14 Oct, 2013
3 commits
-
[ Upstream commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2 ]
The NULL deref happens when br_handle_frame is called between these
2 lines of del_nbp:
dev->priv_flags &= ~IFF_BRIDGE_PORT;
/* --> br_handle_frame is called at this time */
netdev_rx_handler_unregister(dev);

In br_handle_frame the return of br_port_get_rcu(dev) is dereferenced
without check but br_port_get_rcu(dev) returns NULL if:
!(dev->priv_flags & IFF_BRIDGE_PORT)

Eric Dumazet pointed out the testing of IFF_BRIDGE_PORT is not necessary
here since we're in rcu_read_lock and we have synchronize_net() in
netdev_rx_handler_unregister. So remove the testing of IFF_BRIDGE_PORT
and by the previous patch, make sure br_port_get_rcu is called in
bridging code.

Signed-off-by: Hong Zhiguo
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit 1fb1754a8c70d69ab480763c423e0a74369c4a67 ]
current br_port_get_rcu is problematic in bridging path
(NULL deref). Change these calls in netlink path first.

Signed-off-by: Hong Zhiguo
Acked-by: Eric Dumazet
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
-
[ Upstream commit be4f154d5ef0ca147ab6bcd38857a774133f5450 ]
At some point limits were added to forward_delay. However, the
limits are only enforced when STP is enabled. This created a
scenario where you could have a value outside the allowed range
while STP is disabled, which then stuck around even after STP
is enabled.

This patch fixes this by clamping the value when we enable STP.
I had to move the locking around a bit to ensure that there is
no window where someone could insert a value outside the range
while we're in the middle of enabling STP.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
16 Apr, 2013
1 commit
-
Keep a STP port path cost value if it was set by a user.
Don't replace it with the link-speed based path cost
whenever the link goes down and comes back up.

Reported-by: Roopa Prabhu
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
08 Mar, 2013
1 commit
-
Obviously, vid should be considered when searching for multicast
group.

Cc: Vlad Yasevich
Cc: Stephen Hemminger
Cc: "David S. Miller"
Signed-off-by: Cong Wang
Acked-by: Vlad Yasevich
Signed-off-by: David S. Miller
14 Feb, 2013
12 commits
-
Add an ability to configure a separate "untagged" egress
policy to the VLAN information of the bridge. This supersedes PVID
policy and makes PVID ingress-only. The policy is configured with a
new flag and is represented as a port bitmap per vlan. Egress frames
with a VLAN id in "untagged" policy bitmap would egress
the port without VLAN header.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
When VLAN is added to the port, a local fdb entry for that port
(the entry with the mac address of the port) is added for that
VLAN. This way we can correctly determine if the traffic
is for the bridge itself. If the address of the port changes,
we try to change all the local fdb entries we have for that port.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
When a user adds bridge neighbors, allow him to specify VLAN id.
If the VLAN id is not specified, the neighbor will be added
for VLANs currently in the ports filter list. If no VLANs are
configured on the port, we use vlan 0 and only add 1 entry.

Signed-off-by: Vlad Yasevich
Acked-by: Jitendra Kalsaria
Signed-off-by: David S. Miller
-
Add vlan_id to multicast groups so that we know which vlan
each group belongs to and can correctly forward to appropriate vlan.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
This patch adds vlan to unicast fdb entries that are created for
learned addresses (not the manually configured ones). It adds
vlan id into the hash mix and uses vlan as an additional parameter
for an entry match.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
A user may designate a certain vlan as PVID. This means that
any ingress frame that does not contain a vlan tag is assigned to
this vlan and any forwarding decisions are made with this vlan in mind.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
At ingress, any untagged traffic is assigned to the PVID.
Any tagged traffic is filtered according to membership bitmap.

At egress, if the vlan matches the PVID, the frame is sent
untagged. Otherwise the frame is sent tagged.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
Using the RTM_GETLINK dump the vlan filter list of a given
bridge port. The information depends on setting the filter
flag similar to how nic VF info is dumped.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
Add a netlink interface to add and remove vlan configuration on bridge port.
The interface uses the RTM_SETLINK message and encodes the vlan
configuration inside the IFLA_AF_SPEC. It is possible to include multiple
vlans to either add or remove in a single message.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
When bridge forwards a frame, make sure that a frame is allowed
to egress on that port.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
When a frame arrives on a port or is transmitted by the bridge,
if we have VLANs configured, validate that a given VLAN is allowed
to enter the bridge.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
-
Adds an optional infrastructure component to bridge that would allow
native vlan filtering in the bridge. Each bridge port (as well
as the bridge device) now gets a VLAN bitmap. Each bit in the bitmap
is associated with a vlan id. This way if the bit corresponding to
the vid is set in the bitmap that the packet with vid is allowed to
enter and exit the port.

Write access to the bitmap is protected by RTNL and read access
protected by RCU.

Vlan functionality is disabled by default.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
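The per-port VLAN filtering described by the series above (membership bitmap, ingress-only PVID, and the "untagged" egress bitmap that supersedes PVID on egress), modelled in userspace as an added example; this is not the kernel's code, and the struct, function names and the sample port carrying VLANs 10 and 20 are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

#define VLAN_N_VID 4096
#define VID_WORDS  (VLAN_N_VID / 64)

/* Userspace model (constructed here, not the kernel's own structures) of the
 * per-port VLAN state the series above describes: a membership bitmap, an
 * "untagged" egress bitmap and an ingress-only PVID. */
struct port_vlan {
    uint64_t member[VID_WORDS];   /* bit set => this VID may enter/exit the port */
    uint64_t untagged[VID_WORDS]; /* bit set => this VID leaves without a tag   */
    uint16_t pvid;                /* 0 => no PVID, untagged ingress is filtered */
};

static void vid_set(uint64_t *map, uint16_t vid)       { map[vid / 64] |= 1ULL << (vid % 64); }
static int vid_test(const uint64_t *map, uint16_t vid) { return (map[vid / 64] >> (vid % 64)) & 1; }

/* Ingress: an untagged frame (frame_vid == 0) is assigned the PVID, a tagged
 * frame keeps its VID; either way the VID must be in the membership bitmap.
 * Returns the VID to forward under, or -1 if the frame is filtered. */
int ingress_vid(const struct port_vlan *p, int frame_vid)
{
    int vid = frame_vid == 0 ? p->pvid : frame_vid;
    if (vid <= 0 || vid >= VLAN_N_VID || !vid_test(p->member, (uint16_t)vid))
        return -1;
    return vid;
}

/* Egress: 0 = filtered (not a member), 1 = send tagged, 2 = send untagged.
 * The "untagged" bitmap, not the PVID, decides whether the tag is stripped. */
int egress_decision(const struct port_vlan *p, int vid)
{
    if (vid <= 0 || vid >= VLAN_N_VID || !vid_test(p->member, (uint16_t)vid))
        return 0;
    return vid_test(p->untagged, (uint16_t)vid) ? 2 : 1;
}

/* Constructed sample: VLANs 10 and 20 allowed, 10 is the PVID and egresses untagged. */
static struct port_vlan sample_port(void)
{
    struct port_vlan p;
    memset(&p, 0, sizeof p);
    vid_set(p.member, 10); vid_set(p.member, 20);
    vid_set(p.untagged, 10);
    p.pvid = 10;
    return p;
}
int demo_ingress(int frame_vid) { struct port_vlan p = sample_port(); return ingress_vid(&p, frame_vid); }
int demo_egress(int vid)        { struct port_vlan p = sample_port(); return egress_decision(&p, vid); }
```

With the sample port, an untagged frame enters under VID 10 and a VID 30 frame is filtered; VID 10 leaves untagged while VID 20 leaves tagged.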
12 Feb, 2013
1 commit
-
And remove no longer used br->flags.
Signed-off-by: Jiri Pirko
Acked-by: Stephen Hemminger
Signed-off-by: David S. Miller
03 Jan, 2013
1 commit
-
This patch adds empty br_mdb_init() and br_mdb_uninit() definitions in
br_private.h to avoid build failure when CONFIG_BRIDGE_IGMP_SNOOPING is not set.
These methods were moved from br_multicast.c to br_netlink.c by
commit 3ec8e9f085bcaef0de1077f555c2c5102c223390

Signed-off-by: Rami Rosen
Signed-off-by: David S. Miller
20 Dec, 2012
1 commit
-
Bridge fdb and link rtnl operations are registered in
core/rtnetlink. Bridge mdb operations are registered
in bridge/mdb. When removing bridge module, do not
unregister ALL PF_BRIDGE ops since that would remove
the ops from rtnetlink as well. Do remove mdb ops when
bridge is destroyed.

Signed-off-by: Vlad Yasevich
Signed-off-by: David S. Miller
16 Dec, 2012
1 commit
-
This patch adds a flag to each mdb entry, so that we can distinguish
permanent entries from temporary entries.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
13 Dec, 2012
2 commits
-
This patch implements adding/deleting mdb entries via netlink.
Currently all entries are temp, we probably need a flag to distinguish
permanent entries too.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Cc: Thomas Graf
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
-
As Stephen mentioned, we need to monitor the mdb
changes in user-space, so add notifications via netlink too.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Cc: Thomas Graf
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
12 Dec, 2012
1 commit
-
In case of rehashing, introduce a global variable 'br_mdb_rehash_seq'
which gets increased every time when rehashing, and assign
net->dev_base_seq + br_mdb_rehash_seq to cb->seq.

In theory cb->seq could be wrapped to zero, but this is not
easy to fix, as net->dev_base_seq is not visible inside
br_mdb_rehash(). In practice, this is rare.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Cc: Thomas Graf
Cc: Jesper Dangaard Brouer
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
08 Dec, 2012
1 commit
-
V5: fix two bugs pointed out by Thomas
    remove seq check for now, mark it as TODO
V4: remove some useless #include
    some coding style fix
V3: drop debugging printk's
    update selinux perm table as well
V2: drop patch 1/2, export ifindex directly
    Redesign netlink attributes
    Improve netlink seq check
    Handle IPv6 addr as well

This patch exports bridge multicast database via netlink
message type RTM_GETMDB. Similar to fdb, but currently bridge-specific.
We may need to support modify multicast database too (RTM_{ADD,DEL}MDB).

(Thanks to Thomas for patient reviews)
Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Cc: Thomas Graf
Cc: Jesper Dangaard Brouer
Signed-off-by: Cong Wang
Acked-by: Thomas Graf
Signed-off-by: David S. Miller
06 Dec, 2012
2 commits
-
V3: make it a flag
V2: make the toggle per-port

Fast leave allows bridge to immediately stop the multicast
traffic on the port that receives IGMP Leave when IGMP snooping is enabled,
no timeouts are observed.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Signed-off-by: Cong Wang
-
V2: make the toggle per-port

Fast leave allows bridge to immediately stop the multicast
traffic on the port that receives IGMP Leave when IGMP snooping is enabled,
no timeouts are observed.

Cc: Herbert Xu
Cc: Stephen Hemminger
Cc: "David S. Miller"
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
15 Nov, 2012
2 commits
-
This is Linux bridge implementation of root port guard.
If BPDU is received from a leaf (edge) port, it should not
be elected as root port.

Why would you want to do this?
If using STP on a bridge and the downstream bridges are not fully
trusted; this prevents a hostile guest from rerouting traffic.

Why not just use netfilter?
Netfilter does not track or follow spanning tree decisions.
It would be difficult and error prone to try and mirror STP
resolution in netfilter module.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
-
This is Linux bridge implementation of STP protection
(Cisco BPDU guard/Juniper BPDU block). BPDU block disables
the bridge port if a STP BPDU packet is received.

Why would you want to do this?
If running Spanning Tree on bridge, hostile devices on the network
may send BPDU and cause network failure. Enabling bpdu block
will detect and stop this.

How to recover the port?
The port will be restarted if link is brought down, or
removed and reattached. For example:
# ip li set dev eth0 down; ip li set dev eth0 up

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
04 Nov, 2012
1 commit
-
Instead of issuing (0) statements when !CONFIG_SYSFS which will cause
'warning: ', we'll use inline statements instead. This will effectively
do the same thing, but suppress any unnecessary warnings.

Cc: Stephen Hemminger
Cc: bridge@lists.linux-foundation.org
Cc: netdev@vger.kernel.org
Signed-off-by: Lee Jones
Signed-off-by: David S. Miller
01 Nov, 2012
3 commits
-
Jeff Kirsher says:
====================
This series contains updates to ixgbe, ixgbevf, igbvf, igb and
networking core (bridge). Most notably is the addition of support
for local link multicast addresses in SR-IOV mode to the networking
core.

Also note, the ixgbe patches "ixgbe: Add support for pipeline reset" and
"ixgbe: Fix return value from macvlan filter function" are revised based
on community feedback.
====================

Signed-off-by: David S. Miller
-
Hardware switches may support enabling and disabling the
loopback switch which puts the device in a VEPA mode defined
in the IEEE 802.1Qbg specification. In this mode frames are
not switched in the hardware but sent directly to the switch.
SR-IOV capable NICs will likely support this mode; I am
aware of at least two such devices. Also I am told (but don't
have any of this hardware available) that there are devices
that only support VEPA modes. In these cases it is important
at a minimum to be able to query these attributes.

This patch adds an additional IFLA_BRIDGE_MODE attribute that can be
set and dumped via the PF_BRIDGE:{SET|GET}LINK operations. Also
anticipating bridge attributes that may be common for both embedded
bridges and software bridges this adds a flags attribute
IFLA_BRIDGE_FLAGS currently used to determine if the command or event
is being generated to/from an embedded bridge or software bridge.
Finally, the event generation is pulled out of the bridge module and
into rtnetlink proper.

For example using the macvlan driver in VEPA mode on top of
an embedded switch requires putting the embedded switch into
a VEPA mode to get the expected results.

-------- --------
| VEPA | | VEPA |

CC: Stephen Hemminger
Signed-off-by: John Fastabend
Signed-off-by: David S. Miller
-
The PF_BRIDGE:RTM_{GET|SET}LINK nlmsg family and type are
currently embedded in the ./net/bridge module. This prohibits
them from being used by other bridging devices. One example
of this being hardware that has embedded bridging components.

In order to use these nlmsg types more generically this patch
adds two net_device_ops hooks. One to set link bridge attributes
and another to dump the current bridge attributes.

ndo_bridge_setlink()
ndo_bridge_getlink()

CC: Lennert Buytenhek
CC: Stephen Hemminger
Signed-off-by: John Fastabend
Signed-off-by: David S. Miller
30 Oct, 2012
1 commit
-
In SR-IOV mode the PF driver acts as the uplink port and is
used to send control packets e.g. lldpad, stp, etc.

eth0.1 eth0.2 eth0
VF VF PF
| | |
Tested-by: Phil Schmitt
Tested-by: Sibai Li
Signed-off-by: Jeff Kirsher
02 Oct, 2012
1 commit
-
Later changes need to be able to refer to neighbour attributes
when doing fdb_add.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
20 Sep, 2012
1 commit
-
The internal functions for add/deleting addresses don't change
their argument.

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
15 Aug, 2012
1 commit
-
slave_enable_netpoll() and __netpoll_setup() may be called
with read_lock() held, so should use GFP_ATOMIC to allocate
memory. Eric suggested to pass gfp flags to __netpoll_setup().

Cc: Eric Dumazet
Cc: "David S. Miller"
Reported-by: Dan Carpenter
Signed-off-by: Eric Dumazet
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
27 Jun, 2012
1 commit
-
This ensures that bridges created with brctl(8) or ioctl(2) directly
also carry IFLA_LINKINFO when dumped over netlink. This also allows
to create a bridge with ioctl(2) and delete it with RTM_DELLINK.

Signed-off-by: Thomas Graf
Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
16 Apr, 2012
2 commits
-
This adds two new flags NTF_MASTER and NTF_SELF that can
now be used to specify where PF_BRIDGE netlink commands should
be sent. NTF_MASTER sends the commands to the 'dev->master'
device for parsing. Typically this will be the linux net/bridge,
or open-vswitch devices. Also without any flags set the command
will be handled by the master device as well so that current user
space tools continue to work as expected.

The NTF_SELF flag will push the PF_BRIDGE commands to the
device. In the basic example below the commands are then parsed
and programmed in the embedded bridge.

Note if both NTF_SELF and NTF_MASTER bits are set then the
command will be sent to both 'dev->master' and 'dev'; this allows
user space to easily keep the embedded bridge and software bridge
in sync.

There is a slight complication in the case with both flags set
when an error occurs. To resolve this the rtnl handler clears
the NTF_ flag in the netlink ack to indicate which sets completed
successfully. The add/del handlers will abort as soon as any
error occurs.

To support this new net device ops were added to call into
the device and the existing bridging code was refactored
to use these. There should be no required changes in user space
to support the current bridge behavior.

A basic setup with a SR-IOV enabled NIC looks like this,
veth0 veth2
| |
------------
| bridge0 |

Signed-off-by: David S. Miller
-
Sending general queries was implemented as an optimisation to speed
up convergence on start-up. In order to prevent interference with
multicast routers a zero source address has to be used.

Unfortunately these packets appear to cause some multicast-aware
switches to misbehave, e.g., by disrupting multicast packets to us.

Since the multicast snooping feature still functions without sending
our own queries, this patch will change the default to not send
queries.

For those that need queries in order to speed up convergence on start-up,
a toggle is provided to restore the previous behaviour.

Signed-off-by: Herbert Xu
Signed-off-by: David S. Miller
Signed-off-by: David S. Miller