Module Name: src Committed By: ozaki-r Date: Tue Sep 3 07:59:48 UTC 2024
Modified Files: src/sys/net: if_bridge.c if_bridgevar.h Log Message: bridge: implement interface protection It enables a feature similar to "protected-port" or "isolation" in some router products by marking member interfaces protected; when a frame arrives on a protected interface and is being forwarded to another protected interface, the frame will be discarded. The code is developed by the SEIL team at IIJ. To generate a diff of this commit: cvs rdiff -u -r1.193 -r1.194 src/sys/net/if_bridge.c cvs rdiff -u -r1.38 -r1.39 src/sys/net/if_bridgevar.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/net/if_bridge.c diff -u src/sys/net/if_bridge.c:1.193 src/sys/net/if_bridge.c:1.194 --- src/sys/net/if_bridge.c:1.193 Tue Jul 16 03:35:38 2024 +++ src/sys/net/if_bridge.c Tue Sep 3 07:59:48 2024 @@ -1,4 +1,4 @@ -/* $NetBSD: if_bridge.c,v 1.193 2024/07/16 03:35:38 ozaki-r Exp $ */ +/* $NetBSD: if_bridge.c,v 1.194 2024/09/03 07:59:48 ozaki-r Exp $ */ /* * Copyright 2001 Wasabi Systems, Inc. @@ -80,7 +80,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: if_bridge.c,v 1.193 2024/07/16 03:35:38 ozaki-r Exp $"); +__KERNEL_RCSID(0, "$NetBSD: if_bridge.c,v 1.194 2024/09/03 07:59:48 ozaki-r Exp $"); #ifdef _KERNEL_OPT #include "opt_inet.h" @@ -102,6 +102,7 @@ __KERNEL_RCSID(0, "$NetBSD: if_bridge.c, #include <sys/cprng.h> #include <sys/mutex.h> #include <sys/kmem.h> +#include <sys/syslog.h> #include <net/bpf.h> #include <net/if.h> @@ -247,7 +248,7 @@ static void bridge_forward(struct bridge static void bridge_timer(void *); -static void bridge_broadcast(struct bridge_softc *, struct ifnet *, +static void bridge_broadcast(struct bridge_softc *, struct ifnet *, bool, struct mbuf *); static int bridge_rtupdate(struct bridge_softc *, const uint8_t *, @@ -1014,6 +1015,18 @@ bridge_ioctl_sifflags(struct bridge_soft } } + if (bif->bif_flags & IFBIF_PROTECTED) { + if ((req->ifbr_ifsflags & IFBIF_PROTECTED) == 0) { + log(LOG_INFO, "%s: disabling protection on %s\n", + sc->sc_if.if_xname, bif->bif_ifp->if_xname); + } + } else { + if (req->ifbr_ifsflags & IFBIF_PROTECTED) { + log(LOG_INFO, "%s: enabling protection on %s\n", + sc->sc_if.if_xname, bif->bif_ifp->if_xname); + } + } + bif->bif_flags = req->ifbr_ifsflags; bridge_release_member(sc, bif, &psref); @@ -1798,6 +1811,7 @@ bridge_forward(struct bridge_softc *sc, struct psref psref; struct psref psref_src; DECLARE_LOCK_VARIABLE; + bool src_if_protected; if ((sc->sc_if.if_flags & IFF_RUNNING) == 0) return; 
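Review bot: The enable/disable transition test in bridge_ioctl_sifflags is written as two nested ifs that each repeat the same log() call; the transition reads more directly as one test, `if ((bif->bif_flags ^ req->ifbr_ifsflags) & IFBIF_PROTECTED)`, followed by a single log() whose verb is chosen by `(req->ifbr_ifsflags & IFBIF_PROTECTED) ? "enabling" : "disabling"`. The log() is unthrottled, which is fine only if this ioctl path is reachable solely with privilege; the hunk does not show that, so it is worth confirming, since otherwise a flag-toggle loop becomes a kernel-log flood. bridge_ioctl_sifflags starts and ends outside the hunk.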
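Review bot: The new local `bool src_if_protected;` in bridge_forward is declared without an initializer and is only assigned in the later -1858 hunk, after several early `goto out` paths; every use visible on the page comes after that assignment, but writing `bool src_if_protected = false;` at the declaration keeps the variable well-defined if a future early path reads it and avoids maybe-uninitialized warnings. The function body continues outside the hunk.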
@@ -1858,6 +1872,8 @@ bridge_forward(struct bridge_softc *sc, goto out; } + src_if_protected = ((bif->bif_flags & IFBIF_PROTECTED) != 0); + bridge_release_member(sc, bif, &psref); /* @@ -1889,7 +1905,7 @@ bridge_forward(struct bridge_softc *sc, goto out; if (dst_if == NULL) { - bridge_broadcast(sc, src_if, m); + bridge_broadcast(sc, src_if, src_if_protected, m); goto out; } @@ -1922,6 +1938,12 @@ bridge_forward(struct bridge_softc *sc, } } + if ((bif->bif_flags & IFBIF_PROTECTED) && src_if_protected) { + m_freem(m); + bridge_release_member(sc, bif, &psref); + goto out; + } + bridge_release_member(sc, bif, &psref); /* @@ -2101,7 +2123,7 @@ out: */ static void bridge_broadcast(struct bridge_softc *sc, struct ifnet *src_if, - struct mbuf *m) + bool src_if_protected, struct mbuf *m) { struct bridge_iflist *bif; struct mbuf *mc; @@ -2136,6 +2158,11 @@ bridge_broadcast(struct bridge_softc *sc goto next; if (dst_if != src_if) { + if ((bif->bif_flags & IFBIF_PROTECTED) && + src_if_protected) { + goto next; + } + mc = m_copypacket(m, M_DONTWAIT); if (mc == NULL) { if_statinc(&sc->sc_if, if_oerrors); Index: src/sys/net/if_bridgevar.h diff -u src/sys/net/if_bridgevar.h:1.38 src/sys/net/if_bridgevar.h:1.39 --- src/sys/net/if_bridgevar.h:1.38 Tue Jul 16 03:35:38 2024 +++ src/sys/net/if_bridgevar.h Tue Sep 3 07:59:48 2024 @@ -1,4 +1,4 @@ -/* $NetBSD: if_bridgevar.h,v 1.38 2024/07/16 03:35:38 ozaki-r Exp $ */ +/* $NetBSD: if_bridgevar.h,v 1.39 2024/09/03 07:59:48 ozaki-r Exp $ */ /* * Copyright 2001 Wasabi Systems, Inc. 
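Review bot: The protected-to-protected drop in bridge_forward frees the frame silently: no counter is bumped and no comment states the policy, so an operator cannot distinguish an isolation drop from a lost frame. A comment at the check, `/* Port isolation: never forward between two protected members. */`, plus a drop statistic (none exists on the page, so it would be new) would make the policy observable; the same silent `goto next` in the bridge_broadcast hunk at -2136 deserves the same treatment. Both places test the identical `(bif->bif_flags & IFBIF_PROTECTED) && src_if_protected` condition, so a small static inline predicate shared by both would keep the policy in one place. bridge_forward continues outside the hunk.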
@@ -130,8 +130,9 @@ struct ifbreq {
 #define IFBIF_LEARNING 0x01 /* if can learn */
 #define IFBIF_DISCOVER 0x02 /* if sends packets w/ unknown dest. */
 #define IFBIF_STP 0x04 /* if participates in spanning tree */
+#define IFBIF_PROTECTED 0x08 /* if participates in protected mode */
 
-#define IFBIFBITS "\020\1LEARNING\2DISCOVER\3STP"
+#define IFBIFBITS "\020\1LEARNING\2DISCOVER\3STP\4PROTECTED"
 
 /* BRDGFLUSH */
 #define IFBF_FLUSHDYN 0x00 /* flush learned addresses only */
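Review bot: The comment on `IFBIF_PROTECTED`, "if participates in protected mode", does not say what the flag does; the behaviour implemented in if_bridge.c is that a frame received on a protected member is never forwarded to another protected member, and the comment should state that, e.g. `/* if is protected: never forward to other protected ifs */`. The IFBIFBITS update is consistent with the new bit position.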