    net: bridge: Maintain number of MDB entries in net_bridge_mcast_port · b57e8d87
    Petr Machata authored
    The MDB maintained by the bridge is limited. When the bridge is configured
    for IGMP / MLD snooping, a buggy or malicious client can easily exhaust its
    capacity. In SW datapath, the capacity is configurable through the
    IFLA_BR_MCAST_HASH_MAX parameter, but ultimately is finite. Obviously a
    similar limit exists in the HW datapath for purposes of offloading.
    
    In order to prevent the issue of unilateral exhaustion of MDB resources,
    introduce two parameters in each of two contexts:
    
    - Per-port and per-port-VLAN number of MDB entries that the port
      is a member of.
    
    - Per-port and (when BROPT_MCAST_VLAN_SNOOPING_ENABLED is enabled)
      per-port-VLAN maximum permitted number of MDB entries, or 0 for
      no limit.
    
    The per-port multicast context is used for tracking of MDB entries for the
    port as a whole. This is available for all bridges.
    
    The per-port-VLAN multicast context is then only available on
    VLAN-filtering bridges on VLANs that have multicast snooping on.
    
    With these changes in place, it will be possible to configure an MDB limit
    for the bridge as a whole, or any one port as a whole, or any single port-VLAN.
    
    Note that unlike the global limit, exhaustion of the per-port and
    per-port-VLAN maximums does not cause disablement of multicast snooping.
    It is also permitted to configure the local limit larger than hash_max,
    even though that is not useful.
    
    In this patch, introduce only the accounting for number of entries, and the
    max field itself, but not the means to toggle the max. The next patch
    introduces the netlink APIs to toggle and read the values.
    Signed-off-by: Petr Machata <petrm@nvidia.com>
    Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
    Reviewed-by: Ido Schimmel <idosch@nvidia.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
br_private.h 62.3 KB
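
The two-context accounting described in the commit message, as an added userspace model; this is not code from br_private.h or from the commit. All names (`mdb_ctx`, `mdb_join`, `mdb_leave`, `mdb_flood`) are hypothetical, and refusing a join once a limit is reached, with both contexts charged together, is an assumption about how the limits are enforced.

```c
/* Added model of per-port / per-port-VLAN MDB accounting; not kernel code.
 * Names and enforcement behaviour are assumptions made for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

struct mdb_ctx {
    uint32_t n;   /* MDB entries this context is currently a member of */
    uint32_t max; /* maximum permitted entries, 0 = no limit */
};

/* Charge one entry to a context unless that would exceed its limit. */
static bool mdb_ctx_charge(struct mdb_ctx *c)
{
    if (c->max && c->n >= c->max)
        return false;
    c->n++;
    return true;
}

static void mdb_ctx_uncharge(struct mdb_ctx *c)
{
    if (c->n)               /* never underflow the counter */
        c->n--;
}

/* The port context counts the port as a whole; vlan may be NULL when no
 * per-port-VLAN context applies. Either both are charged or neither is. */
bool mdb_join(struct mdb_ctx *port, struct mdb_ctx *vlan)
{
    if (!mdb_ctx_charge(port))
        return false;
    if (vlan && !mdb_ctx_charge(vlan)) {
        mdb_ctx_uncharge(port);  /* roll back so the counters stay in sync */
        return false;
    }
    return true;
}

void mdb_leave(struct mdb_ctx *port, struct mdb_ctx *vlan)
{
    mdb_ctx_uncharge(port);
    if (vlan)
        mdb_ctx_uncharge(vlan);
}

/* A client sending `attempts` joins; returns how many were admitted. */
uint32_t mdb_flood(struct mdb_ctx *port, struct mdb_ctx *vlan, uint32_t attempts)
{
    uint32_t ok = 0;
    while (attempts--)
        ok += mdb_join(port, vlan);
    return ok;
}
```

In this model a flooding client only fills its own port or port-VLAN budget; other ports' counters are untouched and nothing is disabled when a local maximum is hit.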