[PATCH net-next 0/2] net: bridge: add per-port unknown multicast flood control

[PATCH net-next 0/2] net: bridge: add per-port unknown multicast flood control

[Nikolay Aleksandrov via Bridge]

Hi,
The first patch prepares the forwarding path by having the exact packet
type passed down so we can later filter based on it and the per-port
unknown mcast flood flag introduced in the second patch. It is similar to
how the per-port unknown unicast flood flag works.
Nice side-effects of patch 01 are the slight reduction of tests in the
fast-path and a few minor checkpatch fixes.

Thanks,
 Nik

Nikolay Aleksandrov (2):
  net: bridge: change unicast boolean to exact pkt_type
  net: bridge: add per-port multicast flood flag

 include/linux/if_bridge.h    |  3 ++-
 include/uapi/linux/if_link.h |  1 +
 net/bridge/br_device.c       |  8 ++++----
 net/bridge/br_forward.c      |  7 +++++--
 net/bridge/br_if.c           |  2 +-
 net/bridge/br_input.c        | 40 +++++++++++++++++++++++++---------------
 net/bridge/br_netlink.c      | 12 +++++++++---
 net/bridge/br_private.h      |  7 ++++++-
 net/bridge/br_sysfs_if.c     |  1 +
 9 files changed, 54 insertions(+), 27 deletions(-)

-- 
2.1.4

[PATCH net-next 1/2] net: bridge: change unicast boolean to exact pkt_type

[Nikolay Aleksandrov]

Remove the unicast flag and introduce an exact pkt_type. That would help us
for the upcoming per-port multicast flood flag and also slightly reduce the
tests in the input fast path.

Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
---
 net/bridge/br_device.c  |  8 ++++----
 net/bridge/br_forward.c |  4 ++--
 net/bridge/br_input.c   | 40 +++++++++++++++++++++++++---------------
 net/bridge/br_private.h |  7 ++++++-
 4 files changed, 37 insertions(+), 22 deletions(-)

diff --git a/net/bridge/br_device.c b/net/bridge/br_device.c
index 09f26940aba5..89a687f3c0a3 100644
--- a/net/bridge/br_device.c
+++ b/net/bridge/br_device.c
@@ -62,10 +62,10 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
 		goto out;
 
 	if (is_broadcast_ether_addr(dest)) {
-		br_flood(br, skb, false, false, true);
+		br_flood(br, skb, BR_PKT_BROADCAST, false, true);
 	} else if (is_multicast_ether_addr(dest)) {
 		if (unlikely(netpoll_tx_running(dev))) {
-			br_flood(br, skb, false, false, true);
+			br_flood(br, skb, BR_PKT_MULTICAST, false, true);
 			goto out;
 		}
 		if (br_multicast_rcv(br, NULL, skb, vid)) {
@@ -78,11 +78,11 @@ netdev_tx_t br_dev_xmit(struct sk_buff *skb, struct net_device *dev)
 		    br_multicast_querier_exists(br, eth_hdr(skb)))
 			br_multicast_flood(mdst, skb, false, true);
 		else
-			br_flood(br, skb, false, false, true);
+			br_flood(br, skb, BR_PKT_MULTICAST, false, true);
 	} else if ((dst = __br_fdb_get(br, dest, vid)) != NULL) {
 		br_forward(dst->dst, skb, false, true);
 	} else {
-		br_flood(br, skb, true, false, true);
+		br_flood(br, skb, BR_PKT_UNICAST, false, true);
 	}
 out:
 	rcu_read_unlock();
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index 32a02de39cd2..a1fc6edfdeb0 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -176,7 +176,7 @@ out:
 
 /* called under rcu_read_lock */
 void br_flood(struct net_bridge *br, struct sk_buff *skb,
-	      bool unicast, bool local_rcv, bool local_orig)
+	      int pkt_type, bool local_rcv, bool local_orig)
 {
 	u8 igmp_type = br_multicast_igmp_type(skb);
 	struct net_bridge_port *prev = NULL;
@@ -184,7 +184,7 @@ void br_flood(struct net_bridge *br, struct sk_buff *skb,
 
 	list_for_each_entry_rcu(p, &br->port_list, list) {
 		/* Do not flood unicast traffic to ports that turn it off */
-		if (unicast && !(p->flags & BR_FLOOD))
+		if (pkt_type == BR_PKT_UNICAST && !(p->flags & BR_FLOOD))
 			continue;
 
 		/* Do not flood to ports that enable proxy ARP */
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index 3132cfc80e9d..ddc3b974828a 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -131,11 +131,12 @@ static void br_do_proxy_arp(struct sk_buff *skb, struct net_bridge *br,
 /* note: already called with rcu_read_lock */
 int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb)
 {
-	bool local_rcv = false, mcast_hit = false, unicast = true;
 	struct net_bridge_port *p = br_port_get_rcu(skb->dev);
 	const unsigned char *dest = eth_hdr(skb)->h_dest;
 	struct net_bridge_fdb_entry *dst = NULL;
 	struct net_bridge_mdb_entry *mdst;
+	bool local_rcv, mcast_hit = false;
+	int pkt_type = BR_PKT_UNICAST;
 	struct net_bridge *br;
 	u16 vid = 0;
 
@@ -152,24 +153,29 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
 	if (p->flags & BR_LEARNING)
 		br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, false);
 
-	if (!is_broadcast_ether_addr(dest) && is_multicast_ether_addr(dest) &&
-	    br_multicast_rcv(br, p, skb, vid))
-		goto drop;
+	local_rcv = !!(br->dev->flags & IFF_PROMISC);
+	if (is_multicast_ether_addr(dest)) {
+		/* by definition the broadcast is also a multicast address */
+		if (is_broadcast_ether_addr(dest)) {
+			pkt_type = BR_PKT_BROADCAST;
+			local_rcv = true;
+		} else {
+			pkt_type = BR_PKT_MULTICAST;
+			if (br_multicast_rcv(br, p, skb, vid))
+				goto drop;
+		}
+	}
 
 	if (p->state == BR_STATE_LEARNING)
 		goto drop;
 
 	BR_INPUT_SKB_CB(skb)->brdev = br->dev;
 
-	local_rcv = !!(br->dev->flags & IFF_PROMISC);
-
 	if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
 		br_do_proxy_arp(skb, br, vid, p);
 
-	if (is_broadcast_ether_addr(dest)) {
-		local_rcv = true;
-		unicast = false;
-	} else if (is_multicast_ether_addr(dest)) {
+	switch (pkt_type) {
+	case BR_PKT_MULTICAST:
 		mdst = br_mdb_get(br, skb, vid);
 		if ((mdst || BR_INPUT_SKB_CB_MROUTERS_ONLY(skb)) &&
 		    br_multicast_querier_exists(br, eth_hdr(skb))) {
@@ -183,18 +189,22 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
 			local_rcv = true;
 			br->dev->stats.multicast++;
 		}
-		unicast = false;
-	} else if ((dst = __br_fdb_get(br, dest, vid)) && dst->is_local) {
-		/* Do not forward the packet since it's local. */
-		return br_pass_frame_up(skb);
+		break;
+	case BR_PKT_UNICAST:
+		dst = __br_fdb_get(br, dest, vid);
+	default:
+		break;
 	}
 
 	if (dst) {
+		if (dst->is_local)
+			return br_pass_frame_up(skb);
+
 		dst->used = jiffies;
 		br_forward(dst->dst, skb, local_rcv, false);
 	} else {
 		if (!mcast_hit)
-			br_flood(br, skb, unicast, local_rcv, false);
+			br_flood(br, skb, pkt_type, local_rcv, false);
 		else
 			br_multicast_flood(mdst, skb, local_rcv, false);
 	}
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 2379b2b865c9..d9e492b2a17e 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -517,12 +517,17 @@ int br_fdb_external_learn_del(struct net_bridge *br, struct net_bridge_port *p,
 			      const unsigned char *addr, u16 vid);
 
 /* br_forward.c */
+enum {
+	BR_PKT_UNICAST,
+	BR_PKT_MULTICAST,
+	BR_PKT_BROADCAST
+};
 int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb);
 void br_forward(const struct net_bridge_port *to, struct sk_buff *skb,
 		bool local_rcv, bool local_orig);
 int br_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb);
 void br_flood(struct net_bridge *br, struct sk_buff *skb,
-	      bool unicast, bool local_rcv, bool local_orig);
+	      int pkt_type, bool local_rcv, bool local_orig);
 
 /* br_if.c */
 void br_port_carrier_check(struct net_bridge_port *p);
-- 
2.1.4

[PATCH net-next 2/2] net: bridge: add per-port multicast flood flag

[Nikolay Aleksandrov]

Add a per-port flag to control the unknown multicast flood, similar to the
unknown unicast flood flag and break a few long lines in the netlink flag
exports.

Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
---
 include/linux/if_bridge.h    |  3 ++-
 include/uapi/linux/if_link.h |  1 +
 net/bridge/br_forward.c      |  3 +++
 net/bridge/br_if.c           |  2 +-
 net/bridge/br_netlink.c      | 12 +++++++++---
 net/bridge/br_sysfs_if.c     |  1 +
 6 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/include/linux/if_bridge.h b/include/linux/if_bridge.h
index dcb89e3515db..5b4fb39392ae 100644
--- a/include/linux/if_bridge.h
+++ b/include/linux/if_bridge.h
@@ -40,11 +40,12 @@ struct br_ip_list {
 #define BR_ADMIN_COST		BIT(4)
 #define BR_LEARNING		BIT(5)
 #define BR_FLOOD		BIT(6)
-#define BR_AUTO_MASK		(BR_FLOOD | BR_LEARNING)
 #define BR_PROMISC		BIT(7)
 #define BR_PROXYARP		BIT(8)
 #define BR_LEARNING_SYNC	BIT(9)
 #define BR_PROXYARP_WIFI	BIT(10)
+#define BR_MCAST_FLOOD		BIT(11)
+#define BR_AUTO_MASK		(BR_FLOOD | BR_MCAST_FLOOD | BR_LEARNING)
 
 #define BR_DEFAULT_AGEING_TIME	(300 * HZ)
 
diff --git a/include/uapi/linux/if_link.h b/include/uapi/linux/if_link.h
index a1b5202c5f6b..9bf3aecfe05b 100644
--- a/include/uapi/linux/if_link.h
+++ b/include/uapi/linux/if_link.h
@@ -318,6 +318,7 @@ enum {
 	IFLA_BRPORT_FLUSH,
 	IFLA_BRPORT_MULTICAST_ROUTER,
 	IFLA_BRPORT_PAD,
+	IFLA_BRPORT_MCAST_FLOOD,
 	__IFLA_BRPORT_MAX
 };
 #define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index a1fc6edfdeb0..21f68d930059 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -186,6 +186,9 @@ void br_flood(struct net_bridge *br, struct sk_buff *skb,
 		/* Do not flood unicast traffic to ports that turn it off */
 		if (pkt_type == BR_PKT_UNICAST && !(p->flags & BR_FLOOD))
 			continue;
+		if (pkt_type == BR_PKT_MULTICAST &&
+		    !(p->flags & BR_MCAST_FLOOD))
+			continue;
 
 		/* Do not flood to ports that enable proxy ARP */
 		if (p->flags & BR_PROXYARP)
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c
index 1da3221845f1..ed0dd3340084 100644
--- a/net/bridge/br_if.c
+++ b/net/bridge/br_if.c
@@ -362,7 +362,7 @@ static struct net_bridge_port *new_nbp(struct net_bridge *br,
 	p->path_cost = port_cost(dev);
 	p->priority = 0x8000 >> BR_PORT_BITS;
 	p->port_no = index;
-	p->flags = BR_LEARNING | BR_FLOOD;
+	p->flags = BR_LEARNING | BR_FLOOD | BR_MCAST_FLOOD;
 	br_init_port(p);
 	br_set_state(p, BR_STATE_DISABLED);
 	br_stp_port_timer_init(p);
diff --git a/net/bridge/br_netlink.c b/net/bridge/br_netlink.c
index 190a5bc00f4a..e99037c6f7b7 100644
--- a/net/bridge/br_netlink.c
+++ b/net/bridge/br_netlink.c
@@ -169,10 +169,15 @@ static int br_port_fill_attrs(struct sk_buff *skb,
 	    nla_put_u32(skb, IFLA_BRPORT_COST, p->path_cost) ||
 	    nla_put_u8(skb, IFLA_BRPORT_MODE, mode) ||
 	    nla_put_u8(skb, IFLA_BRPORT_GUARD, !!(p->flags & BR_BPDU_GUARD)) ||
-	    nla_put_u8(skb, IFLA_BRPORT_PROTECT, !!(p->flags & BR_ROOT_BLOCK)) ||
-	    nla_put_u8(skb, IFLA_BRPORT_FAST_LEAVE, !!(p->flags & BR_MULTICAST_FAST_LEAVE)) ||
+	    nla_put_u8(skb, IFLA_BRPORT_PROTECT,
+		       !!(p->flags & BR_ROOT_BLOCK)) ||
+	    nla_put_u8(skb, IFLA_BRPORT_FAST_LEAVE,
+		       !!(p->flags & BR_MULTICAST_FAST_LEAVE)) ||
 	    nla_put_u8(skb, IFLA_BRPORT_LEARNING, !!(p->flags & BR_LEARNING)) ||
-	    nla_put_u8(skb, IFLA_BRPORT_UNICAST_FLOOD, !!(p->flags & BR_FLOOD)) ||
+	    nla_put_u8(skb, IFLA_BRPORT_UNICAST_FLOOD,
+		       !!(p->flags & BR_FLOOD)) ||
+	    nla_put_u8(skb, IFLA_BRPORT_MCAST_FLOOD,
+		       !!(p->flags & BR_MCAST_FLOOD)) ||
 	    nla_put_u8(skb, IFLA_BRPORT_PROXYARP, !!(p->flags & BR_PROXYARP)) ||
 	    nla_put_u8(skb, IFLA_BRPORT_PROXYARP_WIFI,
 		       !!(p->flags & BR_PROXYARP_WIFI)) ||
@@ -630,6 +635,7 @@ static int br_setport(struct net_bridge_port *p, struct nlattr *tb[])
 	br_set_port_flag(p, tb, IFLA_BRPORT_PROTECT, BR_ROOT_BLOCK);
 	br_set_port_flag(p, tb, IFLA_BRPORT_LEARNING, BR_LEARNING);
 	br_set_port_flag(p, tb, IFLA_BRPORT_UNICAST_FLOOD, BR_FLOOD);
+	br_set_port_flag(p, tb, IFLA_BRPORT_MCAST_FLOOD, BR_MCAST_FLOOD);
 	br_set_port_flag(p, tb, IFLA_BRPORT_PROXYARP, BR_PROXYARP);
 	br_set_port_flag(p, tb, IFLA_BRPORT_PROXYARP_WIFI, BR_PROXYARP_WIFI);
 
diff --git a/net/bridge/br_sysfs_if.c b/net/bridge/br_sysfs_if.c
index 1e04d4d44273..e657258e1f2c 100644
--- a/net/bridge/br_sysfs_if.c
+++ b/net/bridge/br_sysfs_if.c
@@ -171,6 +171,7 @@ BRPORT_ATTR_FLAG(learning, BR_LEARNING);
 BRPORT_ATTR_FLAG(unicast_flood, BR_FLOOD);
 BRPORT_ATTR_FLAG(proxyarp, BR_PROXYARP);
 BRPORT_ATTR_FLAG(proxyarp_wifi, BR_PROXYARP_WIFI);
+BRPORT_ATTR_FLAG(multicast_flood, BR_MCAST_FLOOD);
 
 #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
 static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf)
-- 
2.1.4

Re: [PATCH net-next 1/2] net: bridge: change unicast boolean to exact pkt_type

[Stephen Hemminger]

On Tue, 30 Aug 2016 15:08:58 +0200
Nikolay Aleksandrov <nikolay@cumulusnetworks.com> wrote:

>  /* br_forward.c */
> +enum {
> +	BR_PKT_UNICAST,
> +	BR_PKT_MULTICAST,
> +	BR_PKT_BROADCAST
> +};
>  int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb);
>  void br_forward(const struct net_bridge_port *to, struct sk_buff *skb,
>  		bool local_rcv, bool local_orig);
>  int br_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb);
>  void br_flood(struct net_bridge *br, struct sk_buff *skb,
> -	      bool unicast, bool local_rcv, bool local_orig);
> +	      int pkt_type, bool local_rcv, bool local_orig);

Why not make pkt_type an enum value, you already have that infrastructure there.

enum br_pkt_type {
	BR_PKT_UNICAST,
...
};

void br_flood(struct net_bridge *br, struct sk_buff *skb,
              enum br_pkt_type pkt_type, ...

Re: [PATCH net-next 1/2] net: bridge: change unicast boolean to exact pkt_type

[Nikolay Aleksandrov via Bridge]

On 30/08/16 16:56, Stephen Hemminger wrote:
> On Tue, 30 Aug 2016 15:08:58 +0200
> Nikolay Aleksandrov <nikolay@cumulusnetworks.com> wrote:
> 
>>  /* br_forward.c */
>> +enum {
>> +	BR_PKT_UNICAST,
>> +	BR_PKT_MULTICAST,
>> +	BR_PKT_BROADCAST
>> +};
>>  int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb);
>>  void br_forward(const struct net_bridge_port *to, struct sk_buff *skb,
>>  		bool local_rcv, bool local_orig);
>>  int br_forward_finish(struct net *net, struct sock *sk, struct sk_buff *skb);
>>  void br_flood(struct net_bridge *br, struct sk_buff *skb,
>> -	      bool unicast, bool local_rcv, bool local_orig);
>> +	      int pkt_type, bool local_rcv, bool local_orig);
> 
> Why not make pkt_type an enum value, you already have that infrastructure there.
> 
> enum br_pkt_type {
> 	BR_PKT_UNICAST,
> ...
> };
> 
> void br_flood(struct net_bridge *br, struct sk_buff *skb,
>               enum br_pkt_type pkt_type, ...
> 

sure, will change it to enum
v2 coming up

Re: [PATCH net-next 1/2] net: bridge: change unicast boolean to exact pkt_type

[Stephen Hemminger]

On Tue, 30 Aug 2016 15:08:58 +0200
Nikolay Aleksandrov <nikolay@cumulusnetworks.com> wrote:

> -	if (!is_broadcast_ether_addr(dest) && is_multicast_ether_addr(dest) &&
> -	    br_multicast_rcv(br, p, skb, vid))
> -		goto drop;
> +	local_rcv = !!(br->dev->flags & IFF_PROMISC);
local_rcv is needlessly initialized in existing code. Pls remove that.

> +	if (is_multicast_ether_addr(dest)) {
> +		/* by definition the broadcast is also a multicast address */
> +		if (is_broadcast_ether_addr(dest)) {
> +			pkt_type = BR_PKT_BROADCAST;
> +			local_rcv = true;
> +		} else {
> +			pkt_type = BR_PKT_MULTICAST;
> +			if (br_multicast_rcv(br, p, skb, vid))
> +				goto drop;
> +		}
> +	}
>


These could go after the BR_STATE_LEARNING check

>  	if (p->state == BR_STATE_LEARNING)
>  		goto drop;
>  
>  	BR_INPUT_SKB_CB(skb)->brdev = br->dev;
>  
> -	local_rcv = !!(br->dev->flags & IFF_PROMISC);
> -
>  	if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
>  		br_do_proxy_arp(skb, br, vid, p);
>

can't proxy_arp change what was a broadcast packet into a unicast packet?

Re: [PATCH net-next 1/2] net: bridge: change unicast boolean to exact pkt_type

[Nikolay Aleksandrov]

On 30/08/16 16:59, Stephen Hemminger wrote:
> On Tue, 30 Aug 2016 15:08:58 +0200
> Nikolay Aleksandrov <nikolay@cumulusnetworks.com> wrote:
> 
>> -	if (!is_broadcast_ether_addr(dest) && is_multicast_ether_addr(dest) &&
>> -	    br_multicast_rcv(br, p, skb, vid))
>> -		goto drop;
>> +	local_rcv = !!(br->dev->flags & IFF_PROMISC);
> local_rcv is needlessly initialized in existing code. Pls remove that.
> 

Please check again, I did remove it in this patch.

>> +	if (is_multicast_ether_addr(dest)) {
>> +		/* by definition the broadcast is also a multicast address */
>> +		if (is_broadcast_ether_addr(dest)) {
>> +			pkt_type = BR_PKT_BROADCAST;
>> +			local_rcv = true;
>> +		} else {
>> +			pkt_type = BR_PKT_MULTICAST;
>> +			if (br_multicast_rcv(br, p, skb, vid))
>> +				goto drop;
>> +		}
>> +	}
>>
> 
> 
> These could go after the BR_STATE_LEARNING check

They can't because of br_multicast_rcv().

> 
>>  	if (p->state == BR_STATE_LEARNING)
>>  		goto drop;
>>  
>>  	BR_INPUT_SKB_CB(skb)->brdev = br->dev;
>>  
>> -	local_rcv = !!(br->dev->flags & IFF_PROMISC);
>> -
>>  	if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
>>  		br_do_proxy_arp(skb, br, vid, p);
>>
> 
> can't proxy_arp change what was a broadcast packet into a unicast packet?
> 

Re: [PATCH net-next 1/2] net: bridge: change unicast boolean to exact pkt_type

[Nikolay Aleksandrov via Bridge]

On 30/08/16 17:00, Nikolay Aleksandrov wrote:
> On 30/08/16 16:59, Stephen Hemminger wrote:
[snip]
>>>  	if (p->state == BR_STATE_LEARNING)
>>>  		goto drop;
>>>  
>>>  	BR_INPUT_SKB_CB(skb)->brdev = br->dev;
>>>  
>>> -	local_rcv = !!(br->dev->flags & IFF_PROMISC);
>>> -
>>>  	if (IS_ENABLED(CONFIG_INET) && skb->protocol == htons(ETH_P_ARP))
>>>  		br_do_proxy_arp(skb, br, vid, p);
>>>
>>
>> can't proxy_arp change what was a broadcast packet into a unicast packet?
>>
> 

Sorry I missed this question, no it shouldn't be possible. The proxy arp
code only inspects the skb and acts accordingly, it doesn't do any
modifications IIRC.