PATCH: fix bridged 802.3ad bonding

PATCH: fix bridged 802.3ad bonding

[Jiri Bohac]

Hi,

Bonding in 802.3ad mode breaks when the bond interface is added
to a bridge (which makes 802.3ad unusable in XEN, for example).

The problem is that br_pass_frame_up() will change the skb's dev
pointer to point to the bridge interface. As a result, the LACP
packets will not reach the bond_3ad_lacpdu_recv() protocol
handler registered on the bonding device. Even if they did, the
handler won't work with the changed skb->dev.

The following patch fixes the problem.

Signed-off-by: Jiri Bohac <jbohac@suse.cz>


diff --git a/net/core/dev.c b/net/core/dev.c
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1832,6 +1832,32 @@ static inline struct net_device *skb_bond(struct sk_buff *skb)
 }
 
 
+/*
+ * If a bonding master interface in 802.3ad mode is part of a bridge,
+ * the bridging hook will mangle the skb->dev to the bridge device.
+ * The bonding 802.3ad protocol handler needs to access the original device,
+ * so fix this up for the 802.3ad packets.
+ */
+static inline void skb_fixup_bridged_bond(struct sk_buff *skb, struct net_device **orig_dev)
+{
+	if (unlikely(skb->protocol == __constant_htons(ETH_P_SLOW)) &&
+	    (skb->dev->priv_flags & IFF_EBRIDGE)) {
+		struct net_device *dev;
+
+		read_lock(&dev_base_lock);
+		dev = __dev_get_by_index(&init_net, skb->iif);
+		read_unlock(&dev_base_lock);
+
+		if (!dev)
+			return;
+
+		if (dev->master)
+			skb->dev = dev->master;
+
+		*orig_dev = dev;
+	}
+}
+
 static void net_tx_action(struct softirq_action *h)
 {
 	struct softnet_data *sd = &__get_cpu_var(softnet_data);
@@ -2080,6 +2106,8 @@ ncls:
 	if (!skb)
 		goto out;
 
+	skb_fixup_bridged_bond(skb, &orig_dev);
+
 	type = skb->protocol;
 	list_for_each_entry_rcu(ptype,
 			&ptype_base[ntohs(type) & PTYPE_HASH_MASK], list) {

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, SUSE CZ

Re: PATCH: fix bridged 802.3ad bonding

[Patrick McHardy]

Jiri Bohac wrote:
> Hi,
> 
> Bonding in 802.3ad mode breaks when the bond interface is added
> to a bridge (which makes 802.3ad unusable in XEN, for example).
> 
> The problem is that br_pass_frame_up() will change the skb's dev
> pointer to point to the bridge interface. As a result, the LACP
> packets will not reach the bond_3ad_lacpdu_recv() protocol
> handler registered on the bonding device. Even if they did, the
> handler won't work with the changed skb->dev.
> 
> The following patch fixes the problem.


This shouldn't be done in the core code. How about handling this
in either the bridging code or registering the ptype handler for
the briding device?

Re: PATCH: fix bridged 802.3ad bonding

[Stephen Hemminger]

On Tue, 3 Jun 2008 15:21:06 +0200
Jiri Bohac <jbohac@suse.cz> wrote:

> Hi,
> 
> Bonding in 802.3ad mode breaks when the bond interface is added
> to a bridge (which makes 802.3ad unusable in XEN, for example).
> 
> The problem is that br_pass_frame_up() will change the skb's dev
> pointer to point to the bridge interface. As a result, the LACP
> packets will not reach the bond_3ad_lacpdu_recv() protocol
> handler registered on the bonding device. Even if they did, the
> handler won't work with the changed skb->dev.
> 
> The following patch fixes the problem.
> 
> Signed-off-by: Jiri Bohac <jbohac@suse.cz>

Agree with Patrick, it might be a real problem but your solution
is doing it in the wrong place. The packets do arrive on the bridge
interface which is an aggregation of all the interfaces in the bridge.

The LACPDU's are received via now on the bond device. If you moved
the packet type handler down to the physical interface, this problem
would go away because the packets would be handled to bond_3ad_lacpdu_recv
prior to being handled by the bridge.  You would still have to handle
cases where bonding device was inactive, but that shouldn't be hard.

Re: PATCH: fix bridged 802.3ad bonding

[Jiri Bohac]

Hi,

On Tue, Jun 03, 2008 at 09:46:04AM -0700, Stephen Hemminger wrote:
> On Tue, 3 Jun 2008 15:21:06 +0200 Jiri Bohac <jbohac@suse.cz> wrote:
> 
> > Bonding in 802.3ad mode breaks when the bond interface is added
> > to a bridge (which makes 802.3ad unusable in XEN, for example).
> > 
> > The problem is that br_pass_frame_up() will change the skb's dev
> > pointer to point to the bridge interface. As a result, the LACP
> > packets will not reach the bond_3ad_lacpdu_recv() protocol
> > handler registered on the bonding device. Even if they did, the
> > handler won't work with the changed skb->dev.

... actually, now I realized the above statement is wrong. The
bridging code does not change the LACP frames, it just drops
them, because the LACP frames always have the link-local
destination MAC address.
 
> The packets do arrive on the bridge
> interface which is an aggregation of all the interfaces in the bridge.
> 
> The LACPDU's are received via now on the bond device. If you moved
> the packet type handler down to the physical interface, this problem
> would go away because the packets would be handled to bond_3ad_lacpdu_recv
> prior to being handled by the bridge.

This wouldn't really work, because with bonding the packet only
passes through netif_receive_skb() once, it just has the skb->dev
modified by skb_bond() at the very beginning.

But I think I found a much nicer fix for the problem:

diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -136,6 +136,10 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
 		if (skb->protocol == htons(ETH_P_PAUSE))
 			goto drop;
 
+		/* Don't touch SLOW frames (LACP, etc.) */
+		if (skb->protocol == htons(ETH_P_SLOW))
+			return skb;
+
 		/* Process STP BPDU's through normal netif_receive_skb() path */
 		if (p->br->stp_enabled != BR_NO_STP) {
 			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,

The LACP frames always have the link-local destination MAC
address and so they are not handled by the bridge anyway. They
are only dropped, unless STP is turned on. So let's just not drop
the SLOW packets. Does this look better?

Thanks,

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, SUSE CZ

Re: PATCH: fix bridged 802.3ad bonding

[Stephen Hemminger]

On Tue, 3 Jun 2008 21:32:27 +0200
Jiri Bohac <jbohac@suse.cz> wrote:

> Hi,
> 
> On Tue, Jun 03, 2008 at 09:46:04AM -0700, Stephen Hemminger wrote:
> > On Tue, 3 Jun 2008 15:21:06 +0200 Jiri Bohac <jbohac@suse.cz> wrote:
> > 
> > > Bonding in 802.3ad mode breaks when the bond interface is added
> > > to a bridge (which makes 802.3ad unusable in XEN, for example).
> > > 
> > > The problem is that br_pass_frame_up() will change the skb's dev
> > > pointer to point to the bridge interface. As a result, the LACP
> > > packets will not reach the bond_3ad_lacpdu_recv() protocol
> > > handler registered on the bonding device. Even if they did, the
> > > handler won't work with the changed skb->dev.
> 
> ... actually, now I realized the above statement is wrong. The
> bridging code does not change the LACP frames, it just drops
> them, because the LACP frames always have the link-local
> destination MAC address.
>  
> > The packets do arrive on the bridge
> > interface which is an aggregation of all the interfaces in the bridge.
> > 
> > The LACPDU's are received via now on the bond device. If you moved
> > the packet type handler down to the physical interface, this problem
> > would go away because the packets would be handled to bond_3ad_lacpdu_recv
> > prior to being handled by the bridge.
> 
> This wouldn't really work, because with bonding the packet only
> passes through netif_receive_skb() once, it just has the skb->dev
> modified by skb_bond() at the very beginning.
> 
> But I think I found a much nicer fix for the problem:
> 
> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
> --- a/net/bridge/br_input.c
> +++ b/net/bridge/br_input.c
> @@ -136,6 +136,10 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
>  		if (skb->protocol == htons(ETH_P_PAUSE))
>  			goto drop;
>  
> +		/* Don't touch SLOW frames (LACP, etc.) */
> +		if (skb->protocol == htons(ETH_P_SLOW))
> +			return skb;
> +
>  		/* Process STP BPDU's through normal netif_receive_skb() path */
>  		if (p->br->stp_enabled != BR_NO_STP) {
>  			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> 
> The LACP frames always have the link-local destination MAC
> address and so they are not handled by the bridge anyway. They
> are only dropped, unless STP is turned on. So let's just not drop
> the SLOW packets. Does this look better?
> 

Better, but still have a couple of questions:
1) Do you want to processing frames when bridge port is in blocking
   state (because STP detected a loop)?
2) Do you want to process after netfilter processing to allow
   some firewalling possiblity?

Re: PATCH: fix bridged 802.3ad bonding

[Jiri Bohac]

On Tue, Jun 03, 2008 at 01:13:26PM -0700, Stephen Hemminger wrote:
> On Tue, 3 Jun 2008 21:32:27 +0200
> Jiri Bohac <jbohac@suse.cz> wrote:

> > diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
> > --- a/net/bridge/br_input.c
> > +++ b/net/bridge/br_input.c
> > @@ -136,6 +136,10 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
> >  		if (skb->protocol == htons(ETH_P_PAUSE))
> >  			goto drop;
> >  
> > +		/* Don't touch SLOW frames (LACP, etc.) */
> > +		if (skb->protocol == htons(ETH_P_SLOW))
> > +			return skb;
> > +
> >  		/* Process STP BPDU's through normal netif_receive_skb() path */
> >  		if (p->br->stp_enabled != BR_NO_STP) {
> >  			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> > 
> > The LACP frames always have the link-local destination MAC
> > address and so they are not handled by the bridge anyway. They
> > are only dropped, unless STP is turned on. So let's just not drop
> > the SLOW packets. Does this look better?
> > 
> 
> Better, but still have a couple of questions:
> 1) Do you want to processing frames when bridge port is in blocking
>    state (because STP detected a loop)?

Yes. When the bond is one of the bridged interfaces, the bridge
should not affect it at all, I think. I'm talking about this kind
of setup:

eth0--\
eth1---> bond0 ---- bridge
eth2--/             |  |
                    |  |
wlan1---------------   |
wlan2------------------

The bridge should treat bond0 just like any other bridged
interface (e.g. wlan1 or wlan2) and not influence its internal
functionality at all.

Whatever state the bridge is in, it should not influence the
bond's private communication (LACP). Of course, the bridge will
block traffic that arrives on the bond, but it should not block
control traffic that arrives on the physical slave interfaces
before it reaches the bond.

> 2) Do you want to process after netfilter processing to allow
>    some firewalling possiblity?

Again, the bonding works well when there is no bridging. I think
it should continue to work the same when the bond is added to a
brdidge. 

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, SUSE CZ

Re: PATCH: fix bridged 802.3ad bonding

[Jay Vosburgh]

Stephen Hemminger <shemminger@linux-foundation.org> wrote:

>On Tue, 3 Jun 2008 21:32:27 +0200
>Jiri Bohac <jbohac@suse.cz> wrote:
[...]
>> But I think I found a much nicer fix for the problem:
>> 
>> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
>> --- a/net/bridge/br_input.c
>> +++ b/net/bridge/br_input.c
>> @@ -136,6 +136,10 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
>>  		if (skb->protocol == htons(ETH_P_PAUSE))
>>  			goto drop;
>>  
>> +		/* Don't touch SLOW frames (LACP, etc.) */
>> +		if (skb->protocol == htons(ETH_P_SLOW))
>> +			return skb;
>> +
>>  		/* Process STP BPDU's through normal netif_receive_skb() path */
>>  		if (p->br->stp_enabled != BR_NO_STP) {
>>  			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
>> 
>> The LACP frames always have the link-local destination MAC
>> address and so they are not handled by the bridge anyway. They
>> are only dropped, unless STP is turned on. So let's just not drop
>> the SLOW packets. Does this look better?
>> 
>
>Better, but still have a couple of questions:
>1) Do you want to processing frames when bridge port is in blocking
>   state (because STP detected a loop)?

	I believe so.  If I'm reading correctly, the layout is something
like:

bridge -> bond0 -> [ eth0, eth1, etc ]

	so bonding needs to see the LACPDUs in order to decide which
subset of the slaves (eth0, eth1, etc) should be active and which should
not.  That, in turn, may affect the topology of the network.  In other
words, the presence or absence of a loop is determined by the set of
interfaces (or, really, the location of the peer of that set) made
active by link aggregation.  For 802.3ad, the set of active slaves
(active aggregator) will always connect to the same peer, but link
failures could move the active aggregator from one peer to a different
peer.

	This seems to agree with my (brief) examination of standards and
documentation: 802.3ad doesn't really say much about STP, 802.1d 6.5.1
discusses link aggregation a bit, in particular:

a) For a MAC entity that contains a Link Aggregation sublayer, the value
of MAC_Enabled is directly determined by the value of the aAggAdminState
attribute (30.7.1.13 in IEEE Std 802.3-2002), and the value of
MAC_Operational is directly determined by the value of the aAggOperState
attribute (30.7.1.13 in IEEE Std 802.3).

	suggests that the aggregation is treated as a unit (I'm not that
familiar with 802.1d, so I could be misreading it here).

	Lastly, Cisco's Etherchannel implementation treats a LACP
aggregation as a single bridge port.

	Thoughts?

	-J

---
	-Jay Vosburgh, IBM Linux Technology Center, fubar@us.ibm.com

Re: PATCH: fix bridged 802.3ad bonding

[Stephen Hemminger]

On Tue, 03 Jun 2008 14:22:08 -0700
Jay Vosburgh <fubar@us.ibm.com> wrote:

> Stephen Hemminger <shemminger@linux-foundation.org> wrote:
> 
> >On Tue, 3 Jun 2008 21:32:27 +0200
> >Jiri Bohac <jbohac@suse.cz> wrote:
> [...]
> >> But I think I found a much nicer fix for the problem:
> >> 
> >> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
> >> --- a/net/bridge/br_input.c
> >> +++ b/net/bridge/br_input.c
> >> @@ -136,6 +136,10 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
> >>  		if (skb->protocol == htons(ETH_P_PAUSE))
> >>  			goto drop;
> >>  
> >> +		/* Don't touch SLOW frames (LACP, etc.) */
> >> +		if (skb->protocol == htons(ETH_P_SLOW))
> >> +			return skb;
> >> +
> >>  		/* Process STP BPDU's through normal netif_receive_skb() path */
> >>  		if (p->br->stp_enabled != BR_NO_STP) {
> >>  			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> >> 
> >> The LACP frames always have the link-local destination MAC
> >> address and so they are not handled by the bridge anyway. They
> >> are only dropped, unless STP is turned on. So let's just not drop
> >> the SLOW packets. Does this look better?
> >> 
> >
> >Better, but still have a couple of questions:
> >1) Do you want to processing frames when bridge port is in blocking
> >   state (because STP detected a loop)?
> 
> 	I believe so.  If I'm reading correctly, the layout is something
> like:
> 
> bridge -> bond0 -> [ eth0, eth1, etc ]
> 
> 	so bonding needs to see the LACPDUs in order to decide which
> subset of the slaves (eth0, eth1, etc) should be active and which should
> not.  That, in turn, may affect the topology of the network.  In other
> words, the presence or absence of a loop is determined by the set of
> interfaces (or, really, the location of the peer of that set) made
> active by link aggregation.  For 802.3ad, the set of active slaves
> (active aggregator) will always connect to the same peer, but link
> failures could move the active aggregator from one peer to a different
> peer.
> 
> 	This seems to agree with my (brief) examination of standards and
> documentation: 802.3ad doesn't really say much about STP, 802.1d 6.5.1
> discusses link aggregation a bit, in particular:
> 
> a) For a MAC entity that contains a Link Aggregation sublayer, the value
> of MAC_Enabled is directly determined by the value of the aAggAdminState
> attribute (30.7.1.13 in IEEE Std 802.3-2002), and the value of
> MAC_Operational is directly determined by the value of the aAggOperState
> attribute (30.7.1.13 in IEEE Std 802.3).
> 
> 	suggests that the aggregation is treated as a unit (I'm not that
> familiar with 802.1d, so I could be misreading it here).
> 
> 	Lastly, Cisco's Etherchannel implementation treats a LACP
> aggregation as a single bridge port.
> 
> 	Thoughts?
> 

I think the LACP frames need to be filterable. Otherwise, you open
yourself up to problems with spoofed frames. See the security attack
on STP from a couple of years ago.

Re: PATCH: fix bridged 802.3ad bonding

[Stephen Hemminger]

On Tue, 03 Jun 2008 14:22:08 -0700
Jay Vosburgh <fubar@us.ibm.com> wrote:

> Stephen Hemminger <shemminger@linux-foundation.org> wrote:
> 
> >On Tue, 3 Jun 2008 21:32:27 +0200
> >Jiri Bohac <jbohac@suse.cz> wrote:
> [...]
> >> But I think I found a much nicer fix for the problem:
> >> 
> >> diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
> >> --- a/net/bridge/br_input.c
> >> +++ b/net/bridge/br_input.c
> >> @@ -136,6 +136,10 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
> >>  		if (skb->protocol == htons(ETH_P_PAUSE))
> >>  			goto drop;
> >>  
> >> +		/* Don't touch SLOW frames (LACP, etc.) */
> >> +		if (skb->protocol == htons(ETH_P_SLOW))
> >> +			return skb;
> >> +
> >>  		/* Process STP BPDU's through normal netif_receive_skb() path */
> >>  		if (p->br->stp_enabled != BR_NO_STP) {
> >>  			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> >> 
> >> The LACP frames always have the link-local destination MAC
> >> address and so they are not handled by the bridge anyway. They
> >> are only dropped, unless STP is turned on. So let's just not drop
> >> the SLOW packets. Does this look better?
> >> 


I prefer the following because it process all link-local frames through
the normal input path. This means the frames will:
	* be filterable by netfilter
	* processed by af_packet users
	* not forwarded across bridge (this is important).


--- a/net/bridge/br_input.c	2008-06-03 21:44:54.000000000 -0700
+++ b/net/bridge/br_input.c	2008-06-03 21:52:20.000000000 -0700
@@ -135,15 +135,12 @@ struct sk_buff *br_handle_frame(struct n
 		/* Pause frames shouldn't be passed up by driver anyway */
 		if (skb->protocol == htons(ETH_P_PAUSE))
 			goto drop;
-
-		/* Process STP BPDU's through normal netif_receive_skb() path */
-		if (p->br->stp_enabled != BR_NO_STP) {
-			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
-				    NULL, br_handle_local_finish))
-				return NULL;
-			else
-				return skb;
-		}
+
+		if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
+			    NULL, br_handle_local_finish))
+			return NULL;	/* frame consumed by filter */
+		else
+			return skb;	/* continue processing */
 	}
 
 	switch (p->state) {

Re: PATCH: fix bridged 802.3ad bonding

[Jiri Bohac]

On Tue, Jun 03, 2008 at 09:55:19PM -0700, Stephen Hemminger wrote:
> I prefer the following because it process all link-local frames through
> the normal input path. This means the frames will:
> 	* be filterable by netfilter

Well, the LACP frames are not filtered by netfilter when there is
bonding on its own (not part of a bridge), so I don't see why
this should change when the bond is made part of a bridge.

Maybe it is a good idea to run the LACP frames through netfilter,
but I think this should be done consistently in the bonding code,
whether or not bridging is set up, and probably on the individual
slave interfaces. It does not make sense to filter bonding's LACP
frames in ebtables, IMHO.

> 	* not forwarded across bridge (this is important).

I thought this was the case with my second patch as well (?)

 
> --- a/net/bridge/br_input.c	2008-06-03 21:44:54.000000000 -0700
> +++ b/net/bridge/br_input.c	2008-06-03 21:52:20.000000000 -0700
> @@ -135,15 +135,12 @@ struct sk_buff *br_handle_frame(struct n
>  		/* Pause frames shouldn't be passed up by driver anyway */
>  		if (skb->protocol == htons(ETH_P_PAUSE))
>  			goto drop;
> -
> -		/* Process STP BPDU's through normal netif_receive_skb() path */
> -		if (p->br->stp_enabled != BR_NO_STP) {
> -			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> -				    NULL, br_handle_local_finish))
> -				return NULL;
> -			else
> -				return skb;
> -		}
> +
> +		if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> +			    NULL, br_handle_local_finish))
> +			return NULL;	/* frame consumed by filter */
> +		else
> +			return skb;	/* continue processing */
>  	}
>  
>  	switch (p->state) {

where did the "if (p->br->stp_enabled != BR_NO_STP)" condition
go? Is it not needed? I thought it was there to prevent the STP
BPDUs from being handled when STP is turned off.

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, SUSE CZ

Re: PATCH: fix bridged 802.3ad bonding

[Stephen Hemminger]

On Wed, 4 Jun 2008 10:24:25 +0200
Jiri Bohac <jbohac@suse.cz> wrote:

> On Tue, Jun 03, 2008 at 09:55:19PM -0700, Stephen Hemminger wrote:
> > I prefer the following because it process all link-local frames through
> > the normal input path. This means the frames will:
> > 	* be filterable by netfilter
> 
> Well, the LACP frames are not filtered by netfilter when there is
> bonding on its own (not part of a bridge), so I don't see why
> this should change when the bond is made part of a bridge.
> 
> Maybe it is a good idea to run the LACP frames through netfilter,
> but I think this should be done consistently in the bonding code,
> whether or not bridging is set up, and probably on the individual
> slave interfaces. It does not make sense to filter bonding's LACP
> frames in ebtables, IMHO.
> 
> > 	* not forwarded across bridge (this is important).
> 
> I thought this was the case with my second patch as well (?)
> 
>  
> > --- a/net/bridge/br_input.c	2008-06-03 21:44:54.000000000 -0700
> > +++ b/net/bridge/br_input.c	2008-06-03 21:52:20.000000000 -0700
> > @@ -135,15 +135,12 @@ struct sk_buff *br_handle_frame(struct n
> >  		/* Pause frames shouldn't be passed up by driver anyway */
> >  		if (skb->protocol == htons(ETH_P_PAUSE))
> >  			goto drop;
> > -
> > -		/* Process STP BPDU's through normal netif_receive_skb() path */
> > -		if (p->br->stp_enabled != BR_NO_STP) {
> > -			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> > -				    NULL, br_handle_local_finish))
> > -				return NULL;
> > -			else
> > -				return skb;
> > -		}
> > +
> > +		if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> > +			    NULL, br_handle_local_finish))
> > +			return NULL;	/* frame consumed by filter */
> > +		else
> > +			return skb;	/* continue processing */
> >  	}
> >  
> >  	switch (p->state) {
> 
> where did the "if (p->br->stp_enabled != BR_NO_STP)" condition
> go? Is it not needed? I thought it was there to prevent the STP
> BPDUs from being handled when STP is turned off.
> 

That is already done in br_stp_rcv so the check here was not
needed.

Re: PATCH: fix bridged 802.3ad bonding

[Jiri Bohac]

On Wed, Jun 04, 2008 at 09:06:33AM -0700, Stephen Hemminger wrote:
> On Wed, 4 Jun 2008 10:24:25 +0200
> Jiri Bohac <jbohac@suse.cz> wrote:
> 
> > On Tue, Jun 03, 2008 at 09:55:19PM -0700, Stephen Hemminger wrote:
> > >
> > > --- a/net/bridge/br_input.c	2008-06-03 21:44:54.000000000 -0700
> > > +++ b/net/bridge/br_input.c	2008-06-03 21:52:20.000000000 -0700
> > > @@ -135,15 +135,12 @@ struct sk_buff *br_handle_frame(struct n
> > >  		/* Pause frames shouldn't be passed up by driver anyway */
> > >  		if (skb->protocol == htons(ETH_P_PAUSE))
> > >  			goto drop;
> > > -
> > > -		/* Process STP BPDU's through normal netif_receive_skb() path */
> > > -		if (p->br->stp_enabled != BR_NO_STP) {
> > > -			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> > > -				    NULL, br_handle_local_finish))
> > > -				return NULL;
> > > -			else
> > > -				return skb;
> > > -		}
> > > +
> > > +		if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> > > +			    NULL, br_handle_local_finish))
> > > +			return NULL;	/* frame consumed by filter */
> > > +		else
> > > +			return skb;	/* continue processing */
> > >  	}
> > >  
> > >  	switch (p->state) {
> > 
> > where did the "if (p->br->stp_enabled != BR_NO_STP)" condition
> > go? Is it not needed? I thought it was there to prevent the STP
> > BPDUs from being handled when STP is turned off.
> > 
> 
> That is already done in br_stp_rcv so the check here was not
> needed.

Ah, I see. So can we get one of the patches in? I still think
that running the LACP frames through the bridging NF hooks does
not make sense, but it's your call.

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, SUSE CZ

Re: PATCH: fix bridged 802.3ad bonding

[David Miller]

From: Jiri Bohac <jbohac@suse.cz>
Date: Thu, 5 Jun 2008 12:13:20 +0200

> On Wed, Jun 04, 2008 at 09:06:33AM -0700, Stephen Hemminger wrote:
> > On Wed, 4 Jun 2008 10:24:25 +0200
> > Jiri Bohac <jbohac@suse.cz> wrote:
> > 
> > > On Tue, Jun 03, 2008 at 09:55:19PM -0700, Stephen Hemminger wrote:
> > > >
> > > > --- a/net/bridge/br_input.c	2008-06-03 21:44:54.000000000 -0700
> > > > +++ b/net/bridge/br_input.c	2008-06-03 21:52:20.000000000 -0700
> > > > @@ -135,15 +135,12 @@ struct sk_buff *br_handle_frame(struct n
> > > >  		/* Pause frames shouldn't be passed up by driver anyway */
> > > >  		if (skb->protocol == htons(ETH_P_PAUSE))
> > > >  			goto drop;
> > > > -
> > > > -		/* Process STP BPDU's through normal netif_receive_skb() path */
> > > > -		if (p->br->stp_enabled != BR_NO_STP) {
> > > > -			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> > > > -				    NULL, br_handle_local_finish))
> > > > -				return NULL;
> > > > -			else
> > > > -				return skb;
> > > > -		}
> > > > +
> > > > +		if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
> > > > +			    NULL, br_handle_local_finish))
> > > > +			return NULL;	/* frame consumed by filter */
> > > > +		else
> > > > +			return skb;	/* continue processing */
> > > >  	}
> > > >  
> > > >  	switch (p->state) {
> > > 
> > > where did the "if (p->br->stp_enabled != BR_NO_STP)" condition
> > > go? Is it not needed? I thought it was there to prevent the STP
> > > BPDUs from being handled when STP is turned off.
> > > 
> > 
> > That is already done in br_stp_rcv so the check here was not
> > needed.
> 
> Ah, I see. So can we get one of the patches in? I still think
> that running the LACP frames through the bridging NF hooks does
> not make sense, but it's your call.

Stephen, if prefer your approach, please repost your patch with full
commit message and proper signoffs, thanks!

Re: PATCH: fix bridged 802.3ad bonding

[Jiri Bohac]

On Tue, Jun 10, 2008 at 03:42:36PM -0700, David Miller wrote:
> From: Jiri Bohac <jbohac@suse.cz> Date: Thu, 5 Jun 2008 12:13:20 +0200
> > Ah, I see. So can we get one of the patches in? I still think
> > that running the LACP frames through the bridging NF hooks does
> > not make sense, but it's your call.
> 
> Stephen, if prefer your approach, please repost your patch with full
> commit message and proper signoffs, thanks!

Stephen, I haven't seen a definitive answer from you - can you
please either ack my patch (underneath) or repost yours?

Thanks!


Fix bridged 802.3ad bonding

When a bonding master is added to a bridge, the bridging hook
will take over the LACP frames. The bonding ETH_P_SLOW ptype
handler will not get these, because the skb->dev is changed by
the bridging code. This breaks bonding in the 802.3ad mode.

ETH_P_SLOW frames should not be touched by the bridge.

Signed-off-by: Jiri Bohac <jbohac@suse.cz>

--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -136,6 +136,10 @@ struct sk_buff *br_handle_frame(struct net_bridge_port *p, struct sk_buff *skb)
 		if (skb->protocol == htons(ETH_P_PAUSE))
 			goto drop;
 
+		/* Don't touch SLOW frames (LACP, etc.) */
+		if (skb->protocol == htons(ETH_P_SLOW))
+			return skb;
+
 		/* Process STP BPDU's through normal netif_receive_skb() path */
 		if (p->br->stp_enabled != BR_NO_STP) {
 			if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,

-- 
Jiri Bohac <jbohac@suse.cz>
SUSE Labs, SUSE CZ