search for: ageing_time

Test FDB ageing of user entry created by bridge fdb replace ADDR dev <DEV> master dynamic Use LOW_AGEING_TIME variable in forwarding.config to set a low ageing time. Beware, DSA might not accept the ageing time you want. Check the age_time_coeff value for your driver. Signed-off-by: Hans J. Schultz <netdev at kapio-technology.com> --- .../net/forwarding/bridge_locked_port.sh | 36 +++++++++++++...

On Sat, Mar 18, 2023 at 03:10:10PM +0100, Hans J. Schultz wrote: > +# Test of dynamic FDB entries. > +locked_port_dyn_fdb() > +{ > + local mac=00:01:02:03:04:05 > + local ageing_time > + > + RET=0 > + ageing_time=$(bridge_ageing_time_get br0) > + tc qdisc add dev $swp2 clsact > + ip link set dev br0 type bridge ageing_time $LOW_AGEING_TIME > + bridge link set dev $swp1 learning on locked on > + > + bridge fdb replace $mac dev $swp1 master dynamic > +...

...idge info - /sys/class/bridge/brX/ get port list - /sys/class/bridge/brX/ports/* set bridge forward delay - /sys/class/bridge/brX/forward_delay set bridge hello time - /sys/class/bridge/brX/hello_time set bridge max age - /sys/class/bridge/brX/max_age set ageing time - /sys/class/bridge/brX/ageing_time set gc interval - deprecated does nothing anymore set get port info - /sys/class/bridge/brX/ports/ethX/* set bridge stp state - /sys/class/bridge/brX/stp set bridge priority - /sys/class/bridge/brX/priority set port priority - /sys/class/bridge/brX/ports/ethX/priority set path cost - /sys/c...

On Mon, Mar 20, 2023 at 10:44, Ido Schimmel <idosch at nvidia.com> wrote: >> + $MZ $swp1 -c 1 -p 128 -t udp "sp=54321,dp=12345" \ >> + -a $mac -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q >> + tc_check_packets "dev $swp2 egress" 1 1 >> + check_fail $? "Dynamic FDB entry did not age out" > > Shouldn't this be check_err()? After

...br->bridge_max_age = clock_t_to_jiffies(arg0); + br->bridge_max_age = clock_t_to_jiffies(args[1]); if (br_is_root_bridge(br)) br->max_age = br->bridge_max_age; spin_unlock_bh(&br->lock); @@ -151,7 +180,7 @@ if (!capable(CAP_NET_ADMIN)) return -EPERM; - br->ageing_time = clock_t_to_jiffies(arg0); + br->ageing_time = clock_t_to_jiffies(args[1]); return 0; case BRCTL_GET_PORT_INFO: @@ -160,7 +189,7 @@ struct net_bridge_port *pt; rcu_read_lock(); - if ((pt = br_get_port(br, arg1)) == NULL) { + if ((pt = br_get_port(br, args[2])) == NULL) { r...

...-a $mac -b `mac_get $h2` -A 192.0.2.1 -B 192.0.2.2 -q tc_check_packets "dev $swp2 egress" 1 1 - check_fail $? "Dynamic FDB entry did not age out" + check_err $? "Dynamic FDB entry did not age out" ip link set dev br0 type bridge ageing_time $ageing_time bridge link set dev $swp1 learning off locked off ``` # ./bridge_locked_port.sh TEST: Locked port ipv4 [ OK ] TEST: Locked port ipv6 [ OK ] TEST: Locked port vlan...

....c index 8eca8a5c80c6..d455a28df7c9 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -528,6 +528,8 @@ void br_dev_setup(struct net_device *dev) br->bridge_hello_time = br->hello_time = 2 * HZ; br->bridge_forward_delay = br->forward_delay = 15 * HZ; br->bridge_ageing_time = br->ageing_time = BR_DEFAULT_AGEING_TIME; + br->fdb_n_entries = 0; + br->fdb_max_entries = 0; dev->max_mtu = ETH_MAX_MTU; br_netfilter_rtable_init(br); diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c index e69a872bfc1d..8a833e6dee92 100644 --- a/net/bridge/br_fdb.c +++ b/...

...hdev notifier chain, where interested drivers have no choice but to assume this is a static FDB entry. So currently, all drivers offload it to hardware as such. bridge fdb get 00:01:02:03:04:05 dev swp0 master 00:01:02:03:04:05 dev swp0 offload master br0 The software FDB entry expires after the $ageing_time and the bridge notifies its deletion as well, so it eventually disappears from hardware too. This is a problem, because it is actually desirable to start offloading "master dynamic" FDB entries correctly, and this is how the current incorrect behavior was discovered. To see why the curr...

...The default of 0 disables the limit. + + If unsure, say 0. diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c index 8eca8a5c80c6..93f081ce8195 100644 --- a/net/bridge/br_device.c +++ b/net/bridge/br_device.c @@ -530,6 +530,8 @@ void br_dev_setup(struct net_device *dev) br->bridge_ageing_time = br->ageing_time = BR_DEFAULT_AGEING_TIME; dev->max_mtu = ETH_MAX_MTU; + br->fdb_max_learned_entries = CONFIG_BRIDGE_DEFAULT_FDB_MAX_LEARNED; + br_netfilter_rtable_init(br); br_stp_timer_init(br); br_multicast_init(br); -- 2.40.1

...df7c9 100644 > --- a/net/bridge/br_device.c > +++ b/net/bridge/br_device.c > @@ -528,6 +528,8 @@ void br_dev_setup(struct net_device *dev) > br->bridge_hello_time = br->hello_time = 2 * HZ; > br->bridge_forward_delay = br->forward_delay = 15 * HZ; > br->bridge_ageing_time = br->ageing_time = BR_DEFAULT_AGEING_TIME; > + br->fdb_n_entries = 0; > + br->fdb_max_entries = 0; Unnecessary, the private area is already cleared. > dev->max_mtu = ETH_MAX_MTU; > > br_netfilter_rtable_init(br); > diff --git a/net/bridge/br_fdb.c b/net/bridge...

...ed > drivers have no choice but to assume this is a static FDB entry. > So currently, all drivers offload it to hardware as such. > > bridge fdb get 00:01:02:03:04:05 dev swp0 master > 00:01:02:03:04:05 dev swp0 offload master br0 > > The software FDB entry expires after the $ageing_time and the bridge > notifies its deletion as well, so it eventually disappears from hardware > too. > > This is a problem, because it is actually desirable to start offloading > "master dynamic" FDB entries correctly, and this is how the current > incorrect behavior was di...

...r->uplink == p) + br->uplink = NULL; kobject_uevent(&p->kobj, KOBJ_REMOVE); kobject_del(&p->kobj); @@ -203,6 +205,7 @@ static struct net_device *new_bridge_dev(struct net *net, const char *name) br->topology_change = 0; br->topology_change_detected = 0; br->ageing_time = 300 * HZ; + br->uplink = NULL; br_netfilter_rtable_init(br); diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 5ee1a36..8027156 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -50,6 +50,15 @@ int br_handle_frame_finish(struct sk_buff *skb) br = p->br...

...r->uplink == p) + br->uplink = NULL; kobject_uevent(&p->kobj, KOBJ_REMOVE); kobject_del(&p->kobj); @@ -203,6 +205,7 @@ static struct net_device *new_bridge_dev(struct net *net, const char *name) br->topology_change = 0; br->topology_change_detected = 0; br->ageing_time = 300 * HZ; + br->uplink = NULL; br_netfilter_rtable_init(br); diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 5ee1a36..8027156 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -50,6 +50,15 @@ int br_handle_frame_finish(struct sk_buff *skb) br = p->br...

...r->uplink == p) + br->uplink = NULL; kobject_uevent(&p->kobj, KOBJ_REMOVE); kobject_del(&p->kobj); @@ -203,6 +205,7 @@ static struct net_device *new_bridge_dev(struct net *net, const char *name) br->topology_change = 0; br->topology_change_detected = 0; br->ageing_time = 300 * HZ; + br->uplink = NULL; br_netfilter_rtable_init(br); diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 5ee1a36..8027156 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -50,6 +50,15 @@ int br_handle_frame_finish(struct sk_buff *skb) br = p->br...

Introduce a limit on the amount of learned FDB entries on a bridge, configured by netlink with a build time default on bridge creation in the kernel config. For backwards compatibility the kernel config default is disabling the limit (0). Without any limit a malicious actor may OOM a kernel by spamming packets with changing MAC addresses on their bridge port, so allow the bridge creator to limit

This series of patches provides an ability to add VLANs to the bridge ports. This is similar to what can be found in most switches. The bridge port may have any number of VLANs added to it including vlan 0 priority tagged traffic. When vlans are added to the port, only traffic tagged with particular vlan will forwarded over this port. Additionally, vlan ids are added to FDB entries and become