Date:   Tue,  3 Jul 2018 15:42:42 +0300
From:   Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
To:     netdev@...r.kernel.org
Cc:     roopa@...ulusnetworks.com, dsahern@...nel.org, idosch@...lanox.com,
        stephen@...workplumber.org,
        Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
Subject: [PATCH iproute2 net-next] bridge: add support for isolated option

This patch adds support for the new isolated port option which, if set,
would allow the isolated ports to communicate only with non-isolated
ports and the bridge device. The option can be set via the bridge or ip
link type bridge_slave commands, e.g.:
$ ip link set dev eth0 type bridge_slave isolated on
$ bridge link set dev eth0 isolated on

Signed-off-by: Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
---
 bridge/link.c            | 11 +++++++++++
 ip/iplink_bridge_slave.c |  9 +++++++++
 man/man8/bridge.8        |  6 ++++++
 man/man8/ip-link.8.in    |  6 ++++--
 4 files changed, 30 insertions(+), 2 deletions(-)

diff --git a/bridge/link.c b/bridge/link.c
index 8d89aca2e638..9656ca338782 100644
--- a/bridge/link.c
+++ b/bridge/link.c
@@ -152,6 +152,9 @@ static void print_protinfo(FILE *fp, struct rtattr *attr)
 		if (prtb[IFLA_BRPORT_VLAN_TUNNEL])
 			print_onoff(fp, "vlan_tunnel",
 				    rta_getattr_u8(prtb[IFLA_BRPORT_VLAN_TUNNEL]));
+		if (prtb[IFLA_BRPORT_ISOLATED])
+			print_onoff(fp, "isolated",
+				    rta_getattr_u8(prtb[IFLA_BRPORT_ISOLATED]));
 	} else
 		print_portstate(rta_getattr_u8(attr));
 }
@@ -250,6 +253,7 @@ static void usage(void)
 	fprintf(stderr,	"                               [ mcast_flood {on | off} ]\n");
 	fprintf(stderr,	"                               [ neigh_suppress {on | off} ]\n");
 	fprintf(stderr,	"                               [ vlan_tunnel {on | off} ]\n");
+	fprintf(stderr,	"                               [ isolated {on | off} ]\n");
 	fprintf(stderr, "                               [ hwmode {vepa | veb} ]\n");
 	fprintf(stderr, "                               [ self ] [ master ]\n");
 	fprintf(stderr, "       bridge link show [dev DEV]\n");
@@ -291,6 +295,7 @@ static int brlink_modify(int argc, char **argv)
 	__s8 flood = -1;
 	__s8 vlan_tunnel = -1;
 	__s8 mcast_flood = -1;
+	__s8 isolated = -1;
 	__s8 hairpin = -1;
 	__s8 bpdu_guard = -1;
 	__s8 fast_leave = -1;
@@ -386,6 +391,10 @@ static int brlink_modify(int argc, char **argv)
 			if (!on_off("vlan_tunnel", &vlan_tunnel,
 				    *argv))
 				return -1;
+		} else if (strcmp(*argv, "isolated") == 0) {
+			NEXT_ARG();
+			if (!on_off("isolated", &isolated, *argv))
+				return -1;
 		} else {
 			usage();
 		}
@@ -444,6 +453,8 @@ static int brlink_modify(int argc, char **argv)
 	if (vlan_tunnel != -1)
 		addattr8(&req.n, sizeof(req), IFLA_BRPORT_VLAN_TUNNEL,
 			 vlan_tunnel);
+	if (isolated != -1)
+		addattr8(&req.n, sizeof(req), IFLA_BRPORT_ISOLATED, isolated);
 
 	addattr_nest_end(&req.n, nest);
 
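Review bot: The `addattr8(&req.n, sizeof(req), IFLA_BRPORT_ISOLATED, isolated)` call gives the user no way to tell whether the kernel actually applied the flag. A kernel that predates this attribute may accept the request and ignore the attribute (inferred, not visible in the hunk), so `isolated on` could report success while isolation is not in effect. Since operators will rely on this as a traffic-separation control, I would add a comment here such as `/* older kernels may ignore IFLA_BRPORT_ISOLATED without error; read the flag back to confirm */` and state the same caveat in the man page text. The same applies to the `bridge_slave_parse_on_off("isolated", ...)` call added in ip/iplink_bridge_slave.c. brlink_modify starts and ends outside this hunk.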
diff --git a/ip/iplink_bridge_slave.c b/ip/iplink_bridge_slave.c
index 3fbfb878cdc4..5a6e48559781 100644
--- a/ip/iplink_bridge_slave.c
+++ b/ip/iplink_bridge_slave.c
@@ -40,6 +40,7 @@ static void print_explain(FILE *f)
 		"                        [ group_fwd_mask MASK ]\n"
 		"                        [ neigh_suppress {on | off} ]\n"
 		"                        [ vlan_tunnel {on | off} ]\n"
+		"                        [ isolated {on | off} ]\n"
 	);
 }
 
@@ -274,6 +275,10 @@ static void bridge_slave_print_opt(struct link_util *lu, FILE *f,
 	if (tb[IFLA_BRPORT_VLAN_TUNNEL])
 		_print_onoff(f, "vlan_tunnel", "vlan_tunnel",
 			     rta_getattr_u8(tb[IFLA_BRPORT_VLAN_TUNNEL]));
+
+	if (tb[IFLA_BRPORT_ISOLATED])
+		_print_onoff(f, "isolated", "isolated",
+			     rta_getattr_u8(tb[IFLA_BRPORT_ISOLATED]));
 }
 
 static void bridge_slave_parse_on_off(char *arg_name, char *arg_val,
@@ -379,6 +384,10 @@ static int bridge_slave_parse_opt(struct link_util *lu, int argc, char **argv,
 			NEXT_ARG();
 			bridge_slave_parse_on_off("vlan_tunnel", *argv, n,
 						  IFLA_BRPORT_VLAN_TUNNEL);
+		} else if (matches(*argv, "isolated") == 0) {
+			NEXT_ARG();
+			bridge_slave_parse_on_off("isolated", *argv, n,
+						  IFLA_BRPORT_ISOLATED);
 		} else if (matches(*argv, "help") == 0) {
 			explain();
 			return -1;
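Review bot: The new branch tests `matches(*argv, "isolated") == 0`, while bridge/link.c in the same patch tests the same keyword with `strcmp`. If matches() accepts any leading prefix of the keyword, as it appears to elsewhere in iproute2, then which option an abbreviated argument selects depends on the order of this else-if chain, and the two tools accept different spellings for one option. For a flag that controls port isolation I would require the full word: `} else if (strcmp(*argv, "isolated") == 0) {`. The neighbouring branches use matches() as well, so this departs from the file's convention and is the maintainer's call. bridge_slave_parse_opt continues outside the hunk.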
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index e7f7148315e1..f6d228c5ebfe 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -48,6 +48,7 @@ bridge \- show / manipulate bridge addresses and devices
 .BR mcast_flood " { " on " | " off " } ] [ "
 .BR neigh_suppress " { " on " | " off " } ] [ "
 .BR vlan_tunnel " { " on " | " off " } ] [ "
+.BR isolated " { " on " | " off " } ] [ "
 .BR self " ] [ " master " ]"
 
 .ti -8
@@ -346,6 +347,11 @@ Controls whether neigh discovery (arp and nd) proxy and suppression is enabled o
 Controls whether vlan to tunnel mapping is enabled on the port. By default this flag is off.
 
 .TP
+.BR "isolated on " or " isolated off "
+Controls whether a given port will be isolated, which means it will be able to communicate with non-isolated ports only.
+By default this flag is off.
+
+.TP
 .BI self
 link setting is configured on specified physical device
 
diff --git a/man/man8/ip-link.8.in b/man/man8/ip-link.8.in
index 83ef3cae54b9..48c238660347 100644
--- a/man/man8/ip-link.8.in
+++ b/man/man8/ip-link.8.in
@@ -2049,9 +2049,11 @@ the following additional arguments are supported:
 ] [
 .BR group_fwd_mask " MASK"
 ] [
-.BR neigh_suppress " { " on " | " off " } ]"
+.BR neigh_suppress " { " on " | " off " }"
+] [
+.BR vlan_tunnel " { " on " | " off " }"
 ] [
-.BR vlan_tunnel " { " on " | " off " } ]"
+.BR isolated " { " on " | " off " } ]"
 
 .in +8
 .sp
-- 
2.11.0
