bridge: Automatically manage port promiscuous mode.

There exist configurations where the administrator or another management
entity has the foreknowledge of all the mac addresses of end systems
that are being bridged together.

In these environments, the administrator can statically configure known
addresses in the bridge FDB and disable flooding and learning on ports.
This makes it possible to turn off promiscuous mode on the interfaces
connected to the bridge.

Here is why disabling flooding and learning allows us to control
promiscuity:
 Consider port X.  All traffic coming into this port from outside the
bridge (ingress) will be either forwarded through other ports of the
bridge (egress) or dropped.  Forwarding (egress) is defined by FDB
entries and by flooding in the event that no FDB entry exists.
In the event that flooding is disabled, only FDB entries define
the egress.  Once learning is disabled, only static FDB entries
provided by a management entity define the egress.  If we provide
information from these static FDBs to the ingress port X, then we'll
be able to accept all traffic that can be successfully forwarded and
drop all the other traffic sooner without spending CPU cycles to
process it.
 Another way to define the above is as following equations:
    ingress = egress + drop
 expanding egress
    ingress = static FDB + learned FDB + flooding + drop
 disabling flooding and learning we a left with
    ingress = static FDB + drop

By adding addresses from the static FDB entries to the MAC address
filter of an ingress port X, we fully define what the bridge can
process without dropping and can thus turn off promiscuous mode,
thus dropping packets sooner.

There have been suggestions that we may want to allow learning
and update the filters with learned addresses as well.  This
would require mac-level authentication similar to 802.1x to
prevent attacks against the hw filters as they are limited
resource.

Additionally, if the user places the bridge device in promiscuous mode,
all ports are placed in promiscuous mode regardless of the changes
to flooding and learning.

Since the above functionality depends on full static configuration,
we have also require that vlan filtering be enabled to take
advantage of this.  The reason is that the bridge has to be
able to receive and process VLAN-tagged frames and the there
are only 2 ways to accomplish this right now: promiscuous mode
or vlan filtering.

Suggested-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 98 insertions, 7 deletions

diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 3fefff974540..091d39f5067c 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -85,6 +85,82 @@ void br_port_carrier_check(struct net_bridge_port *p)
         spin_unlock_bh(&br->lock);
 }
 
+static void br_port_set_promisc(struct net_bridge_port *p)
+{
+        int err = 0;
+
+        if (br_promisc_port(p))
+                return;
+
+        err = dev_set_promiscuity(p->dev, 1);
+        if (err)
+                return;
+
+        br_fdb_unsync_static(p->br, p);
+        p->flags |= BR_PROMISC;
+}
+
+static void br_port_clear_promisc(struct net_bridge_port *p)
+{
+        int err;
+
+        /* Check if the port is already non-promisc or if it doesn't
+         * support UNICAST filtering.  Without unicast filtering support
+         * we'll end up re-enabling promisc mode anyway, so just check for
+         * it here.
+         */
+        if (!br_promisc_port(p) || !(p->dev->priv_flags & IFF_UNICAST_FLT))
+                return;
+
+        /* Since we'll be clearing the promisc mode, program the port
+         * first so that we don't have interruption in traffic.
+         */
+        err = br_fdb_sync_static(p->br, p);
+        if (err)
+                return;
+
+        dev_set_promiscuity(p->dev, -1);
+        p->flags &= ~BR_PROMISC;
+}
+
+/* When a port is added or removed or when certain port flags
+ * change, this function is called to automatically manage
+ * promiscuity setting of all the bridge ports.  We are always called
+ * under RTNL so can skip using rcu primitives.
+ */
+void br_manage_promisc(struct net_bridge *br)
+{
+        struct net_bridge_port *p;
+        bool set_all = false;
+
+        /* If vlan filtering is disabled or bridge interface is placed
+         * into promiscuous mode, place all ports in promiscuous mode.
+         */
+        if ((br->dev->flags & IFF_PROMISC) || !br_vlan_enabled(br))
+                set_all = true;
+
+        list_for_each_entry(p, &br->port_list, list) {
+                if (set_all) {
+                        br_port_set_promisc(p);
+                } else {
+                        /* If the number of auto-ports is <= 1, then all other
+                         * ports will have their output configuration
+                         * statically specified through fdbs.  Since ingress
+                         * on the auto-port becomes forwarding/egress to other
+                         * ports and egress configuration is statically known,
+                         * we can say that ingress configuration of the
+                         * auto-port is also statically known.
+                         * This lets us disable promiscuous mode and write
+                         * this config to hw.
+                         */
+                        if (br->auto_cnt <= br_auto_port(p))
+                                br_port_clear_promisc(p);
+                        else
+                                br_port_set_promisc(p);
+                }
+        }
+}
+
 static void nbp_update_port_count(struct net_bridge *br)
 {
         struct net_bridge_port *p;
@@ -94,7 +170,23 @@ static void nbp_update_port_count(struct net_bridge *br)
                 if (br_auto_port(p))
                         cnt++;
         }
-        br->auto_cnt = cnt;
+        if (br->auto_cnt != cnt) {
+                br->auto_cnt = cnt;
+                br_manage_promisc(br);
+        }
+}
+
+static void nbp_delete_promisc(struct net_bridge_port *p)
+{
+        /* If port is currently promiscous, unset promiscuity.
+         * Otherwise, it is a static port so remove all addresses
+         * from it.
+         */
+        dev_set_allmulti(p->dev, -1);
+        if (br_promisc_port(p))
+                dev_set_promiscuity(p->dev, -1);
+        else
+                br_fdb_unsync_static(p->br, p);
 }
 
 static void release_nbp(struct kobject *kobj)
@@ -145,7 +237,7 @@ static void del_nbp(struct net_bridge_port *p)
 
         sysfs_remove_link(br->ifobj, p->dev->name);
 
-        dev_set_promiscuity(dev, -1);
+        nbp_delete_promisc(p);
 
         spin_lock_bh(&br->lock);
         br_stp_disable_port(p);
@@ -153,11 +245,10 @@ static void del_nbp(struct net_bridge_port *p)
 
         br_ifinfo_notify(RTM_DELLINK, p);
 
-        nbp_vlan_flush(p);
-        br_fdb_delete_by_port(br, p, 1);
-
         list_del_rcu(&p->list);
 
+        nbp_vlan_flush(p);
+        br_fdb_delete_by_port(br, p, 1);
         nbp_update_port_count(br);
 
         dev->priv_flags &= ~IFF_BRIDGE_PORT;
@@ -238,7 +329,7 @@ static struct net_bridge_port *new_nbp(struct net_bridge *br,
         p->path_cost = port_cost(dev);
         p->priority = 0x8000 >> BR_PORT_BITS;
         p->port_no = index;
-        p->flags = BR_LEARNING | BR_FLOOD | BR_PROMISC;
+        p->flags = BR_LEARNING | BR_FLOOD;
         br_init_port(p);
         p->state = BR_STATE_DISABLED;
         br_stp_port_timer_init(p);
@@ -367,7 +458,7 @@ int br_add_if(struct net_bridge *br, struct net_device *dev)
 
         call_netdevice_notifiers(NETDEV_JOIN, dev);
 
-        err = dev_set_promiscuity(dev, 1);
+        err = dev_set_allmulti(dev, 1);
         if (err)
                 goto put_back;