search for: br_fdb_cach

...rr_out1: + br_fdb_fini(); +err_out0: llc_sap_put(br_stp_sap); + return err; } Index: 2.6-mm/net/bridge/br_fdb.c =================================================================== --- 2.6-mm.orig/net/bridge/br_fdb.c +++ 2.6-mm/net/bridge/br_fdb.c @@ -27,12 +27,14 @@ static struct kmem_cache *br_fdb_cache _ static int fdb_insert(struct net_bridge *br, struct net_bridge_port *source, const unsigned char *addr); -void __init br_fdb_init(void) +int __init br_fdb_init(void) { br_fdb_cache = kmem_cache_create("bridge_fdb_cache", sizeof(struct net_bridge_fdb_entry),...

...db_rcu_free); } @@ -391,6 +393,9 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br, struct net_bridge_fdb_entry *fdb; int err; + if (unlikely(br->fdb_max_entries && br->fdb_n_entries >= br->fdb_max_entries)) + return NULL; + fdb = kmem_cache_alloc(br_fdb_cache, GFP_ATOMIC); if (!fdb) return NULL; @@ -408,6 +413,7 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br, } hlist_add_head_rcu(&fdb->fdb_node, &br->fdb_list); + br->fdb_n_entries++; return fdb; } diff --git a/net/bridge/br_netlink.c b/net/bridg...

...; + if (unlikely(br->fdb_max_entries && br->fdb_n_entries >= br->fdb_max_entries)) > + return NULL; > + This one needs more work, fdb_create() is also used when user-space is adding new entries, so it would be nice to return a proper error. > fdb = kmem_cache_alloc(br_fdb_cache, GFP_ATOMIC); > if (!fdb) > return NULL; > @@ -408,6 +413,7 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br, > } > > hlist_add_head_rcu(&fdb->fdb_node, &br->fdb_list); > + br->fdb_n_entries++; > > return fdb; >...

...truct net_bridge_fdb_entry *fdb; int err; + bool learned = !(flags & BR_FDB_NOT_LEARNED_MASK); + + if (unlikely(learned && br->fdb_max_learned_entries && + br->fdb_cur_learned_entries >= br->fdb_max_learned_entries)) + return NULL; fdb = kmem_cache_alloc(br_fdb_cache, GFP_ATOMIC); if (!fdb) @@ -409,6 +453,8 @@ static struct net_bridge_fdb_entry *fdb_create(struct net_bridge *br, hlist_add_head_rcu(&fdb->fdb_node, &br->fdb_list); + br->fdb_cur_learned_entries += learned; + return fdb; } @@ -894,7 +940,7 @@ void br_fdb_update(struct...

Introduce a limit on the amount of learned FDB entries on a bridge, configured by netlink with a build time default on bridge creation in the kernel config. For backwards compatibility the kernel config default is disabling the limit (0). Without any limit a malicious actor may OOM a kernel by spamming packets with changing MAC addresses on their bridge port, so allow the bridge creator to limit

Changes since v9: * series re-ordering so make functionality more distinct. Basic vlan filtering is patches 1-4. Support for PVID/untagged vlans is patches 5 and 6. VLAN support for FDB/MDB is patches 7-11. Patch 12 is still additional egress policy. * Slight simplification to code that extracts the VID from skb. Since we now depend on the vlan module, at the time of input skb_tci is

This series of patches provides an ability to add VLANs to the bridge ports. This is similar to what can be found in most switches. The bridge port may have any number of VLANs added to it including vlan 0 priority tagged traffic. When vlans are added to the port, only traffic tagged with particular vlan will forwarded over this port. Additionally, vlan ids are added to FDB entries and become