• Vlad Yasevich's avatar
    bridge: Automatically manage port promiscuous mode. · 2796d0c6
    Vlad Yasevich authored
    There exist configurations where the administrator or another management
    entity has the foreknowledge of all the mac addresses of end systems
    that are being bridged together.
    
    In these environments, the administrator can statically configure known
    addresses in the bridge FDB and disable flooding and learning on ports.
    This makes it possible to turn off promiscuous mode on the interfaces
    connected to the bridge.
    
    Here is why disabling flooding and learning allows us to control
    promiscuity:
     Consider port X.  All traffic coming into this port from outside the
    bridge (ingress) will be either forwarded through other ports of the
    bridge (egress) or dropped.  Forwarding (egress) is defined by FDB
    entries and by flooding in the event that no FDB entry exists.
    In the event that flooding is disabled, only FDB entries define
    the egress.  Once learning is disabled, only static FDB entries
    provided by a management entity define the egress.  If we provide
    information from these static FDBs to the ingress port X, then we'll
    be able to accept all traffic that can be successfully forwarded and
    drop all the other traffic sooner without spending CPU cycles to
    process it.
     Another way to define the above is as following equations:
        ingress = egress + drop
     expanding egress
        ingress = static FDB + learned FDB + flooding + drop
     disabling flooding and learning we a left with
        ingress = static FDB + drop
    
    By adding addresses from the static FDB entries to the MAC address
    filter of an ingress port X, we fully define what the bridge can
    process without dropping and can thus turn off promiscuous mode,
    thus dropping packets sooner.
    
    There have been suggestions that we may want to allow learning
    and update the filters with learned addresses as well.  This
    would require mac-level authentication similar to 802.1x to
    prevent attacks against the hw filters as they are limited
    resource.
    
    Additionally, if the user places the bridge device in promiscuous mode,
    all ports are placed in promiscuous mode regardless of the changes
    to flooding and learning.
    
    Since the above functionality depends on full static configuration,
    we have also require that vlan filtering be enabled to take
    advantage of this.  The reason is that the bridge has to be
    able to receive and process VLAN-tagged frames and the there
    are only 2 ways to accomplish this right now: promiscuous mode
    or vlan filtering.
    Suggested-by: default avatarMichael S. Tsirkin <mst@redhat.com>
    Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
    Signed-off-by: default avatarVlad Yasevich <vyasevic@redhat.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    2796d0c6
br_vlan.c 8.39 KB