diff options
| author | David S. Miller <davem@davemloft.net> | 2013-10-18 16:03:03 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2013-10-18 16:03:03 -0400 |
| commit | b8bde1c4f94908ce8e3c0434fb369a00e9217497 (patch) | |
| tree | 3db8a5398a20be4884b5fb753626331e43d35dc9 | |
| parent | 4b6c7879d84ad06a2ac5b964808ed599187a188d (diff) | |
| parent | dfb5fa32c66496a53ec6a45302d902416b51ade2 (diff) | |
Merge branch 'bridge_pvid'
Toshiaki Makita says:
====================
bridge: Fix problems around the PVID
There seem to be some undesirable behaviors related with PVID.
1. It has no effect assigning PVID to a port. PVID cannot be applied
to any frame regardless of whether we set it or not.
2. FDB entries learned via frames applied PVID are registered with
VID 0 rather than VID value of PVID.
3. We can set 0 or 4095 as a PVID that are not allowed in IEEE 802.1Q.
This leads interoperational problems such as sending frames with VID
4095, which is not allowed in IEEE 802.1Q, and treating frames with VID
0 as they belong to VLAN 0, which is expected to be handled as they have
no VID according to IEEE 802.1Q.
Note: 2nd and 3rd problems are potential and not exposed unless 1st problem
is fixed, because we cannot activate PVID due to it.
This is my analysis for each behavior.
1. We are using VLAN_TAG_PRESENT bit when getting PVID, and not when
adding/deleting PVID.
It can be fixed in either way using or not using VLAN_TAG_PRESENT,
but I think the latter is slightly more efficient.
2. We are setting skb->vlan_tci with the value of PVID but the variable
vid, which is used in FDB later, is set to 0 at br_allowed_ingress()
when untagged frames arrive at a port with PVID valid. I'm afraid that
vid should be updated to the value of PVID if PVID is valid.
3. According to IEEE 802.1Q-2011 (6.9.1 and Table 9-2), we cannot use
VID 0 or 4095 as a PVID.
It looks like that there are more stuff to consider.
- VID 0:
VID 0 shall not be configured in any FDB entry and used in a tag header
to indicate it is a 802.1p priority-tagged frame.
Priority-tagged frames should be applied PVID (from IEEE 802.1Q 6.9.1).
In my opinion, since we can filter incomming priority-tagged frames by
deleting PVID, we don't need to filter them by vlan_bitmap.
In other words, priority-tagged frames don't have VID 0 but have no VID,
which is the same as untagged frames, and should be filtered by unsetting
PVID.
So, not only we cannot set PVID as 0, but also we don't need to add 0 to
vlan_bitmap, which enables us to simply forbid to add vlan 0.
- VID 4095:
VID 4095 shall not be transmitted in a tag header. This VID value may be
used to indicate a wildcard match for the VID in management operations or
FDB entries (from IEEE 802.1Q Table 9-2).
In current implementation, we can create a static FDB entry with all
existing VIDs by not specifying any VID when creating it.
I don't think this way to add wildcard-like entries needs to change,
and VID 4095 looks no use and can be unacceptable to add.
Consequently, I believe what we should do for 3rd problem is below:
- Not allowing VID 0 and 4095 to be added.
- Applying PVID to priority-tagged (VID 0) frames.
Note: It has been descovered that another problem related to priority-tags
remains. If we use vlan 0 interface such as eth0.0, we cannot communicate
with another end station via a linux bridge.
This problem exists regardless of whether this patch set is applied or not
because we might receive untagged frames from another end station even if we
are sending priority-tagged frames.
This issue will be addressed by another patch set introducing an additional
egress policy, on which Vlad Yasevich is working.
See http://marc.info/?t=137880893800001&r=1&w=2 for detailed discussion.
Patch set follows this mail.
The order of patches is not the same as described above, because the way
to fix 1st problem is based on the assumption that we don't use VID 0 as
a PVID, which is realized by fixing 3rd problem.
(1/4)(2/4): Fix 3rd problem.
(3/4): Fix 1st problem.
(4/4): Fix 2nd probelm.
v2:
- Add descriptions about the problem related to priority-tags in cover letter.
- Revise patch comments to reference the newest spec.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/bridge/br_fdb.c | 4 | ||||
| -rw-r--r-- | net/bridge/br_netlink.c | 2 | ||||
| -rw-r--r-- | net/bridge/br_private.h | 4 | ||||
| -rw-r--r-- | net/bridge/br_vlan.c | 125 |
4 files changed, 71 insertions, 64 deletions
diff --git a/net/bridge/br_fdb.c b/net/bridge/br_fdb.c index ffd5874f2592..33e8f23acddd 100644 --- a/net/bridge/br_fdb.c +++ b/net/bridge/br_fdb.c | |||
| @@ -700,7 +700,7 @@ int br_fdb_add(struct ndmsg *ndm, struct nlattr *tb[], | |||
| 700 | 700 | ||
| 701 | vid = nla_get_u16(tb[NDA_VLAN]); | 701 | vid = nla_get_u16(tb[NDA_VLAN]); |
| 702 | 702 | ||
| 703 | if (vid >= VLAN_N_VID) { | 703 | if (!vid || vid >= VLAN_VID_MASK) { |
| 704 | pr_info("bridge: RTM_NEWNEIGH with invalid vlan id %d\n", | 704 | pr_info("bridge: RTM_NEWNEIGH with invalid vlan id %d\n", |
| 705 | vid); | 705 | vid); |
| 706 | return -EINVAL; | 706 | return -EINVAL; |
| @@ -794,7 +794,7 @@ int br_fdb_delete(struct ndmsg *ndm, struct nlattr *tb[], | |||
| 794 | 794 | ||
| 795 | vid = nla_get_u16(tb[NDA_VLAN]); | 795 | vid = nla_get_u16(tb[NDA_VLAN]); |
| 796 | 796 | ||
| 797 | if (vid >= VLAN_N_VID) { | 797 | if (!vid || vid >= VLAN_VID_MASK) { |
| 798 | pr_info("bridge: RTM_NEWNEIGH with invalid vlan id %d\n", | 798 | pr_info("bridge: RTM_NEWNEIGH with invalid vlan id %d\n", |
| 799 | vid); | 799 | vid); |
| 800 | return -EINVAL; | 800 | return -EINVAL; |
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c index e74ddc1c29a8..f75d92e4f96b 100644 --- a/net/bridge/br_netlink.c +++ b/net/bridge/br_netlink.c | |||
| @@ -243,7 +243,7 @@ static int br_afspec(struct net_bridge *br, | |||
| 243 | 243 | ||
| 244 | vinfo = nla_data(tb[IFLA_BRIDGE_VLAN_INFO]); | 244 | vinfo = nla_data(tb[IFLA_BRIDGE_VLAN_INFO]); |
| 245 | 245 | ||
| 246 | if (vinfo->vid >= VLAN_N_VID) | 246 | if (!vinfo->vid || vinfo->vid >= VLAN_VID_MASK) |
| 247 | return -EINVAL; | 247 | return -EINVAL; |
| 248 | 248 | ||
| 249 | switch (cmd) { | 249 | switch (cmd) { |
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index efb57d911569..7ca2ae45b2d5 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h | |||
| @@ -643,9 +643,7 @@ static inline u16 br_get_pvid(const struct net_port_vlans *v) | |||
| 643 | * vid wasn't set | 643 | * vid wasn't set |
| 644 | */ | 644 | */ |
| 645 | smp_rmb(); | 645 | smp_rmb(); |
| 646 | return (v->pvid & VLAN_TAG_PRESENT) ? | 646 | return v->pvid ?: VLAN_N_VID; |
| 647 | (v->pvid & ~VLAN_TAG_PRESENT) : | ||
| 648 | VLAN_N_VID; | ||
| 649 | } | 647 | } |
| 650 | 648 | ||
| 651 | #else | 649 | #else |
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c index 9a9ffe7e4019..53f0990eab58 100644 --- a/net/bridge/br_vlan.c +++ b/net/bridge/br_vlan.c | |||
| @@ -45,37 +45,34 @@ static int __vlan_add(struct net_port_vlans *v, u16 vid, u16 flags) | |||
| 45 | return 0; | 45 | return 0; |
| 46 | } | 46 | } |
| 47 | 47 | ||
| 48 | if (vid) { | 48 | if (v->port_idx) { |
| 49 | if (v->port_idx) { | 49 | p = v->parent.port; |
| 50 | p = v->parent.port; | 50 | br = p->br; |
| 51 | br = p->br; | 51 | dev = p->dev; |
| 52 | dev = p->dev; | 52 | } else { |
| 53 | } else { | 53 | br = v->parent.br; |
| 54 | br = v->parent.br; | 54 | dev = br->dev; |
| 55 | dev = br->dev; | 55 | } |
| 56 | } | 56 | ops = dev->netdev_ops; |
| 57 | ops = dev->netdev_ops; | 57 | |
| 58 | 58 | if (p && (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) { | |
| 59 | if (p && (dev->features & NETIF_F_HW_VLAN_CTAG_FILTER)) { | 59 | /* Add VLAN to the device filter if it is supported. |
| 60 | /* Add VLAN to the device filter if it is supported. | 60 | * Stricly speaking, this is not necessary now, since |
| 61 | * Stricly speaking, this is not necessary now, since | 61 | * devices are made promiscuous by the bridge, but if |
| 62 | * devices are made promiscuous by the bridge, but if | 62 | * that ever changes this code will allow tagged |
| 63 | * that ever changes this code will allow tagged | 63 | * traffic to enter the bridge. |
| 64 | * traffic to enter the bridge. | 64 | */ |
| 65 | */ | 65 | err = ops->ndo_vlan_rx_add_vid(dev, htons(ETH_P_8021Q), |
| 66 | err = ops->ndo_vlan_rx_add_vid(dev, htons(ETH_P_8021Q), | 66 | vid); |
| 67 | vid); | 67 | if (err) |
| 68 | if (err) | 68 | return err; |
| 69 | return err; | 69 | } |
| 70 | } | ||
| 71 | |||
| 72 | err = br_fdb_insert(br, p, dev->dev_addr, vid); | ||
| 73 | if (err) { | ||
| 74 | br_err(br, "failed insert local address into bridge " | ||
| 75 | "forwarding table\n"); | ||
| 76 | goto out_filt; | ||
| 77 | } | ||
| 78 | 70 | ||
| 71 | err = br_fdb_insert(br, p, dev->dev_addr, vid); | ||
| 72 | if (err) { | ||
| 73 | br_err(br, "failed insert local address into bridge " | ||
| 74 | "forwarding table\n"); | ||
| 75 | goto out_filt; | ||
| 79 | } | 76 | } |
| 80 | 77 | ||
| 81 | set_bit(vid, v->vlan_bitmap); | 78 | set_bit(vid, v->vlan_bitmap); |
| @@ -98,7 +95,7 @@ static int __vlan_del(struct net_port_vlans *v, u16 vid) | |||
| 98 | __vlan_delete_pvid(v, vid); | 95 | __vlan_delete_pvid(v, vid); |
| 99 | clear_bit(vid, v->untagged_bitmap); | 96 | clear_bit(vid, v->untagged_bitmap); |
| 100 | 97 | ||
| 101 | if (v->port_idx && vid) { | 98 | if (v->port_idx) { |
| 102 | struct net_device *dev = v->parent.port->dev; | 99 | struct net_device *dev = v->parent.port->dev; |
| 103 | const struct net_device_ops *ops = dev->netdev_ops; | 100 | const struct net_device_ops *ops = dev->netdev_ops; |
| 104 | 101 | ||
| @@ -192,6 +189,8 @@ out: | |||
| 192 | bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v, | 189 | bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v, |
| 193 | struct sk_buff *skb, u16 *vid) | 190 | struct sk_buff *skb, u16 *vid) |
| 194 | { | 191 | { |
| 192 | int err; | ||
| 193 | |||
| 195 | /* If VLAN filtering is disabled on the bridge, all packets are | 194 | /* If VLAN filtering is disabled on the bridge, all packets are |
| 196 | * permitted. | 195 | * permitted. |
| 197 | */ | 196 | */ |
| @@ -204,20 +203,32 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v, | |||
| 204 | if (!v) | 203 | if (!v) |
| 205 | return false; | 204 | return false; |
| 206 | 205 | ||
| 207 | if (br_vlan_get_tag(skb, vid)) { | 206 | err = br_vlan_get_tag(skb, vid); |
| 207 | if (!*vid) { | ||
| 208 | u16 pvid = br_get_pvid(v); | 208 | u16 pvid = br_get_pvid(v); |
| 209 | 209 | ||
| 210 | /* Frame did not have a tag. See if pvid is set | 210 | /* Frame had a tag with VID 0 or did not have a tag. |
| 211 | * on this port. That tells us which vlan untagged | 211 | * See if pvid is set on this port. That tells us which |
| 212 | * traffic belongs to. | 212 | * vlan untagged or priority-tagged traffic belongs to. |
| 213 | */ | 213 | */ |
| 214 | if (pvid == VLAN_N_VID) | 214 | if (pvid == VLAN_N_VID) |
| 215 | return false; | 215 | return false; |
| 216 | 216 | ||
| 217 | /* PVID is set on this port. Any untagged ingress | 217 | /* PVID is set on this port. Any untagged or priority-tagged |
| 218 | * frame is considered to belong to this vlan. | 218 | * ingress frame is considered to belong to this vlan. |
| 219 | */ | 219 | */ |
| 220 | __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), pvid); | 220 | *vid = pvid; |
| 221 | if (likely(err)) | ||
| 222 | /* Untagged Frame. */ | ||
| 223 | __vlan_hwaccel_put_tag(skb, htons(ETH_P_8021Q), pvid); | ||
| 224 | else | ||
| 225 | /* Priority-tagged Frame. | ||
| 226 | * At this point, We know that skb->vlan_tci had | ||
| 227 | * VLAN_TAG_PRESENT bit and its VID field was 0x000. | ||
| 228 | * We update only VID field and preserve PCP field. | ||
| 229 | */ | ||
| 230 | skb->vlan_tci |= pvid; | ||
| 231 | |||
| 221 | return true; | 232 | return true; |
| 222 | } | 233 | } |
| 223 | 234 | ||
| @@ -248,7 +259,9 @@ bool br_allowed_egress(struct net_bridge *br, | |||
| 248 | return false; | 259 | return false; |
| 249 | } | 260 | } |
| 250 | 261 | ||
| 251 | /* Must be protected by RTNL */ | 262 | /* Must be protected by RTNL. |
| 263 | * Must be called with vid in range from 1 to 4094 inclusive. | ||
| 264 | */ | ||
| 252 | int br_vlan_add(struct net_bridge *br, u16 vid, u16 flags) | 265 | int br_vlan_add(struct net_bridge *br, u16 vid, u16 flags) |
| 253 | { | 266 | { |
| 254 | struct net_port_vlans *pv = NULL; | 267 | struct net_port_vlans *pv = NULL; |
| @@ -278,7 +291,9 @@ out: | |||
| 278 | return err; | 291 | return err; |
| 279 | } | 292 | } |
| 280 | 293 | ||
| 281 | /* Must be protected by RTNL */ | 294 | /* Must be protected by RTNL. |
| 295 | * Must be called with vid in range from 1 to 4094 inclusive. | ||
| 296 | */ | ||
| 282 | int br_vlan_delete(struct net_bridge *br, u16 vid) | 297 | int br_vlan_delete(struct net_bridge *br, u16 vid) |
| 283 | { | 298 | { |
| 284 | struct net_port_vlans *pv; | 299 | struct net_port_vlans *pv; |
| @@ -289,14 +304,9 @@ int br_vlan_delete(struct net_bridge *br, u16 vid) | |||
| 289 | if (!pv) | 304 | if (!pv) |
| 290 | return -EINVAL; | 305 | return -EINVAL; |
| 291 | 306 | ||
| 292 | if (vid) { | 307 | spin_lock_bh(&br->hash_lock); |
| 293 | /* If the VID !=0 remove fdb for this vid. VID 0 is special | 308 | fdb_delete_by_addr(br, br->dev->dev_addr, vid); |
| 294 | * in that it's the default and is always there in the fdb. | 309 | spin_unlock_bh(&br->hash_lock); |
| 295 | */ | ||
| 296 | spin_lock_bh(&br->hash_lock); | ||
| 297 | fdb_delete_by_addr(br, br->dev->dev_addr, vid); | ||
| 298 | spin_unlock_bh(&br->hash_lock); | ||
| 299 | } | ||
| 300 | 310 | ||
| 301 | __vlan_del(pv, vid); | 311 | __vlan_del(pv, vid); |
| 302 | return 0; | 312 | return 0; |
| @@ -329,7 +339,9 @@ unlock: | |||
| 329 | return 0; | 339 | return 0; |
| 330 | } | 340 | } |
| 331 | 341 | ||
| 332 | /* Must be protected by RTNL */ | 342 | /* Must be protected by RTNL. |
| 343 | * Must be called with vid in range from 1 to 4094 inclusive. | ||
| 344 | */ | ||
| 333 | int nbp_vlan_add(struct net_bridge_port *port, u16 vid, u16 flags) | 345 | int nbp_vlan_add(struct net_bridge_port *port, u16 vid, u16 flags) |
| 334 | { | 346 | { |
| 335 | struct net_port_vlans *pv = NULL; | 347 | struct net_port_vlans *pv = NULL; |
| @@ -363,7 +375,9 @@ clean_up: | |||
| 363 | return err; | 375 | return err; |
| 364 | } | 376 | } |
| 365 | 377 | ||
| 366 | /* Must be protected by RTNL */ | 378 | /* Must be protected by RTNL. |
| 379 | * Must be called with vid in range from 1 to 4094 inclusive. | ||
| 380 | */ | ||
| 367 | int nbp_vlan_delete(struct net_bridge_port *port, u16 vid) | 381 | int nbp_vlan_delete(struct net_bridge_port *port, u16 vid) |
| 368 | { | 382 | { |
| 369 | struct net_port_vlans *pv; | 383 | struct net_port_vlans *pv; |
| @@ -374,14 +388,9 @@ int nbp_vlan_delete(struct net_bridge_port *port, u16 vid) | |||
| 374 | if (!pv) | 388 | if (!pv) |
| 375 | return -EINVAL; | 389 | return -EINVAL; |
| 376 | 390 | ||
| 377 | if (vid) { | 391 | spin_lock_bh(&port->br->hash_lock); |
| 378 | /* If the VID !=0 remove fdb for this vid. VID 0 is special | 392 | fdb_delete_by_addr(port->br, port->dev->dev_addr, vid); |
| 379 | * in that it's the default and is always there in the fdb. | 393 | spin_unlock_bh(&port->br->hash_lock); |
| 380 | */ | ||
| 381 | spin_lock_bh(&port->br->hash_lock); | ||
| 382 | fdb_delete_by_addr(port->br, port->dev->dev_addr, vid); | ||
| 383 | spin_unlock_bh(&port->br->hash_lock); | ||
| 384 | } | ||
| 385 | 394 | ||
| 386 | return __vlan_del(pv, vid); | 395 | return __vlan_del(pv, vid); |
| 387 | } | 396 | } |