search for: vlan_filtering

...e.c @@ -34,6 +34,7 @@ static void print_explain(FILE *f) " [ group_fwd_mask MASK ]\n" " [ group_address ADDRESS ]\n" " [ no_linklocal_learn NO_LINKLOCAL_LEARN ]\n" + " [ fdb_max_learned_entries FDB_MAX_LEARNED_ENTRIES ]\n" " [ vlan_filtering VLAN_FILTERING ]\n" " [ vlan_protocol VLAN_PROTOCOL ]\n" " [ vlan_default_pvid VLAN_DEFAULT_PVID ]\n" @@ -168,6 +169,14 @@ static int bridge_parse_opt(struct link_util *lu, int argc, char **argv, bm.optval |= no_ll_learn_bit; else bm.optval &=...

...e.c @@ -34,6 +34,7 @@ static void print_explain(FILE *f) " [ group_fwd_mask MASK ]\n" " [ group_address ADDRESS ]\n" " [ no_linklocal_learn NO_LINKLOCAL_LEARN ]\n" + " [ fdb_max_learned_entries FDB_MAX_LEARNED_ENTRIES ]\n" " [ vlan_filtering VLAN_FILTERING ]\n" " [ vlan_protocol VLAN_PROTOCOL ]\n" " [ vlan_default_pvid VLAN_DEFAULT_PVID ]\n" @@ -168,6 +169,14 @@ static int bridge_parse_opt(struct link_util *lu, int argc, char **argv, bm.optval |= no_ll_learn_bit; else bm.optval &=...

.../ip/iplink_bridge.c @@ -34,6 +34,7 @@ static void print_explain(FILE *f) " [ group_fwd_mask MASK ]\n" " [ group_address ADDRESS ]\n" " [ no_linklocal_learn NO_LINKLOCAL_LEARN ]\n" + " [ fdb_max_learned FDB_MAX_LEARNED ]\n" " [ vlan_filtering VLAN_FILTERING ]\n" " [ vlan_protocol VLAN_PROTOCOL ]\n" " [ vlan_default_pvid VLAN_DEFAULT_PVID ]\n" @@ -168,6 +169,14 @@ static int bridge_parse_opt(struct link_util *lu, int argc, char **argv, bm.optval |= no_ll_learn_bit; else bm.optval &=...

Introduce a limit on the amount of learned FDB entries on a bridge, configured by netlink with a build time default on bridge creation in the kernel config. For backwards compatibility the kernel config default is disabling the limit (0). Without any limit a malicious actor may OOM a kernel by spamming packets with changing MAC addresses on their bridge port, so allow the bridge creator to limit

...rivate.h index 2119729ded2b..bd5c18286a40 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -581,6 +581,7 @@ struct br_input_skb_cb { #endif u8 proxyarp_replied:1; u8 src_port_isolated:1; + u8 miss:1; /* FDB or MDB lookup miss */ #ifdef CONFIG_BRIDGE_VLAN_FILTERING u8 vlan_filtered:1; #endif And set this bit upon misses instead of skb->l2_miss: @@ -203,6 +205,8 @@ void br_flood(struct net_bridge *br, struct sk_buff *skb, struct net_bridge_port *prev = NULL; struct net_bridge_port *p; + BR_INPUT_SKB_CB(skb)->miss = 1; +...

...a set of Docker containers to a KVM. The containers shall be isolated in a way that they cannot communicate to each other without going through the KVM, which will act as router/firewall. For this, I thought about the following simple setup (as opposed to a more complex one involving a bridge with vlan_filtering and a seperate VLAN for each container): +------------------------------------------------------------------+ | Host | |  +-------------+ +----------------------+---+ |  | KVM         |                      | Docker           +-> | a | |  |  +----------+     +----------+     +--------------+ +-...

...;containers to a KVM. The containers shall be isolated in a way that they >cannot communicate to each other without going through the KVM, which >will act as router/firewall. For this, I thought about the following >simple setup (as opposed to a more complex one involving a bridge with >vlan_filtering and a seperate VLAN for each container): > >+------------------------------------------------------------------+ >| Host | >|  +-------------+ +----------------------+---+ >|  | KVM         |                      | Docker           +-> | a | >|  |  +----------+     +----------+...

Changes since v9: * series re-ordering so make functionality more distinct. Basic vlan filtering is patches 1-4. Support for PVID/untagged vlans is patches 5 and 6. VLAN support for FDB/MDB is patches 7-11. Patch 12 is still additional egress policy. * Slight simplification to code that extracts the VID from skb. Since we now depend on the vlan module, at the time of input skb_tci is