From owner-dev-commits-src-branches@freebsd.org Mon Feb 22 08:37:52 2021 Return-Path: Delivered-To: dev-commits-src-branches@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 5697654D272; Mon, 22 Feb 2021 08:37:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4DkbD01C4Pz4nkB; Mon, 22 Feb 2021 08:37:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 1C2F222A0B; Mon, 22 Feb 2021 08:37:52 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 11M8bqij094980; Mon, 22 Feb 2021 08:37:52 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 11M8bqrf094979; Mon, 22 Feb 2021 08:37:52 GMT (envelope-from git) Date: Mon, 22 Feb 2021 08:37:52 GMT Message-Id: <202102220837.11M8bqrf094979@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org From: Lutz Donnerhacke Subject: git: 8135f3f2fcd1 - stable/13 - netgraph/ng_bridge: Derive forwarding mode from first attached hook MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: donner X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: 8135f3f2fcd13feeba0362e59549ce3cb51d8c6e Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-branches@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commits to the stable branches of the FreeBSD src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Feb 2021 08:37:52 -0000 The branch stable/13 has been updated by donner: URL: https://cgit.FreeBSD.org/src/commit/?id=8135f3f2fcd13feeba0362e59549ce3cb51d8c6e commit 8135f3f2fcd13feeba0362e59549ce3cb51d8c6e Author: Lutz Donnerhacke AuthorDate: 2021-02-06 10:25:04 +0000 Commit: Lutz Donnerhacke CommitDate: 2021-02-22 08:21:04 +0000 netgraph/ng_bridge: Derive forwarding mode from first attached hook Handling of unknown MACs on an bridge with incomplete learning capabilites (aka uplink ports) can be defined in different ways. The classical approach is to broadcast unicast frames send to an unknown MAC, because the unknown devices can be everywhere. This mode is default for ng_bridge(4). In the case of dedicated uplink ports, which prohibit learning of MAC addresses in order to save memory and CPU cycles, the broadcast approach is dangerous. All traffic to the uplink port is broadcasted to every downlink port, too. In this case, it's better to restrict the distribution of frames to unknown MAC to the uplink ports only. In order to keep the chance small and the handling as natural as possible, the first attached link is used to determine the behaviour of the bridge: If it is an "uplink" port, then the bridge switch from classical mode to restricted mode. Reviewed By: kp Differential Revision: https://reviews.freebsd.org/D28487 (cherry picked from commit c869d905baa4e329dfd6793e7487b5985248ddb6) --- share/man/man4/ng_bridge.4 | 16 ++++++++++++++++ sys/netgraph/ng_bridge.c | 8 ++++++-- 2 files changed, 22 insertions(+), 2 deletions(-) diff --git a/share/man/man4/ng_bridge.4 b/share/man/man4/ng_bridge.4 index b5937375e87a..1451773711e9 100644 --- a/share/man/man4/ng_bridge.4 +++ b/share/man/man4/ng_bridge.4 @@ -109,6 +109,22 @@ hook of the bridge, and ignore the complexity of the outside world. Frames with unknown MACs are always sent out to .Dv uplink hooks, so no functionality is lost. +.Pp +Frames with unknown destination MAC addresses are replicated to any +available hook, unless the first connected hook is an +.Ar uplink +hook. +In this case the node assumes, that all unknown MAC addresses are +located soley on the +.Ar uplink +hooks and only those hooks will be used to send out frames with +unknown destination MACs. +If the first connected hook is an +.Ar link +hook, the node will replicate such frames to all types of hooks, +even if +.Ar uplink +hooks are connected later. .Sh CONTROL MESSAGES This node type supports the generic control messages, plus the following: diff --git a/sys/netgraph/ng_bridge.c b/sys/netgraph/ng_bridge.c index a21da545e210..ed08020ead70 100644 --- a/sys/netgraph/ng_bridge.c +++ b/sys/netgraph/ng_bridge.c @@ -105,7 +105,8 @@ struct ng_bridge_private { u_int numBuckets; /* num buckets in table */ u_int hashMask; /* numBuckets - 1 */ int numLinks; /* num connected links */ - int persistent; /* can exist w/o hooks */ + unsigned int persistent : 1, /* can exist w/o hooks */ + sendUnknown : 1;/* links receive unknowns by default */ struct callout timer; /* one second periodic timer */ }; typedef struct ng_bridge_private *priv_p; @@ -309,6 +310,7 @@ ng_bridge_constructor(node_p node) priv->conf.loopTimeout = DEFAULT_LOOP_TIMEOUT; priv->conf.maxStaleness = DEFAULT_MAX_STALENESS; priv->conf.minStableAge = DEFAULT_MIN_STABLE_AGE; + priv->sendUnknown = 1; /* classic bridge */ /* * This node has all kinds of stuff that could be screwed by SMP. @@ -371,9 +373,11 @@ ng_bridge_newhook(node_p node, hook_p hook, const char *name) if (isUplink) { link->learnMac = 0; link->sendUnknown = 1; + if (priv->numLinks == 0) /* if the first link is an uplink */ + priv->sendUnknown = 0; /* switch to restrictive mode */ } else { link->learnMac = 1; - link->sendUnknown = 1; + link->sendUnknown = priv->sendUnknown; } NG_HOOK_SET_PRIVATE(hook, link);