will receive all multicast traffic.

    The value 0 disables it completely. The default is 1 which lets
    the system automatically detect the presence of routers (currently
    this is limited to picking up queries), and 2 means that the port
    will always receive all multicast traffic.

    Signed-off-by: Herbert Xu
    Signed-off-by: David S. Miller

    Herbert Xu
     

14 Aug, 2009

1 commit

  • This patch adds a 'hairpin' (also called 'reflective relay') mode
    port configuration to the Linux Ethernet bridge kernel module.
    A bridge supporting hairpin forwarding mode can send frames back
    out through the port the frame was received on.

    Hairpin mode is required to support basic VEPA (Virtual
    Ethernet Port Aggregator) capabilities.

    You can find additional information on VEPA here:
    http://tech.groups.yahoo.com/group/evb/
    http://www.ieee802.org/1/files/public/docs2009/new-hudson-vepa_seminar-20090514d.pdf
    http://www.internet2.edu/presentations/jt2009jul/20090719-congdon.pdf

    An additional patch 'bridge-utils: Add 'hairpin' port forwarding mode'
    is provided to allow configuring hairpin mode from userspace tools.

    Signed-off-by: Paul Congdon
    Signed-off-by: Anna Fischer
    Acked-by: Arnd Bergmann
    Signed-off-by: David S. Miller

    Fischer, Anna
     

19 May, 2009

1 commit


25 Jan, 2008

1 commit