From: Antonio Quartulli <antonio@open-mesh.com>
To: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"bridge@lists.linux-foundation.org"
<bridge@lists.linux-foundation.org>,
"David S. Miller" <davem@davemloft.net>
Subject: Re: [Bridge] [PATCH 1/3] if.h: add IFF_BRIDGE_RESTRICTED flag
Date: Tue, 9 Apr 2013 15:51:44 +0200 [thread overview]
Message-ID: <20130409135143.GA5177@open-mesh.com> (raw)
In-Reply-To: <51641049.3030100@mojatatu.com>
[-- Attachment #1: Type: text/plain, Size: 1997 bytes --]
On Tue, Apr 09, 2013 at 05:57:45 -0700, Jamal Hadi Salim wrote:
> Hi,
>
> Consider using tc for this.
> You can tag the packet using skb mark on the receiving end point,
> match them on the bridge and execute actions not to forward them.
Does this work at the bridge level? A packet entering a port and going out from
another one can be affected by tc/mark?
>
> cheers,
> jamal
>
> On 13-04-09 03:56 AM, Antonio Quartulli wrote:
> > On Mon, Apr 08, 2013 at 11:58:48 -0700, Stephen Hemminger wrote:
> >> The standard way to do this is to use netfilter. Considering the
> >> additional device flags and skb flag changes, I am not sure that your
> >> method is better.
> >
> > To make it a bit more clear:
> >
> > 1) the skb flag will be used on the "receiving end-point" by batman-adv to mark
> > received packets and so instruct the bridge to do not forward them to restricted
> > interfaces.
> >
> > 2) the IFF_ flag is used by batman-adv on the "sending side" to determine
> > whether a packet has been originated by a restricted interface and so instruct
> > the remote endpoint to mark the skb when received.
> >
> > 3) to make the bridge code general enough, I decided to let it mark packets
> > coming from restricted interfaces as well so that it can also apply the policy
> > at 1) locally, without any further setting. The logic described in 1) is
> > therefore applied by the bridge even for local packets (not passing through
> > batman-adv)
> >
> >
> >
> > Point 3) is the only one where netfilter might help. But using two mechanism to
> > achieve one goal looked not sane to me and therefore I decided to to do it this
> > way. And actually the code allowing point 3 is only:
> >
> > + skb->bridge_restricted = !!(skb->dev->flags & IFF_BRIDGE_RESTRICTED);
> >
> >
> > I hope this summary did not create further confusion :)
> >
>
--
Antonio Quartulli
..each of us alone is worth nothing..
Ernesto "Che" Guevara
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
WARNING: multiple messages have this Message-ID (diff)
From: Antonio Quartulli <antonio@open-mesh.com>
To: Jamal Hadi Salim <jhs@mojatatu.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>,
"David S. Miller" <davem@davemloft.net>,
"bridge@lists.linux-foundation.org"
<bridge@lists.linux-foundation.org>,
"netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: [PATCH 1/3] if.h: add IFF_BRIDGE_RESTRICTED flag
Date: Tue, 9 Apr 2013 15:51:44 +0200 [thread overview]
Message-ID: <20130409135143.GA5177@open-mesh.com> (raw)
In-Reply-To: <51641049.3030100@mojatatu.com>
[-- Attachment #1: Type: text/plain, Size: 1997 bytes --]
On Tue, Apr 09, 2013 at 05:57:45 -0700, Jamal Hadi Salim wrote:
> Hi,
>
> Consider using tc for this.
> You can tag the packet using skb mark on the receiving end point,
> match them on the bridge and execute actions not to forward them.
Does this work at the bridge level? A packet entering a port and going out from
another one can be affected by tc/mark?
>
> cheers,
> jamal
>
> On 13-04-09 03:56 AM, Antonio Quartulli wrote:
> > On Mon, Apr 08, 2013 at 11:58:48 -0700, Stephen Hemminger wrote:
> >> The standard way to do this is to use netfilter. Considering the
> >> additional device flags and skb flag changes, I am not sure that your
> >> method is better.
> >
> > To make it a bit more clear:
> >
> > 1) the skb flag will be used on the "receiving end-point" by batman-adv to mark
> > received packets and so instruct the bridge to do not forward them to restricted
> > interfaces.
> >
> > 2) the IFF_ flag is used by batman-adv on the "sending side" to determine
> > whether a packet has been originated by a restricted interface and so instruct
> > the remote endpoint to mark the skb when received.
> >
> > 3) to make the bridge code general enough, I decided to let it mark packets
> > coming from restricted interfaces as well so that it can also apply the policy
> > at 1) locally, without any further setting. The logic described in 1) is
> > therefore applied by the bridge even for local packets (not passing through
> > batman-adv)
> >
> >
> >
> > Point 3) is the only one where netfilter might help. But using two mechanism to
> > achieve one goal looked not sane to me and therefore I decided to to do it this
> > way. And actually the code allowing point 3 is only:
> >
> > + skb->bridge_restricted = !!(skb->dev->flags & IFF_BRIDGE_RESTRICTED);
> >
> >
> > I hope this summary did not create further confusion :)
> >
>
--
Antonio Quartulli
..each of us alone is worth nothing..
Ernesto "Che" Guevara
[-- Attachment #2: Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2013-04-09 13:51 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-04-08 17:41 [Bridge] [PATCH 0/3] bridge: implement restricted forwarding policy Antonio Quartulli
2013-04-08 17:41 ` Antonio Quartulli
2013-04-08 17:41 ` [Bridge] [PATCH 1/3] if.h: add IFF_BRIDGE_RESTRICTED flag Antonio Quartulli
2013-04-08 17:41 ` Antonio Quartulli
2013-04-08 18:58 ` [Bridge] " Stephen Hemminger
2013-04-08 18:58 ` Stephen Hemminger
2013-04-09 6:33 ` [Bridge] " Antonio Quartulli
2013-04-09 6:33 ` Antonio Quartulli
2013-04-09 7:56 ` [Bridge] " Antonio Quartulli
2013-04-09 7:56 ` Antonio Quartulli
2013-04-09 12:57 ` [Bridge] " Jamal Hadi Salim
2013-04-09 12:57 ` Jamal Hadi Salim
2013-04-09 13:51 ` Antonio Quartulli [this message]
2013-04-09 13:51 ` Antonio Quartulli
2013-04-09 15:49 ` [Bridge] " Jamal Hadi Salim
2013-04-09 15:49 ` Jamal Hadi Salim
2013-04-10 16:54 ` [Bridge] " Antonio Quartulli
2013-04-10 16:54 ` Antonio Quartulli
2013-04-10 20:46 ` [Bridge] " Stephen Hemminger
2013-04-10 20:46 ` Stephen Hemminger
2013-04-11 10:56 ` [Bridge] " Antonio Quartulli
2013-04-11 10:56 ` Antonio Quartulli
2013-04-11 11:03 ` [Bridge] " Jamal Hadi Salim
2013-04-11 11:03 ` Jamal Hadi Salim
2013-04-08 17:41 ` [Bridge] [PATCH 2/3] sk_buff: add bridge_restricted flag Antonio Quartulli
2013-04-08 17:41 ` Antonio Quartulli
2013-04-08 17:41 ` [Bridge] [PATCH 3/3] bridge: implement restricted port forwarding policy Antonio Quartulli
2013-04-08 17:41 ` Antonio Quartulli
2013-05-06 18:48 ` Using skb->mark outside netfilter (was: [PATCH 0/3] bridge: implement restricted forwarding policy) Antonio Quartulli
2013-05-07 13:04 ` Using skb->mark outside netfilter Jamal Hadi Salim
2013-05-07 13:23 ` Antonio Quartulli
2013-05-07 13:30 ` Jamal Hadi Salim
2013-05-07 14:17 ` Antonio Quartulli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130409135143.GA5177@open-mesh.com \
--to=antonio@open-mesh.com \
--cc=bridge@lists.linux-foundation.org \
--cc=davem@davemloft.net \
--cc=jhs@mojatatu.com \
--cc=netdev@vger.kernel.org \
--cc=stephen@networkplumber.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.