| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Oct 2022 17:20:36 +0200
From: Hans Schultz <netdev@...io-technology.com>
To: davem@...emloft.net, kuba@...nel.org
Cc: netdev@...r.kernel.org, Hans Schultz <netdev@...io-technology.com>,
Florian Fainelli <f.fainelli@...il.com>,
Andrew Lunn <andrew@...n.ch>,
Vivien Didelot <vivien.didelot@...il.com>,
Vladimir Oltean <olteanv@...il.com>,
Eric Dumazet <edumazet@...gle.com>,
Paolo Abeni <pabeni@...hat.com>,
Kurt Kanzenbach <kurt@...utronix.de>,
Hauke Mehrtens <hauke@...ke-m.de>,
Woojung Huh <woojung.huh@...rochip.com>,
UNGLinuxDriver@...rochip.com, Sean Wang <sean.wang@...iatek.com>,
Landen Chao <Landen.Chao@...iatek.com>,
DENG Qingfang <dqfext@...il.com>,
Matthias Brugger <matthias.bgg@...il.com>,
Claudiu Manoil <claudiu.manoil@....com>,
Alexandre Belloni <alexandre.belloni@...tlin.com>,
Jiri Pirko <jiri@...nulli.us>,
Ivan Vecera <ivecera@...hat.com>,
Roopa Prabhu <roopa@...dia.com>,
Nikolay Aleksandrov <razor@...ckwall.org>,
Shuah Khan <shuah@...nel.org>,
Russell King <linux@...linux.org.uk>,
Christian Marangi <ansuelsmth@...il.com>,
Daniel Borkmann <daniel@...earbox.net>,
Yuwei Wang <wangyuweihx@...il.com>,
Petr Machata <petrm@...dia.com>,
Ido Schimmel <idosch@...dia.com>,
Florent Fourcot <florent.fourcot@...irst.fr>,
Hans Schultz <schultz.hans@...il.com>,
Joachim Wiberg <troglobit@...il.com>,
Amit Cohen <amcohen@...dia.com>, linux-kernel@...r.kernel.org,
linux-arm-kernel@...ts.infradead.org,
linux-mediatek@...ts.infradead.org,
bridge@...ts.linux-foundation.org, linux-kselftest@...r.kernel.org
Subject: [PATCH v2 iproute2-next 4/4] bridge: fdb: enable FDB blackhole feature
Block traffic to a specific host with the command:
bridge fdb add <MAC> vlan <vid> dev br0 blackhole
Blackhole FDB entries can be added, deleted and replaced with
ordinary FDB entries.
Example with output:
$ bridge fdb add 10:10:10:10:10:10 dev br0 blackhole
$ bridge -d fdb show dev br0
10:10:10:10:10:10 vlan 1 blackhole master br0 permanent
10:10:10:10:10:10 blackhole master br0 permanent
$ bridge -d -j -p fdb show dev br0
[ {
"mac": "10:10:10:10:10:10",
"vlan": 1,
"flags": [ "blackhole" ],
"master": "br0",
"state": "permanent"
},{
"mac": "10:10:10:10:10:10",
"flags": [ "blackhole" ],
"master": "br0",
"state": "permanent"
} ]
Signed-off-by: Hans Schultz <netdev@...io-technology.com>
---
bridge/fdb.c | 13 ++++++++++++-
man/man8/bridge.8 | 12 ++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/bridge/fdb.c b/bridge/fdb.c
index f1f0a5bb..1c8c50a8 100644
--- a/bridge/fdb.c
+++ b/bridge/fdb.c
@@ -38,7 +38,7 @@ static void usage(void)
fprintf(stderr,
"Usage: bridge fdb { add | append | del | replace } ADDR dev DEV\n"
" [ self ] [ master ] [ use ] [ router ] [ extern_learn ]\n"
- " [ sticky ] [ local | static | dynamic ] [ vlan VID ]\n"
+ " [ sticky ] [ local | static | dynamic ] [ blackhole ] [ vlan VID ]\n"
" { [ dst IPADDR ] [ port PORT] [ vni VNI ] | [ nhid NHID ] }\n"
" [ via DEV ] [ src_vni VNI ]\n"
" bridge fdb [ show [ br BRDEV ] [ brport DEV ] [ vlan VID ]\n"
@@ -116,6 +116,9 @@ static void fdb_print_flags(FILE *fp, unsigned int flags, __u8 ext_flags)
if (flags & NTF_STICKY)
print_string(PRINT_ANY, NULL, "%s ", "sticky");
+ if (ext_flags & NTF_EXT_BLACKHOLE)
+ print_string(PRINT_ANY, NULL, "%s ", "blackhole");
+
if (ext_flags & NTF_EXT_LOCKED)
print_string(PRINT_ANY, NULL, "%s ", "locked");
@@ -421,6 +424,7 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
char *endptr;
short vid = -1;
__u32 nhid = 0;
+ __u32 ext_flags = 0;
while (argc > 0) {
if (strcmp(*argv, "dev") == 0) {
@@ -492,6 +496,8 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
req.ndm.ndm_flags |= NTF_EXT_LEARNED;
} else if (matches(*argv, "sticky") == 0) {
req.ndm.ndm_flags |= NTF_STICKY;
+ } else if (matches(*argv, "blackhole") == 0) {
+ ext_flags |= NTF_EXT_BLACKHOLE;
} else {
if (strcmp(*argv, "to") == 0)
NEXT_ARG();
@@ -534,6 +540,11 @@ static int fdb_modify(int cmd, int flags, int argc, char **argv)
if (dst_ok)
addattr_l(&req.n, sizeof(req), NDA_DST, &dst.data, dst.bytelen);
+ if (ext_flags &&
+ addattr_l(&req.n, sizeof(req), NDA_FLAGS_EXT, &ext_flags,
+ sizeof(ext_flags)) < 0)
+ return -1;
+
if (vid >= 0)
addattr16(&req.n, sizeof(req), NDA_VLAN, vid);
if (nhid > 0)
diff --git a/man/man8/bridge.8 b/man/man8/bridge.8
index f4f1d807..0119a2a9 100644
--- a/man/man8/bridge.8
+++ b/man/man8/bridge.8
@@ -85,6 +85,13 @@ bridge \- show / manipulate bridge addresses and devices
.B nhid
.IR NHID " } "
+.ti -8
+.BR "bridge fdb" " { " add " | " del " } "
+.I LLADR
+.B dev
+.IR BRDEV " [ "
+.BR self " ] [ " local " ] [ " blackhole " ] "
+
.ti -8
.BR "bridge fdb" " [ [ " show " ] [ "
.B br
@@ -701,6 +708,11 @@ controller learnt dynamic entry. Kernel will not age such an entry.
- this entry will not change its port due to learning.
.sp
+.B blackhole
+- this entry will silently discard all matching packets. The entry must
+be added as a local permanent entry.
+.sp
+
.in -8
The next command line parameters apply only
when the specified device
--
2.34.1
Powered by blists - more mailing lists