From: Antonio Quartulli <antonio@open-mesh.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"bridge@lists.linux-foundation.org"
<bridge@lists.linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [Bridge] [PATCH 1/3] if.h: add IFF_BRIDGE_RESTRICTED flag
Date: Tue, 9 Apr 2013 08:33:43 +0200 [thread overview]
Message-ID: <20130409063342.GA3771@open-mesh.com> (raw)
In-Reply-To: <CAOaVG17nHuoRsf2Kss6LnpgC-Aojcso_zLYyBa18Vn9CGGY+GA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2509 bytes --]
Hi Stephen,
thank you for your reply.
On Mon, Apr 08, 2013 at 11:58:48 -0700, Stephen Hemminger wrote:
> The standard way to do this is to use netfilter. Considering the
> additional device flags and skb flag changes, I am not sure that your
> method is better.
>
The point is that netfilter would not help me in "distributing" this policy
remotely over a generic layer2 network.
Using these flags, instead, I can make other modules (e.g. batman-adv) notice
that the skb has been marked and then react using their own logic.
If netfilter (at the bridge level) could "mark" the skbs somehow then I could use
it for this purpose. But I don't think this is really possible.
Cheers,
> On Mon, Apr 8, 2013 at 10:41 AM, Antonio Quartulli
> <antonio@open-mesh.com> wrote:
> > This new flag tells whether a network device has to be
> > considered as restricted in the new bridge forwarding logic.
> >
> > Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
> > ---
> > include/uapi/linux/if.h | 1 +
> > net/core/dev.c | 2 +-
> > 2 files changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/uapi/linux/if.h b/include/uapi/linux/if.h
> > index 1ec407b..5c3a9bd 100644
> > --- a/include/uapi/linux/if.h
> > +++ b/include/uapi/linux/if.h
> > @@ -83,6 +83,7 @@
> > #define IFF_SUPP_NOFCS 0x80000 /* device supports sending custom FCS */
> > #define IFF_LIVE_ADDR_CHANGE 0x100000 /* device supports hardware address
> > * change when it's running */
> > +#define IFF_BRIDGE_RESTRICTED 0x200000 /* device is bridge-restricted */
> >
> >
> > #define IF_GET_IFACE 0x0001 /* for querying only */
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index 3655ff9..49eafc8 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -4627,7 +4627,7 @@ int __dev_change_flags(struct net_device *dev, unsigned int flags)
> >
> > dev->flags = (flags & (IFF_DEBUG | IFF_NOTRAILERS | IFF_NOARP |
> > IFF_DYNAMIC | IFF_MULTICAST | IFF_PORTSEL |
> > - IFF_AUTOMEDIA)) |
> > + IFF_AUTOMEDIA | IFF_BRIDGE_RESTRICTED)) |
> > (dev->flags & (IFF_UP | IFF_VOLATILE | IFF_PROMISC |
> > IFF_ALLMULTI));
> >
> > --
> > 1.8.1.5
> >
--
Antonio Quartulli
..each of us alone is worth nothing..
Ernesto "Che" Guevara
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Antonio Quartulli <antonio@open-mesh.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: "David S. Miller" <davem@davemloft.net>,
"bridge@lists.linux-foundation.org"
<bridge@lists.linux-foundation.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH 1/3] if.h: add IFF_BRIDGE_RESTRICTED flag
Date: Tue, 9 Apr 2013 08:33:43 +0200 [thread overview]
Message-ID: <20130409063342.GA3771@open-mesh.com> (raw)
In-Reply-To: <CAOaVG17nHuoRsf2Kss6LnpgC-Aojcso_zLYyBa18Vn9CGGY+GA@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2509 bytes --]
Hi Stephen,
thank you for your reply.
On Mon, Apr 08, 2013 at 11:58:48 -0700, Stephen Hemminger wrote:
> The standard way to do this is to use netfilter. Considering the
> additional device flags and skb flag changes, I am not sure that your
> method is better.
>
The point is that netfilter would not help me in "distributing" this policy
remotely over a generic layer2 network.
Using these flags, instead, I can make other modules (e.g. batman-adv) notice
that the skb has been marked and then react using their own logic.
If netfilter (at the bridge level) could "mark" the skbs somehow then I could use
it for this purpose. But I don't think this is really possible.
Cheers,
> On Mon, Apr 8, 2013 at 10:41 AM, Antonio Quartulli
> <antonio@open-mesh.com> wrote:
> > This new flag tells whether a network device has to be
> > considered as restricted in the new bridge forwarding logic.
> >
> > Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
> > ---
> > include/uapi/linux/if.h | 1 +
> > net/core/dev.c | 2 +-
> > 2 files changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/include/uapi/linux/if.h b/include/uapi/linux/if.h
> > index 1ec407b..5c3a9bd 100644
> > --- a/include/uapi/linux/if.h
> > +++ b/include/uapi/linux/if.h
> > @@ -83,6 +83,7 @@
> > #define IFF_SUPP_NOFCS 0x80000 /* device supports sending custom FCS */
> > #define IFF_LIVE_ADDR_CHANGE 0x100000 /* device supports hardware address
> > * change when it's running */
> > +#define IFF_BRIDGE_RESTRICTED 0x200000 /* device is bridge-restricted */
> >
> >
> > #define IF_GET_IFACE 0x0001 /* for querying only */
> > diff --git a/net/core/dev.c b/net/core/dev.c
> > index 3655ff9..49eafc8 100644
> > --- a/net/core/dev.c
> > +++ b/net/core/dev.c
> > @@ -4627,7 +4627,7 @@ int __dev_change_flags(struct net_device *dev, unsigned int flags)
> >
> > dev->flags = (flags & (IFF_DEBUG | IFF_NOTRAILERS | IFF_NOARP |
> > IFF_DYNAMIC | IFF_MULTICAST | IFF_PORTSEL |
> > - IFF_AUTOMEDIA)) |
> > + IFF_AUTOMEDIA | IFF_BRIDGE_RESTRICTED)) |
> > (dev->flags & (IFF_UP | IFF_VOLATILE | IFF_PROMISC |
> > IFF_ALLMULTI));
> >
> > --
> > 1.8.1.5
> >
--
Antonio Quartulli
..each of us alone is worth nothing..
Ernesto "Che" Guevara
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2013-04-09 6:33 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-08 17:41 [Bridge] [PATCH 0/3] bridge: implement restricted forwarding policy Antonio Quartulli
2013-04-08 17:41 ` Antonio Quartulli
2013-04-08 17:41 ` [Bridge] [PATCH 1/3] if.h: add IFF_BRIDGE_RESTRICTED flag Antonio Quartulli
2013-04-08 17:41 ` Antonio Quartulli
2013-04-08 18:58 ` [Bridge] " Stephen Hemminger
2013-04-08 18:58 ` Stephen Hemminger
2013-04-09 6:33 ` Antonio Quartulli [this message]
2013-04-09 6:33 ` Antonio Quartulli
2013-04-09 7:56 ` [Bridge] " Antonio Quartulli
2013-04-09 7:56 ` Antonio Quartulli
2013-04-09 12:57 ` [Bridge] " Jamal Hadi Salim
2013-04-09 12:57 ` Jamal Hadi Salim
2013-04-09 13:51 ` [Bridge] " Antonio Quartulli
2013-04-09 13:51 ` Antonio Quartulli
2013-04-09 15:49 ` [Bridge] " Jamal Hadi Salim
2013-04-09 15:49 ` Jamal Hadi Salim
2013-04-10 16:54 ` [Bridge] " Antonio Quartulli
2013-04-10 16:54 ` Antonio Quartulli
2013-04-10 20:46 ` [Bridge] " Stephen Hemminger
2013-04-10 20:46 ` Stephen Hemminger
2013-04-11 10:56 ` [Bridge] " Antonio Quartulli
2013-04-11 10:56 ` Antonio Quartulli
2013-04-11 11:03 ` [Bridge] " Jamal Hadi Salim
2013-04-11 11:03 ` Jamal Hadi Salim
2013-04-08 17:41 ` [Bridge] [PATCH 2/3] sk_buff: add bridge_restricted flag Antonio Quartulli
2013-04-08 17:41 ` Antonio Quartulli
2013-04-08 17:41 ` [Bridge] [PATCH 3/3] bridge: implement restricted port forwarding policy Antonio Quartulli
2013-04-08 17:41 ` Antonio Quartulli
2013-05-06 18:48 ` Using skb->mark outside netfilter (was: [PATCH 0/3] bridge: implement restricted forwarding policy) Antonio Quartulli
2013-05-07 13:04 ` Using skb->mark outside netfilter Jamal Hadi Salim
2013-05-07 13:23 ` Antonio Quartulli
2013-05-07 13:30 ` Jamal Hadi Salim
2013-05-07 14:17 ` Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130409063342.GA3771@open-mesh.com \
--to=antonio@open-mesh.com \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.