--- /dev/null
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 27 Aug 2021 12:22:32 +0200
+Subject: [PATCH] bridge: add knob for filtering rx/tx BPDU packets on a port
+
+Some devices (e.g. wireless APs) can't have devices behind them be part of
+a bridge topology with redundant links, due to address limitations.
+Additionally, broadcast traffic on these devices is somewhat expensive, due to
+the low data rate and wakeups of clients in powersave mode.
+This knob can be used to ensure that BPDU packets are never sent or forwarded
+to/from these devices
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/include/linux/if_bridge.h
++++ b/include/linux/if_bridge.h
+@@ -56,6 +56,7 @@ struct br_ip_list {
+ #define BR_MRP_AWARE BIT(17)
+ #define BR_MRP_LOST_CONT BIT(18)
+ #define BR_MRP_LOST_IN_CONT BIT(19)
++#define BR_BPDU_FILTER BIT(20)
+
+ #define BR_DEFAULT_AGEING_TIME (300 * HZ)
+
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -191,6 +191,7 @@ out:
+ void br_flood(struct net_bridge *br, struct sk_buff *skb,
+ enum br_pkt_type pkt_type, bool local_rcv, bool local_orig)
+ {
++ const unsigned char *dest = eth_hdr(skb)->h_dest;
+ struct net_bridge_port *prev = NULL;
+ struct net_bridge_port *p;
+
+@@ -206,6 +207,10 @@ void br_flood(struct net_bridge *br, str
+ case BR_PKT_MULTICAST:
+ if (!(p->flags & BR_MCAST_FLOOD) && skb->dev != br->dev)
+ continue;
++ if ((p->flags & BR_BPDU_FILTER) &&
++ unlikely(is_link_local_ether_addr(dest) &&
++ dest[5] == 0))
++ continue;
+ break;
+ case BR_PKT_BROADCAST:
+ if (!(p->flags & BR_BCAST_FLOOD) && skb->dev != br->dev)
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -305,6 +305,8 @@ static rx_handler_result_t br_handle_fra
+ fwd_mask |= p->group_fwd_mask;
+ switch (dest[5]) {
+ case 0x00: /* Bridge Group Address */
++ if (p->flags & BR_BPDU_FILTER)
++ goto drop;
+ /* If STP is turned off,
+ then must forward to keep loop detection */
+ if (p->br->stp_enabled == BR_NO_STP ||
+--- a/net/bridge/br_sysfs_if.c
++++ b/net/bridge/br_sysfs_if.c
+@@ -233,6 +233,7 @@ BRPORT_ATTR_FLAG(multicast_flood, BR_MCA
+ BRPORT_ATTR_FLAG(broadcast_flood, BR_BCAST_FLOOD);
+ BRPORT_ATTR_FLAG(neigh_suppress, BR_NEIGH_SUPPRESS);
+ BRPORT_ATTR_FLAG(isolated, BR_ISOLATED);
++BRPORT_ATTR_FLAG(bpdu_filter, BR_BPDU_FILTER);
+
+ #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
+ static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf)
+@@ -285,6 +286,7 @@ static const struct brport_attribute *br
+ &brport_attr_group_fwd_mask,
+ &brport_attr_neigh_suppress,
+ &brport_attr_isolated,
++ &brport_attr_bpdu_filter,
+ &brport_attr_backup_port,
+ NULL
+ };
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -80,7 +80,8 @@ void br_send_config_bpdu(struct net_brid
+ {
+ unsigned char buf[35];
+
+- if (p->br->stp_enabled != BR_KERNEL_STP)
++ if (p->br->stp_enabled != BR_KERNEL_STP ||
++ (p->flags & BR_BPDU_FILTER))
+ return;
+
+ buf[0] = 0;
+@@ -127,7 +128,8 @@ void br_send_tcn_bpdu(struct net_bridge_
+ {
+ unsigned char buf[4];
+
+- if (p->br->stp_enabled != BR_KERNEL_STP)
++ if (p->br->stp_enabled != BR_KERNEL_STP ||
++ (p->flags & BR_BPDU_FILTER))
+ return;
+
+ buf[0] = 0;
+@@ -172,6 +174,9 @@ void br_stp_rcv(const struct stp_proto *
+ if (!(br->dev->flags & IFF_UP))
+ goto out;
+
++ if (p->flags & BR_BPDU_FILTER)
++ goto out;
++
+ if (p->state == BR_STATE_DISABLED)
+ goto out;
+
+--- a/include/uapi/linux/if_link.h
++++ b/include/uapi/linux/if_link.h
+@@ -524,6 +524,7 @@ enum {
+ IFLA_BRPORT_BACKUP_PORT,
+ IFLA_BRPORT_MRP_RING_OPEN,
+ IFLA_BRPORT_MRP_IN_OPEN,
++ IFLA_BRPORT_BPDU_FILTER,
+ __IFLA_BRPORT_MAX
+ };
+ #define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -137,6 +137,7 @@ static inline size_t br_port_info_size(v
+ + nla_total_size(1) /* IFLA_BRPORT_VLAN_TUNNEL */
+ + nla_total_size(1) /* IFLA_BRPORT_NEIGH_SUPPRESS */
+ + nla_total_size(1) /* IFLA_BRPORT_ISOLATED */
++ + nla_total_size(1) /* IFLA_BRPORT_BPDU_FILTER */
+ + nla_total_size(sizeof(struct ifla_bridge_id)) /* IFLA_BRPORT_ROOT_ID */
+ + nla_total_size(sizeof(struct ifla_bridge_id)) /* IFLA_BRPORT_BRIDGE_ID */
+ + nla_total_size(sizeof(u16)) /* IFLA_BRPORT_DESIGNATED_PORT */
+@@ -220,7 +221,8 @@ static int br_port_fill_attrs(struct sk_
+ BR_MRP_LOST_CONT)) ||
+ nla_put_u8(skb, IFLA_BRPORT_MRP_IN_OPEN,
+ !!(p->flags & BR_MRP_LOST_IN_CONT)) ||
+- nla_put_u8(skb, IFLA_BRPORT_ISOLATED, !!(p->flags & BR_ISOLATED)))
++ nla_put_u8(skb, IFLA_BRPORT_ISOLATED, !!(p->flags & BR_ISOLATED)) ||
++ nla_put_u8(skb, IFLA_BRPORT_BPDU_FILTER, !!(p->flags & BR_BPDU_FILTER)))
+ return -EMSGSIZE;
+
+ timerval = br_timer_value(&p->message_age_timer);
+@@ -728,6 +730,7 @@ static const struct nla_policy br_port_p
+ [IFLA_BRPORT_NEIGH_SUPPRESS] = { .type = NLA_U8 },
+ [IFLA_BRPORT_ISOLATED] = { .type = NLA_U8 },
+ [IFLA_BRPORT_BACKUP_PORT] = { .type = NLA_U32 },
++ [IFLA_BRPORT_BPDU_FILTER] = { .type = NLA_U8 },
+ };
+
+ /* Change the state of the port and notify spanning tree */
+@@ -826,6 +829,10 @@ static int br_setport(struct net_bridge_
+ if (err)
+ return err;
+
++ err = br_set_port_flag(p, tb, IFLA_BRPORT_BPDU_FILTER, BR_BPDU_FILTER);
++ if (err)
++ return err;
++
+ br_vlan_tunnel_old = (p->flags & BR_VLAN_TUNNEL) ? true : false;
+ err = br_set_port_flag(p, tb, IFLA_BRPORT_VLAN_TUNNEL, BR_VLAN_TUNNEL);
+ if (err)
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -55,7 +55,7 @@
+ #include <net/net_namespace.h>
+
+ #define RTNL_MAX_TYPE 50
+-#define RTNL_SLAVE_MAX_TYPE 36
++#define RTNL_SLAVE_MAX_TYPE 37
+
+ struct rtnl_link {
+ rtnl_doit_func doit;
+@@ -4680,7 +4680,9 @@ int ndo_dflt_bridge_getlink(struct sk_bu
+ brport_nla_put_flag(skb, flags, mask,
+ IFLA_BRPORT_MCAST_FLOOD, BR_MCAST_FLOOD) ||
+ brport_nla_put_flag(skb, flags, mask,
+- IFLA_BRPORT_BCAST_FLOOD, BR_BCAST_FLOOD)) {
++ IFLA_BRPORT_BCAST_FLOOD, BR_BCAST_FLOOD) ||
++ brport_nla_put_flag(skb, flags, mask,
++ IFLA_BRPORT_BPDU_FILTER, BR_BPDU_FILTER)) {
+ nla_nest_cancel(skb, protinfo);
+ goto nla_put_failure;
+ }
--- /dev/null
+From: Felix Fietkau <nbd@nbd.name>
+Date: Fri, 27 Aug 2021 12:22:32 +0200
+Subject: [PATCH] bridge: add knob for filtering rx/tx BPDU packets on a port
+
+Some devices (e.g. wireless APs) can't have devices behind them be part of
+a bridge topology with redundant links, due to address limitations.
+Additionally, broadcast traffic on these devices is somewhat expensive, due to
+the low data rate and wakeups of clients in powersave mode.
+This knob can be used to ensure that BPDU packets are never sentor forwarded
+to/from these devices
+
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+---
+
+--- a/include/linux/if_bridge.h
++++ b/include/linux/if_bridge.h
+@@ -47,6 +47,7 @@ struct br_ip_list {
+ #define BR_BCAST_FLOOD BIT(14)
+ #define BR_NEIGH_SUPPRESS BIT(15)
+ #define BR_ISOLATED BIT(16)
++#define BR_BPDU_FILTER BIT(17)
+
+ #define BR_DEFAULT_AGEING_TIME (300 * HZ)
+
+--- a/net/bridge/br_forward.c
++++ b/net/bridge/br_forward.c
+@@ -191,6 +191,7 @@ out:
+ void br_flood(struct net_bridge *br, struct sk_buff *skb,
+ enum br_pkt_type pkt_type, bool local_rcv, bool local_orig)
+ {
++ const unsigned char *dest = eth_hdr(skb)->h_dest;
+ struct net_bridge_port *prev = NULL;
+ struct net_bridge_port *p;
+
+@@ -206,6 +207,10 @@ void br_flood(struct net_bridge *br, str
+ case BR_PKT_MULTICAST:
+ if (!(p->flags & BR_MCAST_FLOOD) && skb->dev != br->dev)
+ continue;
++ if ((p->flags & BR_BPDU_FILTER) &&
++ unlikely(is_link_local_ether_addr(dest) &&
++ dest[5] == 0))
++ continue;
+ break;
+ case BR_PKT_BROADCAST:
+ if (!(p->flags & BR_BCAST_FLOOD) && skb->dev != br->dev)
+--- a/net/bridge/br_input.c
++++ b/net/bridge/br_input.c
+@@ -300,6 +300,8 @@ rx_handler_result_t br_handle_frame(stru
+ fwd_mask |= p->group_fwd_mask;
+ switch (dest[5]) {
+ case 0x00: /* Bridge Group Address */
++ if (p->flags & BR_BPDU_FILTER)
++ goto drop;
+ /* If STP is turned off,
+ then must forward to keep loop detection */
+ if (p->br->stp_enabled == BR_NO_STP ||
+--- a/net/bridge/br_sysfs_if.c
++++ b/net/bridge/br_sysfs_if.c
+@@ -233,6 +233,7 @@ BRPORT_ATTR_FLAG(multicast_flood, BR_MCA
+ BRPORT_ATTR_FLAG(broadcast_flood, BR_BCAST_FLOOD);
+ BRPORT_ATTR_FLAG(neigh_suppress, BR_NEIGH_SUPPRESS);
+ BRPORT_ATTR_FLAG(isolated, BR_ISOLATED);
++BRPORT_ATTR_FLAG(bpdu_filter, BR_BPDU_FILTER);
+
+ #ifdef CONFIG_BRIDGE_IGMP_SNOOPING
+ static ssize_t show_multicast_router(struct net_bridge_port *p, char *buf)
+@@ -285,6 +286,7 @@ static const struct brport_attribute *br
+ &brport_attr_group_fwd_mask,
+ &brport_attr_neigh_suppress,
+ &brport_attr_isolated,
++ &brport_attr_bpdu_filter,
+ &brport_attr_backup_port,
+ NULL
+ };
+--- a/net/bridge/br_stp_bpdu.c
++++ b/net/bridge/br_stp_bpdu.c
+@@ -80,7 +80,8 @@ void br_send_config_bpdu(struct net_brid
+ {
+ unsigned char buf[35];
+
+- if (p->br->stp_enabled != BR_KERNEL_STP)
++ if (p->br->stp_enabled != BR_KERNEL_STP ||
++ (p->flags & BR_BPDU_FILTER))
+ return;
+
+ buf[0] = 0;
+@@ -125,7 +126,8 @@ void br_send_tcn_bpdu(struct net_bridge_
+ {
+ unsigned char buf[4];
+
+- if (p->br->stp_enabled != BR_KERNEL_STP)
++ if (p->br->stp_enabled != BR_KERNEL_STP ||
++ (p->flags & BR_BPDU_FILTER))
+ return;
+
+ buf[0] = 0;
+@@ -168,6 +170,9 @@ void br_stp_rcv(const struct stp_proto *
+ if (!(br->dev->flags & IFF_UP))
+ goto out;
+
++ if (p->flags & BR_BPDU_FILTER)
++ goto out;
++
+ if (p->state == BR_STATE_DISABLED)
+ goto out;
+
+--- a/include/uapi/linux/if_link.h
++++ b/include/uapi/linux/if_link.h
+@@ -340,6 +340,7 @@ enum {
+ IFLA_BRPORT_NEIGH_SUPPRESS,
+ IFLA_BRPORT_ISOLATED,
+ IFLA_BRPORT_BACKUP_PORT,
++ IFLA_BRPORT_BPDU_FILTER,
+ __IFLA_BRPORT_MAX
+ };
+ #define IFLA_BRPORT_MAX (__IFLA_BRPORT_MAX - 1)
+--- a/net/bridge/br_netlink.c
++++ b/net/bridge/br_netlink.c
+@@ -137,6 +137,7 @@ static inline size_t br_port_info_size(v
+ + nla_total_size(1) /* IFLA_BRPORT_VLAN_TUNNEL */
+ + nla_total_size(1) /* IFLA_BRPORT_NEIGH_SUPPRESS */
+ + nla_total_size(1) /* IFLA_BRPORT_ISOLATED */
++ + nla_total_size(1) /* IFLA_BRPORT_BPDU_FILTER */
+ + nla_total_size(sizeof(struct ifla_bridge_id)) /* IFLA_BRPORT_ROOT_ID */
+ + nla_total_size(sizeof(struct ifla_bridge_id)) /* IFLA_BRPORT_BRIDGE_ID */
+ + nla_total_size(sizeof(u16)) /* IFLA_BRPORT_DESIGNATED_PORT */
+@@ -214,7 +215,8 @@ static int br_port_fill_attrs(struct sk_
+ nla_put_u16(skb, IFLA_BRPORT_GROUP_FWD_MASK, p->group_fwd_mask) ||
+ nla_put_u8(skb, IFLA_BRPORT_NEIGH_SUPPRESS,
+ !!(p->flags & BR_NEIGH_SUPPRESS)) ||
+- nla_put_u8(skb, IFLA_BRPORT_ISOLATED, !!(p->flags & BR_ISOLATED)))
++ nla_put_u8(skb, IFLA_BRPORT_ISOLATED, !!(p->flags & BR_ISOLATED)) ||
++ nla_put_u8(skb, IFLA_BRPORT_BPDU_FILTER, !!(p->flags & BR_BPDU_FILTER)))
+ return -EMSGSIZE;
+
+ timerval = br_timer_value(&p->message_age_timer);
+@@ -676,6 +678,7 @@ static const struct nla_policy br_port_p
+ [IFLA_BRPORT_NEIGH_SUPPRESS] = { .type = NLA_U8 },
+ [IFLA_BRPORT_ISOLATED] = { .type = NLA_U8 },
+ [IFLA_BRPORT_BACKUP_PORT] = { .type = NLA_U32 },
++ [IFLA_BRPORT_BPDU_FILTER] = { .type = NLA_U8 },
+ };
+
+ /* Change the state of the port and notify spanning tree */
+@@ -774,6 +777,10 @@ static int br_setport(struct net_bridge_
+ if (err)
+ return err;
+
++ err = br_set_port_flag(p, tb, IFLA_BRPORT_BPDU_FILTER, BR_BPDU_FILTER);
++ if (err)
++ return err;
++
+ br_vlan_tunnel_old = (p->flags & BR_VLAN_TUNNEL) ? true : false;
+ err = br_set_port_flag(p, tb, IFLA_BRPORT_VLAN_TUNNEL, BR_VLAN_TUNNEL);
+ if (err)
+--- a/net/core/rtnetlink.c
++++ b/net/core/rtnetlink.c
+@@ -55,7 +55,7 @@
+ #include <net/net_namespace.h>
+
+ #define RTNL_MAX_TYPE 50
+-#define RTNL_SLAVE_MAX_TYPE 36
++#define RTNL_SLAVE_MAX_TYPE 37
+
+ struct rtnl_link {
+ rtnl_doit_func doit;
+@@ -4373,7 +4373,9 @@ int ndo_dflt_bridge_getlink(struct sk_bu
+ brport_nla_put_flag(skb, flags, mask,
+ IFLA_BRPORT_UNICAST_FLOOD, BR_FLOOD) ||
+ brport_nla_put_flag(skb, flags, mask,
+- IFLA_BRPORT_PROXYARP, BR_PROXYARP)) {
++ IFLA_BRPORT_PROXYARP, BR_PROXYARP) ||
++ brport_nla_put_flag(skb, flags, mask,
++ IFLA_BRPORT_BPDU_FILTER, BR_BPDU_FILTER)) {
+ nla_nest_cancel(skb, protinfo);
+ goto nla_put_failure;
+ }
projects / openwrt / staging / stintel.git / commitdiff