similar to: [Bridge] [PATCH] (1/4) bridge: use jenkins hash

Convert the bridge forwarding database over to using RCU. This avoids a read_lock and atomic_inc/dec in the fast path of output. Signed-off-by: Stephen Hemminger <shemminger@osdl.org> diff -Nru a/include/linux/list.h b/include/linux/list.h --- a/include/linux/list.h 2004-07-28 15:30:04 -07:00 +++ b/include/linux/list.h 2004-07-28 15:30:04 -07:00 @@ -678,6 +678,24 @@ pos &&

On 15/05/2023 11:50, Johannes Nixdorf wrote: > A malicious actor behind one bridge port may spam the kernel with packets > with a random source MAC address, each of which will create an FDB entry, > each of which is a dynamic allocation in the kernel. > > There are roughly 2^48 different MAC addresses, further limited by the > rhashtable they are stored in to 2^31. Each entry is

A malicious actor behind one bridge port may spam the kernel with packets with a random source MAC address, each of which will create an FDB entry, each of which is a dynamic allocation in the kernel. There are roughly 2^48 different MAC addresses, further limited by the rhashtable they are stored in to 2^31. Each entry is of the type struct net_bridge_fdb_entry, which is currently 128 bytes big.

A malicious actor behind one bridge port may spam the kernel with packets with a random source MAC address, each of which will create an FDB entry, each of which is a dynamic allocation in the kernel. There are roughly 2^48 different MAC addresses, further limited by the rhashtable they are stored in to 2^31. Each entry is of the type struct net_bridge_fdb_entry, which is currently 128 bytes big.

This patch checks kmem_cache_create() error and aborts loading module on failure. Cc: Stephen Hemminger <shemminger@linux-foundation.org> Signed-off-by: Akinobu Mita <akinobu.mita@gmail.com> --- net/bridge/br.c | 7 ++++++- net/bridge/br_fdb.c | 4 +++- net/bridge/br_private.h | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) Index:

This patch adds basic Virtual Ethernet Port Aggregator (VEPA) capabilities to the Linux kernel Ethernet bridging code. A Virtual Ethernet Port Aggregator (VEPA) is a capability within a physical end station that collaborates with an adjacent, external bridge to provide distributed bridging support between multiple virtual end stations and external networks. The VEPA collaborates by forwarding all

This patch adds basic Virtual Ethernet Port Aggregator (VEPA) capabilities to the Linux kernel Ethernet bridging code. A Virtual Ethernet Port Aggregator (VEPA) is a capability within a physical end station that collaborates with an adjacent, external bridge to provide distributed bridging support between multiple virtual end stations and external networks. The VEPA collaborates by forwarding all

This patch adds basic Virtual Ethernet Port Aggregator (VEPA) capabilities to the Linux kernel Ethernet bridging code. A Virtual Ethernet Port Aggregator (VEPA) is a capability within a physical end station that collaborates with an adjacent, external bridge to provide distributed bridging support between multiple virtual end stations and external networks. The VEPA collaborates by forwarding all

On Tue, Jun 20, 2023 at 09:55:31AM +0300, Nikolay Aleksandrov wrote: > On 6/19/23 10:14, Johannes Nixdorf wrote: > > +/* Set a FDB flag that implies the entry was not learned, and account > > + * for changes in the learned status. > > + */ > > +static void __fdb_set_flag_not_learned(struct net_bridge *br, > > + struct net_bridge_fdb_entry *fdb, > >

On 20/06/2023 16:35, Johannes Nixdorf wrote: > On Tue, Jun 20, 2023 at 09:55:31AM +0300, Nikolay Aleksandrov wrote: >> On 6/19/23 10:14, Johannes Nixdorf wrote: >>> +/* Set a FDB flag that implies the entry was not learned, and account >>> + * for changes in the learned status. >>> + */ >>> +static void __fdb_set_flag_not_learned(struct net_bridge *br,

Changes since v9: * series re-ordering so make functionality more distinct. Basic vlan filtering is patches 1-4. Support for PVID/untagged vlans is patches 5 and 6. VLAN support for FDB/MDB is patches 7-11. Patch 12 is still additional egress policy. * Slight simplification to code that extracts the VID from skb. Since we now depend on the vlan module, at the time of input skb_tci is

Introduce a limit on the amount of learned FDB entries on a bridge, configured by netlink with a build time default on bridge creation in the kernel config. For backwards compatibility the kernel config default is disabling the limit (0). Without any limit a malicious actor may OOM a kernel by spamming packets with changing MAC addresses on their bridge port, so allow the bridge creator to limit

This series of patches provides an ability to add VLANs to the bridge ports. This is similar to what can be found in most switches. The bridge port may have any number of VLANs added to it including vlan 0 priority tagged traffic. When vlans are added to the port, only traffic tagged with particular vlan will forwarded over this port. Additionally, vlan ids are added to FDB entries and become

From: Wei Yongjun <yongjun_wei at trendmicro.com.cn> Using for_each_set_bit_from() to simplify the code. Signed-off-by: Wei Yongjun <yongjun_wei at trendmicro.com.cn> --- net/bridge/br_fdb.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c index b0812c9..48fe761 100644 --- a/net/bridge/br_fdb.c +++ b/net/bridge/br_fdb.c

Instead of issuing (0) statements when !CONFIG_SYSFS which will cause 'warning: ', we'll use inline statements instead. This will effectively do the same thing, but suppress any unnecessary warnings. Cc: Stephen Hemminger <shemminger at vyatta.com> Cc: bridge at lists.linux-foundation.org Cc: netdev at vger.kernel.org Signed-off-by: Lee Jones <lee.jones at linaro.org> ---

On Mon, Mar 27, 2023 at 05:31:26PM +0200, Hans Schultz wrote: > On Mon, Mar 27, 2023 at 14:52, Vladimir Oltean <olteanv at gmail.com> wrote: > > > > By the way, there is a behavior change here. > > > > Before: > > > > $ ip link add br0 type bridge && ip link set br0 up > > $ ip link set swp0 master br0 && ip link set swp0 up >

From: Cong Wang <amwang at redhat.com> V5: fix two bugs pointed out by Thomas remove seq check for now, mark it as TODO V4: remove some useless #include some coding style fix V3: drop debugging printk's update selinux perm table as well V2: drop patch 1/2, export ifindex directly Redesign netlink attributes Improve netlink seq check Handle IPv6 addr as well

Hi, The attached patches enables the bridge to filter and forward packets according to their IEEE 802.1q headers. The goals behind this change include : - Enable running STP on 802.1q tagged networks. STP packets must be untagged. It isn't obvious how else to enable STP with the current bridge and vlan code. - Add native support for an untagged vlan. Currently an untagged vlan can

The following series adds 2 new flags to bridge. One flag allows the user to control whether mac learning is performed on the interface or not. By default mac learning is on. The other flag allows the user to control whether unicast traffic is flooded (send without an fdb) to a given unicast port. Default is on. Changes since v4: - Implemented Stephen's suggestions. Changes since v2: -

V3: drop debugging printk's update selinux perm table as well V2: drop patch 1/2, export ifindex directly Redesign netlink attributes Improve netlink seq check Handle IPv6 addr as well This patch exports bridge multicast database via netlink message type RTM_GETMDB. Similar to fdb, but currently bridge-specific. We may need to support modify multicast database too