[PATCH] net: macvlan: fix multicast delivery to bridge ports with shared source MAC

[PATCH] net: macvlan: fix multicast delivery to bridge ports with shared source MAC

[Kibaek Yoo]

When a macvlan interface in bridge mode shares its MAC address with an
external source (e.g., VRRP virtual MAC), incoming multicast frames
from that external source are incorrectly identified as locally
originated. macvlan_hash_lookup() matches the source MAC to a local
macvlan, causing macvlan_multicast_rx() to skip delivery to bridge
ports under the assumption they already received the frame during
transmission.

This assumption fails for protocols like VRRP where multiple hosts
legitimately share the same virtual MAC address. The local macvlan
never transmitted the frame, so bridge ports never saw it, yet the
multicast is not delivered to them.

Fix this by passing NULL as the source device and including
MACVLAN_MODE_BRIDGE in the mode mask for the else branch of
macvlan_multicast_rx(). This ensures all VEPA and bridge mode macvlan
interfaces receive incoming multicast regardless of source MAC
matching. The trade-off is that looped-back locally-originated
multicasts may be delivered to bridge ports a second time, but
multicast consumers already handle duplicate frames.

Signed-off-by: Kibaek Yoo <psykibaek@gmail.com>
---
 drivers/net/macvlan.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index a71f058ec..ea22909cb 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -313,11 +313,15 @@ static void macvlan_multicast_rx(const struct macvlan_port *port,
 				  MACVLAN_MODE_BRIDGE);
 	else
 		/*
-		 * flood only to VEPA ports, bridge ports
-		 * already saw the frame on the way out.
+		 * Flood to VEPA and bridge ports. We cannot distinguish
+		 * a looped-back locally-originated multicast from one
+		 * sent by an external source sharing the same source MAC
+		 * (e.g., VRRP virtual MAC), so deliver to bridge ports
+		 * as well to ensure correct reception in all cases.
 		 */
-		macvlan_broadcast(skb, port, src->dev,
-				  MACVLAN_MODE_VEPA);
+		macvlan_broadcast(skb, port, NULL,
+				  MACVLAN_MODE_VEPA |
+				  MACVLAN_MODE_BRIDGE);
 }
 
 static void macvlan_process_broadcast(struct work_struct *w)
-- 
2.50.1 (Apple Git-155)

Re: [PATCH] net: macvlan: fix multicast delivery to bridge ports with shared source MAC

[Jakub Kicinski]

On Wed, 25 Feb 2026 19:00:24 +0900 Kibaek Yoo wrote:
> When a macvlan interface in bridge mode shares its MAC address with an
> external source (e.g., VRRP virtual MAC), incoming multicast frames
> from that external source are incorrectly identified as locally
> originated. macvlan_hash_lookup() matches the source MAC to a local
> macvlan, causing macvlan_multicast_rx() to skip delivery to bridge
> ports under the assumption they already received the frame during
> transmission.
> 
> This assumption fails for protocols like VRRP where multiple hosts
> legitimately share the same virtual MAC address. The local macvlan
> never transmitted the frame, so bridge ports never saw it, yet the
> multicast is not delivered to them.
> 
> Fix this by passing NULL as the source device and including
> MACVLAN_MODE_BRIDGE in the mode mask for the else branch of

The change looks fine, AFAICT. But please rephrase the commit message
to avoid making it sound like a fix. The VRRP use case is rather odd
and it was simply not supported earlier. Now you're adding support 
with the tradeoff you note below. We don't want AI-based backporting
bots to pull this into LTS.

Please try to add a test case for your use case in selftests.

> macvlan_multicast_rx(). This ensures all VEPA and bridge mode macvlan
> interfaces receive incoming multicast regardless of source MAC
> matching. The trade-off is that looped-back locally-originated
> multicasts may be delivered to bridge ports a second time, but
> multicast consumers already handle duplicate frames.
-- 
pw-bot: cr

[PATCH v2 1/2] net: macvlan: support multicast rx for bridge ports with shared source MAC

[Kibaek Yoo]

Macvlan bridge mode currently does not handle the case where an
external source shares its MAC address with a local macvlan interface.
When such a frame arrives, macvlan_hash_lookup() matches the source
MAC to the local macvlan, and macvlan_multicast_rx() assumes bridge
ports already received the frame during local transmission. Since the
frame actually originated externally, bridge ports never saw it.

This situation arises with protocols like VRRP, where multiple hosts
use the same virtual MAC address.

Support this by passing NULL as the source device and including
MACVLAN_MODE_BRIDGE in the mode mask for the else branch of
macvlan_multicast_rx(). This ensures all VEPA and bridge mode macvlan
interfaces receive incoming multicast regardless of source MAC
matching. The trade-off is that looped-back locally-originated
multicasts may be delivered to bridge ports a second time, but
multicast consumers already handle duplicate frames.

Signed-off-by: Kibaek Yoo <psykibaek@gmail.com>
---
 drivers/net/macvlan.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/net/macvlan.c b/drivers/net/macvlan.c
index a71f058eceef0..ea22909cb09de 100644
--- a/drivers/net/macvlan.c
+++ b/drivers/net/macvlan.c
@@ -313,11 +313,15 @@ static void macvlan_multicast_rx(const struct macvlan_port *port,
 				  MACVLAN_MODE_BRIDGE);
 	else
 		/*
-		 * flood only to VEPA ports, bridge ports
-		 * already saw the frame on the way out.
+		 * Flood to VEPA and bridge ports. We cannot distinguish
+		 * a looped-back locally-originated multicast from one
+		 * sent by an external source sharing the same source MAC
+		 * (e.g., VRRP virtual MAC), so deliver to bridge ports
+		 * as well to ensure correct reception in all cases.
 		 */
-		macvlan_broadcast(skb, port, src->dev,
-				  MACVLAN_MODE_VEPA);
+		macvlan_broadcast(skb, port, NULL,
+				  MACVLAN_MODE_VEPA |
+				  MACVLAN_MODE_BRIDGE);
 }
 
 static void macvlan_process_broadcast(struct work_struct *w)
-- 
2.50.1 (Apple Git-155)

[PATCH v2 2/2] selftests: net: add macvlan multicast test for shared source MAC

[Kibaek Yoo]

Add a selftest that verifies multicast delivery to a macvlan bridge
port when the source MAC of the incoming frame matches the macvlan's
own MAC address.

This scenario occurs with protocols like VRRP where multiple hosts
share the same virtual MAC address. Without the corresponding kernel
change, macvlan bridge mode does not handle this case and the
multicast frame is not delivered.

Signed-off-by: Kibaek Yoo <psykibaek@gmail.com>
---
 tools/testing/selftests/net/Makefile          |  1 +
 .../selftests/net/macvlan_mcast_shared_mac.sh | 93 +++++++++++++++++++
 2 files changed, 94 insertions(+)
 create mode 100755 tools/testing/selftests/net/macvlan_mcast_shared_mac.sh

diff --git a/tools/testing/selftests/net/Makefile b/tools/testing/selftests/net/Makefile
index afdea6d95bde0..c12f6f600ee5e 100644
--- a/tools/testing/selftests/net/Makefile
+++ b/tools/testing/selftests/net/Makefile
@@ -54,6 +54,7 @@ TEST_PROGS := \
 	l2tp.sh \
 	link_netns.py \
 	lwt_dst_cache_ref_loop.sh \
+	macvlan_mcast_shared_mac.sh \
 	msg_zerocopy.sh \
 	nat6to4.sh \
 	ndisc_unsolicited_na_test.sh \
diff --git a/tools/testing/selftests/net/macvlan_mcast_shared_mac.sh b/tools/testing/selftests/net/macvlan_mcast_shared_mac.sh
new file mode 100755
index 0000000000000..ff5b893472474
--- /dev/null
+++ b/tools/testing/selftests/net/macvlan_mcast_shared_mac.sh
@@ -0,0 +1,93 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+#
+# Test multicast delivery to macvlan bridge ports when the source MAC
+# matches the macvlan's own MAC address (e.g., VRRP virtual MAC shared
+# across multiple hosts).
+#
+# Topology:
+#
+#   NS_SRC                          NS_BRIDGE
+#   veth_src (SHARED_MAC) <----->  veth_dst
+#                                     |
+#                                     +-- macvlan0 (bridge mode, SHARED_MAC)
+#
+# A multicast packet sent from NS_SRC with source MAC equal to
+# macvlan0's MAC must still be delivered to macvlan0.
+
+source lib.sh
+
+SHARED_MAC="00:00:5e:00:01:01"
+MCAST_ADDR="239.0.0.1"
+
+setup() {
+	setup_ns NS_SRC NS_BRIDGE
+
+	ip -net "${NS_BRIDGE}" link add veth_dst type veth \
+		peer name veth_src netns "${NS_SRC}"
+
+	ip -net "${NS_SRC}" link set veth_src address "${SHARED_MAC}"
+	ip -net "${NS_SRC}" link set veth_src up
+	ip -net "${NS_SRC}" addr add 192.168.1.1/24 dev veth_src
+
+	ip -net "${NS_BRIDGE}" link set veth_dst up
+
+	ip -net "${NS_BRIDGE}" link add macvlan0 link veth_dst \
+		type macvlan mode bridge
+	ip -net "${NS_BRIDGE}" link set macvlan0 address "${SHARED_MAC}"
+	ip -net "${NS_BRIDGE}" link set macvlan0 up
+	ip -net "${NS_BRIDGE}" addr add 192.168.1.2/24 dev macvlan0
+
+	# Accept all multicast so the mc_filter passes for any group.
+	ip -net "${NS_BRIDGE}" link set macvlan0 allmulticast on
+}
+
+cleanup() {
+	rm -f "${CAPFILE}" "${CAPOUT}"
+	cleanup_ns "${NS_SRC}" "${NS_BRIDGE}"
+}
+
+test_macvlan_mcast_shared_mac() {
+	CAPFILE=$(mktemp)
+	CAPOUT=$(mktemp)
+
+	echo "Testing multicast delivery to macvlan with shared source MAC"
+
+	# Listen for one ICMP packet on macvlan0.
+	timeout 5s ip netns exec "${NS_BRIDGE}" \
+		tcpdump -i macvlan0 -c 1 -w "${CAPFILE}" icmp &> "${CAPOUT}" &
+	local pid=$!
+	if ! slowwait 1 grep -qs "listening" "${CAPOUT}"; then
+		echo "[FAIL] tcpdump did not start listening"
+		return "${ksft_fail}"
+	fi
+
+	# Send multicast ping from NS_SRC; source MAC equals macvlan0's MAC.
+	ip netns exec "${NS_SRC}" \
+		ping -W 0.1 -c 3 -I veth_src "${MCAST_ADDR}" &> /dev/null
+
+	wait "${pid}"
+
+	local count
+	count=$(tcpdump -r "${CAPFILE}" 2>/dev/null | wc -l)
+	if [[ "${count}" -ge 1 ]]; then
+		echo "[ OK ]"
+		return "${ksft_pass}"
+	else
+		echo "[FAIL] expected at least 1 ICMP packet on macvlan0," \
+			"got ${count}"
+		return "${ksft_fail}"
+	fi
+}
+
+if [ ! -x "$(command -v tcpdump)" ]; then
+	echo "SKIP: Could not run test without tcpdump tool"
+	exit "${ksft_skip}"
+fi
+
+trap cleanup EXIT
+
+setup
+test_macvlan_mcast_shared_mac
+
+exit $?
-- 
2.50.1 (Apple Git-155)

Re: [PATCH v2 1/2] net: macvlan: support multicast rx for bridge ports with shared source MAC

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net-next.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Sat, 28 Feb 2026 16:16:12 +0900 you wrote:
> Macvlan bridge mode currently does not handle the case where an
> external source shares its MAC address with a local macvlan interface.
> When such a frame arrives, macvlan_hash_lookup() matches the source
> MAC to the local macvlan, and macvlan_multicast_rx() assumes bridge
> ports already received the frame during local transmission. Since the
> frame actually originated externally, bridge ports never saw it.
> 
> [...]

Here is the summary with links:
  - [v2,1/2] net: macvlan: support multicast rx for bridge ports with shared source MAC
    https://git.kernel.org/netdev/net-next/c/b52363f706e5
  - [v2,2/2] selftests: net: add macvlan multicast test for shared source MAC
    https://git.kernel.org/netdev/net-next/c/4ad96a7c9e2c

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html