similar to: [Bridge] [PATCH] Fix typo in net/bridge/br_stp_if.c

This patch adds a 'hairpin' (also called 'reflective relay') mode port configuration to the Linux Ethernet bridge kernel module. A bridge supporting hairpin forwarding mode can send frames back out through the port the frame was received on. Hairpin mode is required to support basic VEPA (Virtual Ethernet Port Aggregator) capabilities. You can find additional information on VEPA

This patch adds a 'hairpin' (also called 'reflective relay') mode port configuration to the Linux Ethernet bridge kernel module. A bridge supporting hairpin forwarding mode can send frames back out through the port the frame was received on. Hairpin mode is required to support basic VEPA (Virtual Ethernet Port Aggregator) capabilities. You can find additional information on VEPA

This patch adds a 'hairpin' (also called 'reflective relay') mode port configuration to the Linux Ethernet bridge kernel module. A bridge supporting hairpin forwarding mode can send frames back out through the port the frame was received on. Hairpin mode is required to support basic VEPA (Virtual Ethernet Port Aggregator) capabilities. You can find additional information on VEPA

Bridge locking for /sys/class/net/br0/bridge/stp_enabled was wrong. Another bug in bridge utilities makes it such that this interface, meant it wasn't being used. The locking needs to be removed from set_stp_state(), the lock is already acquired down in br_stp_start()/br_stp_stop. Signed-off-by: Stephen Hemminger <shemminger@linux-foundation.org> --- a/net/bridge/br_sysfs_br.c

When we create an L2 loop on a bridge in netns, we will see packets storm even if STP is enabled. # unshare -n # ip link add br0 type bridge # ip link add veth0 type veth peer name veth1 # ip link set veth0 master br0 up # ip link set veth1 master br0 up # ip link set br0 type bridge stp_state 1 # ip link set br0 up # sleep 30 # ip -s link show br0 2: br0:

On 12/07/2023 17:48, Ido Schimmel wrote: > On Tue, Jul 11, 2023 at 04:54:15PM -0700, Kuniyuki Iwashima wrote: >> When we create an L2 loop on a bridge in netns, we will see packets storm >> even if STP is enabled. >> >> # unshare -n >> # ip link add br0 type bridge >> # ip link add veth0 type veth peer name veth1 >> # ip link set veth0 master

A malicious actor behind one bridge port may spam the kernel with packets with a random source MAC address, each of which will create an FDB entry, each of which is a dynamic allocation in the kernel. There are roughly 2^48 different MAC addresses, further limited by the rhashtable they are stored in to 2^31. Each entry is of the type struct net_bridge_fdb_entry, which is currently 128 bytes big.

From: Evgeny Kravtsunov <emkravts@openvz.org> compare_ether_addr() implicitly requires that the addresses passed are 2-bytes aligned in memory. This is not true for br_stp_change_bridge_id() and br_stp_recalculate_bridge_id() in which one of the addresses is unsigned char *, and thus may not be 2-bytes aligned. Signed-off-by: Evgeny Kravtsunov <emkravts@openvz.org> Signed-off-by:

Introduce a limit on the amount of learned FDB entries on a bridge, configured by netlink with a build time default on bridge creation in the kernel config. For backwards compatibility the kernel config default is disabling the limit (0). Without any limit a malicious actor may OOM a kernel by spamming packets with changing MAC addresses on their bridge port, so allow the bridge creator to limit

On 12/07/2023 02:54, Kuniyuki Iwashima wrote: > When we create an L2 loop on a bridge in netns, we will see packets storm > even if STP is enabled. > > # unshare -n > # ip link add br0 type bridge > # ip link add veth0 type veth peer name veth1 > # ip link set veth0 master br0 up > # ip link set veth1 master br0 up > # ip link set br0 type bridge stp_state 1

(CC'ing bridge maintainers.) Kuniyuki Iwashima <kuniyu at amazon.com> writes: > From: Harry Coin <hcoin at quietfountain.com> > Date: Tue, 11 Jul 2023 16:40:03 -0500 >> On 7/11/23 15:44, Andrew Lunn wrote: >> >>>>>> The current llc_rcv.c around line 166 in net/llc/llc_input.c has >> >>>>>> >>

Looks like somebody forgot to use the _bh spin_lock variant. We ran into a deadlock where br->hello_timer expired while br_stp_disable_br() walked br->port_list. Anush can provide you with a test program. Patch against 2.6.16-rc3 inlined. diff -rup linux-2.6.16-rc3/net/bridge/br_stp_if.c linux-2.6.16-rc3-brfix/net/bridge/br_stp_if.c --- linux-2.6.16-rc3/net/bridge/br_stp_if.c

Looks like somebody forgot to use the _bh spin_lock variant. We ran into a deadlock where br->hello_timer expired while br_stp_disable_br() walked br->port_list. Anush can provide you with a test program. Patch against 2.6.16-rc3 inlined. Signed-off-by: Adrian Drzewiecki diff -rup linux-2.6.16-rc3/net/bridge/br_stp_if.c linux-2.6.16-rc3-brfix/net/bridge/br_stp_if.c ---

Merge the ioctl stub calls that just end up calling the sub-function to do the actual ioctl. Move br_get_XXX_ifindices into the ioctl file as well where they can be static. diff -Nru a/net/bridge/br_device.c b/net/bridge/br_device.c --- a/net/bridge/br_device.c 2004-05-20 10:51:05 -07:00 +++ b/net/bridge/br_device.c 2004-05-20 10:51:05 -07:00 @@ -19,21 +19,6 @@ #include <asm/uaccess.h>

Currently we would still potentially suffer multicast packet loss if there is just either an IGMP or an MLD querier: For the former case, we would possibly drop IPv6 multicast packets, for the latter IPv4 ones. This is because we are currently assuming that if either an IGMP or MLD querier is present that the other one is present, too. This patch makes the behaviour and fix added in "bridge:

Changes since v9: * series re-ordering so make functionality more distinct. Basic vlan filtering is patches 1-4. Support for PVID/untagged vlans is patches 5 and 6. VLAN support for FDB/MDB is patches 7-11. Patch 12 is still additional egress policy. * Slight simplification to code that extracts the VID from skb. Since we now depend on the vlan module, at the time of input skb_tci is

This series of patches provides an ability to add VLANs to the bridge ports. This is similar to what can be found in most switches. The bridge port may have any number of VLANs added to it including vlan 0 priority tagged traffic. When vlans are added to the port, only traffic tagged with particular vlan will forwarded over this port. Additionally, vlan ids are added to FDB entries and become

I have a bridge that has gigabit interfaces. The machine in question has the fun job of being a Bridge, Firewall and SMB server. Both of the Gigabit interfaces are connected to workstations directly via Xover cable (well MDI-X to be exact). My question is, if I enable jumbo frames on the gigabit interfaces will that make any difference in overall transfer rate of the bridge? I was thinking it

The following series adds 2 new flags to bridge. One flag allows the user to control whether mac learning is performed on the interface or not. By default mac learning is on. The other flag allows the user to control whether unicast traffic is flooded (send without an fdb) to a given unicast port. Default is on. Changes since v4: - Implemented Stephen's suggestions. Changes since v2: -

This allows the called fdb_create to detect that the entry was added by the user early in the process. This is in preparation to adding limits in fdb_create that should not apply to user created fdb entries. Signed-off-by: Johannes Nixdorf <jnixdorf-oss at avm.de> --- Changes since v1: - Added this change to ensure user added entries are not limited. net/bridge/br_fdb.c | 6 +++--- 1