[PATCH 0/2] bridge: Two small fixes to vlan filtering code.

[PATCH 0/2] bridge: Two small fixes to vlan filtering code.

[Vladislav Yasevich]

This series corrects 2 small issues that I've ran across recently
while doing more work with vlan filtering changes.

Thanks
-vlad

Vlad Yasevich (1):
  bridge: Check if vlan filtering is enabled only once.
  bridge: Allow clearing of pvid and untagged bitmap

 net/bridge/br_private.h |  3 +++
 net/bridge/br_vlan.c    | 18 ++++++++++++++----
 2 files changed, 17 insertions(+), 4 deletions(-)

-- 
1.9.3

[PATCH 1/2] bridge: Check if vlan filtering is enabled only once.

[Vladislav Yasevich]

The bridge code checks if vlan filtering is enabled on both
ingress and egress.   When the state flip happens, it
is possible for the bridge to currently be forwarding packets
and forwarding behavior becomes non-deterministic.  Bridge
may drop packets on some interfaces, but not others.

This patch solves this by caching the filtered state of the
packet into skb_cb on ingress.  The skb_cb is guaranteed to
not be over-written between the time packet entres bridge
forwarding path and the time it leaves it.  On egress, we
can then check the cached state to see if we need to
apply filtering information.

Signed-off-by: Vladislav Yasevich <vyasevic@redhat.com>
---
Please consider for stable.

 net/bridge/br_private.h |  3 +++
 net/bridge/br_vlan.c    | 14 ++++++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 62a7fa2..b6c04cb 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -309,6 +309,9 @@ struct br_input_skb_cb {
 	int igmp;
 	int mrouters_only;
 #endif
+#ifdef CONFIG_BRIDGE_VLAN_FILTERING
+	bool vlan_filtered;
+#endif
 };
 
 #define BR_INPUT_SKB_CB(__skb)	((struct br_input_skb_cb *)(__skb)->cb)
diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index e1bcd65..f645197 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -125,7 +125,8 @@ struct sk_buff *br_handle_vlan(struct net_bridge *br,
 {
 	u16 vid;
 
-	if (!br->vlan_enabled)
+	/* If this packet was not filtered at input, let it pass */
+	if (!BR_INPUT_SKB_CB(skb)->vlan_filtered)
 		goto out;
 
 	/* Vlan filter table must be configured at this point.  The
@@ -164,8 +165,10 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
 	/* If VLAN filtering is disabled on the bridge, all packets are
 	 * permitted.
 	 */
-	if (!br->vlan_enabled)
+	if (!br->vlan_enabled) {
+		BR_INPUT_SKB_CB(skb)->vlan_filtered = false;
 		return true;
+	}
 
 	/* If there are no vlan in the permitted list, all packets are
 	 * rejected.
@@ -173,6 +176,7 @@ bool br_allowed_ingress(struct net_bridge *br, struct net_port_vlans *v,
 	if (!v)
 		goto drop;
 
+	BR_INPUT_SKB_CB(skb)->vlan_filtered = true;
 	proto = br->vlan_proto;
 
 	/* If vlan tx offload is disabled on bridge device and frame was
@@ -251,7 +255,8 @@ bool br_allowed_egress(struct net_bridge *br,
 {
 	u16 vid;
 
-	if (!br->vlan_enabled)
+	/* If this packet was not filtered at input, let it pass */
+	if (!BR_INPUT_SKB_CB(skb)->vlan_filtered)
 		return true;
 
 	if (!v)
@@ -270,7 +275,8 @@ bool br_should_learn(struct net_bridge_port *p, struct sk_buff *skb, u16 *vid)
 	struct net_bridge *br = p->br;
 	struct net_port_vlans *v;
 
-	if (!br->vlan_enabled)
+	/* If filtering was disabled at input, let it pass. */
+	if (!BR_INPUT_SKB_CB(skb)->vlan_filtered)
 		return true;
 
 	v = rcu_dereference(p->vlan_info);
-- 
1.9.3

[PATCH 2/2] bridge: Allow clearing of pvid and untagged bitmap

[Vladislav Yasevich]

From: Vlad Yasevich <vyasevic@redhat.com>

Currently, it is possible to modify the vlan filter
configuration to add pvid or untagged support.
For example:
  bridge vlan add vid 10 dev eth0
  bridge vlan add vid 10 dev eth0 untagged pvid

The second statement will modify vlan 10 to
include untagged and pvid configuration.
However, it is currently impossible to go backwards
  bridge vlan add vid 10 dev eth0 untagged pvid
  bridge vlan add vid 10 dev eth0

Here nothing happens.  This patch correct this so
that any modifiers not supplied are removed from
the configuration.

Signed-off-by: Vlad Yasevich <vyasevic@redhat.com>
---
 net/bridge/br_vlan.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/net/bridge/br_vlan.c b/net/bridge/br_vlan.c
index f645197..4b86738 100644
--- a/net/bridge/br_vlan.c
+++ b/net/bridge/br_vlan.c
@@ -27,9 +27,13 @@ static void __vlan_add_flags(struct net_port_vlans *v, u16 vid, u16 flags)
 {
 	if (flags & BRIDGE_VLAN_INFO_PVID)
 		__vlan_add_pvid(v, vid);
+	else
+		__vlan_delete_pvid(v, vid);
 
 	if (flags & BRIDGE_VLAN_INFO_UNTAGGED)
 		set_bit(vid, v->untagged_bitmap);
+	else
+		clear_bit(vid, v->untagged_bitmap);
 }
 
 static int __vlan_add(struct net_port_vlans *v, u16 vid, u16 flags)
-- 
1.9.3

Re: [PATCH 0/2] bridge: Two small fixes to vlan filtering code.

[David Miller]

From: Vladislav Yasevich <vyasevich@gmail.com>
Date: Fri, 12 Sep 2014 16:26:15 -0400

> This series corrects 2 small issues that I've ran across recently
> while doing more work with vlan filtering changes.

Series applied and patch #1 queue up for -stable.

Re: [PATCH 1/2] bridge: Check if vlan filtering is enabled only once.

[Toshiaki Makita]

(14/09/13 (土) 5:26), Vladislav Yasevich wrote:
> The bridge code checks if vlan filtering is enabled on both
> ingress and egress.   When the state flip happens, it
> is possible for the bridge to currently be forwarding packets
> and forwarding behavior becomes non-deterministic.  Bridge
> may drop packets on some interfaces, but not others.
> 
> This patch solves this by caching the filtered state of the
> packet into skb_cb on ingress.  The skb_cb is guaranteed to
> not be over-written between the time packet entres bridge
> forwarding path and the time it leaves it.  On egress, we
> can then check the cached state to see if we need to
> apply filtering information.
...
> @@ -270,7 +275,8 @@ bool br_should_learn(struct net_bridge_port *p, struct sk_buff *skb, u16 *vid)
>   	struct net_bridge *br = p->br;
>   	struct net_port_vlans *v;
>   
> -	if (!br->vlan_enabled)
> +	/* If filtering was disabled at input, let it pass. */
> +	if (!BR_INPUT_SKB_CB(skb)->vlan_filtered)
>   		return true;
>   
>   	v = rcu_dereference(p->vlan_info);
> 
I'm afraid br_should_learn() is not called after calling
br_allowed_ingress(), so vlan_filtered doesn't seem to be initialized at
this point.

Thanks,
Toshiaki Makita

Re: [PATCH 1/2] bridge: Check if vlan filtering is enabled only once.

[Vlad Yasevich]

On 09/14/2014 10:43 AM, Toshiaki Makita wrote:
> (14/09/13 (土) 5:26), Vladislav Yasevich wrote:
>> The bridge code checks if vlan filtering is enabled on both
>> ingress and egress.   When the state flip happens, it
>> is possible for the bridge to currently be forwarding packets
>> and forwarding behavior becomes non-deterministic.  Bridge
>> may drop packets on some interfaces, but not others.
>>
>> This patch solves this by caching the filtered state of the
>> packet into skb_cb on ingress.  The skb_cb is guaranteed to
>> not be over-written between the time packet entres bridge
>> forwarding path and the time it leaves it.  On egress, we
>> can then check the cached state to see if we need to
>> apply filtering information.
> ...
>> @@ -270,7 +275,8 @@ bool br_should_learn(struct net_bridge_port *p, struct sk_buff *skb, u16 *vid)
>>   	struct net_bridge *br = p->br;
>>   	struct net_port_vlans *v;
>>   
>> -	if (!br->vlan_enabled)
>> +	/* If filtering was disabled at input, let it pass. */
>> +	if (!BR_INPUT_SKB_CB(skb)->vlan_filtered)
>>   		return true;
>>   
>>   	v = rcu_dereference(p->vlan_info);
>>
> I'm afraid br_should_learn() is not called after calling
> br_allowed_ingress(), so vlan_filtered doesn't seem to be initialized at
> this point.
> 

You are right.  This the local input path so it can still use vlan_enabled. I'll resubmit.

Thanks
-vlad
> Thanks,
> Toshiaki Makita
>