
[iproute2-next,2/2] bridge: fdb: enable FDB blackhole feature

Message ID 20220929152137.167626-2-netdev@kapio-technology.com (mailing list archive)
State New
Series [iproute2-next,1/2] bridge: link: enable MacAuth/MAB feature | expand

Commit Message

Hans Schultz Sept. 29, 2022, 3:21 p.m. UTC
Block traffic to a specific host with the command:
bridge fdb add <MAC> vlan <vid> dev br0 blackhole

The blackhole FDB entries can be added, deleted and replaced with
ordinary FDB entries.

Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
---
 bridge/fdb.c                   | 7 ++++++-
 include/uapi/linux/neighbour.h | 4 ++++
 man/man8/bridge.8              | 6 ++++++
 3 files changed, 16 insertions(+), 1 deletion(-)

Comments

Stephen Hemminger Sept. 29, 2022, 3:43 p.m. UTC | #1
On Thu, 29 Sep 2022 17:21:37 +0200
Hans Schultz <netdev@kapio-technology.com> wrote:

>  
> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>  		} else if (matches(*argv, "sticky") == 0) {
>  			req.ndm.ndm_flags |= NTF_STICKY;
> +		} else if (matches(*argv, "blackhole") == 0) {
> +			ext_flags |= NTF_EXT_BLACKHOLE;
>  		} else {
>  			if (strcmp(*argv, "to") == 0)
>  				NEXT_ARG();

The parsing of flags is weird here, most of the flags are compared with strcmp()
but some use matches()..  I should have used strcmp() all the time; but at the
time did not realize what kind of confusion matches() can cause.
Hans Schultz Sept. 29, 2022, 4:14 p.m. UTC | #2
On 2022-09-29 17:43, Stephen Hemminger wrote:
> On Thu, 29 Sep 2022 17:21:37 +0200
> Hans Schultz <netdev@kapio-technology.com> wrote:
> 
>> 
>> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int 
>> argc, char **argv)
>>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>>  		} else if (matches(*argv, "sticky") == 0) {
>>  			req.ndm.ndm_flags |= NTF_STICKY;
>> +		} else if (matches(*argv, "blackhole") == 0) {
>> +			ext_flags |= NTF_EXT_BLACKHOLE;
>>  		} else {
>>  			if (strcmp(*argv, "to") == 0)
>>  				NEXT_ARG();
> 
> The parsing of flags is weird here, most of the flags are compared with 
> strcmp()
> but some use matches()..  I should have used strcmp() all the time; but 
> at the
> time did not realize what kind of confusion matches() can cause.

Maybe just change all of them then, and then how about using strncmp() 
and maybe also strnlen() instead?
Ido Schimmel Oct. 1, 2022, 3:38 p.m. UTC | #3
On Thu, Sep 29, 2022 at 05:21:37PM +0200, Hans Schultz wrote:
> Block traffic to a specific host with the command:
> bridge fdb add <MAC> vlan <vid> dev br0 blackhole

Please add an example with regular and JSON output.

> 
> The blackhole FDB entries can be added, deleted and replaced with
> ordinary FDB entries.
> 
> Signed-off-by: Hans Schultz <netdev@kapio-technology.com>
> ---
>  bridge/fdb.c                   | 7 ++++++-
>  include/uapi/linux/neighbour.h | 4 ++++
>  man/man8/bridge.8              | 6 ++++++
>  3 files changed, 16 insertions(+), 1 deletion(-)
> 
> diff --git a/bridge/fdb.c b/bridge/fdb.c
> index 0fbe9bd3..2160f1c2 100644
> --- a/bridge/fdb.c
> +++ b/bridge/fdb.c
> @@ -38,7 +38,7 @@ static void usage(void)
>  	fprintf(stderr,
>  		"Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
>  		"              [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
> -		"              [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
> +		"              [ sticky ] [ local | static | dynamic ] [blackhole] [ vlan VID ]\n"

[ blackhole ]

>  		"              { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
>  		"	       [ via DEV ] [ src_vni VNI ]\n"
>  		"       bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
> @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
>  	if (flags & NTF_STICKY)
>  		print_string(PRINT_ANY, NULL, "%s ", "sticky");
>  
> +	if (ext_flags & NTF_EXT_BLACKHOLE)
> +		print_string(PRINT_ANY, NULL, "%s ", "blackhole");
> +
>  	if (ext_flags & NTF_EXT_LOCKED)
>  		print_string(PRINT_ANY, NULL, "%s ", "locked");
>  
> @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
>  			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
>  		} else if (matches(*argv, "sticky") == 0) {
>  			req.ndm.ndm_flags |= NTF_STICKY;
> +		} else if (matches(*argv, "blackhole") == 0) {
> +			ext_flags |= NTF_EXT_BLACKHOLE;
>  		} else {
>  			if (strcmp(*argv, "to") == 0)
>  				NEXT_ARG();
> diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
> index 4dda051b..cc7d540e 100644
> --- a/include/uapi/linux/neighbour.h
> +++ b/include/uapi/linux/neighbour.h
> @@ -54,6 +54,7 @@ enum {
>  /* Extended flags under NDA_FLAGS_EXT: */
>  #define NTF_EXT_MANAGED		(1 << 0)
>  #define NTF_EXT_LOCKED		(1 << 1)
> +#define NTF_EXT_BLACKHOLE	(1 << 2)
>  
>  /*
>   *	Neighbor Cache Entry States.
> @@ -91,6 +92,9 @@ enum {
>   * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
>   * locked port feature, that ensures that an entry exists while at the same
>   * time dropping packets on ingress with src MAC and VID matching the entry.
> + *
> + * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed
> + * from any port to the destination MAC, VID pair associated with it.
>   */
>  
>  struct nda_cacheinfo {
> diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
> index 40250477..af2e7db2 100644
> --- a/man/man8/bridge.8
> +++ b/man/man8/bridge.8
> @@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age such an entry.
>  - this entry will not change its port due to learning.
>  .sp

Need to patch the "SYNOPSIS" section as well

>  
> +.B blackhole
> +- this is an entry that denies all forwarding from any port to a destination
> +matching the entry. It can be added by userspace, but the flag is mostly set
> +from a hardware driver.

I'm not sure the last sentence belongs in the man page. We have no way
of knowing if it is true and it can change with time.

How about:

"this entry will silently discard all matching packets. The entry must
be added as a local permanent entry."

> +.sp
> +
>  .in -8
>  The next command line parameters apply only
>  when the specified device
> -- 
> 2.34.1
>
Hans Schultz Oct. 1, 2022, 9:37 p.m. UTC | #4
On 2022-10-01 17:38, Ido Schimmel wrote:

> 
> I'm not sure the last sentence belongs in the man page. We have no way
> of knowing if it is true and it can change with time.
> 
> How about:
> 
> "this entry will silently discard all matching packets. The entry must
> be added as a local permanent entry."
> 

Fine with me...
Hans Schultz Oct. 3, 2022, 6:23 p.m. UTC | #5
On 2022-10-01 17:38, Ido Schimmel wrote:
> 
> Need to patch the "SYNOPSIS" section as well
> 

Does this look right to you for the addition to the "SYNOPSIS"?...

bridge fdb { add | del } LLADR dev BRDEV [ self ] [ local ] [ blackhole ]

Patch

diff --git a/bridge/fdb.c b/bridge/fdb.c
index 0fbe9bd3..2160f1c2 100644
--- a/bridge/fdb.c
+++ b/bridge/fdb.c
@@ -38,7 +38,7 @@  static void usage(void)
 	fprintf(stderr,
 		"Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
 		"              [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
-		"              [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
+		"              [ sticky ] [ local | static | dynamic ] [blackhole] [ vlan VID ]\n"
 		"              { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
 		"	       [ via DEV ] [ src_vni VNI ]\n"
 		"       bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
@@ -116,6 +116,9 @@  static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
 	if (flags & NTF_STICKY)
 		print_string(PRINT_ANY, NULL, "%s ", "sticky");
 
+	if (ext_flags & NTF_EXT_BLACKHOLE)
+		print_string(PRINT_ANY, NULL, "%s ", "blackhole");
+
 	if (ext_flags & NTF_EXT_LOCKED)
 		print_string(PRINT_ANY, NULL, "%s ", "locked");
 
@@ -493,6 +496,8 @@  static int fdb_modify(int cmd, int flags, int argc, char **argv)
 			req.ndm.ndm_flags |= NTF_EXT_LEARNED;
 		} else if (matches(*argv, "sticky") == 0) {
 			req.ndm.ndm_flags |= NTF_STICKY;
+		} else if (matches(*argv, "blackhole") == 0) {
+			ext_flags |= NTF_EXT_BLACKHOLE;
 		} else {
 			if (strcmp(*argv, "to") == 0)
 				NEXT_ARG();
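Review bot: The new `blackhole` branch sets `ext_flags` but performs no client-side sanity check, so the keyword is accepted for every subcommand routed through fdb_modify (add, append, del, replace) and in any combination with the state keywords, and a request like `bridge fdb add <MAC> dev br0 blackhole dynamic` goes to the kernel as-is with the user left to interpret a bare errno. If the kernel only honours blackhole on a particular entry state (the man-page wording under discussion suggests permanent local entries, which I cannot confirm from this patch), a targeted diagnostic before the request is sent would be more useful, e.g. `if ((ext_flags & NTF_EXT_BLACKHOLE) && !(req.ndm.ndm_state & NUD_PERMANENT)) { fprintf(stderr, "blackhole entries must be permanent\n"); return -1; }`. Because a blackhole entry is a deny rule, a silently rejected or mis-stated entry leaves traffic flowing that the operator believes is blocked, so a clear failure matters more here than for an ordinary FDB entry. fdb_modify starts and ends outside this hunk, so where the default state is chosen and where `ext_flags` is packed into NDA_FLAGS_EXT is not visible here; the check would belong at that point rather than in this parsing branch.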
diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h
index 4dda051b..cc7d540e 100644
--- a/include/uapi/linux/neighbour.h
+++ b/include/uapi/linux/neighbour.h
@@ -54,6 +54,7 @@  enum {
 /* Extended flags under NDA_FLAGS_EXT: */
 #define NTF_EXT_MANAGED		(1 << 0)
 #define NTF_EXT_LOCKED		(1 << 1)
+#define NTF_EXT_BLACKHOLE	(1 << 2)
 
 /*
  *	Neighbor Cache Entry States.
@@ -91,6 +92,9 @@  enum {
  * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the
  * locked port feature, that ensures that an entry exists while at the same
  * time dropping packets on ingress with src MAC and VID matching the entry.
+ *
+ * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed
+ * from any port to the destination MAC, VID pair associated with it.
  */
 
 struct nda_cacheinfo {
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index 40250477..af2e7db2 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -699,6 +699,12 @@  controller learnt dynamic entry. Kernel will not age such an entry.
 - this entry will not change its port due to learning.
 .sp
 
+.B blackhole
+- this is an entry that denies all forwarding from any port to a destination
+matching the entry. It can be added by userspace, but the flag is mostly set
+from a hardware driver.
+.sp
+
 .in -8
 The next command line parameters apply only
 when the specified device