Linux Ethernet Bridging - Sep 2022 - [Bridge] [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature

Block traffic to a specific host with the command:
bridge fdb add <MAC> vlan <vid> dev br0 blackhole

The blackhole FDB entries can be added, deleted and replaced with
ordinary FDB entries.

Signed-off-by: Hans Schultz <netdev at kapio-technology.com>
---
 bridge/fdb.c                   | 7 ++++++-
 include/uapi/linux/neighbour.h | 4 ++++
 man/man8/bridge.8              | 6 ++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/bridge/fdb.c b/bridge/fdb.c
index 0fbe9bd3..2160f1c2 100644
--- a/bridge/fdb.c
+++ b/bridge/fdb.c
@@ -38,7 +38,7 @@ static void usage(void)
 	fprintf(stderr,
 		"Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
 		"              [ self ] [ master ] [ use ] [ router ] [ extern_learn
]\n"
-		"              [ sticky ] [ local | static | dynamic ] [ vlan VID
]\n"
+		"              [ sticky ] [ local | static | dynamic ] [blackhole] [
vlan VID ]\n"
 		"              { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ]
}\n"
 		"	       [ via DEV ] [ src_vni VNI ]\n"
 		"       bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID
]\n"
@@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags,
__u8 ext_flags)
 	if (flags & NTF_STICKY)
 		print_string(PRINT_ANY, NULL, "%s ", "sticky");
 
+	if (ext_flags & NTF_EXT_BLACKHOLE)
+		print_string(PRINT_ANY, NULL, "%s ", "blackhole");
+
 	if (ext_flags & NTF_EXT_LOCKED)
 		print_string(PRINT_ANY, NULL, "%s ", "locked");
 
@@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char
**argv)
 			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
 		} else if (matches(*argv, "sticky") == 0) {
 			req.ndm.ndm_flags |= NTF_STICKY;
+		} else if (matches(*argv, "blackhole") == 0) {
+			ext_flags |= NTF_EXT_BLACKHOLE;
 		} else {
 			if (strcmp(*argv, "to") == 0)
 				NEXT_ARG();
diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index 4dda051b..cc7d540e 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -54,6 +54,7 @@ enum {
 /* Extended flags under NDA_FLAGS_EXT: */
 #define NTF_EXT_MANAGED		(1 << 0)
 #define NTF_EXT_LOCKED		(1 << 1)
+#define NTF_EXT_BLACKHOLE	(1 << 2)
 
 /*
  *	Neighbor Cache Entry States.
@@ -91,6 +92,9 @@ enum {
  * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
  * locked port feature, that ensures that an entry exists while at the same
  * time dropping packets on ingress with src MAC and VID matching the entry.
+ *
+ * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed
+ * from any port to the destination MAC, VID pair associated with it.
  */
 
 struct nda_cacheinfo {
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index 40250477..af2e7db2 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age such
an entry.
 - this entry will not change its port due to learning.
 .sp
 
+.B blackhole
+- this is an entry that denies all forwarding from any port to a destination
+matching the entry. It can be added by userspace, but the flag is mostly set
+from a hardware driver.
+.sp
+
 .in -8
 The next command line parameters apply only
 when the specified device
-- 
2.34.1

On Thu, 29 Sep 2022 17:21:37 +0200
Hans Schultz <netdev at kapio-technology.com> wrote:
>  
> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc,
char **argv)
>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>  		} else if (matches(*argv, "sticky") == 0) {
>  			req.ndm.ndm_flags |= NTF_STICKY;
> +		} else if (matches(*argv, "blackhole") == 0) {
> +			ext_flags |= NTF_EXT_BLACKHOLE;
>  		} else {
>  			if (strcmp(*argv, "to") == 0)
>  				NEXT_ARG();
The parsing of flags is weird here, most of the flags are compared with strcmp()
but some use matches()..  I should have used strcmp() all the time; but at the
time did not realize what kind of confusion matches() can cause.

On Thu, Sep 29, 2022 at 05:21:37PM +0200, Hans Schultz
wrote:
> Block traffic to a specific host with the command:
> bridge fdb add <MAC> vlan <vid> dev br0 blackhole
Please add an example with regular and JSON output.
> 
> The blackhole FDB entries can be added, deleted and replaced with
> ordinary FDB entries.
> 
> Signed-off-by: Hans Schultz <netdev at kapio-technology.com>
> ---
>  bridge/fdb.c                   | 7 ++++++-
>  include/uapi/linux/neighbour.h | 4 ++++
>  man/man8/bridge.8              | 6 ++++++
>  3 files changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index 0fbe9bd3..2160f1c2 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -38,7 +38,7 @@ static void usage(void)
>  	fprintf(stderr,
>  		"Usage: bridge fdb { add | append | del | replace } ADDR dev
DEV\n"
>  		"              [ self ] [ master ] [ use ] [ router ] [
extern_learn ]\n"
> -		"              [ sticky ] [ local | static | dynamic ] [ vlan VID
]\n"
> +		"              [ sticky ] [ local | static | dynamic ] [blackhole]
[ vlan VID ]\n"
[ blackhole ]
>  		"              { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid
NHID ] }\n"
>  		"	       [ via DEV ] [ src_vni VNI ]\n"
>  		"       bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID
]\n"
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int
flags, __u8 ext_flags)
>  	if (flags & NTF_STICKY)
>  		print_string(PRINT_ANY, NULL, "%s ", "sticky");
>  
> +	if (ext_flags & NTF_EXT_BLACKHOLE)
> +		print_string(PRINT_ANY, NULL, "%s ", "blackhole");
> +
>  	if (ext_flags & NTF_EXT_LOCKED)
>  		print_string(PRINT_ANY, NULL, "%s ", "locked");
>  
> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc,
char **argv)
>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>  		} else if (matches(*argv, "sticky") == 0) {
>  			req.ndm.ndm_flags |= NTF_STICKY;
> +		} else if (matches(*argv, "blackhole") == 0) {
> +			ext_flags |= NTF_EXT_BLACKHOLE;
>  		} else {
>  			if (strcmp(*argv, "to") == 0)
>  				NEXT_ARG();
> diff --git a/include/uapi/linux/neighbour.h
b/include/uapi/linux/neighbour.h
> index 4dda051b..cc7d540e 100644
> --- a/include/uapi/linux/neighbour.h
> +++ b/include/uapi/linux/neighbour.h
> @@ -54,6 +54,7 @@ enum {
>  /* Extended flags under NDA_FLAGS_EXT: */
>  #define NTF_EXT_MANAGED		(1 << 0)
>  #define NTF_EXT_LOCKED		(1 << 1)
> +#define NTF_EXT_BLACKHOLE	(1 << 2)
>  
>  /*
>   *	Neighbor Cache Entry States.
> @@ -91,6 +92,9 @@ enum {
>   * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with
the
>   * locked port feature, that ensures that an entry exists while at the
same
>   * time dropping packets on ingress with src MAC and VID matching the
entry.
> + *
> + * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is
allowed
> + * from any port to the destination MAC, VID pair associated with it.
>   */
>  
>  struct nda_cacheinfo {
> diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
> index 40250477..af2e7db2 100644
> --- a/man/man8/bridge.8
> +++ b/man/man8/bridge.8
> @@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age
such an entry.
>  - this entry will not change its port due to learning.
>  .sp
Need to patch the "SYNOPSIS" section as well
>  
> +.B blackhole
> +- this is an entry that denies all forwarding from any port to a
destination
> +matching the entry. It can be added by userspace, but the flag is mostly
set
> +from a hardware driver.
I'm not sure the last sentence belongs in the man page. We have no way
of knowing if it is true and it can change with time.

How about:

"this entry will silently discard all matching packets. The entry must
be added as a local permanent entry."
> +.sp
> +
>  .in -8
>  The next command line parameters apply only
>  when the specified device
> -- 
> 2.34.1
>