1. 15 Nov, 2012 4 commits
    • stephen hemminger's avatar
      bridge: add root port blocking · 1007dd1a
      stephen hemminger authored
      This is Linux bridge implementation of root port guard.
      If BPDU is received from a leaf (edge) port, it should not
      be elected as root port.
      
      Why would you want to do this?
      If using STP on a bridge and the downstream bridges are not fully
      trusted; this prevents a hostile guest for rerouting traffic.
      
      Why not just use netfilter?
      Netfilter does not track of follow spanning tree decisions.
      It would be difficult and error prone to try and mirror STP
      resolution in netfilter module.
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1007dd1a
    • stephen hemminger's avatar
      bridge: implement BPDU blocking · a2e01a65
      stephen hemminger authored
      This is Linux bridge implementation of STP protection
      (Cisco BPDU guard/Juniper BPDU block). BPDU block disables
      the bridge port if a STP BPDU packet is received.
      
      Why would you want to do this?
      If running Spanning Tree on bridge, hostile devices on the network
      may send BPDU and cause network failure. Enabling bpdu block
      will detect and stop this.
      
      How to recover the port?
      The port will be restarted if link is brought down, or
      removed and reattached.  For example:
       # ip li set dev eth0 down; ip li set dev eth0 up
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a2e01a65
    • stephen hemminger's avatar
      bridge: add template for bridge port flags · cd753732
      stephen hemminger authored
      Provide macro to build sysfs data structures and functions
      for accessing flag bits.  If flag bits change do netlink
      notification.
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cd753732
    • stephen hemminger's avatar
      bridge: bridge port parameters over netlink · 25c71c75
      stephen hemminger authored
      Expose bridge port parameter over netlink. By switching to a nested
      message, this can be used for other bridge parameters.
      
      This changes IFLA_PROTINFO attribute from one byte to a full nested
      set of attributes. This is safe for application interface because the
      old message used IFLA_PROTINFO and new one uses
       IFLA_PROTINFO | NLA_F_NESTED.
      
      The code adapts to old format requests, and therefore stays
      compatible with user mode RSTP daemon. Since the type field
      for nested and unnested attributes are different, and the old
      code in libnetlink doesn't do the mask, it is also safe to use
      with old versions of bridge monitor command.
      
      Note: although mode is only a boolean, treating it as a
      full byte since in the future someone will probably want to add more
      values (like macvlan has).
      Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25c71c75
  2. 14 Nov, 2012 6 commits
  3. 13 Nov, 2012 15 commits
  4. 12 Nov, 2012 1 commit
  5. 11 Nov, 2012 2 commits
  6. 10 Nov, 2012 4 commits
  7. 09 Nov, 2012 8 commits