Received: by 2002:a05:6359:c8b:b0:c7:702f:21d4 with SMTP id go11csp2356205rwb; Thu, 29 Sep 2022 09:10:28 -0700 (PDT) X-Google-Smtp-Source: AMsMyM540S4Ow/x+5+OAfQHSaNtefpi1vk8IgYc3aw7d4zfNS0dhMB7m+A7xIRA/YBNf1blKdFG3 X-Received: by 2002:a05:6402:1f84:b0:455:27b8:27aa with SMTP id c4-20020a0564021f8400b0045527b827aamr3975699edc.243.1664467828078; Thu, 29 Sep 2022 09:10:28 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1664467828; cv=none; d=google.com; s=arc-20160816; b=g/xYnF0SdEyGVDrU4sjh74KrKpYv9UMuWgWzSynK0t7JwS1QHijTktaMh9zvZLaxN0 JaW5VwhTd46OuVZNi9jt5jqPO5V9RcRY9D9qiaVmr3yoqCRf1pYBPNekhvrxvK46m3FP 4w8u8r2+LmUUN4nLU/7vd5JGMmBpEt8POz3COjXfCPT5jnIA2rxMKpVm6FKKi90CTRHe VRJwoFh60EhbYwiovOVYjtU82UDRlGl+dsmgAzEkewddbW0sSR3GYEMhQw/qAxIwzMZz ss9o4LrTv7Ng4yeI/WG+JvF1tD1iq6OpZys51CDk2Tl6lJhQSdSL6f4E/t0trcYFFbkP Yn1w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:organization :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from; bh=AVezsC6ZmeLiUL5Pzy7zCQZR72/k7mmP1SOZlNAVJ+4=; b=h4dkFoy+cG0tQ/1iRGbg1Rk/GYXMJgDiv/P9kFbdldEm5jQXm2zKIqs7j7N40Kvo/P eNbCOYr6Bq5sFiUMofy7vkIE/3k0l9kf3tXmmLoR6SLPm1ToAQcMbxO6rPOpu91Clnvi tQLhL67u5OE80D/qLvTxvWHZFHusA03WTSbx8H+GgQRzj0XT7dDIDXm+9QUfZgYrOy8U WakrSfHD+YM89VajiPxpnEmNFPeNEO+p4O6NkwUCJ7fa0QAMPNV82dQKnD1hlWF5W1+8 uD58DBIur0opWuTwyogXas6rRvWhhwo8LBCNfPF5jkpZ2rlr/+qy7iIu1d0bFZket475 mivw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v13-20020a056402348d00b00457c7c790e2si9075740edc.484.2022.09.29.09.10.02; Thu, 29 Sep 2022 09:10:28 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235930AbiI2PZM (ORCPT + 99 others); Thu, 29 Sep 2022 11:25:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57694 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235808AbiI2PZE (ORCPT ); Thu, 29 Sep 2022 11:25:04 -0400 Received: from mailout-taastrup.gigahost.dk (mailout-taastrup.gigahost.dk [46.183.139.199]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 21E8E380; Thu, 29 Sep 2022 08:24:54 -0700 (PDT) Received: from mailout.gigahost.dk (mailout.gigahost.dk [89.186.169.112]) by mailout-taastrup.gigahost.dk (Postfix) with ESMTP id CF1A418847F4; Thu, 29 Sep 2022 15:24:52 +0000 (UTC) Received: from smtp.gigahost.dk (smtp.gigahost.dk [89.186.169.109]) by mailout.gigahost.dk (Postfix) with ESMTP id C88282500370; Thu, 29 Sep 2022 15:24:52 +0000 (UTC) Received: by smtp.gigahost.dk (Postfix, from userid 1000) id B9CA99EC0007; Thu, 29 Sep 2022 15:24:52 +0000 (UTC) X-Screener-Id: 413d8c6ce5bf6eab4824d0abaab02863e8e3f662 Received: from fujitsu.vestervang (2-104-116-184-cable.dk.customer.tdc.net [2.104.116.184]) by smtp.gigahost.dk (Postfix) with ESMTPSA id E30C09120FED; Thu, 29 Sep 2022 15:24:51 +0000 (UTC) From: Hans Schultz To: davem@davemloft.net, kuba@kernel.org Cc: netdev@vger.kernel.org, Hans Schultz , Florian Fainelli , Andrew Lunn , Vivien Didelot , Vladimir Oltean , Eric Dumazet , Paolo Abeni , Kurt Kanzenbach , Hauke Mehrtens , Woojung Huh , UNGLinuxDriver@microchip.com, Sean Wang , Landen Chao , DENG Qingfang , Matthias Brugger , Claudiu Manoil , Alexandre Belloni , Jiri Pirko , Ivan Vecera , Roopa Prabhu , Nikolay Aleksandrov , Shuah Khan , Russell King , Christian Marangi , Daniel Borkmann , Yuwei Wang , Petr Machata , Ido Schimmel , Florent Fourcot , Hans Schultz , Joachim Wiberg , Amit Cohen , linux-kernel@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-mediatek@lists.infradead.org, bridge@lists.linux-foundation.org, linux-kselftest@vger.kernel.org Subject: [PATCH iproute2-next 2/2] bridge: fdb: enable FDB blackhole feature Date: Thu, 29 Sep 2022 17:21:37 +0200 Message-Id: <20220929152137.167626-2-netdev@kapio-technology.com> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20220929152137.167626-1-netdev@kapio-technology.com> References: <20220929152137.167626-1-netdev@kapio-technology.com> MIME-Version: 1.0 Organization: Westermo Network Technologies AB Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Block traffic to a specific host with the command: bridge fdb add vlan dev br0 blackhole The blackhole FDB entries can be added, deleted and replaced with ordinary FDB entries. Signed-off-by: Hans Schultz --- bridge/fdb.c | 7 ++++++- include/uapi/linux/neighbour.h | 4 ++++ man/man8/bridge.8 | 6 ++++++ 3 files changed, 16 insertions(+), 1 deletion(-) diff --git a/bridge/fdb.c b/bridge/fdb.c index 0fbe9bd3..2160f1c2 100644 --- a/bridge/fdb.c +++ b/bridge/fdb.c @@ -38,7 +38,7 @@ static void usage(void) fprintf(stderr, "Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n" " [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n" - " [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n" + " [ sticky ] [ local | static | dynamic ] [blackhole] [ vlan VID ]\n" " { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n" " [ via DEV ] [ src_vni VNI ]\n" " bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n" @@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags) if (flags & NTF_STICKY) print_string(PRINT_ANY, NULL, "%s ", "sticky"); + if (ext_flags & NTF_EXT_BLACKHOLE) + print_string(PRINT_ANY, NULL, "%s ", "blackhole"); + if (ext_flags & NTF_EXT_LOCKED) print_string(PRINT_ANY, NULL, "%s ", "locked"); @@ -493,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv) req.ndm.ndm_flags |= NTF_EXT_LEARNED; } else if (matches(*argv, "sticky") == 0) { req.ndm.ndm_flags |= NTF_STICKY; + } else if (matches(*argv, "blackhole") == 0) { + ext_flags |= NTF_EXT_BLACKHOLE; } else { if (strcmp(*argv, "to") == 0) NEXT_ARG(); diff --git a/include/uapi/linux/neighbour.h b/include/uapi/linux/neighbour.h index 4dda051b..cc7d540e 100644 --- a/include/uapi/linux/neighbour.h +++ b/include/uapi/linux/neighbour.h @@ -54,6 +54,7 @@ enum { /* Extended flags under NDA_FLAGS_EXT: */ #define NTF_EXT_MANAGED (1 << 0) #define NTF_EXT_LOCKED (1 << 1) +#define NTF_EXT_BLACKHOLE (1 << 2) /* * Neighbor Cache Entry States. @@ -91,6 +92,9 @@ enum { * NTF_EXT_LOCKED flagged FDB entries are placeholder entries used with the * locked port feature, that ensures that an entry exists while at the same * time dropping packets on ingress with src MAC and VID matching the entry. + * + * NTF_EXT_BLACKHOLE flagged FDB entries ensure that no forwarding is allowed + * from any port to the destination MAC, VID pair associated with it. */ struct nda_cacheinfo { diff --git a/man/man8/bridge.8 b/man/man8/bridge.8 index 40250477..af2e7db2 100644 --- a/man/man8/bridge.8 +++ b/man/man8/bridge.8 @@ -699,6 +699,12 @@ controller learnt dynamic entry. Kernel will not age such an entry. - this entry will not change its port due to learning. .sp +.B blackhole +- this is an entry that denies all forwarding from any port to a destination +matching the entry. It can be added by userspace, but the flag is mostly set +from a hardware driver. +.sp + .in -8 The next command line parameters apply only when the specified device -- 2.34.1