From patchwork Thu Sep 29 15:21:37 2022
X-Patchwork-Submitter: Hans Schultz
X-Patchwork-Id: 12994228
From: Hans Schultz To: davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, Hans Schultz , Florian Fainelli , Andrew Lunn , Vivien Didelot , Vladimir Oltean , Eric Dumazet , Paolo Abeni , Kurt Kanzenbach , Hauke Mehrtens , Woojung Huh , UNGLinuxDriver@microchip.com, Sean Wang , Landen Chao , DENG Qingfang , Matthias Brugger , Claudiu Manoil , Alexandre Belloni , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Russell King , Christian Marangi , Daniel Borkmann , Yuwei Wang , Petr Machata , Ido Schimmel , Florent Fourcot , Hans Schultz , Joachim Wiberg , Amit Cohen , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature Date: Thu, 29 Sep 2022 17:21:37 +0200 Message-Id: <20220929152137.167626-2-netdev@kapio-technology.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220929152137.167626-1-netdev@kapio-technology.com> References: <20220929152137.167626-1-netdev@kapio-technology.com> MIME-Version: 1.0 Organization: Westermo Network Technologies AB Precedence: bulk List-ID: X-Mailing-List: linux-kselftest@vger.kernel.org Block traffic to a specific host with the command: bridge fdb add vlan dev br0 blackhole The blackhole FDB entries can be added, deleted and replaced with ordinary FDB entries. Signed-off-by: Hans Schultz --- bridge/fdb.c | 7 ++++++- include/uapi/linux/neighbour.h | 4 ++++ man/man8/bridge.8 | 6 ++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/bridge/fdb.c b/bridge/fdb.c index 0fbe9bd3..2160f1c2 100644 --- a/bridge/fdb.c +++ b/bridge/fdb.c 
@@ -38,7 +38,7 @@ static void usage(void) fprintf(stderr, "Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n" " [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n" - " [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n" + " [ sticky ] [ local | static | dynamic ] [blackhole] [ vlan VID ]\n" " { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n" " [ via DEV ] [ src_vni VNI ]\n" " bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n" @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags) if (flags & NTF_STICKY) print_string(PRINT_ANY, NULL, "%s ", "sticky"); + if (ext_flags & NTF_EXT_BLACKHOLE) + print_string(PRINT_ANY, NULL, "%s ", "blackhole"); + if (ext_flags & NTF_EXT_LOCKED) print_string(PRINT_ANY, NULL, "%s ", "locked"); @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv) req.ndm.ndm_flags |= NTF_EXT_LEARNED; } else if (matches(*argv, "sticky") == 0) { req.ndm.ndm_flags |= NTF_STICKY; + } else if (matches(*argv, "blackhole") == 0) { + ext_flags |= NTF_EXT_BLACKHOLE; } else { if (strcmp(*argv, "to") == 0) NEXT_ARG(); diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h index 4dda051b..cc7d540e 100644 --- a/include/uapi/linux/neighbour.h +++ b/include/uapi/linux/neighbour.h @@ -54,6 +54,7 @@ enum { /* Extended flags under NDA_FLAGS_EXT: */ #define NTF_EXT_MANAGED (1 << 0) #define NTF_EXT_LOCKED (1 << 1) +#define NTF_EXT_BLACKHOLE (1 << 2) /* * Neighbor Cache Entry States. @@ -91,6 +92,9 @@ enum { * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the * locked port feature, that ensures that an entry exists while at the same * time dropping packets on ingress with src MAC and VID matching the entry. + * + * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed + * from any port to the destination MAC, VID pair associated with it. */ struct nda_cacheinfo { 
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8 index 40250477..af2e7db2 100644 --- a/man/man8/bridge.8 +++ b/man/man8/bridge.8 @@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age such an entry. - this entry will not change its port due to learning. .sp +.B blackhole +- this is an entry that denies all forwarding from any port to a destination +matching the entry. It can be added by userspace, but the flag is mostly set +from a hardware driver. +.sp + .in -8 The next command line parameters apply only when the specified device
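Review bot: in the usage() hunk of bridge/fdb.c the new token is written `[blackhole]` without the inner spaces, unlike `[ sticky ]` and `[ vlan VID ]` on the same line; write it as `[ blackhole ]` so the usage text stays consistent.

Review bot: the fdb_modify() hunk does `ext_flags |= NTF_EXT_BLACKHOLE;`, but the visible context shows neither where `ext_flags` is declared nor where it is attached to the request as an NDA_FLAGS_EXT attribute; please confirm that the surrounding code emits the attribute whenever `ext_flags` is non-zero, otherwise the `blackhole` keyword is parsed and then silently dropped on the wire.

Review bot: the `#define NTF_EXT_BLACKHOLE (1 << 2)` hunk hand-edits the copied kernel UAPI header in include/uapi/linux/neighbour.h; iproute2 normally takes these through a headers sync from the kernel tree, so either make this the sync commit or state in the commit message that the value matches what the kernel side accepts, since a mismatch here would make `bridge` set the wrong bit.

Review bot: the NTF_EXT_BLACKHOLE comment hunk says "no forwarding is allowed" to the MAC, VID pair; saying explicitly that frames to that destination are blocked (as the commit message's "Block traffic to a specific host" does) rather than leaving the reader to infer what happens to them would make the semantics unambiguous.

Review bot: the bridge.8 hunk adds a trailing empty `+` line after its `.sp`, which the entries above it do not have (the original goes straight from `.sp` to `.in -8`); drop it. The description could also carry the commit message's point that a blackhole entry can be deleted or replaced with an ordinary FDB entry, which a reader of the man page cannot otherwise learn.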